Incident Response: Black Hat Edition

Kevin Mandia and Kris Harms, MANDIANT

Register Now // jan 31 - feb 1


As the sophistication and threats caused by malicious attacks continue to increase, MANDIANT has raised the bar of effective detection, response, and remediation by introducing our Incident Response (IR) class. This two-day Special Edition class has been specifically designed for information security professionals and analysts who respond to computer security incidents. It is designed as an operational course, using case studies and hands-on lab exercises to ensure attendees are gaining experience in each topic area. Hands on exercises and labs in Windows Intrusion as well as the following topics are covered:

  • The different phases and activities of the IR process
  • The roles and responsibilities of each member of the IR team
  • Create IR checklists and notification lists
  • How to rapidly detect or confirm attacks
  • Finding, reviewing, and interpreting log files
  • Performing live response on a compromised server
  • Learn what volatile evidence is present on a live system before it is powered down
  • Determine the function of unidentified executable processes
  • Detect rootkits, backdoors and trojaned files
  • Interact with rootkits to learn their impact on a live system, and how to respond

What You Will Get:

  • Student Manual
  • Class handouts
  • MANDIANT gear

Who Should Attend the Class:
Information technology staff, information security staff, corporate investigators, or other staff that require an understanding of how networks work, how to capture network traffic, how to investigate network use, how to identify and escalate suspected computer security incidents, and how to safeguard corporate assets via network defense.

Basic knowledge of computer, network, and operating system fundamentals is required.

What to bring:

Students must bring their own Laptop with Windows XP installed and Administrator rights. Be prepared to install software, analyze drive images, and handle malicious code. Laptops should have the following software installed.

  • VMWare Player or Workstation
  • Microsoft Office 2003, 2007 or Open Office 3.0

Students who cannot meet the laptop requirements because of onsite registration or other reasons, please contact MANDIANT at to see if a laptop can be provided for you.


Dan McWhorter is the Director of Professional Education for MANDIANT, responsible for MANDIANT's Professional Education service line. In this role Mr. McWhorter focuses on curriculum development, course delivery, personnel management, and business development. As a MANDIANT consultant, Mr. McWhorter provides analysis for both incident response engagements and proactive assessments.

Prior to joining MANDIANT, Mr. McWhorter was an Assistant Executive Director with ManTech International. Mr. McWhorter has experience supporting, supervising, and leading an elite team of forensic and intrusion engineers, as well as technical managers and administrative personnel.

Mr. McWhorter is a graduate of the National Security Agency's (NSA) three-year Cryptologic Mathematics Program. In addition to completing several mathematics courses during this program, Mr. McWhorter contributed technically to multiple NSA offices.

Mr. McWhorter has worked toward his doctorate in mathematics at the University of North Carolina. He has a Master's of Science in mathematics from the University of Cincinnati, and a Bachelors of Science in mathematics from Mount Union College. Mr. McWhorter has thousands of hours of classroom experience, he has published and presented on numerous technical topics internal to the National Security Agency (NSA), and he has presented at several technical conferences.

Register Button

Super Early:
Ends Nov 15

Ends Dec 1

Ends Jan 30