On This Page

Data Breaches: Detection, Investigation and Response

Sherri Davidoff, LMG Security | August 4-5 & August 6-7


Mega-breach or minor incident? The difference is in the speed of detection, effectiveness of containment, and accuracy of scoping. IT and security professionals are on the front lines.

In this technical, hands-on class, we'll dig into different types of breach scenarios, including cloud account breaches (using Office365 as an example), internal compromise, lost/stolen device, and ransomware. Learn strategies for detection and evidence preservation, and techniques for quickly scoping/containing a breach. Each module includes a hands-on lab where you analyze and scope the breach.

We will begin by examining a transit system breach which lurked undetected for years, illustrating how a minor mistake, left unchecked, can spiral out of control. Next, we'll dig into data breach detection and reporting statistics, and examine factors which make certain types of breaches easier to detect than others.

Cloud account breaches became an epidemic in 2017, often motivated by attackers hungry for financial data. We'll investigate an Office365 data breach, including cloud evidence preservation, containment and scoping strategies.

From there, we will dissect two types of internal compromises: phishing and perimeter breaches. In each case, we will conduct a full review of the internal environment, identify types of evidence for preservation, containment strategies, and methods for tracking the compromise through your internal environment. Along the way, we'll show common "gotchas" that can dramatically affect data breach investigations, such as the use of public malware analysis services that can reveal internal information about your infrastructure.

Lost/stolen device incidents are all-too-common triggers for data breach crises. If you detect and respond quickly, however, even seemingly clear-cut cases like these can be minimized. We'll review common questions that come up in lost/stolen device cases, and show you strategies that can help you narrow down the scope.

Finally, ransomware is on the rise. We will study a Cryptolocker ransomware case, which led to a data breach, and identify early actions that could have avoided a breach or minimized the notification. We will compare and contrast the two types of ransomware cases (confidentiality vs. availability). Early on in ransomware cases, operational issues often trump evidence preservation, which can lead to far bigger data breach problems down the road. Learn strategies for preserving evidence early on in ransomware cases, in order to minimize the potential impact down the road.

Payment card data, HIPAA/HITECH information, and personally identifiable information (PII) are three core types of data that can trigger a breach. We will study each of these classes of information, and discuss how technical analysts can help gather evidence and respond most effectively in each case.

The capstone of the class is an interactive tabletop exercise. Imagine that your organization is infected with the Maktub ransomware—and then the media starts calling because data has been leaked on Pastebin. We'll assign roles and walk through a multicomponent incident, with curve balls along the way.

Every day, another data breach hits the news. Early detection and effective technical response are critical. This intensive, engaging class will give you plenty of "war stories" to share, and hands-on experience in data breach scoping and response.

Who Should Take this Course

Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics
Incident Response Team Members who are responding to complex security incidents/intrusions
Law enforcement officers, federal agents, or detectives who may be involved in data breach investigations, or who wish to expand their investigative skill set
Networking professionals who would like to branch out into data breach management/network forensics in order to understand information security implications and work on investigations
Anyone with a firm technical background who might be asked to investigate a data breach incident

Student Requirements

Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

What Students Should Bring

Students must bring a laptop with at least 4GB of RAM, a USB port, and the latest version of VMWare Workstation or Player preinstalled and licensed (evaluation licenses are available from VMWare's web site).

What Students Will Be Provided With

Lab workbook
USBs containing lab exercises


Sherri Davidoff is the CEO of LMG Security and the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). She has sixteen years of experience as a cyber security professional, specializing in digital forensics, penetration testing and security awareness training. Sherri has authored courses for the SANS Institute and Black Hat, and conducted security training for the American Bar Association, Department of Defense, Google, Comcast, Los Alamos National Laboratories, and many others. She is a faculty member at the Pacific Coast Banking School, where she teaches cybersecurity classes. Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.