Host Intrusion Specialist (CREST CHIA)

By the end of this training, you will have expanded your technical understanding of the types of evidence and resources available for in-depth analysis to be able to lead on the hunt for typical data that can be gathered from a host system under investigation.

Senior practitioner-level cyber security professionals who wish to understand how to conduct in-depth host intrusion analysis. Example roles might include:

• Incident Response practitioners
• Digital Forensics practitioners
• SOC Analysts
• Cyber Crime Investigators
• Security Analysts
• Malware Reverse Engineers

• Critically evaluate processes for reporting cyber security incidents.
• Understand threat intelligence sources, capabilities, and limitations.
• Identify, capture, contain and report malware.
• Effectively use protocol analyzers.
• Conduct forensic analysis in multiple operating system environments.
• Use binary analysis tools.
• Identify common encoding techniques.
• Effectively perform root cause analysis for information security issues.

Ideally, five or more years practical experience in a digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. As a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.

Knowledge of:

• Network components, their operation and appropriate network security controls and methods.
• Likely operational impacts on an organisation of cyber security breaches.
• Incident categories, incident responses and timelines for responses.
• Host-based and network-based intrusion detection methodologies and techniques.
• Operating systems.
• Network traffic protocols, methods, and management.
• File extensions.
• Types of digital forensics data and how to recognize them.
• Networking protocols.
• Software reverse engineering techniques.
• Impacts of signature implementation on viruses, malware, and attacks.
• Relevant laws, legal authorities, restrictions, and regulations that govern and are applicable to cyber security activities
• Malware analysis concepts and methodologies.
• Operating system command-line tools.
• Penetration testing and red teaming principles, tools, and techniques.
• Best practice auditing and logging procedures.
• Concepts and practices of processing digital forensic data to ensure admissibility of evidence.
• Obfuscation techniques.
• Computer programming concepts, including computer languages, programming, testing, debugging, and file types.
• Processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
• Types of persistent data and how to collect them.
• Electronic evidence law.
• Malware reverse engineering concepts.
• Anti-forensics tactics, techniques, and procedures.
• Forensics lab design configuration and support applications.
• Debugging procedures and tools.
• How and why adversaries abuse file type.
• Malware analysis tools.
• How malware evades virtual machine detection.
• Binary analysis.
• Common computer and network infections and their methods.
• Host-based security products and how those products reduce vulnerability to exploitation.

Skills in:

• Developing and deploying signatures.
• Using intrusion detection technologies to detect host and network-based intrusions.
• Performing packet-level analysis.
• Recognizing and interpreting malicious network activity in traffic.
• Analyzing memory dumps to extract information.
• Identifying and extracting data of forensic interest in diverse media.
• Using forensic tool suites.
• Deep analysis of captured malicious code.
• Determining if anomalous code is malicious or benign.
• Analyzing volatile data.
• Identifying obfuscation techniques.
• Analyzing malware.
• Conducting bit-level analysis.
• Reverse engineering to identify function and ownership of remote tools.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Record Keeping

• Refresh of reporting requirements
• Review an incident response plan
• Create a simple incident response plan
• How to report an incident

Linux File Systems

• Understanding the Linux file system and Linux file system structures
• Forensic assessment of a compromised host

Web-Based Attacks

• Identify potentially malicious actions of web pages
• Malicious HTML elements
• Decoding application JavaScript

Windows File Systems

• Understanding Windows files
• Understanding Windows registries
• File permission attributes within Windows (including File Permissions)
• Registry ACLs
• NTFS ADS
• Which registry values are normal?

Document Metadata and Malicious Document Analysis

• Malicious document analysis
• Review of metadata
• Gathering metadata

Email Analysis

• How to access emails
• Analysis of emails (headers / content / encoding)
• Recover deleted emails
• Identify source of emails

Memory Analysis

• Browser history
• Clipboard history
• CMD history
• Temp files
• Identify suspicious activities

Malware Identification

• Identifying suspect files
• Obfuscation (including malware behaviours and anti-forensics)
• Encryption, Steganography, password protection
• Persistence
• Covert storage, covert communication
• Identify malware (live malware analysis)
• Identify methods used for persistence

Analysis of File Types

• Understanding different file types
• Steganography to disguise data
• Identify hidden data within a file
• Understanding rootkits
• Rootkit identification

Exam Preparation