The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription

As the threat landscape continues to shift and change, so too has the information security industry. This course will focus on the area of incident response. The purpose is to introduce incident response to students by illustrating tools, techniques, and procedures that may be used to enhance or contribute to an incident response program. Students will walk away with knowledge of tracking incidents, obtaining indicators of compromise, creating incident response reports, and obtaining artifacts.

---

Course is self-paced, pre-recorded

18 CPE points 

---

What will you learn? 

• A range of skills and techniques to assist in the incident response stages
• The six stages of incident response
• Open source toolsets to assist in incident response
• How to report the incident response to management

---

What skills will you gain? 

• Techniques for searching and obtaining artifacts critical to aid in incident response
• Open source toolsets for searching and obtaining artifacts critical to aid in incident response
• The six stages of incident response
• Techniques for building system and network defenses
• Swapping out infected systems and rerouting network traffic on the fly
• Malware analysis  
• Memory analysis
• Network protocol analysis
• Host behaviour analysis

---

---

What will you need?

• Laptop or Desktop with minimum 4gb of RAM
• VirtualBox (latest version to run image) to run Windows and Linux operating systems interchangeably

---

What should you know before you join?

• Networking knowledge and pcap dissection (including theoretical knowledge, programming languages, software & hardware)
• Linux system architecture (administration), Windows architecture (administration), network analysis, common network & system attack types
• Comfortable with Linux command line instruction
• Comfortable with Windows command line instruction
• Background or interest in information security technical roles, e.g., network, system administration, engineering, devops

---

Your intructor: O'Shea Bowens

O’Shea Bowens is an information security enthusiast with a decade of information security experience. His primary focus is incident response, malware analysis, and blue teaming functions. O'Shea has worked and consulted for companies and clients in the federal government, U.S. and international firms in various information security roles, including security analyst, incident response, network & systems forensics, architecture and network engineering.

---

Syllabus

---

Before the start

• VirtualBox
• Networking in VirtualBox (Students will need to setup a virtual environment for this course)
• Linux command line knowledge
• Windows command line knowledge
• Networking TCP Ipv4 knowledge
• Common malware traits

---

Module 1: Introduction to Incident Response
Why Are We Here?

Module 1 covered topics: The Six Stages of Incident Response

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
• Legal Problems
• Cyber Laws as they Currently Stand

Module 1 exercises:

• Understanding of incident response forms
• Introduction to incident response stages
• Setting up a lab environment to analyze malware (never use your production systems)

---

Module 2: Preparation & Identification
Understanding of incident response stages - Preparation & Identification

Module 2 covered topics:

• Events versus Incidents
• Incident Response Parties Involved
• Network Intrusion Detection Systems
• Host based intrusion detection
• ** Logs of system events vs incidents- participants  will need an open source NIDS & HIDS tool, for analyzing malicious activity

Module 2 exercises: 

• System logs provided to assist in exercise
• Vulnerable image of OS provided to perform exercises
• Introduction of OSSEC
• Introduction of Bro
• Leveraging of Windows event logs (security) & Windows log auditing
• Leveraging Linux auditd logs
• Pcap Analysis Tutorial

---

Module 3: Containment & Eradication
Understanding of incident response stages - Containment & Eradication  

Module 3 covered topics:

• Establishing short/long-term containment
• Enhancement of defensive posture for network, servers, and endpoints
• Indicators of compromise creation and usage in incident response
• Indicators of attack correlation

Module 3 exercises: 

• System and network logs provided to assist in exercise
• Vulnerable image of OS to perform exercises
• How to create a secure forensic image guide
• How to craft an indicator of compromise
• Searching across your environment for malware
• Creating correlation to spot malicious activity
• Taking advantage of IP tables
• Obtaining stings to hunt for activity

---

Module 4: Recovery & Lessons Learned
Understanding of Incident Response Stages - Recovery & Lessons

Module 4 covered topics:

• Procedure to test, monitor, and confirm system behavior
• How to define scope of incident
• Injecting backups
• Conducting roundtable discussions for lessons learned

Module 4 exercises: 

• System and network logs provided to assist in exercise
• Vulnerable image of OS to perform exercises
• Searching across the environment for threats based on IOC
• Provide summary of attack based on artifacts
• Leveraging “Regshot” to compare registry for normalization
• Conducting vulnerability assessments with OpenVas
• Creating executive summary of incident

---

Module 5 Putting it together - Attack Scenario #1
Attack scenario walkthrough with reporting form for incident to be completed

Module 5 covered topics:

• Objective: Complete executive summary with incident response
• Track attack via pcaps, logs, and disk analysis

Module 5 exercises:

• With image supplied of exploited server/endpoint, objective is for participants to utilize  supplied log sources, memory images, and pcaps to establish report of root cause analysis. (Supply IR forms, i.e., communication form, incident report - how were IOC/artifacts gathered)

Module 5 Tools: Students may use tools listed below or tools of choice:

• Wireshark
• Process Explorer
• Regshot
• Sysinternals
• NIDS – BRO, Snort
• HIDS- OSSEC
• Memory Analysis- Volatility
• IDA
• Event Log Viewer
• ApateDns

Module 5 Malicious activity:

• Malware introduced to system via covered attack vector
• Provided network traffic of malware sample
• Provided system events via Windows logs to verify activity  
• Provided memory image

---

Module 6 title: Putting it together - Attack Scenario #2
Attack scenario walkthrough with reporting form for incident to be completed.

Module 6 covered topics:

• Objective: Complete executive summary of incident. Note: There are different methods of obtaining artifacts and interpreting the incident. So be creative.
• Track attack via pcaps, logs, and disk analysis

Module 6 exercises:

• With image supplied of exploited server/endpoint, objective is for participants to utilize  supplied log sources, memory images, and pcaps to establish report of root cause analysis. (Supply IR forms i.e. communication form, incident report - how were IOC/artifacts gathered)

Module 6 Tools: Students may use tools listed below or tools of choice:

• Wireshark
• Process Explorer
• Regshot
• Sysinternals
• NIDS - BRO
• HIDS - OSSEC
• Memory Analysis - Volatility
• IDA
• Event Logs

Module 6 Malicious activity

• Malware introduced to system via covered attack vector
• Provided network traffic of malware sample
• Provided system events via Windows logs to verify activity  
• Provided memory image

---

Course format: 

• The course is self-paced – you can visit the training whenever you want and your content will be there.
• Once you’re in, you keep access forever, even when you finish the course.
• There are no deadlines, except for the ones you set for yourself.
• We designed the course so that a diligent student will need about 18 hours of work to complete the training.
• Your time will be filled with reading, videos, and exercises. 

---

QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].