https://wiki.itcollege.ee/api.php?action=feedcontributions&user=Vlariono&feedformat=atomICO wiki - User contributions [en]2024-03-28T17:19:09ZUser contributionsMediaWiki 1.41.0https://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118341Category:C21 Incident response2017-03-03T10:04:22Z<p>Vlariono: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br><br />
Ideally, in the end of this course a potential student:<br><br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br><br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br><br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br><br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br><br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br><br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118340Category:C21 Incident response2017-03-03T10:00:42Z<p>Vlariono: </p>
<hr />
<div>== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=English&diff=118339English2017-03-03T10:00:24Z<p>Vlariono: </p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to Estonian IT College wikis English version.<br />
<br />
Our official web page<br />
<br />
==Courses==<br />
<br />
* [https://wiki.itcollege.ee/index.php/I253_Presessional_Informatics Presessional course in Informatics]<br />
* [https://wiki.itcollege.ee/index.php/Category:I600_Introduction_to_Computers_and_Informatics Introduction to Computers and Informatics]<br />
** [[Exam help]]<br />
* [[Logic and Discrete Mathematics Exam Help]]<br />
* [[Operating systems]]<br />
* [https://wiki.itcollege.ee/index.php/Category:I704_Ruby I704 Ruby (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/I719_Fundamentals_of_Python I719 Fundamentals of Python (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/Category:I703_Python Python]<br />
* [https://wiki.itcollege.ee/index.php/Category:I702_Web_Application_Programming Web Application Programming]<br />
* [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec Firewalls and VPN/IPSec]<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Ideas Ideas for research project or thesis]<br />
* [[I803 IT Infrastructure services]]<br />
* [[Basics of C/C++ Programming]]<br />
<br />
2nd year Spring semester<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:I804_Linux_Windows_administration Linux/Windows administration]<br />
* [https://wiki.itcollege.ee/index.php/Category:I805_Authentication_and_Authorization Authentication and Authorization]<br />
* [[C21 Incident response]]<br />
<br />
Misc<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Lecturer_FAQ Lecturer FAQ]<br />
<br />
==Quickstart==<br />
<br />
This section is for freshmen who want to get up to speed with latest open-source technology.<br />
<br />
* [https://wiki.itcollege.ee/index.php/User:Akerge CSE survival guide]<br />
* [[Getting started with Ubuntu]]<br />
* [[Getting started with Raspberry Pi]]<br />
* [[Accessing a virtual machine via SSH connection]]<br />
* [[Setting up SSH access to enos.itcollege.ee]]<br />
* [[Getting started with GCC]]<br />
<br />
==International Projects==<br />
<br />
* [[Deploying IT Infrastructure Solutions| Erasmus intensive program "Deploying IT Infrastructure Solutions"]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=English&diff=118338English2017-03-03T09:59:57Z<p>Vlariono: </p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to Estonian IT College wikis English version.<br />
<br />
Our official web page<br />
<br />
==Courses==<br />
<br />
* [https://wiki.itcollege.ee/index.php/I253_Presessional_Informatics Presessional course in Informatics]<br />
* [https://wiki.itcollege.ee/index.php/Category:I600_Introduction_to_Computers_and_Informatics Introduction to Computers and Informatics]<br />
** [[Exam help]]<br />
* [[Logic and Discrete Mathematics Exam Help]]<br />
* [[Operating systems]]<br />
* [https://wiki.itcollege.ee/index.php/Category:I704_Ruby I704 Ruby (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/I719_Fundamentals_of_Python I719 Fundamentals of Python (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/Category:I703_Python Python]<br />
* [https://wiki.itcollege.ee/index.php/Category:I702_Web_Application_Programming Web Application Programming]<br />
* [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec Firewalls and VPN/IPSec]<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Ideas Ideas for research project or thesis]<br />
* [[I803 IT Infrastructure services]]<br />
* [[Basics of C/C++ Programming]]<br />
<br />
2nd year Spring semester<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:I804_Linux_Windows_administration Linux/Windows administration]<br />
* [https://wiki.itcollege.ee/index.php/Category:I805_Authentication_and_Authorization Authentication and Authorization]<br />
* [[Category:C21 Incident response]]<br />
<br />
