Black Hat USA 2009 Weekend Training Session

July 25-26

Black Hat USA 2009 Weekday Training Session

July 27-28

Incident Response Black Hat Edition

Kevin Mandia and Kris Harms, MANDIANT

Overview

As the sophistication and threats caused by malicious attacks continue to increase, Mandiant has raised the bar of effective detection, response, and remediation by introducing our Incident Response (IR) class. This two-day Special Edition class has been specifically designed for information security professionals and analysts who respond to computer security incidents. It is designed as an operational course, using case studies and hands-on lab exercises to ensure attendees are gaining experience in each topic area. Hands on exercises and labs in Windows Intrusion as well as the following topics are covered:

• The different phases and activities of the IR process
• The roles and responsibilities of each member of the IR team
• Create IR checklists and notification lists
• How to rapidly detect or confirm attacks
• Finding, reviewing, and interpreting log files
• Performing live response on a compromised server
• Learn what volatile evidence is present on a live system before it is powered down
• Determine the function of unidentified executable processes
• Detect rootkits, backdoors and trojaned files
• Interact with rootkits to learn their impact on a live system, and how to respond

What You Will Get:

• Student Manual
• Class handouts
• MANDIANT gear

Who Should Attend the Class:
Information technology staff, information security staff, corporate investigators, or other staff that require an understanding of how networks work, how to capture network traffic, how to investigate network use, how to identify and escalate suspected computer security incidents, and how to safeguard corporate assets via network defense.

Prerequisites:
Basic knowledge of computer, network, and operating system fundamentals is required.

Trainers:

Kevin Mandia is an internationally recognized expert in the field of information security. He has over fifteen years experience, beginning in the military as a computer security officer at the Pentagon. He has assisted attorneys, corporations, and government organizations with matters involving information security compliance, complex litigation support, computer forensics, expert testimony, network attack and penetration testing. Mr. Mandia established Mandiant specifically to bring together a core group of industry leaders in this field and solve client’s most difficult information security challenges.

Prior to forming Mandiant, Kevin built the computer forensics and investigations group at Foundstone from its infancy to a multi-million dollar global practice that performed civil litigation support and incident response services. As technical and investigative lead, Mr. Mandia responded on-site to dozens of computer security incidents yearly. He assisted numerous financial services and large organizations in handling and discretely resolving computer security incidents. He also led Foundstone’s computer forensic examiners in supporting numerous criminal and civil cases. He has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.

During his career, Mr. Mandia has become an extremely experienced instructor. He has developed specialized classes for the Federal Bureau of Investigations, and personally trained over four-hundred FBI agents in investigating computer crime. He has also developed specialized training for the United States Attorney’s Office, United States Secret Service, United States Air Force, State Department, the Royal Canadian Mounted Police, and other government agencies. He has trained at the FBI Academy, the National Advocacy Center, and the Federal Law Enforcement Training Center. He developed classes approved by the Continuing Legal Education (CLE) boards in the States of Virginia, New York, and California, and has trained hundreds of attorneys in the technical aspects of computer forensics and network intrusions. In addition to training law enforcement and attorneys, Kevin has provided on-site training at numerous Fortune 500 organizations. He has been a professorial lecturer at Carnegie Mellon University and currently teaches courses at The George Washington University.

Mr. Mandia is co-author of "Incident Response: Performing Computer Forensics" (McGraw-Hill, 2003) and "Incident Response: Investigating Computer Crime" (McGraw-Hill, 2001). He has also written articles for SC Magazine and The International Journal of Cyber Crime. As a noted expert and author, Mr. Mandia is frequently invited to speak at a variety of forums, from legal conferences to technical security forums. He is regularly scheduled to present at Black Hat, Networld+Interop, TechnoSecurity, and the High Technology Crime Investigators Association. Mr. Mandia continues to advance the state-of-the-industry by presenting well-received articles and books.

Kevin holds a Master of Science in Forensic Science from The George Washington University. He is a Certified Information Systems Security Professional, and has held government security clearances at the Top Secret and higher levels.

Kris Harms is a Senior Consultant at Mandiant with seven years experience in information security. Mr. Harms provides commercial organizations, attorneys and the U.S. Government with expertise in incident response, computer forensics, vulnerability assessment and security architecture design.

Mr. Harms has extensive experience investigating and resolving high risk computer security incidents. He has responded to intrusions for Fortune 100 companies, e-commerce sites and financial institutions. He has also supported multiple counter-intelligence intrusion investigations for several government entities. He has assisted organizations with post incident activities such as remediation strategy development, vulnerability management, security architecture design, executive presentations and incident response program development. Mr. Harms has also assisted attorneys and organizations with electronic evidence discovery for several multi-million dollar litigations.

Harms has a passion for teaching. He has taught computer intrusion investigations classes at the FBI Academy, commercial, and other government organizations. He is also the author of several training courses for Mandiant and the Federal Bureau of Investigation. He has provided training at several conferences including Black Hat, CSI SX and InfraGard.

Prior to joining Mandiant, Mr. Harms worked for SRA International and played a key role as an Information Assurance Engineer for the Government Accountability Office. During this time, he became the technical lead for the development and maintenance of the agency’s intrusion detection and incident response capabilities. He was also the technical lead for workstation security, providing secure solutions for auditors and support staff while on-site and off-site. This program included leading a successful rollout of agency-wide personal firewalls which incorporated never before implemented 802.1x capabilities.

As a result of his experience conducting numerous forensic investigations, Mr. Harms created Mandiant’s Restore Point Analysis Tool, and authored “Forensic Analysis of System Restore Points in Windows XP” published in the International Journal of Digital Investigation. The tool is designed to provide forensic examiners an understanding of the content found within System Restore Points which are frequently overlooked as a source for data.

A frequent industry speaker and instructor, Mr. Harms has appeared on the CBS News program 60 Minutes and PBS’s Wealth and Wisdom. Mr. Harms holds a Bachelor of Arts degree in Applied Science and Technology from The George Washington University.

Super Early: Ends Mar 15	Early: Ends May 1	Regular: Ends Jul 1	Late: Ends Jul 22	Onsite:
$2200	$2300	$2500	$2700	$3000