Plan Your Development—Cb Response


Course Description

Cb Response Introductory Analyst is an entry-level course recommended for those who will use Cb Response on a daily basis for incident response but who will not be responsible for setting corporate security policy. A Cb Response Analyst may be someone who will use Cb Response to identify, contain, and remediate a security incident. These individuals may be responsible for tuning the detection and response capabilities of the Cb Response platform. Job titles may include Information Security Analyst, Security Operations Center Analyst, IT Security Specialist, or Endpoint Security Specialist.

Cb Response Introductory Analyst is a one-day course that covers everyday best practices for analysts using Carbon Black Response. Learners who have taken Cb Response Administrator should not take this course.

Duration: 8 hours

Prerequisites: None

Recommended Follow-Up Courses: Cb Response Advanced Administrator or Cb Response Advanced Analyst


Syllabus

Introduction
Overview of Visibility, Detection, and Response capabilities in the Carbon Black Enterprise Response solution.
Introducing Key Concepts
Terminology

Threat Intelligence
Alliance Feeds
Custom Threat Intelligence Feeds
Threat Report Search

Process Search
Searching/Syntax/Criteria
Facets/Charts/Results

Investigations
Default Investigation
Creating an Investigation
Correlating Tagged Items
Adding Descriptions/Custom Events

Advanced Query Skills
Advanced use of terms, phrases, and operators
Fields and Data Types
Example Process Searches and Binary Searches
Alliance Search Fields

Binary Search
Similarities and Differences from Process Search
Banning

Watchlists
Creating Watchlists from search pages or feeds
Default Watchlists

Alerts
Alerts Workflow
Security Ranking

Dashboard
Summary Fields
Top Statistics/Key Performance Indicators

Network Isolation
Overview of Network Isolation

Cb Live Response
Built-In Commands

Troubleshooting
Troubleshooting the Sensor

Customer Support
Contact Information
User eXchange

Course Description

Cb Response Advanced Analyst is an advanced, one-day course. Following the highly regarded PICERL methodology (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), this course traces each step in threat hunting and resolution through the Carbon Black Response interface. Hands-on labs reinforce lessons learned and build familiarity with building effective watchlists, queries and filters, process analysis, endpoint control, and investigations.

Duration: 8 hours

Prerequisites: Cb Response Administrator or Cb Response Introductory Analyst

Recommended Follow-Up Courses: None


Syllabus

Introduction
Introductions/Agenda
What is Carbon Black Enterprise Response?
What is PICERL?
Carbon Black Response + PICERL

Phase 1: Preparation – Pre-Incident Operational Readiness ("Getting Ready")
Define Roles and Responsibilities
Define Relevant Policies
Implementing Carbon Black Enterprise Response

Phase 2: Incident Detection and Identification—The Four Zones of Detection
Passive Detection: Triage Alert Workflow
Proactive Threat Identification: Hunting ("Tuning Alerts")
Make Determination Regarding Incident Identification

Phase 3: Incident Containment & Scoping
Incident Administration
Collect Artifacts and Analyze for Root Cause
Ad-Hoc Hunting
Brief Cb Response Refresher (OODA Loop)

Phase 4: Eradication and Removal of Malicious Artifacts
Banning
Remove Artifacts from Environment
Reset User Accounts
Take Down Endpoints Marked for Rebuild
Once the Initial Removal is Finished, Continue Monitoring IOCs

Phase 5: Recovery to Baseline
Rebuild Designated Endpoints
Remove Endpoints from Isolation
Recovery Validation
Once Recovery is Finished, Continue Monitoring IOCs

Phase 6: Lessons Learned
Incident Debrief ASAP
Tune and Prioritize Carbon Black Enterprise Response Detection
Implement/Tune Additional Detection and Prevention Controls
Reporting and Communications Closeout

Course Description

Cb Response Administrator is an entry-level course recommended for those who will need a technical understanding of Cb Response and who will be responsible for or involved in implementing the decisions that define their organization’s security posture. This is someone who may lead, or be a member of, the installation team. This person also might be involved in integrating Cb Response into the organization’s infrastructure. Advanced configuration, maintenance, and sustainment of Cb Response may also fall within this person’s responsibilities as a lead or supporting team member. Every implementation is required to have one Cb Response Administrator, though many organizations have multiple administrators. Job titles may include Information Security Administrator, IT System Administrator, Information Security Engineer, or Cybersecurity Engineer.

