> back to overview
The Information Security Hub invite you to our first ISH  Conference in May, 2019
Be part of it!
Training overview
May 08, 2019
08.30 - 09.00
Option 1 : 09.00 - 17.00            
 Shifting to intelligence driven Cybersecurity Command and Control
Option 3: 09.00 - 17.00
 4 experts on real-world cyber protection / Server Exploitation
Option 4: 09.00 - 17.00
 Malware Analyses / 4 experts on real-world cyber protection
May 09, 2019
08.30 - 09.00
Option 2: 09.00 - 17.00
 Bloodhound Training
Option 3: 09.00 - 17.00
 Data Theft
Option 4: 09.00 - 17.00
Secure Operations Technology Advanced Cybersecurity for Industrial and Airport Operations / Minutes matter - how to resolve cyber attack incidents faster
May 08, 2019
Option 1
Session: 09.00 - 17.00
Noam Jolles, DISKIN Advanced Technologies

In a classic operations centre the Sec-Op/ IT-Op analyst is bombarded with data and tasks, fighting to correlate, detect and prioritize threats, referring to threat intelligence feeds mostly as random supporting signals. Is it possible to use threat intelligence effectively to extend attack kill chain? What could be the right model to measure and maximize TI value to enable offensive defence? This unique hands on workshop sets the stage for security decision makers to lead tactics and minimize suffers by shortening time between weak signal and threat containment, based on proven innovative Israeli cyber-intelligence methods that were to successfully pre-empt terror attacks.

Persons in charge of
  • Chief security officers and security leaders
  • SOC / CERT leaders/ Security team leaders. Intelligence team leaders
  • Threats hunters
  • Information security professionals

Learning objectives

  • Better understand their actual threat landscape and relevant adversary behaviours.
  • Better integrate adversary insight to SOC technology stack and lead tactics for response modelled on adversary behaviour.
  • Effectively manage intelligence based dynamic defence at strategic, tactical and operational levels.
  • Efficiently prioritize threat intelligence signals by structured operational parameters.

Intelligence briefing

  • Realtime Intelligence briefing of active campaigns and adversaries' activity.
  • Introduction to the main actors operating today, their agenda, dynamic, methods and capabilities.
  • The introduction will include updated intelligence briefing regarding relevant groups that currently lead cyber-crime and cyber espionage sphere and set its tone over the past four years and ongoing.

Counter Intelligence hands on training

  • Taking a safe step into adversary arena: In a safe and managed way we will elaborate our understanding of attacker expected behaviour and methods, by browsing to watch actual attacks evolvement at four pre-attack phases: Intentions, Conspiracy, Assembly and weaponization.
  • Bite sized Reconnaissance simulation: By training and experiencing actual actors’ reconnaissance methods, we will be able to better spot and assess potential weak links and vulnerabilities.

Intelligence driven cyber security command and control

  • Introduction to the existing TI solutions typology.
  • Introduction to working flows and models uniquely designed to enable Intelligence based decision making in a dynamic threat landscape/ prioritize and evaluate alerts/ deal with information overflow/share information and interact with agencies and partners.
Option 4
Malware Analyses
Session: 09.00 - 12.30
Pierre Kroma, SecureLink Germany GmbH

A user of the personnel department receives an application by email. In addition to opening a PDF file, it turns out that the user's secret logon information is e-mailed in the background. In the demo, the malware runs in a sandbox and verifies what exactly reproduces the malware process

  • Analysis of the attack and determine the cyber kill chain.
  • Introduction to CDC tools, which are necessary for the analysis
  • Discussion of the incident response process


Option 3 / 4
4 experts on real-world cyber protection
Session: 09.00 - 12.30
Frank Jonas, Kaspersky Lab

In a small series of talks, experts give an overview on options and action in detecting and fighting real world cybercrime events.

There are so many real or perceived cyber risks, but only limited time and resources to deal with it. We will try to give guidance on what to be prepared for and how to deal with it.


Persons in charge of

  • CERT / SOC manager and team members
  • IT Security staff
  • Risk management
  • all interested
  • State sponsored espionage
    • an insight view from the Kaspersky Research Team
  • Chose & use of Threat Intelligence
    • Can an organization / company be protected?
    • Publish domain sources and closed once sources
    • How to choose?
    • Few people & so much information....
    • Automating or reading, efficient work in a CERT / SOC
  • Something is going on - Incident Response
    • Short introduction to Incident Response (protect the organization & next steps)
      • Workflow etc.
      • Intelligence-Driven-Incident Response
    • How to be prepared?
    • Common challenges and their approach
  • Industrial cyber security
    • Industry xx from a Security standpoint
    • Real cyber threats in industrial environments
    • Attack on industrial processes (with demonstration model)
    • Possible detection mechanisms and counter actions


Option 3
Server Exploitation
Session: 13.30 - 17.00
Pierre Kroma, SecureLink Germany GmbH

The jump host of the service provider for managing the network was attacked. The attacker attacked this system in the DMZ and will then gain an overview of the internal system landscape. The attacker was then able to identify a vulnerable network management server. He uses an existing vulnerability in the server to compromise the system. In conclusion, the attacker will create a persistence and clean-up the traces. The aim of the demo is to analyze this multi-stage attack, to secure traces and to make recommendations for action.

