This training program is designed to train IT teams in incident response best practices once a security incident has been detected. The course presents the state-of-the-art techniques commonly used by CERT analysts to delimit the impacted perimeter and to identify the attackers' modus operandi, the kill chain, and their Tactics, Techniques and Procedures (TTPs) and tools. It details the best practices for collecting evidence and for analyzing system, network or malicious-code artifacts in order to identify indicators of compromise, traces of the attack, evidence of exfiltration, installed persistence mechanisms, etc., in compliance with PCI-DSS requirements.
Course overview
- Understanding the challenges of forensic science
- Identifying forensic challenges
- Investigating a cyber attack
- Collecting evidence
- Analyzing artifacts
- Understanding KillChain
- Presenting results and the sequence of events
- Writing a report with a timeline and summary
- Preparing a list of suitable recommendations
- Taking a step back from the crisis
Course Curriculum
Introduction
- Cybersecurity context
- Some figures on cybercrime
- Reminder of the concepts of DICT
- History of forensics from start to digital
Role of CERT
- Phases of an incident lifecycle
- Focus on the E3R sequence
- Roles and responsibilities of incident response teams
- First response actions
- Definition of the scope of intervention (+scoping)
- Setting Goals
Evidence collection
- Choice of elements
- Chain of custody (hash, copy)
- Online vs. offline collection
- Disk copy (software vs hardware)
- Backups
Artifacts Analysis
- Parsing
- Processing
- Identification of suspicious elements
- Memory Analysis
- File system analysis
- Artifact analysis
- Network communication analysis
- Malware
Timeline and Collaborative Work
- Creation of the timeline
- Working together on the same incident
- Shared note-taking
- Share the right level of information (pivots / IOCs)
- Getting organized
Crisis management
- The main principles
- Logistics
- Mistakes not to make
- Managing the long term
- Communication
- Authorities
- Ransomware RETEX (lessons learned)
Summary of results
- Writing the investigation report
- Recommendations
- Feedback and lessons learned
- Respecting the evidence
- Anonymized reports
Method of Assessment
- Completion of a final online questionnaire covering all the concepts learned.
Training benefits
- Training provided by a defensive security expert
- Operational recommendations
- Practical tools
- Real-life case studies
Who should attend?
- IT Team
- CISO
- Support team
- System administrator
- Network administrator
- Security Analyst (SOC/CSIRT)
Entry Requirements
- Computer basics: network (protocols, OSI model, etc.) and system (Linux or Windows, server management, etc.).
- Knowledge of log analysis (Event ID, network logs, AV)
How and when to access
The participant is considered registered when:
- The prerequisites and needs are identified and validated
- The training agreement is signed
Registration requests can be sent up to 10 working days before the start of the training.
Accessibility
Whether or not you are recognized as having a disability, making our training accessible to everyone is part of our commitment.
If you need compensation or adaptation of the content, the supporting materials, the venue, the equipment used, the schedule or the pace, we are at your disposal.
Duration
3 days (21 hours)
Financing
OPCO support