Countermeasure 2012

Enterprise Incident Response by Mandiant

Trainers: Chris Nutt and Ryan Kazanciyan

Course Description:

Our Enterprise Incident Response course is an operational course using case studies and hands-on lab exercises, ensuring attendees gain experience in each topic area. In the class students will learn the following:

  • The Incident Response process
  • The composition of an effective Incident Response Team
  • To manage an effective incident response
  • How to prepare an organization to conduct agile incident response
  • To collect and analyze volatile information from a Windows system
  • The fundamentals of NTFS file system analysis
  • To collect and analyze non-volatile information from a Windows system
  • Memory acquisition and analysis
  • Tips and tricks used by an investigator
  • Characteristics of the Advanced Persistent Threat

The course is divided into the following sections:

The Incident Response Process

We outline the process of Incident Response from pre-incident preparation through incident resolution. We emphasize the importance of preparation and provide real-world examples of what organizations do right and what they do wrong when they prepare to respond to an incident. We also discuss how to scope an incident and when organizations should begin the process of removing the attacker and recovering from the incident.

Non-Volatile Data Collection and Analysis

Students will learn what information is considered non-volatile and how to use common utilities to collect and analyze that information. In this section students will learn to create a bit-for-bit copy of a hard drive and how to access protected files on a Windows system. Proper evidence handling and documentation are also discussed.

Volatile Data Collection and Analysis

Students learn what information is considered volatile and how to collect volatile information from a Windows system under investigation. We also discuss the concerns that arise when information is collected from a potentially compromised, running system. Students then gain hands-on experience reviewing volatile information for evidence of malicious activity.

Indicators of Compromise

Students will learn the methods used by MANDIANT to develop, track and utilize network-based and host-based indicators of compromise. This section explores the various technologies available to incident responders and the need for a common language to describe malicious artifacts found on computer systems and computer networks.

Counter Forensic Techniques

This section covers the methods employed by attackers to evade detection. We begin by covering the trivial techniques used by attackers and quickly move into advanced techniques, including rootkit technologies. We will discuss the concept of "kernel" land and "user" land and how operating systems function. The study of the Windows operating system is used to teach the students how attackers use the various parts of the operating system to hide from investigators. The class will also learn the techniques used by investigators to identify malicious code.

Memory Acquisition and Analysis

Once students are familiar with advanced counter-forensic techniques (including rootkits), we discuss methods for addressing these attack techniques. We discuss the process of acquiring an image of system memory and provide tools and instruction on analyzing system memory to identify what is hidden. Memory analysis and its benefits are discussed in detail.

Windows Log Analysis

Students explore Windows event logs and methods to identify malicious activity within the logs. Students are also provided a brief introduction to web application vulnerabilities and how to identify evidence of attacks against web applications in web server logs.

Incident Response Course Work

Students are guided through the process of investigating a compromised Windows environment. Students manage the incident response process and collect and analyze volatile and non-volatile data. Students gain hands-on experience with all of the concepts and processes taught in class. Evil will be found and crime will be solved.

Class Details:

Both MANDIANT Enterprise Incident Response and MANDIANT Malware Analysis Crash Course combine instructor demonstrations and lecture with student labs and exercises. The approximate split between lab and lecture is 50/50 for both classes.

MANDIANT Enterprise Incident Response:

Students must bring their own laptop to class with a version of Microsoft Windows installed. They must have Administrator access. Students should be prepared to install software, analyze drive images, and handle malicious code. Laptops should have a minimum of 10 GB of free space, have wireless capabilities, and have Microsoft Office or OpenOffice installed.

Who Should Attend:

Managers and technical staff involved in Information Technology, Information Security and Incident Response.

Prerequisites:
Students must be familiar with the Microsoft Windows family of operating systems. Students should be familiar with the Windows command line interface and basic system configuration commands. Students should also be familiar with basic computer security terminology.

Students Will Learn:

  • The Incident Response process
  • The composition of an effective Incident Response Team
  • To manage an effective incident response
  • How to prepare an organization to conduct agile incident response
  • To collect and analyze volatile information from a Windows system
  • The fundamentals of NTFS file system analysis
  • To collect and analyze non-volatile information from a Windows system
  • Memory acquisition and analysis
  • Tips and tricks used by investigators

Exercise Overview:

  • Collection of volatile information
  • Analysis of volatile information
  • Collection of system memory
  • Analysis of system memory
  • Developing Indicators of Compromise
  • Imaging with FTK Imager
  • Analysis of common Windows log files


Chris Nutt

Chris Nutt is a Manager within the Professional Services Division of MANDIANT. Mr. Nutt has seven years of experience in enterprise incident response, working with the federal government, the defense industrial base, and Fortune 100 companies. He has extensive experience in incident response, computer forensics, remediation strategies, and project management.

