Enterprise-Class Incident Response & Threat Hunting
Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to be handled one machine at a time. Using example tools built to operate at enterprise scale, students learn techniques for collecting focused data for incident response and threat hunting, and dig into analysis methodologies that offer multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems. (Online classes available)
Course Key Learnings
- Understand when incident response requires in-depth host interrogation or light-weight mass collection
- Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
- Collect host- and cloud-based forensic data from large environments
- Discuss best practices for responding to incidents in the Azure, M365, and AWS cloud platforms
- Learn analysis techniques for responding to Linux and Mac operating systems
- Analyze containerized microservices such as Docker containers
- Correlate and analyze data across multiple data types and machines using a myriad of analysis techniques
- Conduct analysis of structured and unstructured data to identify attacker behavior
- Enrich collected data to identify additional indicators of compromise
- Develop IOC signatures and analytics to expand searching capabilities and enable rapid detection of similar incidents in the future
- Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling
Business Takeaways
- Reduce financial and reputational impact of a breach by more efficiently and precisely managing the response
- Learn IR management techniques that optimize resource usage during an investigation
- Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
- Understand and hunt for techniques attackers use to hide from EDR and application control tools on Windows systems
- Learn analysis techniques for responding to compromised Linux and macOS systems
- Be able to respond and analyze containerized microservices such as Docker containers
- Discuss best practices for responding to the most popular cloud environments – specifically Microsoft 365/Azure AD and AWS
Course Content:
Module 1: Proactive Detection and Response
Overview
The Enterprise-Class Incident Response & Threat Hunting course begins with a discussion of current cyber defense concerns and how incident responders and threat hunters can take a more active role in detection and response. Collaboration within the team and with the wider community is a focus, as we look to incorporate shared knowledge from sources such as the MITRE ATT&CK(R) framework. We also discuss taking an active defense approach to slow attackers and facilitate detection. Specific to active detection, the use of honeypots, honey tokens, and canaries is covered, along with ways to deploy them opportunistically. This type of tripwire in the network gives defenders and responders the visibility they need to find and respond to intrusions quickly.
Module 2: Scaling Response and Analysis
Overview
Module 2 pivots directly from Module 1 as we continue to move into response mode. We begin collecting evidence at scale to scope a potential intrusion against our example company, Stark Research Labs (SRL). SRL has Endpoint Detection and Response (EDR) tooling in place, and we leverage that data to assist with scoping. However, attackers sometimes bypass or otherwise subvert EDR technology, so common bypass techniques are discussed. This gives students both an awareness of EDR limitations and training to look for anomalous activity within the EDR log data.
Exercises
- Analyzing Sysmon telemetry and log events for incident scoping/identification
- Deploy a small Velociraptor client-server environment and perform a hunt for artifacts generated from threat emulation tools
- Configure Elasticsearch and Kibana in the FOR608 “SIFT” Linux VM. Ingest and analyze data from Velociraptor, Kansa, and Log2timeline.
- Acquire forensic triage images using Velociraptor and CyLR. Use automation techniques to rapidly process results for timeline analysis.
Topics
- EDR and EDR Bypass
  - Analyzing Sysmon telemetry and log events for incident scoping/identification
  - Create custom, incident-focused Sysmon configuration files
  - Discuss attacker techniques for subverting and bypassing EDR tooling
- Scaling Incident Response with Velociraptor
  - Describing the various use cases for Velociraptor
  - Learn to customize Velociraptor Query Language (VQL) analyzers (“artifacts”)
  - Rapidly deploying Velociraptor in a client-server configuration
  - Performing hunts and acquiring forensic evidence
  - Using Velociraptor notebooks for effective post-processing and analysis
  - Export results to Elasticsearch, Splunk, or CSV flat-files for external analysis
- Scaling Analysis with ELK
  - Utilize the ELK stack (aka Elastic Stack) to ingest and analyze logs
  - Ingest structured and freeform data types into ELK
  - Use dashboards, histograms, graphs, and saved searches to locate attacker TTPs quickly
- Rapid Response Triage
  - Utilize CyLR and Velociraptor to quickly acquire forensic artifacts from Windows, Linux, and Mac
  - Create custom acquisition packages for Velociraptor
  - Post-process results for timeline analysis using Timesketch, Elasticsearch, or CSV files
Module 3: Modern Attacks Against Windows and Linux DFIR
Exercises
- Detecting LOLBAS activity
- Linux web log analysis
