SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
FOR508Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Steve Anson & Mike Pilkington
Course created by:Steve Anson & Mike Pilkington
- GIAC Certified Forensic Analyst (GCFA)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 35 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn the advanced incident response and threat hunting skills you need to identify, counter, and recover from a wide range of threats within enterprise networks.
Featured Quote
So much content! I am finally able to get into the weeds and learn about things that have been a mystery for so long! FOR508 training really breaks down the complicated in a way that is easy to understand while still leaving so much more to be done. I love this class.
Course Overview
Threat hunting, incident response, and digital forensics tactics and procedures continue to evolve rapidly. Your team cannot afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as " threat hunting ". This threat hunting training course teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within Microsoft Windows-based enterprise networks, including APT state-sponsored adversaries, organized crime syndicates, ransomware operators, and hacktivists.
What You’ll Learn
- Master tools and techniques to detect, contain, and remediate adversaries
- Detect live, dormant, and custom malware across enterprise
- Windows systems
- Hunt threats and perform incident response at scale
- Identify malware beaconing, lateral movement, and C2 activity via memory analysis and Windows host forensics
- Analyze breaches to determine root cause, attack vectors, and persistence mechanisms
- Counter anti-forensics techniques, recover cleared data, and track attacker activity
- Use forensic tools to remediate threats and secure the enterprise
Business Takeaways
- Understand attacker tradecraft to perform proactive compromise assessments
- Upgrade detection capabilities
- Develop threat intelligence to track targeted adversaries and prepare for future intrusion events
- Build advanced forensics skills to counter anti-forensics
Meet Your Authors
- Slide 1 of 2
Steve Anson
Principal InstructorSteve has transformed global cybersecurity by leading complex digital crime investigations for the FBI and DoD, and by training national cyber units in over 60 countries. His work has set the global standard for incident response and threat hunting.
Read more about Steve Anson - Slide 2 of 2
Mike Pilkington
Senior InstructorAs a senior researcher at the SANS Research Operations Center and former incident response lead at Shell, Mike’s work has redefined enterprise-scale incident response and directly advanced the global community’s ability to combat cyber adversaries.
Read more about Mike Pilkington
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.
Section 1Advanced Incident Response & Threat Hunting
We start by examining the six-step incident response methodology as it applies to incident response for advanced threat groups. We discuss the importance of developing cyber threat intelligence to impact the adversaries' objectives and demonstrate forensic live response techniques that can be applied both to single systems and across the entire enterprise.
Topics covered
- Real Incident Response Tactics
- Threat Hunting in the Enterprise
- Incident Response and Hunting Across the Enterprise
- Malware Defense Evasion and Persistence Identification
- Prevention and Mitigation of Credential Theft
Labs
- APT Incident Response Scenario Introduction
- Malware Persistence Detection and Analysis
- Creating Local and Remote Triage Evidentiary Images
- Scaling Remote Endpoint Incident Response
Section 2Intrusion Analysis
In Section two, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise. Get ready to hunt!
Topics covered
- Advanced Evidence of Execution Detection
- Lateral Movement Adversary Tactics and Techniques
- Log Analysis for Incident Responders and Hunters
- Investigating WMI and PowerShell-Based Attacks
Labs
- Hunting and Detecting Evidence of Execution at Scale
- Discovering Credential Abuse
- Tracking Lateral Movement
- Hunting Malicious use of WMI and PowerShell
- Microsoft Defender Log Analysis
Section 3Memory Forensics in Incident Response & Threat Hunting
Section three will cover many of the most powerful memory analysis capabilities available and give analysts a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.
Topics covered
- Endpoint Detection and Response
- Memory Acquisition and Forensics Analysis
- Memory Forensics Examinations
- Memory Analysis Tools
Labs
- Detect Custom Malware in Memory
- Examine Windows Process Trees
- Locate Advanced "Beacon" Malware
- Identify Advanced Malware Hiding Techniques
- Analyze Memory from Multiple Infected Systems
Section 4Timeline Analysis
This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.
Topics covered
- Malware Detection and Field Triage
- Timeline Analysis Overview
- Filesystem Timeline Creation and Analysis
- Super Timeline Creation and Analysis
Labs
- Malware Discovery
- Tracking Adversary Activity with Super-Timeline Analysis
- Observe Attacker Movements Through Systems
- Identify Intrusion Root Causes
Section 5Incident Response & Hunting Across the Enterprise | Advanced Adversary & Anti-Forensics Detection
In section five, we focus on recovering files, file fragments, and file metadata for the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. While very germane to intrusion cases, these techniques are applicable in nearly every forensic investigation.
Topics covered
- Volume Shadow Copy Analysis
- Advanced NTFS Filesystem Tactics
- Advanced Evidence Recovery
Labs
- Volume Shadow Snapshot Analysis
- Timelines
- Anti-Forensics Analysis using NTFS
- Timestomp Identification
- Advanced Data Recovery
Section 6The APT Threat Group Incident Response Challenge
This incredibly rich and realistic enterprise intrusion exercise brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised initially, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration.
Things You Need To Know
Relevant Job Roles
All-Source Collection Manager (DCWF 311)
DoD 8140: Intelligence (Cyberspace)Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
Explore learning pathAll-Source Collection Requirements Manager (DCWF 312)
DoD 8140: Intelligence (Cyberspace)Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.
Explore learning pathForensics Analyst (DCWF 211)
DoD 8140: Cyber EnablersInvestigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
Explore learning pathDigital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathCyber Defense Forensics Analyst (DCWF 212)
DoD 8140: CybersecurityAnalyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.
Explore learning pathCyber Defense Analyst (DCWF 511)
DoD 8140: CybersecurityMonitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Steve AnsonDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Steve AnsonDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesRegistration Options - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Eric ZimmermanDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
San Antonio, TX, US & Virtual (live)
Instructed by Marcus GuevaraDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Melbourne, VIC, AU & Virtual (live)
Instructed by Joshua LemonDate & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Steve AnsonDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes - Location & instructor
Virtual (live)
Instructed by Jason JordaanDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Eric ZimmermanDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 43
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4FOR508 exceeded my expectations in every way. It provided me the skills, knowledge, and tools to effectively respond to and handle APTs and other enterprise-wide threats.
- Slide 2 of 4It's hard to really say something that will properly convey the amount of mental growth I have experienced in this training.
- Slide 3 of 4The content from the first day alone has quite a bit I can take back to work. There’s so much information as far as tools and techniques; if I hadn't taken this course (FOR508), I wouldn't have come across them.
- Slide 4 of 4I have been doing digital forensics for 13+ years. This course has still managed to build on my existing knowledge and made me challenge some pre-conceptions. It has given me tons of ideas to take home and develop to improve our enterprises security posture.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources