Linux & Cloud Security Operations Training

At Longterm Security, we provide training for organizations looking to build up or improve their in-house Security Operations capabilities. Our other trainings include offensive security training which focuses on reverse engineering, vulnerability discovery, and bypassing exploit mitigations.We also have defensive security training for security design reviews, secure coding and testing methodology.

We’d like to point out that in-house only Security Operations is not the only way to go. Upon request, there are a number of Managed Security Service Providers (MSSPs) that we can recommend for organizations looking to outsource their security monitoring and threat hunting to experts. Although most organizations do Security Operations in-house, we recommend looking at MSSP offerings as well since the best MSSPs will have solid teams with unparalleled experience and they regularly deal with real world breaches.

Our training focuses on the monitoring of Linux servers & Cloud services for those organizations running in-house programs. The training enables teams to gain much better visibility into their networks, data, and servers to detect, prevent, and respond to breaches and build hands on experience with readily available technologies.

The end goal of the training to make a teams battle-hardened and ready to detect real world attacks.

To put things into perspective, consider the tactics used by Alexey Belan, one of the now infamous Yahoo attackers from 2014, which Chris McNab from AlphaSOC outlined in an excellent post. Does your Security Operations team have monitoring in place that’s capable of detecting some of that activity inside your own network? Here are some examples from this writeup:

  • Exploitation of PHP code execution vulnerabilities
  • Credential searches on internal wikis
  • Backdoored sign-in page installation
  • Malicious code deployment to production
  • Linux privilege escalation via userland vulnerabilities
  • Data exfiltration over NFS shares
  • Internal network port scanning
  • Internal network SSH brute force attacks
  • Hiding tracks with wiped utmp, wtmp entries

We train teams to build capabilities to monitor for and detect intrusions that employ tactics such as these.

To do this we provide students with linux environments to defend throughout the course. We show how to use operating system features and open source tools such as ELK, elastalert, OSQuery, auditd, seccomp, containers, and bro to monitor and defend linux systems. The training teaches how to operationalize security data into actionable information with meaningful security alerts.

We also go through a few realistic incident response simulations to test the defensive work and reinforce the teaching. We also practice forensics capabilities in the simulations with tools such as volatility.

To pull this all off, we’ve also “gamified” the training. From the very first day, the environments are running services that are being actively attacked in what we like to call a “reverse-CTF”. In a normal capture the flag competition, teams work primarily to find vulnerabilities, patch them, and exploit them to steal other team’s flags. In the training, we twist flags to also emphasize defensive skills with “attack flags”.

In addition to traditional CTF flags on systems, attack scripts are continuously placing “attack flags” by actively exploiting a vulnerability and performing malicious or anomalous system activity. Defending students need to operationalize their security monitoring capabilities to automatically detect (and sometimes block) the attacks, extract the “attack flags” and turn them in for points.

To be successful students some need some foresight to build good alerts as well as skill at looking through security data, identifying an attack, and then writing an alert to automatically “capture” the attack.

On the final day of the training, we have two phases for students to test their skills and have some fun, phase one is purely defense and phase two allows attacking too.

During phase one we turn the points on, put a scoreboard up, deploy fresh services, and test how well teams withstand attacks against unknown system weaknesses. To do well they need to put together the capabilities they have developed across all of their cloud, host, and network monitoring. Points are scored for preventing attacks attacks as well as detecting “attack flags”. Teams can update their tools and alerting and patch vulnerabilities throughout the event.

Since defence is hard, during phase two we let teams go on the offensive. We add another batch of services and connect the different student environments together to allow teams to go head to head against each other’s systems for points while trying to evade detection.

If your organization would like to learn more about this offering and ask about a tailored training please reach out to