Windows Enterprise Incident Response

Instructor-led training course.

At a glance

This 24-hour course is designed to teach the fundamental investigative techniques needed to respond to today's cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence, and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, and investigate an incident throughout an enterprise.

Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network, and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency.

Course goals

After completing this course, participants should be able to:

  • Analyze the evolving threat landscape by identifying current trends and common attack vectors targeting environments.
  • Correlate collected evidence with relevant threats and map findings to industry-standard incident response frameworks during an investigation.
  • Execute the key phases of the incident response process effectively in the event of a security incident.
  • Identify communication paths, team responsibilities, and areas to improve visibility prior to an incident.
  • Implement various detection methodologies, accurately scope security incidents, and conduct comprehensive forensic analysis utilizing available evidence sources.
  • Isolate compromised systems, and design and implement strategies for containing and eradicating threats from the enterprise network.
  • Formulate actionable recommendations based on post-incident analysis to enhance the organization's overall security posture.

Who this course helps

Incident response team members, threat hunters and information security professionals. Participants should have a background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or security architecture and system administration. Participants must have a working understanding of the Windows operating system, file system, registry and command line usage. Familiarity with Active Directory and basic Windows security controls, as well as common network protocols, is beneficial.

How it works

Delivery methods

In-classroom or virtual instructor-led training.

Duration

  • 3 days (in-person delivery)
  • 4 days (virtual delivery)

What to bring

Participants will need a laptop with the latest browser of choice and the ability to connect to the internet.

Take the next step

Contact Mandiant Academy to learn more and schedule your course today.

Google Cloud