This is a practical, hands-on course that provides incident analysis training through practical exercises and the basic knowledge required to perform duties as a security analyst.
Together we will examine, from a practical perspective, the incident analysis methods needed for corporate intrusion response and analysis work.
You will learn how to analyze the cause of security incidents.
You will learn about security solutions to counter cybersecurity threats.
You can practice the incident analysis process.
The pinnacle of professional security analyst practice! Learn how to analyze breach incidents through practice.
Basic competencies of a security analyst: analysis of breach incidents!
💡 What is a breach?
According to Article 2, Paragraph 1, Subparagraph 7 of the Information and Communications Network Act, a “breach incident” means “an incident resulting from an attack on an information and communications network or an information system related thereto by means of hacking, computer viruses, logic bombs, mail bombs, denial of service, or high-power electromagnetic waves.”
A breach incident on a system tied to information assets is a case in which the system or application behaves abnormally, or in which an attacker causes an effect the administrator did not intend (deletion, modification, or leakage of data).
When a cyberattack occurs, a company must quickly determine the extent of the damage and minimize the business impact through incident recovery. If activities required by law or by industry regulation are omitted, penalties or additional compliance obligations may follow. To minimize the business impact, companies respond to incidents across the whole organization, including the security, public relations, and legal teams, and they run mock drills annually or quarterly on the essential activities required when a security incident occurs.
Security analysts perform incident analysis when a breach occurs in a company or organization, or when legal issues arise. Because system abnormalities have many possible causes, the analyst must be able to tell these situations apart. In particular, when a breach results from an external intrusion or from an insider, the security analyst's role is to establish, through incident analysis, what damage was done to the system and what caused the breach.
To assess the damage from an incident and devise countermeasures that keep it from recurring, the most important step is to analyze the exact cause. However, opportunities to actually go through the incident analysis process are rare, and the work is difficult.
The name “Big Root” is used here to emphasize the complexity of a problem or situation: the root of the problem is large and tangled. The problem is not limited to a single cause or factor but is an intertwining of many.
In breaches caused by advanced cyberattacks, the cause is rarely found by analyzing only what is visible on the surface of a single system. Advanced attacks lead to repeated incidents and continuous damage to the company's business. To identify the root cause and the attack vector of a security incident, the corporate security team must check information from many systems and security solutions during the analysis.
Through the lectures, you will learn the security incident response procedures and the types and causes of cybersecurity incidents that do serious damage to companies, along with the capabilities needed to fundamentally resolve the security vulnerabilities that lead to hacking incidents.
From concept to practice: the basics of breach analysis.
Through breach-analysis training modeled on real-world cases, you can develop your incident analysis skills.
Gain the basic knowledge needed to perform your job as a security analyst and practice using analysis tools.
Identify the causes of cybersecurity incidents based on an understanding of network communications and applications.
By analyzing threat logs generated from various security devices, you can identify attackers attempting intrusion.
Learn practical breach incident analysis methods required for performing corporate intrusion response and analysis work.
In this lecture, we look at breach incident analysis methods from the practical perspective required for intrusion response and analysis work in companies. For practitioners who analyze network-based intrusion detection logs or network packets, we cover the analysis tools a security analyst needs, the know-how of handling them, and what results the analysis should produce.
Security analysis work uses many kinds of logs and analysis tools. For those who want to analyze intrusion detection system logs, web server logs, and network packets, I explain the basic concepts and practical techniques of threat analysis, together with the know-how gained from my own work, to help students improve their on-the-job capabilities.
The information analyzed for incident analysis typically includes web logs, IDS/IPS logs, and network packet captures. We conduct incident response training by analyzing logs from systems where actual security incidents occurred. Finally, we share how to manage your career going forward.
I'll help you learn analysis efficiently.
How intrusion response/analysis practitioners collect the information they need
The analysis tools used by breach response/analysis practitioners, and how to use them
Practical breach response/analysis know-how, shown by example
1) Learn the analytical tools and methods used by breach response/analysis practitioners.
If you do not have much experience analyzing breaches, you may not know where to start when investigating an incident. In this lecture you work through a case of each incident type so that you can quickly find the cause of an incident and identify the attack path. Through the practice, you learn what to focus on, and how to analyze efficiently, to find traces of the breach in security logs.
✅ Learning about normal log classification criteria cases
✅ Practice using a bulk log analysis program
✅ Learning about breach incident types
2) Analysis methods that do not depend on a particular hacking technique can be applied in a wide variety of situations.
Attackers attempt to infiltrate systems in many ways. By understanding the principles of how vulnerabilities are exploited, without being tied to a specific attack tool or method, you can apply the same analysis to many kinds of attack attempts.
Security Analysis Practice for Training.
IDS Log Analysis Training
We provide a filtered set of attack logs detected by commercial security products for practice. The attack event names, attack times, and other information are configured identically to the actual incident cases.
Web Log Analysis Training
We directly analyze the attack techniques used against web servers and the logs they leave on the target server. Through this analysis we identify vulnerable settings on the web server and the cause of the incident.
Network Packet Analysis
We reproduced a cybersecurity incident case under the same conditions in a lab environment, replayed the attack on the system from the attacker's perspective, and captured the network traffic. We analyze the captured packets to determine the attack target and the scope of the damage.
📣 Please check before taking the class!
In the logs used for the exercises, the attacker IP and target IP have been redacted.
What you'll learn 📚
You learn the analysis process by practicing breach analysis on each practical case. Before going through the analysis guide, you first perform the analysis yourself and then compare your own process with the contents of the guide.
Section 1 - Pre-study
Before the practical training, we look at the methodology required for analysis. We divide it into two approaches: identifying attack behavior by specific patterns, and setting thresholds and identifying threats by behavior. Then we look at how to apply them to security incident cases through an example of spotting abnormal behavior in a movie.
Reference video for identifying unusual behavior in movies
Analyze the causes of large-scale network failures by analyzing intrusion detection solution events detected over a certain period of time. The following table shows intrusion detection events extracted from the intrusion detection system.
Detection item           | Detection information
Event collection period  | 3 months
Detection signature name | TCP_Invalid_SACK
Source IP                | 10.0.0.1
Source port              | Random
Destination IP           | Random
Destination port         | Random
Total                    | 1,441 events
The TCP_Invalid_SACK signature fires on TCP segments whose Selective Acknowledgment (SACK) option is malformed or inconsistent with the state of the connection. Normally, TCP communication sends and receives packets in the manner specified by the protocol. However, depending on the program or the network characteristics involved, communication sometimes deviates from the specified protocol, and the TCP_Invalid_SACK signature records that deviation.
For this reason, the communication is detected even when an attacker uses a non-standard tool whose TCP handling does not follow the standard. Of course, the detected events do not record only the attacker's communication: among the 1,441 detected events, the attacker's own connections are likely to be a small number. The security analyst's task is to find those few attack detections through event analysis.
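As an added example that is not part of the course material, the script below applies the two pre-study approaches to an IDS event export: a pattern rule that matches signature names that name an attack outright, and a behavioural threshold that flags a source which suddenly triggers many events against one host on many ports. The CSV layout, the timestamps, the destination addresses and the Web_Shell_Upload signature name are constructed for the illustration (10.0.0.1 is reused from the table above only as a placeholder); a real export from Splunk, Excel or a vendor console will need its own parser, but the two methods are the same.

```python
"""Sift IDS events two ways: a pattern rule and a behavioural threshold.

Added example, not the course's own material. The CSV layout and the events
below are constructed to mimic a SIEM export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp,signature,src_ip,src_port,dst_ip,dst_port.
# Most lines are the low-rate TCP_Invalid_SACK chatter one host produces all
# quarter; the short burst on 2023-03-04 is what the analyst is looking for.
SAMPLE_EVENTS = """\
2023-03-01 09:12:05,TCP_Invalid_SACK,10.0.0.1,51234,10.0.4.21,443
2023-03-01 14:40:11,TCP_Invalid_SACK,10.0.0.1,51240,10.0.4.22,443
2023-03-02 10:03:47,TCP_Invalid_SACK,10.0.0.1,51251,10.0.4.21,443
2023-03-03 11:21:09,TCP_Invalid_SACK,10.0.0.1,51260,10.0.4.23,443
2023-03-04 02:00:01,TCP_Invalid_SACK,10.0.0.1,40001,10.0.9.5,22
2023-03-04 02:00:02,TCP_Invalid_SACK,10.0.0.1,40002,10.0.9.5,3389
2023-03-04 02:00:02,TCP_Invalid_SACK,10.0.0.1,40003,10.0.9.5,445
2023-03-04 02:00:03,TCP_Invalid_SACK,10.0.0.1,40004,10.0.9.5,8080
2023-03-04 02:00:03,TCP_Invalid_SACK,10.0.0.1,40005,10.0.9.5,1433
2023-03-04 02:00:04,Web_Shell_Upload,10.0.0.1,40006,10.0.9.5,80
2023-03-05 09:15:30,TCP_Invalid_SACK,10.0.0.1,51270,10.0.4.21,443
"""

# Substrings of signature names that identify an attack outright (assumed
# list; build yours from the vendor's signature catalogue).
ATTACK_PATTERNS = ("web_shell", "exploit", "shellcode", "sql_injection")


def parse_events(text):
    """Turn the CSV export into dicts carrying a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, sport, dst, dport = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "sig": sig, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return events


def pattern_hits(events):
    """Method 1: the signature name itself identifies the attack."""
    return [e for e in events
            if any(p in e["sig"].lower() for p in ATTACK_PATTERNS)]


def behaviour_hits(events, min_events=4, min_ports=3):
    """Method 2: bucket by (src, dst, hour) and flag buckets that exceed a
    threshold on both volume and distinct destination ports. One protocol
    anomaly a day is background; five within seconds against a single host
    on five different ports is behaviour worth pulling the full logs for."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["dst"], e["time"].strftime("%Y-%m-%d %H"))].append(e)
    hits = []
    for (src, dst, window), evs in sorted(buckets.items()):
        ports = sorted({e["dport"] for e in evs})
        if len(evs) >= min_events and len(ports) >= min_ports:
            hits.append({"src": src, "dst": dst, "window": window,
                         "count": len(evs), "ports": ports, "events": evs})
    return hits


def triage(text, min_events=4, min_ports=3):
    """Combine both methods and report how much of the export was noise."""
    events = parse_events(text)
    suspects = {id(e) for e in pattern_hits(events)}
    behaviour = behaviour_hits(events, min_events, min_ports)
    for hit in behaviour:
        suspects.update(id(e) for e in hit["events"])
    return {"total": len(events), "suspect": len(suspects),
            "noise": len(events) - len(suspects),
            "pattern": [(e["time"].isoformat(sep=" "), e["sig"], e["dst"], e["dport"])
                        for e in pattern_hits(events)],
            "behaviour": [(h["dst"], h["window"], h["count"], h["ports"])
                          for h in behaviour]}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{result['total']} events, {result['suspect']} suspect, {result['noise']} noise")
    for row in result["pattern"]:
        print("pattern  :", *row)
    for row in result["behaviour"]:
        print("behaviour:", *row)
```

The threshold values are the part that needs judgement: set them from the source's own baseline over the collection period (here, about one event per day per host) rather than from a fixed number, or the rule will either miss slow attackers or drown you in the same chatter the signature already produces.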
You trace the cause of the incident by analyzing the practice log file yourself. The analysis results for the cause are explained in the analysis guide section. As emphasized above, first work through the incident analysis process on your own, then compare it with the analysis guide section as part of the training.
We analyze the circumstances of the intrusion through web log analysis. Log processing removes information that is unnecessary, or cannot be analyzed, so that the events can be examined more efficiently. Web traffic, however, is innumerable, like a haystack, and finding the attack traffic is like finding a needle hidden in it.
In the second lab we look at how to clear away the straw using web logs. We install Splunk, Log Parser, and Elasticsearch and practice the analysis process for Windows web server logs.
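As an added example that is neither the course's own material nor a Log Parser query, the script below performs the same straw-clearing on a constructed IIS W3C log: it reads the #Fields directive so the parser follows whatever columns the server was configured to log, drops requests for static assets, and then looks for the upload-then-execute pattern of a web shell. The log lines, hostnames, client addresses, the /upload/ directory and the extension lists are assumptions made for the illustration.

```python
"""Clear the straw from an IIS W3C log, then look for upload-then-execute.

Added example, not the course's own material. The log below is constructed
in the IIS W3C extended format (the layout Log Parser Studio reads); hosts,
paths, client addresses and the upload directory are placeholders. How the
attacker got the .asp past the extension filter is not shown here.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2023-03-04 01:58:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-03-04 01:58:03 10.0.9.5 GET /board/list.asp page=1 80 10.0.7.12 Mozilla/5.0 200
2023-03-04 01:58:03 10.0.9.5 GET /css/site.css - 80 10.0.7.12 Mozilla/5.0 200
2023-03-04 01:58:04 10.0.9.5 GET /img/logo.png - 80 10.0.7.12 Mozilla/5.0 200
2023-03-04 01:59:40 10.0.9.5 GET /board/write.asp - 80 10.0.0.1 Mozilla/5.0 200
2023-03-04 01:59:58 10.0.9.5 POST /board/upload.asp - 80 10.0.0.1 Mozilla/5.0 302
2023-03-04 02:00:04 10.0.9.5 GET /upload/2023/notice.asp - 80 10.0.0.1 Mozilla/5.0 200
2023-03-04 02:00:09 10.0.9.5 POST /upload/2023/notice.asp - 80 10.0.0.1 Mozilla/5.0 200
2023-03-04 02:00:15 10.0.9.5 POST /upload/2023/notice.asp - 80 10.0.0.1 Mozilla/5.0 200
2023-03-04 02:01:00 10.0.9.5 GET /upload/2023/photo.jpg - 80 10.0.7.12 Mozilla/5.0 200
"""

# Extensions that are never the attack by themselves (assumed; tune per site).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".svg")
# Extensions IIS hands to a script engine; such a file inside a directory that
# should hold only user uploads is a web shell candidate (assumed lists).
EXEC_EXT = (".asp", ".aspx", ".asa")
UPLOAD_DIRS = ("/upload/",)


def parse_iis(text):
    """Read the #Fields directive and zip each data line against it.
    IIS logs time in UTC and replaces spaces inside a field with '+',
    so splitting on single spaces is safe."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def strip_static(records):
    """First pass at the haystack: drop requests for static assets."""
    return [r for r in records
            if not r["cs-uri-stem"].lower().endswith(STATIC_EXT)]


def webshell_candidates(records):
    """Executable files requested from an upload directory: how often, by
    whom, and whether the server actually served them (sc-status)."""
    found = {}
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.startswith(UPLOAD_DIRS) and stem.endswith(EXEC_EXT):
            c = found.setdefault(stem, {"first_seen": f"{r['date']} {r['time']}",
                                        "hits": 0, "clients": set(),
                                        "status": Counter()})
            c["hits"] += 1
            c["clients"].add(r["c-ip"])
            c["status"][r["sc-status"]] += 1
    return found


def upload_events(records, candidate):
    """Walk back from the first hit on the candidate to the POSTs the same
    client sent before it; one of them is the upload that placed the file."""
    return [(f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in records
            if r["cs-method"] == "POST" and r["c-ip"] in candidate["clients"]
            and f"{r['date']} {r['time']}" < candidate["first_seen"]]


if __name__ == "__main__":
    kept = strip_static(parse_iis(SAMPLE_LOG))
    for stem, c in webshell_candidates(kept).items():
        print(stem, c["hits"], "hits from", sorted(c["clients"]), dict(c["status"]))
        for ev in upload_events(kept, c):
            print("  earlier POST:", *ev)
```

The two rules (discard static extensions, then look for executable extensions under the upload path and correlate them with earlier POSTs from the same client) translate directly into a Splunk search or a Log Parser Studio query over the same columns; the script only makes them explicit. A 200 on the candidate tells you the server executed the file, while a 404 would mean the attacker probed for it and failed, which is why sc-status is kept alongside the hit count.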
An attacker bypasses the file extension restriction, uploads an application executable (an ASP file) to the bulletin board, and takes control of the system. We analyze this web shell attack as it appears in network communication. Packet analysis becomes fairly efficient once the analysis scope is narrowed to the target communication or server, so to analyze the web shell's packets we use the filter expressions applied during analysis.
During the analysis, we extract the backdoor file that was delivered over the actual network communication and, by reproducing it, trace what communication took place and what damage was done to the server.
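As an added example that is not part of the course material, the script below does the extraction step on two constructed HTTP streams of the kind Wireshark exports (Follow > TCP Stream, or File > Export Objects > HTTP): it parses the multipart/form-data upload with the standard library's email parser to recover the uploaded file and its hash, then pulls the form parameters from the later requests aimed at the dropped file, which are the commands the attacker ran. The host, paths, form field names and the inert ASP placeholder are assumptions; no real web shell body is shown.

```python
"""Recover the uploaded backdoor from a captured HTTP exchange, then read
the commands later sent to it.

Added example, not the course's own material. The byte strings stand in for
TCP streams exported from Wireshark; host, paths and payload are placeholders.
"""
import hashlib
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qs, urlsplit

BOUNDARY = b"----FormBoundary7f3a"

# Constructed stream 1: the multipart upload that places notice.asp.
UPLOAD_REQUEST = (
    b"POST /board/upload.asp HTTP/1.1\r\n"
    b"Host: 10.0.9.5\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="title"\r\n'
    b"\r\n"
    b"notice\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notice.asp"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<% ' placeholder for the backdoor body %>\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Constructed stream 2: the attacker driving the shell with a form POST.
SHELL_REQUEST = (
    b"POST /upload/2023/notice.asp HTTP/1.1\r\n"
    b"Host: 10.0.9.5\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"cmd=whoami"
)
SHELL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"nt authority\\network service"
)


def split_http(raw):
    """Start line, lower-cased header dict, raw body. Wireshark has already
    reassembled the stream, so no chunk or Content-Length handling here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_uploads(raw):
    """Parse a multipart/form-data body with the stdlib email parser and
    return every part that carries a filename, with its bytes and hash."""
    _, headers, body = split_http(raw)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return []
    # The email parser needs the Content-Type (with the boundary) as a header
    # in front of the body; it then walks the parts for us.
    msg = BytesParser(policy=policy.default).parsebytes(
        b"Content-Type: " + ctype.encode("latin-1") + b"\r\n\r\n" + body)
    files = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)
            files.append({"filename": name, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "data": data})
    return files


def shell_commands(streams, shell_path):
    """For every request aimed at the dropped file, collect the query and
    form parameters; their values are what the attacker executed."""
    found = []
    for raw in streams:
        start, headers, body = split_http(raw)
        if not start.startswith(("GET ", "POST ")):
            continue  # a response, not a request
        method, target, _ = start.split(" ", 2)
        url = urlsplit(target)
        if url.path != shell_path:
            continue
        params = parse_qs(url.query)
        if method == "POST" and headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            params.update(parse_qs(body.decode("latin-1")))
        for key, values in params.items():
            found.extend((method, key, v) for v in values)
    return found


if __name__ == "__main__":
    for f in extract_uploads(UPLOAD_REQUEST):
        print(f"{f['filename']}: {f['size']} bytes sha256={f['sha256']}")
    for cmd in shell_commands([UPLOAD_REQUEST, SHELL_REQUEST, SHELL_RESPONSE],
                              "/upload/2023/notice.asp"):
        print("command:", *cmd)
    print("response body:", split_http(SHELL_RESPONSE)[2].decode("latin-1"))
```

To reach these streams in a real capture, narrow the scope first with Wireshark display filters such as `http.request.method == "POST" && http.content_type contains "multipart"` for the upload and `http.request.uri contains "notice.asp"` for the shell traffic, then follow the matching `tcp.stream` to export the bytes. Hash the recovered file before anything else: the hash is what you compare against the file found on disk and what you hand to the rest of the team.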
Q&A 💬
Q. What prerequisite knowledge is required to learn?
This course consists mainly of hands-on exercises and does not cover basic cybersecurity concepts or theory. To perform the exercises, you need to understand IDS, web application settings, and web server response codes. Although this prior knowledge is required, you can analyze breach incidents even if you have never done any hacking yourself.
Q. How is it different from other security lectures?
The lecture content is organized around practical experience with security incident analysis techniques and know-how. All three breach incident analysis cases are based on actual incidents, so they build real analysis experience. However, the legal aspects of collecting disk images in the forensic process are not covered.
Q. Are there any notes regarding course registration?
The training uses public tools (MS Log Parser Studio, Wireshark), free trials of security products, and Microsoft Excel. The course does not cover installing the analysis products; students must install them by following each vendor's installation guide.
The knowledge sharer for this course is ✒️
Bigroot Security
I have been working as a CERT team breach response specialist and as a solution engineer for a foreign security company for 18 years. I was the PM for SOC construction and operation projects at IBM Korea, where I designed security infrastructure and developed construction and operation processes. On the AhnLab CERT team I performed security breach analysis and response work for private companies and public institutions. When the 3.20 DarkSeoul campaign occurred, I inspected domestic broadcasting company systems, and at the time of the Nate personal information leak incident I supported inspection of the system from which the data was leaked.
Key career highlights
Security Consultant: Design/build/operate security enhancement strategies through security infrastructure consulting
Security Control Consulting: SOC construction consulting and operation work
Security Service Product Development: Development of Next-Generation Security Control Solutions & Services
Response to breach incidents: Military/public/private companies, etc.
Hacking and Intrusion Incident Analysis (G&S, 2009; selected as a 2009 Ministry of Culture, Sports and Tourism Outstanding Academic Book)
Recommended for these people
Who is this course right for?
SOC Security Analyst
Corporate IT Security Officer
Security Incident Response Team (Blue Team)
Security monitoring personnel
Security Consultant
Other Incident Response Analysts
Need to know before starting?
Basic understanding of cyber security
Understanding of IDS and Web Application Settings, Web Server Response Codes
Instructor profile: 459 learners, 40 reviews, 4.7 rating, 1 course.
I have been working for 18 years as a breach incident response specialist on a CERT team and as a solution engineer at foreign security companies.
At IBM Korea I was the PM for SOC construction and operation projects, where I designed security infrastructure and developed construction and operation processes.
At Cisco Korea, as a technical specialist for security solutions with expertise in security architecture design and threat response cases, I assessed customers' current state and advised on improvements.
On the AhnLab CERT team I analyzed and responded to security breaches at private companies and public institutions. When the 3.20 DarkSeoul campaign occurred, I inspected domestic broadcasting company systems, and during the Nate personal information leak incident I supported inspection of the systems from which the data was leaked. I carried out investigations of many different breach incidents affecting private companies and public organizations.