mile2® Store

Certified Incident Handling Engineer

Key Data

Certified Incident Handling Engineer Course Description

Course Name: Certified Incident Handling Engineer

Duration: 5 days

Language: English

Format:
• Instructor-led classroom
• Computer Based Training
• Live Virtual Training

Prerequisites:
• A minimum of 12 months experience in networking technologies
• Sound knowledge of TCP/IP
• Knowledge of Microsoft packages
• Network+, Microsoft, Security+
• Basic Knowledge of Linux is essential

Student Materials:
• Student Workbook
• Student Reference Manual
• Key Security Concepts & Definitions Book

 

Live Remote Training:

Attend live classes from anywhere in the world!

• Live presentations with powerful functionality that delivers easy viewing of slides and other documents, shared Internet access, virtual whiteboard, and a media center all through an easy-to-use toolbar.
• Application, file, and desktop sharing enable you to view live demonstrations.
• Dedicated high-spec remote PC per student, with full access as if you were sitting in front of the PC in the classroom.
• The instructor views each student's session as you perform your hands-on labs and can access your remote system to demonstrate and assist while you sit back to absorb the classroom-style mentoring you expect.
• Public and private text chat allows for increased interactivity between students and instructor.

Graduates of the mile2 Certified Incident Handling Engineer training obtain real-world security knowledge that enables them to recognize vulnerabilities, exploit system weaknesses and help safeguard against threats. This course covers the same objectives as the SANS® Security 504 training and prepares students for the GCIH® and C)IHE certification exams.

 

Course Overview:

The Certified Incident Handling Engineer course is designed to help incident handlers, system administrators and general security engineers understand how to plan, create and use their systems in order to prevent, detect and respond to attacks.

In this in-depth training, students will learn the step-by-step approaches used by hackers globally, the latest attack vectors and how to safeguard against them, incident handling procedures (including developing the process from start to finish and establishing your incident handling team), strategies for each type of attack, recovering from attacks and much more.

Students will also enjoy numerous hands-on laboratory exercises that focus on topics such as reconnaissance, vulnerability assessments using Nessus, network sniffing, web application manipulation, malware, Netcat and several additional scenarios for both Windows and Linux systems.

 

Objective of Labs:

This is an intensive hands-on class: you will spend 20 hours or more performing labs. Rather than spend too much time installing 300 tools, our focus will be on the Pen Testing model. The latest Pen Testing tools and methods will be taught. Laboratories change weekly as new methods are found. We will be using many different tools, from GUI to command line. As we work through structured attacks, we try to cover tools for both Windows and Linux systems.

 

Upon Completion:

Students will be able to confidently undertake the C)IHE certification examination (recommended). Students will enjoy an in-depth course that is continuously updated to keep pace with the ever-changing security world. This course offers up-to-date proprietary laboratories that have been researched and developed by leading security professionals from around the world.





Certified Incident Handling Engineer Module Topics:


Module 0: Introduction
Module 1: Incident Handling Explained
Module 2: Preparation
Module 3: Identification and Initial Response
Module 4: Containment
Module 5: Recovery
Module 6: Linux Fundamentals
Module 7: Reconnaissance
Module 8: The Art of Scanning
Module 9: Hacking Wireless Networks
Module 10: IDS Evasion
Module 11: Vulnerability Scanning
Module 12: Hacking Linux Systems
Module 13: Hacking Windows Systems
Module 14: Advanced Code and Application Attack Techniques
Module 15: Password Cracking
Module 16: Enumeration
Module 17: Attacking Web Technologies & Applications
Module 18: Database Exploitation
Module 19: Malware Goes Undercover
Module 20: Maintaining Access
Module 21: Covering the Tracks
Module 22: Hands-On Analysis


Introduction

Courseware Materials
Who is this class for?
What information will be covered?


