Complexity is the enemy of security. This is especially true in crisis. When responding to a cybersecurity incident, you need a simple, effective, repeatable plan. In this course, we’ll discuss the three primary threat vectors, outline the two most important IR playbooks, and review the two most critical IT assets: identity and endpoint.
Complexity is the enemy of security. This is especially true in crisis. When responding to a cybersecurity incident, you need a simple, effective, repeatable plan.
In this course, we’ll discuss the three primary threat vectors, outline the two most important IR playbooks, and review the two most critical IT assets: identity and endpoint. Then we’ll roll up our sleeves and practice identity and endpoint investigations, including forensic-artifact selection and acquisition, rapid processing, and prioritized investigative workflow in the context of a real-world business compromise.
We’ll discuss Active Directory and M365 Identity; Windows; and Linux OS “attack surface;” and get hands-on experience performing rapid endpoint investigations using PowerShell, Velociraptor offline collector, KAPE, and csv/xlsx output analysis.
System Requirements
A computer with a web browser. All lab VMs are cloud-hosted.
Syllabus
Developing a Tactical IR Plan
· The Three Threat Vectors
· The Two Most Important IR Playbooks
· Asking the Right Incident-Response Questions
Identity Attack Surface
· Identity: Your Most Critical IT Asset
· M365 Identity Overview
· Active Directory for IR Overview
Endpoint Attack Surface
· Understanding How Threat-Actors/Malware Impact Endpoints
Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.