INFOSEC Incident Response and Network Forensics Boot Camp Course

Plan
» Incident response planning fundamentals
» Building an incident response kit
» Incident response team components
» IR toolkits and appropriate implementation
» Threat Intelligence
» Cyber Kill Chain
» Agent-based IR
Identify
» Indications of an incident
» Triage
» Critical first steps
» Understanding chain of custody
Contain
» Documentation
» Written documentation and supporting media evidence
» Identification methods
» Isolation technical procedure best practices
» Containment
» Quarantine considerations for business continuity
Eradicate
» Eradication testing and the QA role
» Incremental backup compromise detection
» Operating system rebuilds
Recover
» Stakeholder identification in recovery process
» Post incident heightened monitoring tasks
» Special actions for specific incident types
» Incident record keeping
» Lessons learned
Constructing your live incident response toolkit
» Trusted command shells – Windows/Linux
» Remote shells
» PsExec vs PowerShell

Event/incident detection
» Develop an incident response strategy and plan
» Limit incident effect and repair incident damage
» Perform real-time incident response tasks
» Determine the risk of continuing operations
» Spearphishing and APT attacks
Sources of network evidence
» 3 evidence collection modalities
» Persistence checks
» Sensors
» Evidence acquisition
» Forensically sound collection of images
TCP reconstruction
» TCP session reconstruction
» Payload reconstruction
» Encapsulation methods
» tcpdump/Wireshark
» Working with pcap files
» Wireshark filtering
» Identify missing data
» Identify sources of information and artifacts
» Packet analysis
Flow analysis
» nfcapd and nfdump
» nfsen
» SiLK
» Flow record export protocols
» Network file carving
» Encrypted flow analysis
» Anomalous behavior analysis
» Flow data points
NIDS/NIPS
» Snort
» Snort rule configuration
» Collect incident data and intrusion artifacts
Log analysis
» Syslog server
» Syslog protocol format
» Event investigation
» Microsoft event log
» Event viewer
» Modeling analysis formats
» HTTP server logs
» Apache vs IIS
» Header analysis and attack reconstruction
Firewall log investigation
» Log formats
» iptables and packet flow
Log aggregation
» SIEM tools
» Splunk architecture

Triage & analysis
» Categorizing events
» Developing standard category definitions
» Perform correlation analysis on event reports
» Event affinity
» Prioritize events
» Determining scope, urgency, and potential impact
» Assign events for further analysis, response, or disposition/closure.
» Determine cause and symptoms of the incident
Network artifact discovery
» Network forensics with Xplico
DNS forensics and artifacts
» DNS tunneling
» Fast flux forensics
NTP forensics and artifacts
» Understanding NTP architecture
» NTP analysis
» NTP usage in timeline analysis and log monitoring
» Protocol inspection
HTTP forensics and artifacts
» Artifact discovery
» Request/response architecture
» HTTP field analysis
» HTTP web services
» AJAX
» Web services
HTTPS and SSL analysis
» Artifact from secure negotiation process
» Other non HTTPS SSL analysis
FTP and SSH forensics
» Capture and inspection
» SFTP considerations
Email protocol artifacts
» SMTP vs POP vs IMAP artifacts
» Adaptations and extensions
» Microsoft Protocols
» Architecture and capture
» Exchange considerations
» SMB considerations
» Cloud email forensics
Wireless network forensics
» Wireless monitoring and capture methodologies
» Understanding Wi-Fi common attacks
» WEP vs WPA vs WPA2
» Wi-Fi security compromise analysis
Perform vulnerability analysis
» Determine the risk, threat level or business impact of a confirmed incident.

Timeline analysis
» Timeline reconstruction
» Benefits of structured timeline analysis
» Required pre-knowledge
» Pivot point analysis
» Contexting with incomplete data
» Enter information into an operations log or record of daily operational activity.
» Filesystem considerations
» Time rules
» Using Sleuthkit and fls
» Program execution file knowledge
» File opening and file deletion
» log2timeline
» log2timeline input and output modules
» Using l2t_process for filtering
Volatile data sources and collection
» System memory acquisitions from Windows systems
» 64 bit Windows memory considerations
» Page File analysis
» Hibernation file analysis
» Identify rogue processes
» DLL analysis
» Handle discovery and analysis
» Code injection artifacts Rootkit indicators
» Correlation with network artifacts
» Volatility walk-through
» Redline analysis
» Volatility basics
» Volatility case study
» Advanced malware hunting with Volatility
» Examine Windows registry in memory
» Investigate windows services
» Cached files in RAM
» Credential recovery in RAM

Incident response
» Defensive review and recommendations
» Improving defenses
» Secure credential changing process and monitoring
» Increased monitoring period – when and how long
» Validate the system.
» Identify relevant stakeholders that need to be contacted
» Communications about an organizational incident
» Appropriate communications protocols and channels
» Coordinate, integrate and lead team responses with other internal groups
» Provide notification service to other constituents
» Enable constituents to protect their assets and/or detect similar incidents.
» Report and coordinate incidents with appropriate external organizations
» Liaison with law enforcement personnel
» Track and document incidents from initial detection through final resolution.
» Assign and label data according to the appropriate class or category of sensitivity
» Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
» Perform risk assessments on incident management systems and networks
» Run vulnerability scanning tools on incident management systems and networks