Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. Completely redeveloped with all-new material in 2013, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
THE COURSE IS COMPRISED OF THE FOLLOWING MODULES, WITH LABS INCLUDED THROUGHOUT:
The Incident Response Process: An introduction to the targeted attack lifecycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.
Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.
Investigating Lateral Movement: An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
Persistence: Analysis of advanced persistence mechanisms, such as DLL search order hijacking; introduction to user-land and kernel root kits; alternative remote-access mechanisms exploited by attackers.
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace is intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments, and penetration testing, or even security architecture and system administration duties. It is also well-suited for those managing CIRT / incident response teams, or in roles that require oversight of forensic analysis and other investigative tasks.
Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.
Laptop or virtual machine running Windows 7 (32 or 64-bit). Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.
Jeff Hamm has been employed with Mandiant since 2010 and is a Principal Consultant where he conducts forensic examinations and incident response. Response and examinations range from a single host to over 100,000 hosts on a network. He also works part-time as an adjunct lecturer at Gjovik University College in Gjovik, Norway since 2011. There he provides intense practical labs based on real world computer forensic incidents using both Windows and Linux servers and attacker systems. He was a Deputy with the Oakland County Sheriff's Office in the State of Michigan, USA for over 11 years. He worked four years with the Sheriff's Office as a Computer Crimes Detective and Forensic Examiner and three years as a first-line supervisor (Sergeant). Jeff has significant experience in the computer forensic field and obtained his CFCE (Certified Computer Forensic Examiner) in 2003. He obtained his ACE (AccessData Certified Examiner) in 2008, his EnCE (EnCase Certified Examiner) in 2010, and his GCFA (GIAC Computer Forensic Analyst) in 2010. He has been instructing in the field of computer forensics since 2004 at IACIS (The International Association of Computer Investigative Specialists).
Christopher Glyer is a Technical Director at Mandiant with over ten years of experience in computer and information security. Mr. Glyer leads Mandiant investigative teams performing enterprise-wide incident response and forensic analysis for global companies possessing tens of thousands of computer systems throughout the world. Mr. Glyer has significant experience working with the defense industrial base, financial industry, manufacturing industry, technology industry, pharmaceutical industry, and Fortune 500 companies. Mr. Glyer helps define feature, architecture, and design requirements for Mandiant's enterprise investigative tools including Mandiant Intelligent Response (MIR). He routinely trains both commercial and federal professionals on computer forensics and incident response including teaching Mandiant's Incident Response - Black Hat Edition course.
Tyler Oliver is a consultant as part of the Security Consulting Services division of Mandiant. Mr. Oliver has been involved in information security for over six years specializing in digital forensics and large-scale incident response. At Mandiant, Mr. Oliver is regularly involved in leading and investigating incidents around the globe. Mr. Oliver has been involved with a large number of investigations relating to targeted and financially motivated attackers over the past 4 years. In addition to this, Mr. Oliver actively performs penetration tests and vulnerability assessments using intelligence gathered during investigations.
