MANDIANT CONSULTING
2016 EXTERNAL EDUCATION COURSE CATALOG

CONTENTS
Our External Education Program ............................ 3
Malware Analysis Course Descriptions ...................... 5
Cyber Crime & Incident Response Course Descriptions ....... 8
Network Investigations Course Descriptions ............... 10
Linux and UNIX Investigations Course Descriptions ........ 11
Appendix A: Mandiant Services ............................ 13
Appendix B: Mandiant Company Background .................. 15
Appendix C: Mandiant Publications ........................ 16
Appendix D: Mandiant Company Information ................. 17

COURSE CATALOG / 2016 EXTERNAL EDUCATION (page 2)
OUR EXTERNAL EDUCATION PROGRAM

Mandiant, a division of FireEye, believes in intense, hands-on training that develops performable skills. We use operational case scenarios to ensure greater effectiveness. Our classes and exercises are reality-based rather than classroom mock-ups, and every class is led by some of the most experienced cyber security professionals in the business.
We follow a proven training methodology that is enhanced by our significant experience responding to real-world attacks. Mandiant helps our clients respond to sophisticated security breaches on a daily basis – we are able to leverage our understanding of attackers’ methodologies, tools, and tactics to identify security vulnerabilities.

Our strength is our experience. Mandiant consultants have extensive experience providing information security advice to Fortune 500 organizations and government agencies. Our consultants include former law enforcement officers, intelligence officers, Department of Defense computer security specialists, computer programmers, forensic examiners, and published experts who have significant experience shaping the information security programs at global organizations.

Mandiant’s education courses can be customized to meet the specific needs and environment of the client. Our current course offerings include:

• Malware Analysis
  -- Introduction to Malware Analysis for Non-programmers (1 day)
  -- Malware Analysis Crash Course (2 days)
  -- Fundamentals of Malware Reverse Engineering (3 days)
  -- Special Topics in Malware Analysis (5 days)
  -- Customized Malware Analysis
• Cyber Crime & Incident Response
  -- Introduction to Cyber Crime for Executives (1 day)
  -- Enterprise Incident Response (3 days)
• Network Investigations
  -- Network Traffic Analysis (3 days)
  -- Wireless Security (2 days)
• Linux and UNIX Investigations
  -- Introduction to Linux for Security Professionals (3 days)
  -- UNIX Investigations (5 days)
MALWARE ANALYSIS COURSE DESCRIPTIONS

INTRODUCTION TO MALWARE ANALYSIS FOR NON-PROGRAMMERS (1 DAY)

This course provides a beginner-level introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. This class is taught by M-Labs Malware Analysts who are experienced in analyzing a diverse set of malware.

Modules Included
• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as using virtual machines.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.

Who Should Attend
Information technology staff, information security staff, corporate investigators or others requiring an understanding of how malware functions and the steps and processes involved in malware analysis.

Course Pre-requisites
Students should have a general knowledge of computer and operating system fundamentals. Some exposure to computer programming fundamentals and Windows Internals experience is recommended.

MALWARE ANALYSIS CRASH COURSE (2 DAYS)

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. They will learn how to extract host- and network-based indicators from a malicious program. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

Modules Included
• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as using virtual machines.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.
• Module 4: Disassembly – Learn the basics and build a foundation of the x86 assembly language, and also learn how to use IDA Pro, THE tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.

Who Should Attend
This course is intended for software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Course Pre-requisites
Students should have an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows Internals experience is highly recommended.
FUNDAMENTALS OF MALWARE REVERSE ENGINEERING (3 DAYS)

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. They will learn how to extract host- and network-based indicators from a malicious program. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

Modules Included
• Module 4: Disassembly – Learn the basics and build a foundation of the x86 assembly language, and also learn how to use IDA Pro, THE tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.
• Module 14: Packers and Unpacking – Learn how to unpack manually, an important skill for analyzing malware.

