Arrow ECS

Enterprise Incident Response Course

Price: 10086.00 PLN

Net price: 8200.00 PLN

City: Warszawa

Date: 11-13.09.2017

Event type: training


Despite significant investment in the development of security systems, most organizations remain exposed to APT (Advanced Persistent Threat) attacks, which can go undetected for many months and cause measurable losses to their business and market reputation. Developing "security" cannot mean only striving to perfect preventive systems, which have ceased to be an effective guarantee of defence. The situation can improve if security departments change their approach to incident handling by implementing a repeatable response process (the Incident Response Workflow) and learning advanced methods of attack analysis.

This intensive three-day course is entirely focused on presenting various techniques and tools for investigating and assessing incidents. The course takes the form of practical exercises aimed at recording threat artifacts, broken down by the individual phases of an advanced attack. Participants learn methods of collecting triage data and quickly analyzing it to confirm the compromise of a host, as well as the further steps of analyzing Prefetch data, file metadata, memory and the contents of various logs, and identifying the malware persistence mechanisms, C2 communication, etc. used by the attacker.

Brochure with a detailed description of the programme:

Program

The course is comprised of the following modules, with labs included throughout the instruction.

The Incident Response Process – An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation. This module includes an in-depth study of the following topics:

  • Preparation – Reviewing the key security controls that have the most significant impact on an organization’s susceptibility to compromise, as well as the availability of sources of evidence and tools required to make a network “investigation friendly”.
  • Detection and Analysis – Common mechanisms to detect threats, how to prioritize and categorize leads, the need to fully scope targeted attacks, and methods to proactively hunt for signs of compromise.
  • Remediation – Understanding the goal of remediation and when remediation is necessary, how to plan for a remediation, and how to execute a remediation event.

Acquiring Forensic Evidence – A basic overview of the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. Includes the following sub-sections:

  • Forensic Imaging – Understanding the different types of forensic imaging and file system access.
  • Live Response Acquisition – Objectives of live response data collection, the key sources of evidence typically acquired during this process, guidelines for forensically sound acquisition, and an introduction to Mandiant’s Redline toolkit.

Introduction to Windows Evidence – An overview of the key sources of evidence that can be used to investigate a compromised Windows system, including the NTFS file system, Prefetch, web browser history, event logs, the registry, memory, and more. This module focuses on the following artifacts:

  • Network Connections and Browser History – A review of forensic evidence that may capture active or historical network activity on a system.
  • Prefetch – How Prefetch files can capture evidence of previously executed applications and additional metadata.
  • File System Analysis – Understanding the behavior of the NTFS file system and its key artifacts, including the Master File Table, timestamp behavior, alternate data streams, recovery of deleted data, and directory index attributes.
  • The Registry – An introduction to the registry, how to acquire and parse its artifacts, and the system and user-specific evidence it contains.
  • Event Logs – An introduction to the core system, security, and application event logs as well as the Application and Services logs maintained in modern versions of Windows.
  • Memory Analysis – An overview of the Windows memory architecture, including physical memory, the pagefile, and virtual memory. This module demonstrates how to analyze basic sources of evidence in memory including processes, handles, and memory sections. Finally, it walks through attack scenarios that typically require memory analysis, such as recovery of command history, process injection, and rootkit behavior.

Persistence – This module includes an in-depth study of the following topics:

  • Common Persistence Mechanisms – A review of common persistence mechanisms introduced in the previous module, followed by an in-depth look at how attackers leverage Windows Services for persistence.
  • Advanced Persistence Mechanisms – More sophisticated forms of persistence including DLL search order hijacking and binary modification.
  • Alternative Remote Access Techniques – Understand alternative remote access techniques such as VPN compromise and web shells.

Investigating Lateral Movement – An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry. This module includes an in-depth study of the following topics:

  • Reconnaissance – How attackers enumerate domains, users, systems, shares, and other information in a Windows environment.
  • Windows Credentials – Understanding sources of credentials in a Windows environment and the various forms of password attacks, including pass-the-hash and in-memory clear-text password recovery.
  • Logon Events – Provides scenario-based examples of the types of logons attackers perform when moving from system to system and the resulting sources of evidence in event logs.
  • Remote Command Execution – How attackers execute commands from one system to another during lateral movement using built-in Windows mechanisms.
  • Interactive Session Artifacts – Insight into the file system and registry-based sources of evidence resulting from interactive / GUI access to a Windows system, including topics such as Shell Bags, LNK files, and MRU keys.

Hunting – How to apply the lessons learned from the previous modules to proactively investigate an entire environment, at scale, for signs of compromise. This includes:

  • Objectives of Hunting – An introduction to the objectives of “hunting.”
  • Examples – Walks through several examples of sources of evidence that are well-suited to large-scale analysis, such as Task Scheduler event log entries, ShimCache, and Windows Services. Techniques for efficiently searching, stacking, and data reduction are provided for each.

Investigating Web Application Attacks – This module focuses on how to analyze web logs to recognize and interpret common attack techniques. It includes the following sections:

  • Introduction to Web Logs – Common web log paths and format, logging GET vs. POST, content encoding and HTTP response codes.
  • Investigating Common Web Attacks – Analysis of the log entries and evidence resulting from SQL injection and web shell attacks.
  • Obfuscation & Encoding – How attackers can disguise web attacks to evade automated security controls and inhibit log analysis.
  • Log Analysis Techniques – A review of the tools and processes that are best-suited for analyzing web logs based on the initial leads available to an investigator.

Who Should Attend:

This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require other investigative tasks.

Course Prerequisites

Students must be familiar with:

  • Executing command line utilities as an Administrator.
  • Navigating the Windows file system using the command line.
  • Common file system structures.
  • Microsoft Windows registry.
  • Active Directory and basic Windows security controls.
  • Networking fundamentals, including common Windows protocols.

Additional information

The training is conducted in English.

Training date: 11-13 September 2017

Location: Warszawa

Price: 8 200 zł net per person; VAT must be added to the stated price.

Payment for the training is made on the basis of a pro forma invoice, which will be delivered to the participant at the e-mail address given during registration, and must be credited to the Organizer's account no later than 31 August 2017 (the date of receipt on the account is decisive).

Failure to pay entitles the Organizer to refuse the participant admission to the training.

For organizational and payment matters, please contact us by phone at +48 502 641 325 or by e-mail at kontakt@trento.pl.

The Organizer will contact registered participants to confirm their participation in the training and to provide the organizational and payment details of the training.

Cancellation policy:

If attendance is cancelled less than 10 working days before the training, we agree to pay an amount equal to 100% of the training price.

Contact

Łukasz Okólski

Product Manager

Network & Security Business Unit

Lukasz.Okolski@arrow.com

Phone: +48 12 616 43 36