PRE-CONFERENCE TRAINING
Training sessions will be held on August 23 and 24. All sessions are from 9am – 5pm, unless otherwise noted. Pre-registration is required.
SUNDAY, AUGUST 23, 2009
Session 1: Wireshark as an Incident Response Tool *
Limited seating: 18 students. SESSION CLOSED**
* Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
This hands-on course will cover the basic uses of the Wireshark packet capture/analysis tool during the critical early hours of an attack or incident. Topics will include: which operating systems to use, how to get started quickly during an incident response, performance tips, display and capture filters, timestamps, spotting normal versus malicious traffic, IPv4 and IPv6, WiFi captures, Bluetooth captures, VoIP captures, hardware tips, what to keep and what to toss, and exporting captures to other packet tools. Each student will be given an incident response boot CD with the latest version of Wireshark and sample captures. Students will practice real-world traffic capture and analysis during a simulated live attack. Every student attending this course must have a laptop computer that they can configure and bring to the class. All students in the class should have an understanding of basic networking and routing concepts.
Instructor: James "Kelly" Brown
Kelly Brown is an employee of CSC, assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland. With over 8 years' experience in the Information Technology field, Mr. Brown is an Instructor and Curriculum Developer for DCITA's Technology Track; he has a BS in Computer Networking and holds the MCSE and CTT+ certifications. Prior to teaching at DCITA, Mr. Brown worked as an Information Security Professional employed by IBM in the Security, Privacy, and Wireless Division, Federal Sector, conducting network and database audits, reporting on information assurance and compliance activities, and conducting annual security awareness training. Mr. Brown has extensive experience as a Senior Systems Engineer responsible for the successful development, implementation, and administration of systems for numerous companies in the private sector.
Instructor: Dave Warren
Dave Warren is a CSC employee assigned to the DCITA contract as an instructor/Subject Matter Expert. He is a Certified Information Systems Security Professional (CISSP) with over twenty years' experience in the field of Information Technology. During those twenty years Mr. Warren has worked in various positions including programmer, systems analyst, systems administrator (Unix and Windows), network engineer, information security engineer, and information risk manager. Mr. Warren is working to complete his Master's degree in Applied Information Technology, with an emphasis in Information Assurance, in the Fall of 2008. When not working or studying, Mr. Warren enjoys fishing and golf.
Session 2: Incident Response - The First 24 Hours *
Limited seating: 15 students. SESSION CLOSED**
*Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
ABSTRACT: This hands-on course will be an abridged edition of DCITA's CIRC focusing on response in a Windows environment.
SEARCH & SEIZURE
Lesson 1 - First Response
Lesson 2 - Processing On-screen Data
Lesson 3 - Shutdown Procedures
Lesson 4 - Packaging and Transportation
INCIDENT RESPONSE - WINDOWS 2003 SERVER
Lesson 1 - Incident Preparation
Lesson 2 - Information Collection
Lesson 3 - Evidence Imaging
Lesson 4 - Physical Memory Acquisition
All students in the class should have basic computer hardware knowledge.
Instructor: Michael Moore
Michael Moore is an employee of Computer Sciences Corporation, assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland. He has been an instructor and course developer for the academy for the past 9 years. Mr. Moore is a graduate of the University of Maryland, where he majored in Criminology. He has a Master's degree in Applied Information Technologies from Towson University. He holds numerous technical certifications and is a Certified Technical Trainer, having earned his CTT+ certification.
Instructor: Dave DeMaio
Dave DeMaio is an employee of Computer Sciences Corporation (CSC) and an instructor for DCITA's response track. After decades of programming, administering and designing real-time computer systems in a nuclear power environment, Mr. DeMaio turned his focus to forensics and data recovery. Before coming to DCITA, he was a principal consultant and problem solver for small businesses and private clients. He is a member of IFSCE and a Certified Computer Examiner. He is also a published author.
