ＨｉｄｅＺｅｒｏＯｎｅ

This intensive three-day course is designed to teach the fundamental investigative techniques needed to respond to today’s cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms and investigate an incident throughout an enterprise. Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency.

Syllabus

• Describe the incident response process, including the threat landscape, targeted attack life cycle, initial attack vectors used by different threat actors, and phases of an effective incident response process
• Conduct system triage to answer key questions about what transpired across the enterprise during an incident
• Apply lessons learned to proactively investigate an entire environment (including metadata, registry, event logs, services, persistence mechanisms and artifacts of execution) at scale for signs of compromise
• Manage and effectively record information related to ongoing investigations and incidents
• Understand the role of the remediation phase in an enterprise investigation
• Understand how to hunt for threats using threat intelligence, anomaly detection and known threat actor techniques, tactics and procedures (TTPs)

Mandiant Academy – Windows Enterprise Incident Response

Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches in the last several years has shown that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of deeply technical areas including file systems, operating system design, and knowledge of possible network and host attack vectors.  During this training, students will learn how to approach digital investigations in a manner that allows for immediate forensic exploitation of relevant data both in-memory and on-disk. Significant hands-on experience during labs will train students to analyze the same types of evidence and situations that they will encounter in real-world investigations. This class is structured so that a specific analysis technique is discussed and then the students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives students a number of new skills as the course proceeds. Upon completion of the training, students will be able to effectively analyze a large number of digital evidence sources, including both on-disk and in-memory data, using the latest and most effective forensics tools and techniques. These skills will be immediately usable in a number of investigative scenarios and will greatly enhance even experienced investigators’ skillset. Students will also leave with media that contains all the tools and resources used throughout the training.

Digital Forensics And Incident Response – Tactical Edition (2021)

EC-Council’s Certified Incident Handler provides students with a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response from preparing and planning the incident handling response process to recovering organizational assets after a security incident. The skills taught in EC-Council’s ECIH program are desired by cybersecurity professionals from around the world and is respected by employers.

Syllabus

• Module 01: Introduction to Incident Handling and Response
• Module 02: Incident Handling and Response Process
• Module 03: Forensic Readiness and First Response
• Module 04: Handling and Responding to Malware Incidents
• Module 05: Handling and Responding to Email Security Incidents
• Module 06: Handling and Responding to Network Security Incidents
• Module 07: Handling and Responding to Web Application Security Incidents
• Module 08: Handling and Responding to Cloud Security Incidents
• Module 09: Handling and Responding to Insider Threats

EC-Council: Master Incident Handling In Cybersecurity (ECIH v2)