Incident Handling Explained

What is Incident Handling?
What is a security event?
Common Security Events of Interest
What is a security incident?
What is an incident response plan?
When does the plan get initiated?
Common Goals of Incident Response Management
Six-step approach to Incident Handling


Preparation

Goal
Be Prepared
The Incident Response Plan
Identify Incident Response Team
Roles of the Incident Response Team
IRT Team Makeup
Challenges of building an IRT
Incident Response Training and Awareness
Jump Kit
Prepare Your Sites and Systems
Practical Advice



Identification and Initial Response

Goal
Three Basic Steps
Step 1 - Receive
Examples of Electronic Sensors
Examples of Human Sensors
Step 2 - Collect
Step 3 - Analyze
Analyze - First Steps
Basic Incident Response Steps
Proper Evidence Handling


Containment

Goal
Onsite Response
Secure the Area
Conduct Research
Make Recommendations
Establish Intervals
Capture Digital Evidence
Change Passwords


Eradication

Goal
Determine Cause
Defend Against Follow-on Attacks
More Defenses
Analyze Threat and Vulnerability
Remove the Cause of the Incident
Restore System(s) to Operation


Recovery

Goal
Report Findings
Restore System
Verify
Decide
Monitor Systems


Follow Up

Goal
Develop Follow-up Report
Follow-Up Report


Linux Fundamentals

Overview
Linux History: Linus + Minix = Linux
The GNU Operating System
Linux Introduction
Linux GUI Desktops
Linux Shell
Linux Bash Shell
Recommended Linux Book

Password & Shadow File Formats
User Account Management
Instructor Demonstration
Changing a User Account Password
Configuring Network Interfaces with Linux
Mounting Drives with Linux
Tarballs and Zips
Compiling Programs in Linux
Typical Linux Operating Systems
Gentoo = Simple Software Install Portal
Why Use Live Linux Boot CDs
FrozenTech’s Complete Distro List
Most Popular: BackTrack
BackTrack3 June 19th Updates
Review


Reconnaissance

Overview
What Information is gathered by the Hacker?
Methods of Obtaining Information
Physical Access
Social Access
Social Engineering Techniques
www.myspace.com
Facebook
www.facebook.com
Others From Around the World
Identity Theft and MySpace
Instant Messengers and Chats
Digital Access
Passive vs. Active Reconnaissance
Footprinting defined
Maltego
Maltego GUI
Firecat v1.5
Firefox Fully Loaded
Footprinting tools
Johnny.Ihackstuff.com
Google and Query Operators
Google (cont.)
Instructor Demonstration
SPUD: Google API Utility Tool
Instructor Demonstration
Blogs, Forums & Newsgroups
Internet Archive: The WayBack Machine
Domain Name Registration 
WHOIS 
WHOIS Output
Instructor Demonstration
http://www.dirk-loss.de/onlinetools

Instructor Demonstration
Dnsstuff.com performs various searches, including WHOIS searches.
Instructor Demonstration
DNS Databases
Using Nslookup
Dig for Unix / Linux
Traceroute Operation
Visual Mapping
Instructor Demonstration
People Search Engines
EDGAR For USA Company Info
Companies House For British Company Info
http://www.companieshouse.gov.uk/
Client Email Reputation
Intelius info and Background Check Tool
Web Server Info Tool: Netcraft
Countermeasure: Domainsbyproxy.com
Footprinting Countermeasures
Review




The Art of Scanning

Overview
Introduction to Port Scanning
Port Scan Tips
Expected Results
Tools: Organizing Results
Leo meta-text editor
Instructor Demo: Leo
Free Mind: Mind mapping
IHMC CmapTools
Popular Port Scanning Tools
Stealth Online Ping
NMAP: Is the Host On-line
ICMP Disabled?
NMAP TCP Connect Scan
TCP Connect Port Scan
Nmap (cont.)
Tool Practice: TCP Half-open & Ping Scan
Half-open Scan
Firewalled Ports
Iron Geek
NMAP Service Version Detection
Additional NMAP Scans
Saving NMAP results
NMAP UDP Scans
UDP Port Scan
Advanced Technique
Tool: Superscan
Tool: Look@LAN


Tool: Hping2
Tool: Auto Scan
OS Fingerprinting: Xprobe2
Xprobe2 Options
What Is Fuzzy Logic?
Tool: P0f – Passive OS Fingerprinting Utility
Tool Practice: Amap
Tool Fragrouter: Fragmenting Probe Packets
Countermeasures: Scanning
Scanning Tools Summary
Review



