About the course
The course consists of recorded video lectures and practical sessions with a trainer. You will receive the lectures for self-study 2 weeks before the course begins, and you will consolidate that knowledge during the practical sessions.
The question is not whether you will experience a cyberattack — the question is when. The warning may sound extreme, but it is becoming more and more relevant with every passing day. This is because the cyber threat landscape is evolving rapidly. Criminals are constantly coming up with new tactics, techniques, and procedures (TTPs), which makes it difficult for information security experts and businesses to keep up. In fact, most companies around the world do not have a suitable incident response strategy or team. And when they do, few team members are aware of the latest attack trends and security techniques.
This three-day intensive course is designed to fill such gaps and provide incident responders with the knowledge and tools they need to rapidly and effectively respond to various security incidents.
Key topics covered:
- Cyber kill-chain and MITRE ATT&CK models
- Incident response process
- Critical sources of evidence
- Data collection techniques
- Windows artifacts for incident response
- Linux artifacts for incident response
Skills acquired:
- Understanding the incident response process
- Collecting relevant data
- Analyzing Windows artifacts
- Analyzing Linux artifacts
Target participants:
- Incident response enthusiasts
- Technical specialists with experience in IS
- Information security specialists
- SOC/CERT employees
Requirements:
- A basic understanding of the incident response process
- Some experience in IS
Course program
Video, theory, demonstration
The video covers the theoretical basics needed in incident response. Participants learn the basic steps of the response process, what kind of team is needed, and how roles and responsibilities are distributed among its members.
Day 1
The first day starts with a discussion of data collection techniques and useful tools. Attendees learn about critical data sources and practice creating triage collections. We then look at how to analyze the collected data, starting with event log analysis. Important event logs are discussed, along with useful events and their interpretation. To reinforce the knowledge gained, participants investigate an incident using event logs. The first day concludes with a discussion of how to work with indicators of compromise and how to create detection rules.
Day 2
On day two, we continue with the analysis of collected data, with a focus on Windows host artifacts. Attendees learn how to investigate the artifacts most often used in incident response and test their skills with a self-paced case study.
Day 3
At the beginning of day three, attendees are given another case to practice their incident response skills. They collect the necessary data, analyze it, reconstruct the attack timeline, and come up with a plan for further action. The final part of the training covers typical incidents involving Linux hosts and the basics of analyzing them.