Product Description
The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription
Security Incident Response process description and incident handling guide. It is important to know the proper way of solving a security incident in order to ensure the best possible outcome.
Participants will receive a high-level overview of everything they need to know about handling a high-profile security incident, including the steps and skills necessary to lead the incident to a successful conclusion and ensure that the same incident does not occur again.
PRE-RECORDED, SELF-PACED
COURSE DURATION: 18 hours (18 CPE credits awarded on completion)
Participants will be able to clearly define a security incident and know the proper way to handle it. The participants will also be able to define the steps needed to lead the incident to a desired outcome throughout the process of investigation.
You will find out how to:
- Detect, identify, and mitigate threats
- Assess potential security risks
- Account for human error
- Create an Incident Response Plan
- Identify High Value Targets
- Set up Incident Response tooling
- Create IoCs and implement them
- Recover systems, data and connectivity
- Return to production state
- Document the incident
Example tools used in the course:
- Windows built-in tools;
- Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview);
- Volatility;
- dd/windd;
- Logparser;
- grep and Windows Event Log Explorer
You will get familiar with:
- Identifying incident as a security incident
- Types of security incidents
- Different types of incidents
- Containment and quarantine
- Documentation of incident
- Impact analysis
- Attack Trends
- System instrumentation
- Employees' security trainings
- Special Actions for Responding to Different Types of Incidents: Espionage, Inappropriate use, Internal Threats
- Forensic Investigations
What should you know before you join:
- Operating systems knowledge
What will you need:
- PC, internet connectivity
About your instructor: Petar Yankov
Expert Digital Forensics and Investigations at DXC Technology
Certified GIAC GCIH and EC-Council CHFI
I am currently part of the Digital Forensics and Investigations team at DXC Technology. My main responsibility is investigating security incidents that impact DXC’s clients. In my line of work I handle all sorts of security incidents, such as hacking attempts, virus infections and outbreaks, intrusions, data exfiltrations. I am deeply involved in Security Information and Event Management (SIEM), as well as network-related security incidents, and perform malware analysis, traffic/log analysis, in-depth forensic investigations and research into new threats. Working with a vast variety of clients and different environments is quite interesting and does require a lot of training and research.
My IT security career started back in 2008
I started my work in IT security back in December 2008 with Hewlett-Packard enterprise as part of the Endpoint Security and Protection team. As part of this team, I’ve been interfacing with technical and management teams. My main responsibilities were developing and implementing endpoint security solutions in different environments, as well as performing events monitoring and ongoing maintenance. My responsibilities included communicating with AntiVirus and Firewall vendors, submitting malware samples and creating custom installation packages for deployment on end user and server systems. That gave me a broad view of the IT security landscape and got me started on a journey that has now continued for more than a decade.
COURSE SYLLABUS
Module 1
Introduction to Security Incident Response, Security Incident Handling Process
Preparation Phase
Preparing well for a security incident is one of the most important aspects of security incident handling. It is interesting to find out how, in hindsight, most security incidents can be prevented or solved much more easily with better preparation.
- Assessing potential security risks
- Accounting for human error
- Creating Incident Response Plan
- Identifying High Value Targets
- Identifying Stakeholders
- Setting up Incident Response tooling
- System instrumentation
- Employees' security trainings
Module 1 exercises:
Familiarizing with Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview) and Windows Event Log analysis
Module 2
Identification / Detection and Reporting, Outbreak prevention
Distinguishing a security incident from an operational issue is important, and the distinction must be defined clearly. Examples of a security incident are theft or loss of equipment that contains private or potentially sensitive data, and a virus or malware outbreak.
Discussion on identifying an incident as a security incident and different types of incidents.
First steps should be well documented and laid out, since many scenarios should be played out during risk assessments, drawing on past incident data and external data (such as threat intelligence feeds). These first steps further determine the future development of the investigation and the investigation objectives.
In the case of forensic investigations, the objectives of the investigation must be clearly identified, and all stakeholders should be identified (that might include legal, PR, HR …).
Detection, identification and mitigation of threats should be well documented and prioritized.
