Advanced Endpoint Investigations
April 9, 2024 @ 11:00 am – 4:00 pm EDT
Instructor: Alissa Torres
Course Length: 16 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data.
This course focuses on four core investigative competencies: endpoint data collection, investigative triage, incident response pivots, and root cause analysis.
- Gain fundamental knowledge of modern Windows and Linux host artifacts.
- Explain logical investigative workflows for host pivoting, data collection, and analysis.
- Develop an understanding of use cases for incident response host pivots and root cause analysis.
- Develop host triage collection and analysis skills for effective investigations of Windows and Linux systems.
- Properly identify file system, OS, and memory artifacts to support timeline creation and attack path reconstruction.
- Build deductive reasoning and investigative prowess through hands-on exercises built around real-world scenarios.
Who Should Take This Course
- Security Operations/Incident Response Analysts
- Threat Hunters
- Tactical Threat Intel Analysts
- Digital Forensics Investigators
- Red teamers who want to perfect their operational discipline
Audience Skill Level
- Basic understanding of Windows and/or Linux OS fundamentals
- Familiarity with attack path models, threat actor frameworks, and hunt methodologies
- 1-2 years of experience in security operations, incident response, or threat hunting.
- Stable Internet access
- x86 architecture CPU clocked at 2 GHz or higher that is capable of nested virtualization
(Apple Silicon is currently not supported)
- A computer with at least 8 GB of RAM. 16 GB is recommended
- VMWare Workstation or VMWare Fusion
(VirtualBox and other VM software is not supported)
- Windows 10/11, MacOSX+, or a currently supported Linux Distribution
- Full Administrator/root access to your computer or laptop
- System must also have at least 80GB of available disk space, 2 vCPUs, and be able to connect to a wireless network for Internet access.
Trainer & Author
Alissa Torres is a blue team practitioner/educator turned consultant, laser-focused on the people element of the SecOps equation. With 3 dog-years of experience spanning roles in active and passive IT and security operations, she discovered her passion for adversary hunt while serving in the trenches as an incident analyst with a third-party remediation services company, and later, leading an incident response team for a global manufacturing company. As a seasoned presenter, Alissa shares insights from her real-world experiences but she certainly hopes your mileage varies (dramatically, in some cases) from her own.