3 Days Left to Save $400 on SANS Albuquerque 2014

Security West 2013

San Diego, CA | Tue May 7 - Thu May 16, 2013

FOR508: Advanced Computer Forensic Analysis and Incident Response

NEW FOR508!

-This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hactivism, and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics. Don't miss the NEW FOR508!

Overview

DAY 0: A 3-letter government agency contacts you to say that critical information was stolen by a targeted attack on your organization. Don't ask how they know, but they tell you that there are several breached systems within your enterprise. You are compromised by an Advanced Persistent Threat, aka an APT - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.

Over 90% of all breach victims learn of a compromise from third party notification, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Gather your team - it's time to go hunting.

FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:

  1. How did the breach occur?
  2. What systems were compromised?
  3. What did they take? What did they change?
  4. How do we remediate the incident?

The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain, and remediate sophisticated threats-including APT groups and financial crime syndicates. A hands-on lab-developed from a real-world targeted attack on an enterprise network-leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization the capabilities to manage and counter the attack.

During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.

Course Will Prepare You To:

  • Detect unknown live, dormant, and custom malware in memory across multiple windows systems in an enterprise environment
  • Find malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
  • Identify how the breach occurred by identifying the beach head and spear phishing attack mechanisms
  • Target anti-forensics techniques like hidden and time-stomped malware, along with utility-ware that the attackers uses to move in your network and maintain their presence
  • Use memory analysis and forensic tools in the SIFT Workstation to detect hidden processes, malware, attacker command-lines, rootkits, network connections, and more
  • Track user and attacker activity second by second on the system you are analyzing through in-depth timeline and super-timeline analysis
  • Recover data cleared using anti-forensic techniques via Volume Shadow Copy and Restore Point analysis
  • Learn how filesystems work and discover powerful forensic artifacts like NTFS $I30 indexes, journal parsing, and detailed Master File Table analysis
  • Identify lateral movement and pivoted within your enterprise and show how attackers transition from system to system without being detected
  • Understand how the attacker can acquire legitimate credentials, including domain administrator rights in a locked down environment
  • Track data movement as the attackers collect critical data and shift it to exfiltration systems
  • Recover and analyze rar archive files used by APT-like attackers to exfiltrate sensitive data from the enterprise network

Course Topics

  • Advanced Use of the SIFT Workstation in Incident Response and Digital Forensics
  • Responding to an APT group, Organized Crime Hackers, and Hackivists
  • Incident Response and Intrusion Forensics Methodology
  • Threat and Security Intelligence
  • Remote and Enterprise IR System Analysis
  • Windows Live Incident Response
  • Memory Analysis
  • Timeline Analysis
  • System Restore Points and Volume Shadow Copy Exploitation
  • File System Analysis
  • In-depth Windows NTFS File System Examination
  • Advanced File Recovery and Data Carving
  • Recovering Key Windows Files
  • Discovering Unknown Malware on a System
  • Adversary Threat Intelligence Development, Indicators of Compromise, and Usage
  • Step-by-Step Methodologies to Respond to and Investigate Intrusion Cases

Course Syllabus
Course Contents InstructorsSchedule
  FOR508.1: Enterprise Incident Response Chad Tilbury Thu May 9th, 2013
9:00 AM - 5:00 PM
Overview

Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. Incident response and forensic analysts responding must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate groups which propagate through thousands of systems. This is simply something that cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will in fact alert the adversary that you are aware and may allow them to quickly exfiltrate sensitive information. In this section, the six-step incident response methodology is examined as it applies to response in an enterprise during a targeted attack. We will show how important development of security intelligence is in affecting the adversaries "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.

