RSA NetWitness Platform Analysis
Course Details
RSA NetWitness Platform Analysis
Duration: 2 Days
Course Code: RSANWAT
Prerequisite:
Students should have familiarity with the basic processes of cybersecurity analysis, including some knowledge of network architecture, the TCP/IP stack, networking protocols, and integrating log & network traffic to perform analysis on network-based security events.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:
• RSA NetWitness Platform Foundations
Course Description:
This classroom training provides hands-on experience using the features and functions of the RSA NetWitness Platform to respond to, investigate, and document security incidents.
Course Objective:
Upon completion of this course, you will be able to:
• Identify Analyst roles and SOC models
• Describe incident types and methods to prioritize incidents
• Describe the Incident Response process
• Use analysis tools and interfaces to perform incident response
• Describe the Investigative Methodology
• Describe a systematic approach to investigate metadata
• Describe the Investigation Model
• Identify types of threats
• Use the incident response process, the investigative methodology, and the analysis tools to investigate multiple use cases using packets, logs, and endpoint data
Intended Audience:
Level 1 and Level 2 analysts relatively new to RSA NetWitness Platform, who wish to increase their familiarity with the tool’s features and functions within the context of incident response and analysis.
Course Outline:
Analysis Tools and Processes
• Security Operations models
o Security Operations Roles
o SOC Models
o Escalation Workflow
• Incident Response Process
• Incident Response Tools
o Monitoring the Respond Interface
o Assigning an Incident
o Reviewing Threat Intelligence
o Obtaining Event Details
o Reviewing Logs
o What Should You Look For?
o Obtaining Additional Information
o Performing Analysis
o Investigating Events
o Creating Meta Groups, Queries, Query Profiles, Custom Column Groups, and Profiles
o Viewing Encrypted Traffic
o Documenting the Incident
o Closing/Escalating/Remediating the Incident
o Analysis Methodology
Investigating Metadata
• Investigative Methodology
o Asking the Right Questions
o Phase 1: Triage
o Phase 2: Root Cause Analysis
o Phase 3: Scoping Operations
o Incident Types
o Incident Response Process
o Prioritizing Incidents
• NetWitness Metadata
o Layered Contextual Approach
o Traffic Directionality
o Network Layer Context Meta
o Endpoint Process Meta
o Endpoint Registry Meta
o Endpoint Network-Process Meta
o Windows Security Event Log Meta
o Meta Groups
o Compromise Meta
o Session, Service and File Characteristics
• Threat Examples
o Phishing
o Malware
o Lateral Movement
o Webshells
o Command and Control
o Data Exfiltration
Analysis Use Cases
• Responding to a Phishing incident using Packets
• Responding to a Suspicious Activities incident using Logs
• Responding to a Drive-by Download incident using Packets and Endpoint
• Responding to an Apache Struts Exploit incident using Packets, Logs, and Endpoint