WEBVTT

0:00:06.520000 --> 0:00:12.820000
 Hello everyone and welcome to the incident
 response detection course overview.

0:00:12.820000 --> 0:00:17.060000
 So before we get started with this course
 or any course for that matter,

0:00:17.060000 --> 0:00:22.160000
 I always like providing you, the student
 with an overview of what we will

0:00:22.160000 --> 0:00:28.040000
 be covering and we're going to touch
 on some important aspects of the

0:00:28.040000 --> 0:00:33.600000
 course and more importantly, the key
 learning outcomes or objectives and

0:00:33.600000 --> 0:00:39.340000
 this is very important because it allows
 me to set this stage by firstly

0:00:39.340000 --> 0:00:43.340000
 giving you a high level overview of what
 we'll be covering but more importantly,

0:00:43.340000 --> 0:00:48.360000
 giving you an idea or understanding
 as to what you will know and what

0:00:48.360000 --> 0:00:55.480000
 you will be able to do. With that
 out of the way.

0:00:55.480000 --> 0:00:58.160000
 Who am I? My name is Alexis Ahmed.

0:00:58.160000 --> 0:01:01.540000
 I'm a red and blue team
 instructor here at INE.

0:01:01.540000 --> 0:01:06.760000
 I'm also a senior pen tester and red team
 lead at HackerSploit, and if you

0:01:06.760000 --> 0:01:10.920000
 ask yourself what experience I have
 with regard to incident

0:01:10.920000 --> 0:01:14.460000
 response, I did work as
 an incident responder.

0:01:14.460000 --> 0:01:20.460000
 Firstly, as a SOC analyst and then as
 an incident responder, before I went

0:01:20.460000 --> 0:01:26.120000
 into the offensive side of cyber security
 but also returned to incident

0:01:26.120000 --> 0:01:31.860000
 response later on after I was a red
 teamer primarily for the reason of

0:01:31.860000 --> 0:01:37.160000
 planning and executing
 purple team operations, to sort of

0:01:37.160000 --> 0:01:40.340000
 set up a red team
 against a blue team.

0:01:40.340000 --> 0:01:44.960000
 In any case, that's a little
 bit about myself.

0:01:44.960000 --> 0:01:49.780000
 Let's start off by taking a look at the
 key concepts that will be covered

0:01:49.780000 --> 0:01:55.180000
 in this course. So given that
 this course covers the

0:01:55.180000 --> 0:02:01.220000
 detection aspect of the detection and
 analysis phase of the incident response

0:02:01.220000 --> 0:02:06.120000
 life cycle, it's going to be
 geared in that direction.

0:02:06.120000 --> 0:02:11.400000
 So the key concept to begin with is
 understanding the role of detection

0:02:11.400000 --> 0:02:16.320000
 in the incident response life cycle, understanding
 events, alerts and incidents,

0:02:16.320000 --> 0:02:20.420000
 and getting an understanding of
 how to distinguish between them.

0:02:20.420000 --> 0:02:24.960000
 This is very important because we'll
 then take a look at log sources and

0:02:24.960000 --> 0:02:32.840000
 the process of log shipping, log
 collection, aggregation, etc.

0:02:32.840000 --> 0:02:36.340000
 And more importantly or more specifically
 in this context, we'll be taking

0:02:36.340000 --> 0:02:40.860000
 a look at the standard centralized log
 collection model which essentially

0:02:40.860000 --> 0:02:48.920000
 means configuring logs to be shipped
 to a centralized log destination

0:02:48.920000 --> 0:02:52.740000
 which in most cases is going
 to be a SIEM, right?

0:02:52.740000 --> 0:02:57.680000
 And then we'll take a look at detection
 rules and alert triage.

0:02:57.680000 --> 0:03:02.300000
 So those are the key concepts, and then
 one more final one would be SIEM

0:03:02.300000 --> 0:03:06.960000
 operations. So we'll be taking a look
 at, you know, what a SIEM is, how

0:03:06.960000 --> 0:03:13.060000
 it works, the role it plays with regard
 to detection, you know, threat

0:03:13.060000 --> 0:03:18.740000
 detection specifically and how you know
 this particular tool is used by

0:03:18.740000 --> 0:03:22.440000
 SOC analysts and, you know,
 incident responders.

