In order to register for a class, you need to first create a Dell Education account. If you need further assistance, contact us.
Summary
This instructor-led course provides experience using the features and functions of RSA NetWitness Platform to respond to and investigate incidents.
Overview
This instructor-led classroom-based course provides hands-on experience using the RSA NetWitness Platform to investigate and remediate security incidents. The course consists of about 50% hands-on lab work, following a practical methodology from the incident queue through investigation, event reconstruction, damage assessment, and documentation using real-world use cases.
Audience
Level 1 and Level 2 analysts relatively new to RSA NetWitness Platform, who wish to increase their familiarity with the tool’s features and functions within the context of incident response and analysis.
Duration
2 days
Prerequisite Knowledge/Skills
Students should have familiarity with the basic processes of cybersecurity forensic analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and correlating log and network traffic data to analyze network-based security events.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:
RSA NetWitness Platform Foundations
Course Objectives
Upon successful completion of this course, participants should be able to:
- Describe SOC roles and models
- Describe the Investigative Methodology
- Identify types of incidents
- Describe the Incident Response process
- Use analysis tools and techniques to investigate an incident
- Document the incident
- Use the incident response process and tools to investigate an incident using packets
- Use the incident response process and tools to investigate an incident using logs
- Use the incident response process and tools to investigate an incident using packets and endpoint
- Use the incident response process and tools to investigate an incident using logs, packets and endpoint
Course Outline
Analysis Tools and Processes
SOC Analyst
- Security Operations Roles
- SOC Models
- Escalation Workflow
Investigative Methodology
- Asking the Right Questions
- Phase 1: Triage
- Phase 2: Root Cause Analysis
- Phase 3: Scoping Operations
- Incident Types
- Incident Response Process
- Prioritizing Incidents
Incident Response Tools
- Monitoring the Respond Interface
- Assigning an Incident
- Reviewing Threat Intelligence
- Obtaining Event Details
- Reviewing Logs
- What Should You Look For?
- Obtaining Additional Information
- Performing Analysis
- Investigating Events
- Creating Meta Groups, Queries, Custom Column Groups, and Profiles
- Viewing Encrypted Traffic
- Documenting the Incident
- Closing/Escalating/Remediating the Incident
- Analysis Methodology
Investigating Metadata
NetWitness Metadata
- Layered Contextual Approach
- Traffic Directionality
- Network Layer Context Meta
- Endpoint Process Meta
- Endpoint Registry Meta
- Endpoint Network-Process Meta
- Windows Security Event Log Meta
- Meta Groups
- Compromise Meta
- Session, Service and File Characteristics
Identifying Anomalies
- Services
- Protocol Anomalies: HTTP
Threat Examples
- Phishing
- Malware
- Lateral Movement
- Webshells
- Command and Control
- Data Exfiltration
Analysis Use Cases
- Responding to a Phishing incident using Packets
- Responding to a Suspicious Activities incident using Logs
- Responding to a Drive-by Download incident using Packets and Endpoint
- Responding to an Apache Struts Exploit incident using Packets, Logs and Endpoint