Hacking Wireless Networks

Overview
Standards Comparison
SSID (Service Set Identity)
MAC Filtering
Wired Equivalent Privacy
Weak IV Packets
XOR - Basics
WEP Weaknesses
How WPA improves on WEP
TKIP
The WPA MIC Vulnerability
802.11i - WPA2
WPA and WPA2 Mode Types
WPA-PSK Encryption
LEAP
LEAP Weaknesses
NetStumbler
War Driving With KNSGEM
Vistumbler
Tool: Kismet
Analysis Tool: OmniPeek Personal
OmniPeek Console
Instructor Demonstration
Tool: Aircrack-ng Suite
Tool: Airodump-ng
Tool: Aireplay
DoS: Deauth/Disassociate Attack
Tool: Aircrack
Aircrack for Windows
Attacking WEP
Attacking WPA
coWPAtty
Exploiting Cisco LEAP
asleap
WiFiZoo
Wesside-ng
www.wirelessdefence.org


Typical Wired/Wireless Network
802.1X: EAP Types
EAP Advantages/Disadvantages
EAP/TLS Deployment
New Age Protection
Review


IDS Evasion

Covering Tracks Overview
Disabling Auditing
Clearing an Event Log
Hiding Files with NTFS Alternate Data Stream
NTFS Streams Countermeasures
Stream Explorer
Logs and Auditing
Tor: Anonymous Internet Access
How Tor Works
Encrypted Tunnel Notes
Linux Shell
Linux Bash Shell
Protocols Overview
OSI – Application Layer
OSI – Presentation Layer
OSI – Session Layer
Transport Layer
OSI – Network Layer
OSI – Data Link
OSI – Physical Layer
Protocols at Each OSI Model Layer
TCP/IP Suite
Port and Protocol Relationship
Conceptual Use of Ports
UDP versus TCP
Protocols – ARP
Protocols – ICMP
Network Service – DNS
SSH Security Protocol
SSH
Protocols – SNMP
Protocols – SMTP
Example Packet Sniffers
Sniffer Detection using Cain & Abel
Active Sniffing Methods
Linux Tool Set: Dsniff Suite
Dsniff Operation
Countermeasures for Sniffing
What is Steganography?


Steganography Tools
Shredding Files Left Behind
Leaving No Local Trace
More Anonymous Software
StealthSurfer Privacy Stick


Vulnerability Scanning

Overview
Vulnerabilities in Network Services
Vulnerabilities in Networks
Staying Abreast: Security Alerts
Vulnerability Scanners
Nessus
Nessus Report
Tool: LANguard
Instructor Demonstration
Vulnerability Scanners Examples
Microsoft Baseline Analyzer
MBSA Scan Report


Network Level Attacks

Overview
IP Spoofing
Ingress Filtering
ARP Cache Poisoning
ARP Normal Operation
ARP Cache Poisoning
ARP Cache Poisoning (Linux)
Countermeasures
What is DNS spoofing?
Tools: DNS Spoofing
TCP Connect Port Scan
TCP 3-Way Handshake
TCP Flags
Session Hijacking
4 methods continued
Methods to Prevent Session Hijacking
Buffer Overflows
Buffer Overflow Definition
Overflow Illustration
How Buffers and Stacks Are Supposed to Work
Stack Function
How a Buffer Overflow Works
Buffer Overflows
Heap Spraying
Prevention
Example Packet Sniffers
Tool: Pcap & WinPcap


Tool: Wireshark
TCP Stream Re-assembling
Wireshark can re-create any TCP session.
Tool: Packetyzer
tcpdump & windump
Tool: OmniPeek
Sniffer Detection using Cain & Abel
Promiscuous-mode Scanner
Active Sniffing Methods
Switch Table Flooding
ARP Cache Poisoning
ARP Normal Operation
ARP Cache Poisoning (Linux)
Countermeasures
Tool: Cain and Abel
Ettercap
Linux Tool Set: Dsniff Suite
Dsniff Operation
MailSnarf, MsgSnarf, FileSnarf
What is DNS spoofing?
Tools: DNS Spoofing
Session Hijacking
Breaking SSL Traffic
Tool: Breaking SSL Traffic
Tool: Cain and Abel
Voice over IP (VoIP)
Intercepting VoIP
Intercepting RDP
Cracking RDP Encryption
Routing Protocols Analysis
Countermeasures for Sniffing
Evading The Firewall and IDS
Evasive Techniques
Firewall – Normal Operation
Evasive Technique -Example
Evading With Encrypted Tunnels
Newer Firewall Capabilities
‘New Age’ Protection
Networking Device – Bastion Host
SpySnare - Spyware Prevention System (SPS)
Intrusion ‘SecureHost’ Overview
Intrusion Prevention Overview
Review


