WEBVTT

0:00:00.360000 --> 0:00:05.360000
 Hello everyone and welcome to the Incident
 Response Analysis course summary.

0:00:05.360000 --> 0:00:08.160000
 So this is going to be the final video
 in this course and this is where

0:00:08.160000 --> 0:00:11.080000
 we go through everything we've
 covered in the course.

0:00:11.080000 --> 0:00:15.080000
 We revisit the learning outcomes or the
 learning objectives to see whether

0:00:15.080000 --> 0:00:17.560000
 I indeed covered what I told you

0:00:17.560000 --> 0:00:21.200000
 I was going to cover in the course overview
 video, and this is very important

0:00:21.200000 --> 0:00:30.380000
 because it'll give you a very good way

0:00:30.380000 --> 0:00:35.140000
 to assess, you know, what you've learned
 both in the context of knowledge

0:00:35.140000 --> 0:00:41.740000
 but, you know, what you're able to do in
 the context of skills and abilities.

0:00:41.740000 --> 0:00:46.740000
 So let's, you know, go through or recap
 the key concepts as outlined in

0:00:46.740000 --> 0:00:47.900000
 the course overview video.

0:00:47.900000 --> 0:00:52.380000
 So in this course, we're supposed to
 cover, you know, the principle or

0:00:52.380000 --> 0:00:57.980000
 the concept of first response, endpoint
 analysis, endpoint log analysis,

0:00:57.980000 --> 0:01:03.140000
 network analysis, and we were, you know,
 to tie all of this together, you

0:01:03.140000 --> 0:01:08.440000
 know, by taking a look at real-world incident
 response practices, or I should

0:01:08.440000 --> 0:01:12.960000
 say each of these key concepts was covered
 with that in mind or that as

0:01:12.960000 --> 0:01:14.620000
 the basis, right?

0:01:14.620000 --> 0:01:17.880000
 And now that brings us to
 the learning outcomes.

0:01:17.880000 --> 0:01:20.860000
 So let's, you know, take
 a look at them again.

0:01:20.860000 --> 0:01:25.480000
 So firstly, you have the ability to confidently
 perform endpoint and network

0:01:25.480000 --> 0:01:28.520000
 analysis. We covered both
 in quite a bit of detail.

0:01:28.520000 --> 0:01:30.480000
 So I'm fairly happy with that.

0:01:30.480000 --> 0:01:34.280000
 You'll have the ability to perform
 initial response or first response

0:01:34.280000 --> 0:01:38.740000
 actions and deep analysis to assess the
 scope and impact of security incidents.

0:01:38.740000 --> 0:01:41.100000
 And we dedicated the whole
 section to that.

0:01:41.100000 --> 0:01:44.280000
 So I'm quite satisfied with
 my coverage of that.

0:01:44.280000 --> 0:01:48.060000
 And hopefully you have a very good understanding
 of the concept of first

0:01:48.060000 --> 0:01:53.040000
 or initial response and how that leads
 into deep analysis or the need

0:01:53.040000 --> 0:01:55.740000
 for deep analysis or investigation.

0:01:55.740000 --> 0:01:59.560000
 You should also have the ability to conduct
 endpoint and log-based investigations

0:01:59.560000 --> 0:02:04.560000
 using tools like Sysmon, which we covered,
 the Windows event utility,

0:02:04.560000 --> 0:02:08.040000
 which we also covered when we were taking
 a look at Windows event log analysis,

0:02:08.040000 --> 0:02:18.120000
 and likewise the same for
 EvtxECmd and Chainsaw.

0:02:18.120000 --> 0:02:23.740000
 So how to collect and extract Windows
 event logs, how to parse them using

0:02:23.740000 --> 0:02:29.620000
 a tool like EvtxECmd, how to analyze
 them using Chainsaw in conjunction

0:02:29.620000 --> 0:02:32.380000
 with Sigma. So again, I'm very,
 very happy with that.

0:02:32.380000 --> 0:02:36.660000
 And of course, this was all underpinned
 or this was all facilitated through

0:02:36.660000 --> 0:02:38.400000
 the use of a practical lab environment.

0:02:38.400000 --> 0:02:41.500000
 So you actually took a look at
 how to do this practically.

0:02:41.500000 --> 0:02:45.740000
 You should also have the ability to
 analyze network traffic using PCAPs,

0:02:45.740000 --> 0:02:50.500000
 flow data and logs to detect network
 scanning, network

0:02:50.500000 --> 0:02:52.780000
 attacks and exfiltration.

0:02:52.780000 --> 0:02:56.960000
 And of course, we covered this, you know,
 both theoretically and practically

0:02:56.960000 --> 0:03:03.760000
 also again, through the use of practical
 labs on the INE platform.

0:03:03.760000 --> 0:03:09.400000
 So again, I'm fairly happy or really
 comfortable and pleased with how

0:03:09.400000 --> 0:03:12.140000
 I covered that or how that was covered.

0:03:12.140000 --> 0:03:17.660000
 And you know, the final learning outcome
 really just, you know, pretty

0:03:17.660000 --> 0:03:20.840000
 much encapsulates all the tools
 that I've just mentioned.

