A Uniquely Trained Security Force

INTELLIGENCE LED DIGITAL FORENSICS INCIDENT RESPONSE

Course Description

Threat Intelligence (TI) is usually framed as a proactive discipline: it shapes defensive posture against malicious actors before they act. Applying the same intelligence process to reactive incident response offers equally valuable insight and context: the likely threat vector, the stage of the adversary's attack plan, and the adversary's motive. That threat insight and attack context greatly reduces the time it takes to respond to an event.

COURSE OVERVIEW

Through scenario-based instruction, this course uses the intelligence cycle (Planning, Collection, Analysis, and Dissemination) to guide students through discovering an event and conducting the consequent investigation of an incident. Students will use intelligence to reorient their strategic response plan, leveraging tailored response and recovery to greatly reduce reaction times. Students will learn to apply intelligence collection and analytic methodologies to both internal forensic investigation and external threat intelligence, coupling the hands-on application of threat intelligence collection and analysis with digital forensic doctrine and techniques.

MODULES IN THIS COURSE

Foreword: Scenario introduction

Lesson 1: Introduction to Intelligence & Incident Response

Lesson 2: Planning and Directing DFIR

Lesson 3: Generating DFIR Requirements

Lesson 4: Intelligence Collection & DFIR Operations

Lesson 5: Evidence and Information Processing and Exploitation

Lesson 6: DFIR Analysis and Reporting

Lesson 7: Case Wrapup & Exercise

TARGET AUDIENCE

Students who are likely to conduct incident response through the use of digital forensics, with the application of intelligence to guide ongoing operations.

PREREQUISITES

Students should bring a laptop and possess a basic comprehension of digital forensics.

COURSE LENGTH

24 hours of course work, ideally delivered over 3 days.

TESTING/CERTIFICATION

Course includes a certificate of attendance.

COURSE STRUCTURE/CONTENT OUTLINE

FOREWORD: SCENARIO INTRODUCTION

Students are introduced to a scenario that plays out throughout the course content.

LESSON 1 INTRODUCTION TO INTELLIGENCE & INCIDENT RESPONSE

1.1 What is Incident Response?

1.1.1 Incident Response Life Cycle and Protocols

1.1.2 Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Actions

1.1.3 Integrating Forensics into Incident Response

1.2 What is Cyber Threat Intelligence?

1.2.1 Intelligence vs. Information vs. Evidence

1.2.2 Reducing Uncertainty 

1.2.3 Proactive vs. Reactive

1.2.4 Introduction to the Intelligence Cycle

1.2.5 All-Source Intelligence Led Operations

LESSON 2 PLANNING AND DIRECTING DFIR

2.1 Strategic Planning

2.2 Operational Planning

2.3 Tactical/Technical Planning

LESSON 3 GENERATING DFIR REQUIREMENTS

3.1 Generating Requirements

3.1.1 Where requirements come from

3.1.2 Requirements Examples

3.2 Requirements for Digital Forensics Incident Response Operations

LESSON 4 INTELLIGENCE COLLECTION & DFIR OPERATIONS

4.1 Collections Management (Tasking) & Planning

4.1.1 Developing a Collections Plan & Collection Platform

4.1.2 Single-Source Intelligence Assets

4.1.3 Intelligence Led Operations

4.1.3.1 Threat Intelligence

4.1.3.2 Digital Forensics

4.1.4 Scenario Application

LESSON 5 EVIDENCE AND INFORMATION PROCESSING AND EXPLOITATION

5.1 Source-Specific Exploitation and Processing

5.1.1 Malware Analysis

5.1.2 Log/Data Analysis

5.1.3 Hunting (F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate)

5.1.4 Forensic Discovery and Exploitation

5.1.5 Scenario Application

LESSON 6 DFIR ANALYSIS AND REPORTING

6.1 Structured Analytic Techniques

6.1.1 Threat Modeling

6.1.2 Scenario Application: Attribution

6.2 Reporting Overview

6.2.1 Report Types: Strategic, Operational, Tactical

6.2.1.1 Tactical Reporting to Provide Technical Guidance

LESSON 7 CASE WRAPUP & EXERCISE

7.1 Case Re-examination Exercise

7.2 Satisfied Requirements

7.3 Post-Incident Report

PRICE: $2,950

Contact for Government rate

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

Instructors

James McCarter is a Marine Corps Intelligence veteran and Senior Threat Intelligence Analyst at root9B. He is a recognized subject matter expert within the intelligence and law enforcement communities with extensive Intelligence Analysis, Signals Intelligence (SIGINT), digital and mobile device forensics, Site Exploitation, Digital Data Triage and curriculum development experience. For over 12 years, he has personally conducted live operations and instruction in the aforementioned disciplines and has developed dozens of industry standard certification course modules on various classified and non-classified forensics, intelligence collection and analysis systems for commercial, DoD and Law Enforcement personnel. Mr. McCarter has provided instruction internationally to hundreds of individuals in over 100 courses and has provided support to numerous national level intelligence and law enforcement entities as a Forensics Expert, SIGINT Support Team Leader and Intelligence Analyst. He has planned, developed and executed live exercises with comprehensive course curriculum in SIGINT Operations/Signals Theory, Digital Forensics and Cyber Intelligence Analysis to multiple commercial and operational DoD entities in both tactical and non-tactical settings. He holds Professional Certifications in Computer Forensics and Digital Investigations, Cybersecurity and Security Fundamentals from Champlain College, is a graduate in Korean studies from the Defense Language Institute (USMC), received his Bachelor’s degree from Excelsior College and is a member of numerous industry Cybersecurity and Intelligence associations.

Dates & Locations

November 7, 2017 (Honolulu, HI)

January 3, 2018 (San Antonio, TX)

January 3, 2018 (Colorado Springs, CO)

February 21, 2018 (Colorado Springs, CO)

March 5, 2018 (Columbia, MD)

August 20, 2018 (Annapolis Junction, MD)

September 5, 2018 (Colorado Springs, CO)

November 14, 2018 (San Antonio, TX)