CPE/CMU Credits: 6

Topics

SIFT Workstation Overview

  • Layout and Configuration
  • Programs Installed
  • Core Tools Used

Incident Response Methodology

  • Preparation - key tools, techniques, and procedures each IR team needs to properly respond to intrusions
  • Identification- proper scoping an incident and detecting all compromised systems in the enterprise
  • Containment - identify exactly how the breach occurred and what was taken
  • Eradication - determine key steps that must be taken to help stop the current incident
  • Recovery - helps identify threat intelligence to be used to see if the same adversary returns to the enterprise
  • Lessons Learned

Threat and Adversary Intelligence

  • Understanding the "Kill Chain"
  • Threat Intelligence Creation and Use During IR
  • IR Team Life Cycle Overview
  • Deep Dive IR/Forensics - All Activity Across A Specific System
  • Enterprise IR/Forensics - Specific Activity Across All Systems

Intrusion Digital Forensics Methodology

  • Volatile Evidence
  • Order of Volatility
  • Forensic Methodology/Incident Response Process Flow
  • Timelines - tracking the hackers step-by-step
  • Media and Artifact Analysis
  • Recover Data

Remote and Enterprise IR System Analysis

  • Logical and Physical System Mounting
  • Remote System Access In The Enterprise
  • Remote System Host-Based Analysis
  • Scalable Host-Based Analysis (1 analyst examining 1,000 systems)
  • Remote Memory Analysis

Windows Live Incident Response

  • Live Incident Response Kit and Tools
  • Volatile Data Collection
  • Comparison of Key Data Collected Via Live Collection, Static Drive, and Memory Analysis Techniques
  • Auto-Start Malware Persistence Checks
  • Trusted Windows Command Shells
  • Finding Evil: Automating Collection Across Enterprise
  • Remote Command Shell Usage - PsExec
  • Incident Response using WMIC
  • Live Response with Triage-IR and FGET
  • Remote Command Prompts

 
  FOR508.2: Memory Forensics Chad Tilbury Fri May 10th, 2013
9:00 AM - 5:00 PM
Overview

Critical to many IR teams detecting advanced threats in the organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. While traditionally solely the domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics armory.

CPE/CMU Credits: 6

Topics

Memory Acquisition

  • Acquisition of System Memory for both Windows 32/64 bit systems
  • Hibernation and Pagefile Memory Extraction and Conversions
  • Virtual Machine Memory Acquisition

Memory Forensics Analysis Process

  • Identify Rogue Processes
  • Analyze process DLLs and Handles
  • Review Network Artifacts
  • Look for Evidence of Code Injection
  • Check for Signs of a Rootkit
  • Acquire Suspicious Processes and Drivers

Memory Forensics Examinations

  • Live Memory Forensics
  • Memory Analysis Techniques with Redline
  • Advanced Memory Analysis with Volatility
  • Registry Examinations via Memory
  • Memory Timelining
  • Memory Event Log Parsing

 
  FOR508.3: Timeline Analysis Chad Tilbury Sat May 11th, 2013
9:00 AM - 5:00 PM
Overview

Timeline Analysis will change the way you approach digital forensics and incident response... forever.

Learn advanced analysis techniques uncovered via timeline analysis directly from the developers that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time based artifacts. Analysis that once took days now takes minutes. This section will step you through the two primary methods of creating and analyzing timelines created during advanced incidents and forensic cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in your cases.

CPE/CMU Credits: 6

Topics

Timeline Analysis Overview

  • Timeline Benefits
  • Prerequisite Knowledge
  • Finding The Pivot Point
  • Timeline Context Clues
  • Timeline Analysis Process

Filesystem Timeline Creation and Analysis

  • MACB Meaning by File System (NTFS vs. FAT)
  • Windows Time Rules (File Copy vs. File Move)
  • Filesystem Timeline Creation using Sleuthkit and fls
  • Bodyfile Analysis and Filtering using the mactime tool

Super Timeline Creation and Analysis

  • Super Timeline Artifact Rules
  • Program Execution, File Knowledge, File Opening, File Deletion
  • Timeline Creation with log2timeline
  • log2timeline input modules
  • log2timeline output modules
  • Filtering the Super Timeline using l2t_process
  • Targeted Super Timeline Creation
  • Automated Super Timeline Creation
  • Super Timeline Analysis

 
  FOR508.4: Deep Dive Forensics And Anti-Forensics Detection Chad Tilbury Sun May 12th, 2013
9:00 AM - 5:00 PM
Overview

A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial. You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to still recover key pieces of the data that no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization where an adversary is actively attempting to hide from you.

