Advanced Endpoint Investigations

Advanced Endpoint Investigations w/ Jake Williams or Alissa Torres

Instructor: Jake Williams (Live)
Alissa Torres (On-Demand)
Course Length: 16 Hours
Format: Live Online or On-Demand

Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.

Live Online Class Schedule
Register for On-Demand Training
Advanced Endpoint Investigations

Course Description

For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data. This course focuses on four core investigative competencies: endpoint data collection, investigative triage, incident response pivots, and root cause analysis.

After learning about key endpoint artifact and memory analysis techniques for Windows and Linux, attendees will work through real-world scenarios in hands-on labs. We’ll pivot from initial detection into host triage analysis to discern attackers’ discovery, defense evasion and lateral movement techniques. Attendees will learn to identify key indicators for the generation of high-fidelity detections.

Key Takeaways

Learning Objectives:

  • Gain fundamental knowledge of modern Windows and Linux host artifacts.
  • Explain logical investigative workflows for host pivoting, data collection, and analysis.
  • Develop an understanding of use cases for incident response host pivots and root cause analysis.

Performance Objectives:

  • Develop host triage collection and analysis skills for effective investigations of Windows and Linux systems.
  • Properly identify file system, OS, and memory artifacts to support timeline creation and attack path reconstruction.
  • Build deductive reasoning and investigative prowess through hands-on exercises built around real-world scenarios.

Who Should Take This Course

  • Security Operations/Incident Response Analysts
  • Threat Hunters
  • Tactical Threat Intel Analysts
  • Digital Forensics Investigators
  • Red teamers who want to perfect their operational discipline

Audience Skill Level

  • Basic understanding of Windows and/or Linux OS fundamentals
  • Familiarity with attack path models, threat actor frameworks, and hunt methodologies
  • STUDENT REQUIREMENTS
  • 1-2 years of experience in security operations, incident response, or threat hunting.

System Requirements

  • Stable Internet access
  • x86 architecture CPU clocked at 2 GHz or higher that is capable of nested virtualization
    (Apple Silicon is currently not supported)
  • A computer with at least 8 GB of RAM. 16 GB is recommended
  • VMWare Workstation or VMWare Fusion
    (VirtualBox and other VM software is not supported)
  • Windows 10/11, MacOSX+, or a currently supported Linux Distribution 
  • Full Administrator/root access to your computer or laptop

System must also have at least 80GB of available disk space, 2 vCPUs, and be able to connect to a wireless network for Internet access.

About Antisyphon Training Options

Live Online

Learn via live stream from instructors that are in the field utilizing the techniques they teach. Classes are split into four training days that are each four hours long. Live Online training includes six months access to dedicated class channels in the Antisyphon Discord server, six months access to live class recordings, a certificate of participation, and 12 months complimentary access to the Antisyphon Cyber Range.

On-Demand

Learn at your own pace with access to course content, lectures, and demos in the Antisyphon On-demand learning platform. Most courses are offered with lifetime access to the course and content updates. All On-demand courses include content update alerts, access to dedicated support channels in the Antisyphon Discord server, a certificate of participation, and 12 months complimentary access to the Antisyphon Cyber Range.

Live Training Events

There are no sessions of this course currently on our schedule.

Please keep an eye on the Live Training Calendar page for updates, or Contact Us for a private training session.

Trainer

Jake Williams
Jake Williams

Jake Williams (aka MalwareJake) is a seasoned security researcher with decades of experience in the technology and security. Jake is a former startup founder, former senior SANS instructor and course author, and an intelligence community and military veteran. He loves forensics, incident response, cyber threat intelligence, and offensive methodologies. Today, Jake is an IANS faculty member, an independent security consultant, and is performing security-focused research to benefit the broader community. He has had the honor of twice winning the DoD Cyber Crime Center (DC3) annual digital forensics challenge. You may also remember Jake from one of his many conference talks, webcasts, media appearances, or his various posts about cybersecurity.

Course Author

Alissa Torres

Alissa Torres is passionate about security operations and empowering analysts to succeed in blue team ops. Her professional experience in various security roles over her career includes forensic investigations, enterprise incident response and threat hunting, security services consulting, and incident response management. Alissa currently serves as the Threat Intel manager at Cigna. Having taught as principal faculty for several pivotal cybersecurity training institutions over the last decade, Alissa has engaged hundreds of skilled professionals around the world, growing a legion of artifact hunters who share a common affinity for adversary tracking. An investigator at heart, she frequently shares accounts of her research discoveries and tales from the trenches at industry conferences.