Cb Response Administrator is a one-day course during which we will present you with a comprehensive view of the application’s capabilities, including the Carbon Black Alliance. You will see aspects of how an actual incident response investigation is conducted using Carbon Black Response. Extensive content addresses the User Interface and Query Language, giving you the skills and understanding you need to conduct focused searches that lead to valuable findings. You will learn to enable and set up Feeds, Alerts, and Watchlists that keep an eye out for query results.

Duration: 8 hours

Prerequisites: None

Recommended Follow-Up Courses: Cb Response Advanced Administrator or Cb Response Advanced Analyst


Syllabus

Introduction
Overview of Capabilities
Key Concepts
Terminology

Planning
Hardware and Software Prerequisites
Architecture
Data Flows
Cluster Configuration

Installation
Overview of Major Steps
Review of Complete Installation Process
Installing Sensors

Configuration
Availability of the documents associated with Configuration

Threat Intelligence
Alliance Feeds
Threat Report Search

Process Search
Searching/Syntax/Criteria
Facets/Charts/Results

Process Analysis
The Process Tree
Metadata and Results

Binary Search
Similarities and Differences from Process Search
Banning

Watchlists
Creating Watchlists from Search Pages or Feeds
Default Watchlists
Watchlist Results

Alerts
Alerts Workflow
Security Ranking

Dashboard
Summary Fields
Top Statistics/Key Performance Indicators

Network Isolation
Using Network Isolation

Cb Live Response
Built-In Commands

Investigations
Default Investigation
Creating an Investigation
Correlating Tagged Items
Adding Descriptions/Custom Events

Administration
Server Dashboard
Sensors
Users
Sharing Settings
Settings

Advanced Query Skills
Advanced Use of Terms, Phrases, and Operators
Fields and Data Types
Example Process Searches and Binary Searches
Alliance Search Fields
Patterns of Compromise

Using the API
Availability of the documents associated with API Configuration

Troubleshooting
Troubleshooting Server Install
Troubleshooting the Sensor

Customer Support
Contact Information
User eXchange


Course Description

Cb Response Advanced Administrator is an advanced, one-day course. This course is intended for those who directly access and manage their Cb Response environment. If the Carbon Black Cloud Operations Team handles management activities, then some topics may not be relevant.

During the Cb Response Advanced Administrator course, we will examine the functionality and configuration of advanced components, highlighting how to adjust Cb Response to suit the unique needs of an environment. Real-world experiences of the vendor and other Cb Response users will also be incorporated. The overall purpose of this training is to enable the security engineer to take their organization’s Cb Response instance to the next level of customization, thus empowering SOC and IR teams to greater effectiveness.
Note: This class focuses exclusively on advanced technical topics related to back-end configuration and maintenance.

Duration: 8 hours

Prerequisites: Cb Response Administrator

Recommended Follow-Up Courses: None


Syllabus

Introduction
Introductions (Name, Title, Time Zone, Carbon Black Experience)
Agenda
Brief Carbon Black Refresher (OODA Loop and Highlight vs. Filtering Methodology)

Architecture
Introduction
Data Flow and Channels
Sizing Considerations (Scalability and Clustering)
Architecture Overview
Process Event Collection
Binary Module Collection
Communication Channels and Ports
Carbon Black Server Architecture (Data Inputs, NGINX, Application Layer, Persistence Layer, Enterprise Service Bus/RabbitMQ)
Carbon Black Alliance Connectivity Details

Datastores
Introduction/Components
SOLR
Overview
Architecture
Configuration
Storage Limitations and Aging
Accessing the Datastore Directly
Postgres
Database Summary
Accessing and Querying the Database
Help
Binary Module Store
Module Store Archive Contents
Sensor Evaluation of Files to Upload
The Server Filestore
Purging (cb.conf settings)

API Programming
Introduction to the API
API Calls by the WebUI
Finding Your API Token
GitHub Overview and Walkthrough
Cbapi (client_apis, sensor_apis, server_apis)
Cbfeeds Summary
Cloning the API Locally
API Scripts Walkthrough
server_apis
client_apis
sensor_apis

Last modified: Friday, October 5, 2018, 12:18 PM