Security Incident Response (W43)


This course describes the security incident response process and serves as an incident handling guide. It is important to know the proper way to resolve a security incident in order to ensure the best possible outcome.

Participants will receive a high-level overview of everything they need to know about handling a high-profile security incident, the necessary steps and skills to lead the incident to a successful conclusion, and how to ensure that the same incident does not occur again.


PRE-RECORDED, SELF-PACED

COURSE DURATION: 18 hours (18 CPE credits awarded on completion)


Participants will be able to clearly define a security incident and know the proper way to handle it. The participants will also be able to define the steps needed to lead the incident to a desired outcome throughout the process of investigation.

You will find out how to:

  • Detect, identify, and mitigate threats
  • Assess potential security risks
  • Account for human error
  • Create an Incident Response Plan
  • Identify High Value Targets
  • Set up Incident Response tooling
  • Create IoCs and implement them
  • Recover systems, data and connectivity
  • Return to production state
  • Document the incident

Example tools used in the course:

  • Windows built-in tools;
  • Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview);
  • Volatility;
  • dd/windd;
  • Logparser;
  • grep and Windows Event Log Explorer

You will get familiar with:

  • Identifying an incident as a security incident
  • Types of security incidents
  • Different types of incidents
  • Containment and quarantine
  • Documentation of incident
  • Impact analysis
  • Attack Trends
  • System instrumentation
  • Employee security training
  • Special Actions for Responding to Different Types of Incidents: Espionage, Inappropriate use, Internal Threats
  • Forensic Investigations

What should you know before you join:

  • Operating systems knowledge

What will you need:

  • PC, internet connectivity


About your instructor: Petar Yankov

Expert Digital Forensics and Investigations at DXC Technology
Certified GIAC GCIH and EC-Council CHFI

I am currently part of the Digital Forensics and Investigations team at DXC Technology. My main responsibility is investigating security incidents that impact DXC’s clients. In my line of work I handle all sorts of security incidents, such as hacking attempts, virus infections and outbreaks, intrusions, and data exfiltrations. I am deeply involved in Security Information and Event Management (SIEM), as well as network-related security incidents, and perform malware analysis, traffic/log analysis, in-depth forensic investigations and research into new threats. Working with a vast variety of clients and different environments is quite interesting and does require a lot of training and research.

My IT security career started back in 2008. I started my work in IT security back in December 2008 with Hewlett-Packard enterprise as part of the Endpoint Security and Protection team. As part of this team, I’ve been interfacing with technical and management teams. My main responsibilities were developing and implementing endpoint security solutions in different environments, and additionally performing event monitoring and ongoing maintenance. My responsibilities included communicating with AntiVirus and Firewall vendors, submitting malware samples and creating custom installation packages for deployment on end user and server systems. That gave me a broad view of the IT security landscape and got me started on a journey that now continues for more than a decade.


COURSE SYLLABUS


Module 1

Introduction to Security Incident Response, Security incident handling process

Preparation Phase

Preparing well for a security incident is one of the most important aspects of security incident handling. It is interesting to find out how, in hindsight, most security incidents can be prevented or solved much more easily with better preparation.

  • Assessing potential security risks
  • Accounting for human error
  • Creating an Incident Response Plan
  • Identifying High Value Targets
  • Identifying Stakeholders
  • Setting up Incident Response tooling
  • System instrumentation
  • Employee security training

Module 1 exercises:

Familiarization with the Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use it and how it is useful in incident response; listdlls; procexp/procexp64; tcpview) and Windows Event Log analysis


Module 2

Identification / Detection and Reporting, Outbreak prevention

Identifying a security incident, as opposed to an operational issue, is important, and the distinction must be defined clearly. Examples of a security incident are theft or loss of equipment that contains private or potentially sensitive data, and a virus or malware outbreak.

Discussion on identifying an incident as a security incident and different types of incidents.

First steps should be well documented and laid out; as many scenarios as possible should be played out during risk assessments, drawing on past incident data and external data (such as threat intelligence feeds). That will further determine the future development of the investigation and the investigation objectives.

In the case of forensic investigations, the objectives of the investigation must be clearly identified, and all stakeholders should be identified (which might include legal, PR, HR …).

Detection, identification and mitigation of threats should be well documented and prioritized.

  • Identifying an incident as a security incident
  • Types of security incidents
  • First steps
  • Detection, identification and mitigation of threats
  • Different types of incidents
  • Forensic cases / Defining objectives of investigation

Special Actions for Responding to Different Types of Incidents:

  • Espionage
  • Inappropriate use
  • Internal Threats
  • Forensic Investigations

Module 2 exercises:

  • LAB 1: Virus infection PlugX detection
  • LAB 2: Keyword searches (mainly using grep and ; Volatility usage and plugins)
  • LAB 3: Automated malware sample analysis with Cuckoo

Module 3

Containment & Eradication

Making certain that the incident is contained, that malware samples are quarantined for further analysis, and assessing the impact of the incident. If needed, isolating impacted systems. It is important to keep this step distinct from identification.

Documentation of the incident is very important, so that the insight gained can be used for future reference and contribute to future incidents resolution.

Environment impact analysis: ensuring the threat is neutralized, all impact on systems is contained, and all aspects of the threat are taken into account. We stress that in this step we make certain that the threat actor or malware does not have another way back into the environment: patching vulnerabilities and reviewing privileges/policies once again in order to make certain that everything possible is done to prevent the same incident from recurring.

Restoring systems and data from backup must be done while ensuring security patching is up to date. Restoring connectivity to impacted systems needs to be done only after making certain everything has been done to mitigate the incident.

Containment

  • Containment and quarantine
  • IoCs creation and implementation
  • Documentation of incident

Eradication

  • Impact analysis
  • Recover systems, data and connectivity

Module 3 Exercise:

  • LAB 1: IoCs creation and usage
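The IoC creation and implementation step above, as an added example that is not part of the course material: a small Python sweep that applies constructed indicators (a file hash, a domain, a process image name) to constructed Windows-style host event lines and groups the hits per host, so each impacted host gets one containment/documentation record.

```python
"""Minimal IoC sweep over host event lines (constructed sample data)."""
import re
from collections import defaultdict

# Constructed IoC set; none of these values are real indicators.
FAKE_SHA = "ab" * 32
IOCS = {
    "sha256": {FAKE_SHA},
    "domain": {"update-check.example.net"},
    "image": {"svch0st.exe"},   # look-alike of the legitimate svchost.exe
}

# Constructed event lines in a simplified key=value host-log style.
SAMPLE_EVENTS = [
    f"host=WS-0142 type=ProcessCreate image=C:\\Users\\bob\\AppData\\svch0st.exe sha256={FAKE_SHA}",
    "host=WS-0142 type=DnsQuery query=update-check.example.net",
    "host=WS-0207 type=ProcessCreate image=C:\\Windows\\System32\\svchost.exe sha256=" + "cd" * 32,
    "host=WS-0207 type=DnsQuery query=www.example.com",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (values contain no spaces here)."""
    return dict(KV.findall(line))

def match_iocs(event, iocs=IOCS):
    """Return a list of (ioc_type, value) hits for one parsed event."""
    hits = []
    sha = event.get("sha256", "").lower()
    if sha in iocs["sha256"]:
        hits.append(("sha256", sha))
    query = event.get("query", "").lower().rstrip(".")
    if query in iocs["domain"]:
        hits.append(("domain", query))
    # Compare only the image basename, case-insensitively, so a hit does not
    # depend on the drop directory or on path separator style.
    basename = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in iocs["image"]:
        hits.append(("image", basename))
    return hits

def sweep(lines, iocs=IOCS):
    """Group hits by host: {host: [(event_type, ioc_type, value), ...]}."""
    impacted = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for ioc_type, value in match_iocs(ev, iocs):
            impacted[ev.get("host", "?")].append((ev.get("type", "?"), ioc_type, value))
    return dict(impacted)

if __name__ == "__main__":
    for host, hits in sweep(SAMPLE_EVENTS).items():
        print(host, "-> isolate and quarantine for analysis; hits:", hits)
```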

Module 4

Recovery & Follow up / Lessons Learned

Return to production state must be done while continuous monitoring is ensured: restoring affected systems and devices and returning them to the environment. During this phase, it is important to get the systems up and running again, while making certain that all precautions have been taken so that a breach cannot occur in the same way.

After the recovery phase is complete, it is important to review and document the incident, review processes, and see whether the incident has shed light on weaknesses and where there is room for improvement.

After a targeted attack, all security personnel should be on high alert anticipating an attack from another vector.

Recovery:

  • Return to production state
  • Additional monitoring

Follow up / Lessons Learned

  • Documenting the incident
  • Contacting relevant parties
  • Changes in processes / Processes reviews
  • Expect an increase in attacks / Attack Trends

Final exam - multiple-choice test-based exam


Course format:

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

Contact:

If you have any questions about the course, get in touch with us at Hakin9 by contacting our Course Coordinator Marta at [email protected]


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013