NETWORK FORENSICS: CONTINUOUS MONITORING AND INSTRUMENTATION
Overview
An employee clicks on a link in a phishing email. A worm propagates through your network, undetected. A keystroke logger listens quietly, exporting passwords once a week. How can you make sure you're not the next organization in the papers? Better firewall rules? A newer generation IDS? Faster updating for A/V signatures? We all know none of these is the right solution by itself. The future of defense is practical network monitoring and forensics.
From the author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012) comes Network Forensics: Continuous Monitoring and Instrumentation. This fast-paced, intensive class includes traffic and flow record analysis, cloud-based network forensics, next-generation firewall, DLP and SIEM analysis, wireless and mobile network forensics, and malware network behavior analysis all packed into a dense 4 days, with hands-on technical labs throughout the class.
Catch an intellectual property theft in action based on flow record analysis alone then, peek inside the packet capture and carve out the sensitive proprietary data. Analyze a real-world cloud-based attack and track down the source of stolen administrator credentials. Correlate evidence from a DLP solution, firewall, and domain controller, and use it to find a malicious insider engaged in database exfiltration. Detect an APT using scalable network forensics correlation techniques, and trace the attack back to the first infected "patient zero" on your network.
This class is newly updated to include scalable network monitoring architectures, large-scale analysis techniques, strategies for centralizing network-based evidence using SIEM systems, and automatic correlation of many network- and endpoint-based evidence sources.
Forensic investigators must be savvy enough to find network-based evidence, preserve it and extract the evidence in a scalable way. Network Forensics will teach you to how to follow the attacker's footprints and efficiently analyze evidence from the network environment. Every student will receive a fully-loaded, bootable forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.
This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.
Who Should Take this Course
- Information security professionals with some background in hacker exploits, penetration testing, and incident response
- Incident Response Team Members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases
- Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.
- Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics
- Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations
- Anyone with a firm technical background who might be asked to investigate a data breach incident, intrusion case, or investigates individuals that are considered technical savvy
Student Requirements
Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.
What Students Should Bring
Students must bring a laptop with at least 4GB of RAM, a DVD drive, a USB port, and the latest version of VMWare Workstation or Player preinstalled and licensed (evaluation licenses are available from VMWare's web site).
What Students Will Be Provided With
Lab workbook
DVD/USBs containing lab exercises
Trainers
Sherri Davidoff is the CEO of LMG Security and the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). She has fifteen years of experience as a cyber security professional, specializing in digital forensics, penetration testing and security awareness training. Sherri has authored courses for the SANS Institute and Black Hat, and conducted onsite security training for the Department of Defense, Google, Comcast, Los Alamos National Laboratories, and many other organizations. She is a faculty member at the Pacific Coast Banking School and adjunct faculty at the University of Montana, where she teaches cybersecurity classes. Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.
David Harrison is a Senior Security Consultant with LMG Security. He is the co-author of the "Network Forensics: Continuous Monitoring and Instrumentation" course, and an instructor at the global Black Hat security conferences. David has extensive experience conducting incident response and complex forensics investigations, including large-scale ransomware infections, HIPAA data breaches, and intellectual property theft. He is the co-inventor of the "Do-It-Yourself Cellular Intrusion Detection System," an open-source project designed to detect infected smartphones on a network. David specializes in mobile device forensics, network forensics and scalable log analysis solutions, and is a GIAC Certified Forensic Analyst (GCFA).