CPE/CMU Credits: 6

Topics

Windows XP Restore Point Analysis

  • XP Restore Point Analysis
  • Restore Point Historical Registry Analysis

VISTA , Windows 7, Server 2008 Shadow Volume Copy Analysis

  • Shadow Copy Data Analysis
  • Acquiring Shadow Copy Volume Image
  • Raw and Live Shadow Copy Examination using the SIFT Workstation
  • Creating and Analyzing Shadow Volume Timelines

Deep Dive Forensics Analysis

  • Filesystem Based Analysis

    • Allocated, Unallocated, and Slack Space
    • Metadata Layer Fundamentals
    • File Name Layer Fundamentals

  • Sleuthkit Toolset
  • Partition / Volume Analysis

    • Extract Key Data From File System Partition
    • Determine Cluster/Block Size

  • Data Layer Analysis
  • Stream-Based Data Carving

    • Detecting Email, Credit Card Numbers, Phone Numbers
    • Detecting AES Encryption Keys, Search Items
    • Detecting Network Information (TCP, IP, MAC, Domain Names)
    • Histogram Analysis

  • File-Based Data Carving

    • Extract Unallocated and Slack Space
    • Determine Location of Data
    • File Carving Using File Headers/Footers
    • Carving key files from a compromised system (malware, rar files, prefetch files, and shortcut files)

  • NTFS Filesystem Analysis
    • Master File Table (MFT)
    • NTFS System Files
    • NTFS Metadata Attributes ($Standard_Information, $Filename, $Data)
    • Rules of Windows Timestamps for $STDINFO and $Filename
    • NTFS Timestamps
    • Resident vs. Nonresident files
    • Alternate Data Streams
    • Directory Listings and the $I30 file
    • Transaction Logging and the $Logfile and $UsnJrnl
    • What happens when data is deleted from a NTFS file system?

  • FAT/exFAT Filesystem Overview

 
  FOR508.5: Intrusion Forensics Chad Tilbury Mon May 13th, 2013
9:00 AM - 5:00 PM
Overview

PART 1 - INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE

The adversaries are good, we must be better.

Over the years, we have observed that many incident responders have a challenging time finding malware without effective indicators of compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions.

This advanced session will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.

The section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.

PART II - COMPUTER INVESTIGATIVE LAW FOR ANALYSTS AND RESPONDERS

Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator. Therefore, this section has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the Digital Forensic and Incident Response team leaders in charge of an investigation. The content focuses on challenges that every lead investigator needs to understand before, during, and post investigation. Since many investigations can end up in a criminal or civil courtroom, it is essential to understand how to perform a computer-based investigation legally and ethically.

We will confront many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. Written by one of the foremost computer crime lawyers, the information presented provides an essential legal foundation for professionals managing or working in incident handling teams around the world.

CPE/CMU Credits: 6

Topics

PART 1 - INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE

Step-by-Step Finding Unknown Malware On A System

  • Data Reduction / File Sorting
  • Data Carving
  • Indicators of Compromise (IOC) Search
  • Automated Memory Analysis
  • Evidence of Persistence
  • Supertimeline Examination
  • Packing / Entropy / Density Check
  • System Logs
  • Memory Analysis
  • Automated Malware Lookups
  • MFT Anomalies
  • Timeline Anomalies

Anti-Forensics Detection Methodologies

  • Deleted File
  • Deleted Registry Keys
  • File Wiping
  • Clearing Browsing History
  • Privacy Cleaner
  • Adjusting Timestamps

Methodology to Analyze and Solve Challenging Cases

  • Malware/Intrusion
  • Spear Phishing Attacks
  • Web Application Attacks/SQL Injection
  • Advanced Persistent Threat Actors
  • Detecting Data Exfiltration

PART II - COMPUTER INVESTIGATIVE LAW FOR ANALYSTS AND RESPONDERS

Who Can Investigate and Investigative Process Laws

  • Internal and External Investigations
  • Authority to Investigate
  • Credentials and Training
  • Ramification Of An Incident That Involves Multiple Countries
  • Following Agency/Employer Policy and Procedures
  • Digital Forensic Ethical Standards

