Incident Response and Network Forensics Training Boot Camp

Course Outline

Day 1 - The Incident Response Process

Plan

• Incident response planning fundamentals
• Building an incident response kit
• Incident response team components
• IR toolkits and appropriate implementation
• Threat Intelligence
• Cyber Kill Chain
• Agent-based IR

Identify

• Indications of an incident
• Triage
• Critical first steps
• Understanding chain of custody

Contain

• Documentation
• Written documentation and supporting media evidence
• Identification methods
• Isolation technical procedure best practices
• Containment
• Quarantine considerations for business continuity

Eradicate

• Eradication Testing and the QA role
• Incremental backup compromise detection
• Operating system rebuilds

Recover

• Stakeholder identification in recovery process
• Post incident heightened monitoring tasks
• Special actions for specific incident types
• Incident record keeping
• Lessons learned

Constructing your Live Incident Response Toolkit

• Trusted command shells – Windows/Linux
• Remote shells
• Psexec vs powershell

Day 2

Event/Incident Detection

• Develop an incident response strategy and plan
• Limit incident effect and repair incident damage
• Perform real-time incident response tasks
• Determine the risk of continuing operations
• Spear phishing and APT attacks

Sources of Network Evidence

• 3 evidence collection modalities
• Persistence checks
• Sensors
• Evidence acquisition
• Forensically sound collection of images

TCP Reconstruction

• TCP session reconstruction
• Payload reconstruction
• Encapsulation methods
• tcpdump/Wireshark
• Working with pcap files
• Wireshark filtering
• Identify missing data
• Identify sources of information and artifacts
• Packet analysis

Flow analysis

• nfcapd and nfdump
• nfsen
• SiLK
• Flow record export protocols
• Network file carving
• Encrypted flow analysis
• Anomalous behavior analysis
• Flow data points

NIDS/NIPS

• Snort
• Snort rule configuration
• Collect incident data and intrusion artifacts

Log analysis

• Syslog server
• Syslog protocol format
• Event investigation
• Microsoft event log
• Event viewer
• Modeling analysis formats
• HTTP server logs
• Apache vs IIS
• Header analysis and attack reconstruction

Firewall log investigation

• Log formats
• iptables and packet flow

Log aggregation

• SIEM tools
• Splunk architecture

Day 3

Triage & Analysis

• Categorizing events
• Developing standard category definitions
• Perform correlation analysis on event reports
• Event affinity
• Prioritize events
• Determining scope, urgency, and potential impact
• Assign events for further analysis, response, or disposition/closure.
• Determine cause and symptoms of the incident

Network artifact discovery

• Network forensics with Xplico

DNS forensics and artifacts

• DNS tunneling
• Fast flux forensics

NTP forensics and artifacts

• Understanding NTP architecture
• NTP analysis
• NTP usage in timeline analysis and log monitoring
• Protocol inspection

HTTP forensics and artifacts

• Artifact discovery
• Request/response architecture
• HTTP field analysis
• HTTP web services
• AJAX
• Web services

HTTPS and SSL analysis

• Artifact from secure negotiation process
• Other non HTTPS SSL analysis

FTP and SSH forensics

• Capture and inspection
• SFTP considerations

Email protocol artifacts

• SMTP vs POP vs IMAP artifacts
• Adaptations and extensions
• Microsoft Protocols
• Architecture and capture
• Exchange considerations
• SMB considerations
• Cloud email forensics

Wireless Network Forensics

• Wireless monitoring and capture methodologies
• Understanding wi-fi common attacks
• WEP vs WPA vs WPA2
• Wi-fi security compromise analysis

Perform vulnerability analysis.

• Determine the risk, threat level, or business impact of a confirmed incident.

Day 4 - The Incident Management Knowledge Base

Timeline Analysis

• Timeline reconstruction
• Benefits of structured timeline analysis
• Required pre-knowledge
• Pivot point analysis
• Contexting with incomplete data
• Enter information into an operations log or record of daily operational activity.
• Filesystem considerations
• Time rules
• Using Sleuthkit and fls
• Program execution file knowledge
• File opening and file deletion
• log2timeline
• log2timeline input and output modules
• Using l2t_process for filtering

Volatile data sources and collection

• System memory acquisitions from Windows systems
• 64 bit Windows memory considerations
• Page File analysis
• Hibernation file analysis

Identify rogue processes

• DLL analysis
• Handle discovery and analysis
• Code injection artifacts 
• Rootkit indicators
• Correlation with network artifacts

Volatility Walk-Through

• Redline analysis
• Volatility basics
• Volatility case study
• Advanced malware hunting with Volatility
• Examine Windows registry in memory
• Investigate windows services
• Cached files in RAM
• Credential recovery in RAM

Day 5

Respond

• Defensive review and recommendations
• Improving defenses
• Secure credential changing process and monitoring
• Increased monitoring period – when and how long
• Validate the system.
• Identify relevant stakeholders that need to be contacted
• Communications about an organizational incident.
• Appropriate communications protocols and channels
• Coordinate, integrate, and lead team responses with other internal groups
• Provide notification service to other constituents
• Enable constituents to protect their assets and/or detect similar incidents.
• Report and coordinate incidents with appropriate external organizations
• Liaison with law enforcement personnel
• Track and document incidents from initial detection through final resolution.
• Assign and label data according to the appropriate class or category of sensitivity
• Collect and retain information on all events/ incidents in support of future analytical efforts and situational awareness.
• Perform risk assessments on incident management systems and networks.
• Run vulnerability scanning tools on incident management systems and networks.

CERT-CSIH Review

• CSIH Domains
• CSIH Practice Exam