Host Intrusion Specialist (CREST CHIA)

Our CREST-aligned Host Intrusion Specialist training provides the expert level knowledge and skills required for experienced cyber security professionals to conduct advanced host system investigations, within a security operations centre (SOC) or incident response function.

Training is aligned to support individuals seeking to undertake the CREST Certified Host Intrusion Analyst (CCHIA) exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients' premises; training is typically for group bookings only.

Certification

CREST Certified Host Intrusion Analyst (CCHIA)

By the end of this training, you will have expanded your technical understanding of the types of evidence and resources available for in-depth analysis to be able to lead on the hunt for typical data that can be gathered from a host system under investigation.

Audience

Senior practitioner-level cyber security professionals who wish to understand how to conduct in-depth host intrusion analysis. Example roles might include:

• Incident Response practitioners
• Digital Forensics practitioners
• SOC Analysts
• Cyber Crime Investigators
• Security Analysts
• Malware Reverse Engineers

Learning outcomes

• Critically evaluate processes for reporting cyber security incidents.
• Understand threat intelligence sources, capabilities, and limitations.
• Identify, capture, contain and report malware.
• Effectively use protocol analyzers.
• Conduct forensic analysis in multiple operating system environments.
• Use binary analysis tools.
• Identify common encoding techniques.
• Effectively perform root cause analysis for information security issues.

Prerequisites

Ideally, five or more years practical experience in a digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. As a minimum, at least 12 months' hands on experienced once CRIA has been achieved.

Knowledge of:

• Network components, their operation and appropriate network security controls and methods.
• Likely operational impacts on an organisation of cyber security breaches.
• Incident categories, incident responses and timelines for responses.
• Host-based and network-based intrusion detection methodologies and techniques.
• Operating systems.
• Network traffic protocols, methods, and management.
• File extensions.
• Types of digital forensics data and how to recognize them.
• Networking protocols.
• Software reverse engineering techniques.
• Impacts of signature implementation on viruses, malware, and attacks.
• Relevant laws, legal authorities, restrictions, and regulations that govern and are applicable to cyber security activities
• Malware analysis concepts and methodologies.
• Operating system command-line tools.
• Penetration testing and red teaming principles, tools, and techniques.
• Best practice auditing and logging procedures.
• Concepts and practices of processing digital forensic data to ensure admissibility of evidence.
• Obfuscation techniques.
• Computer programming concepts, including computer languages, programming, testing, debugging, and file types.
• Processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
• Types of persistent data and how to collect them.
• Electronic evidence law.
• Malware reverse engineering concepts.
• Anti-forensics tactics, techniques, and procedures.
• Forensics lab design configuration and support applications.
• Debugging procedures and tools.
• How and why adversaries abuse file type.
• Malware analysis tools.
• How malware evades virtual machine detection.
• Binary analysis.
• Common computer and network infections and their methods.
• Host-based security products and how those products reduce vulnerability to exploitation.

Skills in:

• Developing and deploying signatures.
• Using intrusion detection technologies to detect host and network-based intrusions.
• Performing packet-level analysis.
• Recognizing and interpreting malicious network activity in traffic.
• Analyzing memory dumps to extract information.
• Identifying and extracting data of forensic interest in diverse media.
• Using forensic tool suites.
• Deep analysis of captured malicious code.
• Determining if anomalous code is malicious or benign.
• Analyzing volatile data.
• Identifying obfuscation techniques.
• Analyzing malware.
• Conducting bit-level analysis.
• Reverse engineering to identify function and ownership of remote tools.

Syllabus

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Record Keeping

• Refresh of reporting requirements
• Review an incident response plan
• Create a simple incident response plan
• How to report an incident

Linux File Systems

• Understanding the Linux file system and Linux file system structures
• Forensic assessment of a compromised host

Web-Based Attacks

• Identify potentially malicious actions of web pages
• Malicious HTML elements
• Decoding application JavaScript

Windows File Systems

• Understanding Windows files
• Understanding Windows registries
• File permission attributes within Windows (including File Permissions)
• Registry ACLs
• NTFS ADS
• Which registry values are normal?

Document Metadata and Malicious Document Analysis

• Malicious document analysis
• Review of metadata
• Gathering metadata

Email Analysis

• How to access emails
• Analysis of emails (headers / content / encoding)
• Recover deleted emails
• Identify source of emails

Memory Analysis

• Browser history
• Clipboard history
• CMD history
• Temp files
• Identify suspicious activities

Malware Identification

• Identifying suspect files
• Obfuscation (including malware behaviours and anti-forensics)
• Encryption, Steganography, password protection
• Persistence
• Covert storage, covert communication
• Identify malware (live malware analysis)
• Identify methods used for persistence

Analysis of File Types

• Understanding different file types
• Steganography to disguise data
• Identify hidden data within a file
• Understanding rootkits
• Rootkit identification

Exam Preparation