Training

Book early and get a discount on SAS conference pricing. Any questions? Just let us know!

Main Classes

Hunt APTs with Yara like a GReAT Ninja

Trainers:

Costin Raiu, Sergey Mineev, Kaspersky

Early-bird offer:

$2500*

Have you ever wondered how Kaspersky Lab discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. This training will lead you through one of the essential tools for the APT hunter: the Yara detection engine.

If you’ve wondered how to master Yara and how to achieve a new level of knowledge in APT detection, mitigation and response, it all breaks down to a couple of secret ingredients. One of them is our private stash of Yara rules for hunting advanced malware.

During this training you will learn how to write the most effective Yara rules, how to test them and improve them to the point where they find threats that nobody else does. During the training you will gain access to some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with Yara.

INTENDED AUDIENCE

Security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT hunters and IT security staff. The training is suitable for both beginners and experienced Yara users.

TOPICS COVERED

* Brief intro into Yara syntax
* Tips & tricks to create fast and effective rules
* Using Yara-generators
* Testing Yara rules for false positives
* Hunting new undetected samples on VT
* Using external modules within Yara for effective hunting
* Anomaly search
* Lots (!) of real-life examples
* A set of exercises for improving your Yara skills
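As an added illustration of the rule-writing topics listed above (this is example code written for this page, not a rule from the course or from Kaspersky's own stash), the rule below shows three habits a Yara hunter needs: put cheap, short-circuiting checks (magic bytes, file size) before anything expensive; pull header-level facts from the pe module that a plain string scan cannot give you (imports, signatures, section count); and require two independent indicators so a single common string does not become a false-positive generator. The config marker, the mutex pattern and the chosen API trio are assumptions picked for illustration, not indicators from any real sample.

```yara
import "pe"

rule Hunt_Injector_Loader_Example
{
    meta:
        description = "Illustrative hunting rule: unsigned PE loader with an embedded config marker and process-injection imports"
        note        = "Added example for this page; marker, mutex pattern and API set are assumptions, not from a real sample"

    strings:
        // hypothetical config marker; 'wide' also catches the UTF-16 form many loaders store
        $cfg   = "C2CFG_v1" ascii wide
        // bounded regex: the explicit length range keeps the atom usable and the scan cheap
        $mutex = /Global\\[A-Za-z0-9]{8,16}_run/ ascii

    condition:
        // cheap checks first: MZ magic and a size bound short-circuit the rest of the condition
        uint16(0) == 0x5A4D and filesize < 2MB
        // pe module: facts from the PE header rather than from byte patterns
        and pe.number_of_sections >= 3
        and pe.imports("kernel32.dll", "VirtualAllocEx")
        and pe.imports("kernel32.dll", "WriteProcessMemory")
        and pe.imports("kernel32.dll", "CreateRemoteThread")
        // false-positive control: skip Authenticode-signed binaries, then require both indicators
        and pe.number_of_signatures == 0
        and $cfg and $mutex
}
```

Before hunting with a rule like this, run it over a clean corpus (an OS install, a goodware set) with `yara -s` and count the hits; every match there is a false positive you will also get on VT. The signature fields of the pe module are only available in a YARA build compiled with OpenSSL, so check your build before relying on `pe.number_of_signatures`.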

CLASS REQUIREMENTS

Level: medium and advanced

Prerequisites: knowledge of the Yara language and basic rules

Class: limited to max 15 participants

Hardware: Own laptop

Minimum Software to install: Yara v. 3.6.0

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass

The God-Mode Practical Training in Static Analysis of APT Malware

Trainers:

Igor Soumenkov, Kaspersky

Early-bird offer:

$2500*

Every flashy new computer incident involving previously unseen malicious code boils down to one question: ‘what are the attackers trying to do?’ Answering this question requires a keen investigative mind and skills to match in order to determine the functionality of that code and boil it down into actionable artifacts: either a basic set of IOCs or a complete technical description that reveals the TTPs of the attackers. With these products in hand, an organization can proactively defend against the most cutting-edge attackers.

Easier said than done. Organizations affected by a true APT-level attack will require a deep understanding of the APT toolkit to truly understand the extent of the capabilities and intentions of the determined intruders. Only with this can they ever be sure that their damage assessment and incident response efforts are accurate and effective. The only way to reach this level of understanding with true fidelity is to statically analyze the malicious code (no “if’s”, “and’s”, or dynamic “but’s” about it).

Unlike easier dynamic analysis techniques, advanced static analysis allows analysts to produce high-fidelity descriptions of the executable code regardless of execution flow and tricky runtime checks. It allows analysts to produce an extensive set of actionable items, including lists of C&C servers, file and memory signatures, crypto implementations and more. A combined understanding of the unique code sequences and algorithms employed by the malware developers is key in malware classification, toolset attribution, and the creation of the most advanced hunting signatures.

This course will cover most of the steps required to analyze a modern APT toolkit, from receiving the initial sample, all the way to producing a deep technical description with IOCs. The course material is based on many years of experience analysing the most complex threats ever discovered in-the-wild, including: Equation, Red October, Sofacy, Turla, Duqu, Carbanak, ShadowPad, and many more. It’s time to set your static analysis game to God-Mode.

TOPICS COVERED

* Unpacking
* Decryption
* Developing own decryptors for common scenarios
* Byte code decompilation
* Code decomposition
* Disassembly
* Reconstruction of modern APT architectures
* Recognizing typical code constructs
* Identification of cryptographic and compression algorithms
* Classification and attribution based on code and data
* Class and structure reconstruction
* APT plugin architectures (based on recent APT samples)

PREREQUISITES

* Understanding of x86 and x86_64 assembly, Python
* Basic knowledge of C/C++
* Experience with analysing code in IDA Pro

Level: medium and advanced

Hardware & Software requirements:

* Laptop with a VMware or VirtualBox virtualization solution
* Legitimate copy of IDA Pro (latest version preferred)
* Working C/C++ compiler toolset (clang, g++ or MinGW)

Class: limited to max 15 participants

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass

The Good and the GReAT— Stepping up your Threat Intelligence Game

Trainers:

Brian Bartholomew, Kaspersky; Brian Candlish, Telstra Threat Labs

Early-bird offer:

$2500*

In the past decade, ‘threat intelligence’ has become one of the hottest commodities in the infosec market for companies to either purchase or create. As a threat intel analyst, one must be a Jack-Of-All-Trades, without over-specializing in any one thing. Unfortunately, there are few guidelines and fewer training courses for analysts to obtain a solid foundation. Even seasoned threat intel analysts find themselves creating specific tools to accomplish a task, only to find out that someone else has already done so. And in those rare cases where expert analysts are stumped, who can they turn to for guidance? This course is designed to serve threat intel analysts of all levels of experience, providing a solid foundation for beginner-to-intermediate intel analysts, as well as showing more advanced analysts how the Global Research and Analysis Team (GReAT) conducts their research in special fringe cases.

The course will span two full days and cover the entire gamut of threat intelligence. Some of the topics covered include:

* Concepts of threat intelligence
* Intelligence life cycle
* Defining intelligence requirements
* Collecting and processing data
* Maximizing data through automation
* Open source / custom tools
* Threat hunting in large security datasets
* Intelligence reporting
* Dealing with biases
* Using estimative language
* Each day will end with large hands-on labs (approx. 2 hrs each)

CLASS REQUIREMENTS

Level: Intermediate or above

Prerequisites:
Students should be interested in learning about the many aspects of threat intelligence. Preferably, the student should be part of a threat intel team as an analyst or lead. Familiarity with commercial and open source tools such as VirusTotal, PassiveTotal, or DomainTools is helpful. Experience hunting threats and analyzing malware is considered a plus.

Each student should have their own laptop with access to whatever tools they use on a daily basis. Students will be provided access to other tools as needed during the class.

Class: limited to max 15 participants

Hardware: Laptop with at least 20GB of free disk space and 8GB of RAM, capable of running VMs.

Minimum Software to install: Windows / macOS / Linux; VMware / VirtualBox

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass

Remote Forensics for the Modern Malware Hunter

Trainers:

Vitaly Kamluk, Kaspersky; Nicolas Collery, DBS Bank

Early-bird offer:

$2500*

The increased frequency and complexity of advanced cyberattacks require swift response and silent navigation through the compromised assets of sometimes large distributed networks. One of the most popular approaches today relies on EDR or other live agent-based solutions. This is useful when responding to attacks by low-skilled or below-average adversaries. However, activating security agents and performing activities on live compromised systems may trigger the attacker's alerts, which may lead to a massive cleanup operation and destruction of evidence. Offline system analysis, on the other hand, may not be easy due to the physical distance to the compromised system or the scale of the network. This is where remote offline digital forensics becomes an incredibly useful approach.

This training introduces the free, open-source forensics tool Bitscout. Attendees will learn how to build their own remote analysis tool, package it with their own arsenal and handle customizations.

The training will be conducted by the author of the tool.

PREREQUISITES
* Familiarity with digital forensics principles
* Malware analysis and basic reversing skills
* Understanding of virtualization, networking, OS architecture, coding and scripting

Class plan:

1. Introduction and theory
2. Building your own remote ninja tool
3. Exercises:
-> Discovering malware remotely
-> Finding attack infection vectors
-> Remote disk image acquisition methods
-> Virtualization-based wizardry
-> Breaking through proprietary disk encryption
-> Analyzing non-Windows platforms
-> Converting compromised host into safe honeypot

Class: limited to max 15 participants

Hardware & Software requirements: Laptop or VM with a Debian-based Linux, e.g. Ubuntu

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass

Body Language and Nonverbal Skills for Social Engineers and Red Teams

Trainers:

Alex Frappier, Tyler McLellan, CanCyber Foundation, Canada

Early-bird offer

$2500*

Learn how to master and detect the nonverbal skills used by social engineers and red teams during physical engagements. While you may be a master hacker once you are able to get your hands on the technology or keyboard, you will not have success if you are not able to get the physical access you require.

Body language plays an essential role in human communication and interactions. Understanding nonverbal communication will allow you to look more confident, convincing and charismatic, while avoiding common indicators of deception. These skills will have a major impact as a social engineer, whether you are doing impersonation, voice elicitation (vishing) or physical access. Perhaps more importantly, you will also learn how to decode when someone uses these skills against you and whether the other person may be lying to gain access to your company. Combined with core knowledge in influence and elicitation, this training will empower you to take your skills to a whole new level, either on offense or defence.

You will learn science-based laws of nonverbal communication, including: trust indicators, negative nonverbals, vocal power, and deception detection. See how these can be successfully applied to cybersecurity and physical security, but also learn how to use them in your day-to-day work to become a better presenter and negotiator. Be prepared for a hands-on training that will include core knowledge, fun activities, and opportunities to practice. It will be valuable and adapted to both introverts and extroverts.

INTENDED AUDIENCE

Security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT hunters and IT security staff.

TOPICS COVERED

Body Language Laws
* Introduction to body language
* Nonverbal foundation
* Trust indicators
* Haptics
* Gazing
* Proxemics
* Power nonverbal
* Vocal laws
* Facial macro and micro expressions
* Micro positives
* Micro Negatives

Applications
* Impersonation
* Voice elicitation
* Deception detection
* Pitching
* Negotiations
* Presentation skills

CLASS REQUIREMENTS

Level: Suitable for beginner to advanced 

Prerequisites: There are no prerequisites for this training

Class: limited to max 20 participants

Hardware: Own laptop

Minimum Software to install: none

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass

IoT Vulnerability Research and Exploitation Training

Trainers:

Roland Sako, Andrey Muravitsky, Kaspersky ICS CERT

Early-bird offer:

$2500*

Approaching IoT devices from a security assessment standpoint can be intimidating, especially when you need to work hands-on with hardware, but fear not! This is the training for you if you want to take your first steps into discovering vulnerabilities in smart devices of any kind: homes, cars, routers, PLCs, medical equipment and other IoT devices.

We will guide you through the systematic analysis of IoT devices to identify vulnerabilities. You will interact directly with many hardware interfaces, and become comfortable with using the hardware and software tools of the trade to pentest and evaluate IoT devices.

After the training, you will be able to analyze and exploit the hardware and software attack surface of IoT devices in order to secure them. Going forward you will tackle most situations confidently, including when the firmware is not publicly available.

INTENDED AUDIENCE

This course is for all security researchers, product security teams, software and security architects, and product managers (with a security background).

TOPICS COVERED

* Extracting and analyzing firmware
* Understanding PCB chip identification
* Reverse engineering ARM binaries
* Identifying and working with unknown architectures
* Emulating firmware
* Pin identification
* Gaining confidence with communication protocols and interfaces (UART, SPI, JTAG, I2C, BLE)
* Analyzing and fuzzing open source code
* Automating vulnerability identification

Each part of the course consists of a mix of theory backed by relevant practical tasks.

CLASS REQUIREMENTS

Level: beginner to intermediate

Prerequisites:

* Experience with any programming language
* Familiarity with basic Linux commands
* Basic knowledge of C and/or C++
* Basic reverse engineering skills
* Knowledge of the most common network protocols

Experience using a disassembly tool would be helpful, but not necessary

Class: limited to max 20 participants

Hardware: A laptop with at least 20GB of free disk space, 4GB of RAM and two USB Type-A ports available

Software: VirtualBox and admin access to install additional software.

Duration: 2 days

Date: April 5-6, 2020

*price includes hotel accommodation April 5-6, breakfast, lunch and coffee breaks, and does not include SAS 2020 pass