Hacking Linux Systems

Overview
Introduction
File System Structure
Kernel
Processes


Starting and Stopping Processes
Interacting with Processes
Accounts and Groups
Password & Shadow File Formats
Accounts and Groups
Linux and UNIX Permissions
Set UID Programs
Trust Relationships
Logs and Auditing
Common Network Services
Remote Access Attacks
Brute-Force Attacks
Brute-Force Countermeasures
X Window System
X Insecurities Countermeasures
Network File System (NFS)
NFS in Action
NFS Countermeasures
Passwords and Encryption
Password Cracking Tools
Salting
Symbolic Link
Symlink Countermeasure
Core File Manipulation
Shared Libraries
Kernel Flaws
File and Directory Permissions
SUID Files Countermeasure
File and Directory Permissions
World-Writable Files Countermeasure
Clearing the Log Files
Rootkits
Rootkit Countermeasures
Review


Hacking Windows Systems

Overview
Types of Password Attacks
Keystroke Loggers
Password Guessing
Password Cracking LM/NTLM Hashes
LM Hash Encryption
NT Hash Generation
Syskey Encryption
Instructor Demonstration
Cracking Techniques
Precomputation Detail
Creating Rainbow Tables
Free Rainbow Tables
NTPASSWD: Hash Insertion Attack


Password Sniffing
Windows Authentication Protocols
Hacking Tool: Kerbsniff & KerbCrack
Countermeasure: Monitoring Event Viewer Log
Hard Disk Security
Free HD Encryption Software
Breaking HD Encryption
Tokens & Smart Cards
Smart Cards
Covering Tracks Overview
Disabling Auditing
Clearing an Event Log
Hiding Files with NTFS Alternate Data Stream
Instructor Demonstration
NTFS Streams Countermeasures
Stream Explorer
What is Steganography?
Instructor Demonstration
Steganography Tools
Shredding Files Left Behind
Leaving No Local Trace
More Anonymous Software
StealthSurfer Privacy Stick
Tor: Anonymous Internet Access
How Tor Works
Instructor Demonstration
Encrypted Tunnel Notes
Hacking Tool: RootKit
Windows RootKit Countermeasures
Review


Advanced Code and Application Attack Techniques

Overview
How Do Exploits Work?
Format String
Race Conditions
Memory Organization
Buffer Overflows
Buffer Overflow Definition
Overflow Illustration
Stack Function
How a Buffer Overflow Works
Heap Overflows
Heap Spraying
Prevention
Security Code Reviews
Stages of Exploit Development
Shellcode Development


The Metasploit Project
Defense in Depth
Meterpreter
Fuzzers
Instructor Demonstration
Review


Password Cracking

Password Guessing
Password Cracking LM/NTLM Hashes
Passwords and Encryption
Popular Password Crackers
Password Cracking Tools
John the Ripper
One-Time Password
Rule-Based Attack
L0phtCrack
Ophcrack
Brutus
Precomputation Detail
Creating Rainbow Tables
Free Rainbow Tables
Cain
Tool: Enumeration with Cain and Abel


Enumeration

Enumeration Overview
Web Server Banners
Practice: Banner Grabbing with Telnet
SuperScan 4 Tool: Banner Grabbing
HTTPrint
SMTP Server Banner
DNS Enumeration
Zone Transfers from Windows 2000 DNS
Backtrack DNS Enumeration
Instructor Demonstration
Countermeasure: DNS Zone Transfers
SNMP Insecurity
SNMP Enumeration Tools
SNMP Enumeration Countermeasures
Active Directory Enumeration 
LDAPMiner
AD Enumeration Countermeasures
Null sessions
Syntax for a Null Session
Viewing Shares
Tool: DumpSec
NAT Dictionary Attack Tool
THC-Hydra


Null Session Countermeasures
Enumeration Tools Summary
Review


Attacking Web Technologies and Applications

Overview
Web Server Market Share
Common Web Application Threats
Progression of the Professional Hacker
The Anatomy of a Web Application Attack
Components of a Generic Web Application System
Query String
URL mappings to the web application system
Web Application Penetration Methodologies
Changing URL Login Parameters
Cross-Site Scripting (XSS)
Stored Cross-Site Scripting Illustrated
Reflected Cross Site Scripting Illustrated
Business Impacts of XSS
Finding and Fixing XSS
Injection Flaws
Unvalidated Input
Unvalidated Input Illustrated
Business Impacts of Unvalidated Input
Finding and Fixing Unvalidated Input
Attacks against IIS
IIS Directory Traversal
Unicode
IIS Logs
Unicode Example
Assessment Tool: Stealth HTTP Scanner
Instructor Demonstration
NTOSpider
HTTrack Tool: Copying the website offline
Wikto
Tool: Paros Proxy
Instructor Demonstration
Tool: Burp Proxy
Dictionary Maker
Cookies
Acunetix Web Scanner
OWASP WebScarab
A Web Application Testing Proxy
Samurai Web Testing Framework
Review



