ＨｉｄｅＺｅｒｏＯｎｅ

This intensive three-day course is designed to teach the fundamental investigative techniques needed to respond to today’s cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms and investigate an incident throughout an enterprise. Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency.

Syllabus

• Describe the incident response process, including the threat landscape, targeted attack life cycle, initial attack vectors used by different threat actors, and phases of an effective incident response process
• Conduct system triage to answer key questions about what transpired across the enterprise during an incident
• Apply lessons learned to proactively investigate an entire environment (including metadata, registry, event logs, services, persistence mechanisms and artifacts of execution) at scale for signs of compromise
• Manage and effectively record information related to ongoing investigations and incidents
• Understand the role of the remediation phase in an enterprise investigation
• Understand how to hunt for threats using threat intelligence, anomaly detection and known threat actor techniques, tactics and procedures (TTPs)

Mandiant Academy – Windows Enterprise Incident Response

Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches in the last several years has shown that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of deeply technical areas including file systems, operating system design, and knowledge of possible network and host attack vectors.  During this training, students will learn how to approach digital investigations in a manner that allows for immediate forensic exploitation of relevant data both in-memory and on-disk. Significant hands-on experience during labs will train students to analyze the same types of evidence and situations that they will encounter in real-world investigations. This class is structured so that a specific analysis technique is discussed and then the students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives students a number of new skills as the course proceeds. Upon completion of the training, students will be able to effectively analyze a large number of digital evidence sources, including both on-disk and in-memory data, using the latest and most effective forensics tools and techniques. These skills will be immediately usable in a number of investigative scenarios and will greatly enhance even experienced investigators’ skillset. Students will also leave with media that contains all the tools and resources used throughout the training.

Digital Forensics And Incident Response – Tactical Edition (2021)

EC-Council’s Certified Incident Handler program equips students with the knowledge, skills, and abilities to effectively prepare for, deal with, and eradicate threats and threat actors in an incident. This ANAB-Accredited and US DoD 8140 approved program provides the entire process of Incident Handling and Response and hands-on labs that teach the tactical procedures and techniques required to effectively Plan, Record, Triage, Notify and Contain. Students will learn the handling of various types of incidents, risk assessment methodologies, as well as laws and policies related to incident handling. After attending the course, students will be able to create IH&R policies and deal with different types of security incidents such as malware, email security, network security, web application security, cloud security, and insider threat-related incidents.

eLearnSecurity by INE certifications allow students to gain real-world, hands-on experience as they complete their studies instead of requiring them to complete hundreds of multiple-choice questions. The eCIR challenges you to solve situation-based labs inside a fully featured and real-world environment while educating you on best practices for maximizing efficiency and performance, as well as reducing important security metrics such as time to detect, time to respond and points of risks. By completing a full Incident Response report, you can prove that you have the capabilities to explain why an intrusion occurred, how to prevent the intrusion again, and any additional mitigation steps necessary. Putting the analysis in your hands allows you to prove to your team and supervisors that you have what it takes to stop attacks in their tracks.