On-demand
In order to register for a class, you need to first create a Dell Education account
if you need further assistance, contact us.
Summary
This instructor-led course provides experience using the features and functions of RSA NetWitness Platform to respond to and investigate security incidents.
Overview
This classroom training provides hands-on experience using the RSA NetWitness Platform to investigate and document security incidents. The course consists of about 50% hands-on lab work, following a practical methodology from the incident queue through investigation, event reconstruction, damage assessment, and documentation using real-world use cases
Audience
Level 1 and Level 2 analysts relatively new to RSA NetWitness Platform, who wish to increase their familiarity with the tool’s features and functions within the context of incident response and analysis.
Duration
2 days
Prerequisite Knowledge/Skills
Students should have familiarity with the basic processes of cybersecurity analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:
RSA NetWitness Platform Foundations
Course Objectives
Upon successful completion of this course, participants should be able to:
- Identify Analyst roles and SOC models
- Describe incident types and methods to prioritize incidents
- Describe the Incident Response process
- Use analysis tools and interfaces to perform incident response
- Describe the Investigative Methodology
- Describe a systematic approach to investigate metadata
- Describe the Investigation Model
- Identify types of threats
- Use the incident response process, the investigative methodology and tools to investigate multiple use cases using packets, logs and endpoint
Course Outline
- Analysis Tools and Processes
- Security Operations models
- Security Operations Roles
- SOC Models
- Escalation Workflow
- Incident Response Process
- Incident Response Tools
- Monitoring the Respond Interface
- Assigning an Incident
- Reviewing Threat Intelligence
- Obtaining Event Details
- Reviewing Logs
- What Should You Look For?
- Obtaining Additional Information
- Performing Analysis
- Investigating Events
- Creating Meta Groups, Queries, Query Profiles,Custom Column Groups, and Profiles
- Viewing Encrypted Traffic
- Documenting the Incident
- Closing/Escalating/Remediating the Incident
- Analysis Methodology
- Investigating Metadata
- Investigative Methodology
- Asking the Right Questions
- Phase 1: Triage
- Phase 2: Root Cause Analysis
- Phase 3: Scoping Operations
- Incident Types
- Incident Response Process
- Prioritizing Incidents
- NetWitness Metadata
- Layered Contextual Approach
- Traffic Directionality
- Network Layer Context Meta
- Endpoint Process Meta
- Endpoint Registry Meta
- Endpoint Network-Process Meta
- Windows Security Event Log Meta
- Meta Groups
- Compromise Meta
- Session, Service and File Characteristics
- Threat Examples
- Phishing
- Malware
- Lateral Movement
- Webshells
- Command Control
- Data Exfiltration
- Analysis Use Cases
- Responding to a Phishing incident using Packets
- Responding to a Suspicious Activities incident using Logs
- Responding to a Drive-by Download incident using Packets and Endpoint
- Responding to an Apache Struts Exploit incident using Packets, Logs and Endpoint
On-demand
In order to register for a class, you need to first create a Dell Education account
If you need further assistance, contact us