Foundry Capstone

What to expect

This course will put your incident response and coordination skills to the test in a live simulated incident environment. Lectures are minimal; learners will mostly focus on applying their knowledge of cloud and on-premises enterprise threats, exploration and analysis of endpoint detection and response data, live response collection and analysis, network traffic analysis, memory analysis, host forensics analysis, and the use of cloud fly-away kit systems and tools.

The course will cover how to manage large, high-priority incidents more efficiently through data and project management, how to effectively remediate these types of incidents through planning, and how to conduct proactive lessons-learned reviews to better protect against, detect, and respond to incidents in the future.

Learners must understand incident response and have technical ability in core incident response areas such as host forensics, malware analysis, and/or network traffic analysis. Learners should have experience handling an incident and be involved in daily incident response operations.

Audience

  • Incident response team leads
  • Senior incident responders
  • Security operations managers
  • Security operations staff and team leads
  • Managers of CSIRTs and SOCs
  • Reverse engineers and malware analysts
  • Participants who have attended one or more of the Cyber Fire courses and want to apply their knowledge and skills to a simulated incident

Applicability

This class is for incident responders who want to apply, train, and test their knowledge of handling breaches and incidents. Participants will apply what they have learned and already know to a capstone exercise involving a breach of an enterprise spanning hybrid environments. Ideally, participants will have taken all Cyber Fire courses and/or have day-to-day experience in incident response work.

Objectives

  • Apply knowledge of endpoint detection and response data analysis
  • Examine cloud infrastructure logging and configurations to identify compromises
  • Collect and analyze live response data from endpoints to triage for anomalous activity
  • Review network security metadata for signs of unusual activity and incident related data
  • Apply malware analysis techniques to assist in incident response activities
  • Understand best practices of fly-away teams, including personnel, tools, and usage of fly-away kits
  • Effectively share incident and threat information during an incident and apply these concepts
  • Know how to manage tasks and reporting for large incidents
  • Know how to best plan for remediation and recovery from an incident
  • Understand best practices for lessons learned and blameless postmortems

Typical Agenda

Day 1

  • Fly-away kit and teams
  • Overview of using tooling on fly-away kits for fast live response triage
  • How to manage tasks and reporting during an incident
  • Capstone Exercise (working an incident)

Day 2

  • Capstone Exercise (working an incident)

Day 3

  • Capstone Exercise (working an incident)

Day 4

  • Capstone Exercise (working an incident)
  • Learning about containment and remediation best practices
  • Learning from failures and blameless postmortems

Day 5

  • Capstone Exercise (working an incident)
  • Capstone Exercise Outbrief to executives

Setup

We expect learners in the class to have the ability to perform forensic, network, log, and malware analysis, and to have this tooling already set up on the systems they bring to this course. We will provide some centralized logging for analysis, and learners should be familiar with SIEMs such as Splunk and ELK.