on Jul 8, 2016
In order to register for a class, you need to first create an EMC account
if you need further assistance, contact us.
Summary
This instructor led course provides experience using the features and functions of RSA NetWitness Logs & Network to perform forensic analysis on network-based security breaches.
Overview
This instructor-led classroom-based course provides hands-on experience using the RSA NetWitness Logs & Network tool to identify, investigate and remediate network-based security breaches on your enterprise network. The course consists of about 75% hands-on lab work, following practical use cases from the identification and investigation stages through event reconstruction, damage assessment, and remediation.
Audience
SOC analysts relatively new to RSA NetWitness Logs & Network, who wish to increase their familiarity with the tool’s features and functions within the context of SOC breach investigation and analysis.
Duration
2 days, including approximately 1 ½ days of hands-on lab exercises.
Prerequisite Knowledge/Skills
Students should have familiarity with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training: RSA NetWitness Logs & Network Foundations
Course Objectives
Upon successful completion of this course, participants should be able to:
- Build dynamic dashboards to monitor network alerts
- Create alerts to populate dashboards
- Create alerts to populate meta keys
- Use investigation and event reconstruction techniques to reconstruct breach events
- Create reports to consolidate alerts across a configurable time period
- Create alerts to generate incidents in the Incident Queue
- Assign, document, and remediate incidents from within the Incident Queue
- Identify, reconstruct, and remediate four sample use cases within the student laboratory SOC environment
Course Outline
Lecture
- A Structured Approach to Analysis
- Risk Assessment
- Baselining Traffic
- Filtering and Carving Data
- Creating Application Rules
- Creating Meta Keys
- Investigating Your Data
- Identifying Threats
- Protocol Anomalies
- Abnormal traffic
- Dynamic DNS servers
- Uncommon or known-bad domains
- Source and destination countries
- Mismatched port and protocol
- Suspicious activity on critical assets
- Data Exfiltration
- Common Attack Vectors
- Phishing
- Malware
- Lateral Movement
- Webshells
- Privilege Escalation
- Beaconing
- Command and Control
Lab Exercises
Phishing Lab
- Application Rules
- Reporting Rules and Alerts
- Dashboards
- Incident Management Rules
- Parsers
- Drive-By Download Lab
- Incident Management
- Session Reconstruction
- Meta Groups and Column Groups
- Session Reconstruction
- Incident Remediation
- Webshell Lab
- Application Rules
- Reporting Rules and Alerts
- Customizing the Display
- Session Reconstruction
- Expanding the Investigation
- Creating an Incident
- Creating a Report
- Malicious Insider Lab
- ESA Rules
- ESA Alerts
- Application Rules
- Event Reconstruction
- Incident Queue
In order to register for a class, you need to first create an EMC account
If you need further assistance, contact us