
Incident response and forensics analysis techniques

This training program is designed to train IT teams in incident response best practices to apply once a security incident has been detected. The course presents the state-of-the-art techniques commonly used by CERT analysts to delimit the impacted perimeter and to identify the cyber criminals' modus operandi, the kill chain and their Tactics, Techniques and Procedures (TTPs) and tools. It details the best practices for collecting evidence and for analyzing system, network and malicious code artifacts in order to identify indicators of compromise, traces of attacks, evidence of exfiltration, installed persistence mechanisms, etc., in compliance with PCI-DSS requirements.

Course overview

  • Understanding the challenges of forensic science
  • Identifying forensic challenges
  • Investigating a cyber attack
  • Collecting evidence
  • Analyzing artifacts
  • Understanding the kill chain
  • Presenting results and the sequence of events
  • Writing a report with a timeline and summary
  • Preparing a list of suitable recommendations
  • Taking a step back from the crisis

Course Curriculum

Introduction

  • Cybersecurity context
  • Some figures around cybercrime
  • Reminder of the concepts of DICT
  • History of forensics from start to digital

Role of CERT

  • Phases of an incident lifecycle
  • Focus on the E3R sequence
  • Roles and responsibilities of incident response teams
  • First-response actions
  • Definition of the scope of intervention (+scoping)
  • Setting Goals

Evidence collection

  • Choice of elements
  • Chain of custody (hash, copy)
  • Online vs. offline collection
  • Disk copy (software vs hardware)
  • Backups

Artifacts Analysis

  • Parsing
  • Processing
  • Identification of suspicious elements
  • Memory Analysis
  • File system analysis
  • Artifact analysis
  • Network communication analysis
  • Malware

Timeline and Collaborative Work

  • Creation of the timeline
  • Working together on the same incident
  • Shared note-taking
  • Sharing the right level of information (pivots / IOCs)
  • Getting organized

Crisis management

  • The main principles
  • Logistics
  • Mistakes not to make
  • The long term
  • Communication
  • Authorities
  • Ransomware RETEX (lessons learned)

Summary of results

  • Writing the investigation report
  • Recommendations
  • Feedback and lessons learned
  • Preserving the evidence
  • Anonymized reports

Method of Assessment

  • Completion of a final online questionnaire covering all the concepts learned.

Training benefits

  • Training provided by a defensive security expert
  • Operational recommendations
  • Practical tools
  • Real-life case studies

Who should attend?

  • IT Team
  • CISO
  • Support team
  • System administrator
  • Network administrator
  • Security Analyst (SOC/CSIRT)

Entry Requirements

  • Computer basics: network (protocols, OSI model, etc.) and system (Linux or Windows, server management, etc.).
  • Knowledge of log analysis (Event ID, network logs, AV)

How and when to access

The participant is considered registered when:

  • The prerequisites and needs are identified and validated
  • The training agreement is signed

Registration requests can be sent up to 10 working days before the start of the training.

Accessibility

Whether you are recognized as having a disability or not, making our training accessible to everyone is part of our commitment.

If you need any compensation or adaptation of the content, the course materials, the venue, the equipment used, the schedule or the pace, we are at your disposal.

Duration

3 days (21 hours)

Financing

OPCO support


Would you like more information?

+33 (0)2 55 59 01 11
