EH-Net

I'm entertaining the idea of taking a Mandiant course at Black Hat USA this year (specifically, Incident Response Black Hat Edition):

https://www.blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_md-ir.html

Have any of you taken this class or other Mandiant class?  I'm curious what the difference is between SANS 504 and this one above.  I'm assuming there's some overlap, but based on:

http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html

I'd assume the Mandiant class is focused on IR much more deeply.

I'm unsure about the Mandiant specific course but common logic dictates that Vendor initiated courses will teach you vendor specific software. Bejtlich runs (or ran) his "TCP Weapons" class at Blackhat and he (in my opinion) is so so. He tends to blurt China on everything under the sun and this is likely because is fixated on an enemy from his years in the USAF. In fact, I believe 90% of what Richard talks about is China in correlation to "threats" but that's neither here nor there.

He wrote the book on Extrusion Detection which was an excellent book however, what he and Mandiant do in their course are up for grabs. My guess is they're nothing more than tailored Mandiant sales pitches with enough technical verbiage to keep students thinking its Incident Response. Had I to choose, I would opt for SANS' or CERT's training on this subject

I've taken SANS 504 as well as Richard's TCP/IP Weapons School 3.0.  I didn't get a whole lot of Mandiant name-dropping in his class or lots of references to China.  Either that or I wasn't paying attention.

But since the Mandiant IR class is indeed Mandiant-branded, I have to wonder as well about how much push there will be for their services or the MIR appliance.

He just started at Mandiant last year when did you attend Weapons ;)


I have yet to attend a vendor specific class where their products weren't the "gist" of the training. Again, this is not to say the class won't be or isn't good, I just opt to choose for vendor neutral courses. Its one of the reasons I have stayed away from the EnCe, CCxx (Cisco), JNCxx (Juniper) classes.

I would think that CERT would have a broader reach because of their visibility and collaboration with gov, businesses and academia. They are also considered to be the fathers of IR. Joe McCray has some interesting classes but then we're getting into name recognition based on your signature: Do you drop "Mandiant Training" versus "Joe McCray" training. Personally, I'd opt for something outside the norm (CERT) however, some of the SANS guys if I'm not mistaken train via Mandiant as well.