WEBVTT

0:00:06.220000 --> 0:00:11.100000
 Hello everyone and welcome to the incident
 response analysis course overview.

0:00:11.100000 --> 0:00:14.260000
 So before we get started with this course,
 I'm going to, you know, provide

0:00:14.260000 --> 0:00:17.940000
 you with an overview as to what we'll
 be covering, what the prerequisites

0:00:17.940000 --> 0:00:21.500000
 are for this course and more importantly,
 what the learning outcomes or

0:00:21.500000 --> 0:00:23.240000
 the learning objectives are.

0:00:23.240000 --> 0:00:26.940000
 With that being said, let's get some
 of the formalities out of the way.

0:00:26.940000 --> 0:00:29.040000
 Who am I? My name is Alexis Ahmed.

0:00:29.040000 --> 0:00:31.640000
 I'm the red and blue team
 instructor here at INE.

0:00:31.640000 --> 0:00:36.640000
 By trade or by practice, I'm a senior
 pen tester and red team lead at

0:00:36.640000 --> 0:00:39.880000
 Hackersploit. If you're asking yourself,
 what experience do I have in

0:00:39.880000 --> 0:00:41.900000
 teaching a course on incident response?

0:00:41.900000 --> 0:00:45.580000
 Well, I did work as a SOC analyst and
 then later an incident responder

0:00:45.580000 --> 0:00:47.680000
 before I went into red teaming.

0:00:47.680000 --> 0:00:51.620000
 And nowadays, I primarily operate or primarily
 perform threat intelligence.

0:00:51.620000 --> 0:00:56.080000
 I facilitate purple team operations,
 which is, you know, sort of pitting

0:00:56.080000 --> 0:01:01.580000
 the red team against the blue team
 in a planned and strategic fashion

0:01:01.580000 --> 0:01:07.220000
 so as to improve detection and incident
 response capabilities in the blue

0:01:07.220000 --> 0:01:12.540000
 team. So I am actively involved
 in incident response.

0:01:12.540000 --> 0:01:16.400000
 And, you know, really from the perspective
 of purple teaming, but I do

0:01:16.400000 --> 0:01:19.260000
 interact with incident responders
 quite often.

0:01:19.260000 --> 0:01:22.880000
 With that being said, let's take a look
 at the key concepts we'll be covering

0:01:22.880000 --> 0:01:26.900000
 in this course beginning with the concept
 of first response or the first

0:01:26.900000 --> 0:01:30.940000
 five minutes. So what do you do in the
 first five minutes after receiving

0:01:30.940000 --> 0:01:35.220000
 an incident or after an incident has
 been communicated or escalated to

0:01:35.220000 --> 0:01:36.960000
 you as an incident responder?

0:01:36.960000 --> 0:01:40.400000
 We'll then be taking a look at endpoint
 analysis and more specifically

0:01:40.400000 --> 0:01:42.140000
 endpoint log analysis.

0:01:42.140000 --> 0:01:46.280000
 We'll then turn our attention to network
 analysis, which is very important

0:01:46.280000 --> 0:01:50.460000
 as well. And then finally, this will
 all be tied together by exploring

0:01:50.460000 --> 0:01:56.760000
 real world incident response practices, you
 know, in the form of lab environment.

0:01:56.760000 --> 0:01:59.180000
 So there's quite a lot
 we'll be covering now.

0:01:59.180000 --> 0:02:01.000000
 That brings us to the major topics.

0:02:01.000000 --> 0:02:04.740000
 So what are the major topics that
 we'll be covering in this course?

0:02:04.740000 --> 0:02:08.320000
 Well, firstly, as I mentioned, we'll
 be taking a look at the concept of

0:02:08.320000 --> 0:02:13.520000
 first response as well as deep dive
 or deep analysis techniques, which

0:02:13.520000 --> 0:02:18.520000
 sort of occurs after first response
 has been performed.

0:02:18.520000 --> 0:02:23.460000
 So if you receive or an incident is
 communicated or escalated to you as

0:02:23.460000 --> 0:02:28.440000
 a responder and you perform, you know,
 you go through the concept of the

0:02:28.440000 --> 0:02:31.900000
 practice of first response and you
 realize that this requires further

0:02:31.900000 --> 0:02:34.100000
 analysis, what do you do next?

0:02:34.100000 --> 0:02:39.680000
 Well, that phase or that process is
 usually called deep analysis or,

0:02:39.680000 --> 0:02:43.460000
 you know, just further analysis
 and investigation.

0:02:43.460000 --> 0:02:47.480000
 So we'll be taking a look at first response
 and deep dive analysis techniques.

0:02:47.480000 --> 0:02:49.680000
 We'll then take a look
 at endpoint triage.

0:02:49.680000 --> 0:02:53.980000
 So Windows, Linux, live
 and offline systems.

0:02:53.980000 --> 0:02:58.600000
 So what is endpoint triage and
 what does the process

0:02:58.600000 --> 0:03:04.260000
 look like? We'll then turn our attention
 to SIEM-based log analysis.

