
Course ID

CIHE

Title

Certified Incident Handling Engineer

Price

$3,395.00

Duration

5 Days

Audience


Level


Delivery Method


Software Assurance


Microsoft CPE


Course Audience

System Administrators

Security Consultants

IT Departments

Incident Handlers


Course Objectives

Upon completion, students will:

Have knowledge to detect security threats, risk, and weaknesses.

Have knowledge to plan for prevention, detection, and responses to security breaches.

Have knowledge to accurately report on their findings from examinations.

Be ready to sit for the C)IHE Certification Exam.

Course Content
With 13 modules and 14 Labs, the C)IHE will prepare you to handle the toughest incidents of security breaches because you will have knowledge and experience under your belt.

Course Description

The Certified Incident Handling Engineer course is designed to help incident handlers, system administrators, and general security engineers understand how to plan, create, and utilize their systems in order to prevent, detect, and respond to security breaches. Every business connected to the internet is being probed by hackers trying to gain access. While we implement protective measures to prevent intrusions from ever happening, every business needs to know how to detect and resolve security breaches if and when they occur. Certified Incident Handlers are prepared to handle these situations effectively.

Students will learn common attack techniques, vectors, and tools used by hackers so that they can effectively prevent, detect, and respond to them. This course is ideal for those who lead, or are members of, an incident handling team.

Furthermore, students will enjoy numerous hands-on lab exercises that focus on topics such as reconnaissance, vulnerability assessments using Nessus, network sniffing, web application manipulation, malware, using Netcat, plus several additional scenarios for both Windows and Linux systems. This lab-intensive course (20 hours or 50%) will put you ahead of the competition and adversaries, and set you apart as a leader in incident handling.

Course Prerequisites

C)SS: Security Sentinel

C)ISSO: Information Systems Security Officer

OR Equivalent Experience


Course Outline

Introduction 

Introduction

Courseware Materials

Who is this class for?

What is the purpose of this course?

What information will be covered?

The Exam

What is Incident Handling?

What is a security event?

Common Security Events of Interest

What is a security incident?

Why Incident Response?

Common Goals of Incident Response Management

What is an incident response plan?

When does the plan get initiated?

Six Step Approach to Incident Handling

Course Details


Threats, Vulnerabilities and Exploits

Overview

Malware

Botnets

Attacks: IP Spoofing

CM: Ingress Filtering

ARP Cache Poisoning

ARP Normal Operation

ARP Cache Poisoning

ARP Cache Poisoning (Linux)

Countermeasures

What is DNS spoofing?

Tools: DNS Spoofing

Session Hijacking

Session Hijacking

4 Methods continued

Methods to Prevent Session Hijacking

Buffer Overflows

Buffer Overflow Definition

Evading The Firewall and IDS

Evasive Techniques

Firewall – Normal Operation

Evasive Technique - Example

Attack: Phishing

Social Engineering

SET

SET

Attack: Denial of Service

Attack: Insider Threat

Wireless Attacks

Software Attacks

Vulnerability Assessment

Penetration Testing

Exploitation

Review


Preparation

Overview

Senior Management Support

Policies and Procedures

The Team

Identify Incident Response Team

Roles of the Incident Response Team

IRT Team Makeup

Team Organization

Incident Communication

Incident Reporting

Incident Response Training and Awareness

Underlying Technologies

Anti-virus

Virus Total

Demo

SIEM

User Identity

Ticketing System

Instructor Demo

RTIR Features and Demo

Digital Forensics

eDiscovery

Data Backup and Recovery

Underlying Technologies

Technical Baselines


RTIR

Overview

What is Request Tracker?

RT Cake

Why Use Request Tracker?

Who Uses Request Tracker?

RT Components

Tickets

Queues

What is RTIR?

RTIR Components

RTIR Workflow

File an Incident Report

Create an Incident

Launch an Investigation

Initiating a Block

RTFM


Preliminary Response 

Overview

Responder Toolkit

Responder’s System

What to look for

Attention

Volatility

First things first

Windows Log Events

Windows Log Events

Windows Services

Windows Network Usage

Windows Network Usage

Windows Scheduled Tasks

Windows Accounts

Windows Tools

Linux Log Events

Linux Log Events

Linux Processes

Linux Network Usage

Linux Scheduled Tasks

Linux Accounts

Linux Files

Linux Files

Linux Tools

Review


Identification and Initial Response

Goal

Challenges

Categorize Incidents

Incident Signs

Three Basic Steps

Receive

Examples of Electronic Signs

Examples of Human Signs

Analyze

Analysis

Incident Documentation

Incident Prioritization

Incident Notification


Sysinternals 

Overview

Introduction

Where to get them

Process Explorer

Procexp Features

Process Monitor

Procmon Filtering Engine

Autoruns

PsTools

Psexec

Disk Utilities

Disk Monitor

Diskview

Security Utilities

Sigcheck

TCPView


Containment 

Overview

Containment

Goals

Delaying Containment

Choosing a Containment Strategy

On-site Response

Secure the Area

Conduct Research

Procedures for Containment

Make Recommendations

Establish Intervals

Capture Digital Evidence

Change Passwords


Eradication 

Overview

Eradication

Goals

Procedures for Eradication


Follow-up

Overview

Follow-up

Goals

Procedures of Follow-up


Incident-handling recovery

Overview

Recovery

Goals

Procedure for Recovery


Virtual Machine Security

Virtualization Components

Virtualization Attacks

Identifying VMs


Malware Incident Response

Agenda

History of Malware

Computer Viruses

Compiled Viruses

Interpreted Viruses

Computer Worms

Trojans

Backdoors

Instructor Demo

Executable Wrappers

Instructor Demo

Rootkits

Instructor Demo

Mobile Code

Blended Attacks

Cookies

Browser Plug-ins

E-mail Generators

Key Loggers

Instructor Demo

Review

Agenda

The Policy

Policy Considerations

User Awareness

Instructor Demo

Vulnerability Vs. Threat Mitigation

Patch Management

Account Security

Host Hardening

Host Hardening - Examples

Anti-virus Software

Instructor Demo

Spyware Detection and Removal

Intrusion Prevention Systems

Firewall and Routers

Application Security Settings

Instructor Demo

Review

Agenda

The Decision Flow

Confirm the Infection

Determine Course of Action Decision Flow

Clean the System Decision Flow

Attempt to Clean the System

Clean the System

Attempt to Restore System State

Rebuild the System Decision Flow

Rebuild the System

Conduct a Post-Attack Review

Review


Labs

Netcat (Basics of Backdoor Tools)

Exploiting and Pivoting our Attack

Creating a Trojan

Capture FTP Traffic

ARP Cache Poisoning Basics

ARP Cache Poisoning - RDP

Input Manipulation

Shoveling a Shell

Virus Total

Create Malware using SET

The Trojans

Examine System Active Processes and Running Services

Examine Startup Folders

The Local Registry

The IOC Finder – Collect

IOC Finder – Generate Report

Malware Removal


Status

Active

Technology

CyberSecurity

Category

Cybersecurity

SubCategory

Incident Handling and Response

Details

Certified Incident Handling Engineer

Attachments

Version: 4.0
Created at 5/12/2015 2:53 PM by Cole
Last modified at 1/4/2016 3:52 PM by Steve Rosso