Mega-breach or minor incident? The difference is in the speed of detection, effectiveness of containment, and accuracy of scoping. In this technical, hands-on class, we’ll dig into different types of breach scenarios, including cloud account breaches (using Office365 as an example), information stealing malware, and ransomware. Learn strategies for detection and evidence preservation, and techniques for quickly scoping/containing a breach. Each module includes a hands-on lab where you analyze and scope the breach.

We will begin by stepping through an internal network compromise, using the DRAMA model for data breach response. Go hands-on and analyze the case on your own virtual workstation with Kibana/Elastic Stack. We will conduct a full review of the hacked environment, identifying types of evidence for preservation, containment strategies, and methods for scoping the compromise. Along the way, we’ll dig into crisis communications and organizational image repair strategies and discuss how these are intertwined with the technical investigation. The Equifax and Uber breaches are used as case studies to analyze response and notification tactics. We’ll also show common “gotchas” that can dramatically affect data breach investigations, such as uploading samples to public malware analysis services, which can reveal internal information about your infrastructure.

In the second module, we’ll analyze data breaches involving regulated data. Payment card data, HIPAA/HITECH information, and personally identifiable information (PII) are three classes of sensitive data whose exposure can trigger breach notification obligations. We will study each of these classes of information and discuss how technical analysts can help gather evidence and respond most effectively in each case. We will also discuss how cyber insurance can help offset risk and streamline your data breach response.

Throughout our second module, we will conduct an interactive tabletop exercise. We will explore the ways that technical investigators, management, insurers, third-party forensics firms, and other players work together to respond. We’ll assign roles and walk through the incident, with curveballs along the way.

Cloud account breaches have become an epidemic, motivated by attackers hungry for valuable data. In the next module, we’ll explore breaches that occur due to cloud misconfigurations, vulnerabilities, lack of control, and authentication weaknesses. We will study cloud-based evidence preservation, production strategies and limitations, and cloud threat hunting.

Supply-chain risks are closely related, and we will explore breaches involving third- and fourth-party suppliers, as well as underlying technology firms. Finally, we will delve into Business Email Compromise (BEC) cases, specifically stepping through an Office365 data breach. Together, we will go hands-on again and analyze evidence from a cloud data breach on the forensics workstation.

Ransomware is on the rise. In our final module, we will study a ransomware case that involves a data breach and identify early actions that could have avoided the breach or minimized notification obligations. During the early phases of a ransomware attack, operational recovery always competes with data breach response measures. Learn strategies for preserving evidence and balancing operational needs with breach response tactics during a ransomware case.

Every day, another data breach hits the news. Early detection and effective technical response are critical. This intensive, engaging class will give you plenty of “war stories” to share, and hands-on experience in data breach scoping and response.


$1800 Early Bird Price by October 22nd, 2020

$1950 Regular Price by November 5th, 2020

$2100 Late Registration by November 10th, 2020 (CLOSED TO NEW REGISTRATIONS after November 10th)


  • Recognize the signs of a potential data breach, including ransomware, business email compromise, malware and more
  • Respond to a potential data breach
  • Leverage practical investigation techniques to scope and understand the potential breach



  • Cybersecurity analysts and engineers
  • Security Operations Center analysts
  • Incident Response Team members who respond to complex security incidents and intrusions
  • Digital forensics professionals who want to solidify and expand their understanding of network forensics and incident response topics
  • Law enforcement officers, federal agents, or detectives who may be involved in data breach investigations, or who wish to expand their investigative skill set
  • Network engineers who would like to branch out into data breach response/forensics
  • Systems administrators and IT professionals
  • Anyone with a firm technical background who might be asked to investigate a data breach incident



Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology, as well as a willingness to quickly start learning and using new tools.



Students must bring a laptop with at least 8GB of RAM, and have a decent Internet connection.



Lab workbook

Access to the virtual lab environment for 2 weeks






November 17 & 18, 2020

  • 8am PT/11am ET – 3pm PT/6pm ET



Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by The New York Times. She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more. She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), a noted security text in the private sector and a college textbook for many cybersecurity courses. Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and holds her degree in Computer Science and Electrical Engineering from MIT. She has also been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien”.


Matt Durrin

Matt Durrin is the Incident Response Team Manager for LMG Security. He is an instructor at the international Black Hat USA conference, where he teaches “Data Breaches.” He regularly conducts cybersecurity webinars and seminars for hundreds of attendees in all sectors, including banking, retail, health care, government and more. A seasoned forensics professional, Matt specializes in incident response, ransomware cases, cryptojacking, and banking trojans. Matt holds a Bachelor’s degree in Computer Science from the University of Montana and previously worked as a “blue team” field technician/system administrator for over 10 years. He currently leads LMG’s R&D team, and his malware research has been featured on NBC Nightly News.