Hands-On Incident Response Fundamentals

Course Overview
Hiya folks, my name is Ryan Chapman, and welcome to my course, Hands-On Incident Response Fundamentals. I'm an incident handler, malware reverse engineer, and forensic analyst by trade. I love to run my mouth and share information, which is why I have presented workshops and talks in various security conferences. However, I am extremely proud to present my first course on IR here at Pluralsight. Cyberattacks are taking place every minute of the day around the world. Unfortunately, most companies have difficulty finding and hiring IR analysts, due to the lack of qualified individuals from which to choose. Hence, the reason that I've created this very course. This course provides an overview of the core principles of hands-on IR. Some of the major topics that we will cover include understanding the differences between commodity and advanced persistent threat attack groups, fielding alerts and analyzing log files, performing triage-level file analysis using a hex editor, and working with threat intelligence. By the end of this course, you will be familiar with tier-one triage requirements and be ready to analyze anomalous events in the security information and event management platform. Before beginning the course, you should be familiar with basic computer networking and have a passion for learning. I hope you'll join me on this journey to bolster your understanding of the IR realm with the Hands-on Incident Response Fundamentals course, here at Pluralsight.

The Nature of the Threat: Why Are We Here?
Welcome back folks. Our second module answers the question, why should we care about incident response? The short answer is, because the threat is real. Imagine if you will a regimented group of hundreds to thousands of hackers, each possessing unique hacking and social engineering skills, all working together in an assembly-line-like fashion over long periods of time to infiltrate large corporations and/or government organizations. This may seem like something straight out of the movies or T. V. , but it's real. It's also just one of the concepts we'll be covering in this section, so let's get started. We begin by describing "the threat", a section in which I highlight the pervasiveness of cyberattacks within our digital world. We then move to delineating the differences between the two general types of attackers, commodity and the advanced persistent threat, or APT. In an attempt to explain how sophisticated APT attacks are, I will cover what is known as the cyber kill chain in this section. Additionally, to give context to the threat of APT groups, we will cover two high-profile groups. The module concludes with an overview of operations security. Although the module will almost be over by this time, it's okay folks, because I have an awesome demo for you. The module demo includes hands-on exploration of virustotal. com, one of the most crucial tools for IR analysts worldwide. Okay, let's get things started.

Common IR Tasks: An Overview
Welcome back folks. This module focuses on incident response core tasks. Whether you work in a security operations center, on a computer incident response team, or simply function as a sole "security" guy or gal at work, these tasks can be considered your bread and butter. This is demo-heavy module, so we're sure to have some fun. Our journey begins with some terms and definitions. We can't walk the walk if we can't talk the talk, right? The key concept that ties everything together in this section is that of network security monitoring, or NSM. As such, we'll focus heavily on this area using some pretty diagrams to illustrate topics. While discussing NSM, you'll learn about the importance of collecting all the logs that we can for review. Once we've established our primary terms, it's time to delve into some demos. Our first demo involves fielding alerts. You will learn how to field a real-world intrusion detection system alert, along with how to pick apart the rule that caused the alert to fire. Alerts are often tied to logs, so I'll show you how to parse a web-proxy log in our second demo. Via these two demos, you'll see first-hand two different SIEMs and how they operate. I truly enjoy doing demos, so I hope you like them as much as I do. You better, darn it, because they're awesome. So let's get to it.

Analyzing Files: Character Encodings, Carrier Files, and Hex Editors
Welcome back folks. This module focuses on file analysis. Incident response analysts often find themselves triaging and/or performing deep dive analysis on files, so let's cover some of the central tenets of this task. Our first lesson is on character encodings. Files contain data. That data is typically stored using a common encoding system. You'll need to be able to recognize and work with character encodings, so I'll cover them first. Next, we will learn about carrier files, which I consider the new age Trojan horse; oh, hi there little Microsoft Word document, what's that you say? You have details concerning the package that I never ordered, that seems legit. I will also cover file signatures in this section, as understanding how to work with signatures eases the process of detecting carrier files. Lastly, we will learn about hex editors. The hex editor overview in this section brings together character encodings, carrier files, and file signatures in order to put the entire module into context. Hands-on hex editing, file analyzing sleuth context.

Proactive IR: Intelligence, Indicators of Compromise, and Hunting
Welcome back folks. This module introduces you to the concept of working with indicators of compromise, pivoting through data to hunt throughout your network and sharing intelligence. Adhering to these principles is what separates the strong security teams from the weak. So let's not waste any time and get started. Cyber threat intelligence comes in many forms, but our focus is going to be on tactical/technical intelligence. You will learn about indicators of compromise, or IOCs, which are a key portion of tactical intelligence. In the second half of this lesson, you will learn about intelligence sharing, along with associated file formats. We end the module with an overview of pivoting and hunting. I'm already itching to have some fun, so let's go, go, go.

Course Review & Next Steps
Well folks, our course is just about complete. I'd like to take a few minutes, just sit right there, and I'll tell you how I became the prince of a town called, wait, no, that's not it. I actually want to discuss your next steps. You wouldn't want your journey to end here, would you? This course is just the tip of the proverbial iceberg. The IR realm is vast, but at least you've dedicated yourself to starting your journey. If you've made it through the entire course, you're most likely truly interested in pursuing IR, at least I hope so. I designed this course to have a logical flow. My goal was to present content in a fashion that provides you insight into each specific topic, yet leads the way for you to learn more about each subject. Your mission, should you choose to accept it, is to use each module in this course as a springboard to learning. Up next, I provide some examples of how to do just that.