Enterprise Incident Response

Save the DateKlick for the .ics file to save the date

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats.

This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. The class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them.

Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.

CPE Credits Earn 16 CPE (Continuing Professional Education) for attending this training. Please request a confirmation during the registration process.
Location Mövenpick Hotel Zurich-Regensdorf
Im Zentrum 2
8105 Zürich-Regensdorf

Date of Event 7th – 8th September 2020 (2 days)
Special This training will be during the conference. You also have the ability to visit the exhibition during the breaks.
Time 9:00 am – 5:00 pm
Language English
Participation Fee CHF 2’190.– (including refreshments, lunch and Apéro afterwards)

Learning Objectives

The course is comprised of the following modules, with labs included throughout the instruction.

The Incident Response Process – An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation. This module includes an in-depth study of the following topics:

  • Preparation – Reviewing the key security controls that have the most significant impact on an organization’s susceptibility to compromise, as well as the availability of sources of evidence and tools required to make a network “investigation friendly”
  • Detection and Analysis – Common mechanisms to detect threats, how to prioritize and categorize leads, the need to fully-scope targeted attacks, and methods to proactively hunt for signs of compromise
  • Remediation – Understanding the goal of remediation and when remediation is necessary, how to plan for a remediation, and how to execute a remediation event

Acquiring Forensic Evidence – A basic overview of the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. Includes the following sub-sections:

  • Forensic Imaging – Understanding the different types of forensic imaging and file system access
  • Live Response Acquisition – Objectives of live response data collection, the key sources of evidence typically acquired during this process, guidelines for forensically sound acquisition, and an introduction to Mandiant’s Redline toolkit

Introduction to Windows Evidence – An overview of the key sources of evidence that can be used to investigate a compromised Windows system, including the NTFS file system, Prefetch, web browser history, event logs, the registry, memory, and more. This module focuses on the following artifacts:

  • Network Connections and Browser History – A review of forensic evidence that may capture active or historical network activity on a system
  • Prefetch – How Prefetch files can capture evidence of previously-executed applications and additional metadata
  • File System Analysis – Understanding the behavior of the NTFS file system and its key artifacts, including the Master File Table, timestamp behavior, alternate data streams, recovery of deleted data, and directory index attributes
  • The Registry – An introduction to the registry, how to acquire and parse its artifacts, and the system and user-specific evidence it contains
  • Event Logs – An introduction to the core system, security, and application event logs as well as the Application and Services logs maintained in modern versions of Windows
  • Memory Analysis – An overview of the Windows memory architecture, including physical memory, the pagefile, and virtual memory. This module demonstrates how to analyze basic sources of evidence in memory including processes, handles, and memory sections. Finally, it walks through attack scenarios that typically require memory analysis, such as recovery of command history, process injection, and rootkit behavior
  • Persistence – This module includes an in-depth study of the following topics:
    • Common Persistence Mechanisms – A review of common persistence mechanisms introduced in the previous module, followed by an in-depth look at how attackers leverage Windows Services for persistence
    • Advanced Persistence Mechanisms – More sophisticated forms of persistence including DLL search order hijacking and binary modification
    • Alternative Remote Access Techniques – Understand alternative remote access techniques such as VPN compromise and web shells

Investigating Lateral Movement – An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry. This module includes an in-depth study of the following topics:

  • Reconnaissance – How attackers enumerate domains, users, systems, shares, and other information in a Windows environment
  • Windows Credentials – Understanding sources of credentials in a Windows environment and the various forms of password attacks, including pass-the-hash and in-memory clear-text password recovery.
  • Logon Events – Provides scenario-based examples of the types of logons attackers perform when moving from system-to-system and the resulting sources of evidence in event logs.
  • Remote Command Execution – How attackers execute commands from one system to another during lateral movement using built-in Windows mechanisms
  • Interactive Session Artifacts – Insight into the file system and registry-based sources of evidence resulting from interactive / GUI access to a Windows system, including topics such as Shell Bags, LNK files, and MRU keys

Hunting – How to apply the lessons-learned from the previous modules to proactively investigate an entire environment, at-scale, for signs of compromise. This includes:

  • Objectives of Hunting – An introduction to the objectives of “hunting
  • Examples – Walks through several examples of sources of evidence that are well-suited to large-scale analysis, such as Task Scheduler event log entries, ShimCache, and Windows Services. Techniques for efficiently searching, stacking, and data reduction are provided for each

Investigating Web Application Attacks –This module focuses on how to analyze web logs to recognize and interpret common attack techniques. It includes the following sections:

  • Investigating Common Web Attacks – Analysis of the log entries and evidence resulting from SQL injection and web shell attacks
  • Obfuscation & Encoding – How attackers can disguise web attacks to evade automated security controls and inhibit log analysis
  • Log Analysis Techniques – A review of the tools and processes that are best-suited for analyzing web logs based on the initial leads available to an investigator

Who Should Attend
Incident response team members, threat hunters and information security professionals.

Background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Learners must have a working understanding of the Windows operating system, file system, registry and use of the command line. Familiarity with Active Directory and basic Windows security controls, plus common network protocols, is beneficial.

Course Requirements
Learners will need to bring a computer with Windows 7 or newer operating system installed, Core i5 or equivalent processor, 6 GB (preferably 8 GB) of RAM and 25 GB or more of free HDD space.

Virtual machines are acceptable provided at least 4 GB of RAM can be allocated. Learners must provide their own copies of and licenses for Windows.

Learners will receive a lab book and USB thumb drive containing all required class materials and tools.

About your trainer
Matias Bevilacqua-Brechbühler Trabado, Principal Response Consultant at Mandiant – check his bio here
Hussein Khalifa, Senior Consultant at Mandiant – check his profile here

Cancellations of registration are free of charge until 30 days before. Cancellations received beyond this point will incur 100% of the admission fee. You will get an invoice for the respective amount. In any case, however, a delegate may be sent at no additional costs.

Register here

Event Partner

Earn CPE Credits for
attenting SIGS Events