Who Should Attend
Information security staff, forensic investigators, or others requiring an understanding of how to overcome difficult challenges in malware analysis.

Course Pre-requisites
Training or experience in malware analysis and extensive knowledge of computer and operating system fundamentals are required. Exposure to software development is also highly recommended.

SPECIAL TOPICS IN MALWARE ANALYSIS (5 DAYS)

Malware authors sometimes take deliberate steps to thwart the reverse engineering of their malware. This course is focused on advanced topics related to combating malware defense mechanisms. It is designed for the experienced malware analyst; a robust skill set in x86 architecture and the Windows APIs is essential. Students will learn how to specifically combat anti-disassembly, anti-debugging and anti-virtual machine techniques. Students will also learn how to defeat packed and armored executables and will be challenged to demonstrate these skills several times throughout the course. Additional topics covered will include malware stealth techniques, such as process injection and rootkit technology; analyses of samples written in alternate programming languages, such as Delphi and C++; and a review of available tools and techniques. All concepts and materials presented are reinforced with demonstrations, real-world case studies, follow-along exercises, and student labs to allow students to practice what they have learned. This class is taught by senior FLARE Malware Analysts who are experienced in fighting through state-of-the-art malware armor.

Modules Included
• Module 7: Stealth – Learn how malware hides its execution, including process injection and user-space rootkits.
• Module 8: Shellcode – Learn how shellcode works from beginning to end, including position independence and symbol resolution.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 10: Scripting IDA Pro – Learn how to automate IDA Pro to help you analyze malware more efficiently.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.
• Module 13: Reversing C++ – Learn how C++ concepts like inheritance, polymorphism, and objects influence analysis.
• Module 14: Packers and Unpacking – Learn how to unpack manually, an important skill for analyzing malware.
• Module 16: 64-bit Malware – Learn about how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86.
• Module 17: Encryption and Encoding – Learn to deal with string obfuscation techniques commonly used by malware, and to decode malware communications by analyzing network packet captures based on your analysis.
• Module 19: .NET Reversing – Learn how to reverse engineer .NET bytecode and deal with obfuscation techniques employed by attackers.

Who Should Attend
Information security staff, forensic investigators, or others requiring an understanding of how to overcome difficult challenges in malware analysis.

Course Pre-requisites
Training or experience in malware analysis and extensive knowledge of computer and operating system fundamentals are required. Exposure to software development is also highly recommended.
CUSTOMIZED MALWARE ANALYSIS

We offer customized malware analysis training solutions in order to address the business needs of clients that have specific learning objectives. We can build a course that includes any of our 20 malware analysis modules. These modules range from basic concepts of analyzing disassembly all the way to advanced concepts like x64 and anti-reverse engineering techniques. Each module includes targeted learning and hands-on activities that were authored by the FLARE malware analysis team at FireEye.

• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as using virtual machines.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.
• Module 4: Disassembly – Learn the basics and build a foundation of the x86 assembly language, and also learn how to use IDA Pro, THE tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.
• Module 7: Stealth – Learn how malware hides its execution, including process injection and user-space rootkits.
• Module 8: Shellcode – Learn how shellcode works from beginning to end, including position independence and symbol resolution.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 10: Scripting IDA Pro – Learn how to automate IDA Pro to help you analyze malware more efficiently.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.
• Module 13: Reversing C++ – Learn how C++ concepts like inheritance, polymorphism, and objects influence analysis.
• Module 14: Packers and Unpacking – Learn how to unpack manually.
• Module 15: Delphi Analysis – Learn the nuances of the Delphi programming language and how it influences assembly; this language is surprisingly popular among malware authors.
• Module 16: 64-bit Malware – Learn about how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86.
• Module 17: Encryption and Encoding – Learn to deal with string obfuscation techniques commonly used by malware, and to decode malware communications by analyzing network packet captures based on your analysis.
• Module 18: Machine Learning – Learn how to cluster and classify malware automatically.
• Module 19: .NET Reversing – Learn how to reverse engineer .NET bytecode and deal with obfuscation techniques employed by attackers.
CYBER CRIME & INCIDENT RESPONSE COURSE DESCRIPTIONS

