KK is one of the pioneers of information security in India. He began his firm as a one-man show in 2001, and it has
since grown to a team of over 250 consultants spread across multiple locations in India and the Middle East. He is a
trusted consultant and trainer to organizations across the globe on various aspects of information security. He
is well-versed in the security challenges of various industry verticals, and also in international standards and
frameworks such as ISO 27001, PCI DSS, COBIT, HIPAA, etc.
He is the author of two books (on Linux Security and on the Metasploit Framework) and of numerous articles on information
security. He was the first security researcher from India to present at Blackhat in 2004 (on ‘Detection and Evasion
of Web Application Attacks’) and since then has spoken at numerous conferences such as Interop, OWASP, NullCon, etc.
He currently oversees the research activities within NII, focused on the use of big data in security, building various
automation solutions, and the security impact of the Internet of Things.
Wasim is one of the most senior consultants at NII. He started as a fresher about 8 years ago and has since been
involved in various technical assessments across different industries and business verticals, within India and internationally.
He currently serves as the Head of the Innovations and Research (InR) team at NII, where he is responsible for introducing
new ideas, tools and vectors for the Security Assessment practice. He also works to introduce new service models that
NII can provide to its clients.
As part of his current research, he is leading a team to overcome limitations within existing security monitoring solutions
by exploiting advancements in Big Data, Analytics and Machine Learning, to improve threat intelligence and monitoring
and to enable early detection of advanced threat actors.
Wasim is also actively involved in the Info-Sec community in India. He leads the NULL chapter in Mumbai and has participated
in conferences such as OWASP, SecurityByte, and Malcon.
Module 1 - Introduction
- Brief introduction to the incident management process. It is expected that the audience has a generally good
understanding of the overall incident management process. Participants are also expected to have a broad
understanding of security controls such as firewalls, intrusion detection systems, security information
and event management (SIEM) systems, etc.
Module 2 - Attacks Against Web & SSH Servers
- This module covers alerts related to accepted inbound port scans or aggressive SSH connections. You are tasked
with carrying out the investigation from scratch. The target server is a website that runs either on Apache
or on IIS. You are required to understand the log formats, parse the logs using a tool of your choice, request
live forensics data from the server, and develop your hypothesis.
- Tools/Technologies covered: SSH server logs, web server logs, Unix utilities, etc.
Module 3 - Advanced Persistent Threats
- This module dives straight into an advanced threat detected within your organization. You are given the symptoms
of the attack, and are then required to investigate the incident using an actual network set up for this purpose.
You are provided with the logs you request based on the hypothesis you are building, along with access to
endpoints for live forensics.
- Tools/Technologies covered: Web proxy logs, Active Directory, Windows endpoint, anti-virus, Sysinternals Suite
Module 1 - Data Leakage
- You have been informed by a particular manager within the marketing department that there is a suspicion of
a user or a particular set of users leaking customer data to the competition. You are required to investigate.
- Technologies covered: DLP logs, proxy logs, endpoint, Active Directory, etc.
Module 2 - Ransomware Infection
- Your systems are being impacted by ransomware. Your anti-virus is unable to protect your endpoints, and
the infection may begin spreading rapidly. You need to investigate this ransomware quickly and understand
how it spreads.
- Tools/Technologies covered: Ransomware samples, malware analysis, reverse engineering, Cuckoo sandbox, etc.
Module 3 - Payment System Compromised
- You have received notification from your Fraud Control Unit that some counterparties have informed them of
a potential breach of the SWIFT payment system. You are required to undertake the investigation end to end,
determine the source of the leakage, and also carry out a root-cause analysis.
- Technologies covered: Unix system logs, Windows system logs, application logs
Module 4 - Wrap-Up & Lessons Learnt
- From the hands-on case studies covered, what changes would you make to your existing incident management processes
and toolkits? What modifications would you make to your runbooks?