Misc<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Lecturer_FAQ Lecturer FAQ]<br />
<br />
==Quickstart==<br />
<br />
This section is for freshmen who want to get up to speed with latest open-source technology.<br />
<br />
* [https://wiki.itcollege.ee/index.php/User:Akerge CSE survival guide]<br />
* [[Getting started with Ubuntu]]<br />
* [[Getting started with Raspberry Pi]]<br />
* [[Accessing a virtual machine via SSH connection]]<br />
* [[Setting up SSH access to enos.itcollege.ee]]<br />
* [[Getting started with GCC]]<br />
<br />
==International Projects==<br />
<br />
* [[Deploying IT Infrastructure Solutions| Erasmus intensive program "Deploying IT Infrastructure Solutions"]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118337Category:C21 Incident response2017-03-03T09:59:23Z<p>Vlariono: </p>
<hr />
<div>=C21 Incident response=<br />
<br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118336Category:C21 Incident response2017-03-03T09:59:04Z<p>Vlariono: </p>
<hr />
<div>=C21 Incident response=<br />
<br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table><br />
<br />
[[Category:C21 Incident response]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118334Category:C21 Incident response2017-03-03T09:54:44Z<p>Vlariono: </p>
<hr />
<div>=C21 Incident response=<br />
<br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=English&diff=118332English2017-03-03T09:50:15Z<p>Vlariono: </p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to Estonian IT College wikis English version.<br />
<br />
Our official web page<br />
<br />
==Courses==<br />
<br />
* [https://wiki.itcollege.ee/index.php/I253_Presessional_Informatics Presessional course in Informatics]<br />
* [https://wiki.itcollege.ee/index.php/Category:I600_Introduction_to_Computers_and_Informatics Introduction to Computers and Informatics]<br />
** [[Exam help]]<br />
* [[Logic and Discrete Mathematics Exam Help]]<br />
* [[Operating systems]]<br />
* [https://wiki.itcollege.ee/index.php/Category:I704_Ruby I704 Ruby (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/I719_Fundamentals_of_Python I719 Fundamentals of Python (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/Category:I703_Python Python]<br />
* [https://wiki.itcollege.ee/index.php/Category:I702_Web_Application_Programming Web Application Programming]<br />
* [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec Firewalls and VPN/IPSec]<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Ideas Ideas for research project or thesis]<br />
* [[I803 IT Infrastructure services]]<br />
* [[Basics of C/C++ Programming]]<br />
<br />
2nd year Spring semester<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:I804_Linux_Windows_administration Linux/Windows administration]<br />
* [https://wiki.itcollege.ee/index.php/Category:I805_Authentication_and_Authorization Authentication and Authorization]<br />
* [https://wiki.itcollege.ee/index.php/Category:C21_Incident_response]<br />
<br />
Misc<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Lecturer_FAQ Lecturer FAQ]<br />
<br />
==Quickstart==<br />
<br />
This section is for freshmen who want to get up to speed with latest open-source technology.<br />
<br />
* [https://wiki.itcollege.ee/index.php/User:Akerge CSE survival guide]<br />
* [[Getting started with Ubuntu]]<br />
* [[Getting started with Raspberry Pi]]<br />
* [[Accessing a virtual machine via SSH connection]]<br />
* [[Setting up SSH access to enos.itcollege.ee]]<br />
* [[Getting started with GCC]]<br />
<br />
==International Projects==<br />
<br />
* [[Deploying IT Infrastructure Solutions| Erasmus intensive program "Deploying IT Infrastructure Solutions"]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=English&diff=118331English2017-03-03T09:49:38Z<p>Vlariono: </p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to Estonian IT College wikis English version.<br />
<br />
Our official web page<br />
<br />
==Courses==<br />
<br />
* [https://wiki.itcollege.ee/index.php/I253_Presessional_Informatics Presessional course in Informatics]<br />
* [https://wiki.itcollege.ee/index.php/Category:I600_Introduction_to_Computers_and_Informatics Introduction to Computers and Informatics]<br />
** [[Exam help]]<br />
* [[Logic and Discrete Mathematics Exam Help]]<br />
* [[Operating systems]]<br />
* [https://wiki.itcollege.ee/index.php/Category:I704_Ruby I704 Ruby (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/I719_Fundamentals_of_Python I719 Fundamentals of Python (Spring 2017)]<br />
* [https://wiki.itcollege.ee/index.php/Category:I703_Python Python]<br />
* [https://wiki.itcollege.ee/index.php/Category:I702_Web_Application_Programming Web Application Programming]<br />
* [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec Firewalls and VPN/IPSec]<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Ideas Ideas for research project or thesis]<br />
