This class is about Incident Response in a post-compromised environment.
Abstract:
If you give an attacker 100 days of time to move freely in your compromised environment, the evidence is fairly strong that you are pretty bad at Security Operations. On the contrary, if your Security Operations is constantly sending breach confirmations to the forensic team which turn out to be false positives, then again, the evidence is fairly strong that you are pretty bad at Security Operations. This is what is constantly happening in a lot of large organizations, banks and government institutions around the world.
In this class we will show you the major reasons why Security Operations is currently doing bad and what is required within Security Operations in order to produce high value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, starting off with the initial triage within Security Operations to Threat Hunting to Forensics in case of an advanced targeted attack by quickly forming up a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.
The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1) which will hand-off valuable results to the Threat Hunting team (L2) which will in turn produce results that will be consumed by the DFIR team (L3) for a deep dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems.
By integrating Resilient with IBM QRadar, QRadar Network Insights and QRadar Advisor with Watson for detection, Carbon Black Response for Threat Hunting, a robust and actionable CTI from Recorded Future along with MITRE Att&ck for identifying the adversary's applied TTPs we will further demonstrate how the local relevance is expressed in STIX objects.
Integral parts of this class will be to demonstrate how security analysts will stay focused by using efficient playbooks as well as drastically reduce the time to respond by automation and orchestration techniques. The security analysts will be able to watch the movements of the intruder and limit their capabilities while the L2/L3 teams would be working on a strategy to completely remove the intruder's foothold (fully-fledged remediation, eradication and recovery) from the compromised environment.
This class includes a lot of hands-on labs that require to analyze and defend an organization's networked computer environment.
Training class dates:
2nd-6th of September 2019
11th-15th November 2019
13th-17th January 2020
Target audience:
Cyber security practitioners or Consultants of Security Operations, Threat Hunting and DFIR teams.
Pre-requisites:
Technical skills and a general understanding of Cyber Security. No programming or scripting knowledge required.
If attendees want to prepare for this class in the best manner they can read through the following three blogs:
https://www.rukhsarkhan.de/blog/introduction
https://www.rukhsarkhan.de/blog/current-security-operations-and-dfir-problems
https://www.rukhsarkhan.de/blog/solution-draft
This registration is currently considered as a first expression of interest. It is not binding and can therefore still be cancelled by the registrant. Later in Q2/2019 we will send out a confirmation email that will cover all the details like modalities and venue. And once that is approved by the registrant only then the registration will be binding.