Ethical/White-hat hacking and IR courses typically teach a large volume of highly technical information in a short time, requiring significant memorization with little or no hands-on experience. Students can quickly become overwhelmed, and once that happens, the learning stops. They leave the course able to “talk the talk” but not always able to “walk the walk”. On top of that, they have paid a hefty price to endure that pain! We take a different approach. Using the latest techniques and methods the hackers use, we dive into the world of Incident Response using a holistic “hands-on” approach. Our series of 7 courses teaches Incident Response from the ground up. For example, “Networking for Incident Response” might sound like something every network administrator has under their belt, but chances are they have never reconstructed what a network looks like and where it is vulnerable from the outside. We look at networking concepts through the eyes of a responder, which builds that skill.
Our instructors come from the industry, where they practice IR on a daily basis. This ensures the material being presented is relevant to what the students will see in the field. It also adds value to the course in that students can ask questions of someone who is “walking the walk”. Classes are conducted in an open format that encourages questions and discussion about workflows and pain points students might experience. We take the time to ensure each student grasps the subject being covered before moving on so that no one is left behind and students can build on previous knowledge as they progress. Students work alongside the instructor in a hands-on, interactive fashion to really drive home the concepts being covered.
Currently, there are 7 courses, which equate to 19 days of training, with additional courses being added as needed.
These courses are the suggested learning path for F.I.R.S.T. Responder certification (Forensic and Incident Response Strategic Training), which will be available in early 2015.
One of the most important skills an incident responder can possess is a strong understanding of networking. The majority of security incidents that occur today have some network component that needs to be effectively evaluated. A strong understanding of network concepts and practical application can help an incident responder discover critical artifacts quickly and efficiently.
This five-day course will help a student gain a solid foundation in networking concepts and skills. Utilizing hands-on training and practical exercises geared toward understanding critical artifacts found within the network, each student will learn the networking skills that can be immediately applied to incident response.
Keep your friends close and your enemies closer. This applies to network attacks and attackers as well. In order to most effectively investigate the compromises that many networks face, it is critical to understand how they are executed in the first place.
This five-day course offers the student the opportunity to learn the concepts behind the major types of attacks that are the most prevalent today as well as the hands-on experience of how these attacks are ultimately executed. Students will also discover the types of artifacts left behind once these attacks are realized.
Artifacts left behind once an attack has been executed within a network environment can be found in many different places and can often seem very random and arbitrary in nature. These artifacts can be given a greater meaning and ultimately tell the entire story of the attack if their events can be correlated and tied together by a common information source. Log files often provide the ‘glue’ that helps put the entire artifact puzzle together.
This one-day course offers the student an introduction to the artifacts that can be found within log files and that provide the information giving incident responders the most complete view of an incident’s events.
As a first responder in an incident response scenario, the collection and analysis of volatile data is critical. One of the most volatile data sources that could provide a great deal of insight into the current breach situation is network traffic. The analysis of network traffic from a compromised network can offer artifacts that range from pointing to the origin of the attack to revealing the overall scope of the incident.
This two-day course will give the student the opportunity to learn different strategies for network traffic capture and packet analysis through hands-on activities and scenarios.
The analysis of volatile data from a system that has been compromised can provide some of the best artifacts during the course of an investigation. If there is something currently running on a system that is malicious in nature, it is running in RAM. An effective analysis of RAM can identify the current compromise of the system and possibly even other systems that may be a part of the incident.
This three-day course will immerse the student in RAM analysis techniques through hands-on exercises and practical scenarios. From RAM capture scenarios and techniques to comprehensive analysis, this class will get the first responder ready to effectively use RAM in an incident response.
You’ve responded to the incident on your network. You have collected all of the critical volatile data and performed analysis. During your investigation, you found a piece of malware on the victim system, but do not quite understand all that it is designed to do. What are the next steps?
This two-day course will help the student understand the concept of building a lab-based sandbox environment that can be used to test and observe many artifacts discovered in a breach. Students will walk away with the knowledge and several tools that will help them build their own sandbox environment.
The analysis of volatile data is critical to any incident response. It is not, however, the only analysis that needs to be completed. The Dead Box Analysis of a compromised system can offer many artifacts that cannot be gained from volatile data analysis activities.
This one-day course will take the student through the critical components of a Dead Box investigation for incident response purposes. Through hands-on activities and scenarios, each student will learn the skills needed to further complete an incident response process.