on Jul 8, 2016
In order to register for a class, you need to first create an EMC account if you need further assistance, contact us. |
Summary
This instructor led course provides experience using the features and functions of RSA NetWitness Logs & Network to perform forensic analysis on network-based security breaches.
Overview
This instructor-led classroom-based course provides hands-on experience using the RSA NetWitness Logs & Network tool to identify, investigate and remediate network-based security breaches on your enterprise network. The course consists of about 75% hands-on lab work, following practical use cases from the identification and investigation stages through event reconstruction, damage assessment, and remediation.
Audience
SOC analysts relatively new to RSA NetWitness Logs & Network, who wish to increase their familiarity with the tool’s features and functions within the context of SOC breach investigation and analysis.
Duration
2 days, including approximately 1 ½ days of hands-on lab exercises.
Prerequisite Knowledge/Skills
Students should have familiarity with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training: RSA NetWitness Logs & Network Foundations
Course Objectives
Upon successful completion of this course, participants should be able to:
- Build dynamic dashboards to monitor network alerts
- Create alerts to populate dashboards
- Create alerts to populate meta keys
- Use investigation and event reconstruction techniques to reconstruct breach events
- Create reports to consolidate alerts across a configurable time period
- Create alerts to generate incidents in the Incident Queue
- Assign, document, and remediate incidents from within the Incident Queue
- Identify, reconstruct, and remediate four sample use cases within the student laboratory SOC environment
Course Outline
Lecture
- A Structured Approach to Analysis
- Risk Assessment
- Baselining Traffic
- Filtering and Carving Data
- Creating Application Rules
- Creating Meta Keys
- Investigating Your Data
- Identifying Threats
- Protocol Anomalies
- Abnormal traffic
- Dynamic DNS servers
- Uncommon or known-bad domains
- Source and destination countries
- Mismatched port and protocol
- Suspicious activity on critical assets
- Data Exfiltration
- Common Attack Vectors
- Phishing
- Malware
- Lateral Movement
- Webshells
- Privilege Escalation
- Beaconing
- Command and Control
Lab Exercises
Phishing Lab
- Application Rules
- Reporting Rules and Alerts
- Dashboards
- Incident Management Rules
- Parsers
- Drive-By Download Lab
- Incident Management
- Session Reconstruction
- Meta Groups and Column Groups
- Session Reconstruction
- Incident Remediation
- Webshell Lab
- Application Rules
- Reporting Rules and Alerts
- Customizing the Display
- Session Reconstruction
- Expanding the Investigation
- Creating an Incident
- Creating a Report
- Malicious Insider Lab
- ESA Rules
- ESA Alerts
- Application Rules
- Event Reconstruction
- Incident Queue
In order to register for a class, you need to first create an EMC account
If you need further assistance, contact us