
ABSTRACT
This course is designed to teach the fundamental investigative techniques needed to respond to today’s cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence, and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, and investigate an incident throughout an enterprise.
Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network, and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency.
WHO SHOULD TAKE THIS COURSE
This class is designed for incident response team members, threat hunters, and information security professionals.
KEY LEARNING OBJECTIVES
After completing this course, participants should be able to:
- Describe the incident response process, including the threat landscape, targeted attack life cycle, initial attack vectors used by different threat actors, and phases of an effective incident response process
- Conduct system triage to answer key questions about what transpired across the enterprise during an incident
- Apply lessons learned to proactively investigate an entire environment (including metadata, registry, event logs, services, persistence mechanisms, and artifacts of execution) at scale for signs of compromise
- Manage and effectively record information related to ongoing investigations and incidents
- Understand the role of the remediation phase in an enterprise investigation
- Understand how to hunt for threats using threat intelligence, anomaly detection, and known threat actor tactics, techniques, and procedures (TTPs)
COURSE OUTLINE
The course consists of the following modules, with labs included throughout the instruction.
Part 1
Threat Landscape – An introduction to the current threat landscape, the targeted attack lifecycle, and the initial attack vectors used by different threat actors. This provides a base level of knowledge about the attack lifecycle framework, which will be referenced throughout the course.
Threat Modeling – An exploration of the MITRE ATT&CK® framework and the Mandiant Attack Lifecycle provides the foundation for understanding adversary behavior. This module covers the methods used to relate collected evidence to industry-standard frameworks during investigations. This enables participants to better understand and articulate adversarial tactics, techniques, and procedures (TTPs) and to improve the overall incident response process.
The Incident Response Process – An overview of the phases of an effective incident response process, including how to prepare for incident response, how to prioritize investigative leads, and an outline of a more modern approach to the investigative method.
The following topics are illustrated in this module:
- What is Incident Response?
- Preparation
- Detection
- Lead Prioritization
- Analysis
Part 2
Single System Analysis – This module includes in-depth information about the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. It takes a deep dive into file system metadata, the registry, event logs, services, common persistence mechanisms, artifacts of execution, timelining, and memory analysis. Participants will be taught to answer the key questions about what transpired, and how to develop indicators of compromise (IOCs) that can be used to identify other systems of interest.
The following topics are illustrated in this module:
- File System Metadata
- Event Logs
- Registry
- Services
- Persistence Mechanisms
- Artifacts of Execution
- Memory Analysis
- Timelining
Single System Analysis Labs
Part 3
Enterprise Investigations – How to apply the lessons learned from the previous modules to proactively investigate an entire environment, at scale, for signs of compromise. An in-depth analysis of how attackers move from system to system in a compromised Windows environment, how authentication works and how attackers steal credentials, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
The following topics are illustrated in this module:
- Active Directory
- Internal Reconnaissance
- Privilege Escalation
- Lateral Movement
- Alternate Remote Access
- Completing the Mission
Enterprise Investigations Labs
Part 4
Investigation Management and Remediation – Effective incident and investigation information management is vital for enterprise security. This module covers best practices for enriching investigations and strengthening security. The remediation phase bridges immediate incident actions with long-term strategies to improve organizational resilience.
Threat Hunting – Threat hunting is a critical component of an effective enterprise security program. Hunting can be performed using threat intelligence, anomaly detection, and known threat actor tactics, techniques, and procedures (TTPs). We will discuss how to develop a threat hunting capability in a mature organization, applying the lessons learned from the previous modules to proactively investigate an entire environment, at scale, for signs of compromise.
Threat Hunting Labs
Participant Requirements
Background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Participants must have a working understanding of the Windows operating system, file system, registry and use of the command line. Familiarity with Active Directory and basic Windows security controls, plus common network protocols, is beneficial.
Technical Requirements
Participants are required to bring their own laptop that meets the following specs:
- Windows 10
- Core i5 or equivalent processor
- 16 GB of RAM
- 25 GB free HDD space
- Virtual machines are acceptable provided at least 4 GB of RAM can be allocated
- Microsoft Office installed outside the VM
- Admin/install rights
Course Materials
Participants will receive a lab book and all required class materials and tools.
COUNTERMEASURE25: 60+ days before the event, 75% of fees refunded; 45–60 days before the event, 50% refunded; less than 45 days before the event, 0% refunded. Course changes are allowed up to 14 days before the event start (some restrictions apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.