Network Intrusion Specialist (CREST CNIA)

By the end of this training, you will have expanded your technical understanding of the types of evidence and resources available for in-depth analysis to be able to lead on the hunt for typical data that can be gathered from a network under investigation.

Senior practitioner-level cyber security professionals who wish to understand how to conduct in-depth network intrusion analysis. Example roles might include:

• Incident Response practitioners
• Digital Forensics practitioners
• SOC Analysts
• Cyber Crime Investigators
• Security Analysts
• Malware Reverse Engineers

• Critically evaluate processes for reporting cyber security incidents.
• Analyse different types of network communication.
• Understand threat intelligence sources, capabilities, and limitations.
• Identify, capture, contain and report malware.
• Develop and deploy signatures.
• Competently use intrusion detection technologies to detect host and network-based intrusions.
• Appropriately tune sensors.
• Effectively use protocol analyzers.
• Configure and implement network analysis tools to identify vulnerabilities.
• Perform packet-level analysis.
• Recognise and interpret malicious network activity in traffic.
• Effectively and efficiently interpret metadata.

Ideally, five or more years practical experience in a digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. As a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.

Knowledge of:

• Network components, their operation and appropriate network security controls and methods.
• Likely operational impacts on an organisation of cyber security breaches.
• Incident categories, incident responses and timelines for responses.
• Host-based and network-based intrusion detection methodologies and techniques.
• Network traffic protocols, methods, and management.
• Different types of network communication.
• Types of digital forensics data and how to recognize them.
• Relevant legislative and regulatory requirements.
• Networking protocols.
• Software reverse engineering techniques.
• Impacts of signature implementation on viruses, malware, and attacks.
• Relevant laws, legal authorities, restrictions, and regulations that govern and are applicable to cyber security activities
• Malware analysis concepts and methodologies.
• Operating system command-line tools.
• Penetration testing and red teaming principles, tools, and techniques.
• Best practice auditing and logging procedures.
• Concepts and practices of processing digital forensic data to ensure admissibility of evidence.
• Obfuscation techniques.
• Computer programming concepts, including computer languages, programming, testing, debugging, and file types.
• Processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
• Types of persistent data and how to collect them.
• Electronic evidence law.
• Malware reverse engineering concepts.
• Anti-forensics tactics, techniques, and procedures.
• Forensics lab design configuration and support applications.
• Debugging procedures and tools.
• How and why adversaries abuse file type.
• Malware analysis tools.
• How malware evades virtual machine detection.
• Binary analysis.
• Common computer and network infections and their methods.

Skills in:

• Developing and deploying signatures.
• Using intrusion detection technologies to detect host and network-based intrusions.
• Performing packet-level analysis.
• Recognizing and interpreting malicious network activity in traffic.
• Analyzing memory dumps to extract information.
• Identifying and extracting data of forensic interest in diverse media.
• Using forensic tool suites.
• Deep analysis of captured malicious code.
• Determining if anomalous code is malicious or benign.
• Analyzing volatile data.
• Identifying obfuscation techniques.
• Analyzing malware.
• Conducting bit-level analysis.
• Reverse engineering to identify function and ownership of remote tools.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Record Keeping

• Refresh of reporting requirements
• Incident Chronology
• How to report an incident

Threat Assessment

• Understanding threats and business context
• Methodologies of threat assessments
• Attribution and motivation of attacks
• Attack Victims

Emails and Browser Activity

• Understanding user activity as it traverses a network
• Users becoming victims by downloading malware

Identifying Suspect Files

• Hashes of common malware
• Malware signature analysis
• File permissions
• Strings
• Network Log Sources: Reviewing different log sources to understand a threat/attack
• Network Access Control – a review of FW and ACLs
• Log types which can show the process of an attack

Document Metadata

• Review of metadata
• Understanding how metadata supports an investigation

.pcap Analysis

• Analysis of .pcap data to identify normal and abnormal traffic
• Pull data from .pcap files
• Identifying potential actions of a malicious actor
• Data Carving to access files from pcaps

Beaconing

• Understanding Beaconing and its use
• Identifying a beaconing host

Encryption

• Review of encryption
• Review of encrypted traffic
• Identifying and decrypting encrypted traffic

Command and Control Communication

• Understanding Command and Control processes
• Understanding different types of Command and Control methods
• Identifying Command and Control communication
• Using public resources to determine Command and Control nodes

IDS Rules

• Common IDS systems
• How IDS systems can lead to false positives and false negatives
• Tuning IDS systems

Data Exfiltration

• Identify data leaving networks
• Identify sensitive data leaving the network

Lateral Movement

• Identify the lateral spread of an attack
• Identify the attack path used by a malicious actor

Exam Preparation