Session 3: Introduction to Network Forensics
Limited seating: 24 students. SESSION CLOSED**
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
Through classroom instruction and practical hands-on exercises, this two-part workshop will teach you how to conduct basic and in-depth network forensic investigations to discover and defend against sophisticated attack methodologies, and to find the roots of external and internal security problems in the network data. Attackers have moved away from direct attacks on network perimeters and are focusing their efforts on application-layer attacks. This two-part course provides valuable insight into exposing covert communications channels, data leakage, and other unauthorized network activity. At the end of this workshop, attendees will leave better equipped to identify and respond to anomalous network activity, perform in-depth network-based investigations and audits, save time and resources by resolving network security problems more quickly, and properly preserve evidence to assist management or law enforcement.
This hands-on lab is an introduction to Network Forensics. Designed for the computer forensics practitioner, incident responder, fraud investigator, or IT auditor who needs to learn how to perform basic network forensics work, this session covers current adversary attack methodologies and tools, network investigative and technical threat analysis best practices, and chain of custody requirements and evidentiary standards. This lab also provides the attendee with working knowledge of and experience with tools such as WinPcap, tcpdump, Wireshark and NetWitness Investigator Freeware. The lab uses sample data obtained from actual commercial and U.S. government cases, and students will be asked to perform forensic analysis and make judgments regarding the detailed concerns associated with the specific cases presented.
Session 4: Targeted Response and Analysis Challenge (TRAC) *
Limited Seating: 50 students
*Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
Overview:
TRAC is a pre-conference hands-on training exercise focusing on technical, first-responder best practices in detecting, identifying, reporting, and potentially mitigating network and system intrusions and compromises. Students will use their own laptop computers to log in to the CERT® XNET training platform, where they will access scenario documentation and instructions, team collaboration and reporting tools, and the training network infrastructure and services. Students will work together in teams to assess network conditions and respond to active/attempted compromises and instructor-injected events and anomalies. This course will be 90 percent hands-on in nature; however, CERT® instructors will provide the instruction and facilitation needed to prepare students for the incident scenarios and conditions, the available tools and resources, and response best practices. TRAC will be made up of 3-4 focused training scenarios that will challenge students' ability to detect, respond to, and analyze events within their teams' isolated training networks. Teams will be assigned points for each challenge that they correctly report via the CERT XNET portal. At the end of each day, scores will be posted on the portal to notify teams of their standings. Winners will be announced when TRAC is concluded and prizes will be awarded. Sample scenario topics may include malware/rootkit investigation, network traffic analysis, and system forensics.
Requirements:
- Laptop Computer with local administrator/root privileges
- Wireless Ethernet Adaptor
- Modern Web browser (IE 6+, Firefox 3+)
- Java Runtime Environment installed
Instructor: Chris May
Chris May is the Technical Manager of CERT's Workforce Development program, part of the Software Engineering Institute at Carnegie Mellon University. In this role, he leads a diverse team of professionals on large-scale projects with numerous US Government agencies, notably the Department of Homeland Security and the Department of Defense. He is also on the adjunct faculty of Carnegie Mellon's Information Networking Institute, teaching courses in applied information assurance and computer forensics. Prior to joining the SEI, he served seven years in the U.S. Air Force as a communications and information officer. He served in various IT positions in Korea, Japan, and throughout Europe and the United States. May's last Air Force assignment was Chief of the Network Control Center at the United States Air Force Academy in Colorado Springs, Colorado. He led over 90 technicians, supporting 9,000 users, in the daily operations and maintenance of the 3rd largest base network in the U.S. Air Force. May received his bachelor's in education from Indiana University of Pennsylvania in Indiana, Pennsylvania, and a master's in computer resources management from Webster University in St. Louis, Missouri. He holds numerous industry certifications and is a distinguished graduate of the U.S. Air Force Basic/Advanced Communications Officer Training School in Biloxi, Mississippi.
