Security + Cloud + Machine Learning For Security Engineers

We can’t talk about security without mentioning cloud and machine learning any more. The current challenge the security industry faces is that there is too much data to process in order to find anomalies in systems and networks. Relying on human analysts alone to defend your network against attackers is no longer a viable option. First, there is not enough human talent available. Second, by their nature, human analysts are not efficient from an ROI perspective. Machine learning is not a nice-to-have tool for security operations; it is a must-have.

This training course will give you a good idea of what a typical machine learning model-building process looks like. A good model comes from good data, and good data comes from good sensors. We will focus on sensors at the beginning, then move on to heuristic detections over the collected telemetry. Finally, we will discuss the usual methods for building a solid machine learning model on the collected data. This course will provide a POC-level starting point for your company’s machine learning project, or inspiration on how you can apply the methodology to your own problem domain.
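The sensor → heuristic → feature pipeline described above, shown end to end as an added example (this is not course material, and the events are constructed, not real telemetry). It assumes Sysmon-style process-creation records (Event ID 1 fields: Image, ParentImage, CommandLine, User), applies one heuristic detection (an Office application spawning a command interpreter or script host, a living-off-the-land pattern), and turns each event into the kind of numeric feature vector a model would be trained on. The application and interpreter lists are illustrative choices, not a recommended rule set.

```python
"""Sensor -> heuristic detection -> feature extraction on Windows process events.

Added illustration of the course's pipeline. The sample events are constructed
Sysmon-like Event ID 1 records; the heuristic and feature set are examples.
"""
import math
from collections import Counter

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami",
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt",
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Process",
     "User": "CORP\\bob"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM"},
]

# Illustrative lists (assumption): document editors that rarely need a shell,
# and interpreters/script hosts commonly abused by living-off-the-land attacks.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_interpreter(event):
    """Heuristic: parent is an Office app and child is an interpreter/script host."""
    return (basename(event["ParentImage"]) in OFFICE_APPS
            and basename(event["Image"]) in INTERPRETERS)


def shannon_entropy(text):
    """Bits per character; long, high-entropy command lines are worth a closer look."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(event):
    """Numeric features a model could be trained on; the heuristic becomes two columns."""
    cmd = event["CommandLine"]
    return {
        "parent_is_office": int(basename(event["ParentImage"]) in OFFICE_APPS),
        "image_is_interpreter": int(basename(event["Image"]) in INTERPRETERS),
        "cmdline_len": len(cmd),
        "cmdline_entropy": round(shannon_entropy(cmd), 3),
        "is_system_user": int(event["User"].upper().startswith("NT AUTHORITY")),
    }


def run_pipeline(events):
    """Return (heuristic hits, feature rows for every event)."""
    hits = [e for e in events if office_spawns_interpreter(e)]
    features = [extract_features(e) for e in events]
    return hits, features


if __name__ == "__main__":
    hits, rows = run_pipeline(SAMPLE_EVENTS)
    for e in hits:
        print("HEURISTIC HIT:", basename(e["ParentImage"]), "->", basename(e["Image"]))
    for row in rows:
        print(row)
```

The point of keeping the heuristic and the feature extractor side by side is that the same telemetry field (parent/child process names) drives both: the heuristic gives analysts an immediate, explainable alert, and the feature columns let a model learn beyond the hand-written rule once enough labelled events have been collected.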

Time table

The following is the overall schedule for the 5-day training course.

Day 1 - APT/Threat Intelligence/MITRE ATT&CK Matrix/Threat Analysis

  • Objectives:
    • Understand current APT landscape, Threat Intelligence
    • Understand threat modelling approach with MITRE ATT&CK Matrix
    • Investigate real-world malware/APT attacks and map them to the MITRE ATT&CK Matrix for deeper understanding

Start | End   | Name | Description
10:00 | 10:30 | Introduction | Introduction, overview of the course and exercise preparation
10:30 | 12:00 | Threat Analysis/Threat Intelligence/Threat Modelling | Understanding the current threat landscape / APT vs. commodity malware / PE vs. non-PE / living-off-the-land attacks / MITRE ATT&CK Matrix
12:00 | 13:30 | Lunch | Group lunch
13:30 | 17:00 | Exercise | Living-off-the-land attacks vs. detection modeling

Day 2 - Sensors - Windows Events/Telemetry Collection/Event Hunting

  • Objectives:
    • Understand methods for collecting Windows Events
    • Hunt useful Windows Events
    • Learn to use basic Windows Events tools (focusing on PowerShell cmdlets)

Start | End   | Name | Description
10:00 | 10:50 | Windows Events | Windows Events: concepts and tools
11:00 | 11:50 | Advanced Windows Events | PowerShell/WMI/Sysmon/AMSI
12:00 | 13:30 | Lunch | Group lunch
13:30 | 17:00 | Exercise | Event investigations: set up Sysmon/Winlogbeat, investigate malware activity based on Windows Events, understand Sysmon/PowerShell/WMI/kernel events

Day 3 - Cloud + Threat Hunting

  • Objectives:
    • Understand cloud storage/distributed computing technology
    • Set up an ElasticSearch + Kibana environment
    • Acquire and store telemetry data from Windows Events
    • Perform threat hunting on the collected telemetry data sets, understanding the methodology and its limitations

Start | End   | Name | Description
10:00 | 11:50 | Cloud | Introduction to various cloud storage and distributed processing platforms (Hadoop/Spark/Azure Data Lake/ElasticSearch/Kibana)
12:00 | 13:30 | Lunch | Group lunch
13:30 | 17:00 | Exercise | Telemetry collection and threat hunting using ElasticSearch & Kibana: set up the ElasticSearch/Kibana environment, import snapshot data, hunt threats

Day 4 - Heuristics + Data Science

  • Objectives:
    • Understand the heuristic approach to malware/APT detection and its limitations
    • Learn a data-science approach to real-world problems

Start | End   | Name | Description
10:00 | 11:50 | Exercise | Timeline reconstruction (Python + Jupyter Notebook)
12:00 | 13:30 | Lunch | Group lunch
13:30 | 17:00 | Exercise | Introduction to machine learning methods/concepts/exercises (Python + Jupyter Notebook)

Day 5 - Data Science

  • Objectives:
    • Apply various data science methodologies to security problems (focusing on the machine telemetry)
    • Understand the importance of data clean-up
    • Understand the process of feature-set selection and extraction methods

Start | End   | Name | Description
10:00 | 11:50 | Exercise | Building machine learning models (Python + Jupyter Notebook)
12:00 | 13:30 | Lunch | Group lunch
13:30 | 17:00 | Exercise | Building machine learning models (Python + Jupyter Notebook)

Co-trainer

John Park

Past Trainings

  • Private trainings are not listed here

July 2019

  • When: Jul/29/2019 (Mon) ~ Aug/2/2019 (Fri)
  • Where: Seoul, South Korea