TRAINING PROGRAM
Monday, August 8, 2011
M1 TCP/IP Weapons School 3.0, Day 1
Elizabethan A
Richard Bejtlich, MANDIANT
9:00 a.m.–5:00 p.m.
Who should attend: Basic to intermediate network security personnel.
This course is an excellent way for someone with general security
knowledge to enter the incident response field. Investigators with
a background in hard disk forensics but little experience with
intrusion analysis will also find this course a great way to expand
their horizons. Because this course addresses the entire incident
detection and response process, students should not expect extremely
advanced material in any single area (such as memory forensics),
although the instructor is willing to discuss network-centric issues
beyond the intermediate level if questioned.
If you have taken Richard Bejtlich's TCP/IP Weapons School before, you need to understand that TWS3 is different. You'll find plenty of new material in this third version of the class.
Students must be comfortable using command-line tools in a non-Windows
environment such as Linux or FreeBSD. Students must have at least
basic familiarity with TCP/IP networking and packet analysis.
Students must bring their own laptop; see "What to Bring," below, for details.
Take back to work: An investigative mindset and hands-on knowledge of
tools to detect and respond to intruders in your environment.
Is your network safe from intruders? Do you know how to find out?
Do you know what to do when you learn the truth? If you need answers
to these questions, TCP/IP Weapons School 3.0 (TWS3) is the course for you. This vendor-neutral, open source software–friendly,
reality-driven two-day event will teach students the investigative
mindset not found in classes that focus solely on tools. TWS3 is
hands-on, lab-centric, and grounded in the latest strategies and
tactics that work against adversaries like organized criminals,
opportunistic intruders, and advanced persistent threats.
TWS3 consists of a series of data-driven scenarios in which students
must interpret evidence in order to identify suspicious and malicious
activity. The purpose of the exercises is to develop an investigative
mindset, independent of any specific tool or vendor. Students will
be given advice on how to perform forensic and intrusion analysis
and then allowed to form conclusions through hands-on inspection.
Topics include:
- Collection: What data do you need to detect intruders? How can
you acquire it? Which tools and platforms work, and which don't?
Can you build what you need?
- Analysis: How do you make sense of data? If intrusion detection
systems are dead, what good are they? What is Network Security
Monitoring (NSM)? How can you perform network forensics?
- Escalation: What do you do when you suspect an intrusion? How
can you confirm a compromise? How should you act?
- Response: You're owned! Now what? Do you contain, remediate, or
play dead? How do intruders react to your actions? Can you ever win?
What to bring: Students need to bring a laptop with at least 10 GB free and a DVD
drive. The laptop must have a VMware product already installed by
class time. Other virtualization technologies are not
supported by the instructor.
The instructor tests the VMs with several VMware products and
operating systems. The instructor expects the VMs to work on VMware
Player (free), VMware Workstation (not free), and VMware Fusion (not
free), although not all combinations can be tested.
Richard Bejtlich is Chief Security Officer and Security Services
Architect for MANDIANT. He was previously Director of Incident
Response for General Electric, where he built and led the 40-member
GE Computer Incident Response Team (GE-CIRT). Prior to GE, Richard
operated TaoSecurity LLC as an independent consultant, protected
national security interests for ManTech Corporation's Computer
Forensics and Intrusion Analysis division, investigated intrusions
as part of Foundstone's incident response team, and monitored client
networks for Ball Corporation. Richard began his digital security
career as a military intelligence officer at the Air Force Computer
Emergency Response Team (AFCERT), Air Force Information Warfare
Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a
graduate of Harvard University and the United States Air Force
Academy. He wrote The Tao of Network Security Monitoring and
Extrusion Detection and co-authored Real Digital Forensics.
He also writes for his blog (taosecurity.blogspot.com) and teaches
for Black Hat.
Tuesday, August 9, 2011
T1 TCP/IP Weapons School 3.0, Day 2
Elizabethan A
Richard Bejtlich, MANDIANT
9:00 a.m.–5:00 p.m.
Course description, prerequisites, what to bring, and instructor biography: identical to M1 TCP/IP Weapons School 3.0, Day 1, above (this is the second day of the same two-day course).