Network Incident Response

Short description

Until recently, the majority of organizations believed that they could fly under the radar in terms of targeted attacks, and that these incidents – if a concern at all – were solely worrisome to government institutions, major financial services providers and utilities. The content of this course is intended to forearm you against targeted attacks so that you can successfully detect them and ward them off.

Learning objectives

The goal of this training is to gain a better understanding of Incident Response in networks. A scenario is played out and the appropriate measures are developed. Practical exercises and a workshop will teach you, for example, how to detect and investigate Command and Control (C&C) traffic in the network. Furthermore, the practical use of Intrusion Detection Systems (IDSs) will be discussed.

During the workshop, participants apply their acquired knowledge by devising an attack method and independently executing it in the Hacking Lab. Course participants thereby have the unique opportunity to join the attacking side, gain first-hand insight into the attackers' point of view and thus better understand it. In a second step, participants will attempt to detect each other's attack and, if necessary, to optimize the detection rate. Incident Response measures are taken and re-enacted by way of a table-top exercise. The instruction will also point out the limitations of the technology and tools used.
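One of the detection tasks named above, spotting Command and Control traffic, is often approached by looking for periodic "beaconing": an infected host contacting the same destination at near-constant intervals. The following is an added illustration, not material from the course or from Hacking Lab, that runs this check over a few constructed proxy log lines. The log format (`<ISO timestamp> <src_ip> <dst_host> <bytes>`), the host names and the thresholds are all assumptions chosen for the example.

```python
"""Beacon-style C&C detection over constructed proxy log lines (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, format: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 contacts update.example-cdn.test roughly every 60 s (beacon-like).
# 10.0.0.7 fetches news.example.test in an irregular, human-like pattern.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 update.example-cdn.test 512
2024-03-01T09:01:01 10.0.0.5 update.example-cdn.test 508
2024-03-01T09:02:00 10.0.0.5 update.example-cdn.test 515
2024-03-01T09:02:59 10.0.0.5 update.example-cdn.test 511
2024-03-01T09:04:00 10.0.0.5 update.example-cdn.test 509
2024-03-01T09:05:01 10.0.0.5 update.example-cdn.test 514
2024-03-01T09:00:05 10.0.0.7 news.example.test 20480
2024-03-01T09:00:07 10.0.0.7 news.example.test 1024
2024-03-01T09:00:42 10.0.0.7 news.example.test 33210
2024-03-01T09:03:10 10.0.0.7 news.example.test 980
2024-03-01T09:10:55 10.0.0.7 news.example.test 45000
2024-03-01T09:11:00 10.0.0.7 news.example.test 777
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def beacon_candidates(text, min_requests=5, max_cv=0.2):
    """Return (src, dst) pairs whose request timing is suspiciously regular.

    For each src/dst pair the gaps between consecutive requests are measured;
    a low coefficient of variation (stdev / mean) means near-constant spacing,
    which is typical of automated beaconing and atypical of human browsing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "requests": len(stamps),
                "mean_interval": mean_gap,
                "cv": cv,
            })
    # Most regular (lowest jitter) first: those deserve the analyst's attention first.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['requests']} requests, "
              f"~{f['mean_interval']:.1f}s apart, cv={f['cv']:.3f}")
```

Two caveats worth carrying into the lab: a legitimate software updater or monitoring agent produces the same timing signature, so a hit is a lead for investigation rather than a verdict, and the check is only as good as its thresholds, which is exactly the kind of tuning the workshop's "optimize the detection rate" step is about.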

Demarcation: The seminar assumes that computers in the network have already been infected with malware. There will be no discussion of how computers become infected or how malware is usually installed. This topic is part of the training session "Penetration Testing".

Moreover, the training does not address the forensically sound collection of evidence and the investigation of malicious programs. These topics are part of the training session "Host-based Incident Response".

Highlights

  • Advanced Persistent Threats (APT) and countermeasures
  • Splunk: introduction and exercises
  • Splunk: advanced application for network analysis
  • Workshop on covert channels and detection
  • Incident response scenarios and table-top exercises
  • Intrusion detection using BRO/Splunk

The exercises will be done on www.hacking-lab.com. Following the course, the lab environment remains available to participants for a further 30 days.

Target group

  • Security Officers
  • IT Managers
  • Security Engineers
  • System Engineers
  • Third-Level Support
  • Incident Handlers
  • SOC Team Members

Prerequisite

  • Understanding of network protocols (IP, TCP, UDP, ICMP)
  • Good network-service knowledge (DNS, DHCP, Proxy, SSH, TLS, HTTP)
  • Linux knowledge (Shell, grep, awk)
  • Windows knowledge (AD, GPO)