Spring Training 2017 - Open Source Defensive Security Training

From BruCON 2017

Open Source Defensive Security Training

Open Source Defensive Security Training is a 3-day, advanced IT security laboratory dedicated to professionals who need to close the gaps in their Linux & Open Source security knowledge. The very detailed and up-to-date course content, with a particular focus on the defensive versus offensive approach and based on real-world scenarios, gives you the best opportunity to build stronger defensive layers inside your Open Source network infrastructure or Linux-based products. Check out the detailed agenda, find it interesting, and register as soon as possible. May the packets be with U!

Course Description

Open Source Defensive Security Training is an Open Source IT security laboratory dedicated to professionals who need to close the gaps in their Linux & Open Source security knowledge. The very detailed and up-to-date course content, with a particular focus on the defensive approach, gives you the best opportunity to build stronger defensive layers inside your network infrastructure and/or Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on labs provides the very practical knowledge you need to expand your Linux security skills.

This is an extremely deep-dive training on Open Source-based infrastructure security, Linux system hardening and network service hardening. We like details as much as attackers do, and those details make the difference between the offensive and the defensive approach. That's how we see it working. Our high-tech workshop has a unique formula: “protection vs attack”. This means that most of the security issues we talk about will be effectively protected against by the use of a suitable approach, sophisticated software and a dedicated secure configuration.

We focus on delivering defensive content, but we understand that to be good at defense you also have to be good at offense. That is why we provide a knowledge mix across both fields using Open Source software. Apart from basic Linux skills and TCP/IP knowledge, most of the lab exercises require of the candidate at least a basic understanding of attacker techniques, and this is something we deliver as well. We strongly believe that only a mix of broad, systematic defensive and offensive security knowledge can guarantee secure solutions.

As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."

The workshop includes the following example laboratory scenarios:

  • Web application security vs OWASP Top 10 attack techniques and others
  • Grsecurity/PaX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from the past few years (PERF_EVENTS, ptrace/sysret, mempodipper, semtex, sendpage, chroot() escape, Dirty COW)
  • Seccomp/capabilities/namespaces vs exploits
  • SELinux vs exploits (Redis Command Execution, Venom, Apache)
  • Volatility vs rootkits
  • Secure SSH relays and the importance of the least-privilege rule
  • System user accountability, including root
  • Linux Domain Controller
  • Using sysdig/SystemTap for detecting deviations in the behaviour of daemons and services
  • Network packet filtering, including Tor, ipsets, IP reputation, port knocking
  • Network honeypots vs scanning tools and obstruction of the process of enumeration
  • PCAP analysis and Deep Packet Inspection vs malware
  • Sandboxing for malware detection and deep analysis (Cuckoo, YARA)
  • Web Application Firewall vs OWASP Top 10
  • and others

Course contents

1) Threats are everywhere - introduction to the technical Open Source Defensive Security program.

2) Web application security -> hardened reverse proxy -> ModSecurity vs HTTP security issues:

  • Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHP-Nuke, Joomla, Drupal, phpMyAdmin, osCommerce, Magento, WordPress, dotProject and others
  • Authorization and authentication: CAS SSO, OAuth, SAML (Ipsilon), federation, Basic / Digest auth, SSL client authentication, LDAP authorization, SAML-based mod_auth_mellon, Kerberos-based mod_auth_kerb, login-form-based mod_intercept_form_submit, mod_lookup_identity, mod_pubcookie
  • HTTPS – how to achieve an A+ rating?:
    • Attacks:
      • Heartbleed
      • BREACH
      • DROWN
      • BEAST
      • POODLE
      • MitM: sslstrip
    • Mutual SSL
  • Security headers and browser security mechanisms: Content Security Policy (CSP), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Subresource Integrity, per-page suborigins, HTTP Strict Transport Security (HSTS), HPKP, PFS
  • Cookies: Secure, HttpOnly, Domain, Path, SameSite, Clear-Site-Data, Feature Policy, first-party cookies
  • HTTP header anomalies
  • Virtual patching
  • Full HTTP auditing
  • Lua/OpenResty support
  • Sensor approach - OWASP AppSensor
  • Web application security using ModSecurity - creating dedicated WAF rules against:
    • Injections
    • Null bytes
    • Path/directory traversal
    • LFI/RFI -> command execution
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery (CSRF)
    • HTTP Parameter Pollution (HPP)
    • Open Redirect
    • Insecure Direct Object Reference vs HMAC
    • Forceful Browsing
    • CSWSH - Cross Site Websocket Hijacking
    • Session Security
    • Brute force
    • Slow DoS
    • Geo restrictions
    • Error handling
    • Leakage detection
    • Secure file upload
    • Secure logout / forgot password form
    • Web honeypots
    • Bot/scan protection
    • AV protection
    • PHP Security
    • Tomcat Security
    • Tools:
      • sqlmap, sqlninja
      • XSSer
      • DOMinator
      • Skipfish
      • ZAP / Burp
      • Wafdetect
      • Joomla, WPScan
      • DirBuster, dirb
      • Nikto
      • JSDetox
      • Brakeman

