In order to register for a class, you need to first create a Dell Education account.
If you need further assistance, contact us.
Summary
This classroom-based training introduces security analysts and administrators to the architecture and toolkit for detecting and investigating risk on endpoint hosts.
Overview
This classroom-based training provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course consists of about 50% hands-on lab work, using a virtual lab environment.
Audience
Anyone new to RSA NetWitness Endpoint who wants to become more familiar with the tool's features and functions in the context of endpoint investigation and analysis.
Duration
2 days
Recommended Prerequisite Knowledge/Skills
No prerequisites are required, but basic knowledge of malware, networking fundamentals and general security analysis concepts is recommended.
Course Objectives
Upon successful completion of this training, participants should be able to:
- Describe what RSA NetWitness Endpoint is and what it does
- Identify architecture components
- Deploy a new endpoint agent
- Interpret risk scores and alerts based on endpoint data
- Explore metadata derived from endpoint scans
- Customize data types available in user interface
- Perform basic file and host analysis
- Obtain file and memory samples for forensic analysis
- Identify potentially malicious timestamp mismatches in MFT files
Course Outline
Module 1 – Introduction
- What is RSA NetWitness Platform?
- What is RSA NetWitness Endpoint?
- Flagging and Remediation options
- What is a File?
- Component Overview
- Typical Responsibilities
- Interface Modules
- RSA Live Content
Module 2 – Architecture
- Overview of Component Complexity
- High-level Data Flow
- Seeing NetWitness Hosts and Services in the Interface
Module 3 – Endpoint Agents, Hosts, and Scans
- Insights vs. Advanced Agents
- Agent deployment and uninstallation
- Host view
- Scheduled and On-Demand Scans
- Policies, Groups, and Ranks
Module 4 – Risk Scores and Metadata
- Host and File Risk Scores
- Viewing & Interpreting Metadata
Module 5 – Files and Libraries
- File viewing and filtering
- Global vs. Local views
- Customize display
- File status
- Export global files
- Reset risk view
- Certificate view
- Libraries
Module 6 – Processes, Autoruns & Anomalies
- Compare Files vs. Processes
- Processes tree view
- What are autoruns and anomalies?
Module 7 – Alerts and Incidents
- Compare Incidents vs. Alerts
- The Role of Respond
- Create incidents manually
- Assign Incident to Analyst
Module 8 – Malicious Behavior & App Rules
- Threat Models
- Techniques Detected By App Rules
Module 9 – Forensic Samples
- Sample types
- MFT download and Viewer
- Timestomping Detection
- Full System Dump
- Process Dump