Access to this course is restricted to Hakin9 Premium or IT Pack Premium subscribers.
As the threat landscape continues to shift, so too does the information security industry. This course focuses on incident response. Its purpose is to introduce incident response by illustrating tools, techniques, and procedures that can enhance or contribute to an incident response program. Students will walk away with knowledge of tracking incidents, obtaining indicators of compromise and other artifacts, and writing incident response reports.
The course is self-paced and pre-recorded.
18 CPE points
What will you learn?
- A range of skills and techniques to assist in the incident response stages
- The six stages of incident response
- Open source toolsets to assist in incident response
- How to report an incident to management
What skills will you gain?
- Techniques for searching and obtaining artifacts critical to aid in incident response
- Open source toolsets for searching and obtaining artifacts critical to aid in incident response
- The six stages of incident response
- Techniques for building system and network defenses
- Swapping out infected systems and rerouting network traffic on the fly
- Malware analysis
- Memory analysis
- Network protocol analysis
- Host behaviour analysis
What will you need?
- Laptop or desktop with a minimum of 4 GB of RAM
- VirtualBox (latest version, to run the course images) so that Windows and Linux systems can be run side by side
What should you know before you join?
- Networking knowledge and pcap dissection (including the underlying theory, programming languages, software & hardware)
- Linux system architecture (administration), Windows architecture (administration), network analysis, common network & system attack types
- Comfortable with Linux command line instruction
- Comfortable with Windows command line instruction
- Background or interest in information security technical roles, e.g., network, system administration, engineering, devops
Your instructor: O'Shea Bowens
O'Shea Bowens is an information security enthusiast with a decade of information security experience. His primary focus is incident response, malware analysis, and blue team functions. O'Shea has worked for and consulted with clients in the U.S. federal government and in U.S. and international firms, in information security roles including security analyst, incident response, network & systems forensics, architecture, and network engineering.
Syllabus
Before the start
- VirtualBox
- Networking in VirtualBox (Students will need to setup a virtual environment for this course)
- Linux command line knowledge
- Windows command line knowledge
- TCP/IPv4 networking knowledge
- Common malware traits
Module 1: Introduction to Incident Response
Why Are We Here?
Module 1 covered topics: The Six Stages of Incident Response
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
- Legal Problems
- Cyber Laws as they Currently Stand
Module 1 exercises:
- Understanding of incident response forms
- Introduction to incident response stages
- Setting up a lab environment to analyze malware (never use your production systems)
Module 2: Preparation & Identification
Understanding of incident response stages - Preparation & Identification
Module 2 covered topics:
- Events versus Incidents
- Incident Response Parties Involved
- Network Intrusion Detection Systems
- Host based intrusion detection
- Logs of system events vs incidents (participants will need an open source NIDS and HIDS tool for analyzing malicious activity)
Module 2 exercises:
- System logs provided to assist in exercise
- Vulnerable image of OS provided to perform exercises
- Introduction to OSSEC
- Introduction to Bro (now Zeek)
- Leveraging of Windows event logs (security) & Windows log auditing
- Leveraging Linux auditd logs
- Pcap Analysis Tutorial
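The following script is an added example and is not part of the course materials. It shows what the Module 2 distinction between events and incidents looks like when applied to Linux auditd output: it groups auditd records by their audit serial (a SYSCALL record and its EXECVE arguments belong to one event), then applies three illustrative rules (a binary executed from a world-writable directory, a download tool staging a file into one, and a burst of failed SSH logins from a single address) to separate routine events from incident candidates. The log lines, thresholds and rule names are constructed for illustration and are not from a real host or a vendor rule set.

```python
"""Triage constructed Linux auditd records into plain events and incident candidates.

Added example for this course outline, not course material. The records are
constructed (not from a real host); the rules are illustrative heuristics.
"""
import re
from collections import defaultdict

# Constructed auditd records. Records of one audit event share msg=audit(<time>:<serial>).
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1700000000.101:201): pid=910 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1700000001.202:202): pid=911 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000001.303:203): pid=912 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000001.404:204): pid=913 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000010.707:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000010.707:205): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000020.808:206): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1502 auid=1000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1700000020.808:206): argc=4 a0="curl" a1="-s" a2="-o" a3="/tmp/.update"
type=SYSCALL msg=audit(1700000021.909:207): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1503 auid=1000 uid=1000 euid=1000 comm=".update" exe="/tmp/.update" key="exec"
type=EXECVE msg=audit(1700000021.909:207): argc=1 a0="/tmp/.update"
"""

# key=value tokenizer: values may be double-quoted, single-quoted or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FAILED_AUTH_THRESHOLD = 3     # illustrative: failures from one address ...
FAILED_AUTH_WINDOW_SECS = 60  # ... within this many seconds


def parse_record(line):
    """Flatten one auditd record into a dict; None for lines that are not audit records."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    for key, value in KV_RE.findall(line):
        if key == "msg" and value.startswith("audit("):
            continue  # event id already captured
        value = value.strip("\"'")
        if key == "msg":  # PAM records nest key=value pairs inside msg='...'
            for k2, v2 in KV_RE.findall(value):
                fields[k2] = v2.strip("\"'")
        else:
            fields[key] = value
    return fields


def group_events(log_text):
    """Merge records sharing a serial (SYSCALL + EXECVE) into one event, ordered by serial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "timestamp": rec["timestamp"],
                                               "types": set(), "argv": []})
        rtype = rec.pop("type", "UNKNOWN")
        ev["types"].add(rtype)
        if rtype == "EXECVE":
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", "0")))]
        else:
            ev.update({k: v for k, v in rec.items() if k not in ("serial", "timestamp")})
    return [events[s] for s in sorted(events)]


def triage(events):
    """Return (plain_events, incident_candidates); flagged events leave the plain list."""
    incidents, flagged = [], set()
    for ev in events:
        exe, argv = ev.get("exe", ""), ev["argv"]
        # Rule 1: a binary executed from a world-writable directory.
        if "SYSCALL" in ev["types"] and exe.startswith(WRITABLE_DIRS):
            incidents.append({"rule": "exec_from_writable_dir", "serials": [ev["serial"]],
                              "summary": f"{exe} run as uid={ev.get('uid')} argv={argv}"})
            flagged.add(ev["serial"])
        # Rule 2: a download tool writing its output into such a directory (staging).
        if ev.get("comm") in ("curl", "wget") and any(a.startswith(WRITABLE_DIRS) for a in argv):
            incidents.append({"rule": "download_to_writable_dir", "serials": [ev["serial"]],
                              "summary": f"{ev.get('comm')} staged a file: argv={argv}"})
            flagged.add(ev["serial"])
    # Rule 3: burst of failed authentications from a single source address.
    failures = defaultdict(list)
    for ev in events:
        if "USER_AUTH" in ev["types"] and ev.get("res") == "failed":
            failures[ev.get("addr", "?")].append(ev)
    for addr, evs in failures.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["timestamp"] - first["timestamp"] <= FAILED_AUTH_WINDOW_SECS]
            if len(window) >= FAILED_AUTH_THRESHOLD:
                accts = sorted({e.get("acct", "?") for e in window})
                incidents.append({"rule": "failed_auth_burst", "serials": [e["serial"] for e in window],
                                  "summary": f"{len(window)} failed logins from {addr} for {accts}"})
                flagged.update(e["serial"] for e in window)
                break
    plain = [ev for ev in events if ev["serial"] not in flagged]
    return plain, incidents


def run_triage(log_text=SAMPLE_AUDIT_LOG):
    return triage(group_events(log_text))


if __name__ == "__main__":
    plain, incidents = run_triage()
    print(f"{len(plain)} plain events, {len(incidents)} incident candidates")
    for inc in incidents:
        print(f"[{inc['rule']}] serials={inc['serials']} {inc['summary']}")
```

On the sample above the successful login and the `ls` execution stay plain events, while the failed-login burst, the `curl` download into `/tmp` and the execution of `/tmp/.update` become incident candidates. Grouping by serial matters: the SYSCALL record alone shows which binary ran, but only the EXECVE record reveals where `curl` wrote its output.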
Module 3: Containment & Eradication
Understanding of incident response stages - Containment & Eradication
Module 3 covered topics:
- Establishing short/long-term containment
- Enhancement of defensive posture for network, servers, and endpoints
- Indicators of compromise creation and usage in incident response
- Indicators of attack correlation
Module 3 exercises:
- System and network logs provided to assist in exercise
- Vulnerable image of OS to perform exercises
- How to create a secure forensic image guide
- How to craft an indicator of compromise
- Searching across your environment for malware
- Creating correlation to spot malicious activity
- Taking advantage of iptables
- Obtaining strings to hunt for activity
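The following script is an added example and is not part of the course materials. It walks the Module 3 exercise list end to end: it crafts indicators of compromise from a constructed malware sample (file hash, embedded strings, and the IPv4 address hidden in one of those strings), hunts for them across a constructed set of hosts (files and proxy/auth log lines), correlates file and network hits into a per-host verdict, and emits iptables rules that contain the C2 address. The sample bytes, hostnames, paths, log lines and verdict wording are constructed for illustration.

```python
"""Craft IOCs from a sample, hunt for them across hosts, correlate, and emit iptables containment.

Added example for this course outline, not course material. SAMPLE_MALWARE and
ENVIRONMENT are constructed stand-ins for a real sample and a real estate.
"""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

# Constructed "sample": a fake DOS header, a hard-coded C2 URL, a mutex name and a
# persistence command, separated by non-printable bytes.
SAMPLE_MALWARE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"http://203.0.113.45/gate.php\x00" + b"\x7f\x01\x02"
    + b"Global\\UpdaterMutex_7731\x00" + b"\x00\x00"
    + b"cmd.exe /c schtasks /create /tn Updater\x00" + b"\xff\xfe\x00"
)

# Constructed environment: per host, files on disk and a few log lines.
ENVIRONMENT = {
    "ws-01": {
        "files": {"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe": SAMPLE_MALWARE},
        "logs": ["2023-11-14T10:02:11Z proxy ws-01 GET http://203.0.113.45/gate.php 200"],
    },
    "ws-02": {  # C2 contact but not the known file: a repacked variant, perhaps
        "files": {"C:\\Windows\\notepad.exe": b"MZ\x90\x00 benign placeholder bytes"},
        "logs": ["2023-11-14T10:05:40Z proxy ws-02 GET http://203.0.113.45/gate.php 200"],
    },
    "srv-01": {
        "files": {"/opt/app/app.bin": b"\x7fELF benign placeholder"},
        "logs": ["2023-11-14T10:07:02Z sshd srv-01 Accepted publickey for deploy from 10.0.0.12"],
    },
}

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")           # like `strings -n 8`
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "sha256", "ipv4" or "string"
    value: str
    note: str


def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII runs of 8+ bytes, the raw material for string-based IOCs."""
    return [m.decode("ascii") for m in PRINTABLE_RE.findall(data)]


def craft_iocs(sample: bytes) -> list[Indicator]:
    """Turn one sample into a deduplicated indicator set: hash, strings, addresses in strings."""
    iocs = [Indicator("sha256", hashlib.sha256(sample).hexdigest(), "sample file hash")]
    for s in extract_strings(sample):
        iocs.append(Indicator("string", s, "embedded string"))
        for ip in IPV4_RE.findall(s):
            iocs.append(Indicator("ipv4", ip, "address in embedded string"))
    return list(dict.fromkeys(iocs))  # dedupe, keep order


def hunt(environment: dict, iocs: list[Indicator]) -> dict[str, list[tuple]]:
    """Search every host's files and logs; return per-host hits as (where, location, indicator)."""
    hits = {host: [] for host in environment}
    for host, data in environment.items():
        for path, content in data["files"].items():
            digest = hashlib.sha256(content).hexdigest()
            found = set(extract_strings(content))
            for ioc in iocs:
                if (ioc.kind == "sha256" and ioc.value == digest) or (ioc.kind == "string" and ioc.value in found):
                    hits[host].append(("file", path, ioc))
        for line in data["logs"]:
            for ioc in iocs:
                if ioc.kind in ("ipv4", "string") and ioc.value in line:
                    hits[host].append(("log", line, ioc))
    return hits


def correlate(hits: dict[str, list[tuple]]) -> dict[str, str]:
    """Combine file and network evidence into a verdict per host."""
    verdicts = {}
    for host, host_hits in hits.items():
        kinds = {(where, ioc.kind) for where, _, ioc in host_hits}
        if ("file", "sha256") in kinds:
            verdicts[host] = "confirmed: known sample on disk" + (
                " and C2 traffic observed" if ("log", "ipv4") in kinds else "")
        elif ("log", "ipv4") in kinds or ("log", "string") in kinds:
            verdicts[host] = "probable: C2 contact without the known file (possible variant; image the host)"
        elif host_hits:
            verdicts[host] = "low: isolated string match, review manually"
        else:
            verdicts[host] = "clean: no indicators matched"
    return verdicts


def iptables_block_rules(iocs: list[Indicator]) -> list[str]:
    """Short-term containment: drop traffic to/from each C2 address, logging outbound attempts.
    Rules are emitted in execution order; DROP is inserted first so the later LOG insert lands above it."""
    rules = []
    for ioc in (i for i in iocs if i.kind == "ipv4"):
        rules.append(f"iptables -I OUTPUT -d {ioc.value} -j DROP")
        rules.append(f'iptables -I OUTPUT -d {ioc.value} -j LOG --log-prefix "IOC-C2 "')
        rules.append(f"iptables -I INPUT -s {ioc.value} -j DROP")
    return rules


if __name__ == "__main__":
    iocs = craft_iocs(SAMPLE_MALWARE)
    found = hunt(ENVIRONMENT, iocs)
    for host, verdict in correlate(found).items():
        print(f"{host}: {verdict} ({len(found[host])} hits)")
    print("\n".join(iptables_block_rules(iocs)))
```

The correlation step is the point of the exercise: ws-01 matches on hash, strings and the C2 address, ws-02 shows only the C2 contact, and srv-01 matches nothing. A hash-only sweep would have cleared ws-02; the network indicator is what keeps it in scope for imaging. The iptables rules are printed rather than executed so they can be reviewed (and applied at the perimeter as well) before containment.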
Module 4: Recovery & Lessons Learned
Understanding of incident response stages - Recovery & Lessons Learned
Module 4 covered topics:
- Procedure to test, monitor, and confirm system behavior
- How to define scope of incident
- Restoring systems from backups
- Conducting roundtable discussions for lessons learned
Module 4 exercises:
- System and network logs provided to assist in exercise
- Vulnerable image of OS to perform exercises
- Searching across the environment for threats based on IOC
- Provide summary of attack based on artifacts
- Leveraging “Regshot” to compare registry for normalization
- Conducting vulnerability assessments with OpenVAS
- Creating executive summary of incident
Module 5: Putting it together - Attack Scenario #1
Attack scenario walkthrough with reporting form for incident to be completed
Module 5 covered topics:
- Objective: Complete executive summary with incident response
- Track attack via pcaps, logs, and disk analysis
Module 5 exercises:
- With image supplied of exploited server/endpoint, objective is for participants to utilize supplied log sources, memory images, and pcaps to establish report of root cause analysis. (Supply IR forms, i.e., communication form, incident report - how were IOC/artifacts gathered)
Module 5 Tools: Students may use tools listed below or tools of choice:
- Wireshark
- Process Explorer
- Regshot
- Sysinternals
- NIDS - Bro, Snort
- HIDS - OSSEC
- Memory Analysis - Volatility
- IDA
- Event Log Viewer
- ApateDNS
Module 5 Malicious activity:
- Malware introduced to system via covered attack vector
- Provided network traffic of malware sample
- Provided system events via Windows logs to verify activity
- Provided memory image
Module 6: Putting it together - Attack Scenario #2
Attack scenario walkthrough with reporting form for incident to be completed.
Module 6 covered topics:
- Objective: Complete executive summary of incident. Note: There are different methods of obtaining artifacts and interpreting the incident. So be creative.
- Track attack via pcaps, logs, and disk analysis
Module 6 exercises:
- With image supplied of exploited server/endpoint, objective is for participants to utilize supplied log sources, memory images, and pcaps to establish report of root cause analysis. (Supply IR forms i.e. communication form, incident report - how were IOC/artifacts gathered)
Module 6 Tools: Students may use tools listed below or tools of choice:
- Wireshark
- Process Explorer
- Regshot
- Sysinternals
- NIDS - Bro
- HIDS - OSSEC
- Memory Analysis - Volatility
- IDA
- Event Logs
Module 6 Malicious activity:
- Malware introduced to system via covered attack vector
- Provided network traffic of malware sample
- Provided system events via Windows logs to verify activity
- Provided memory image
Course format:
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- Your time will be filled with reading, videos, and exercises.
QUESTIONS?
If you have any questions, please contact our eLearning Manager at [email protected].