Incident Response - Black Hat Edition
Overview
Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. Completely redeveloped with all new material in 2016, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
THE COURSE IS COMPRISED OF THE FOLLOWING MODULES, WITH LABS INCLUDED THROUGHOUT:
- The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
- Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.
- Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
- Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.
- Investigating Lateral Movement: An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
- Persistence: Analysis of advanced persistence mechanisms - such as DLL search order hijacking, introduction to user-land and kernel root kits, and alternative remote-access mechanisms exploited by attackers.
Who Should Take this Course
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace is intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments, and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams or in roles that require oversight of forensic analysis and other investigative tasks.
Student Requirements
Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.
What Students Should Bring
Laptop or virtual machine running Windows 7 (32 or 64 bit). Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.
What Students Will Be Provided With
- Class handouts and slides
- Thumbdrive containing class materials, labs, and tools
- Mandiant gear
Trainers
Devon Kerr is a Consultant in Mandiant's Alexandria office. Mr. Kerr has led and participated in threat assessments, incident response engagements, forensic analysis, education, and proactive assessments. Mr. Kerr is an OpenIOC knowledge developer within the Security Consulting Services organization and has developed internal coursework relating to IOC creation and utilization. Mr. Kerr has worked with clients in financial services, defense, manufacturing, aerospace, telecommunications, media, and infrastructure. Many of those clients rank in the Fortune 50 or Fortune 100. Mr. Kerr has been instrumental in developing the incident response capabilities of clients and providing strategic remediation guidance following investigations.
Zabi Barekzi is an Incident Response Consultant with Mandiant.
Mary Singh is a Senior Consultant with Mandiant, with 12 years of experience in the information security field. Ms. Singh specializes in forensic analysis, location of information exposure, and EnCase forensic software. She has experience in military information operations, intrusion detection and incident response, and has identified specific military and engineering data targeted at several major defense contractors. While at Mandiant, she has investigated over 50 computer intrusions working with the Federal government, defense industrial base, and Fortune 500 companies.Prior to joining Mandiant, Ms. Singh conducted attack prevention, detection, and vulnerability assessment in the U.S. Air Force and as a consultant with Booz Allen Hamilton. She shares her experience and knowledge by teaching courses on network investigative techniques and incident response. She also presented at the DoD CyberCrime Conference and the SANS Digital Forensics Incident Response Summit, and writes posts for Mandiant's blog to share the latest methods to "find evil" with law enforcement, Federal government, and industry.
Christopher DiGiamo is a Senior Consultant in Mandiant's San Francisco office. Mr. DiGiamo has over seven years of experience performing incident response and network analysis for both private and public institutions. At Mandiant, he assists in forensic investigations and data analytics for cyber incidents. Prior to joining Mandiant, Mr. DiGiamo was the technical lead of the Federal Trade Commission (FTC) Computer Incident Response Team (CIRT). Mr. DiGiamo specializes in the programmatic identification of malicious network traffic and has written tools to assist in the identification of targeted malware variants.
