Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats.
This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. The class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them.
Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
| Item | Details |
|---|---|
| CPE Credits | Earn 16 CPE (Continuing Professional Education) credits for attending this training. Please request a confirmation during the registration process. |
| Location | Mövenpick Hotel Zurich-Regensdorf, Im Zentrum 2 |
| Date of Event | 7th – 8th September 2020 (2 days) |
| Special | This training takes place during the conference. You can also visit the exhibition during the breaks. |
| Time | 9:00 am – 5:00 pm |
| Participation Fee | CHF 2’190.– (including refreshments, lunch and Apéro afterwards) |
The course is comprised of the following modules, with labs included throughout the instruction.
The Incident Response Process – An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation. This module includes an in-depth study of the following topics:
Acquiring Forensic Evidence – A basic overview of the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. Includes the following sub-sections:
Introduction to Windows Evidence – An overview of the key sources of evidence that can be used to investigate a compromised Windows system, including the NTFS file system, Prefetch, web browser history, event logs, the registry, memory, and more. This module focuses on the following artifacts:
Investigating Lateral Movement – An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry. This module includes an in-depth study of the following topics:
Hunting – How to apply the lessons learned from the previous modules to proactively investigate an entire environment, at scale, for signs of compromise. This includes:
Investigating Web Application Attacks – This module focuses on how to analyze web logs to recognize and interpret common attack techniques. It includes the following sections:
Who Should Attend
Incident response team members, threat hunters and information security professionals.
Background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Learners must have a working understanding of the Windows operating system, file system, registry and use of the command line. Familiarity with Active Directory and basic Windows security controls, plus common network protocols, is beneficial.
Learners will need to bring a computer with Windows 7 or a newer operating system installed, a Core i5 or equivalent processor, 6 GB (preferably 8 GB) of RAM and 25 GB or more of free HDD space.
Virtual machines are acceptable provided at least 4 GB of RAM can be allocated to them. Learners must provide their own copies of and licenses for Windows.
Learners will receive a lab book and USB thumb drive containing all required class materials and tools.
About your trainer
Matias Bevilacqua-Brechbühler Trabado, Principal Response Consultant at Mandiant
Tarik Yassem, Incident Response & Forensics Consultant at Mandiant
Cancellations of registration are free of charge until 30 days before the event. Cancellations received after this point will incur 100% of the admission fee, for which you will receive an invoice. In any case, a substitute delegate may be sent at no additional cost.