Incident Response and Network Forensics Training Boot Camp

Day 1

Plan

• Incident response planning fundamentals
• Building an incident response kit
• Incident response team components
• IR toolkits and appropriate implementation
• Threat Intelligence
• Cyber Kill Chain
• Agent-based IR

Identify

• Indications of an incident
• Triage
• Critical first steps
• Understanding chain of custody

Contain

• Documentation
• Written documentation and supporting media evidence
• Identification methods
• Isolation technical procedure best practices
• Containment
• Quarantine considerations for business continuity

Eradicate

• Eradication testing and the QA role
• Incremental backup compromise detection
• Operating system rebuilds

Recover

• Stakeholder identification in recovery process
• Post incident heightened monitoring tasks
• Special actions for specific incident types
• Incident record keeping
• Lessons learned

Constructing your live incident response toolkit

• Trusted command shells – Windows/Linux
• Remote shells
• PsExec vs PowerShell

Day 2
Event/incident detection

• Develop an incident response strategy and plan
• Limit incident effect and repair incident damage
• Perform real-time incident response tasks
• Determine the risk of continuing operations
• Spearphishing and APT attacks

Sources of network evidence

• 3 evidence collection modalities
• Persistence checks
• Sensors
• Evidence acquisition
• Forensically sound collection of images

TCP reconstruction

• TCP session reconstruction
• Payload reconstruction
• Encapsulation methods
• tcpdump/Wireshark
• Working with pcap files
• Wireshark filtering
• Identify missing data
• Identify sources of information and artifacts
• Packet analysis

Flow analysis

• nfcapd and nfdump
• nfsen
• SiLK
• Flow record export protocols
• Network file carving
• Encrypted flow analysis
• Anomalous behavior analysis
• Flow data points

NIDS/NIPS

• Snort
• Snort rule configuration
• Collect incident data and intrusion artifacts

Log analysis

• Syslog server
• Syslog protocol format
• Event investigation
• Microsoft event log
• Event viewer
• Modeling analysis formats
• HTTP server logs
• Apache vs IIS
• Header analysis and attack reconstruction

Firewall log investigation

• Log formats
• iptables and packet flow

Log aggregation

• SIEM tools
• Splunk architecture

Day 3
Triage & analysis

• Categorizing events
• Developing standard category definitions
• Perform correlation analysis on event reports
• Event affinity
• Prioritize events
• Determining scope, urgency, and potential impact
• Assign events for further analysis, response, or disposition/closure.
• Determine cause and symptoms of the incident

Network artifact discovery

• Network forensics with Xplico

DNS forensics and artifacts

• DNS tunneling
• Fast flux forensics

NTP forensics and artifacts

• Understanding NTP architecture
• NTP analysis
• NTP usage in timeline analysis and log monitoring
• Protocol inspection

HTTP forensics and artifacts

• Artifact discovery
• Request/response architecture
• HTTP field analysis
• HTTP web services
• AJAX
• Web services

HTTPS and SSL analysis

• Artifact from secure negotiation process
• Other non HTTPS SSL analysis

FTP and SSH forensics

• Capture and inspection
• SFTP considerations

Email protocol artifacts

• SMTP vs POP vs IMAP artifacts
• Adaptations and extensions
• Microsoft Protocols
• Architecture and capture
• Exchange considerations
• SMB considerations
• Cloud email forensics

Wireless network forensics

• Wireless monitoring and capture methodologies
• Understanding Wi-Fi common attacks
• WEP vs WPA vs WPA2
• Wi-Fi security compromise analysis

Perform vulnerability analysis

• Determine the risk, threat level or business impact of a confirmed incident.

Day 4
Timeline analysis

• Timeline reconstruction
• Benefits of structured timeline analysis
• Required pre-knowledge
• Pivot point analysis
• Contexting with incomplete data
• Enter information into an operations log or record of daily operational activity.
• Filesystem considerations
• Time rules
• Using Sleuthkit and fls
• Program execution file knowledge
• File opening and file deletion
• log2timeline
• log2timeline input and output modules
• Using l2t_process for filtering

Volatile data sources and collection

• System memory acquisitions from Windows systems
• 64 bit Windows memory considerations
• Page File analysis
• Hibernation file analysis
• Identify rogue processes
• DLL analysis
• Handle discovery and analysis
• Code injection artifacts
• Rootkit indicators
• Correlation with network artifacts
• Volatility walk-through
• Redline analysis
• Volatility basics
• Volatility case study
• Advanced malware hunting with Volatility
• Examine Windows registry in memory
• Investigate windows services
• Cached files in RAM
• Credential recovery in RAM

Day 5
Incident response

• Defensive review and recommendations
• Improving defenses
• Secure credential changing process and monitoring
• Increased monitoring period – when and how long
• Validate the system
• Identify relevant stakeholders that need to be contacted
• Communications about an organizational incident
• Appropriate communications protocols and channels
• Coordinate, integrate and lead team responses with other internal groups
• Provide notification service to other constituents
• Enable constituents to protect their assets and/or detect similar incidents.
• Report and coordinate incidents with appropriate external organizations
• Liaison with law enforcement personnel
• Track and document incidents from initial detection through final resolution.
• Assign and label data according to the appropriate class or category of sensitivity
• Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
• Perform risk assessments on incident management systems and networks
• Run vulnerability scanning tools on incident management systems and networks