0:03:04.260000 --> 0:03:08.620000
 So using SIEMs for log analysis and
 then more specifically Windows event

0:03:08.620000 --> 0:03:12.060000
 log analysis, we'll take a look
 at the entire lifecycle.

0:03:12.060000 --> 0:03:17.060000
 So how do you collect or extract Windows
 event logs from a, you know,

0:03:17.060000 --> 0:03:22.400000
 system affected by an incident and,
 you know, how to parse them, how to

0:03:22.400000 --> 0:03:24.360000
 analyze them, etc.

0:03:24.360000 --> 0:03:27.440000
 And we'll also do the
 same for Linux logs.

0:03:27.440000 --> 0:03:31.300000
 And then, in the case of network
 analysis, we'll be focusing on PCAP

0:03:31.300000 --> 0:03:35.840000
 analysis and network investigations,
 and then finally to tie everything

0:03:35.840000 --> 0:03:40.300000
 together, evidence timeline
 creation and correlation.

0:03:40.300000 --> 0:03:43.060000
 So now that brings us to
 the learning outcomes.

0:03:43.060000 --> 0:03:48.040000
 So what are you going to learn or what
 will you know and what will you

0:03:48.040000 --> 0:03:50.220000
 be able to do by the end of this course?

0:03:50.220000 --> 0:03:54.040000
 So firstly, you'll be able to, you'll
 have the ability to confidently

0:03:54.040000 --> 0:03:57.180000
 perform endpoint and network analysis.

0:03:57.180000 --> 0:04:01.080000
 Yeah, you'll have the ability to perform
 initial response actions and

0:04:01.080000 --> 0:04:04.960000
 deep analysis to assess the scope
 and impact of security incidents.

0:04:04.960000 --> 0:04:09.280000
 You will be able to conduct endpoint
 and log based investigations using

0:04:09.280000 --> 0:04:14.800000
 tools like Sysmon, the Windows Event
 utility, EvtxECmd, as

0:04:14.800000 --> 0:04:16.360000
 well as Chainsaw.

0:04:16.360000 --> 0:04:21.240000
 You'll have the ability to analyze network
 traffic using PCAPs, flow data

0:04:21.240000 --> 0:04:26.520000
 and logs to detect network
 scanning attacks, as well

0:04:26.520000 --> 0:04:28.280000
 as exfiltration.

0:04:28.280000 --> 0:04:32.360000
 And you'll have an understanding
 of, and you'll

0:04:32.360000 --> 0:04:35.780000
 have the ability to utilize the aforementioned
 industry standard tools

0:04:35.780000 --> 0:04:39.080000
 in live investigations.

0:04:39.080000 --> 0:04:42.120000
 And you'll also be able to differentiate,
 which is very important, you'll

0:04:42.120000 --> 0:04:47.400000
 be able to differentiate analysis strategies
 or practices based on, you

0:04:47.400000 --> 0:04:50.180000
 know, different scenarios or the
 different incidents, right?

0:04:50.180000 --> 0:04:54.380000
 So you'll actually, you'll get an understanding
 of how and when to apply

0:04:54.380000 --> 0:04:59.340000
 different analysis techniques or practices
 based on the incident that

0:04:59.340000 --> 0:05:00.460000
 you're dealing with.

0:05:00.460000 --> 0:05:02.900000
 So now that brings us to the next slide.

0:05:02.900000 --> 0:05:05.960000
 So what do I recommend you know
 or what do I recommend?

0:05:05.960000 --> 0:05:10.460000
 Yeah, primarily, what should you know
 before getting into this course? Well,

0:05:10.460000 --> 0:05:13.800000
 I would highly recommend you have an
 understanding of the OSI model and

0:05:13.800000 --> 0:05:16.020000
 TCP/IP networking.

0:05:16.020000 --> 0:05:19.320000
 I would also recommend you are familiar
 with common network protocols,

0:05:19.320000 --> 0:05:24.280000
 that you have a basic knowledge of operating
 systems, or Windows and Linux,

0:05:24.280000 --> 0:05:28.960000
 but more specifically, basic experience
 with command line tools and the command

0:05:28.960000 --> 0:05:29.680000
 line in general.

0:05:29.680000 --> 0:05:32.860000
 But more specifically in the case of
 Windows, I'd recommend you have an

0:05:32.860000 --> 0:05:37.160000
 understanding of PowerShell, how to use
 it at a very basic level, and Bash

0:05:37.160000 --> 0:05:39.040000
 in the case of Linux.

0:05:39.040000 --> 0:05:42.360000
 I would also recommend you have a basic
 familiarity with security concepts

0:05:42.360000 --> 0:05:44.520000
 and terminology.

0:05:44.520000 --> 0:05:47.880000
 And with that being said, that brings
 us to the end of the overview video

0:05:47.880000 --> 0:05:49.940000
 and I'm ready to get started.

0:05:49.940000 --> 0:05:52.820000
 So with that being said, that's
 going to be it for this video.

0:05:52.820000 --> 0:05:55.140000
 And I'll see you in the first
 video of this course.

