Windows Enterprise Incident Response: Black Hat Edition
Overview
Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's threats. The class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. This class will primarily focus on analyzing Windows-based workstations and servers; however, the techniques and investigative processes are applicable to all systems and applications. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, investigate an incident throughout the enterprise, and much more.
Course Description
The course is comprised of the following modules, with labs included throughout the instruction:
- The Incident Response Process – An introduction to the threat landscape, targeted attack life-cycle, initial attack vectors used by different threat actors, and the phases of an effective incident response process.
- Single System Analysis – This module includes in-depth information about the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. It takes a deep dive into file system metadata, the registry, event logs, services, common persistence mechanisms, and artifacts of execution. Students will be taught to answer the key questions about what transpired, with dedicated sections on:
  - File System Metadata
  - Event Logs
- Enterprise Investigations – How to apply the lessons learned from the previous modules to proactively investigate an entire environment, at scale, for signs of compromise. An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
- Investigation Management – Managing and effectively recording information related to ongoing investigations and incidents is crucial for success. This module will cover the best practices and some approaches to information management which enrich the investigative process and bolster the enterprise security program.
- Remediation – The remediation phase of an enterprise investigation is an important part of the incident response process. Discussion on the containment and remediation of a security incident will bridge short-term immediate actions taken during a live incident, to longer term strategic posturing to improve the resiliency of the organization as a whole.
- Threat Hunting – Threat hunting is a critical component of an effective enterprise security program. This module covers hunting driven by threat intelligence, anomaly detection, and the known tactics, techniques and procedures (TTPs) of threat actors, and applies the lessons learned from the previous modules to proactively sweep an entire environment, at scale, for signs of compromise that no alert has yet surfaced.
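The Enterprise Investigations module above contrasts network logons with interactive access as a way of spotting lateral movement. As an added illustration, not part of the course materials, the following PowerShell summarises successful logons (Security Event ID 4624) on a host by Logon Type, so the analyst can separate console and RDP sessions from the network logons (SMB, WMI, remote service creation) that typically carry an attacker from system to system. It assumes the default Windows Logon audit policy is writing 4624 events, a seven-day window, and that it is run from an elevated prompt on the host being triaged (the `-ComputerName` parameter and the seven-day default are assumptions; adjust to the host or exported log you are working with).

```powershell
# Added example, not course code. Summarises 4624 (successful logon) events
# by Logon Type so interactive access can be separated from network logons.
# Reading the Security log requires Administrator or "Event Log Readers" rights.

# Logon Type values as documented for Event ID 4624.
$LogonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (SMB/WMI/RPC)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function Get-LogonSummary {
    param(
        # Assumed default window; widen it for a dormant intrusion.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Assumed default: the local host. Point at a remote host if needed.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    foreach ($e in $events) {
        # Read named EventData fields from the event XML rather than relying on
        # positional Properties[] indexes, which shift between Windows versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LogonType   = $type
            Description = $LogonTypes[$type]
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonId     = $data['TargetLogonId']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            AuthPackage = $data['AuthenticationPackageName']
            LogonProc   = $data['LogonProcessName']
        }
    }
}

$logons = Get-LogonSummary

# 1. Volume by type. A workstation that suddenly shows many Type 3 or Type 10
#    logons sourced from other workstations is a lateral-movement lead.
$logons | Group-Object LogonType | Sort-Object Count -Descending |
    Select-Object @{n='LogonType';e={$_.Name}},
                  @{n='Description';e={$LogonTypes[[int]$_.Name]}},
                  Count | Format-Table -AutoSize

# 2. Remote access only, excluding machine accounts (names ending in $) and
#    loopback sources. Each TargetLogonId can then be correlated with 4634/4647
#    (logoff), 4672 (privileged logon) and 4688 (process creation) for that session.
$logons |
    Where-Object { $_.LogonType -in 3,10 -and $_.User -notmatch '\$$' -and $_.SourceIP -notin '-','127.0.0.1','::1' } |
    Sort-Object Time |
    Format-Table Time, Description, User, SourceIP, Workstation, AuthPackage, LogonProc -AutoSize
```

The two views answer different questions. The first is a triage check: does the logon mix on this host look like its role (a file server should be dominated by Type 3, a user workstation by Type 2 and 7)? The second is the pivot list: every remote session, with the source address and workstation name that lead to the next host in the chain, and the Logon ID that ties the session to the processes it spawned.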
Who Should Take this Course
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting security operations, incident response, forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require oversight of forensic analysis and other investigative tasks.
Student Requirements
Students must have:
- a working understanding of the Windows operating system, file system, registry, and use of the command-line.
- familiarity with Active Directory, basic Windows security controls, and common network protocols.
What Students Should Bring
- Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB drive.
- Students must bring a laptop that meets the following minimum requirements:
- Operating System: Windows 7 or newer
- Processor: Core i5 or equivalent
- RAM: At least 6GB, preferably 8GB
- HDD: At least 25GB free space
- Virtual machines are acceptable provided at least 4GB of RAM can be allocated. Students are responsible for providing their own copies of and licenses for Windows.
What Students Will Be Provided With
- a USB drive containing all required lab materials and tools
- Mandiant-branded gear
Trainers
Julian Pileggi is a Senior Consultant in Mandiant's Canadian office. With a strong technical background, Mr. Pileggi assists with SOC transformations, incident response, compromise assessments and health check engagements.
Prior to joining Mandiant, Mr. Pileggi was employed for 5 years within the Security Operations Centre of a Canadian financial institution. Handling incident response on a daily basis for one of the largest corporations in Canada, Mr. Pileggi honed his speed, accuracy, investigative skills, incident response techniques and leadership skills. He also has helped organizations develop and improve existing incident response procedures and policies to assist in future detection and the remediation of incidents.
Phillip Kealy is a West Regional Manager of Incident Response in Mandiant's Denver office. As a leader of the Incident Response team, Mr. Kealy provides emergency services to clients when a security breach occurs. His particular areas of expertise include enterprise-wide incident response investigations, secure network design, enterprise architecture, and security operations center development. Mr. Kealy has significant experience working with the defense industrial base and the financial and technology industries.
Mr. Kealy performs incident response and forensic analysis for global companies possessing hundreds of thousands of computer systems worldwide. He has led incident response teams in multiple Advanced Persistent Threat and Financial theft compromises. Specifically, Mr. Kealy led investigations of four large financial or credit card data thefts and three of the largest thefts of proprietary technology data. He also helps clients analyze and test existing incident response plans and provides incident response training.
With over 14 years of experience in both private and public sector environments, Mr. Kealy has a solid background in networking and operating system administration, both on Windows and Linux/UNIX platforms. He has a thorough understanding of computer forensics, and of the tactics, techniques, and procedures that are leveraged by attackers. Mr. Kealy entered the security field as an incident responder at the Federal Trade Commission. There, he architected and implemented security applications and controls, detected and responded to incidents, and started the hunting program. Prior to joining Mandiant, Mr. Kealy spent three years leading the security organization for URS Corporation. There, he provided strategic and tactical leadership for the URS IT Security team. He spent the majority of his time training the IT Security staff and architecting the environment to address new security threats.
Andrew Rector is a Consultant in Mandiant's San Francisco office. As part of the Incident Response team, Mr. Rector provides emergency services to clients when a security breach occurs, including enterprise wide incident response investigations, and single system forensic investigations. During his time at Mandiant, Mr. Rector has worked investigations in high tech and financial industries, as well as health care organizations. Additionally, Mr. Rector has provided incident response and forensic investigation training to clients.
Mr. Rector's specialty is digital forensics and file system artifacts based on his experience analyzing a variety of different systems and media types. Additionally, Mr. Rector has extensive experience performing forensic analysis using industry-leading tools such as EnCase and FTK, along with open source tools.
Prior to his employment at Mandiant, Mr. Rector was a student at Bloomsburg University. At Bloomsburg, Mr. Rector served as the manager for the Pennsylvania Center for Digital Forensics (PACDF). At the PACDF, Mr. Rector conducted data recovery investigations and mobile forensic investigations, and assisted Pennsylvania state law enforcement in the use of specialized mobile forensics tools. Mr. Rector performed his own research in penetration testing, tool development using Python, and Linux forensics, and oversaw a team of researchers at the PACDF.