- Identifying incident as a security incident
- Types of security incidents
- First steps
- Detection, identification and mitigation of threats
- Different types of incidents
- Forensic cases / Defining objectives of investigation
Special Actions for Responding to Different Types of Incidents:
- Espionage
- Inappropriate use
- Internal Threats
- Forensic Investigations
Module 2 exercises:
- LAB: Virus infection PlugX detection;
- LAB2: Keyword searches (mainly using grep and ; volatility usage and plugins)
- LAB3: Automated malware sample analysis with Cuckoo
Module 3
Containment & Eradication
Containment means making certain that the incident is contained and malware samples are quarantined for further analysis, and assessing the impact of the incident. If needed, impacted systems are isolated. It is important to keep this step distinct from identification.
Documentation of the incident is very important, so that the insight gained can be used for future reference and contribute to resolving future incidents.
Environment impact analysis means ensuring the threat is neutralized, all impact on systems is contained and all aspects of the threat are taken into account. It is important to stress that in this step we make certain that the threat actor or malware does not have another way back into the environment. Vulnerabilities are patched and privileges/policies are reviewed once again in order to make certain that everything possible is done to prevent the same incident from recurring.
Restoring systems and data from backup must be done while ensuring security patching is up to date. Connectivity to impacted systems should be restored only after making certain everything has been done to mitigate the incident.
Containment
- Containment and quarantine
- IoCs creation and implementation
- Documentation of incident
Eradication
- Impact analysis
- Recover systems, data and connectivity
Module 3 Exercise:
- LAB: IoCs creation and usage
Module 4
Recovery & Follow up / Lessons Learned
The return to production state must be done while continuous monitoring is ensured. This phase covers restoring affected systems and devices and returning them to the environment. During this phase, it’s important to get the systems up and running again while making certain that all precautions have been taken so that a breach cannot occur in the same way.
After the recovery phase is complete, it is important to review and document the incident, review processes and see if the incident has shed light and if there is room for improvement.
After a targeted attack, all security personnel should be on high alert anticipating an attack from another vector.
Recovery:
- Return to production state
- Additional monitoring
Follow up / Lessons Learned
- Documenting the incident
- Contacting relevant parties
- Changes in processes / Processes reviews
- Expect an increase in attacks / Attack Trends
Final exam - multiple-choice test-based exam
Course format:
- Self-paced
- Pre-recorded
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
QUESTIONS?
If you have any questions, please contact our eLearning Manager at [email protected].
rfling –
Security Incident Response is the third course I have taken here, at first I was hesitant since it is not a topic that regularly interests me but after reading the description and giving it some thought I thought it might be a good idea. I am normally looking to broaden my pentesting skills but I have to be honest, so far this course is worth my time and I am only at the end of the first module.
They say you don’t know what you don’t know and that saying applies here. I am usually one who does the attacking and have never given any thought at all to the other side of the coin. How many of us ever put any planning into actually being the victim of a cyber crime? The consequences can be huge. Far too many put this topic in the back of their mind, they just plan on hiring someone if it happens or pay it no worry because they “have insurance” against an attack.
The security of the data in your possession SHOULD be a priority. Petar (the instructor) walks you through assessing what your risk could be. Has a vulnerability scan ever been done? Do you have any end of life hardware in your possession that is a threat?
What about your data in general? Do you have research and development data that might be able to be stolen to give your competition an advantage? Do you have any health care info in your possession? Of course everyone worries about their financials.
Do you even know how to recognize that an incident has taken place? It is totally possible that your data is taken and you don’t even realize it. Have you trained your employees on best practices and maybe even given this enough thought that you have put together an incident response team? This alone was enough to get me wanting to learn more.
Overall the course is very thorough. You not only get the theory you also get an opportunity to practice everything you learn which will enable you to put what you have learned to work if ever warranted.
I am glad I took the time to work through this, it not only has given me an education on incident response but will actually even let me add incident response to my list of services.
smaschnl (verified owner) –
FINISHED SECURITY INCIDENT RESPONSE
This course gives you a few guidelines for incident response but focuses on using digital forensic tools.
The final exam is more on knowledge of which option and tools to use, that is a pity.