Résumé du cours
This one-day course teaches you how to use the VMware Carbon Black® EDR™ product during incident response. Using the SANS PICERL framework, you will configure the server and perform an investigation on a possible incident. This course provides guidance on using Carbon Black EDR capabilities throughout an incident with an in-depth, hands-on, scenario-based lab.
Product Alignment
- VMware Carbon Black EDR
Moyens d'évaluation :
- Évaluations formatives pendant la formation, à travers les travaux pratiques réalisés sur les labs à l’issue de chaque module
- Évaluation sous forme de questionnaire à l’issue de la formation
A qui s'adresse cette formation
Security operations personnel, including analysts and incident responders
Pré-requis
This course requires completion of the following course:
Objectifs
By the end of the course, you should be able to meet the following objectives:
- Utilize Carbon Black EDR throughout an incident
- Implement a baseline configuration for Carbon Black EDR
- Determine if an alert is a true or false positive
- Fully scope out an attack from moment of compromise
- Describe Carbon Black EDR capabilities available to respond to an incident
- Create addition detection controls to increase security
Contenu
Course Introduction
- Introductions and course logistics
- Course objectives
VMware Carbon Black EDR & Incident Response
- Framework identification and process
Preparation
- Implement the Carbon Black EDR instance according to organizational requirements
Identification
- Use initial detection mechanisms
- Process alerts
- Proactive threat hunting
- Incident determination
Containment
- Incident scoping
- Artifact collection
- Investigation
Eradication
- Hash banning
- Removing artifacts
- Continuous monitoring
Recovery
- Rebuilding endpoints
- Getting to a more secure state
Lessons Learned
- Tuning Carbon Black EDR
- Incident close out
Moyens Pédagogiques :