* [[I803 IT Infrastructure services]]<br />
* [[Basics of C/C++ Programming]]<br />
<br />
2nd year Spring semester<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:I804_Linux_Windows_administration Linux/Windows administration]<br />
* [https://wiki.itcollege.ee/index.php/Category:I805_Authentication_and_Authorization Authentication and Authorization]<br />
* [https://wiki.itcollege.ee/index.php/Category:C21 Incident response]<br />
<br />
Misc<br />
<br />
* [https://wiki.itcollege.ee/index.php/Category:Lecturer_FAQ Lecturer FAQ]<br />
<br />
==Quickstart==<br />
<br />
This section is for freshmen who want to get up to speed with latest open-source technology.<br />
<br />
* [https://wiki.itcollege.ee/index.php/User:Akerge CSE survival guide]<br />
* [[Getting started with Ubuntu]]<br />
* [[Getting started with Raspberry Pi]]<br />
* [[Accessing a virtual machine via SSH connection]]<br />
* [[Setting up SSH access to enos.itcollege.ee]]<br />
* [[Getting started with GCC]]<br />
<br />
==International Projects==<br />
<br />
* [[Deploying IT Infrastructure Solutions| Erasmus intensive program "Deploying IT Infrastructure Solutions"]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=C21_Incident_response&diff=118330C21 Incident response2017-03-03T09:49:22Z<p>Vlariono: Vlariono moved page C21 Incident response to Category:C21 Incident response: Merging with common approach on ITK MediaWiki.</p>
<hr />
<div>#REDIRECT [[:Category:C21 Incident response]]</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118329Category:C21 Incident response2017-03-03T09:49:21Z<p>Vlariono: Vlariono moved page C21 Incident response to Category:C21 Incident response: Merging with common approach on ITK MediaWiki.</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118328Category:C21 Incident response2017-03-03T09:46:38Z<p>Vlariono: /* Lectures plan */</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 17:30</td><td> Hands-on session arrangements. Dividing into teams and initial briefing.</td></tr><br />
<tr><td>March 10, 2017 - 18:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions. Part 2.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td colspan=2><center><b>NB! No lecture on April 7!</b></center></td></tr><br />
<tr><td>April 14, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118326Category:C21 Incident response2017-03-03T09:43:41Z<p>Vlariono: /* Lectures plan */</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
<table border=0><br />
<tr><td>March 3, 2017 - 16:00 - 17:30</td><td>Course and lecturer introduction. Getting to know each other.</td></tr><br />
<tr><td>March 3, 2017 - 18:00 - 19:30</td><td> Common threat landscape. Estonia and the world. Attack classifications. APT.</td></tr><br />
<tr><td>March 10, 2017 - 16:00 - 19:30</td><td> Monitoring, detection and reveal scenarios. Sources. Initial actions.</td></tr><br />
<tr><td>March 17, 2017 - 16:00 - 19:30</td><td> Response coordination by threat classes. Common threat classes.</td></tr><br />
<tr><td>March 24, 2017 - 16:00 - 19:30</td><td> Response coordination - APT.</td></tr><br />
<tr><td>March 31, 2017 - 16:00 - 19:30</td><td> Communcations.</td></tr><br />
</table></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118324Category:C21 Incident response2017-03-03T09:41:25Z<p>Vlariono: </p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br><br />
<br />
<br />
== Lectures plan ==<br />
March 3, 2017 - 16:00 - 17:30 Course and lecturer introduction. Getting to know each other.<br />
March 3, 2017 - 18:00 - 19:30 Common threat landscape. Estonia and the world. Attack classifications. APT.<br />
March 10, 2017 - 16:00 - 19:30 Monitoring, detection and reveal scenarios. Sources. Initial actions.<br />
March 17, 2017 - 16:00 - 19:30 Response coordination by threat classes. Common threat classes.<br />
March 24, 2017 - 16:00 - 19:30 Response coordination - APT.<br />
March 31, 2017 - 16:00 - 19:30 Communcations.</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118322Category:C21 Incident response2017-03-03T09:34:35Z<p>Vlariono: /* Introduction */</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br><br />
- Logging and monitoring<br><br />
- Evidence gathering and analysis<br><br />
- Reverse engineering<br></div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118321Category:C21 Incident response2017-03-03T09:34:06Z<p>Vlariono: </p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.<br />
<br />
Course is intended to provide the necessary basic input for such 3 semester courses like:<br />
- Logging and monitoring<br />
- Evidence gathering and analysis<br />
