Advanced Enterprise Incident Response

Course Description

This five-day course teaches advanced investigative techniques to incident responders on the frontline to help identify and scope intrusions by government, financial and political threat groups. The course includes a series of hands-on exercises which will allow the student to explore the foundations of what they have learnt and expand on them, directly applying techniques to real world scenarios. Students will learn how to identify, detect and hunt for advanced techniques, defeating malware obfuscation and applying hunting techniques at scale across both traditional endpoint, and cloud based infrastructure. The course covers historic and live attacker scenarios, and techniques that the defender can use during an active firefight to mitigate potential losses for the company.

Course Learning Objectives

• Use ATT&CK framework to guide strategic security decisions for the organization
• Summarize the steps of the Incident Response Process
• Determine how to effectively communicate incident information to leadership and others within your organization
• Demonstrate understanding on advanced techniques used by threat actors
• Discuss non-conventional implant deployment techniques which we come across when facing advanced APT threat actors but are rarely seen leveraged by less sophisticated groups
• Recognize when obfuscation is in use
• Summarize what YARA is and how to develop a YARA rule
• Discover the layout of common memory structure and common memory attack methods
• Explain the pros and cons of different analysis tools
• Provide an overview of the available evidence sources, how to collect evidence, common investigative scenarios and available tools for data analysis and investigation
• Highlight the difference in tempo required when dealing with Live Attackers and the implications to the organization and coordination of the IR team

Delivery method

In-classroom instructor-led training

Duration

• 5 days (in-person delivery)