RSA NetWitness Platform Analysis 11.3

Document created by Elizabeth Maloney on Jul 8, 2016. Last modified by Lisa Tiernan on Dec 10, 2019. Version 54.

Schedule & Register

Schedule Only

On-demand


In order to register for a class, you first need to create a Dell Education account.

If you need further assistance, contact us.

Summary

This instructor-led course provides hands-on experience using the features and functions of RSA NetWitness Platform to respond to and investigate security incidents.

 

Overview

This instructor-led classroom-based course provides hands-on experience using the RSA NetWitness Platform to investigate and remediate security incidents. The course consists of about 50% hands-on lab work, following a practical methodology from the incident queue through investigation, event reconstruction, damage assessment, and documentation using real-world use cases.

 

Audience

Level 1 and Level 2 analysts relatively new to RSA NetWitness Platform, who wish to increase their familiarity with the tool’s features and functions within the context of incident response and analysis.

 

Duration

2 days

 

Prerequisite Knowledge/Skills

Students should be familiar with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, and common networking protocols, and with correlating log data and network traffic to analyze network-based security events.

 

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

RSA NetWitness Platform Foundations

 

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe SOC roles and models
  • Describe the Investigative Methodology
  • Identify types of incidents
  • Describe the Incident Response process
  • Use analysis tools and techniques to investigate an incident
  • Document the incident
  • Use the incident response process and tools to investigate an incident using packets
  • Use the incident response process and tools to investigate an incident using logs
  • Use the incident response process and tools to investigate an incident using packets and endpoint
  • Use the incident response process and tools to investigate an incident using logs, packets and endpoint

 

Course Outline

Analysis Tools and Processes

SOC Analyst

  • Security Operations Roles
  • SOC Models
  • Escalation Workflow

Investigative Methodology

  • Asking the Right Questions
  • Phase 1: Triage
  • Phase 2: Root Cause Analysis
  • Phase 3: Scoping Operations
  • Incident Types
  • Incident Response Process
  • Prioritizing Incidents

Incident Response Tools

  • Monitoring the Respond Interface
  • Assigning an Incident
  • Reviewing Threat Intelligence
  • Obtaining Event Details
  • Reviewing Logs
  • What Should You Look For?
  • Obtaining Additional Information
  • Performing Analysis
  • Investigating Events
  • Creating Meta Groups, Queries, Custom Column Groups, and Profiles
  • Viewing Encrypted Traffic
  • Documenting the Incident
  • Closing/Escalating/Remediating the Incident
  • Analysis Methodology

Investigating Metadata

NetWitness Metadata

  • Layered Contextual Approach
  • Traffic Directionality
  • Network Layer Context Meta
  • Endpoint Process Meta
  • Endpoint Registry Meta
  • Endpoint Network-Process Meta
  • Windows Security Event Log Meta
  • Meta Groups
  • Compromise Meta
  • Session, Service and File Characteristics

Identifying Anomalies

  • Services
  • Protocol Anomalies: HTTP

Threat Examples

  • Phishing
  • Malware
  • Lateral Movement
  • Webshells
  • Command and Control
  • Data Exfiltration

Analysis Use Cases

  • Responding to a Phishing incident using Packets
  • Responding to a Suspicious Activities incident using Logs
  • Responding to a Drive-by Download incident using Packets and Endpoint
  • Responding to an Apache Struts Exploit incident using Packets, Logs and Endpoint