- Reverse engineering</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118320Category:C21 Incident response2017-03-03T09:32:54Z<p>Vlariono: /* Introduction */</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering, monitoring, C-level management) - the blue team, and offensive intruders - the red team. Amazon EC2 based infrastructure will be provided by the instructor. Blue team, will be required to build up a near real-life infrastructure while the red team, will be constantly attacking this infrastructure, with eventual success. As common to regular penetration testing trainings, teams will not be aware of each others actions, and enterprise team will perform near to normal enterprise performance schedule. Instructor will assist each team in their activities and achieving the goal. Eventually, blue team will be required to detect and actively respond to the threat provided by the red team, while the last will be required to actively respond to mitigation efforts.<br />
Hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parts, including the instructor will sit down to retro the training and discuss the results - what went wrong and what went right.<br />
<br />
It is important to notice, that due to the lack of classical, or so to say conventional approaches to the topic - this course is more about common sense and obtaining the essential tactical understanding, that it is about anything else.<br />
Ideally, in the end of this course a potential student:<br />
a) Understands well how a big, multinational organization works from the SoC and system engineering points of view.<br />
b) Knows and understands the general picture with threat landscape targeting common enterprise nowdays.<br />
c) Knows and understands the action sequence and acting plans for intrusion response.<br />
d) Is familiar with common communication guidelines and acting policies in case of intrusion.<br />
e) The most important - in real life situation, when an intrusion happens in student responsibility premises - student knows the actions needed to be undertaken, doesn't get lost or panic and is capable of acting fast and smart in the situation effectively communicating and collaborating with parties capable of assisting him/her.</div>Vlarionohttps://wiki.itcollege.ee/index.php?title=Category:C21_Incident_response&diff=118318Category:C21 Incident response2017-03-03T09:22:40Z<p>Vlariono: Created page with " == Introduction == Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threat..."</p>
<hr />
<div><br />
== Introduction ==<br />
<br />
Within C21 Incident response course, we will take a wide outlook on threats targeting modern enterprise in general and the ways responding to those threats takes place in real life scenarios.<br />
It is important to mention, that we will mostly focus and practical and applicational aspects of incident response, rather than governing or policy aspects. <br />
Thus, we will oversee these topics from a perspective of a SoC operations or system operations engineer/engineering lead, and look at those through a prism of a person responsible for actual mitigation, as opposed to policymaker view to the topic. While policymaking issues will be covered and touched during this course, practical and applicational aspects remain the focus here, for both lectures and hands-on training classes.<br />
<br />
We will start from overlooking the current threat landscape, regional specifics and classification of threats targeting the modern enterprise. From that point, we will move over to detection and revealing mechanisms both technical and administrative used to detect the threat. We will go through most of the common detection and revealing tools used, and oversee the channels, which provide detection and initial discovery information.<br />
From that point, we will slightly switch over to tactics, and tactical approach to responding to each threat classification - racing over conventional threat vectors, and eventually concentrating the most focus on APT response in particular. We will cover evidence sustention, core reasons and intrusion path discovery and mitigation strategies in particular during the tactics session.<br />
Upon overlooking the technical and tactical aspects, we will finish with communications part, which may sound as non-technical, but plays a crucial, if not the most important role in incident response. While it may seem, that communication is something more of a front-office, communications-office business - it is important to understand, that pretty much in any real-life incident response scenario - communications is the key to success or failure, no matter how good or bad the technical effort is.<br />
<br />
The course will be divided into 4-5 lecture sessions, depending on the speed and progress we will be doing during the coverage of topics mentioned above.<br />
For the hands-on part, class will be divided into working groups, simulating real enterprise staff structure (communications department, SoC, system engineering</div>Vlariono