INTRODUCTION TO CYBER CRIME FOR EXECUTIVES (1 DAY)

Network security breaches transform calm working environments into high-stress battle zones that require executives to rapidly make key decisions impacting the company and the investigation. Informed executives are better equipped to understand the threat and make the right decisions in minimal time. The Mandiant Introduction to Cyber Crime for Executives course was developed to educate senior staff on cyber crime and incident response. During the course, instructors will walk students through a scenario based on real-world intrusions involving sophisticated attackers. The scenario is presented from both the attacker and victim perspectives. Throughout the course, instructors teach students about the tactics and technologies used by the victim and the attackers. The scenario illustrates the most common method attackers use to establish a foothold and remain undetected in the victim network. The class discusses the pros and cons of the various courses of action available to the victim and provides students with critical insight into the many issues investigators and victim organizations face in defending networks and responding to security breaches.

Students Learn
• How attackers defeat defenses and break into networks.
• The network defense posture of the common victim.
• How to collect electronic evidence.
• How investigators analyze data and use findings to resolve the incident.
• Many of the challenges an organization faces after its computer security defenses have been breached.

Who Should Attend
Executives, security staff, corporate investigators, or other staff that require a general understanding of network security, network operations and responding to breaches in network or computer security.

Course Pre-requisites
None.
ENTERPRISE INCIDENT RESPONSE (3 DAYS)

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive three-day course is designed to teach the fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. This class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.

The course is comprised of the following modules, with labs included throughout:
• The Incident Response Process: An introduction to the targeted attack life-cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
• Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
• Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.
• Investigating Lateral Movement: An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
• Persistence: Analysis of advanced persistence mechanisms, such as DLL search order hijacking; introduction to user-land and kernel rootkits; alternative remote-access mechanisms exploited by attackers.
• Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.

Students Learn
• The incident response process.
• The composition of an effective incident response team.
• To manage an effective incident response.
• How to prepare an organization to conduct agile incident response.
• How to collect and analyze volatile and non-volatile information from a Windows system.
• The fundamentals of NTFS file system analysis.
• Memory acquisition and analysis.
• Tips and tricks used by investigators.

Who Should Attend
This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require other investigative tasks.

Course Pre-requisites
Students must be familiar with:
• Executing command line utilities as an Administrator.
• Navigating the Windows file system using the command line.
• Common file system structures.
• Microsoft Windows registry.
• Active Directory and basic Windows security controls.
• Networking fundamentals, including common Windows protocols.

NETWORK INVESTIGATIONS COURSE DESCRIPTIONS

NETWORK TRAFFIC ANALYSIS (3 DAYS)

Sophisticated attackers frequently go undetected in a victim network for an extended period of time. Attackers know how to blend their traffic with legitimate traffic, and only the skilled network traffic analyst will know how to find them. Network traffic analysis is a critical skill set for any organization. Mandiant’s intense three-day Network Traffic Analysis course prepares students to face the challenge of identifying malicious network activity. The course provides students an overview of network protocols, network architecture, intrusion detection systems, network traffic capture, and traffic analysis. The course consists of lecture and multiple hands-on labs to reinforce technical concepts.

Students Learn
• Common network protocols.
• Network monitoring and the incident response process.
• Why network monitoring is important in today’s networks.
• The different types of network monitoring.
• The pros and cons of Statistical, Connection, Full Content, and Event Monitoring, and tools to perform each type of monitoring.
• The tools commonly used to analyze captured network traffic.
• What Botnets are and how to investigate them.
• What Honeypots and honeynets are and how they are used in Network Monitoring.
• How to perform event-based monitoring using Snort.
• Snort rule structure and custom rule creation for network traffic minimization, and the Sguil front-end for reviewing Snort alerts.

