Introduction to Malware Analysis
Almost every computer incident involves a trojan, backdoor, virus, or rootkit. Incident responders must be able to perform rapid analysis of the malware they encounter in order to remediate current infections and prevent future ones. This course provides a quick introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to extract host-based and network-based indicators from a malicious program using dynamic and static analysis techniques. They will learn the basics of determining a program's functionality by analyzing its disassembly and by watching how it modifies a system as it runs in a debugger. Each section is filled with in-class demonstrations and hands-on labs with real malware in which students practice what they have learned in a safe environment. This class is taught by M-Labs Malware Analysts who are experienced in analyzing a diverse set of malware.
Intermediate Malware Analysis
The malware author’s job is to develop software that can collect and return data, run undetected, frustrate reverse-engineering efforts, and make detection as difficult as possible. Building on the material presented in our Introduction to Malware Analysis class, this course dives deeper into three areas critical to successful malware reverse engineering: disassembly, debugging, and Windows internals. Other topics covered include how to: determine the functionality of a program by analyzing disassembly and observing the changes made to the system as it runs, extract investigative leads from host-based and network-based indicators associated with a malicious program, and identify specific coding constructs in disassembly. Additional topics will include the art of dynamic analysis and a discussion of several Windows APIs that are most often used by malware authors. Each section is filled with in-class demonstrations and instructor-led exercises. Students also complete labs to reinforce key concepts.
Advanced Malware Analysis
Malware authors sometimes take deliberate steps to thwart the reverse engineering of their malware. This course focuses on advanced topics related to defeating those defense mechanisms. It is designed for the experienced malware analyst; a robust skill set in x86 architecture and the Windows APIs is essential. Students will learn how to counter anti-disassembly, anti-debugging and anti-virtual machine techniques. Students will also learn how to defeat packed and armored executables and will be challenged to demonstrate these skills several times throughout the course. Additional topics covered include malware stealth techniques, such as process injection and rootkit technology; analysis of samples written in alternate programming languages, such as Delphi and C++; and a review of available tools and techniques. All concepts and materials presented are reinforced with demonstrations, real-world case studies, follow-along exercises, and student labs that allow students to practice what they have learned. This class is taught by senior M-Labs Malware Analysts who are experienced in fighting through state-of-the-art malware armor.
Customized Malware Analysis
We offer customized malware analysis training solutions to address the business needs of clients that have specific learning objectives. We can build a course that includes any of our 16 malware analysis modules. These modules range from basic concepts of analyzing disassembly all the way to advanced concepts such as x64 and anti-reverse engineering techniques. Each module includes targeted learning and hands-on activities authored by the Mandiant Labs (M-Labs) malware analysis team.
Wireless Security
Wireless computing devices are everywhere and new products seem to appear daily. The explosive growth of wireless devices also brings an increased risk to networks permitting wireless access. As a result, network and information security personnel must understand the risk of wireless computing. The Mandiant Wireless Security course is a two-day class specifically designed for professionals who support, design, or assess IEEE 802.11 wireless environments, commonly known as Wi-Fi. It is a hands-on course presented from the attacker’s perspective and helps students understand the wireless attacker methodology. The course includes a variety of case studies and numerous lab exercises to reinforce wireless security concepts and materials.
Network Traffic Analysis
Sophisticated attackers frequently go undetected in a victim network for an extended period of time. Attackers know how to blend their traffic with legitimate traffic and only the skilled network traffic analyst will know how to find them. Network traffic analysis is a critical skill set for any organization. Mandiant’s intense three-day Network Traffic Analysis course prepares students to face the challenge of identifying malicious network activity. The course provides students an overview of network protocols, network architecture, intrusion detection systems, network traffic capture, and traffic analysis. The course consists of lecture and multiple hands-on labs to reinforce technical concepts.
Network Investigative Techniques
Incident response teams often overlook readily available resources that can help quickly identify attacker activity. Responders greatly improve their chances of identifying attackers if they recognize how to tap all available sources of evidence. The Mandiant Network Investigative Techniques course provides students a broad introduction to the technologies, techniques, and resources that incident response teams can use to quickly identify attacker activity. The course reinforces critical concepts through case studies and hands-on exercises.
Cyber Crime & Incident Response
Introduction to Cyber Crime for Executives
Network security breaches transform calm working environments into high-stress battle zones that require executives to rapidly make key decisions affecting the company and the investigation. Informed executives are better equipped to understand the threat and make the right decisions in minimal time. The Mandiant Introduction to Cyber Crime for Executives course was developed to educate senior staff on cyber crime and incident response. During the course, instructors walk students through a scenario based on real-world intrusions involving sophisticated attackers. The scenario is presented from both the attacker and victim perspectives. Throughout the course, instructors teach students about the tactics and technologies used by the victim and the attackers. The scenario illustrates the most common method attackers use to establish a foothold and remain undetected in the victim network. The class discusses the pros and cons of the various courses of action available to the victim and gives students critical insight into the many issues investigators and victim organizations face in defending networks and responding to security breaches.
Advanced Memory Forensics in Incident Response
Forensic analysts can no longer rely on getting all of the information they need from the hard drive. As an industry, information security organizations consistently overlook some of the most important data in an investigation by neglecting memory analysis. Attackers have developed malware that never touches the drive; as a result, drive analysis may lead to one conclusion while memory analysis leads to quite another. This class focuses on the use of freeware and open source tools to perform advanced memory analysis. Students will also be taught the concepts necessary to extend these tools, or build new ones, where the existing toolset does not meet all the needs of a particular incident. This course builds on the student’s existing skills in reverse engineering, malware analysis, and programming.
Hunting with MIR®
This two-day training takes place on November 7-8 from 8:30am - 5:00pm each day.
This course represents the most advanced MIR training available. The course material moves beyond finding known IOCs to finding and identifying unknown malicious activity lurking in a network. Students will focus on understanding the underlying needs of attackers in order to identify hidden evidence of attacker activity using MIR and other security tools.
After completing this training, students will be able to:
Understand attacker needs and how this drives their activities
Use “stacking” techniques to identify anomalies in hosts
Leverage intelligence to locate attacker activity
Understand numerous approaches to finding covert malicious activity
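"Stacking" in the list above is least-frequency-of-occurrence analysis: collect one attribute (an executable path, a file hash, a service name) from every host in an enterprise sweep, count how many hosts each distinct value appears on, and look at the rarest values, because a legitimate binary tends to be everywhere and an attacker's tool tends to be on one or two machines. The following is an added example written for this page; it is not Mandiant course material and not MIR's own code. The record layout (hostname, image path, MD5) and the sample data are constructed. It also goes slightly beyond plain counting: it normalizes Windows paths (case, per-user profile directories) so equivalent entries stack together, and it flags a filename that lives in more than one directory, the classic "svchost.exe outside System32" masquerade.

```python
"""Least-frequency-of-occurrence ("stacking") over per-host process listings.

Added example, not Mandiant's or MIR's code. The input layout and the
sample data below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: (hostname, image path, md5) as a sweep of four
# workstations might return them. Legitimate binaries appear on every host;
# the planted outliers are a svchost.exe in a roaming profile and a one-off
# binary in C:\Windows\Temp.
RECORDS = [
    ("WS01", r"C:\Windows\System32\svchost.exe", "1f2a"),
    ("WS01", r"C:\Windows\explorer.exe", "8c3d"),
    ("WS01", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", "ee07"),
    ("WS02", r"C:\Windows\System32\svchost.exe", "1f2a"),
    ("WS02", r"C:\Windows\explorer.exe", "8c3d"),
    ("WS02", r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe", "ee07"),
    ("WS02", r"C:\Windows\Temp\update.exe", "d00d"),
    ("WS03", r"C:\WINDOWS\system32\svchost.exe", "1f2a"),  # case differs on purpose
    ("WS03", r"C:\Windows\explorer.exe", "8c3d"),
    ("WS03", r"C:\Users\carol\AppData\Local\Google\Chrome\Application\chrome.exe", "ee07"),
    ("WS03", r"C:\Users\carol\AppData\Roaming\svchost.exe", "bad1"),
    ("WS04", r"C:\Windows\System32\svchost.exe", "1f2a"),
    ("WS04", r"C:\Windows\explorer.exe", "8c3d"),
    ("WS04", r"C:\Users\dave\AppData\Local\Google\Chrome\Application\chrome.exe", "ee07"),
]


def normalize_path(path):
    """Lower-case the path and collapse C:\\Users\\<name>\\ to C:\\Users\\*\\.

    Windows paths are case-insensitive, and per-user install locations differ
    only by the profile name, so without this step every host's Chrome would
    look like a unique (and therefore "suspicious") entry.
    """
    parts = path.lower().replace("/", "\\").split("\\")
    if len(parts) > 2 and parts[1] == "users":
        parts[2] = "*"
    return "\\".join(parts)


def by_path(rec):
    return normalize_path(rec[1])


def by_hash(rec):
    return rec[2]


def stack(records, key=by_path):
    """Map each distinct key value to the set of hosts it was observed on."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[key(rec)].add(rec[0])
    return hosts


def outliers(records, max_hosts=1, key=by_path):
    """Return (value, sorted hosts) for values seen on at most max_hosts hosts,
    rarest first. These are the entries an analyst reviews by hand."""
    stacked = stack(records, key)
    rare = [(k, sorted(v)) for k, v in stacked.items() if len(v) <= max_hosts]
    return sorted(rare, key=lambda kv: (len(kv[1]), kv[0]))


def path_collisions(records):
    """Return filenames that occur in more than one directory across the fleet.

    A well-known system binary name appearing in a second location is a
    frequent masquerading technique and stacks poorly by full path alone
    when the attacker uses the same bogus path on many hosts."""
    dirs = defaultdict(set)
    for rec in records:
        parts = normalize_path(rec[1]).split("\\")
        dirs[parts[-1]].add("\\".join(parts[:-1]))
    return {name: d for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    for value, hosts in outliers(RECORDS):
        print(f"rare path  {value}  on {hosts}")
    for value, hosts in outliers(RECORDS, key=by_hash):
        print(f"rare hash  {value}  on {hosts}")
    for name, d in path_collisions(RECORDS).items():
        print(f"name collision  {name}  in {sorted(d)}")
```

On the constructed data the path stack surfaces the roaming-profile svchost.exe and the Temp binary, the hash stack surfaces the two hashes unique to one host, and the collision check reports that svchost.exe lives in both System32 and a user's AppData\Roaming. On a real sweep the rare tail is much longer (one-off admin tools, per-department software), which is why stacking is a triage aid rather than an alert: raise max_hosts until the list is reviewable and combine it with the intelligence-led checks the course lists alongside it.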
Enterprise Incident Response
This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. Completely redeveloped with all-new material in 2012, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
Students must bring a laptop or virtual machine running Windows 7 (32- or 64-bit). Students must possess Administrator rights on the system they will use during class and must be able to install software provided on a USB device.
Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.
UNIX and Windows Investigations
Attacks against systems running the Windows family of operating systems continue to increase in frequency and sophistication. In order to respond effectively to the escalating threat, organizations must have skilled information security staff able to rapidly detect and remove threats. Mandiant developed the Windows Investigations course to give information security personnel the fundamental skills needed to quickly identify and eliminate sophisticated threats targeting Windows operating systems. The course is based on the real-world experience of Mandiant consultants who have years of experience combating these types of attacks. The course includes relevant case studies and reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.
Attacks against systems running variants of the UNIX operating system are on the rise. In order to respond effectively to the escalating threat, organizations must have skilled information security staff able to rapidly detect and remove threats. Mandiant developed the UNIX Investigations course to give information security personnel the fundamental skills needed to quickly identify and eliminate threats targeting UNIX and UNIX-like operating systems. The course is based on the real-world experience of Mandiant consultants who have years of experience combating these types of attacks. The course reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.
Introduction to Linux for Security Professionals
The Mandiant Linux for Security Professionals course introduces information security professionals to the Linux operating system and helps prepare them to conduct investigations in a UNIX environment. The course follows the “learn by doing” philosophy. Students perform Linux/UNIX commands and discover how the operating system functions. Attendees will primarily operate in the command line environment. The course includes relevant case studies and reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.