Database Exploitation

Overview
Vulnerabilities and Common Attacks
SQL Injection
Business Impacts of SQL Injection
Why SQL “Injection”?
SQL Injection: Enumeration
SQL Extended Stored Procedures
Direct Attacks
SQL Connection Properties
Attacking Database Servers
Obtaining Sensitive Information
Hacking Tool: SQL Ping 3
Hacking Tool: osql.exe
Hacking Tool: Query Analyzers
Hacking Tool: SQLExec
www.petefinnegan.com
Hacking Tool: Metasploit
Finding and Fixing SQL Injection
Hardening Databases
Review


Denial-of-Service Attack

Effects of DoS Attacks
DDoS Issues
Permanent Denial of Service Attack
DDoS Attack
DDoS
Pulsing Zombie
Reflected Attack
Fork Bomb
Backscatter
Resource Starvation
Livelock
Banana Attack
Nuke
Non-Repudiation
SQL Slammer Worm
FIN Scan
Idle Scan
SYN Floods
Smurf Attack


Malware Goes Undercover

Overview
Distributing Malware
Malware Capabilities
Autostarting Malware
Countermeasure: Monitoring Autostart Methods
Tool: Netcat


Netcat Switches
Netcat as a Listener
Instructor Demonstration
Executable Wrappers
Instructor Demonstration
Benign EXEs Historically Wrapped with Trojans
Tool: Restorator
Tool: Exe Icon
The Infectious CD-ROM Technique
Trojan: Backdoor.Zombam.B
Trojan: JPEG GDI+
All in One Remote Exploit
Advanced Trojans: Avoiding Detection
BPMTK
Malware Countermeasures
Gargoyle Investigator
Spy Sweeper Enterprise
CM Tool: Port Monitoring Software
CM Tools: File Protection Software
CM Tool: Windows File Protection
CM Tool: Windows Software Restriction Policies
Company Surveillance Software
CM Tool: Hardware-based Malware Detectors
Countermeasure: User Education
Review


Maintaining Access

Trojan Horses
Types of Trojans
Trojan Engines
Trojan Vectors
System Integrity Verifiers
Back Orifice Trojan
Trojan.Lodear
Win32/FlyStudio
Win32/Pacex.Gen
Win32/PSW.OnLineGames
WMA/TrojanDownloader.GetCodec
Qaz
Types of Malware
Types of Malware Cont...
Types of Viruses
More Malware: Spyware
Benign EXEs Historically Wrapped with Trojans
The Infectious CD-ROM Technique
Trojan: Backdoor.Zombam.B
Trojan: JPEG GDI+
All in One Remote Exploit


Advanced Trojans: Avoiding Detection
Malware Countermeasures
Rootkits
Hacking Tool: RootKit
Windows RootKit Countermeasures
Rootkit Countermeasures
Adore
chkrootkit
Firmware rootkit
Kernel-level rootkits
Application Level Rootkit
Boot Loader Rootkit
rkhunter
Kernel Flaws
Instructor Demonstration


Covering the Tracks

Overview
Disabling Auditing
Clearing an Event Log
Hiding Files with NTFS Alternate Data Stream
NTFS Streams Countermeasures
Stream Explorer
Logs and Auditing
Tor: Anonymous Internet Access
Encrypted Tunnel Notes
Linux Shell
Linux Bash Shell
Protocols Overview
OSI – Application Layer
OSI – Presentation Layer
OSI – Session Layer
Transport Layer
OSI – Network Layer
OSI – Data Link
OSI – Physical Layer
Protocols at Each OSI Model Layer
TCP/IP Suite
Port and Protocol Relationship
Conceptual Use of Ports
UDP versus TCP
Protocols – ARP
Protocols – ICMP
Network Service – DNS
SSH Security Protocol
SSH
Protocols – SNMP
Protocols – SMTP
Example Packet Sniffers

 