Who Should Attend
Information technology and security staff, corporate investigators, or other staff requiring an understanding of networks, network traffic, network traffic analysis and network intrusion investigations.

Course Pre-requisites
Students should have a basic understanding of TCP/IP and be familiar with Windows and UNIX platforms. A familiarity with computer security terminology and concepts is helpful.
WIRELESS SECURITY (2 DAYS)

Wireless computing devices are everywhere and new products seem to appear daily. The explosive growth of wireless devices also brings an increased risk to networks permitting wireless access. As a result, network and information security personnel must understand the risk of wireless computing. The Mandiant Wireless Security course is a two-day class specifically designed for professionals who support, design, or assess IEEE 802.11 wireless environments, commonly known as Wi-Fi. It is a hands-on course presented from the attacker’s perspective and helps students understand the wireless attacker methodology. The course includes a variety of case studies and numerous lab exercises to reinforce wireless security concepts and materials.

Students Learn
• How to find and access wireless access points using free tools.
• Techniques to identify “cloaked” or non-broadcasting access points.
• How to defeat common security features.
• Brute force attacks against WPA/WPA2-PMK.
• How to forcefully disassociate a client from an access point.
• How to defeat WEP encryption.
• How wireless access points are used as an initial entry point during a network security breach.
• Common attack vectors used after accessing a wireless network.
• Common misconceptions about wireless technologies and why it can be almost impossible to find an attacker.

Who Should Attend
Information technology staff, information security staff, corporate investigators, or other staff who have a need to perform security audits on their wireless infrastructures.

Course Pre-requisites
Students should have a basic understanding of TCP/IP networks and some familiarity with Linux systems. Familiarity with computer security terminology and concepts is helpful.

LINUX AND UNIX INVESTIGATIONS COURSE DESCRIPTIONS

INTRODUCTION TO LINUX FOR SECURITY PROFESSIONALS (3 DAYS)

The Mandiant Linux for Security Professionals course introduces information security professionals to the Linux operating system and helps prepare them to conduct investigations in a UNIX environment. The course follows the “learn by doing” philosophy. Students perform Linux/UNIX commands and discover how the operating system functions. Attendees will primarily operate in the command line environment. The course includes relevant case studies and reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn
• The differences and similarities between the Microsoft Windows and Linux operating systems.
• How to install and configure the Fedora Core Linux operating system for use on a workstation.
• The Linux EXT2 and EXT3 file systems and the general Linux/UNIX file structure.
• Navigation in a Linux environment at the command line and through the X-Windows interface.
• How to configure Linux systems to communicate on TCP/IP networks.
• System logging on most Linux/UNIX systems.
• How to make and verify the integrity of hard drive images made with the DD command.
• How to develop basic UNIX shell scripts and use powerful searching and text manipulation tools such as grep, AWK and SED.
• Over 80 of the most useful Linux/UNIX commands for Security Professionals.

Who Should Attend
Information security staff, corporate investigators, or other staff that require an understanding of the Linux operating system, how attackers exploit UNIX-based systems, how to secure UNIX-based systems and how to respond to incidents that involve the UNIX operating system. The course is intended for attendees that have little to no experience or exposure to Linux or UNIX.

Course Pre-requisites
A familiarity with computer security terminology and concepts.
UNIX INVESTIGATIONS (5 DAYS)

Attacks against systems running variants of the UNIX operating system are on the rise. In order to effectively respond to the escalating threat, organizations must have skilled information security staff able to rapidly detect and remove threats. Mandiant developed the UNIX Investigations course to provide information security personnel the fundamental skills needed to quickly identify and eliminate threats targeting UNIX or variants of the UNIX operating system. The course is based on the real-world experience of Mandiant consultants who have years of experience combating these types of attacks. The course reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn
• History of UNIX, Linux and Linux distributions.
• Targeted file system searches.
• File content searches using grep.
• UNIX/Linux file compression and archive utilities.
• File content comparison and integrity validation.
• File system architecture review.
• UNIX/Linux user and system credentials.
• Processes, network services, and the boot process.
• Server and host network configuration.
• Traffic, log, and forensic analysis.

Who Should Attend
Managers and technical team members involved in Information Technology, Information Security, Incident Response or other staff that have a need to investigate potentially compromised UNIX hosts.

Course Pre-requisites
Students should have a basic understanding of TCP/IP networks and be proficient with the Linux operating system. Familiarity with basic computer security terminology is recommended.
APPENDIX A: MANDIANT SERVICES

Mandiant provides industry-leading information security services to help our customers overcome their most challenging problems. Our team is equally adept at building strong programs that minimize disturbances and at helping clients rapidly respond to incidents and resume business. The services outlined below are a blend of proactive efforts required to build secure network environments and reactive services enabling you to respond to events and intrusions in a timely and effective manner.

Application Security: In addition to network testing, Mandiant consultants have significant experience in testing web-based applications for security vulnerabilities. To help improve the security of your application development process, we will assist in developing a secure Software Development Life Cycle and in training your staff on it. We can also provide hands-on testing of new products.
• Application Assessments: Mandiant reviews applications with a tool suite and hands-on effort at all levels of privilege to identify and remediate vulnerabilities. Mandiant can provide assessment services at various stages of the application development lifecycle, including requirements, design review, source code review and penetration tests.
• Secure Software Development Life Cycle: Our team will work with your group to enhance your code development process so that security is integrated into applications at the earliest opportunity. This enhances your posture at the least cost and in the most effective manner.
• Product Testing: With our Forensics and Incident Response experience, we are uniquely able to assess the vulnerabilities in new products prior to release.

Network Security: Mandiant excels at assessing the security posture of your enterprise. From architecture to implementation, we can assess vulnerabilities and help build cost-effective plans to mitigate the risks. For many organizations, we become a temporary or long-term adjunct to their information security staff, bringing specialized expertise and an independent third-party view. Specific services include:
• Network Assessments: Working cooperatively with your staff, Mandiant can review your architecture, policies, procedures and technical implementation against pertinent standards. We are adept at assessing the impact of ISO 17799, PCI, OCC and NIST guidance on your information security program, and at substantially improving the security posture of the network without impairing critical business functions.
• Wireless Assessments: Mandiant’s assessment teams identify security vulnerabilities impacting your authorized wireless infrastructure, and detect and identify potential rogue access points at those facilities.
• Penetration Testing: Mandiant provides high-quality external testing of your network perimeter, and we can work from a blind or partially informed starting point. Our process can validate existing security controls and provides an excellent venue to test your incident detection capability.

Social Engineering: From email testing to surreptitious physical entry, Mandiant’s team can help you assess or test the security awareness of your staff. Many clients have found that our ability to garner sensitive data through email or the phone provides strong leverage to enhance existing awareness programs.

Payment Card Industry Data Security Assessments: As a Visa and MasterCard approved vendor, Mandiant can certify that the security of your transaction processing environment meets the PCI standards.
Incident Response: Even the most prepared organizations can be confronted with security problems in their computing environment. Mandiant consultants apply their blend of investigative and technical skills to help you solve the problem with minimum disruption of the business process. These include:
• Incident Response Management: Mandiant can assist clients in identifying the nature and extent of any compromise, and then quickly build effective remediation plans to mitigate the issues. We work with your staff in conducting hands-on response and remediation efforts. Our work merges technical effort to minimize exposure with strategic guidance on incident management.
• Malware Analysis: We have extraordinary expertise and experience in identifying the impact of unknown code on your enterprise. We are able to perform rapid, dynamic analysis of Windows-based and UNIX-based hostile code in order to profile network and host-based indicators of compromise. This lets us identify the scope and intent of the malicious code.
• Program Development: Mandiant’s consultants are able to build or enhance existing Incident Response programs to meet current regulatory and industry requirements. These projects can include policy and procedure development, business unit involvement and buy-in, executive and staff awareness training, Incident Response exercises and customized training.
• Incident Response Exercises: We have crafted numerous simulated incidents to help firms develop their hands-on response skills. Mandiant can provide table-top, policy-driven events and detailed technical events that allow your team to execute your existing incident response procedures and update your program. We complete every exercise with a lessons-learned discussion to enhance skill development.
Litigation Support: Mandiant can work as an extension of your legal team, providing the technical ability to quickly identify and collect information from computer systems. We can provide assistance with language for search protocols, orders and consent letters to ensure appropriate authorization. Then, our interaction with your investigative and legal team creates effective search terms to reduce the data collected to the most likely relevant materials and ensure efficient data production. Our team can help you with:
• Forensic Examination: We have acquired and reviewed data from hundreds of systems and can conduct the most detailed analysis of the existing data. Thanks to our unmatched experience, we routinely identify key information missed by other examiners.
• Expert Testimony: Our consultants have provided expert testimony in the United States and overseas on criminal and civil matters. We are frequently called to explain complex technical issues to judicial authorities and juries.
Research and Development: Mandiant has a unique ability to put our technical and operational experience to work solving our clients’ cutting-edge security problems. Our team includes specialists with high-level government clearances who can address mission-critical problems and rapidly produce capabilities or countermeasures to address emerging issues on a wide variety of platforms.
APPENDIX B: MANDIANT COMPANY BACKGROUND
Mandiant has been helping its clients defend against and respond to critical security incidents of all kinds for more than a decade. Founded by Kevin Mandia, Mandiant is a pioneer in educating organizations and governments around the world about how to secure their networks against advanced targeted attacks, and in providing security consulting and incident response services to help them resolve security incidents when they occur.

The company has driven intruders out of the computer networks and endpoints of hundreds of clients across every major industry. Mandiant is the trusted advisor for 29 of the Fortune 100 and eight of the largest US cleared defense contractors. Mandiant consultants have investigated more than 1,000,000 compromised systems, analyzed hundreds of thousands of pieces of malicious software and reverse engineered the latest techniques used by advanced persistent threat (APT) actors. As the leader in incident response, Mandiant has built an incomparable base of knowledge about APT groups by utilizing a unique combination of expert consultants and proprietary technology.

To accomplish its mission, Mandiant has attracted the leading cyber security practitioners, experts and analysts in the world. Mandiant consultants are published experts, speakers at well-known security conferences and experts sought by leading media organizations. Mandiant employs former law enforcement officers, intelligence officers, Department of Defense computer security specialists, and forensic examiners who have significant experience shaping the information security programs at large, complex organizations. Their expertise is complemented by an extensive infrastructure of patent-pending technology that Mandiant has developed to proactively detect and respond to advanced threats at scale within an enterprise.

Our unique investigative skills were demonstrated to the world in February 2013, when the company identified a unit of the Chinese People’s Liberation Army, PLA Unit 61398, as being responsible for years of cyber-attacks targeting at least 141 government and private entities. The report made headlines worldwide, prompted a response by President Obama, and focused attention on state actors behind coordinated cyber-attacks that target intellectual property and financial assets and present threats to national security.

Mandiant provides a full range of security consulting services including incident response, compromise assessments, security program assessments, response readiness assessments and security transformation services designed to assist organizations in improving their security posture.

Mandiant was acquired by FireEye, Inc. on December 31, 2013 and operates as a division of FireEye.
APPENDIX C: MANDIANT PUBLICATIONS
Incident Response and Computer Forensics, 3rd Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, August 2014

The Practice of Network Security Monitoring
Author: Richard Bejtlich
No Starch Press, July 2013

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Author: Michael Sikorski
No Starch Press, February 2012

The Tao of Network Security Monitoring: Beyond Intrusion Detection
Author: Richard Bejtlich
Addison-Wesley, July 2004

Incident Response and Computer Forensics, 2nd Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, July 2003

Hack Notes: Network Security
Contributing Author: Vijay Akasapu
McGraw-Hill, July 2003

Windows XP: Professional Security
Contributing Author: Matt Pepe
McGraw-Hill, October 2002

Incident Response and Computer Forensics, 1st Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, June 2001
Additional Reading
Richard B: Real Digital Forensics: Computer Security and Incident Response:
http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=asap_bc?ie=UTF8
Richard B: Extrusion Detection: Security Monitoring for Internal Intrusions:
http://www.amazon.com/Extrusion-Detection-Security-Monitoring-Intrusions/dp/0321349962/ref=asap_bc?ie=UTF8
Tony Lee, Contributing Author: Hacking Exposed 7: Network Security Secrets & Solutions:
http://www.amazon.com/dp/0071780289/ref=rdr_ext_tmb
Chris Sanders:
http://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083/ref=asap_bc?ie=UTF8
Chris Sanders:
http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669/ref=asap_bc?ie=UTF8
Chris Sanders:
http://www.amazon.com/Practical-Packet-Analysis-Chris-Sanders-ebook/dp/B002N3M6RC/ref=asap_bc?ie=UTF8
APPENDIX D: MANDIANT COMPANY INFORMATION
Firm Name: Mandiant Corporation, A FireEye Company
Established: 2004
Structure: Publicly traded company (NASDAQ: FEYE)
Focus: World leading information security company with focus in Security Program Development, Incident Response, Computer Forensics, Threat Assessments, Threat Detection, Network Security, and Application Security and Education
Unique Expertise: Advanced Persistent Threat Assessment, Payment Card Industry Assessments, Remote Global Enterprise Incident Response, Malicious Code Analysis, Application-Product Testing, Network Intrusion Management, Expert Witness Testimony
Headquarters: 2318 Mill Rd, Suite 500, Alexandria, Virginia 22314
Regional Offices:
24 West 40th St, 9th Floor, New York, New York 10018
400 Continental Blvd., 6th Floor, El Segundo, CA 90245, USA
425 Market Street, Suite 2200, San Francisco, CA 94105 USA
12012 Sunset Hills Road, 7th Floor, Reston, VA 20190, USA
200 Brook Drive, Green Park, Reading, RG2 6UB, United Kingdom
Georges Quay Plaza, Georges Quay, Dublin 2, Ireland
Staff: 450+ / 5000 (FireEye)
Staff Experience: Average of over 10 years in the Information Security Industry
Global Expertise: Our team has lived or worked in 47 countries, including: Canada, Georgia, United States, Mexico, Panama, Colombia, Brazil, Argentina, Japan, Korea, Singapore, Indonesia, Malaysia, Australia, India, Egypt, Saudi Arabia, United Arab Emirates, Iraq, Jordan, Turkey, Russia, Ukraine, Finland, Sweden, Denmark, The Netherlands, Germany, and the United Kingdom
Customer Base: Over 350 current clients in the Financial, Legal, Law Enforcement, Intelligence, Retail and Technology sectors
Financial Stability: Highly stable firm with significant annual growth since formation
Publications: Primary and contributing authors of 8 books on information security; authors of numerous articles in the field
Presentations: Over 100 presentations annually to industry forums, conferences and groups
Certifications: CISSP, CISA, CBP, IACIS, CCNA, GCIA, GCUX, QSA, PFI Certifications; membership in IEEE, ECTF, HTCIA, OWASP and InfraGard
Mandiant Awards:
SC Magazine 2012, 2013 & 2015 “Best Security Company”
SC Magazine 2015 “Best APT Protection”
Gartner Cool Vendors 2013 “Cool Vendors in Security for Technology and Service Providers”
Forbes 2013 “Most Influential Company on Combatting Hacking”
To learn more about FireEye, visit:
www.FireEye.com
FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / [email protected]
www.FireEye.com
© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks
or service marks of their respective owners. CC.MEE.EN-US.052016