Black Hat Edition
Mandiant july 21-22july 23-24
Ends February 1
Ends June 1
Ends July 20
Mandiant has raised the bar of effective detection, response, and remediation through their Incident Response (IR) coursework. This two-day Special Edition class teaches the fundamental and cutting edge data collection and analysis techniques information security professionals need to investigate increasingly complex intrusion scenarios. The course contains case studies and hands-on lab exercises tailored to the latest attack scenarios identified by Mandiant's investigations into the compromise of public and private sector organizations. Attendees will gain experience in the following topic areas.The Incident Response Process
- Preparing for Incidents
- Detection and Analysis
- Containment, Eradication, and Recovery
- Volatile vs. Non-Volatile Evidence
- Forensic Imaging
- Volatile Data Acquisition
- NTFS File System Artifacts
- Windows Registry Artifacts
- Microsoft Windows Event Log Analysis
- Microsoft Windows Prefetch
- Scheduled task Logs
- Artifacts in Recycler
- Web Browser History
- Alternate Data Streams
- Time Stomping
- Advanced Persistence Mechanisms
- System, Pagefile, and Process Memory
- Analyzing Forensic Artifacts in Memory
These topics will help prepare you for some of the most common questions and challenges facing an incident responder, such as:
- How do you fully "scope" an incident?
- What is the best way to conduct rapid triage on a system to determine if it is compromised?
- What types of evidence result from common initial attack vectors such as spear-phishing or web application exploits?
- How do attackers establish persistence on a system?
- What are the tell-tale signs of attacker lateral movement and privilege escalation in a compromised environment?
- How can attackers manipulate evidence, and how can you detect and defeat such techniques?
The class is structured to include exercises, tools, and sample evidence based on real-world cases throughout the material – we strive to minimize lecture time and maximize hands-on learning.
What to bring
Students must provide their own laptop that is running a version of Microsoft Windows or Virtualization software such as VMware that is running a version of Microsoft Windows. Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.
- Microsoft Office or Open Office is required to open documents provided as part of the labs.
Students, who cannot meet the laptop requirements because of onsite registration or other reasons, please contact MANDIANT at firstname.lastname@example.org to see if a laptop can be provided for you.
What You Will Get
- Class Handouts and Slides
- MANDIANT gear
Who Should Attend the Class
Anyone involved in the information technology and information security fields responsible for responding to computer intrusions or securing corporate networks. The class covers the basics of the incident response process and proper handling of incidents as well as advanced investigative techniques used to respond to computer intrusions.
- Students must be familiar with executing command line utilities as an Administrator and navigating the Windows file system using the command line.
- Common file system structures
- Microsoft Windows registry
- Active Directory and basic Windows security controls
- Networking fundamentals, including common Windows protocols
Chris Nutt is a Manager within the Professional Services Division of MANDIANT. Mr. Nutt has eight years of experience in enterprise incident response, working with the federal government, defense industrial base, and fortune 100 companies. He has extensive experience in incident response, computer forensics, remediation strategies, and project management.
Mr. Nutt has led and conducted incident response and forensic analysis engagements for government entities and the Fortune 100. He has led high visibility investigations into the theft of intellectual property as well as the theft of payment card industry information. He regularly assists organizations in developing remediation strategies designed to remove sophisticated attackers from client networks.
Mr. Nutt leverages his consulting experience to develop and deliver incident response training to law enforcement, the federal government, and corporate security groups. He has also presented at a variety of security industry events; his most recent presentation was at DoD CyberCrime Conference 2012.
Ryan Kazanciyan is a Principal Consultant with Mandiant and has ten years of experience specializing in incident response, forensic analysis, penetration testing, and web application security. He has most recently conducted intrusion investigations and remediation efforts for organizations in the technology, financial services, and defense industrial base sectors. Mr. Kazanciyan has experience with analysis of host and network-based indicators of compromise, disk and memory forensics, and malware identification and triage. He also helped victim organizations develop and implement remediation steps to address existing vulnerabilities and enhance security controls.
In addition to his experience in incident response, Mr. Kazanciyan has an extensive background managing and executing large penetration testing engagements in Windows and UNIX environments, social engineering, and wireless assessments. Ryan also is proficient in application security and has conducted black-box and source-code assessments for web applications and "thick" clients.
Mr. Kazanciyan has leveraged his consulting experience to lead training sessions for a variety of audiences in law enforcement, the federal government, and corporate security groups. He has taught courses on incident response, forensic analysis, penetration testing, and web application security. He has also presented at a variety of security industry events including Black Hat Federal, ShmooCon, and the DoD CyberCrime Conference.
Mary Singh is a Senior Consultant with Mandiant with ten years of experience in information security. Ms. Singh specializes in forensic analysis, location of information exposure, and EnCase forensic software. She has experience in military information operations, intrusion detection and incident response, and identified specific military and engineering data targeted at several major defense contractors. In a recent investigation, she discovered a malicious driver that was unknowingly being hosted and distributed from a legitimate website.
In the military and as a consultant, Ms. Singh developed both network and host level indicators of compromise. She shares her experience and knowledge by teaching courses on incident response and network investigative techniques. She also presented the past two years at the DoD CyberCrime Conference, sharing the latest methods to "find evil" with law enforcement, federal government, and industry.