FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

FOR508 | Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Steve Anson & Mike Pilkington
  • GIAC Certified Forensic Analyst (GCFA)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 35 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn the advanced incident response and threat hunting skills you need to identify, counter, and recover from a wide range of threats within enterprise networks.

Course Overview

Threat hunting, incident response, and digital forensics tactics and procedures continue to evolve rapidly. Your team cannot afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". This threat hunting training course teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within Microsoft Windows-based enterprise networks, including APT state-sponsored adversaries, organized crime syndicates, ransomware operators, and hacktivists.

What You’ll Learn

  • Master tools and techniques to detect, contain, and remediate adversaries
  • Detect live, dormant, and custom malware across enterprise Windows systems
  • Hunt threats and perform incident response at scale
  • Identify malware beaconing, lateral movement, and C2 activity via memory analysis and Windows host forensics
  • Analyze breaches to determine root cause, attack vectors, and persistence mechanisms
  • Counter anti-forensics techniques, recover cleared data, and track attacker activity
  • Use forensic tools to remediate threats and secure the enterprise

Business Takeaways

  • Understand attacker tradecraft to perform proactive compromise assessments
  • Upgrade detection capabilities
  • Develop threat intelligence to track targeted adversaries and prepare for future intrusion events
  • Build advanced forensics skills to counter anti-forensics

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.

Section 1: Advanced Incident Response & Threat Hunting

We start by examining the six-step incident response methodology as it applies to incident response for advanced threat groups. We discuss the importance of developing cyber threat intelligence to impact the adversaries' objectives and demonstrate forensic live response techniques that can be applied both to single systems and across the entire enterprise.

Topics covered

  • Real Incident Response Tactics
  • Threat Hunting in the Enterprise
  • Incident Response and Hunting Across the Enterprise
  • Malware Defense Evasion and Persistence Identification
  • Prevention and Mitigation of Credential Theft

Labs

  • APT Incident Response Scenario Introduction
  • Malware Persistence Detection and Analysis
  • Creating Local and Remote Triage Evidentiary Images
  • Scaling Remote Endpoint Incident Response

Section 2: Intrusion Analysis

In Section two, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise. Get ready to hunt!

Topics covered

  • Advanced Evidence of Execution Detection
  • Lateral Movement Adversary Tactics and Techniques
  • Log Analysis for Incident Responders and Hunters
  • Investigating WMI and PowerShell-Based Attacks

Labs

  • Hunting and Detecting Evidence of Execution at Scale
  • Discovering Credential Abuse
  • Tracking Lateral Movement
  • Hunting Malicious use of WMI and PowerShell
  • Microsoft Defender Log Analysis

Section 3: Memory Forensics in Incident Response & Threat Hunting

Section three will cover many of the most powerful memory analysis capabilities available and give analysts a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.

Topics covered

  • Endpoint Detection and Response
  • Memory Acquisition and Forensics Analysis
  • Memory Forensics Examinations
  • Memory Analysis Tools

Labs

  • Detect Custom Malware in Memory
  • Examine Windows Process Trees
  • Locate Advanced "Beacon" Malware
  • Identify Advanced Malware Hiding Techniques
  • Analyze Memory from Multiple Infected Systems

Section 4: Timeline Analysis

This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.

Topics covered

  • Malware Detection and Field Triage
  • Timeline Analysis Overview
  • Filesystem Timeline Creation and Analysis
  • Super Timeline Creation and Analysis

Labs

  • Malware Discovery
  • Tracking Adversary Activity with Super-Timeline Analysis
  • Observe Attacker Movements Through Systems
  • Identify Intrusion Root Causes

Section 5: Incident Response & Hunting Across the Enterprise | Advanced Adversary & Anti-Forensics Detection

In Section five, we focus on recovering files, file fragments, and file metadata for the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. While very germane to intrusion cases, these techniques are applicable in nearly every forensic investigation.

Topics covered

  • Volume Shadow Copy Analysis
  • Advanced NTFS Filesystem Tactics
  • Advanced Evidence Recovery

Labs

  • Volume Shadow Snapshot Analysis
  • Timelines
  • Anti-Forensics Analysis using NTFS
  • Timestomp Identification
  • Advanced Data Recovery

Section 6: The APT Threat Group Incident Response Challenge

This incredibly rich and realistic enterprise intrusion exercise brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised initially, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration.

Things You Need To Know

Relevant Job Roles

All-Source Collection Manager (DCWF 311)

DoD 8140: Intelligence (Cyberspace)

Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.

All-Source Collection Requirements Manager (DCWF 312)

DoD 8140: Intelligence (Cyberspace)

Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.

Forensics Analyst (DCWF 211)

DoD 8140: Cyber Enablers

Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.

Digital Forensics Analyst

Digital Forensics and Incident Response

This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.

Cyber Defense Forensics Analyst (DCWF 212)

DoD 8140: Cybersecurity

Analyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.

Cyber Defense Analyst (DCWF 511)

DoD 8140: Cybersecurity

Monitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.

Course Schedule & Pricing

  • Virtual (OnDemand), instructed by Steve Anson
    Date & Time: OnDemand (Anytime), Self-Paced, 4 months access
    Course price: $8,780 USD
  • Amsterdam, NL & Virtual (live), instructed by Steve Anson
    Course price: €8,230 EUR
  • Salt Lake City, UT, US & Virtual (live), instructed by Eric Zimmerman
    Course price: $8,780 USD
  • San Antonio, TX, US & Virtual (live), instructed by Marcus Guevara
    Course price: $8,780 USD
  • Melbourne, VIC, AU & Virtual (live), instructed by Joshua Lemon
    Course price: A$13,350 AUD
  • Singapore, SG & Virtual (live), instructed by Steve Anson
    Course price: $8,900 USD
  • Virtual (live), instructed by Jason Jordaan
    Course price: $8,900 USD
  • Virginia Beach, VA, US & Virtual (live), instructed by Eric Zimmerman
    Course price: $8,780 USD

Prices exclude applicable local taxes. Showing 8 of 43.

Benefits of Learning with SANS

  • Get feedback from the world's best cybersecurity experts and instructors
  • Choose how you want to learn - online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources