MANDIANT CONSULTING 2016 EXTERNAL EDUCATION COURSE CATALOG

CONTENTS
Our External Education Program
Malware Analysis Course Descriptions
Cyber Crime & Incident Response Course Descriptions
Network Investigations Course Descriptions
Linux and UNIX Investigations Course Descriptions
Appendix A: Mandiant Services
Appendix B: Mandiant Company Background
Appendix C: Mandiant Publications
Appendix D: Mandiant Company Information

OUR EXTERNAL EDUCATION PROGRAM

Mandiant, a division of FireEye, believes in intense, hands-on training that develops performable skills. We use operational case scenarios to ensure greater effectiveness. Our classes and exercises are reality-based rather than classroom mock-ups, and every class is led by some of the most experienced cyber security professionals in the business.

We follow a proven training methodology that is enhanced by our significant experience responding to real-world attacks. Mandiant helps clients respond to sophisticated security breaches on a daily basis, and we leverage our understanding of attackers' methodologies, tools and tactics to identify security vulnerabilities. Our strength is our experience. Mandiant consultants have extensive experience providing information security advice to Fortune 500 organizations and government agencies. Our consultants include former law enforcement officers, intelligence officers, Department of Defense computer security specialists, computer programmers, forensic examiners and published experts who have significant experience shaping the information security programs at global organizations. Mandiant's education courses can be customized to meet the specific needs and environment of the client.
Our current course offerings include:
• Malware Analysis
-- Introduction to Malware Analysis for Non-programmers (1 day)
-- Malware Analysis Crash Course (2 days)
-- Fundamentals of Malware Reverse Engineering (3 days)
-- Special Topics in Malware Analysis (5 days)
-- Customized Malware Analysis
• Cyber Crime & Incident Response
-- Introduction to Cyber Crime for Executives (1 day)
-- Enterprise Incident Response (3 days)
• Network Investigations
-- Network Traffic Analysis (3 days)
-- Wireless Security (2 days)
• Linux and UNIX Investigations
-- Introduction to Linux for Security Professionals (3 days)
-- UNIX Investigations (5 days)

MALWARE ANALYSIS COURSE DESCRIPTIONS

Introduction to Malware Analysis for Non-programmers (1 day)

This course provides a beginner-level introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems, using a practical, hands-on approach. The class is taught by M-Labs malware analysts who are experienced in analyzing a diverse set of malware.

Modules Included
• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as a virtual machine.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.

Who Should Attend
Information technology staff, information security staff, corporate investigators or others requiring an understanding of how malware functions and the steps and processes involved in malware analysis.

Course Pre-requisites
Students should have a general knowledge of computer and operating system fundamentals. Some exposure to computer programming fundamentals and Windows internals is recommended.

Malware Analysis Crash Course (2 days)

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems, using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. They will learn how to extract host- and network-based indicators from a malicious program. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

Modules Included
• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as a virtual machine.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.
• Module 4: Disassembly – Learn the basics and build a foundation in x86 assembly language, and learn how to use IDA Pro, the standard tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.

Who Should Attend
This course is intended for software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Course Pre-requisites
Students should have an excellent knowledge of computer and operating system fundamentals. Computer programming fundamentals and Windows internals experience are highly recommended.
Fundamentals of Malware Reverse Engineering (3 days)

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems, using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. They will learn how to extract host- and network-based indicators from a malicious program. They will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

Modules Included
• Module 4: Disassembly – Learn the basics and build a foundation in x86 assembly language, and learn how to use IDA Pro, the standard tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.

Who Should Attend
Information security staff, forensic investigators, or others requiring an understanding of how to overcome difficult challenges in malware analysis.
Course Pre-requisites
Training or experience in malware analysis and extensive knowledge of computer and operating system fundamentals are required. Exposure to software development is also highly recommended.

Special Topics in Malware Analysis (5 days)

Malware authors sometimes take deliberate steps to thwart the reverse engineering of their malware. This course is focused on advanced topics related to combating malware defense mechanisms. Designed for the experienced malware analyst, a robust skill set in x86 architecture and the Windows APIs is essential. Students will learn how to combat anti-disassembly, anti-debugging and anti-virtual machine techniques. Students will also learn how to defeat packed and armored executables and will be challenged to demonstrate these skills several times throughout the course. Additional topics covered include malware stealth techniques, such as process injection and rootkit technology; analysis of samples written in alternate programming languages, such as Delphi and C++; and a review of available tools and techniques. All concepts and materials presented are reinforced with demonstrations, real-world case studies, follow-along exercises, and student labs to allow students to practice what they have learned. This class is taught by senior FLARE malware analysts who are experienced in fighting through state-of-the-art malware armor.

Modules Included
• Module 7: Stealth – Learn how malware hides its execution, including process injection and user-space rootkits.
• Module 8: Shellcode – Learn how shellcode works from beginning to end, including position independence and symbol resolution.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 10: Scripting IDA Pro – Learn how to automate IDA Pro to help you analyze malware more efficiently.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.
• Module 13: Reversing C++ – Learn how C++ concepts like inheritance, polymorphism, and objects influence analysis.
• Module 14: Packers and Unpacking – Learn how to unpack manually, an important skill for analyzing malware.
• Module 16: 64-bit Malware – Learn how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86.
• Module 17: Encryption and Encoding – Learn to deal with the string obfuscation techniques commonly used by malware, and to decode malware communications in network packet captures based on your analysis.
• Module 19: .NET Reversing – Learn how to reverse engineer .NET bytecode and deal with obfuscation techniques employed by attackers.

Who Should Attend
Information security staff, forensic investigators, or others requiring an understanding of how to overcome difficult challenges in malware analysis.

Course Pre-requisites
Training or experience in malware analysis and extensive knowledge of computer and operating system fundamentals are required. Exposure to software development is also highly recommended.

Customized Malware Analysis

We offer customized malware analysis training solutions to address the business needs of clients that have specific learning objectives. We can build a course that includes any of our 20 malware analysis modules. These modules range from the basic concepts of analyzing disassembly all the way to advanced concepts like x64 and anti-reverse engineering techniques.
Each module includes targeted learning and hands-on activities authored by the FLARE malware analysis team at FireEye.
• Module 1: Basic Static Analysis – Learn to quickly perform a malware autopsy.
• Module 2: Safe Environment – Learn how to protect yourself by analyzing malware in a safe environment, such as a virtual machine.
• Module 3: Basic Dynamic Analysis – Learn to analyze running malware.
• Module 4: Disassembly – Learn the basics and build a foundation in x86 assembly language, and learn how to use IDA Pro, the standard tool for disassembly analysis.
• Module 5: Windows Internals – Learn a wide range of Windows-specific concepts that are relevant to analyzing Windows malware.
• Module 6: Debugging – Learn how to monitor and change malware behavior, as it runs, at a low level.
• Module 7: Stealth – Learn how malware hides its execution, including process injection and user-space rootkits.
• Module 8: Shellcode – Learn how shellcode works from beginning to end, including position independence and symbol resolution.
• Module 9: Anti-Disassembly – Learn how to circumvent the anti-disassembly mechanisms that malware authors use to thwart your analysis in tools like IDA Pro.
• Module 10: Scripting IDA Pro – Learn how to automate IDA Pro to help you analyze malware more efficiently.
• Module 11: Anti-Debugging – Learn how to combat anti-debugging, including how to bypass timing checks, Windows debugger detection, and debugger vulnerabilities.
• Module 12: Anti-VM – Malware can detect that it is running in your safe environment; learn how to fool it into thinking otherwise.
• Module 13: Reversing C++ – Learn how C++ concepts like inheritance, polymorphism, and objects influence analysis.
• Module 14: Packers and Unpacking – Learn how to unpack manually.
• Module 15: Delphi Analysis – Learn the nuances of the Delphi programming language and how it influences the resulting assembly; this language is surprisingly popular among malware authors.
• Module 16: 64-bit Malware – Learn how x64 changes the game for malware analysis, including how WOW64 works and the architecture changes from x86.
• Module 17: Encryption and Encoding – Learn to deal with the string obfuscation techniques commonly used by malware, and to decode malware communications in network packet captures based on your analysis.
• Module 18: Machine Learning – Learn how to cluster and classify malware automatically.
• Module 19: .NET Reversing – Learn how to reverse engineer .NET bytecode and deal with obfuscation techniques employed by attackers.

CYBER CRIME & INCIDENT RESPONSE COURSE DESCRIPTIONS

Introduction to Cyber Crime for Executives (1 day)

Network security breaches transform calm working environments into high-stress battle zones that require executives to rapidly make key decisions impacting the company and the investigation. Informed executives are better equipped to understand the threat and make the right decisions in minimal time. The Mandiant Introduction to Cyber Crime for Executives course was developed to educate senior staff on cyber crime and incident response. During the course, instructors walk students through a scenario based on real-world intrusions involving sophisticated attackers. The scenario is presented from both the attacker's and the victim's perspectives. Throughout the course, instructors teach students about the tactics and technologies used by the victim and the attackers. The scenario illustrates the most common method attackers use to establish a foothold and remain undetected in the victim network.
The class discusses the pros and cons of the various courses of action available to the victim and gives students critical insight into the many issues investigators and victim organizations face in defending networks and responding to security breaches.

Students Learn
• How attackers defeat defenses and break into networks.
• The network defense posture of the common victim.
• How to collect electronic evidence.
• How investigators analyze data and use findings to resolve the incident.
• Many of the challenges an organization faces after its computer security defenses have been breached.

Who Should Attend
Executives, security staff, corporate investigators, or other staff that require a general understanding of network security, network operations and responding to breaches in network or computer security.

Course Pre-requisites
None.

Enterprise Incident Response (3 days)

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive three-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. The class is built on a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.
The course comprises the following modules, with labs included throughout:
• The Incident Response Process: An introduction to the targeted attack life cycle, initial attack vectors used by different threat actors, the stages of an effective incident response process, and remediation.
• Acquiring Forensic Evidence: An overview of volatile and non-volatile evidence, live response acquisition versus forensic imaging, and related methods and tools.
• Introduction to Windows Evidence: Analysis of the key sources of evidence that can be used to investigate a compromised Windows system, including NTFS artifacts, prefetch, web browser history, event logs, the registry, and more.
• Memory Acquisition and Analysis: How memory is structured on a Windows system, the artifacts and evidence available in physical memory and the page file, and how memory analysis can identify advanced techniques used by malware.
• Investigating Lateral Movement: An in-depth analysis of how attackers move from system to system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
• Persistence: Analysis of advanced persistence mechanisms, such as DLL search order hijacking; introduction to user-land and kernel rootkits; alternative remote-access mechanisms exploited by attackers.

Students Learn
• The incident response process.
• The composition of an effective incident response team.
• How to manage an effective incident response.
• How to prepare an organization to conduct agile incident response.
• How to collect and analyze volatile and non-volatile information from a Windows system.
• The fundamentals of NTFS file system analysis.
• Memory acquisition and analysis.
• Tips and tricks used by investigators.
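The lateral movement module above turns on the distinction between network logons and interactive access, and on the evidence each leaves behind. The Python below is an added example, not course material from Mandiant or FireEye: it reads a constructed CSV export of Windows Security 4624 logon events, classifies each by its LogonType, flags an account whose remote logons fan out to several hosts within a short window, and walks back to the interactive logon on the pivot host so an analyst knows which system to image first. The rows, host names, IP addresses and account names are constructed; the logon-type meanings and the event IDs named in the comments are Microsoft's documented values. WorkstationName is supplied by the client and can be forged, so it is used only as a fallback for IpAddress.

```python
"""Added example (not Mandiant/FireEye course code): triage Windows Security
4624 logon events to separate interactive access from network logons and to
surface a lateral-movement fan-out. All event rows below are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# 4624 LogonType values as documented by Microsoft.
LOGON_TYPES = {
    2: "Interactive (console)", 3: "Network (SMB, WinRM, PsExec-style)",
    4: "Batch", 5: "Service", 7: "Unlock", 8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)", 10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
INTERACTIVE_TYPES = {2, 10, 11}  # a desktop session exists on the target
REMOTE_TYPES = {3, 10}           # a remote principal reached the target

# Constructed CSV export, one row per 4624 event; '-' is an empty field.
SAMPLE_4624_CSV = """\
TimeCreated,Computer,TargetUserName,LogonType,IpAddress,WorkstationName,AuthenticationPackageName
2016-03-01T08:01:10,WKS-042,alice,2,-,WKS-042,Kerberos
2016-03-01T08:05:44,FS-01,alice,3,10.0.1.42,WKS-042,Kerberos
2016-03-01T09:12:03,WKS-042,svc_backup,10,10.0.9.17,-,NTLM
2016-03-01T09:14:21,WKS-043,svc_backup,3,10.0.1.42,WKS-042,NTLM
2016-03-01T09:15:02,WKS-044,svc_backup,3,10.0.1.42,WKS-042,NTLM
2016-03-01T09:15:40,FS-01,svc_backup,3,10.0.1.42,WKS-042,NTLM
2016-03-01T09:16:15,DC-01,svc_backup,3,10.0.1.42,WKS-042,NTLM
2016-03-01T13:30:00,FS-01,bob,3,10.0.1.77,WKS-077,Kerberos
"""

def parse_events(text):
    """Parse a CSV export of 4624 events into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "computer": row["Computer"], "user": row["TargetUserName"],
            "logon_type": int(row["LogonType"]),
            "ip": None if row["IpAddress"] == "-" else row["IpAddress"],
            "workstation": None if row["WorkstationName"] == "-" else row["WorkstationName"],
            "auth": row["AuthenticationPackageName"]})
    return events

def evidence_to_check(event):
    """Traces a logon of this type leaves beyond the 4624 record itself
    (general guidance, not an exhaustive artifact list)."""
    t, checks = event["logon_type"], []
    if t in INTERACTIVE_TYPES:
        checks.append("user profile and NTUSER.DAT hive on the target")
    if t == 10:
        checks.append("TerminalServices-RemoteConnectionManager event 1149 on the target")
    if t == 3:
        checks.append("share access (Security 5140) and new services (System 7045) on the target")
    if event["auth"] == "NTLM" and event["ip"]:
        checks.append("NTLM between domain-joined hosts: consider pass-the-hash tooling")
    return checks

def find_lateral_movement(events, min_hosts=3, window=timedelta(hours=1)):
    """Flag (user, source) pairs whose remote logons reach at least min_hosts
    distinct computers inside `window`. Source is IpAddress, falling back to
    WorkstationName, which the client supplies and an attacker can forge."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] in REMOTE_TYPES:
            by_source[(e["user"], e["ip"] or e["workstation"])].append(e)
    hits = []
    for (user, src), evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            hosts = sorted({x["computer"] for x in in_window})
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "source": src, "hosts": hosts,
                             "first_seen": first["time"], "last_seen": in_window[-1]["time"]})
                break
    return hits

def find_entry_point(events, hit):
    """Latest interactive logon by the fan-out account on the pivot host. The
    pivot is found by mapping the source IP to a host name via events that
    carry both IpAddress and WorkstationName."""
    ip_to_host = {e["ip"]: e["workstation"] for e in events if e["ip"] and e["workstation"]}
    pivot = ip_to_host.get(hit["source"])
    candidates = [e for e in events if e["computer"] == pivot and e["user"] == hit["user"]
                  and e["logon_type"] in INTERACTIVE_TYPES and e["time"] <= hit["first_seen"]]
    return max(candidates, key=lambda e: e["time"]) if candidates else None

if __name__ == "__main__":
    evs = parse_events(SAMPLE_4624_CSV)
    for hit in find_lateral_movement(evs):
        print(f"{hit['user']} from {hit['source']} -> {', '.join(hit['hosts'])} "
              f"between {hit['first_seen']:%H:%M:%S} and {hit['last_seen']:%H:%M:%S}")
        entry = find_entry_point(evs, hit)
        if entry:
            print(f"  pivot {entry['computer']}: {LOGON_TYPES[entry['logon_type']]} "
                  f"from {entry['ip']} at {entry['time']:%H:%M:%S}")
            for check in evidence_to_check(entry):
                print("   check:", check)
```

On the sample data the only hit is svc_backup reaching four hosts from 10.0.1.42 in under two minutes; the entry point resolves to the RDP (type 10) logon on WKS-042 from 10.0.9.17 a few minutes earlier, which is the host to acquire first. Type 3 logons alone are noisy in any domain (file shares, group policy, domain controllers), which is why the threshold is on distinct hosts per source and window rather than on individual events; tune min_hosts and the window to the environment before relying on it.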
Who Should Attend
This is a fast-paced technical course designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace are intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams, or in roles that require other investigative tasks.

Course Pre-requisites
Students must be familiar with:
• Executing command line utilities as an Administrator.
• Navigating the Windows file system using the command line.
• Common file system structures.
• The Microsoft Windows registry.
• Active Directory and basic Windows security controls.
• Networking fundamentals, including common Windows protocols.

NETWORK INVESTIGATIONS COURSE DESCRIPTIONS

Network Traffic Analysis (3 days)

Sophisticated attackers frequently go undetected in a victim network for an extended period of time. Attackers know how to blend their traffic with legitimate traffic, and only the skilled network traffic analyst will know how to find them. Network traffic analysis is a critical skill set for any organization. Mandiant's intense three-day Network Traffic Analysis course prepares students to face the challenge of identifying malicious network activity.

The course provides students an overview of network protocols, network architecture, intrusion detection systems, network traffic capture, and traffic analysis. The course consists of lecture and multiple hands-on labs to reinforce technical concepts.

Students Learn
• Common network protocols.
• Network monitoring and the incident response process.
• Why network monitoring is important in today's networks.
• The different types of network monitoring.
• The pros and cons of statistical, connection, full content, and event monitoring, and tools to perform each type of monitoring.
• The tools commonly used to analyze captured network traffic.
• What botnets are and how to investigate them.
• What honeypots and honeynets are and how they are used in network monitoring.
• How to perform event-based monitoring using Snort.
• Snort rule structure and custom rule creation for network traffic minimization, and the Sguil front-end for reviewing Snort alerts.

Who Should Attend
Information technology and security staff, corporate investigators, or other staff requiring an understanding of networks, network traffic, network traffic analysis and network intrusion investigations.

Course Pre-requisites
Students should have a basic understanding of TCP/IP and be familiar with Windows and UNIX platforms. Familiarity with computer security terminology and concepts is helpful.

Wireless Security (2 days)

Wireless computing devices are everywhere and new products seem to appear daily. The explosive growth of wireless devices also brings an increased risk to networks permitting wireless access. As a result, network and information security personnel must understand the risk of wireless computing. The Mandiant Wireless Security course is a two-day class specifically designed for professionals who support, design, or assess IEEE 802.11 wireless environments, commonly known as Wi-Fi. It is a hands-on course presented from the attacker's perspective and helps students understand the wireless attacker methodology. The course includes a variety of case studies and numerous lab exercises to reinforce wireless security concepts and materials.

Students Learn
• How to find and access wireless access points using free tools.
• Techniques to identify "cloaked" or non-broadcasting access points.
• How to defeat common security features.
• Brute force attacks against WPA/WPA2-PMK.
• How to forcefully disassociate a client from an access point.
• How to defeat WEP encryption.
• How wireless access points are used as an initial entry point during a network security breach.
• Common attack vectors used after accessing a wireless network.
• Common misconceptions about wireless technologies and why it can be almost impossible to find an attacker.

Who Should Attend
Information technology staff, information security staff, corporate investigators, or other staff who need to perform security audits on their wireless infrastructures.

Course Pre-requisites
Students should have a basic understanding of TCP/IP networks and some familiarity with Linux systems. Familiarity with computer security terminology and concepts is helpful.

LINUX AND UNIX INVESTIGATIONS COURSE DESCRIPTIONS

Introduction to Linux for Security Professionals (3 days)

The Mandiant Linux for Security Professionals course introduces information security professionals to the Linux operating system and helps prepare them to conduct investigations in a UNIX environment. The course follows the "learn by doing" philosophy. Students perform Linux/UNIX commands and discover how the operating system functions. Attendees primarily operate in the command line environment. The course includes relevant case studies and reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn
• The differences and similarities between the Microsoft Windows and Linux operating systems.
• How to install and configure the Fedora Core Linux operating system for use on a workstation.
• The Linux EXT2 and EXT3 file systems and the general Linux/UNIX file structure.
• Navigation in a Linux environment at the command line and through the X Window System interface.
• How to configure Linux systems to communicate on TCP/IP networks.
• System logging on most Linux/UNIX systems.
• How to make hard drive images with the dd command and verify their integrity.
• How to develop basic UNIX shell scripts and use powerful searching and text manipulation tools such as grep, awk and sed.
• Over 80 of the most useful Linux/UNIX commands for security professionals.

Who Should Attend
Information security staff, corporate investigators, or other staff that require an understanding of the Linux operating system, how attackers exploit UNIX-based systems, how to secure UNIX-based systems and how to respond to incidents that involve the UNIX operating system. The course is intended for attendees who have little to no experience with or exposure to Linux or UNIX.

Course Pre-requisites
Familiarity with computer security terminology and concepts.

UNIX Investigations (5 days)

Attacks against systems running variants of the UNIX operating system are on the rise. In order to respond effectively to the escalating threat, organizations must have skilled information security staff able to rapidly detect and remove threats. Mandiant developed the UNIX Investigations course to provide information security personnel with the fundamental skills needed to quickly identify and eliminate threats targeting UNIX or variants of the UNIX operating system. The course is based on the real-world experience of Mandiant consultants who have years of experience combating these types of attacks. The course reinforces key concepts with hands-on exercises to ensure students gain practical experience in each critical area discussed.

Students Learn
• History of UNIX, Linux and Linux distributions.
• Targeted file system searches.
• File content searches using grep.
• UNIX/Linux file compression and archive utilities.
• File content comparison and integrity validation.
• File system architecture review.
• UNIX/Linux user and system credentials.
• Processes, network services, and the boot process.
• Server and host network configuration.
• Traffic, log, and forensic analysis.

Who Should Attend
Managers and technical team members involved in information technology, information security, incident response, or other staff who need to investigate potentially compromised UNIX hosts.

Course Pre-requisites
Students should have a basic understanding of TCP/IP networks and be proficient with the Linux operating system. Familiarity with basic computer security terminology is recommended.

APPENDIX A: MANDIANT SERVICES

Mandiant provides industry-leading information security services to help our customers overcome their most challenging problems. Our team is equally adept at building strong programs that minimize disturbances and at helping clients rapidly respond to incidents and resume business. The services outlined below are a blend of proactive efforts required to build secure network environments and reactive services enabling you to respond to events and intrusions in a timely and effective manner.

Application Security: In addition to network testing, Mandiant consultants have significant experience in testing web-based applications for security vulnerabilities. To help improve the security of your application development process, we will assist in developing a secure Software Development Life Cycle and training your staff on it. We can also provide hands-on testing of new products.
• Application Assessments: Mandiant reviews applications with a tool suite and hands-on effort at all levels of privilege to identify and remediate vulnerabilities. Mandiant can provide assessment services at various stages of the application development lifecycle, including requirements, design review, source code review and penetration tests.
• Secure Software Development Life Cycle: Our team will work with your group to enhance your code development process so that security is integrated into applications at the earliest opportunity. This improves your security posture at the lowest cost and in the most effective manner.
• Product Testing: With our forensics and incident response experience, we are uniquely able to assess the vulnerabilities in new products prior to release.

Network Security: Mandiant excels at assessing the security posture of your enterprise. From architecture to implementation, we can assess vulnerabilities and help build cost-effective plans to mitigate the risks. For many organizations, we become a temporary or long-term adjunct to their information security staff, bringing specialized expertise and an independent third-party view. Specific services include:
• Network Assessments: Working cooperatively with your staff, Mandiant can review your architecture, policies, procedures and technical implementation against pertinent standards. We are adept at assessing the impact of ISO 17799, PCI, OCC and NIST guidance on your information security program, and at substantially improving the security posture of the network without impairing critical business functions.
• Wireless Assessments: Mandiant's assessment teams identify security vulnerabilities affecting your authorized wireless infrastructure, and detect and identify potential rogue access points at those facilities.
• Penetration Testing: Mandiant provides high-quality external testing of your network perimeter, and we can work from a blind or partially informed starting point. Our process can validate existing security controls and provides an excellent venue for testing your incident detection capability.

Social Engineering: From email testing to surreptitious physical entry, Mandiant's team can help you assess or test the security awareness of your staff.
Many clients have found that our ability to obtain sensitive data through email or the phone provides strong leverage to enhance existing awareness programs.

Payment Card Industry Data Security Assessments: As a Visa and MasterCard approved vendor, Mandiant can certify that your transaction processing environment meets the PCI standards.

Incident Response: Even the most prepared organizations can be confronted with security problems in their computing environment. Mandiant consultants apply their blend of investigative and technical skills to help you solve the problem with minimum disruption of the business process. These services include:
• Incident Response Management: Mandiant can assist clients in identifying the nature and extent of any compromise, and then quickly build effective remediation plans to mitigate the issues. We work with your staff in conducting hands-on response and remediation efforts. Our work combines technical effort to minimize exposure with strategic guidance on incident management.
• Malware Analysis: We have extraordinary expertise and experience in identifying the impact of unknown code on your enterprise. We are able to perform rapid dynamic analysis of Windows-based and UNIX-based hostile code in order to profile network- and host-based indicators of compromise. This lets us identify the scope and intent of the malicious code.
• Program Development: Mandiant's consultants are able to build or enhance existing incident response programs to meet current regulatory and industry requirements. These projects can include policy and procedure development, business unit involvement and buy-in, executive and staff awareness training, incident response exercises and customized training.
• Incident Response Exercises: We have crafted numerous simulated incidents to help firms develop their hands-on response skills.
Mandiant can provide table-top policy driven events and detailed technical events that allows your team execute you existing incident response procedures and update your program. We complete every exercise with a lessons learned discussion to enhance skill development. Litigation Support: Mandiant can work as an extension of your legal team, providing the technical ability to quickly identify and collect information from computer systems. We can provide assistance with language for search protocols, orders and consent letters to ensure appropriate authorization. Then, our interaction with your investigative and legal team creates effective search terms to reduce the data collected to the most likely relevant materials and ensure efficient data production. Our team can help you with: •Forensic Examination: We have acquired and reviewed data from hundreds of systems and can conduct the most detailed analysis of the existent data. Thanks to our unmatched experience, we routinely identify key information missed by other examiners. •Litigation Support: Mandiant can work as an extension of your legal team, providing the technical ability to quickly identify and collect information from computer systems. We can provide assistance with language for search protocols, orders and consent letters to ensure appropriate authorization. Then, our interaction with your investigative and legal team creates effective search terms to reduce the data collected to the most likely relevant materials and ensure efficient data production. •Expert Testimony: Our consultants have provided expert testimony in the United States and overseas on criminal and civil matters. We are frequently called to explain complex technical issues to judicial authorities and juries. Research and Development: Mandiant has a unique ability to put our technical and operational experience to work solving our client’s cutting edge security problems. 
Our team includes specialists with high-level government clearances who can address mission-critical problems and rapidly produce capabilities or countermeasures to address emerging issues on a wide variety of platforms.

APPENDIX B: MANDIANT COMPANY BACKGROUND

Mandiant has been helping its clients defend against and respond to critical security incidents of all kinds for more than a decade. Founded by Kevin Mandia, Mandiant is a pioneer in educating organizations and governments around the world about how to secure their networks against advanced targeted attacks, and in providing security consulting and incident response services to help them resolve security incidents when they occur. The company has driven intruders out of the computer networks and endpoints of hundreds of clients across every major industry. Mandiant is the trusted advisor for 29 of the Fortune 100 and eight of the largest US cleared defense contractors. Mandiant consultants have investigated more than 1,000,000 compromised systems, analyzed hundreds of thousands of pieces of malicious software and reverse engineered the latest techniques used by advanced persistent threat (APT) actors. As the leader in incident response, Mandiant has built an incomparable base of knowledge about APT groups by utilizing a unique combination of expert consultants and proprietary technology.

To accomplish its mission, Mandiant has attracted the leading cyber security practitioners, experts and analysts in the world. Mandiant consultants are published experts, speakers at well-known security conferences and experts sought by leading media organizations. Mandiant employs former law enforcement officers, intelligence officers, Department of Defense computer security specialists, and forensic examiners who have significant experience shaping the information security programs at large, complex organizations.
Their expertise is complemented by an extensive infrastructure of patent-pending technology that Mandiant has developed to proactively detect and respond to advanced threats at scale within an enterprise. Our unique investigative skills were demonstrated to the world in February 2013, when the company identified a unit of the Chinese People’s Liberation Army (PLA Unit 61398) as being responsible for years of cyberattacks targeting at least 141 government and private entities. The report made headlines worldwide, prompted a response by President Obama, and focused attention on state actors behind coordinated cyber-attacks that target intellectual property and financial assets and present threats to national security.

Mandiant provides a full range of security consulting services, including incident response, compromise assessments, security program assessments, response readiness assessments and security transformation services designed to assist organizations in improving their security posture. Mandiant was acquired by FireEye, Inc. on December 31, 2013 and operates as a division of FireEye.

APPENDIX C: MANDIANT PUBLICATIONS

Incident Response and Computer Forensics, 3rd Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, August 2014

The Practice of Network Security Monitoring
Author: Richard Bejtlich
No Starch Press, July 2013

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Author: Michael Sikorski
No Starch Press, February 2012

The Tao of Network Security Monitoring: Beyond Intrusion Detection
Author: Richard Bejtlich
Addison-Wesley, July 2004

Incident Response and Computer Forensics, 2nd Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, July 2003

Hack Notes: Network Security
Contributing Author: Vijay Akasapu
McGraw-Hill, July 2003

Windows XP: Professional Security
Contributing Author: Matt Pepe
McGraw-Hill, October 2002

Incident Response and Computer Forensics, 1st Ed.
Authors: Kevin Mandia, Matt Pepe
McGraw-Hill, June 2001

Additional Reading
Richard B: Real Digital Forensics: Computer Security and Incident Response: http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=asap_bc?ie=UTF8
Richard B: Extrusion Detection: Security Monitoring for Internal Intrusions: http://www.amazon.com/Extrusion-Detection-Security-Monitoring-Intrusions/dp/0321349962/ref=asap_bc?ie=UTF8
Tony Lee: Contributing Author: Hacking Exposed 7: Network Security Secrets & Solutions: http://www.amazon.com/dp/0071780289/ref=rdr_ext_tmb
Chris Sanders: http://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083/ref=asap_bc?ie=UTF8
Chris Sanders: http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669/ref=asap_bc?ie=UTF8
Chris Sanders: http://www.amazon.com/Practical-Packet-Analysis-Chris-Sanders-ebook/dp/B002N3M6RC/ref=asap_bc?ie=UTF8

APPENDIX D: MANDIANT COMPANY INFORMATION

Firm Name: Mandiant Corporation, A FireEye Company
Established: 2004
Structure: Publicly traded company (NASDAQ: FEYE)
Focus: World leading information security company with focus in Security Program Development, Incident Response, Computer Forensics, Threat Assessments, Threat Detection, Network Security, Application Security and Education
Unique Expertise: Advanced Persistent Threat Assessment, Payment Card Industry Assessments, Remote Global Enterprise Incident Response, Malicious Code Analysis, Application-Product Testing, Network Intrusion Management, Expert Witness Testimony
Headquarters: 2318 Mill Rd, Suite 500, Alexandria, Virginia 22314
Regional Offices:
  24 West 40th St, 9th Floor, New York, New York 10018
  400 Continental Blvd., 6th Floor, El Segundo, CA 90245, USA
  425 Market Street, Suite 2200, San Francisco, CA 94105, USA
  12012 Sunset Hills Road, 7th Floor, Reston, VA 20190, USA
  200 Brook Drive, Green Park, Reading, RG2 6UB, United Kingdom
  Georges Quay Plaza, Georges Quay, Dublin 2, Ireland
Staff: 450+ / 5000 (FireEye)
Staff Experience: Average of over 10 years in the Information Security Industry
Global Expertise: Our team has lived or worked in 47 countries, including: Canada, Georgia, United States, Mexico, Panama, Colombia, Brazil, Argentina, Japan, Korea, Singapore, Indonesia, Malaysia, Australia, India, Egypt, Saudi Arabia, United Arab Emirates, Iraq, Jordan, Turkey, Russia, Ukraine, Finland, Sweden, Denmark, The Netherlands, Germany, and the United Kingdom
Customer Base: Over 350 current clients in the Financial, Legal, Law Enforcement, Intelligence, Retail and Technology sectors
Financial Stability: Highly stable firm with significant annual growth since formation
Publications: Primary and contributing authors of 8 books on information security; authors of numerous articles in the field
Presentations: Over 100 presentations annually to industry forums, conferences and groups
Certifications: CISSP, CISA, CBP, IACIS, CCNA, GCIA, GCUX, QSA, PFI
Memberships: IEEE, ECTF, HTCIA, OWASP and InfraGard
Mandiant Awards:
  SC Magazine 2012, 2013 & 2015 “Best Security Company”
  SC Magazine 2015 “Best APT Protection”
  Gartner Cool Vendors 2013 “Cool Vendors in Security for Technology and Service Providers”
  Forbes 2013 “Most Influential Company on Combatting Hacking”

To learn more about FireEye, visit: www.FireEye.com
FireEye, Inc.
1440 McCarthy Blvd.
Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / [email protected]
www.FireEye.com

© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. CC.MEE.EN-US.052016