Instructor: Rob Floodeen
Rob Floodeen is a Member of Technical Staff, Workforce Development at CERT|SEI|CMU. Before joining CERT, Rob led teams performing Intrusion Detection at the Pentagon, Army Research Lab, and for the Defense Research and Engineering Network (DREN). Additionally, he spent several years managing Computer Emergency Response Team operations for the Defense Threat Reduction Agency (DTRA) and also served as a Visiting Scientist at the Software Engineering Institute. Rob holds a degree in Computer Science (Honors) from Old Dominion University and is completing postgraduate degree studies in information security from James Madison University. Mr. Floodeen also has been trained by the U.S. Army in system and network administration, computer network defense, and the employment of "really big guns" on the tactical battlefield.
Instructor: Dennis Allen
Dennis Allen is a Member of the Technical Staff, Workforce Development, at CERT|SEI|CMU. Dennis has worked at CERT for 5 years and in that time has served as Lead Course Instructor, Course Owner for Advanced Information Security for Technical Staff, technical content developer, and active participant and organizer in several Cyber Defense and Information Assurance exercises. He has over 15 years of Information Technology experience supporting various desktop, server, network, and security technologies on several platforms for small private businesses as well as Fortune 500 corporations. Mr. Allen holds a Bachelor of Science degree in Computer Science and maintains several industry certifications including CISSP, Security+, NSA IAM, Cisco CCNA, and other Microsoft and Novell certifications. In addition to his professional accreditations and skills, Mr. Allen served 14 years in the US Army, including several years with the Army Reserve Information Operations Command.
Session 5: Introduction to Control Systems Security for the IT Professional
Overview:
This course is directed to those who have IT Security responsibilities or background but no previous experience with critical infrastructure control systems and their relationship to modern IT networks. Four training sessions will guide attendees from basic definitions, components, and protocols to the major applications and architectures within critical infrastructure and key resources (CIKR). Control system network architectures, cyber threats and vulnerabilities, and mitigations will be presented. Current and emerging government and industry activities that are addressing the issue of risk reduction will be discussed.
MONDAY, AUGUST 24, 2009
Session 1: Wireshark as an Incident Response Tool *
Limited seating: 18 students. SESSION CLOSED**
*Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
This hands-on course will cover the basic uses of the Wireshark packet capture/analysis tool during the critical early hours of an attack or incident. Topics will include: which operating systems to use, how to get started quickly during an incident response, performance tips, display and capture filters, timestamps, spotting normal versus malicious traffic, IPv4 and IPv6, WiFi captures, Bluetooth captures, VoIP captures, hardware tips, what to keep and what to toss, and exporting captures to other packet tools. Each student will be given an incident response boot CD with the latest version of Wireshark and sample captures. Students will practice real-world traffic capture and analysis during a simulated live attack. Every student attending this course must have a laptop computer that they can configure and bring to the class. All students in the class should have an understanding of basic networking and routing concepts.
Instructor: James "Kelly" Brown
Kelly Brown is an employee of CSC, assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland. With over 8 years' experience in the Information Technology field, Mr. Brown is an Instructor and Curriculum Developer for DCITA's Technology Track; he has a BS in Computer Networking and holds the MCSE and CTT+ certifications. Prior to teaching at DCITA, Mr. Brown worked as an Information Security Professional employed by IBM in the Security, Privacy, and Wireless Division, Federal Sector, conducting network and database audits, reporting on information assurance and compliance activities, and conducting annual security awareness training. Mr. Brown has extensive experience as a Senior Systems Engineer responsible for the successful development, implementation, and administration of systems for numerous companies in the private sector.
Instructor: Dave Warren
Dave Warren is a CSC employee assigned to the DCITA contract as an instructor/Subject Matter Expert. He is a Certified Information Systems Security Professional (CISSP) with over twenty years' experience in the field of Information Technology. During those twenty years Mr. Warren has worked in various positions including programmer, systems analyst, systems administrator (Unix and Windows), network engineer, information security engineer, and information risk manager. Mr. Warren is working to complete his Master's degree in Applied Information Technology, with an emphasis in Information Assurance, in the Fall of 2008. When not working or studying, Mr. Warren enjoys fishing and golf.
Session 2: Incident Response - The First 24 Hours *
Limited seating: 15 students. SESSION CLOSED**
*Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
ABSTRACT: This hands-on course will be an abridged edition of DCITA's CIRC focusing on response in a Windows environment.
SEARCH & SEIZURE
Lesson 1 - First Response
Lesson 2 - Processing On-screen Data
Lesson 3 - Shutdown Procedures
Lesson 4 - Packaging and Transportation
INCIDENT RESPONSE - WINDOWS 2003 SERVER
Lesson 1 - Incident Preparation
Lesson 2 - Information Collection
Lesson 3 - Evidence Imaging
Lesson 4 - Physical Memory Acquisition
All students in the class should have basic computer hardware knowledge.
Instructor: Michael Moore
Michael Moore is an employee of Computer Sciences Corporation, assigned to the Defense Cyber Investigations Training Academy (DCITA) in Linthicum, Maryland. He has been an instructor and course developer for the academy for the past 9 years. Mr. Moore is a graduate of the University of Maryland, where he majored in Criminology. He has a Master's degree in Applied Information Technologies from Towson University. He holds numerous technical certifications and is a Certified Technical Trainer, having earned his CTT+ certification.
Instructor: Dave DeMaio
Dave DeMaio is an employee of Computer Sciences Corporation (CSC) and an instructor for DCITA's response track. After decades of programming, administering and designing real-time computer systems in a nuclear power environment, Mr. DeMaio turned his focus to forensics and data recovery. Before coming to DCITA, he was a principal consultant and problem solver for small businesses and private clients. He is a member of IFSCE and a Certified Computer Examiner. He is also a published author.
Session 3: Intermediate Control Systems Security
Hands-on format - Intermediate Technical Level
Limited seating: 35 students
Overview:
This hands-on course is structured to help students understand exactly how attacks against process control systems could be launched and why they work, and to provide mitigation strategies to increase the cyber security posture of their control systems networks. Because this course is hands-on, students will get a deeper understanding of how the various tools work. Accompanying this course is a sample process control network that demonstrates exploits used for unauthorized control of the equipment, along with mitigation solutions. This network is also used during the course for the many hands-on exercises that will help students develop control systems cyber-security skills they can apply when they return to their jobs. Every student attending this course must have a laptop computer that they can configure and bring to the class. All students in the class should have basic coding skills and a fairly deep understanding of network details, from UDP to TCP and from MAC to IP.
Session 4: Advanced Network Forensics
Limited seating: 24 students. SESSION CLOSED**
**Please note that confirmation emails have been sent out for this class and a waitlist has been created.
Overview:
Through classroom instruction and practical hands-on exercises, this two-part workshop will teach you how to conduct basic and in-depth network forensic investigations to discover and defend against sophisticated attack methodologies, and to find the roots of external and internal security problems in the network data. Attackers have moved away from direct attacks on network perimeters and are focusing their efforts on application-layer attacks. This two-part course provides valuable insight into exposing covert communications channels, data leakage, and other unauthorized network activity. At the end of this workshop, attendees will leave better equipped to identify and respond to anomalous network activity, perform in-depth network-based investigations and audits, save time and resources by resolving network security problems more quickly, and properly preserve evidence to assist management or law enforcement.
This hands-on lab is the follow-up to Introduction to Network Forensics. It is designed for the computer forensics expert, incident responder, fraud investigator, or auditor who has basic working knowledge of and experience with tools such as WinPcap, tcpdump, Wireshark and NetWitness Investigator (Freeware Edition). Attendees will: perform in-depth studies of specific hands-on cases of beacon Trojans and other designer malware attacks; learn to recognize obfuscated JavaScript and other malcode; understand how to recognize non-standard network traffic operating over standard TCP and UDP ports; and learn scripting techniques to build network- and application-layer rules to mine data forensically in real time. The lab uses sample data obtained from actual commercial and U.S. government cases, and students will be asked to perform forensic analysis and make judgments regarding the detailed concerns associated with the specific cases presented.