Mr. Nutt has extensive experience leading and conducting incident response and forensic analysis engagements for government entities and the Fortune 100. He has led high visibility investigations into the theft of intellectual property as well as the theft of payment card industry information. He regularly assists organizations in developing remediation strategies designed to remove sophisticated attackers from client networks.

Mr. Nutt teaches computer incident response to the Fortune 100, the FBI, and other government agencies. He is responsible for the delivery and technical content of incident response training courses, during which Mr. Nutt teaches students how to collect and analyze information and how to manage investigations.

Prior to joining MANDIANT, Mr. Nutt was a member of the Marine Computer Emergency Response Team (MARCERT). During his time there, Mr. Nutt advanced the Marine Corps incident response capability by developing processes and tools utilized during intrusion investigations across the worldwide deployment of Marine networks and communities of interest. In this capacity, Mr. Nutt was the incident response duty expert and was responsible for coordinating efforts with Joint Task Force Global Network Operations (JTF-GNO), service-level CERTs, and the Naval Criminal Investigative Service (NCIS). He has experience supervising and leading forensic analysts and incident responders, as well as software development teams.

Certifications:
  • Certified Information Systems Security Professional (CISSP), August 2007
  • Qualified Security Assessor (QSA), February 2011

Presentations and Publications:
  • "Incident Response Black Hat Edition" – Black Hat USA, July 2011.
  • "The Secure Times Volume 5, No. 1" - American Bar Association Section of Antitrust Law's Privacy and Information Security Committee, Spring 2010.
  • "Incident Response Black Hat Edition" – Black Hat USA, July 2009.
  • "The State of the Hack" - The Computer Forensics Show, April 2009.
  • "The State of the Hack" – Lockdown 2008 University of Wisconsin-Madison, July 2008.

Ryan Kazanciyan

Ryan Kazanciyan is a Principal Consultant at MANDIANT with over eight years of experience in incident response, forensic analysis, penetration testing and web application security. He has worked with clients both in the Federal Government and private industry, including Fortune 500 organizations in the defense, technology, financial services and healthcare sectors.

Mr. Kazanciyan has conducted intrusion investigations for multi-national organizations compromised by targeted attacks, including those performed by the Advanced Persistent Threat. His experience includes analysis of host- and network-based indicators of compromise, disk and memory forensics, live response analysis, and malware identification and triage. He has also helped guide victim organizations through remediation to resolve existing compromises and improve resiliency against future attacks.

In addition to his experience in incident response, Mr. Kazanciyan has an extensive background managing and executing large penetration testing engagements that encompass traditional network and platform testing in Windows and Unix environments, social engineering, and wireless assessments. Mr. Kazanciyan is also proficient in application security and has conducted black-box, grey-box and source-code assessments for web applications.

Mr. Kazanciyan has leveraged his consulting experience to lead training sessions for audiences in law enforcement, the federal government, and corporate security groups. He has taught courses on incident response, forensic analysis techniques, penetration testing, and web application security. He has also presented at industry and security conferences including Black Hat Federal, DoD CyberCrime, ShmooCon, Infragard, and ISACA.

Prior to joining MANDIANT, Mr. Kazanciyan was a Senior Associate with PricewaterhouseCoopers' Advisory Consulting practice, focusing on Threat and Vulnerability Management. Mr. Kazanciyan executed and managed both traditional security assessment engagements as well as strategic security consulting projects focused on architecture, governance, regulatory compliance, and policy. He was also responsible for leading the firm's national Attack and Penetration Testing team, through which he developed and taught technical security training programs and assessment methodologies.

Certifications:
  • Certified Information Systems Security Professional (CISSP), 2006

Minimum Class Size:

Course minimum has been reached. This class is confirmed to run.

Company Background:

MANDIANT is a 180-person, Virginia-headquartered, privately held, Veteran-Owned Small Business created in 2004 that is dedicated to providing incident response, computer forensics, penetration testing, vulnerability assessments, web application assessments, and intelligent information security solutions.