James McCarter is a Marine Corps Intelligence veteran and Senior Threat Intelligence Analyst at root9B. He is a recognized subject matter expert within the intelligence and law enforcement communities with extensive Intelligence Analysis, Signals Intelligence (SIGINT), digital and mobile device forensics, Site Exploitation, Digital Data Triage and curriculum development experience. For over 12 years, he has personally conducted live operations and instruction in the aforementioned disciplines and has developed dozens of industry standard certification course modules on various classified and non-classified forensics, intelligence collection and analysis systems for commercial, DoD and Law Enforcement personnel. Mr. McCarter has provided instruction internationally to hundreds of individuals in over 100 courses and has provided support to numerous national level intelligence and law enforcement entities as a Forensics Expert, SIGINT Support Team Leader and Intelligence Analyst. He has planned, developed and executed live exercises with comprehensive course curriculum in SIGINT Operations/Signals Theory, Digital Forensics and Cyber Intelligence Analysis to multiple commercial and operational DoD entities in both tactical and non-tactical settings. He holds Professional Certifications in Computer Forensics and Digital Investigations, Cybersecurity and Security Fundamentals from Champlain College, is a graduate in Korean studies from the Defense Language Institute (USMC), received his Bachelor’s degree from Excelsior College and is a member of numerous industry Cybersecurity and Intelligence associations.
INTELLIGENCE LED DIGITAL FORENSICS INCIDENT RESPONSE
Threat Intelligence (TI) provides crucial defense posturing for proactive defense against malicious actors. Applying the same intelligence process to reactive incident response protocols offers valuable insight and context into the likely threat vector, the stage of the attack plan and the motive of a cyber adversary. This threat insight and attack context greatly reduces the time it takes to respond to an event.
This course uses scenario-based instruction and the intelligence cycle (Planning, Collection, Analysis, and Dissemination) to guide students through the process of discovering an event and the subsequent investigation of an incident. Students will use intelligence to reorient their strategic response plan, leveraging tailored response and recovery to greatly reduce reaction times. Students will learn to apply intelligence collection and analytic methodologies to both internal forensic investigation and external threat intelligence by coupling the hands-on application of threat intelligence collection and analysis with digital forensic doctrines and techniques.
MODULES IN THIS COURSE
Foreword: Scenario introduction
Lesson 1: Introduction to Intelligence & Incident Response
Lesson 2: Planning and Directing DFIR
Lesson 3: Generating DFIR Requirements
Lesson 4: Intelligence Collection & DFIR Operations
Lesson 5: Evidence and Information Processing and Exploitation
Lesson 6: DFIR Analysis and Reporting
Lesson 7: Case Wrap-up & Exercise
Students who are likely to conduct incident response through the use of digital forensics and the application of intelligence to guide ongoing operations.
Students should bring a laptop and possess a basic comprehension of digital forensics.
24 hours of course work ideally delivered over 3 days.
Course includes a certificate of attendance.
COURSE STRUCTURE/CONTENT OUTLINE
FOREWORD: SCENARIO INTRODUCTION
Students are introduced to a scenario that plays out throughout the course as the content is introduced.
LESSON 1 INTRODUCTION TO INTELLIGENCE & INCIDENT RESPONSE
1.1 What is Incident Response?
1.1.1 Incident Response Life Cycle and Protocols
1.1.2 Preparation, Detection & Analysis, Containment Eradication & Recovery, Post-Incident Actions
1.1.3 Integrating Forensics into Incident Response
1.2 What is Cyber Threat Intelligence?
1.2.1 Intelligence vs. Information vs. Evidence
1.2.2 Reducing Uncertainty
1.2.3 Proactive vs. Reactive
1.2.4 Introduction to the Intelligence Cycle
1.2.5 All-Source Intelligence Led Operations
LESSON 2 PLANNING AND DIRECTING DFIR
2.1 Strategic Planning
2.2 Operational Planning
2.3 Tactical/Technical Planning
LESSON 3 GENERATING DFIR REQUIREMENTS
3.1 Generating Requirements
3.1.1 Where requirements come from
3.1.2 Requirements Examples
3.2 Requirements for Digital Forensics Incident Response Operations
LESSON 4 INTELLIGENCE COLLECTION & DFIR OPERATIONS
4.1 Collections Management (Tasking) & Planning
4.1.1 Developing a Collections Plan & Collection Platform
4.1.2 Single-Source Intelligence Assets
4.1.3 Intelligence Led Operations
4.1.3.1 Threat Intelligence
4.1.3.2 Digital Forensics
4.1.4 Scenario Application
LESSON 5 EVIDENCE AND INFORMATION PROCESSING AND EXPLOITATION
5.1 Source-Specific Exploitation and Processing
5.1.1 Malware Analysis
5.1.2 Log/Data Analysis
5.1.3 Hunting (F3EAD)
5.1.4 Forensic Discovery and Exploitation
5.1.5 Scenario Application
LESSON 6 DFIR ANALYSIS AND REPORTING
6.1 Structured Analytic Techniques
6.1.1 Threat Modeling
6.1.2 Scenario Application: Attribution
6.2 Reporting Overview
6.2.1 Report Types: Strategic, Operational, Tactical
6.2.1.1 Tactical reporting to provide technical guidance
LESSON 7 CASE WRAP-UP & EXERCISE
7.1 Case Re-examination Exercise
7.2 Satisfied Requirements
7.3 Post-Incident Report
root9B reserves the right to cancel or change a class at any time for reasons including, but not limited to, lack of participation or unavailability of classroom, equipment or trainer. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.