Mandiant Consulting Course Catalog

2017 External Education Course Catalog

CONTENTS

Our External Education Program

Course Descriptions

Introduction to Attribution

Enterprise Incident Response

Malware Analysis Courses

Advanced Investigation Techniques

Creative Red Teaming

Digital Forensics and Incident Response for PLCs

Appendix A: Example Instructor Biographies

Appendix B: Company Background

Appendix C: FireEye Publications

Appendix D: Company Information


OUR EXTERNAL EDUCATION PROGRAM

Mandiant, a division of FireEye, believes in intense, hands-on training that develops performable skills. We use operational case scenarios to ensure greater effectiveness. Our classes and exercises are reality-based rather than classroom mock-ups and every class is led by some of the most experienced cyber security professionals in the business.



We follow a proven training methodology that is enhanced by our significant experience responding to real-world attacks. Mandiant helps our clients respond to sophisticated security breaches daily — we are able to leverage our understanding of attackers’ methodologies, tools and tactics to identify security vulnerabilities.

Our strength is our experience. Mandiant consultants have extensive experience providing information security advice to Fortune 500 organizations and government agencies. Our consultants include former law enforcement officers, intelligence officers, Department of Defense computer security specialists, computer programmers, forensic examiners and published experts who have significant experience shaping the information security programs at global organizations.

Mandiant’s education courses can be customized to meet the specific needs and environment of the client. Our current course offerings include:

• Introduction to Attribution (1 day)

• Essentials of Malware Analysis (2 days)

• OS X Malware Analysis Crash Course (2 days)

• Malware Analysis Crash Course (3 days)

• Malware Analysis Master Course (5 days)

• Customized Malware Analysis

• Router Backdoor Analysis Course (2 days)

Cyber Crime & Incident Response

• Introduction to Cyber Crime for Executives (1 day)

• Enterprise Incident Response (3 days)

Network Investigations

• Network Traffic Analysis (3 days)

• Wireless Security (2 days)

• Introduction to Linux for Security Professionals (3 days)

• UNIX Investigations (5 days)

• Windows Investigations (5 days)

• Creative Red Teaming (4 days)

• Digital Forensics and Incident Response for PLCs (1 day)


Course Descriptions

INTRODUCTION TO ATTRIBUTION (1 DAY)

This course is an introduction to the precise meaning of the terms ‘threat intelligence’ and ‘attribution’. It clarifies those terms and separates helpful information from hype, with an emphasis on tactical, operational and strategic threat intelligence and attribution. It demonstrates how alerts, indicators and investigative data form the basis of threat intelligence, allowing organizations to better understand intrusions. The value of threat intelligence is explored, including how connections and relationships are weighed to build a set of “related activity” that corresponds to a group of threat actors. Building on this, the course covers the process of using tactical intelligence to identify indicators that can be grouped into related activity and thereby attributed to a “threat group”. It continues by examining operational and strategic intelligence, both of which help determine the “who” and “why” behind an operation.

The Value of Threat Intelligence: This module explores the building blocks of a threat group: how FireEye analysts take raw tactical intelligence and weigh connections and relationships to start building a set of “related activity” that corresponds to a group of threat actors. The module describes several factors that must be considered when attributing “related activity” and provides real-world examples of research and “pivoting”.

Challenges with Analysis and Attribution: This module builds on the process of using tactical intelligence to identify indicators that can be grouped into a set of related activity and thereby attributed to a “threat group”. During the early stages of identifying cyber attacks, it is critical to evaluate data carefully for correct attribution. Many forensic artifacts have their own “gotchas”, which we cover based on FireEye’s extensive experience with this process. Errors at this stage can lead to mischaracterization and possibly even misattribution down the road.

Determining Attribution and Sponsorship: This module transitions from discussing tactical information to examining operational and strategic intelligence, both of which help us to determine the “who” and “why” behind an operation. At this stage, we have built a collection of related indicators that we call a threat group and discussed common practices & errors in attributing those indicators. This module will now explore factors that help us make preliminary assessments on motivations and sponsorship of a threat group.

Attribution at the Organizational Level: Attribution can sometimes seem like a “nice to have”, but in many ways this type of analysis can provide incredibly helpful context to threat activity that might enable more insightful decisions or save valuable resources. We’ll explore in this module what attribution can mean for an organization.

Attribution and the Bigger Picture: Attributing cyber operations to a particular group can often have significant implications, sometimes even affecting geopolitical dynamics. It’s important to understand the implications of much of our attribution analysis. We’ll also take a look at attribution from the threat group’s point of view.

Who Should Take This Course

This is a fast-paced course that is designed to provide insight into FireEye’s attribution methodology while also demonstrating sound handling of threat intelligence information. The content and pace are intended for students with some background or familiarity with threat intelligence. Other technical skills are a plus but not required, including experience conducting forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing or even security architecture and system administration duties. It is also well suited for those managing a technical information security team.

Student Requirements

Students must have a working understanding of basic information security principles and a general understanding of “threat intelligence” and indicators of compromise.


ENTERPRISE INCIDENT RESPONSE (3 DAYS)

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive three-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. The class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident and much more.

The course is comprised of the following modules, with labs included throughout the instruction.

• The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process and remediation. This module includes an in-depth study of the following topics:

– Preparation: Reviewing the key security controls that have the most significant impact on an organization’s susceptibility to compromise, as well as the availability of sources of evidence and tools required to make a network “investigation friendly”.

– Detection and Analysis: Common mechanisms to detect threats, how to prioritize and categorize leads, the need to fully-scope targeted attacks and methods to proactively hunt for signs of compromise.

– Remediation: Understanding the goal of remediation and when remediation is necessary, how to plan for a remediation and how to execute a remediation event.

• Acquiring Forensic Evidence: A basic overview of the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. Includes the following sub-sections:

– Forensic Imaging: Understanding the different types of forensic imaging and file system access.

– Live Response Acquisition: Objectives of live response data collection, the key sources of evidence typically acquired during this process, guidelines for forensically sound acquisition and an introduction to Mandiant’s Redline toolkit.

• Introduction to Windows Evidence: An overview of the key sources of evidence that can be used to investigate a compromised Windows system, including the NTFS file system, Prefetch, web browser history, event logs, the registry, memory and more. This module focuses on the following artifacts:

– Network Connections and Browser History: A review of forensic evidence that may capture active or historical network activity on a system.

– Prefetch: How Prefetch files can capture evidence of previously-executed applications and additional metadata.

– File System Analysis: Understanding the behavior of the NTFS file system and its key artifacts, including the Master File Table, timestamp behavior, alternate data streams, recovery of deleted data and directory index attributes.

– The Registry: An introduction to the registry, how to acquire and parse its artifacts and the system and user-specific evidence it contains.

– Event Logs: An introduction to the core system, security and application event logs as well as the Application and Services logs maintained in modern versions of Windows.

– Memory Analysis: An overview of the Windows memory architecture, including physical memory, the pagefile and virtual memory. This module demonstrates how to analyze basic sources of evidence in memory including processes, handles and memory sections. Finally, it walks through attack scenarios that typically require memory analysis, such as recovery of command history, process injection and rootkit behavior.

• Persistence: This module includes an in-depth study of the following topics:

– Common Persistence Mechanisms: A review of common persistence mechanisms introduced in the previous module, followed by an in-depth look at how attackers leverage Windows Services for persistence.

– Advanced Persistence Mechanisms: More sophisticated forms of persistence including DLL search order hijacking and binary modification.

– Alternative Remote Access Techniques: Understand alternative remote access techniques such as VPN compromise and web shells.


• Investigating Lateral Movement: An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access and the resulting sources of evidence on disk, in logs and in the registry. This module includes an in-depth study of the following topics:

– Reconnaissance: How attackers enumerate domains, users, systems, shares and other information in a Windows environment.

– Windows Credentials: Understanding sources of credentials in a Windows environment and the various forms of password attacks, including pass-the-hash and in-memory clear-text password recovery.

– Logon Events: Provides scenario-based examples of the types of logons attackers perform when moving from system-to-system and the resulting sources of evidence in event logs.

– Remote Command Execution: How attackers execute commands from one system to another during lateral movement using built-in Windows mechanisms.

– Interactive Session Artifacts: Insight into the file system and registry-based sources of evidence resulting from interactive / GUI access to a Windows system, including topics such as Shell Bags, LNK files and MRU keys.

• Hunting: How to apply the lessons-learned from the previous modules to proactively investigate an entire environment, at-scale, for signs of compromise. This includes:

– Objectives of Hunting: An introduction to the objectives of “hunting.”

– Examples: Walks through several examples of sources of evidence that are well-suited to large-scale analysis, such as Task Scheduler event log entries, ShimCache and Windows Services. Techniques for efficiently searching, stacking and data reduction are provided for each.

• Investigating Web Application Attacks: This module focuses on how to analyze web logs to recognize and interpret common attack techniques. It includes the following sections:

– Introduction to Web Logs: Common web log paths and format, logging GET vs. POST, content encoding and HTTP response codes.

– Investigating Common Web Attacks: Analysis of the log entries and evidence resulting from SQL injection and web shell attacks.

– Obfuscation and Encoding: How attackers can disguise web attacks to evade automated security controls and inhibit log analysis.

• Log Analysis Techniques: A review of the tools and processes that are best-suited for analyzing web logs based on the initial leads available to an investigator.
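The Hunting module above names stacking and data reduction over fleet-wide artifacts such as Windows Services. The following Python is an added illustration written for this page (not Mandiant's code and not from any product): it stacks a constructed service inventory by service name and normalized image path, surfaces the combinations seen on the fewest hosts, and flags service names that resolve to more than one image path. Hostnames, service names and paths in the inventory are invented.

```python
"""Stacking (frequency-of-occurrence analysis) over a fleet-wide
service inventory, the kind of data reduction used when hunting
for persistence at scale.

Added example, not from the Mandiant catalog. The inventory below is
constructed for illustration, not real telemetry.
"""
from collections import defaultdict
import re

# Constructed inventory of (hostname, service name, image path),
# e.g. as exported from the Services registry key across many hosts.
SERVICE_INVENTORY = [
    ("WS01", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS02", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS03", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS04", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WS02", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WS03", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WS04", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    # Constructed outlier: a well-known service name pointing at a
    # binary under a user profile instead of System32.
    ("WS05", "wuauserv", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"),
    # Constructed outlier: a service name that exists on one host only.
    ("WS02", "Windows Helper", r"C:\ProgramData\helper\helper.exe"),
]

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+")


def normalize_path(path):
    """Lower-case the path and collapse the user-profile directory so that
    the same binary under different user names stacks together."""
    return USER_PROFILE.sub(r"c:\\users\\<user>", path.strip().lower())


def stack(records):
    """Group records by (service name, normalized path) and collect the
    set of hosts on which each combination was seen."""
    groups = defaultdict(set)
    for host, name, path in records:
        groups[(name.lower(), normalize_path(path))].add(host)
    return groups


def rare_entries(records, max_hosts=1):
    """Return (name, path, hosts) for combinations seen on at most
    `max_hosts` hosts: the least common entries are the first leads."""
    out = []
    for (name, path), hosts in stack(records).items():
        if len(hosts) <= max_hosts:
            out.append((name, path, sorted(hosts)))
    return sorted(out)


def name_path_conflicts(records):
    """Service names that resolve to more than one distinct image path.
    A familiar name with an unfamiliar path is a classic masquerade."""
    paths = defaultdict(set)
    for (name, path) in stack(records):
        paths[name].add(path)
    return sorted(name for name, p in paths.items() if len(p) > 1)


if __name__ == "__main__":
    for name, path, hosts in rare_entries(SERVICE_INVENTORY):
        print(f"rare: {name!r} -> {path} on {hosts}")
    for name in name_path_conflicts(SERVICE_INVENTORY):
        print(f"conflicting image paths for service {name!r}")
```

On a real engagement the inventory would be thousands of rows collected by an enterprise forensic tool; the same two passes (least common first, then known names with unexpected paths) apply unchanged to ShimCache entries and scheduled task definitions.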

Who Should Attend

This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams or in roles that require oversight of forensic analysis and other investigative tasks.

Course Prerequisites

Students must have a working understanding of the Windows operating system, file system, registry and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.
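The Investigating Web Application Attacks module of this course covers web log format, GET versus POST logging, encoding, and the log entries left by SQL injection and web shell use. The following Python is an added example written for this page (not Mandiant's code): it parses constructed Apache/NCSA combined-format lines, percent-decodes each request until it stops changing so that double-encoded payloads are seen in the clear, and tags SQL injection patterns, web shell command parameters, and POSTs to script files whose bodies the access log cannot show. All addresses, paths and timestamps in the sample lines are invented.

```python
"""Recognizing SQL injection and web shell activity in web server logs,
including requests that have been URL-encoded more than once to
slip past pattern matching.

Added example, not from the Mandiant catalog. The log lines below are
constructed in Apache/NCSA combined format; addresses, paths and
timestamps are invented for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_LINES = [
    '10.0.0.5 - - [14/Feb/2017:10:01:02 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Feb/2017:10:01:09 +0000] "GET /index.php?id=7%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users-- HTTP/1.1" 200 8822 "-" "sqlmap/1.0"',
    '203.0.113.9 - - [14/Feb/2017:10:02:30 +0000] "GET /index.php?id=7%2527%2520OR%25201%253D1 HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Feb/2017:10:05:44 +0000] "POST /uploads/img.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [14/Feb/2017:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Feb/2017:10:06:12 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 35 "-" "Mozilla/5.0"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQLI = re.compile(
    r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\s*\(|information_schema|;\s*drop\s)",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(php|asp|aspx|jsp)$", re.IGNORECASE)
WEBSHELL = re.compile(r"\.(php|asp|aspx|jsp)\?(.*&)?(cmd|exec|command)=", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does
    not parse (malformed lines deserve a look of their own)."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def full_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing. Returns the decoded
    string and how many layers of encoding were removed; more than one
    layer is itself suspicious, since browsers encode only once."""
    layers = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
        layers += 1
    return value, layers


def classify(entry):
    """Tag a parsed entry with the attack patterns it exhibits."""
    request, layers = full_decode(entry["path"])
    script = request.split("?", 1)[0]
    tags = []
    if SQLI.search(request):
        tags.append("sqli")
    if WEBSHELL.search(request):
        tags.append("webshell")
    # POST bodies are not written to the access log, so a POST to a script
    # file is a lead that needs other evidence (the file itself, or memory).
    if entry["method"] == "POST" and SCRIPT_EXT.search(script):
        tags.append("post-to-script")
    if layers > 1:
        tags.append("multi-encoded")
    return request, tags


def analyze(lines):
    """Return the flagged entries, each with the decoded request and tags."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        request, tags = classify(entry)
        if tags:
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "status": entry["status"], "request": request,
                         "tags": tags})
    return hits


def suspects_by_ip(lines):
    """Count flagged requests per source address for prioritization."""
    return dict(Counter(h["ip"] for h in analyze(lines)))


if __name__ == "__main__":
    for h in analyze(LOG_LINES):
        print(h["ip"], h["method"], h["status"], h["request"], h["tags"])
    print(suspects_by_ip(LOG_LINES))
```

The signature list is deliberately short; in practice the decoded request is what you pivot on (by source address, by status code, by the first appearance of the script file), and the double-encoded hit shows why matching on the raw log line alone misses the second attempt.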


Malware Analysis Courses

MALWARE ANALYSIS CRASH COURSE (3 DAYS)

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. They will learn how to extract host and network-based indicators from a malicious program. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

Students Learn

• Basic Static Analysis: Learn to quickly perform a malware autopsy.

• Safe Environment: Learn how to protect yourself by analyzing malware in a safe environment, such as using virtual machines.

• Basic Dynamic Analysis: Learn to analyze running malware.

• Disassembly: Learn the basics of the x86 assembly language, build a foundation for reading it, and learn how to use IDA Pro, the standard tool for disassembly analysis.

• Windows Internals: Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.

• Debugging: Learn how to monitor and change malware behavior, as it runs, at a low level.

Who Should Attend

This course is intended for software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Course Pre-requisites

Students should have an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows Internals experience is highly recommended.

OS X MALWARE ANALYSIS CRASH COURSE (2 DAYS)

Most malware analysts and incident responders are not able to dissect OS X malware. With the use of Apple Macintosh computers growing across the enterprise, they need to be prepared to deal with current and future threats, because with that corporate growth comes an increase in attacks. Will you be prepared to analyze malware and threats targeting OS X when they come your way?

This Crash Course rapidly introduces the tools and methodologies necessary to get you analyzing malware that targets the OS X platform. We use a practical, hands-on approach to quickly adapt your current malware analysis skills to OS X.

During the course, you will learn everything you need to know about OS X to analyze malware successfully. You will become skilled with OS X-specific static and dynamic analysis tools and techniques to quickly tease out host- and network-based indicators. After learning the basics, students will learn how to analyze compiled Objective-C code and Cocoa applications using IDA Pro. Students will learn how to use the lldb debugger to aid in dynamic analysis. This course is filled with demonstrations and hands-on labs with real malware where the students immediately practice what they have been taught.

Modules Included

1. Introduction to OS X: learn OS X internals relevant to malware analysis.

2. Safe Environment: learn how to create a safe malware analysis environment in OS X.

3. Basic Static Analysis: tools and methodologies used to perform basic analysis and extract host and network-based indicators from malware without running it.

4. Basic Dynamic Analysis: tools and methodologies used to analyze malware behavior by executing it in a safe environment.

5. Advanced Static Analysis: learn disassembly techniques specific to Objective-C executables.

6. Advanced Dynamic Analysis: learn malware debugging in the OS X environment and how it can be used to monitor and change its behavior at run time.

Who Should Attend

Malware analysts, incident responders, Intel analysts, information security staff, forensic investigators or others requiring an understanding of how OS X specific malware works and the steps and processes involved in performing malware analysis of OS X specific threats.


MALWARE ANALYSIS MASTER COURSE (5 DAYS)

The following learning modules build on the basic concepts of analyzing disassembly provided within the Malware Analysis Crash Course. Each module includes targeted learning and hands-on activities that were authored by the FLARE malware analysis team at FireEye. The master course consists of Modules 6-13, 15, 16 and 18.

• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.

• Module 7: Stealth – Learn how malware hides its execution, including process injection and user-space rootkits.

• Module 8: Shellcode – Learn how shellcode works from beginning to end, including position independence and symbol resolution.

• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.

• Module 10: Scripting IDA Pro – Learn how to automate IDA Pro to help you analyze malware more efficiently.

• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection and debugger vulnerabilities.

• Module 12: Anti-VM – Malware can detect it is running in your safe environment; learn how to fool it to think otherwise.

• Module 13: Reversing C++ – Learn how C++ concepts like inheritance, polymorphism and objects influence analysis.

• Module 14: Packers and Unpacking – Learn how to unpack manually. (not in scope)

• Module 15: Delphi Analysis – Learn the nuances of the Delphi programming language and how it influences assembly — this language is surprisingly popular among malware authors.

• Module 16: 64-bit Malware – Learn about how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86.

• Module 17: Encryption and Encoding – Learn to deal with string obfuscation techniques commonly used by malware and take malware communications and analyze network packet captures based on your analysis. (not in scope)

• Module 18: Machine Learning – Learn how to cluster and classify malware automatically.

• Module 19: .NET Reversing – Learn how to reverse engineer .NET bytecode and deal with obfuscation techniques employed by attackers.

ROUTER BACKDOOR ANALYSIS (2 DAYS)

Routers play a critical role in the security of any network. With access to a router, an attacker has complete control of the network to manipulate and copy traffic as needed. And as seen with the SYNful Knock router implant this is a serious and imminent threat. Router implants can also be difficult to detect and analyze due to their location within the network. For edge routers positioned outside of network monitoring devices, a direct analysis of the image may be the only option to obtain the critical information to mitigate the compromise.

Students will learn to analyze Cisco IOS images by performing hands-on analysis using a live router running in a lab environment. They will learn how to configure and load a router for analysis. They’ll take and analyze core memory dumps. Students will gain an understanding of the Cisco IOS image format to focus on what modifications were made to an image and for what purpose. Students will learn how to effectively dissect an IOS image using IDA Pro for static analysis and how to debug a running router for active analysis. Students will perform a final lab that involves analyzing backdoored router firmware to determine its functionality.

What You Will Learn

• Hands-on Cisco IOS malware analysis

• Familiarization of the MIPS architecture

• Format of Cisco IOS image and how the image is loaded by the router

• How to analyze an IOS image using IDA Pro

• How to identify modifications to a Cisco IOS image and focus analysis efforts

• How to obtain and analyze memory dumps of a running router

• How to perform dynamic analysis on a live system

Who Should Attend

Few malware analysts have the skills taught in this class, so any malware analyst could benefit, but this course is geared towards intermediate to advanced malware analysts comfortable using IDA Pro.

Course Pre-requisites

• Experience in malware analysis

• Experience using IDA Pro

• Computer programming experience


Course Requirements

Students will be provided a router for use in the classroom.

Students must bring their own laptop with VMware Workstation, Server or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is required that supports the MIPS architecture. The free version of IDA Pro will not suffice for this class. If purchasing you’ll need IDA Professional Edition 14.

Advanced Investigation Techniques

UNIX INVESTIGATIONS COURSE (5 DAYS)

Attacks against systems running variants of the UNIX operating system are on the rise. In order to respond effectively to this escalating threat, organizations must have skilled information security staff able to rapidly detect and remove threats. FireEye developed the UNIX Investigations course to provide information security personnel the fundamental skills needed to quickly identify and eliminate threats targeting UNIX and its variants. The course is based on the real-world experience of FireEye consultants who have years of experience combating these types of attacks. The course reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn

• History of UNIX, Linux and Linux distributions

• Targeted file system searches

• File content searches using grep

• UNIX/Linux file compression and archive utilities

• File content comparison and integrity validation

• File system architecture review

• UNIX/Linux user and system credentials

• Processes, network services and the boot process

• Server and host network configuration

Who Should Attend

Managers and technical team members involved in Information Technology, Information Security, Incident Response or other staff that have a need to investigate potentially compromised UNIX hosts.

Course Pre-requisites

Students should have a basic understanding of TCP/IP networks and be proficient with the Unix operating system. Familiarity with basic computer security terminology is recommended.

WINDOWS INVESTIGATIONS COURSE (5 DAYS)

Advanced Investigation Techniques — Windows includes hands-on training of the latest technical advances and classroom exercises.

Students Learn

• Essential basics of Windows networks

• Logging protocols with Windows networks and what they can mean to an investigator

• Techniques used by hackers to perform reconnaissance of and subsequent intrusions into Windows networks

• Tool analysis

• Responding to an incident involving Windows networks and assessing the damage done

• How to secure a Windows network (bannering, etc.).

Who Should Attend

Managers and technical team members involved in Information Technology, Information Security, Incident Response or other staff that have a need to investigate potentially compromised Windows hosts.

Course Pre-requisites

Students should have a basic understanding of TCP/IP networks and be proficient with the Windows operating system. Familiarity with basic computer security terminology is recommended.


NETWORK TRAFFIC ANALYSIS (3 DAYS)

Sophisticated attackers frequently go undetected in a victim network for an extended period of time. Attackers know how to blend their traffic with legitimate traffic and only the skilled network traffic analyst will know how to find them. Network traffic analysis is a critical skill set for any organization. FireEye’s intense three-day Network Traffic Analysis course prepares students to face the challenge of identifying malicious network activity. The course provides students an overview of network protocols, network architecture, intrusion detection systems, network traffic capture and traffic analysis. The course consists of lecture and multiple hands-on labs to reinforce technical concepts.

Students Learn

• Common network protocols

• Network monitoring and the incident response process

• Why network monitoring is important in today’s networks

• The different types of network monitoring

• The pros and cons of Statistical, Connection, Full Content and Event Monitoring and tools to perform each type of monitoring

• The tools commonly used to analyze captured network traffic

• What Botnets are and how to investigate them

• What Honeypots and honeynets are and how they are used in Network Monitoring

• How to perform event-based monitoring using Snort

• Snort rule structure and custom rule creation for network traffic minimization and the Sguil front-end for reviewing Snort alerts
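The course above contrasts statistical, connection, full content and event monitoring, and opens with the point that attackers blend their traffic with legitimate traffic. One analytic that needs only connection records (no payload, so it survives encryption) is checking how regular the gaps between a host's connections to a given destination are. The following Python is an added example written for this page (not Mandiant's code or any product's); the flow records are constructed, with documentation-range addresses and invented timestamps.

```python
"""Connection-level monitoring: finding beacon traffic by the regularity
of its connection intervals, a statistical check that works on flow
records even when the payload is encrypted.

Added example, not from the Mandiant catalog. The connection records
below are constructed for illustration; addresses are from documentation
ranges and timestamps are invented.
"""
import statistics
from collections import defaultdict

T0 = 1487066400  # constructed base time (14 Feb 2017 10:00:00 UTC)

# Constructed flow records: (epoch seconds, src, dst, dst port, bytes)
CONNECTIONS = (
    # host 10.0.0.7 reaches 198.51.100.20:443 every ~300 s with small jitter
    [(T0 + t, "10.0.0.7", "198.51.100.20", 443, 1380)
     for t in (0, 300, 601, 899, 1200, 1502, 1800, 2101)]
    # host 10.0.0.3 browses the same destination port at irregular intervals
    + [(T0 + t, "10.0.0.3", "93.184.216.34", 443, 42000)
       for t in (0, 15, 19, 200, 203, 800, 805, 1400)]
    # host 10.0.0.9 connects twice: too few samples to judge
    + [(T0 + 50, "10.0.0.9", "198.51.100.20", 443, 900),
       (T0 + 350, "10.0.0.9", "198.51.100.20", 443, 900)]
)


def intervals_by_flow(records):
    """Group by (src, dst, port) and return the inter-connection gaps in
    seconds for each flow, in time order."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in records:
        times[(src, dst, port)].append(ts)
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps[key] = [b - a for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Flag flows whose intervals are nearly constant: coefficient of
    variation (stdev / mean) at or below `max_cv`, with at least
    `min_connections` connections so a handful of visits does not qualify."""
    results = []
    for key, gaps in intervals_by_flow(records).items():
        if len(gaps) + 1 < min_connections:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append({"flow": key, "connections": len(gaps) + 1,
                            "period": round(mean, 1), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for r in find_beacons(CONNECTIONS):
        print(r)
```

The thresholds are the tuning knobs: raise `min_connections` on a busy egress point so software update checks and similar legitimate periodic traffic are reviewed by destination rather than flagged one flow at a time, and expect implants that randomize their sleep interval to push the coefficient of variation above a tight cutoff.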

Who Should Attend

Information technology and security staff, corporate investigators or other staff requiring an understanding of networks, network traffic, network traffic analysis and network intrusion investigations.

Course Pre-requisites

Students should have a basic understanding of TCP/IP and be familiar with Windows and UNIX platforms. A familiarity with computer security terminology and concepts is helpful.

INTRODUCTION TO LINUX FOR SECURITY PROFESSIONALS (3 DAYS)

The FireEye Linux for Security Professionals course introduces information security professionals to the Linux operating system and helps prepare them to conduct investigations in a UNIX environment. The course follows the “learn by doing” philosophy. Students perform Linux/UNIX commands and discover how the operating system functions. Attendees will primarily operate in the command line environment. The course includes relevant case studies and reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn

• The differences and similarities between the Microsoft Windows and Linux operating systems.

• How to install and configure the Fedora Core Linux operating system for use on a workstation.

• The Linux EXT2 and EXT3 file systems and the general Linux/UNIX file structure.

• Navigation in a Linux environment at the command line and through the X-Windows interface.

• How to configure Linux systems to communicate on TCP/IP networks.

• System logging on most Linux/UNIX systems.

• How to make and verify the integrity of hard drive images made with the DD command.

• How to develop basic UNIX shell scripts and use powerful searching and text manipulation tools such as grep, AWK and SED.

• Over 80 of the most useful Linux/UNIX commands for Security Professionals.

Who Should Attend

Information security, corporate investigators or other staff that require an understanding of the Linux operating system, how attackers exploit UNIX-Based systems, how to secure Unix-based systems and how to respond to incidents that involve the UNIX operating system. The course is intended for attendees that have little to no experience or exposure to Linux or UNIX.

Course Pre-requisites

A familiarity with computer security terminology and concepts.


WIRELESS SECURITY (2 DAYS)

Wireless computing devices are everywhere and new products seem to appear daily. The explosive growth of wireless devices also brings an increased risk to networks permitting wireless access. As a result, network and information security personnel must understand the risk of wireless computing. The FireEye Wireless Security course is a two-day class specifically designed for professionals who support, design or assess IEEE 802.11 wireless environments, commonly known as Wi-Fi. It is a hands-on course presented from the attacker’s perspective and helps students understand the wireless attacker methodology. The course includes a variety of case studies and numerous lab exercises to reinforce wireless security concepts and materials.

Students Learn

• How to find and access wireless access points using free tools.

• Techniques to identify “cloaked” or non-broadcasting access points.

• How to defeat common security features.

• Brute force attacks against WPA/WPA2-PMK.

• How to forcefully disassociate a client from an access point.

• How to defeat WEP encryption.

• How wireless access points are used as an initial entry point during a network security breach.

• Common attack vectors used after accessing a wireless network.

• Common misconceptions about wireless technologies and why it can be almost impossible to find an attacker.

Who Should Attend

Information technology staff, information security staff, corporate investigators or other staff who have a need to perform security audits on their wireless infrastructures.

Course Pre-requisites

Students should have a basic understanding of TCP/IP networks and some familiarity with Linux systems. Familiarity with computer security terminology and concepts is helpful.

CREATIVE RED TEAMING (4 DAYS)

As cyber security professionals and technologies continue to evolve and become better at prevention, detection and remediation, attackers are forced to continually evolve their Tools, Tactics and Procedures (TTPs) in order to remain effective. This is especially true of the most advanced attack groups operating today, which need to remain undetected for extended periods of time in order to accomplish their mission. FireEye is on the front lines investigating these types of breaches. This gives us unparalleled access to understand not only how advanced attackers operate and what TTPs they are leveraging, but also which attack methodologies are most effective across industries.

This intense three-day course is designed to teach advanced offensive techniques to provide you with the ultimate skillset to test your existing security controls. You will learn proven FireEye Red Team methodologies that start with the successful TTPs we see used by advanced attackers and build upon them to be even more effective and stealthy. You will even learn how to successfully complete your mission even if part of your team gets caught. This course makes heavy use of labs so that you get to practice everything you learn in a realistic scenario. By learning how to implement and protect against effective TTPs, you learn how to help your organization best prevent, detect and respond to cyber threats.

Who Should Attend

This is a fast-paced technical course designed to provide hands-on experience conducting covert, no-holds-barred cyber attack simulations to accomplish various objectives within a corporate environment, just as an advanced adversary would. FireEye is the recognized global leader in performing incident response. As such, we blend the latest attacker TTPs we investigate into our Red Team Operations methodology. This course provides an opportunity to learn how real attackers conduct offensive operations, how we improve upon those operations and how to defend against them. The content and pace are intended for students with a background in conducting penetration tests, security assessments, IT administration and/or incident response.


Course Pre-requisites

Students must have working knowledge of the Windows operating system, file systems, registry and use of the Windows command line. Students should have some experience with the following:

• Active Directory and basic Windows security controls.

• Common network protocols.

• Linux operating systems.

• Scripting languages such as PowerShell, Python or Perl.

• Assessing web applications using the OWASP Top 10.

DIGITAL FORENSICS AND INCIDENT RESPONSE FOR PLCS (1 DAY)

Attacks against industrial control systems (ICS) are on the rise. In order to effectively respond to this emerging threat, organizations should be aware of the challenges of performing digital forensics and incident response (DFIR) for ICS. Mandiant developed the “Digital Forensics for ICS” course to give ICS security personnel the fundamental skills needed to identify and understand threats targeting ICS devices that use embedded operating systems such as VxWorks and Windows CE.

This is a technical course designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised ICS systems.

Note: This course will not cover standard Windows and Linux forensics, as tools such as Redline and Volatility exist and many training classes already cover them. For completeness of the overall DFIR strategy, we will include references to using Redline and similar tools on human machine interfaces (HMIs) and Engineering Workstations as part of the class. For example, Stuxnet affected both Engineering Workstations and PLCs, so we would mention both but mainly focus on the PLC/embedded systems forensics part.

Slides, handouts, digital forensic files and any DFIR tools are provided on a USB drive for each student.

Who Should Attend

This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised industrial control systems. The content and pace are intended for students with some background in ICS, PLCs and other embedded devices and embedded operating systems. It is also meant for students with backgrounds in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or even security architecture and system administration duties.

Course Pre-requisites

• Prior digital forensics experience is helpful but not required.

• Familiarity with PLCs and their software tools is suggested.


APPENDIX A: EXAMPLE INSTRUCTOR BIOGRAPHIES

We have included example instructor biographies. Although it is not possible to identify specific instructors for classes until contracts have been executed and the timing of the training has been determined, the skills and experience reflected in these biographies are consistent with the capabilities of the individuals who would be assigned to teach the class.

Devon Kerr

Devon Kerr is a Principal Consultant in Mandiant’s Alexandria office. Mr. Kerr is an incident response and remediation lead and has supported intrusion investigations by providing Live Response, forensic and log analysis. Mr. Kerr has delivered enterprise incident response training and provided proactive assessments. Mr. Kerr developed and maintains Mandiant Professional Services methodologies and documentation for the Compromise Assessment incident response service, IOC creation and utilization and hunting with the FireEye Threat Analytics Platform (TAP).

Mr. Kerr has worked with clients in financial services, defense, manufacturing, aerospace, telecommunications, media and infrastructure. Many of those clients rank in the Fortune 50 or Fortune 100. Mr. Kerr has been instrumental in developing the incident response capabilities of clients and providing strategic remediation guidance following investigations.

Mr. Kerr spent more than a decade in Network Operations and ISP infrastructure prior to Mandiant and obtained his ACE (AccessData Certified Examiner) in 2010. He has also presented numerous webinars and talks, including “A Day in the Life of an Incident Responder” at Champlain College in 2013, “Ice Cold Compromise: Featuring ColdFusion” at the Rochester Institute of Technology in 2013, “Information Security Issues Facing Government Contractors” in 2013, “Moar Malware Less Malware” at the FS-ISAC Fall Summit in 2014, “There’s Something About WMI” at MIRCon in 2014, CanSecWest 2015, SANS DFIR 2015 and “IR That Won’t Make You ROFL” at the DoD Incident Response Forum in 2015.

Nick Pelletier

Nick Pelletier is a consultant at Mandiant with over five years of experience in information security. His particular areas of expertise include incident response, digital forensics, network traffic analysis, penetration testing, web application security, operational security (Endpoint Security, IDS, Firewall) and compliance, including the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) and Sarbanes-Oxley (SOX).

He has performed penetration tests, incident response and forensics and corporate security assessments. He has also measured compliance and built secure architectures for numerous organizations across many industries.

While at Mandiant, Mr. Pelletier has performed professional services and incident response engagements for the Fortune 500. A particular area of expertise is responding to, investigating and remediating Advanced Persistent Threat (APT) compromises. More specifically, Mr. Pelletier focuses on identifying and tracking APT compromises through network traffic analysis. Mr. Pelletier has also developed and delivered professional education curricula covering various facets of information security, including network traffic analysis and wireless

Prior to joining Mandiant, Mr. Pelletier was a Network Security Engineer for Northeast Utilities, the largest utility company in New England. In this capacity, he was responsible for the development, implementation and operation of network-based and host-based security technologies including vulnerability management, intrusion detection, firewall and antivirus systems. Mr. Pelletier was also responsible for maintaining NERC CIP compliance through program development and routine audits.

Emmanuel Jean-Georges

Mr. Emmanuel (Manny) Jean-Georges is a Consultant at Mandiant working out of the Los Angeles, CA, office. Mr. Jean-Georges works primarily in the Incident Response and Computer Forensics service lines for Mandiant Security Consulting Services.

During a six-month rotation within Mandiant’s Managed Defense team, Mr. Jean-Georges was responsible for leading surge investigations in five client environments across the Aerospace and Defense, Manufacturing and Financial Services industries. He has since participated in 15 targeted intrusion investigations for global organizations in varying industries, educational institutions and state governments. In addition, he has helped teach Mandiant education courses on Windows forensics and Network Investigation Techniques to Federal law enforcement personnel. Prior to working at Mandiant, Mr. Jean-Georges was a Server Technology Specialist at FM Global. In this position, he administered and maintained Microsoft Windows Servers, supported application deployment and assisted with server and application troubleshooting.


APPENDIX B: COMPANY BACKGROUND

FireEye’s Mandiant Consulting organization provides incident response, computer forensics, penetration testing, vulnerability assessments, web application assessments and intelligent information security solutions.

Mandiant consultants are published experts, speakers at well-known security conferences and application developers. FireEye employs former law enforcement officers, intelligence officers, Department of Defense computer security specialists and forensic examiners who have significant experience shaping the information security programs at large, complex organizations. Mandiant has chased intruders through the computer networks of the Fortune 500, the defense industry and the banks of the world.

Mandiant has responded to hundreds of computer security incidents and analyzed over 1,000,000 systems. Its personnel have performed consulting for 33 of the Fortune 100 and have responded to over 120 different clients in the financial industry, defense industrial base and government agencies.

Mandiant has provided APT subject matter expertise for 8 of the largest US cleared defense contractors and has responded to several Fortune 100 companies compromised by the APT including financial, legal and manufacturing companies. Mandiant has analyzed hundreds of pieces of malicious software and has reverse engineered the latest techniques used by the APT actors. As the leader in Incident Response, Mandiant has built an incomparable base of knowledge about the Advanced Persistent Threat and has developed an innovative patent pending technology to proactively detect and respond to these threats at scale within an enterprise.


APPENDIX C: FIREEYE PUBLICATIONS

Real Digital Forensics: Computer Security and Incident Response, 2nd Ed.

Authors Kevin Mandia, Matt Pepe

McGraw-Hill, July 2003

Incident Response and Computer Forensics, 3rd Ed.

Authors Kevin Mandia, Matt Pepe

McGraw-Hill, August 2014

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

Author Michael Sikorski

No Starch Press, February 2012

Mastering FreeBSD and OpenBSD Security

Author Yanek Korff

O’Reilly, 2004

Hacking Exposed 7: Network Security Secrets & Solutions

Contributing Author Tony Lee

McGraw-Hill, July 2012

Rootkits: Subverting the Windows Kernel

Author James Butler

Addison-Wesley, July 2005

Incident Response and Computer Forensics, 1st Ed.

Authors Kevin Mandia, Matt Pepe

McGraw-Hill, July 2001

Windows XP: Professional Security

Contributing Author Matt Pepe

McGraw-Hill, October 2002

Incident Response and Computer Forensics, 2nd Ed.

Authors Kevin Mandia, Matt Pepe

McGraw-Hill, July 2003


APPENDIX D: COMPANY INFORMATION

Firm Name: Mandiant Company

Established: 2004, acquired by FireEye in 2014

Focus: World leading information security firm with focus in Incident Response, Computer Forensics, Network Security, Application Security and Education

Unique Expertise: Malicious Code Analysis, Payment Card Industry Assessments, Application-Product Testing, Network Intrusion Management, Expert Witness Testimony

Headquarters: 2318 Mill Rd, Suite 500, Alexandria, Virginia 22314

Regional Offices: 24 West 40th St, 9th Floor, New York, New York 10018; 841 Apollo Street, Suite 500, El Segundo, CA 90245; 135 Main Street, Suite 550, San Francisco, CA 94105; 1861 Alexander Bell Drive, Suite 200, Reston, VA 20191

Staff: 400+

Staff Experience: Average of over 10 years in the Information Security Industry

Global Expertise: Our team has lived or worked in 47 countries, including: Canada, United States, Mexico, Panama, Colombia, Brazil, Argentina, Japan, Korea, Singapore, Indonesia, Malaysia, Australia, India, Egypt, Saudi Arabia, United Arab Emirates, Iraq, Jordan, Turkey, Russia, Ukraine, Finland, Sweden, Denmark, Germany and the United Kingdom

Customer Base: Over 500 current clients in the Financial, Legal, Law Enforcement, Intelligence, Retail and Technology sectors

Customer Satisfaction: Demonstrated by an over 75% rate of additional engagements from our client base in the past 4 years

Financial Stability: Highly stable firm with significant annual growth since formation

Publications: Primary and contributing authors of 9 books on information security; authors of numerous articles in the field

Presentations: Over 45 presentations annually to industry forums, conferences and groups

Courses: Enterprise Incident Response, Malware Analysis, Advanced Memory Forensics in Incident Response, Introduction to Linux for Security Professionals, Network Investigative Techniques, Network Traffic Analysis, UNIX Investigations, Windows Investigations, Wireless Security

Certifications: CISSP, CISA, CBP, IACIS, CCNA, GCIA, GCUX, QSA, QIRA; membership in IEEE, ECTF, HTCIA, OWASP and InfraGard

Clearances: Many of the staff hold current or prior Top Secret clearances


FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 / 877.FIREEYE (347.3393) / [email protected]

www.FireEye.com

© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products or service names are or may be trademarks or service marks of their respective owners. CC.EE.EN-US.052017

To learn more about FireEye, visit: www.FireEye.com