Course Description
Cyber-attacks are becoming an everyday occurrence. Information security specialists must manage incident response and intrusion analysis to protect the organization and to provide digital evidence where appropriate.
This course will provide you with an understanding of the various attack characteristics, an analysis of lessons learned from recent attacks, and the ability to create your own processes for responding to attacks on your enterprise network.
In the 1-day version, using lectures and workshops, you will have the opportunity to explore and experience documented incidents.
In the 2-day version, you will learn from “live” events and scenarios drawn from actual computer incidents. Each “live” exercise presents a series of events, from firewall logs to users calling the help desk; your task is to review the information and, using the defined incident response plan, determine what must be recorded and reported at each step in order to move forward. The incidents increase in scope and become more challenging as the workshop progresses.
Learning Objectives
- Learn the fundamentals of intrusions
- Examine network traffic for intrusions
- Develop a systematic process for intrusion analysis
- Explore the artifacts of emerging threat attacks
- Establish an incident response lifecycle
- Create a response template for handling basic to advanced attacks
- Process “live” monitored alerts and assess the enterprise threat*
- Extract sophisticated malware information from the latest types of attacks*
Course Outline
Introduction to Forensics
- Computer forensics defined
- Traditional forensics
- “Live” system forensics
- Establishing a Forensic Methodology
- Repeatable process
- LAB ONE: Forensic Analysis: What we are up against
Intrusion Analysis of Network Traffic on Windows and Linux
- Identifying normal vs abnormal traffic
- Determining cause of abnormal traffic: Error vs. Malicious
- Recognizing common patterns of network attacks
- Identifying the OS from the network traffic
- Passive fingerprinting characteristics
- Nuances of the TCP/IP stack
- LAB TWO: Analyzing basic attacks
- Components of a sophisticated attack
- Deception techniques
- Protocol camouflage
- Encryption and tunnels
- LAB THREE: Analyzing a sophisticated attack
- Components of advanced attacks
- Protocol encapsulation—More than one layer 7
- Web attacks – Services, SQL, XSS, Access controls
- LAB FOUR: Analysis of Web Attacks
Introduction to Incident Response
- Security Policy and its role in incident response
- Introduction and overview of computer forensics and incident response
- Planning for incident response: Developing a plan of action
- Incident response life cycle explained
- Incident Response Workshop One
Planning a Response to a Potential Incident
- Search and seizure laws
- What you can and cannot take
- Laws of digital evidence
- Hearsay
- Exceptions to the hearsay law
- Digital evidence references
Processing Windows “LIVE” Forensics information to discover malware
- Analyzing volatile data
- Analyzing non-volatile data
- LAB: Windows “LIVE” Incident Response Workshop Two
Malware Incident Response
- Advanced Windows Forensics: Performing low-level internal analysis to identify advanced memory corruption
- Windows internals
- Windows rootkits
- Traditional
- Hooking
- DKOM
- LAB: Malware Analysis
- Client side exploitation
- Binary payloads
- Malicious files
- Bypassing anti-virus and other protections
- Obfuscation and encoding
- PowerShell
- LAB: Client Side Attack Vectors
NOTE: * Refers to the 2-day seminar only
Additional Information
Who Should Attend
- IT Auditors
- Information Security Managers, Analysts, and Architects
- IT Management
- IT Architects
- Consultants
Learning Level
Advanced
Delivery
Group Live
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
A strong background in networking, TCP/IP, Linux, and Windows
Session Duration
On Site: 1 or 2 days
CPE Credits: 8 or 16