
SANS Incident Response and Indicators of Compromise

  • Tuesday, 21 July, 2015 | 09.00 – 17.00 hrs | Sands Level 4 | Room: Peony 4402


Note: There’s an additional fee of S$850 + 7% GST to attend the SANS Workshop. Attendance is only open to those registered for RSA Conference Asia Pacific & Japan 2015.

If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. With the rise of 0-days, APTs, and other cutting-edge evasion techniques, it is quite possible that your intrusion detection tools are being bypassed. In this subset of the popular SANS SEC504: Hacker Techniques, Exploits & Incident Handling course, Mr. BJ Gleason will focus on Indicators of Compromise: the basic clues that indicate your system may have been compromised, from either internal or external sources. By helping you understand attackers' tactics and strategies, the in-depth information in this course will help you improve your security posture.

Lab Requirements

IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network. It is the students' responsibility to make sure that the system is properly configured with all the drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.

Windows

You are required to bring Windows 8 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate), or 2012/2008 Server, either as a real system or as a virtual machine. Professional versions only; Home versions will not work.

The course includes a VMware image file of a guest Linux system that is larger than 12 GB. Therefore, you need a file system with the ability to read and write files that are larger than 3 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

We also require that no enterprise group policies be applied to the system. These policies can and will interfere with our labs.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free from VMware's website.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you are using a MacBook or MacBook Pro with OS X 10.8 or later, you will need VMware Fusion 5.0 or later.

VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class.

We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements
  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • USB Port
  • 4 GB RAM or higher required
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • 40 GB available hard drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7, or Windows Vista
  • During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact AsiaPacific@sans.org.


This document was retrieved from https://www.rsaconference.com/events/ap15/agenda/sessions/2089/sans-incident-response-and-indicators-of on Sun, 04 Dec 2016 03:11:10 -0500.
© 2016 EMC Corporation. All rights reserved.