  • Analysis of the attack and determine the cyber kill chain.
  • Introduction to CDC tools, which are necessary for the analysis
  • Discussion of the incident response process


MAY 09, 2019
Option 2
Session: 09.00 - 17.00
Walter Legowski / @ sadprocessor

Bloodhound is an open-source Active Directory object relationship graphing tool. Initially designed for offensive purposes, it has lately become a tool of choice for defense, as well as regular admins wanting to have a clearer picture of their domains/forest.

In this session, attendees will learn the core Bloodhound concepts and UI navigation, before diving into Cypher - the Neo4j database query language. Understanding the basic Cypher syntax is important for users to start writing custom queries, including ‘Metric’ queries that can not be perform in UI. Various Cypher input techniques will be demonstrated, as well as a custom PowerShell tool build to interact with the Bloodhound Database.

Persons in charge of
  • Reds & Blues
  • (Windows) Security Folks
  • AD admins
  • IT Students
What is BloodHound?
  • Intro to BloodHound & relational databases
  • BloodHound Node types and relationship
  • Sharphound\: Harvesting and Ingesting AD data
  • Initial Setup \& Sample DB
  • Self Discovery & UI Secrets
What is Cypher?
  • Intro to neo4j Cypher language
  • BloodHound Cypher 101
  • Custom Cypher Queries (UI/Browser)
  • Cypher over REST API
  • Manipulating BH DB with Cypher
  • Advanced Neo4j Syntax tricks
  • Pulling AD metric from BH DB
  • Tool Demo: CypherDog15
Session Wrap up
Option 3
Data Theft
Session: 09.00 - 17.00
Pierre Kroma, SecureLInk Germany GmbH
A dissatisfied customer service representative wants to leave lasting damage before leaving the company. He uses an SQL vulnerability in an internal service tool that he uses daily in the company's customer service. He succeeds in creating a copy of the confidential customer data of the database server. Since the PC from which he works has limited access to the Internet, he will use a firewall bypass technique to exfiltrate the data to an external server. Finally, he will publish the sensitive data in the Darknet.
  • Analysis of the attack and determine the cyber kill chain.
  • Introduction to CDC tools, which are necessary for the analysis
  • Discussion of the incident response process


Option 4
Secure Operations Technology Advanced Cybersecurity for Industrial and Airport Operations
Session: 09.00 - 12.00
Andrew Ginter, VP Industrial Security, Waterfall Security Solution

This course surveys industrial network security problems and introduces Secure Operations Technology (SEC-OT) – a perspective, methodology and set of best practices for designing secure industrial control systems.  SEC-OT is the methodology used by the world’s most secure industrial sites. What the most secure sites do differs sharply from what most industrial sites do.

This course is based on the instructor's latest book Secure Operations Technology. Free copies of the book will be available to students, courtesy of Waterfall Security Solutions.

Course Content
  • Survey of issues applying IT-SEC to industrial / airport operations
  • Industrial security priorities: safety, reliability, correct control – not CIA or AIC
  • Patching/security updates are costly, with limited effect
  • IT-style security monitoring introduces attack paths
  • Encryption of certain networks increases costs and risks, with limited benefits
  • SEC-OT concepts
  • Protecting airport operations from information, rather than protecting the information itself
  • Classifying and grouping cyber assets into control-critical networks
  • Physical protection from information, control and attack flows
  • Defeating Offline Attacks
  • Offline survey
  • Test beds
  • Removable media and devices
  • Hardware and software supply chain
  • Insiders
  • Defeating Online Attacks
  • Online survey
  • Air gaps and their limitations
  • Unidirectional gateway technology
  • Twenty unidirectional network architectures
  • Airport use cases
  • Capabilities-based risk assessment
  • A standard set of cyber attacks
  • Using the attacks to evaluate IT-SEC, IIoT and SEC-OT security architectures
  • Communicating risk assessment results to senior management
Option 4
Minutes matter - how to resolve cyber-attack incidents faster 
Session: 13.00 - 12.00


This course gives participants an in-depth understanding of teh way to resolve incidents faster using IT Alterting.

By the end of this course, participants will be ablte to:

  • Understand the how to shorten the Mean Time to Resolve any kind of cyber attack
  • Understand how to increase the efficiency of Teams responding to such an event
Course Content
  • General introduction
  • Walk through cyber incident response 
  • The importance of reducing incident response
  • Automation to significantly reducing incident response
  • Making sure you have the Security dream team responding
  • Understanding how your organization responded