O'Reilly logo
live online training icon Live Online training

Defensive cybersecurity fundamentals

Utilizing the kill chain

Topic: Security
Amanda Berlin

Everyone talks about the intrusion kill chain (sometimes called the “cyber kill chain”)—a model for actionable intelligence in which defenders align enterprise defensive capabilities to the specific processes an adversary might undertake to target that enterprise. However, much of what’s discussed publicly is misinformation and scare tactics.

Join expert Amanda Berlin to learn the most effective steps you can take to protect your organization from the vast majority of threats with defensive mitigation and monitoring. Through use cases such as ransomware, data exfiltration, and lateral movement, you’ll see how to improve the standard of defense at each level, then discover step-by-step what you can accurately cover using the kill chain by working through use cases that outline the specifics of attacks. You'll also gain hands-on experience through tabletop exercises and drills to strengthen your understanding.

Much of what’s covered will be hands-on walk-throughs in a Microsoft Windows environment. Windows domains are the most popular target for attackers as they’re frequently the most insecurely configured.

What you'll learn-and how you can apply it

By the end of this live online course, you’ll understand:

  • Offensive and defensive tactics, techniques, and procedures surrounding three important use cases that constantly are a threat to enterprises
  • How to complete 10 or more specific configuration changes to increase the security against the use cases listed

And you’ll be able to:

  • Gather open source intelligence (OSINT), including names and emails that an attacker may be able to take advantage of
  • Navigate several built-in Windows tools, including Group Policy and AdsiEdit
  • Implement LAPS

This training course is for you because...

  • You’re a systems administrator looking for a step-by-step guide to configuration changes in an enterprise.
  • You’re a general security practitioner looking to gain insight on defensive security strategies.
  • You’re an IT practitioner who's being encouraged by your organization to step into an information security role.


  • A general understanding of operating systems and technology in general
  • The ability to navigate the command line at a novice level
  • Knowledge of common security terminology (macros, attacker, threat, data exfiltration, etc.)
  • Set up three virtual machines with up-to-date patching (instructions below)

Create three virtual machines:

  1. list text hereCreate a Windows Server VM.

  2. Any supported version is fine, but the instructor will be using Server 2016.

  3. Walk through installation and get to a stable, barebones state.
  4. Create a C:\temp folder to store files in.
  5. Save in C:\temp.

  6. Create a VM of a supported enterprise version of Windows Desktop.

  7. Any supported version is fine, but the instructor will be using Windows 10.

  8. Walk through installation and get to a stable, barebones state.

  9. Create a Kali Linux VM.

  10. Walk through installation and get to a stable, barebones state.

Windows Server Files

Powershell Script Save the following as HoneyDirectory.ps1 in C:\temp:

Let's grab the DeviceID for the C volume

$Volume_info_for_C = Get-WMIObject -Class Win32_Volume -Filter "driveletter='c:'" $Device_ID_of_C = $Volume_info_for_C.DeviceID

Normally, everything is mounted only to the root (C:) but we are going to get creative.

$Sinkholes = @('$$') ForEach($Sinkhole in $Sinkholes){ New-Item c:\$Sinkhole -ItemType directory $Volume_info_for_C.AddMountPoint("c:\$Sinkholes") }


  1. Download Bloodhound.
  2. Save in C:\temp.

LAPS: Download LAPS. Save in C:\temp.

About your instructor

  • Amanda Berlin is a Sr. Security Analyst for a Blumira in Southern Michigan. She is the author for a Blue Team best practices book called "Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O'Reilly Media. She is a co-host on the Breaking Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Industries (PCI) process and Health Insurance Portability and Accountability Act (HIPAA) compliance as well as building a comprehensive phishing and awards-based user education program. She now spends her time creating as many meaningful alerts as possible.


The timeframes are only estimates and may vary according to how the class is progressing

Introduction (15 minutes)

  • Presentation: Kill chain overview; common threats; reverse kill chain spreadsheet overview; other kill chain variants

Setup (30 minutes)

  • Hands-on walk-through: Promote server to domain controller; set up IP addresses and DNS; add PC to domain
  • Break (10 minutes)

Case study 1: Ransomware (60 minutes)

  • Hands-on exercises: Set default file associations; disable macros; implement honey directories
  • Q&A
  • Break (10 minutes)

Case study 2: Theft, loss, and data exfiltration (30 minutes)

  • Presentation: Overview of DLP
  • Hands-on walkthrough: Install and set up Snort
  • Demonstration: Alerting on Tor traffic

Case study 3: Lateral movement (45 minutes)

  • Hands-on exercises: Enumerate Active Directory with Bloodhound; disable LMMNR and LM hash; enable alerting for Bloodhound; SMB brute-force attack and monitor
  • Wrap-up and Q&A