Incident Response - Black Hat Edition

Mandiant | August 2-3 & 4-5

On This Page


Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. Completely redeveloped with all-new material in 2013, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.


The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.

Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.

Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.

Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.

Investigating Lateral Movement: An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.

Persistence: Analysis of advanced persistence mechanisms, such as DLL search order hijacking; introduction to user-land and kernel root kits; alternative remote-access mechanisms exploited by attackers.

Who Should Take This Course

This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace is intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require oversight of forensic analysis and other investigative tasks.

Student Requirements

Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.

What Students Should Bring

Laptop or virtual machine running Windows 7 (32 or 64 bit). Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.

What Students Will Be Provided With

• Class handouts and slides
• Thumb-drive containing class materials, labs, tools


Ryan Kazanciyan is a Technical Director with Mandiant and has ten years of experience specializing in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led incident response and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. He has also helped develop Mandiant’s investigative methodologies, forensic analysis techniques, and technologies to address the challenges posed by skilled intruders and large-scale investigative efforts.

Prior to his work in incident response, Ryan specialized in leading penetration tests for both private and public-sector clients. His background included red-team operations in Windows and Unix environments, web application security assessments, and social engineering.

Ryan has taught courses on incident response, forensic analysis, and penetration testing at venues including Black Hat USA, Black Hat Abu Dhabi, and CounterMeasure. He also has presented research at industry events such as Black Hat Federal, DoD CyberCrime, ShmooCon, Infragard, ISACA, SwA Forum, and AppSec DC.

Ryan holds a bachelor’s degree in Computer Science and a minor in Economics from Duke University. He currently resides with his wife in Alexandria, Virginia.

Chris Nutt is a Senior Manager within the Professional Services Division of MANDIANT. Mr. Nutt has eight years of experience in enterprise incident response, working with the federal government, defense industrial base, and fortune 100 companies. He has extensive experience in incident response, computer forensics, remediation strategies, and project management.

Mr. Nutt has led and conducted incident response and forensic analysis engagements for government entities and the Fortune 100. He has led high visibility investigations into the theft of intellectual property as well as the theft of payment card industry information. He regularly assists organizations in developing remediation strategies designed to remove sophisticated attackers from client networks.

Mr. Nutt leverages his consulting experience to develop and deliver incident response training to law enforcement, the federal government, and corporate security groups. He has also presented at a variety of security industry events; his most recent presentation was at DoD CyberCrime Conference 2012.