The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription

---

Security Incident Response process description and incident handling guide. It is important to know the proper way of solving a security incident in order to ensure the best possible outcome.

Participants will receive a high level overview of everything they need to know about handling a high profile security incident, necessary steps and skills to lead the incident to a successful conclusion and ensure that the same incident does not occur again.

---

PRE-RECORDED, SELF-PACED

COURSE DURATION: 18 hours (18 CPE credits awarded on completion) 

---

---

About your instructor: Petar Yankov

Expert Digital Forensics and Investigations at DXC TechnologyCertified GIAC GCIH and EC-Council CHFI

I am currently part of the Digital Forensics and Investigations team at DXC Technology. My main responsibility is investigating security incidents that impact DXC’s clients. In my line of work I handle all sorts of security incidents, such as hacking attempts, virus infections and outbreaks, intrusions, data exfiltrations. I am deeply involved in Security Information and Event Management (SIEM), as well as network-related security incidents, and perform malware analysis, traffic/log analysis, in-depth forensic investigations and research into new threats.Working with vast variety of clients and different environments, is quite interesting and does require a lot of training and research.

My IT security carrier started back in 2008I started my work in IT security back in December 2008 with Hewlett-Packard enterprise as part of the Endpoint Security and Protection team. As part of this team, I’ve been interfacing with technical and management teams. My main responsibilities were developing and implementing endpoint security solutions in different environments. Additionally performing events monitoring and ongoing maintenance. My responsibilities included communicating with AntiVirus and Firewall vendors, submitting malware samples and creating custom installation packages for deployment on end user and server systems. That gave me a broad view of the IT security landscape and got me started on a journey that now continues for more than a decade.

---

COURSE SYLLABUS

---

Module 1

Introduction to Security incident Response, Security incident handling process

Preparation Phase

Preparing well for a security incident is one of the most important aspects of security incident handling. It is interesting to find out how, in hindsight, most security incidents can be prevented or solved much more easily with better preparation.

• Assessing potential security risks
• Accounting for human error
• Creating Incident Response Plan
• Identifying High Value Targets
• Identifying Stakeholders
• Setting up incident Response tooling
• System instrumentation
• Employees security trainings

Module 1 exercises:

Familiarizing with Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview) and Windows Event Log analysis

---

Module 2

Identification / Detection and Reporting, Outbreak prevention

Identifying a security incident as opposed to an operational issue is important, that must be defined clearly. Examples of a security incident are theft or loss of equipment that contains private or potentially sensitive data,. Vvirus or malware outbreak.

Discussion on identifying an incident as a security incident and different types of incidents.

First steps should be well documented and laid out, as many scenarios should be played out during risk assessments, past incident data and external data (such as threat intelligence feeds). Tthat would further determine the future development of the investigation and the investigation objectives.

In the case of forensic investigations, - objectives of the investigation must be clearly identified, all stakeholders should be identified (that might include legal, PR, HR …).

Detection, identification and mitigation of threats should be well documented and prioritized.

• Identifying incident as a security incident
• Types of security incidents
• First steps
• Detection, identification and mitigation of threats
• Different types of incidents
• Forensic cases / Defining objectives of investigation

Special Actions for Responding to Different Types of Incidents:

• Espionage
• Inappropriate use
• Internal Threats
• Forensic Investigations

Module 2 exercises:

• LAB: Virus infection PlugX detection;
• LAB2: Keyword searches (mainly using grep and ; volatility usage and plugins)
• LAB3: Automated malware sample analysis with Cuckoo

---

Module 3

Containment & Eradication

Making certain that the incident is contained, malware samples are quarantined for further analysis and assessing the impact of the incident. If needed – isolating impacted systems. It is important dto keep distinct that step distinct from the identification.

Documentation of the incident is very important, so that the insight gained can be used for future reference and contribute to future incidents resolution.

Environment impact analysis, ensuring threat is neutralized, all impact on systems is contained and all aspects of the threat are taken into account. It is important that we stress that in this step we make certain that the threat actor or malware does not have another way back into the environment. Patching vulnerabilities and reviewing privileges/policies once again in order to make certain that everything possible is done to prevent the same incident reoccurring.

Restoring systems and data from backup must be done while ensuring security patching is up-to date. Restoring connectivity to impacted systems needs to be done only after making certain everything has been done to mitigate the incident.

Containment

• Containment and quarantine
• IoCs creation and implementation
• Documentation of incident

Eradication

• Impact analysis
• Recover systems, data and connectivity

Module 3 Exercise:

• LAB: IoCs creation and usage

---

Module 4

Recovery & Follow up / Lessons Learned

Return to production state must be done while continuous monitoring is ensured. Restoring and returning affected systems and devices back into the environment. During this phase, it’s important to get the systems up and running again, while making certain that all precautions have been taken in order to make certain that a breach cannot occur in the same way.

After the recovery phase is complete, it is important to review and document the incident, review processes and see if the incident has shed light and if there is room for improvement.

After a targeted attack, all security personnel should be on high alert anticipating an attack from another vector.

Recovery:

• Return to production state
• Additional monitoring

Follow up / Lessons Learned

• Documenting the incident
• Contacting relevant parties
• Changes in processes / Processes reviews
• Expect an increase in attacks / Attack Trends

Final exam - multiple-choice test-based exam

---

Course format:

• Self-paced
• Pre-recorded
• Accessible even after you finish the course
• No preset deadlines
• Materials are video, labs, and text
• All videos captioned

---

---

QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].