0:03:22.440000 --> 0:03:25.180000
 So that brings us to the major topic.

0:03:25.180000 --> 0:03:28.800000
 So having looked at the key concepts,
 the major topics, this is where

0:03:28.800000 --> 0:03:33.160000
 I sort of, as it suggests
 here, outline the

0:03:33.160000 --> 0:03:39.680000
 major topics. So if we were to break
 it down on a topic basis, the most

0:03:39.680000 --> 0:03:44.060000
 important to begin with would be endpoint,
 network and application log

0:03:44.060000 --> 0:03:48.840000
 sources. So we'll get an understanding
 of log sources, but then, you know,

0:03:48.840000 --> 0:03:53.160000
 more specifically we'll be exploring
 endpoint logs for Linux and Windows,

0:03:53.160000 --> 0:03:55.880000
 network and application log sources etc.

0:03:55.880000 --> 0:04:00.660000
 So you understand the various sources,
 you know, various log sources or

0:04:00.660000 --> 0:04:03.380000
 where logs come from which
 is very important.

0:04:03.380000 --> 0:04:07.300000
 And then we'll, you know, take a look at
 Windows and Linux logging fundamentals,

0:04:07.300000 --> 0:04:11.660000
 which is self-explanatory, and then as
 I mentioned in the previous slide,

0:04:11.660000 --> 0:04:16.980000
 log shipping and aggregation methods,
 and then IOC analysis, so indicators of

0:04:16.980000 --> 0:04:23.300000
 compromise, IOC analysis and alert noise
 reduction, and then building and

0:04:23.300000 --> 0:04:24.880000
 tuning detection rules.

0:04:24.880000 --> 0:04:28.540000
 So these are sort of the major topics
 within this course, and now that

0:04:28.540000 --> 0:04:31.920000
 brings us to a very important aspect
 of this video which is the learning

0:04:31.920000 --> 0:04:36.480000
 outcomes. So to begin with, by the end
 of this course you will have the

0:04:36.480000 --> 0:04:42.740000
 ability to identify and work with key
 log sources across different types

0:04:42.740000 --> 0:04:44.420000
 of environments.

0:04:44.420000 --> 0:04:48.980000
 You'll also have the ability to utilize
 SIEMs like Splunk and ELK for

0:04:48.980000 --> 0:04:51.540000
 centralized detection.

0:04:51.540000 --> 0:04:56.580000
 You'll have the ability to analyze alerts,
 indicators of compromise and

0:04:56.580000 --> 0:05:00.780000
 false positives, so you have an understanding
 of how to identify false

0:05:00.780000 --> 0:05:03.280000
 positives really quickly.

0:05:03.280000 --> 0:05:07.980000
 You'll have the ability to build effective
 detection rules for real world

0:05:07.980000 --> 0:05:13.580000
 incidents, or realistic incidents I should
 say, and that brings us now to

0:05:13.580000 --> 0:05:14.420000
 the prerequisites.

0:05:14.420000 --> 0:05:18.220000
 So what do you need to know before
 you get started with this course?

0:05:18.220000 --> 0:05:22.000000
 To begin with, I would recommend you have
 a basic understanding of cybersecurity

0:05:22.000000 --> 0:05:33.300000
 concepts and operating system concepts,
 specifically Windows and Linux,

0:05:33.300000 --> 0:05:37.560000
 because, you know, those are the operating
 systems we're going to be interacting

0:05:37.560000 --> 0:05:42.940000
 with primarily. With that being said,
 that brings us to the end of this

0:05:42.940000 --> 0:05:47.300000
 video, or the end of the course overview
 video, and now that you have an

0:05:47.300000 --> 0:05:51.540000
 understanding of, you know, what we'll
 be covering and what to expect, I'll

0:05:51.540000 --> 0:05:53.860000
 be seeing you in the first
 video in this course.

