This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Education Courses
No ratings

RSA NetWitness Endpoint Analysis

ConnorMccarthy
Beginner
Beginner

on ‎2017-10-24 11:20 AM

Schedule & Register

Schedule Only

On-demand

In order to register for a class, you need to first  create an EMC account 

If you need further assistance, contact us

Summary

This in-depth, classroom-based experience enables RSA NetWitness Endpoint security analysts to use all major facets of the NetWitness Endpoint toolkit to identify malicious software and activity.

 

Overview

This instructor-led classroom-based training provides core essentials training for security analysts employing RSA NetWitness Endpoint. Students participate in an interactive lecture format and put into practice what they learn in instructor-assisted hands-on lab work in a simulated deployment.

 

Audience

This RSA NetWitness Endpoint training is intended as the core of Tier One security analysts or the fundamental knowledge required by experienced security analysts new to the tool.

 

Duration

2 days

 

Prerequisite Knowledge/Skills

Students should have familiarity with the basic processes of security forensic analysis

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

  • RSA NetWitness Endpoint Foundations (On-Demand Learning) or RSA NetWitness Endpoint Fundamentals (Classroom)

 

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Schedule scans using machine groups
  • Interpret scan results based on Module and Machine context
  • Consider advanced threats employing key Windows executables and processes
  • Build a simple attack/intrusion timeline to further chronology-based investigation
  • Create a Yara signature based on a real-world Trojan.

 

Course Outline

  • Module 1 – Introduction
    • Expectations
    • ECAT as Context Detector
    • Ransomware Example
  • Module 2 – Workflows
    • Typical Roles
    • Level 1: Baseline and escalation
    • Level 2: Complete Analysis
    • Level 3: Malware forensics
    • Typical alert responses
  • Module 3 –Endpoint Scans
    • Organize by Machine Group
    • Scan parameters:
      1. Threat ratings
      2. Periodicity
      3. Basic vs. Full Scans
    • Results details
      1. Summary
      2. Downloaded
      3. Agent log
      4. Scan data
      5. More info
  • Module 4 – The Module Analysis Toolkit
    • IIOCs
    • Module Filters
    • External resources
  • Module 5 – Module Context
    • Module location
    • Proliferation (machine count)
    • File names
    • IOC combinations
    • Building a timeline
  • Module 6 – Windows Entities for Security Analysts
    • svchost.exe
    • Isass.exe
    • msiexec.exe
    • wmiPrvSe.exe
    • conhost.exe
    • Webshells
    • Mimikatz.exe
  • Module 7 – Tracking systems
    • Threat assessment
    • Signatures and recognition
    • Characteristics and behavior
    • Context

  • Module 8 – Yara

    • Purpose
    • Mechanics
    • Status
    • Rule Creation and Modification
    • Yara Rule Sources
    • Extract Signature from Trojan
    • Demonstration & Lab
  • Module 9 – Basic module forensics
    • Forensics toolkit in RSA NetWitness Endpoint
    • Other forensics tools
    • Demonstration & Lab

 

 

 

Schedule & Register

Schedule Only

On-demand

 

 

In order to register for a class, you need to first create an EMC account

If you need further assistance, contact us

Was this article helpful? Yes No
0 Likes
Version history
Last update:
‎2017-10-24 11:20 AM
Updated by:
Beginner
Contributors
© 2022 RSA Security LLC or its affiliates. All rights reserved.