0:03:20.840000 --> 0:03:25.340000
 So, you know, you'll be able to use the aforementioned
 industry-standard tools

0:03:25.340000 --> 0:03:30.940000
 in conducting live investigations or,
 you know, analysis more broadly

0:03:30.940000 --> 0:03:35.680000
 speaking. So that's a recap
 of the learning outcomes.

0:03:35.680000 --> 0:03:39.620000
 And there's one final one that I forgot
 to mention, which is, you know,

0:03:39.620000 --> 0:03:43.080000
 you'll have the ability to differentiate
 analysis strategies based on

0:03:43.080000 --> 0:03:45.400000
 different types of incidents.

0:03:45.400000 --> 0:03:46.740000
 So that is quite important.

0:03:46.740000 --> 0:03:51.580000
 And again, this was also facilitated
 through, you know, the endpoint

0:03:51.580000 --> 0:03:57.140000
 analysis labs or scenarios that we
 went through as well as the network

0:03:57.140000 --> 0:04:00.720000
 analysis scenarios we went through.

0:04:00.720000 --> 0:04:05.740000
 So I've outlined the set of next steps
 that I recommend you take after

0:04:05.740000 --> 0:04:08.280000
 completing this course,
 which you just have.

0:04:08.280000 --> 0:04:11.600000
 A lot of these next steps are there
 to aid what you've learned in this

0:04:11.600000 --> 0:04:14.940000
 course, but also to set the stage for
 the next set of courses within this

0:04:14.940000 --> 0:04:18.420000
 learning path. So to begin with, I would
 highly recommend that you apply

0:04:18.420000 --> 0:04:20.500000
 your skills in a lab environment.

0:04:20.500000 --> 0:04:24.520000
 You know, the easiest would be the labs
 included in this course, but also

0:04:24.520000 --> 0:04:28.520000
 the detection course, which preceded
 this course, as well as some of the

0:04:28.520000 --> 0:04:33.860000
 Skill Dive lab collections specific
 to detection, security monitoring

0:04:33.860000 --> 0:04:35.600000
 and incident response.

0:04:35.600000 --> 0:04:39.120000
 I would also, you know, highly recommend
 that you study real-world incident

0:04:39.120000 --> 0:04:40.760000
 reports and post-mortems.

0:04:40.760000 --> 0:04:44.820000
 More specifically, I would recommend that
 you analyze public breach reports

0:04:44.820000 --> 0:04:47.240000
 from Mandiant, CISA or Microsoft.

0:04:47.240000 --> 0:04:51.940000
 You know, these would be the best examples
 in order to see how professional

0:04:51.940000 --> 0:04:55.900000
 incident responders apply detection
 and analysis techniques.

0:04:55.900000 --> 0:04:59.320000
 I would also recommend that you explore
 advanced incident response topics

0:04:59.320000 --> 0:05:03.620000
 in order to, you know, more specifically,
 deepen

0:05:03.620000 --> 0:05:07.640000
 your knowledge in areas like malware
 analysis, threat hunting, memory

0:05:07.640000 --> 0:05:10.440000
 forensics and digital forensics.

0:05:10.440000 --> 0:05:14.680000
 And then finally, I would highly recommend
 that you stay updated on emerging

0:05:14.680000 --> 0:05:19.420000
 threats and tools and more specifically,
 or, you know, to shed a bit more

0:05:19.420000 --> 0:05:21.160000
 light on what I mean by that.

0:05:21.160000 --> 0:05:25.160000
 What I mean is, you know, follow cybersecurity
 blogs, join communities,

0:05:25.160000 --> 0:05:31.060000
 for example, online communities like
 the DFIR Slack, or Reddit's BlueTeamSec

0:05:31.060000 --> 0:05:36.000000
 subreddit, and also attend webinars or
 conferences to remain current
 conferences to remain current

0:05:36.000000 --> 0:05:40.100000
 in the field. So with that being said,
 that brings us to the end of this

0:05:40.100000 --> 0:05:43.460000
 video and consequently or subsequently
 the end of this course.

0:05:43.460000 --> 0:05:48.980000
 I hope you found value in the course
 and now, you know, now that we've

0:05:48.980000 --> 0:05:54.160000
 taken a look at detection and analysis,
 we're ready to move on to the

0:05:54.160000 --> 0:05:58.540000
 other courses. We'll be covering, you
 know, specialized digital forensics

0:05:58.540000 --> 0:06:04.060000
 and, you know, threat intelligence and
 threat hunting, which, you know,

0:06:04.060000 --> 0:06:07.860000
 are also important, you know, subjects.

0:06:07.860000 --> 0:06:12.920000
 These are also important topics or
 areas of expertise that, you know,

0:06:12.920000 --> 0:06:17.740000
 you should be versed in
 as an incident responder.

0:06:17.740000 --> 0:06:20.720000
 With that being said, that's going
 to be it for this video.

0:06:20.720000 --> 0:06:23.780000
 And I will be seeing you
 in the next course.

