Intrusion Detection and Analysis Training or Certification

Hi Everyone,

I wanted to get some feedback to see if there are any training programs for IDS/Intrusion Analysis (similar to Pen testing and OSCP course).

I was looking for options beyond SANS training (if they exist).

Thanks!

Find more posts tagged with

Comments

JDMurray

The vendor-specific Snort certification is the first thing that jumps to my mind.

ibcritn

JDMurray wrote: »

The vendor-specific Snort certification is the first thing that jumps to my mind.

Good advice. I did consider them, but I believe they are focused on building/deploying/managing the IDS and less focused on the actual analysis.

I am looking for training that will more or less teach the analysis. The rule writing would be useful, but my current role doesn't have me building/deploying rather analyzing the alerts so I suppose more GCIA, but just wanted to see if there were any other options.

Thanks again for the reply.

JDMurray

Pure log and network traffic analysis is more of a SANS thing or found in advanced college classes. Education stuff from vendors only teach analysis from the aspect of their product, such as Splunk, Narus, eEye, and ArcSight.

docrice

I think the best way to start learning analysis for free is to understand first how protocols natively work in the wild. If you spend lots of quality time with Wireshark or tcpdump and just watch packets fly by, you'll see patterns. Then replicate some of the things taught in the various offsec courses and compare.

You can take it a step further and set up a DMZ (a real one, not the "DMZ" that a lot of consumer routers refer to) in your home environment and set up a VM-based web server that you can revert to snapshot quickly. Allow TCP ports 80, 443, and 22 (as well as ICMP) from the Internet to your guinea pig and see what happens. Just make sure it doesn't get taken over and let the attackers use it as a launching point against others. This is pretty risky though, so it might be enough to just see what gets dropped on your firewall to begin with.

There are also various websites out there which have packet captures which show attack traffic. Take a look at The Honey Project as well: http://www.honeynet.org/.

docrice

It looks like TCP/IP Weapons School 3.0 finally made it to my area:

http://www.usenix.org/events/sec11/training/tutonefile.html#Monday

It's happening at Black Hat Vegas this year as well. Something else to consider, FYI...

ibcritn

docrice wrote: »

It looks like TCP/IP Weapons School 3.0 finally made it to my area:

USENIX Security '11 Training Program

It's happening at Black Hat Vegas this year as well. Something else to consider, FYI...

Hey thanks for the info.

I am fully preparing to take Mr. Bejtlich's TCP/IP weapons course. I emailed Mr. Bejtlich tonight to get on his list for the next class as I have heard this is really great for network security monitoring.

Should really help me expand in my new responsibilities of IDS/Network traffic analysis for attacks/exploitation.

I will be at Black Hat this year and I was given 1 course and ( I am kicking myself right now), but I signed up for another hacking course.....when I likely would have gotten more out of the TCP/IP weapons course.

lanrexng2

I agree understanding how protocols work and labbing with open source tools available.

docrice wrote: »

It looks like TCP/IP Weapons School 3.0 finally made it to my area:

USENIX Security '11 Training Program

It's happening at Black Hat Vegas this year as well. Something else to consider, FYI...

I love his method of teaching already. Absolutely no slides and heavily lab driven.

TaoSecurity: Sample Lab from TCP/IP Weapons School 2.0 Posted

docrice

I just signed up for TCP/IP Weapons School 3.0 at USENIX in San Francisco. I'm excited and can't wait until August rolls around. Since this is (relatively) close to me rather than going out-of-state, it's convenient. I guess I'll be missing Black Hat and Defcon this year though.

Paul Boz

GCIA will certainly give you good insight into intrusion analysis (just passed it today). I have to agree with the Sourcefire / Snort options as well. Sure they are centric to deployment of the products with minor analysis, but they use a standard format and the content is fresh. Snort is really the pillar of the IPS genre so you can't go wrong with the associated certs and training material.

I'm straight up challenging the SFCE in a few weeks. I got my hands on my first Sourcefire product two weeks ago and already have it in production, tuned, and filtering traffic. It came with the master product guides for their bigger platforms and other features which I don't have (like RNA) but I figure if I can pass the GCIA there's no reason why I can't just tie this one on.

docrice

I'm very curious what the SFCE exam is like. Be sure to keep us in the loop. What are your comparisons between Sourcefire's offerings vs. HP / TippingPoint?

Paul Boz

Never messed with Tipping Point products. I currently have 12 managed Cisco IPS but I'm going to try very very hard to replace them with two better-placed Sourcefire boxes. I'll definitely make a thread around the Sourcefire cert.