Session 5: Targeted Response and Analysis Challenge (TRAC) *
Limited seating: 50 students
*Please note that these classes are two-part classes and participants must sign up for each session on August 23 and August 24
Overview:
TRAC is a pre-conference hands-on training exercise focusing on technical, first-responder best practices in detecting, identifying, reporting, and potentially mitigating network and system intrusions and compromises. Students will use their own laptop computers to log in to the CERT® XNET training platform, where they will access scenario documentation and instructions, team collaboration and reporting tools, and the training network infrastructure and services. Students will work together in teams to assess network conditions and respond to active/attempted compromises and instructor-injected events and anomalies. This course will be 90 percent hands-on in nature; however, CERT® instructors will provide the instruction and facilitation needed to prepare students for the incident scenarios and conditions, the available tools and resources, and response best practices. TRAC will be made up of 3-4 focused training scenarios that will challenge students' ability to detect, respond to, and analyze events within their teams' isolated training networks. Teams will be assigned points for each challenge that they correctly report via the CERT XNET portal. At the end of each day, scores will be posted on the portal to notify teams of their standings. Winners will be announced when TRAC is concluded and prizes will be awarded. Sample scenario topics may include malware/rootkit investigation, network traffic analysis, and system forensics.
Requirements:
- Laptop Computer with local administrator/root privileges
- Wireless Ethernet Adaptor
- Modern Web browser (IE 6+, Firefox 3+)
- Java Runtime Environment installed
Instructor: Chris May
Chris May is the Technical Manager of CERT's Workforce Development program, part of the Software Engineering Institute at Carnegie Mellon University. In this role, he leads a diverse team of professionals on large-scale projects with numerous US Government agencies, notably the Department of Homeland Security and the Department of Defense. He is also on the adjunct faculty of Carnegie Mellon's Information Networking Institute, teaching courses in applied information assurance and computer forensics. Prior to joining the SEI, he served seven years in the U.S. Air Force as a communications and information officer. He served in various IT positions in Korea, Japan, and throughout Europe and the United States. May's last Air Force assignment was Chief of the Network Control Center at the United States Air Force Academy in Colorado Springs, Colorado. He led over 90 technicians, supporting 9,000 users, in the daily operations and maintenance of the 3rd largest base network in the U.S. Air Force. May received his bachelor's in education from Indiana University of Pennsylvania in Indiana, Pennsylvania, and a master's in computer resources management from Webster University in St. Louis, Missouri. He holds numerous industry certifications and is a distinguished graduate of the U.S. Air Force Basic/Advanced Communications Officer Training School in Biloxi, Mississippi.
Instructor: Rob Floodeen
Rob Floodeen is a Member of Technical Staff, Workforce Development at CERT|SEI|CMU. Before joining CERT, Mr. Floodeen led teams performing Intrusion Detection at the Pentagon, Army Research Lab, and for the Defense Research and Engineering Network (DREN). Additionally, he spent several years managing Computer Emergency Response Team operations for the Defense Threat Reduction Agency (DTRA) and also served as a Visiting Scientist at the Software Engineering Institute. Rob holds a degree in Computer Science (Honors) from Old Dominion University and is completing postgraduate degree studies in information security from James Madison University. Rob also has been trained by the U.S. Army in system and network administration, computer network defense, and the employment of "really big guns" on the tactical battlefield.
Instructor: Dennis Allen
Dennis Allen is a Member of the Technical Staff, Workforce Development, at CERT|SEI|CMU. Dennis has worked at CERT for 5 years and in that time has served as Lead Course Instructor, Course Owner for Advanced Information Security for Technical Staff, technical content developer, and active participant and organizer in several Cyber Defense and Information Assurance exercises. He has over 15 years of Information Technology experience supporting various desktop, server, network, and security technologies on several platforms for small private businesses as well as Fortune 500 corporations. Mr. Allen holds a Bachelor of Science degree in Computer Science and maintains several industry certifications including CISSP, Security+, NSA IAM, Cisco CCNA, and other Microsoft and Novell certifications. In addition to his professional accreditations and skills, Mr. Allen served 14 years in the US Army, including several years with the Army Reserve Information Operations Command.
Session 6: New CHIPS Welcome and Orientation
12pm - 5pm
Limited to members of CHIPS
Overview:
(Coming Soon)