Enterprise Forensics and Response
August 24 @ 9:00 am – 6:00 pm EDT
Instructor: Gerard Johansen
Course Length: 16 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
This class is part of the Antisyphon Blue Team Summit 2023. Registration for any Blue Team Summit class includes registration for the summit and all of its presentations, talks, and streams.
The Enterprise Forensics and Response course is designed to provide students with both an investigative construct and techniques that allow them to scale incident response activities in an enterprise environment. The lecture portion of the course focuses on understanding the incident investigation process, objective-oriented analysis and response, intrusion analysis, and an exploration of attacker Tactics and Techniques.
The technical portion of the course will focus on how to conduct incident investigations at enterprise scale using the remote evidence acquisition and analysis tool Velociraptor, along with other free and open-source tools. The focus of the technical portion will be on extracting usable Indicators of Compromise (IOCs) related to specific MITRE ATT&CK tactics. For example, students will be instructed on extracting and analyzing evidence related to the Execution tactic (TA0002), whether carried out through malicious code or LOLBAS. From there, they will be tasked with addressing containment and eradication measures.
This course combines technical elements with lecture material to provide students with both an investigative construct and techniques that allow them to analyze evidence and provide stakeholders with the data necessary to limit the damage of modern cyber-attacks.
The overall objective of Enterprise Forensics and Response is to provide students with investigation methods and workflows that incorporate digital forensics at the scale of modern enterprises.
This course is geared towards incident response personnel, digital forensic professionals or Security Operations practitioners who may have to conduct incident investigations. Additionally, those new to the blue team or security analysis will also benefit greatly from both the lecture and technical material.
Skill level: Basic. Students do not need a high degree of technical skill or experience, but they should be familiar with digital forensic concepts, know how to work within a Linux or Windows command line, and understand Windows system internals such as Amcache or Link (LNK) file usage.
Students should be comfortable with the Windows and Linux command line and PowerShell. Some familiarity with open-source tools such as Atomic Red Team and Caldera would be helpful, but all labs will be comprehensively documented and instructed so that those that have had no exposure will be able to follow along.
Students should have some exposure to incident response and digital forensic concepts and common adversary TTPs found within the MITRE ATT&CK Framework.
Students will be provided a Windows virtual machine that contains all the necessary tools. Students will be required to have some form of virtualization software such as VMware or VirtualBox.
Students will be provided a Windows virtual system that contains Atomic Red Team, Eric Zimmerman’s suite of tools, the Velociraptor executable and Wireshark. Additionally, the VM will contain a text document with all command line instructions written out.
Students will be provided PDF copies of the entire lecture set and detailed instructions for all labs. The intent is that students will be able to replicate the entire course later if they would like to.
At the conclusion of the course, students will be able to apply an investigative construct and digital forensic techniques that allow them to respond and investigate incidents so that key data points are located and acted on in a timely manner. It is also anticipated that students will be able to incorporate the tools explored in the course into their own environment to aid in incident investigations.
Students may want to be familiar with Eric Zimmerman’s suite of tools and the corresponding evidence sources that are analyzed with those tools. Students will also be better prepared if they are familiar with adversary TTPs through such sites as thedfirreport.com and the MITRE ATT&CK Framework.
Gerard Johansen is an information security professional with over a decade of experience in Incident Response, Digital Forensics and Threat Intelligence. In his various roles over the last decade, he has been an author and trainer, developing interactive cyber range exercises for security professionals. Additionally, Gerard has assisted organizations with cyber security incidents both as a consultant and as IR lead. Gerard is currently a Principal Incident Handler with a Managed Detection and Response provider, where he is working on the development of readiness solutions to prepare organizations for modern threats.
Gerard is also a frequent contributor to professional conferences and the overall information security community. He has spoken at various conferences held by BSides, SANS and other community-based groups. Further, he has recently completed the third edition of Digital Forensics and Incident Response, published by Packt.