Enterprise Incident Response
Overview
Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. Completely redeveloped with all new material in 2016, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
THE COURSE IS COMPRISED OF THE FOLLOWING MODULES, WITH LABS INCLUDED THROUGHOUT:
The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.
Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.
Investigating Lateral Movement: An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
Persistence: Analysis of advanced persistence mechanisms such as DLL search order hijacking, an introduction to user-land and kernel rootkits, and alternative remote-access mechanisms exploited by attackers.
Who Should Take this Course
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments, and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams or in roles that require oversight of forensic analysis and other investigative tasks.
Student Requirements
Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.
What Students Should Bring
Laptop or virtual machine running Windows 7 (32- or 64-bit). Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.
What Students Will Be Provided With
Class handouts and slides
Thumb drive containing class materials, labs, and tools
Mandiant gear
Trainers
Antonio Monaca is an Incident Response and Forensics Consultant with Mandiant's Benelux and Nordics team. As part of the Incident Response team, Mr. Monaca provides emergency services to clients when a security breach occurs. He also conducts forensic investigations and proactive security engagements.
Mr. Monaca has a background that ranges from analysis of cyber threats to R&D. He has a thorough understanding of malware, computer forensics and attackers' TTPs.
Prior to his employment at Mandiant, Mr. Monaca was a Senior Security Analyst at FireEye, where he investigated security incidents and performed proactive hunting for Fortune 500 companies as part of FireEye managed security services (FaaS). Prior to this position, he worked as an R&D analyst designing Trojan detection platforms and anti-fraud solutions for banks and financial institutions. While in this position, he also wrote threat pieces on a monthly cadence for the Italian R&D Centre of Banking Technologies (ABI Lab).
Julian Pileggi is a Senior Consultant in Mandiant's Canadian office. With a strong technical background, Mr. Pileggi assists with SOC transformations, incident response, compromise assessments and health check engagements. Prior to joining Mandiant, Mr. Pileggi was employed for 5 years within the Security Operations Centre of a Canadian financial institution. Handling incident response on a daily basis for one of the largest corporations in Canada, Mr. Pileggi honed his speed, accuracy, investigative skills, incident response techniques and leadership skills. He also has helped organizations develop and improve existing incident response procedures and policies to assist in future detection and the remediation of incidents.
Mr. Harri Sylvander is a Consulting Manager in Mandiant's Dubai office. His particular areas of expertise include incident coordination and response, network traffic analysis, digital forensics, and CSIRT operations. He has performed and led multiple Response Readiness Assessments, and has vast experience in incident response engagements and forensic investigations for organizations in various industry verticals including government, telecommunications, oil and gas, travel, education, and finance. He is also one of Mandiant's Enterprise Incident Response training instructors and has delivered the training on several occasions to incident responders in the Middle East.
Prior to joining Mandiant, Mr. Sylvander was contracted to one of the largest telecommunications companies in the region as a Senior Incident Handler and Threat Analyst via Forward Discovery Middle East. While there, he played a central role in responding to critical incidents, maintaining the CSIRT infrastructure, and training the CSIRT staff, giving the team the tools and skills required for accelerated and more accurate incident response.
Before moving to the Middle East, he held the position of Team Lead of Funet CERT, the Finnish National Research Education Network's Computer Emergency Response Team, where he spent eight years detecting, coordinating, and responding to incidents in the parent organization's and constituents' networks, as well as training and helping the constituent organizations build their incident response capabilities. During this time, Mr. Sylvander was also the team representative and liaison at various local, regional, and global CSIRT initiatives, such as FIRST (the Forum for Incident Response and Security Teams).