• Vulnerability Assessment - Course 589
• PKI: A Comprehensive Hands-On Introduction - Course 586
• Computer Forensics and Incident Response - Course 536
• UNIX and Linux Security - Course 433
• Securing Wireless Networks - Course 420
• Securing Windows Server 2003 - Course 599

Introduction to NSM

Defensible networks

• The enemy's plan of attack
• Rapidly identifying intrusions
• Utilizing multiple detection components

The role of an IDS

• Revealing violations of information assurance policies
• Validating IDS events with NSM techniques

Navigating the IDS landscape

• Classifying detection techniques by the attack time line
• Investigating the Snort MySQL alerts database
• Enhancing attack detection with honeypots

Deploying a Network IDS

Monitoring attacks on the network

• Locating NIDS sensors
• Operating sensors in a stealth mode
• Detecting wireless intrusions with Snort-Wireless

Solutions for a switched network

• Sniffing switches with Switch Port Analyzer (SPAN) feature
• Connecting sensors with hubs and Taps
• Combining outputs of a dual Tap

Uncovering intrusions in the enterprise

• Designing a multilayer distributed IDS hierarchy
• Consolidating with Security Management Systems
• Ensuring reliability with IDS load balancers

Interpreting IDS Alerts

Identifying IDS signatures

• Anomaly and misuse detection, stateful analysis and advanced string matching
• Selecting raw and smart signatures
• Improving signature quality for an exploit
• Discovering IDS signature syntax

Discovering attacks with Host-IDS (HIDS)

• Centralizing logs with syslog
• Analyzing server and firewall logs for anomalies
• Detecting log tampering
• Querying logs with Microsoft Log Parser

Verifying IDS operation

• Scanning with Vulnerability Assessment (VA) tools
• Replaying traces of real attacks with tcpreplay
• Crafting IP attack packets

Tuning the IDS

• Minimizing false positives with dynamic tuning and attack relevancy
• Utilizing event filtering, propagation, consolidation and parameter tuning
• Aggregating multiple events

Evading IDS

• Hiding Web attacks via SSL and polymorphic mutation
• Overlapping IP and TCP fragments
• Slicing packets with fragroute

Analyzing Intrusions

Monitoring network security using NSM

• Examining transcripts and sessions
• Resolving an attacker's identity
• Scoping the intrusion
• Catching internal attacks with extrusion detection

Validating intrusions

• Correlating IDS alerts with vulnerabilities
• Congregating events from multiple sources
• Capturing a high-level security view with event correlation

Classifying attack scenarios

• Directly attacking servers
• Indirectly attacking clients
• Discovering island hopping attacks

Performing digital network forensics

• Securing the sensor
• Collecting evidence

Recognizing Attacks

Scanning for low-hanging fruit

• Footprinting an organization
• Detecting stealth port scans

Creating buffer overflow (BO)

• Discovering remote BO attacks
• Mutating BO exploits

Cyberextortion with Denial of Service (DoS)

• Attacking with hacker botnets
• Reflecting with DrDoS (Distributed Reflection DoS)