Threat Discovery and Defense using Arbor Spectrum

This two-day course focuses on leveraging Arbor Networks Spectrum to proactively hunt and isolate network threats such as security breaches, intrusive behavior (probing), lateral movement between hosts (infection), and data compromise with possible exfiltration.

The goal of the course is to build the attendee's confidence by providing hands-on experience in using Arbor Networks Spectrum to identify and analyze malicious network activity. Attendees will learn to discover malicious host movement on the network using a variety of resources such as traffic patterns, attack signatures and pcap forensics. The attendee will learn effective strategies for isolating lateral movement of threats between critical network resources.

Then, during lab exercises, students will identify, track and mitigate a network attack campaign, concluding with a Report Out that summarizes the severity of the threat, the consequences to critical corporate resources, and recommendations for future mitigation.

Target Audience

Security administrators, network operations personnel, and staff responsible for monitoring network activity, protecting against threat intrusion and ensuring peak performance of the Arbor Networks Spectrum deployment.

Duration

16 Course Hours

Course Topics

  • Arbor Spectrum Overview
  • Key features and benefits of Spectrum
  • Hardware overview and network deployment options
  • Basics of the Cyber Kill Chain
  • Identifying potential Threat Activity
  • Correlating lateral movement between network hosts
  • Developing hunting processes and structured methodology
  • Administrative tasks

Upon completion, participants should be able to:

  • Understand the changing nature of the threat characteristics facing today's networks
  • Recognize the lifecycle of the Cyber Kill Chain and how it affects network security
  • Leverage the Spectrum Hunting Module to identify potentially malicious activity
  • Identify Threat Indicators as spotlighted via AIF and ETPro feeds
  • Analyze traffic patterns between network hosts
  • Identify lateral movement of malicious hosts indicating additional compromise
  • Determine if data exfiltration has occurred and track where it’s gone
  • Coordinate with Arbor APS to block identified threat actors

Course Outline

  1. Arbor Spectrum Platform Overview
    • What does Spectrum address?
    • Key Arbor Spectrum features
    • ASERT/AIF overview
    • Data collection and retention capabilities
    • Demo of the Arbor Spectrum UI
    • Hardware overview
      • Controllers vs. collectors
    • Deployment concepts
      • Packet vs. flow
      • Traffic considerations and platform location
      • Creating a Protection Group for each protected server type
      • Single vs. multiple collector environments
  2. The Cyber Kill Chain
    • Intrusion from an Attacker’s perspective
    • Understanding the stages of an Orchestrated Attack
    • Differences between Arbor Spectrum and traditional defense methods
    • Leveraging Arbor Spectrum to disrupt the Cyber Kill Chain
      • Identifying threats in the Hunting Module – search tools, trends, AIF
      • Understanding traffic and Threat Indicators via the Host Dossier
      • Forensics – using the Connection Module, Analysis data and pcap downloads
  3. The Hunting Module
    • Understanding the Spectrum Landing Page
    • Exploring and leveraging Visualization Pages by:
      • Summary
      • Sources
      • Destinations
      • Indicators/Services
      • Analysis
    • Live Stream mode to monitor for ongoing threats
    • Applying filters and trend overlays
    • Identify top attack Sources and Destinations
    • Disable irrelevant attack signatures for greater focus
    • Leverage the Analysis Tab and pcap downloads
  4. The Host Dossier Module
    • Understanding the Host Dossier page
      • What does it show and why is it important?
    • Traffic & Threat Indicator overlay
    • Explanation of the Sankey Diagram
    • Focus change and Links to other modules
  5. The Connections Module
    • Searching for connections from host to host on the network
    • Determine if Lateral Movement has occurred
    • Understanding and exporting connections results
    • Confirmation of Data compromise and Exfiltration
  6. Spectrum Workflow Methodology
    • Attack identification based on AIF
    • Identify a threat based on indicator trends
    • Investigate a threat based on source/destination IP or indicator type
    • Correlate threat indicators with traffic flow for a compromised machine
    • Identify system compromise and data exfiltration
    • Following the threat – understanding the timeline
  7. Administrative Tasks
    • User Administration
    • Capture Point management considerations
    • AIF and ETPro feed updates & configuration
    • APS Integration & syslog notifications
    • Basic system Troubleshooting

Arbor Networks Educational Services

Arbor Networks offers a comprehensive selection of technical training courses, each geared to participants with distinct skill sets, from novice network operators to senior system administrators. Instructors with extensive security and networking experience lead the classes, and all required training materials are provided. Each training session combines classroom instruction with tailored, hands-on exercises in live network environments, so that participants learn practical, rather than just theoretical, skills. This approach enables participants to gain the knowledge required to successfully operate their Arbor solutions while maximizing product performance.