O'Reilly logo
live online training icon Live Online training

Defensive cybersecurity fundamentals

Utilizing the kill chain

Amanda Berlin

Everyone talks about the intrusion kill chain (sometimes called the “cyber kill chain”)—a model for actionable intelligence in which defenders align enterprise defensive capabilities to the specific processes an adversary might undertake to target that enterprise. However, much of what is discussed publicly is misinformation and scare tactics.

Amanda Berlin explores the most effective steps you can take to protect your organization from the vast majority of threats with defensive mitigation and monitoring, covering use cases such as ransomware, data exfiltration, and lateral movement to demonstrate how to improve the standard of defense at each level. You'll learn step-by-step what you can accurately cover using the kill chain by working through use cases that outline the specifics of attacks. You'll also gain hands-on experience through tabletop exercises and drills to strengthen your understanding.

Much of what is covered will be hands-on walkthroughs in a Microsoft Windows environment. Windows domains are the most popular target for attackers as they are frequently the most insecurely configured.

What you'll learn-and how you can apply it

By the end of this live online course, you’ll understand:

  • Offensive and defensive tactics, techniques, and procedures surrounding three important use cases that constantly are a threat to enterprises
  • How to complete 10 or more specific configuration changes to increase the security against the use cases listed

And you’ll be able to:

  • Gather open source intelligence (OSINT), including names and emails that an attacker may be able to take advantage of
  • Navigate several built-in Windows tools, including Group Policy and AdsiEdit
  • Implement LAPS

This training course is for you because...

  • You’re a systems administrator looking for a step-by-step guide to configuration changes in an enterprise.
  • You’re a general security practitioner looking to gain insight on defensive security strategies.
  • You’re an IT practitioner who's being encouraged by your organization to step into an information security role.


  • A general understanding of operating systems and technology in general
  • The ability to navigate the command line at a novice level
  • Knowledge of common security terminology (macros, attacker, threat, data exfiltration, etc.)
  • Set up three virtual machines with up-to-date patching (instructions below)

Create three virtual machines:

List text hereCreate a Windows Server VM.

  • Any supported version is fine, but the instructor will be using Server 2016.
  • Walk through installation and get to a stable, barebones state.
  • Create a C:\temp folder to store files in.
  • Save in C:\temp.

Create a VM of a supported enterprise version of Windows Desktop.

  • Any supported version is fine, but the instructor will be using Windows 10.
  • Walk through installation and get to a stable, barebones state.

Create a Kali Linux VM.

  • Walk through installation and get to a stable, barebones state.

Windows Server Files

Powershell Script

  1. Save the following as HoneyDirectory.ps1 in C:\temp:

Let's grab the DeviceID for the C volume

$Volume_info_for_C = Get-WMIObject -Class Win32_Volume -Filter "driveletter='c:'" $Device_ID_of_C = $Volume_info_for_C.DeviceID

Normally, everything is mounted only to the root (C:) but we are going to get creative.

$Sinkholes = @('$$') ForEach($Sinkhole in $Sinkholes){ New-Item c:\$Sinkhole -ItemType directory $Volume_info_for_C.AddMountPoint("c:\$Sinkholes") }


  1. Download Bloodhound.
  2. Save in C:\temp.


  1. Download LAPS.
  2. Save in C:\temp.

About your instructor

  • Amanda Berlin is an Information Security Architect for a midwest based security consultant. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. While working the healthcare sector Amanda has been involved in creating a secure method of Payment Card Industries (PCI) and Health Insurance Portability and Accountability Act (HIPAA) compliance and building a comprehensive phishing and awards based user education program. Amanda is an avid volunteer and has also presented at a large number of conventions, meetings and industry events. She is currently working on co-authoring the Defensive Security Handbook with Lee through O’Reilly.


The timeframes are only estimates and may vary according to how the class is progressing

Introduction (15 minutes)

  • Lecture: Kill chain overview; common threats; reverse kill chain spreadsheet overview; other kill chain variants

Setup (30 minutes)

  • Hands-on walkthrough: Promote server to domain controller; set up IP addresses and DNS; add PC to domain
  • Break (10 minutes)

Case study 1: Ransomware (60 minutes)

  • Hands-on exercises: Set default file associations; disable macros; implement honey directories
  • Q&A
  • Break (10 minutes)

Case study 2: Theft, loss, and data exfiltration (30 minutes)

  • Lecture: Overview of DLP
  • Hands-on walkthrough: Install and set up Snort
  • Demonstration: Alerting on Tor traffic

Case study 3: Lateral movement (45 minutes)

  • Hands-on exercises: Enumerate Active Directory with Bloodhound; disable LMMNR and LM hash; enable alerting for Bloodhound; SMB brute-force attack and monitor
  • Wrap-up and Q&A