3) Hardened Linux vs exploits/rootkits:

  • Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
  • Grsecurity / PaX
  • SELinux / Multi Category Security / sVirt
  • Apparmor, Tomoyo, Smack, RSBAC
  • GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
  • Linux Containers - Docker/LXC
  • LKM-off / YAMA / enforcing
  • Linux capabilities vs SUID and others
  • System call restriction - seccomp
  • Integrity checking - IMA/EVM
  • Package mgmt security
  • Debuggers and profilers - gdb/strace/ldd/Valgrind/YARA
  • Chroot/jail/pivot_root
  • Behavioural analysis - SystemTap / LTTng / sysdig
  • Memory forensics - Volatility vs malware
  • PAM / 2FA
  • System update vs reboot
  • *privchecks

4) Network security:

  • Vulnerability scanning:
    • Nmap NSE
    • Seccubus
    • OpenVAS
    • Metasploit
  • Linux Domain Controller - IdM/HBAC/sudo
  • SFTP/SCP - Secure SSH Relay
  • Restricted shells/commands
  • SSH tips and tricks
  • Public Key Infrastructure – SSL/TLS
  • NFS Security
  • Database Security
  • DNS Security
  • Mail Security
  • DOS / scanning / brute-force protection techniques
  • Advanced network firewall: iptables/nftables/ebtables
  • System honeypots
  • Network traffic analysis - Wireshark, Scapy / tcpdump / tcpreplay
  • Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
    • Metasploit
    • PtH
    • Heartbleed
    • Shellshock and others
  • Security by obscurity

5) System auditing, integrity & accounting:

  • *syslog
  • auditd
  • OSSEC / Samhain / aide
  • SIEM: Splunk/ELK/OSSIM/osquery

6) Summary: offense vs defense. Additional labs:

  • GDB introduction LAB
  • Seccomp -> additional LABs
  • Apparmor policy development
  • Volatility LAB - diffing between infected and clean memory dumps
  • Malware PCAP analysis / tcpreplay / Suricata+ELK (SELKS) / Cuckoo / Limon sandbox
  • SELinux module development
  • PaX - policy development
  • PAM LAB: google-authenticator / YubiKey
  • Simple kernel module development + hiding + detection
  • Suricata vs Metasploit, PtH, Heartbleed, Shellshock and others
  • WLAN security vs Evil Twin / KARMA and other attacks: detection

Target audience

  • Linux administrators & System Architects
  • IT Security professionals
  • Penetration testers
  • IT Security consultants and Open Source specialists

Thanks to this training you will:

  • learn techniques to protect your Linux systems against attacks used by modern attackers
  • find out how you can protect Linux servers and web applications against real attacks
  • learn how to use dozens of solutions and security tools for network infrastructure and systems, in both offensive and defensive scope
  • configure several advanced solutions to reduce the chance of a successful attack or minimize the risk of a vulnerability being exploited

True values that come with this training:

  • real life, 100% pure lab-oriented defensive security scenarios
  • minimum theory, maximum hands-on
  • a lot of accumulated knowledge in one place
  • created by enthusiasts and professionals for professionals with enthusiasm

Hardware/software requirements

  • Laptop with 4 GB RAM
  • VirtualBox installed
  • WLAN card

Leszek has more than 8 years of experience in teaching and transferring technical knowledge and experience. Number of trained persons: 500+; average evaluation: 4.9 (on a 1-5 scale).

Trainer Biography

Leszek Miś has over 11 years of experience in IT security technology, supporting the largest companies and institutions with implementation, consulting and technical training. In addition, he has 8 years of experience in teaching and transferring technical knowledge and experience: he has trained more than 500 people, with an average evaluation of 4.9 on a 1-5 scale. He is an IT Security Architect with a pentester's heart and a recognised expert in enterprise Open Source solutions. He provides web application and infrastructure penetration tests and specialises in Linux/OS hardening and the defensive security of web application platforms.

He is a known and respected trainer/examiner of Red Hat products in Poland (RHCA, RHCSS, RHCE) and author of many IT Security workshops (ModSecurity, FreeIPA, SELinux, Linux Hardening).

As a speaker he has attended many conferences, including Confidence 2016 (“Honey(pot) flavored hunt for cyber enemy”), PLNOG 2016 (“Yoyo! It’s us, packets! Catch us if you can”), NGSEC 2016 (“Many security layers for many defensive opportunities”), Open Source Day 2010/2011/2012/2013/2014, SysDay 2008 (“SELinux vs exploits”), Confitura 2014 (“Detection and elimination of threats in real time - OWASP AppSensor in action”), Red Hat Roadshow 2014, OWASP Chapter Poland 2015 (“Does your WAF can handle it?”), ISSA InfoTrams 2015 and BIN GigaCon 2015 (“Mapping pentesters' knowledge for the need to protect a critical IT infrastructure”).

Certifications:

  • Holder of OSCP, Red Hat Certified Architect, Red Hat Certified Security Specialist, RHCDS, CompTIA Security+, Splunk Certified Architect and others.

Twitter: @cr0nym

Wed. 19 - 21 April 2017 (09:00 - 17:00) (3-day)