Loading Events


Black Hat returns to Marina Bay Sands in Singapore, March 31 – April 3, 2020. The information security community comes together for esteemed Trainings taught by industry experts, innovative research presentations at Briefings, the latest open-source tool demos in Arsenal, and the Business Hall featuring top-tier solutions and service providers.

Join LMG Security on March 31st and April 1st for the epic training – DATA BREACH INVESTIGATION AND RESPONSE



Mega-breach or minor incident? The difference is in the speed of detection, effectiveness of containment, and accuracy of scoping.
In this technical, hands-on class, we’ll dig into different types of breach scenarios, including cloud account breaches (using Office365 as an example), internal compromise, and ransomware. Learn strategies for detection and evidence preservation, and techniques for quickly scoping/containing a breach. Each module includes a hands-on lab where you analyze and scope the breach. We will begin by exploring the concept of “dark breaches” and dissect data breach detection and reporting statistics. Next, we will discuss how data is hazardous material, and step through the 5 Data Breach Risk Factors, leveraging real-world cases and actual examples of stolen data for sale on the dark web. We’ll dissect the first modern “mega-breach,” using the DRAMA model for data breach response.


From there, we will go hands-on and analyze a modern network compromise with pivoting/lateral movement, using Kibana/ElasticStack on our virtual workstation. We will conduct a full review of the internal environment, identify types of evidence for preservation, containment strategies, and methods for tracking the compromise through your internal environment. Along the way, we’ll show common “gotchas” that can dramatically affect data breach investigations, such as the use of public malware analysis services that can reveal internal information about your infrastructure.


In the second module, we will dig into crisis communications and organizational image repair strategies and discuss how these are intertwined with the technical investigation. The Equifax and Uber breaches are used as case studies to analyze response and notification tactics. We will explore how the dark web drives fraud and data theft, and touch upon key technologies such as onion routing and cryptocurrency that drive the dark web.


Payment card data, HIPAA/HITECH information, and personally identifiable information (PII) are three core types of data that can trigger a breach. We will study each of these classes of information and discuss how technical analysts can help gather evidence and respond most effectively in each case. Cyber insurance can help to offset risks and streamline data breach response.


The capstone of our second module is an interactive tabletop exercise. We will explore the ways that technical investigators, management, insurers, third-party forensics firms, and other players work together to respond. We’ll assign roles and walk through a multicomponent incident, with curve balls along the way.


Cloud account breaches have become an epidemic, motivated by attackers hungry for valuable data. In the next module, we’ll explore breaches that occur due to cloud misconfigurations, vulnerabilities, lack of control, and authentication weaknesses. We will study cloud-based evidence preservation and production strategies and limitations.Supply-chain risks are closely related, and we will explore breaches involving third- and fourth-party suppliers, as well as underlying technology firms. Finally, we will delve into the Business Email Compromise (BEC) cases, specifically stepping through an Office365 data breach. Together, we will go hands-on again and analyze evidence involving a cloud data breach using our forensics workstation.


Ransomware is on the rise. In our final module, we will study a ransomware case which involves a data breach and identify early actions that could have avoided a breach or minimized the notification. We will compare and contrast the two types of ransomware cases (confidentiality vs. availability). Early on in ransomware cases, operational issues often trump evidence preservation, which can lead to far bigger data breach problems down the road. Learn strategies for preserving evidence early on in ransomware cases, in order to minimize the potential impact down the road.


Every day, another data breach hits the news. Early detection and effective technical response are critical. This intensive, engaging class will give you plenty of “war stories” to share, and hands-on experience in data breach scoping and response.



  • Recognize the signs of a potential data breach.
  • Respond to a potential data breach.
  • Leverage practical investigation techniques to scope and understand the potential breach.


  • Cybersecurity analysts and engineers
  • Security Operations Center analysts
  • Incident Response Team Members who respond to complex security incidents intrusions.
  • Digital forensics professionals who want to solidify and expand their understanding of network forensic and incident response related topics.
  • Law enforcement officers, federal agents, or detectives who may be involved in data breach investigations, or who wish to expand their investigative skill set.
  • Network engineers who would like to branch out into data breach response/forensics
  • Systems administrators and IT professionals
  • Anyone with a firm technical background who might be asked to investigate a data breach incident.


  • Students must bring a laptop with at least 4GB of RAM, a USB-A port, and the latest version of VMWare Workstation or Player preinstalled and licensed (evaluation licenses are available from VMWare’s web site).


  • Lab workbook
  • USBs containing a custom Virtual Machine ISO and lab data


Matt Durrin is a Cybersecurity consultant and trainer for LMG Security. Matt is an instructor at the international Black Hat USA conference, where he teaches “Data Breaches.” He regularly conducts cybersecurity webinars and seminars for hundreds of attendees in all sectors, including banking, retail, health care, government and more. A seasoned forensics professional, Matt specializes in incident response, ransomware cases, cryptojacking, and banking trojans. Matt holds a Bachelor’s Degree in Computer Science from the University of Montana and previously worked as a “blue team” field technician/system administrator for over 10 years. He currently leads LMG’s R&D team, and his malware research was recently featured on NBC Nightly News.


Ross Miewald is a Senior Security Consultant for LMG Security. Ross graduated from the University of Montana with a bachelor’s degree in Management Information Systems, and a minor in Chinese. Ross works closely with our security testing team performing Internal and External Penetration Tests, Vulnerability Assessments, Web Application Testing, Wireless Assessments, and Social Engineering. Ross is currently a certified Nexpose Certified Administrator (NCA), GIAC Web Application Penetration Tester (GWAPT), GIAC Penetration Tester (GPEN), and is expected to complete the GIAC Certified Forensic Analyst (GCFA) exam in 2019.