My Experience With Recon Infosec’s NDR Training

I had the opportunity to attend Recon Infosec’s first Network Defense Range (NDR) Training on November 16th and 17th. They also run an awesome competition called OpenSOC. I participated in OpenSOC for the first time three months earlier and LOVED it, so I was very excited for this training. It did not disappoint.

I attended the two-day Essentials course taught by Eric Capuano. Eric is an excellent instructor who is very passionate about what he teaches.

Discord was used for the training. Prior to this year I hadn’t even heard of Discord, but by the time I attended this training, I belonged to over 30 cybersecurity Discord servers and attended several conferences that used it. Recon was looking into other platforms, but I thought Discord worked well.

Day one started out with an overview of most of the tools we would be using:

Graylog – A centralized log management solution.

Kibana – A data visualization interface.

Arkime (formerly Moloch) – An indexed packet capture and search tool.

osquery – A SQL-powered operating system instrumentation, monitoring and analytics framework.

Velociraptor – An endpoint visibility and collection tool.

All of these tools are free and open source. They were set up through Recon Infosec’s training platform so there was no need to install them on your own computer.

Day one also covered continuous monitoring, threat hunting with MITRE ATT&CK, Incident Response using PICERL, and included a guided threat hunt. As an entry-level Incident Response Analyst who’s been in the field for about a year and a half, I learned A LOT. Eric went into detail about different approaches for threat hunting, how to use queries in the tools we were using, and talked about how different Windows processes can be used in an attack. Throughout the class, students were able to ask questions in Discord.

Day two started out with an overview of The Hive, which is a great open source tool for tracking Incident Response cases.

We were assigned to teams on day one, but they weren’t utilized until day two when we were given a scenario and unleashed to hunt on our own (well, not entirely on our own). The teams used Discord voice chat as well as text chat on a different platform. There was coaching and mentoring from Recon available during the hunt if needed. Every team had a Team Lead who was responsible for creating and assigning tasks in The Hive based on the specialties of the other team members. Being relatively new to the field, I personally thought that having some kind of playbook to follow during the hunt would have been helpful as well.

After the hunt, there was an adversary debrief where we went over the entire attack from the perspective of the attacker and learned exactly how it was done.

Now, if you follow me on social media, you know how much I love to share free training. This is a little on the pricey side. If you are able to afford it, or if your employer will pay for it, Recon Infosec’s NDR Training is absolutely worth it.