• Online, Instructor-Led

This three-day course is designed to teach the fundamental investigative techniques needed to respond to today’s sophisticated threat actors and their intrusion methods. This course includes a series of hands-on labs that highlight all phases of a targeted attack lifecycle, critical sources of attacker evidence and the forensic analysis required to conduct effective analysis. Students will learn how to conduct rapid triage to determine system compromise, uncover evidence of initial attack vectors, recognize persistence mechanisms and develop indicators of compromise (IOCs) to further scope an incident.

Learning Objectives

After completing this course, learners should be able to: • Understand the stages of an effective incident response process including preparation, detection and analysis and remediation • Recognize the most common forms, benefits and limitations of endpoint forensic evidence collection including forensic imaging and live response acquisition • Identify and use critical sources of evidence to investigate and analyze a compromised Linux system including EXT3/EXT4 file systems, syslog, audit logs, memory, VPN and web shells • Audit common Linux applications for databases and web servers including Oracle, MySQL, PostgreSQL, Apache and nginx • Know how attackers move from system-to-system in a compromised Linux environment through their use of data including credentials, logons, remote command execution and shell artifacts

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Incident Response

Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.