Incident Response

Workshop on Incident Response

Trainers

K. K. Mookhey

KK is one of the pioneers of information security in India. Having begun his firm as a one-man show in 2001, it has now grown to a team of over 250 consultants spread across multiple locations in India and the Middle East. He is a trusted consultant and trainer to organizations all across the globe on various aspects of information security. He is well-versed with the security challenges of various industry verticals, and also with international standards and frameworks such as ISO 27001, PCI DSS, COBIT, HIPAA, etc.

He is the author of two books (on Linux Security and on the Metasploit Framework) and of numerous articles on information security. He was the first security researcher from India to present at Blackhat in 2004 (on ‘Detection and Evasion of Web Application Attacks’) and since then has spoken at numerous conferences such as Interop, OWASP, NullCon, etc. He is currently overseeing the research activities within NII focused on use of big data in security, building various automation solutions, and security impact of the Internet of Things.

Wasim Halani

Wasim is one of the most senior consultants at NII. He started as a fresher about 8 years back and since then has been involved in various technical assessments in different industries and business verticals within India and internationally. He currently serves as the Head of the Innovations and Research (InR) team at NII, where he is responsible for introducing new ideas, tools and vectors for the Security Assessment practice. He also works to introduce new service models that NII can provide to its clients.

As part of his current research, he is leading a team to overcome limitations within existing security monitoring solutions by exploiting advancements in Big Data, Analytics and Machine Learning, to improve threat intelligence and monitoring and to enable early detection of advanced threat actors.

Wasim is also actively involved in the Info-Sec community in India. He leads the NULL chapter in Mumbai and has participated in conferences like OWASP, SecurityByte, and Malcon.

Detailed Schedule

Module 1 - Introduction
  • Brief introduction to the incident management process. It is expected that the audience has a generally good understanding of the overall incident management process. Participants are expected to be well-versed with the broad understanding of security controls such as firewalls, intrusion detection systems, security information and event management (SIEM) systems, etc.
Module 2 - Attacks Against Web & SSH Servers
  • This module covers alerts raised for inbound port scans or aggressive SSH connection attempts. You are tasked with carrying out the investigation from scratch. The target server is a website that runs either on Apache or on IIS. You are required to understand the log formats, parse the logs using a tool of your choice, request live forensics data from the server, and develop your hypothesis.
  • Tools/Technologies covered: SSH server logs, web server logs, Unix utils etc.
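A small worked example of the log triage this module asks for, added here and not part of the workshop material: it parses constructed OpenSSH auth-log and Apache combined-log lines and flags sources that fail authentication repeatedly before succeeding, or that probe many non-existent paths. The alert thresholds are assumptions chosen for the sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real incident data): sshd auth log and Apache combined log.
SSH_LOG = """\
Jan 12 03:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:09 web01 sshd[2107]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Jan 12 08:00:12 web01 sshd[2310]: Accepted publickey for deploy from 198.51.100.5 port 40112 ssh2
"""
WEB_LOG = """\
203.0.113.7 - - [12/Jan/2017:03:20:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2017:03:20:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2017:03:20:03 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2017:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# sshd auth line: outcome, auth method, user (with optional "invalid user" prefix), source IP
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
# Apache combined log: client IP, method, path, status code
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def ssh_events(text):
    """Yield (status, method, user, source_ip) for each sshd authentication line."""
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            yield m.groups()

def brute_force_sources(text, threshold=3):
    """Return {ip: (failure_count, succeeded_afterwards)} for sources at or above threshold."""
    failures, success = Counter(), set()
    for status, _method, _user, ip in ssh_events(text):
        if status == "Failed":
            failures[ip] += 1
        elif ip in failures:  # an Accepted login after failures from the same source
            success.add(ip)
    return {ip: (n, ip in success) for ip, n in failures.items() if n >= threshold}

def scanner_sources(text, threshold=3):
    """Return {ip: distinct_404_paths} for sources probing many missing paths (scan pattern)."""
    not_found = defaultdict(set)
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and m.group(4) == "404":
            not_found[m.group(1)].add(m.group(3))
    return {ip: len(paths) for ip, paths in not_found.items() if len(paths) >= threshold}
```

A source that both scans the web server and succeeds after repeated SSH failures is the hypothesis to confirm with live forensics on the host.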
Module 3 - Advanced Persistent Threats
  • This module dives straight into an advanced threat detected within your organization. You are given the symptoms of the attack, and then are required to investigate the incident using an actual network setup for this purpose. You are provided with logs that you request based on the hypothesis you are building along with access to endpoints for live forensics.
  • Tools/Technologies covered: Web proxy logs, Active Directory, Windows endpoint, anti-virus, Sysinternals Suite etc.
Module 1 - Data Leakage
  • You have been informed by a particular manager within the marketing department that there is a suspicion of a user or particular set of users leaking out customer data to the competition. You are required to investigate this discreetly.
  • Technologies covered: DLP logs, proxy logs, endpoint, Active Directory, etc.
Module 2 - Ransomware Infection
  • Your systems are being impacted by ransomware. Your anti-virus is unable to protect your endpoints, and the infection may begin spreading rapidly. You need to investigate this ransomware quickly and understand how it spreads.
  • Tools/Technologies covered: Ransomware samples, malware analysis, reverse engineering, Cuckoo sandbox, etc.
Module 3 - Payment System Compromised
  • You have received notification from your Fraud Control Unit that some counterparties have informed them of a potential breach on the SWIFT payment system. You are required to undertake the investigation end to end and determine the source of the leakage and also carry out a root-cause analysis.
  • Technologies covered: Unix system logs, Windows system logs, application logs
Module 4 - Wrap-Up & Lessons Learnt
  • From the hands-on case studies covered, what changes would you make to your existing incident management processes and toolkits? What modifications would you make to your runbooks?

Ethical Hacking Training

This course goes deep into networking, systems, web applications and actual exploitation, and helps beginners take a confident first step into the information security field.

  • 6 Weeks Comprehensive Training
  • Built by Experienced Professionals
  • Course content regularly updated with new tools and techniques