This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Education Courses
No ratings

RSA NetWitness Endpoint Hunting

ConnorMccarthy
Beginner
Beginner

on ‎2017-10-24 12:04 PM

Access Training

In order to register for a class, you need to first create a Dell Education account

If you need further assistance, contact us

Summary

This on-demand learning presents adaptive techniques for security teams proactively seeking to detect, understand, and disrupt coordinated intrusions with RSA NetWitness Endpoint.

 

Overview

This self-paced on-demand learning presents techniques prescribed by security analysts for employing RSA NetWitness Endpoint to locate sophisticated targeted attacks. Finding known malware and obviously malicious behavior is easy with this tool’s Instant Indicators of Compromise, but sophisticated intrusions can be far more challenging. Indicators of specific exploits and threats, such as common keylogging techniques, are detailed.


Audience

Security analysts using RSA NetWitness Endpoint to locate suspicious files, processes, and activity on an organization’s endpoint computers.


Delivery Type
On-Demand Learning (self-paced eLearning)


Duration
2 hours

 

Prerequisite Knowledge/Skills

Students should have completed the RSA NetWitness Endpoint Fundamentals prior to viewing this course. Experienced analysis with at least six month of real-world security analysis with NetWitness Endpoint is recommended.

 

Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Request a scan and interpret the results
  • Perform file analysis without alerting adversaries
  • Evaluate threats based on frequency of file occurrence
  • Customize an Instant Indicator of Compromise
  • Create a custom Yara rule to adapt hunting technique to latest indicators
  • Use behavior filters to identify new threats
  • Review key Instant Indicators of Compromise
  • Obtain and analyze MFT file from endpoint system

Establish timeline based on most trusted timestamps

 

Course Outline

  • Overview
    • Why Hunt?
    • RSA NetWitness Endpoint Architecture
    • Endpoint Threat Detection
    • Daily Analyst Responsibilities
  • Functionality
    • Instant Indicators of Compromise
    • Understanding Key IIOCs
      1. Hidden Modules and Floating Code
      2. Reserved Locations and EXE Execution
      3. Unsigned Modules and Other Characteristics
    • Scans
    • Yara Pattern Matching
  • The Cyber Kill Chain
    • Timeline of Typical Attack
    • Detecting Entrenchment
    • Detecting Lateral Movement
    • Detecting Data Exfiltration
  • File Analysis
    • Downloading a Module from Endpoint
    • A Secure File Analysis Environment
    • File Analysis Within NetWitness Endpoint
    • Other Analysis Options
  • Hunting Techniques
    • Hunting with IIOCs
      1. Webshells Example
      2. Scan Data Example
    • Custom IIOC Creation
    • Hunting with Global Modules Window
    • Custom Yara Rule Creation
  • Forensics
  • NTFS Timestamps
  • MFT Analysis
    1. Obtaining the Endpoint MFT
  • Global File Retrieval
  • Specialized Hunting Techniques
  • Direct Database Queries

 

 

Access Training

In order to register for a class, you need to first create a Dell Education account

If you need further assistance, contact us

Was this article helpful? Yes No
0 Likes
Version history
Last update:
‎2017-10-24 12:04 PM
Updated by:
Beginner
Contributors
© 2022 RSA Security LLC or its affiliates. All rights reserved.