- Triaging Linux
Topics
- Modern Attacks Against Windows
  - Fileless malware in the wild
  - Common “LOLBAS” activity, including precursors to ransomware attacks
  - Hunting amongst the noise for suspicious “LOLBAS” usage
- Introduction to Linux
  - History of Linux
  - Ubiquitous nature of Linux
  - Challenges organizations face with managing, securing, and monitoring Linux systems
- Modern Attacks Against Linux
  - Exploiting vulnerable applications or operating system services
  - How misconfigurations or unpatched services lead to successful attacks
  - Attacker techniques for accomplishing the attack lifecycle, including privilege escalation, persistence, lateral movement, and exfiltration
- Linux DFIR Fundamentals
  - Understanding primary differences in file systems
  - EXT3, EXT4, XFS file system overviews
  - Understanding the Logical Volume Manager (LVM2)
  - Available timestamps in Linux file systems (comparing EXT3, EXT4, XFS, Btrfs, ZFS)
  - Typical Linux file system directory hierarchy
- Linux Log Analysis
  - Common logs and locations
  - IR strategy for log analysis
  - Reviewing logon activity
  - Mining application logs for suspicious events
- Linux Triage Collection and Forensic Readiness
  - Collecting key configuration files
  - Collecting artifact-rich logs
  - Scripting collection for simplicity and consistency
  - Hardening Linux configurations
  - Improving audit policies
  - Adding endpoint security tooling
Module 4: Analyzing macOS and Docker Containers
Overview
By this point in the course, students have undertaken a wide range of tasks, including collection of host-based data, deployment of live-response tools to catch attackers “in the act”, and use of “big-data” analysis platforms to find suspicious activity at scale. Students have also taken a deep dive into the Linux operating system and learned important ways to respond to the inevitable attacks against these systems.
Exercises
- Mount and analyze APFS disk images
- Review macOS artifacts and logs
- Docker administration and logs
- Docker triage and IR
Topics
- macOS Foundations
  - A history of Apple operating systems
  - Apple in the enterprise
- Apple Filesystems
  - APFS characteristics
  - macOS timestamps
  - macOS file & directory structure
  - Key file types such as Property List (.plist) files
- Mac Incident Response
  - Challenges with forensic acquisitions
  - Options for mounting disk images
  - Profiling users and system configurations
  - Review common persistence methods
  - Log analysis for macOS
  - Scripting live triage acquisitions
- Containers in the Enterprise
  - Conceptual overview of containers
  - Introduction to Docker
  - Attacks against containers
  - Forensic challenges
- DFIR for Containers
  - Metadata collection and analysis
  - Using snapshots to save containerized files
  - Log analysis for Docker
  - Gather ephemeral data
  - Review image files and history
Module 5: Cloud Attacks and Response
Overview
This module focuses on responding to incidents in the major cloud platforms from Microsoft and Amazon. Although the analysis focuses on those platforms, we cover log analysis techniques, architecture designs, and automation initiatives that can be applied to almost any cloud provider. We also cover attacks launched from cloud environments and the artifacts that may be left behind in such cases.
Exercises
- M365 log analysis
- Finding attacker cloud exfil infrastructure
- AWS CloudTrail log analysis
- AWS VPC Flow log analysis
Topics
- DFIR in the Cloud
  - Cloud service models (IaaS, PaaS, SaaS)
  - Cloud forensics vs. traditional forensics
  - MITRE ATT&CK(R) Cloud Matrix
- Incident Response in Azure & M365
  - M365/O365 SaaS offerings
  - Azure IaaS and PaaS platform
  - Azure AD architecture
  - Common attack scenarios
  - Important log sources & log extraction
  - Investigating suspicious user logons and email activity
  - Securing M365 & Azure
- Attackers in the Cloud
  - Investigating attacks that leverage the cloud
  - Discover host-based artifacts from attacker’s cloud infrastructure
- AWS Foundations
  - Organizational and account hierarchy
  - AWS Identity and Access Management (IAM)
  - Authentication and identity types
  - AWS regions and API endpoints
  - AWS computing, storage, and networking constructs
- Incident Response in AWS
  - Leveraging the AWS Incident Response Guide
  - AWS incident domains
  - Critical log sources such as CloudTrail and CloudWatch
  - Threat detection and response services such as GuardDuty and Detective
  - Network analysis with VPC flow logs and traffic mirroring
  - Architecting for analysis in the cloud
  - Acquiring logs and snapshots
  - Planning and practicing likely scenarios
- IR Automation in AWS
  - Identifying tasks for automation
  - Using AWS VM templates (AMIs) for quick response
  - Leveraging AWS Lambda and Step Functions for automation and orchestration
Course Prerequisites
Students must have multiple years of DFIR experience and/or have taken classes such as:
- (Windows Forensics Analysis), and/or
- (Advanced Digital Forensics, Incident Response, and Threat Hunting)
International Student Fee: 950 US$
Flexible Class Options
- Week End Classes For Professionals SAT | SUN
- Corporate Group Trainings Available
- Online Classes – Live Virtual Class (L.V.C), Online Training