SEC504: Hacker Tools, Techniques, and Incident Handling

Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
Apply what you learn with hands-on exercises and labs
Learn the advanced incident response and threat hunting skills you need to identify, counter, and recover from a wide range of threats within enterprise networks.
So much content! I am finally able to get into the weeds and learn about things that have been a mystery for so long! FOR508 training really breaks down the complicated in a way that is easy to understand while still leaving so much more to be done. I love this class.
Threat hunting, incident response, and digital forensics tactics and procedures continue to evolve rapidly. Your team cannot afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". This threat hunting training course teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within Microsoft Windows-based enterprise networks, including APT state-sponsored adversaries, organized crime syndicates, ransomware operators, and hacktivists.
Steve has transformed global cybersecurity by leading complex digital crime investigations for the FBI and DoD, and by training national cyber units in over 60 countries. His work has set the global standard for incident response and threat hunting.
As a senior researcher at the SANS Research Operations Center and former incident response lead at Shell, Mike’s work has redefined enterprise-scale incident response and directly advanced the global community’s ability to combat cyber adversaries.
Explore the course syllabus below to view the full range of topics covered in FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.
We start by examining the six-step incident response methodology as it applies to incident response for advanced threat groups. We discuss the importance of developing cyber threat intelligence to impact the adversaries' objectives and demonstrate forensic live response techniques that can be applied both to single systems and across the entire enterprise.
In section two, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise. Get ready to hunt!
Section three covers many of the most powerful memory analysis capabilities available and gives analysts a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.
This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.
In section five, we focus on recovering files, file fragments, and file metadata for the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. While very germane to intrusion cases, these techniques are applicable in nearly every forensic investigation.
This incredibly rich and realistic enterprise intrusion exercise brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised initially, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration.
Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.
Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Analyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.
Monitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
FOR508 exceeded my expectations in every way. It provided me the skills, knowledge, and tools to effectively respond to and handle APTs and other enterprise-wide threats.
It's hard to really say something that will properly convey the amount of mental growth I have experienced in this training.
The content from the first day alone has quite a bit I can take back to work. There’s so much information as far as tools and techniques; if I hadn't taken this course (FOR508), I wouldn't have come across them.
I have been doing digital forensics for 13+ years. This course has still managed to build on my existing knowledge and made me challenge some preconceptions. It has given me tons of ideas to take home and develop to improve our enterprise's security posture.