Cybersecurity Threats and Defenses in a Microsoft 365 Platform

Class Overview

Traditional security methods have treated an organization’s network perimeter as the primary security boundary. In today’s world, however, that boundary is often bypassed, especially when data and resources are hosted outside the traditional network, or when adversaries gain access to workstations inside it through phishing and other attacks. Cyber attacks then target accounts and other forms of privileged access to reach targeted data and systems quickly, using credential theft and reuse techniques such as token manipulation, pass-the-hash, and pass-the-ticket.

In this training, you will learn how to address these critical issues with the security features built into Windows Client and Server, as well as Azure and Microsoft 365, and how to get the most out of your investment in the Microsoft platform. This is a unique hands-on lab for IT professionals and IT managers covering all aspects of Windows enterprise security from both the attack and the defense perspective.

The training covers threats including advanced persistent threats (APTs), identity theft, and the hacker tools and techniques used by cybercriminals and other malicious actors. It also focuses on how to defend and protect a modern Windows environment using the latest built-in features and components, together with PKI and certificate-based authentication, privileged identity management, remote administration, just-in-time access, behavior monitoring, and more.

For each attack scenario covered in the training, the instructors discuss protection and mitigation strategies based on their extensive real-world experience and knowledge. Using examples from incidents, attacks, and Red Team exercises, they demonstrate why governing privileged access matters, how it minimizes your organization’s attack surface, and how it thwarts attacks already in progress.

Key members of the Truesec cybersecurity team, consisting of both red and blue team members and other security experts, developed this unique training based on real-world experience from numerous incident response cases, penetration tests, security health checks, Red Team exercises, and security design and architecture projects. They include some of the world’s leading security experts, Cloud and Enterprise Security MVPs, and recognized Microsoft Ignite speakers.

After taking this course, you will fully understand today’s threats and be able to implement security controls that have been proven to defend Microsoft infrastructure effectively in the real world. You will take home key knowledge drawn from the instructors’ many years of experience helping customers in the field investigate and mitigate security challenges.

Level

300 (Advanced)

Who Should Attend

IT technicians, administrators, architects, and IT managers who want to learn more about cybersecurity with a focus on Microsoft security.

Prerequisites

Good IT knowledge of enterprise environments and Windows systems, with some experience administering cloud services.

Course Materials

Student lab manual and tools.

Instructor

Hasain “The Wolf” Alshakarti – well-known cybersecurity and identity expert

Class Outline

Module 1 – Introduction

  • Intelligence report – the latest threats and notes from the field
  • Anatomy of APTs and targeted attacks
  • Crypto mining
  • Ransomware / crypto locking

Module 2 – Initial Recon

  • Advanced information gathering
  • Social engineering using social networking, email, and similar channels
  • Network and host-based enumeration
  • System and service enumeration
  • Vulnerability analysis

Module 3 – Remote Attacks

  • The anatomy of exploitation
  • Buffer overflows
  • Attack frameworks
  • Password-based attacks, passive and active (brute force, spraying, reuse)

Module 4 – Web/SQL-Based Attacks

  • The anatomy of web/SQL exploitation
  • OWASP Top 10

Module 5 – Client-Side Attacks

  • Phishing attacks
  • Credential theft
  • Exploit-based attacks using attack frameworks

Module 6 – Lateral Movement

  • Remote access tools and Trojans
  • Lateral movement using dependencies
  • Passing the hash and passing the ticket
  • Token manipulation
  • Other credential extraction

Module 7 – Miscellaneous Attacks

  • Wireless attacks
  • Physical attacks including attacks on encrypted laptops
  • Mobile platforms

Module 8 – System Hardening

  • Intelligence report – The latest features, tools, and techniques from the field
  • Windows enterprise-hardening strategies
  • Security policy configuration, security compliance, and enterprise distribution
  • System security update strategies – patch management
  • Implementing AppLocker in the real world
  • Health attestation (Hyper-V guarded fabric and physical endpoints)
  • Device encryption (BitLocker)
  • Device Guard (TPM, Credential Guard)
  • Hardening system management (WinRM, PowerShell, RDP, WMI, RPC, etc.)

Module 9 – Enterprise Authentication and Authorization

  • PKI-based authentication
  • Virtual smartcards, smartcards
  • Authentication Mechanism Assurance
  • Active Directory authentication strategies
  • Claims-based authentication and identity federation (ADFS, Azure AD, other cloud services)
  • Authentication policies and silos (AD, Kerberos)
  • Windows Hello for Business
  • MFA (Azure MFA, Azure AD, token-based, passwordless)
  • Service accounts (managed service accounts, service account strategies)
  • Privileged Access Management (Privileged Access Management with Active Directory, Azure Privileged Identity Access Management, JIT, JEA, etc.)
  • Secure Score (Azure AD, Office 365, Azure ATP)
  • Dynamic Access Control and conditional access policies (on-prem, Azure AD)

Module 10 – Network Security

  • IPsec/domain isolation (zero trust networks)
  • Server/service isolation (on-prem, Azure Security Groups, Azure Firewall)
  • Windows Advanced Firewall
  • DirectAccess/Always On VPN

Module 11 – Auditing

  • Endpoint monitoring (Sysmon, ELK)
  • Windows Defender ATP
  • Azure Log Analytics
  • PowerShell logging
  • Advanced auditing

Module 12 – Data Protection

  • Azure Identity Protection
  • BitLocker
  • Rights Management Services
  • File system encryption

Module 13 – Summary

  • Mitigation and protection strategies
  • Incident response