Evidence Acquisition/Analysis/Preservation Laws and Guidelines

  • Major Goals Associated With Acquiring Data
  • Legal Authority To Allow For Data Acquisition
  • Stored and Real Time Data
  • Evidence/Information You Can Share With Third Parties and Law Enforcement
  • Legal Authority Necessary To Collect Data

Laws Investigators Should Know

  • Criminal and Civil Law Procedures - Understanding The Laws and Procedures Related To Evidence, Search Authority and Scope.
  • Civil Privacy Laws
  • Wiretapping and Pen Register Trap and Trace Laws

Forensic Reports and Testimony

Legal Testimony

Address Scientific Process, Audience, and Legal Utility

How To Document Work So It Is Repeatable

Scientific Methods That Show Clear Conclusions Based In Factual Evidence

 
  FOR508.6: The Incident Response and Forensic Challenge Chad Tilbury Tue May 14th, 2013
9:00 AM - 5:00 PM
Overview

This incredibly rich and realistic enterprise intrusion exercise based on an real-world APT group brings together some of the most exciting techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary such as an APT. This challenge brings it all together using a simulated intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios, which were put together by a cadre of individuals with many years of experience fighting advanced threats such as an APT group.

CPE/CMU Credits: 6

Topics

The Intrusion Forensic Challenge will have each Incident Response team analyzing multiple systems in the Enterprise network.

Each Incident Response team will be asked to answer the following key questions during the challenge just like they would during a real-breach in their organizations:

IDENTIFICATION AND SCOPING:

  1. How and when did the APT group breach our network?
  2. List all compromised systems by IP address and specific evidence of compromise.
  3. When and how did the attackers first laterally move to each system?

CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:

  1. How and when did the attackers obtain domain administrator credentials?
  2. Once on other systems, what did the attackers look for on each system?
  3. Email was extracted from executives and system administrators in the enterprise. Are there specific types of email the attackers appeared interested in?
  4. There is a concern among management that compromised critical intellectual property has been exfiltrated from the network. Determine what was stolen: Recover any .rar files or archives exfiltrated, find the .rar encoding password, and extract the contents to verify extracted data.
  5. Collect and list all malware used in the attack.
  6. Develop and present security intelligence or an Indicator of Compromise (IOC) for the APT-group "beacon" malware for both host and network based enterprise scoping.
  7. What specific indicators exists for the use of this malware?

REMEDIATION AND RECOVERY

  1. Do we need to change the passwords for every user in domain or just the ones affected by the systems compromised?
  2. Based on the attacked techniques and tools discovered during incident, what are the recommended steps to remediate and recover from this incident?

    • What systems need to be rebuilt?
    • What IP addresses need to be blocked?
    • What countermeasures should we deploy to slow or stop these attackers if they come back?
    • What recommendations would you make in order to detect these intruders in our network again?

 
Additional Information
 
  Laptop Required

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

Download the latest version of the SIFT Workstation here: http://computer-forensics.sans.org/community/downloads. You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. For MACs, we recommend setting up Boot Camp and running Windows directly on your MAC. We have had challenges with VMware Fusion products with several exercises in class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel® x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64 bit system processor is mandatory)
  • RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 6 GB of RAM or higher to get the most out of the course)
  • Host Operating System: Any version of Windows or MAC OSX that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player) Please note, those with MACs generally do better with Boot Camp installed and running Windows from your MAC. While it works on OSX, some students have experienced problems with VMware Fusion during the course.
  • Networking: Wireless 802.11 B, G, or N
  • DVD/CD Combo Drive
  • USB 2.0 or higher Port(s)
  • 200 Gigabyte Host System Hard Drive minimum
  • ~1000 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence --64 GB--we will be adding to your system)
  • The student should have the capability to have Local Administrator Access within their host operating system

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

OPTIONAL ITEMS TO BRING TO CLASS

  • If you attended FOR408, please bring your copy of the FOR408 - Windows SIFT Workstation Virtual Machine as you can use it for the final challenge.
  • If you are using an Apple Laptop / MacBook with OSX as your operating system it is required you additionally bring a Windows Virtual System (Win7 or Win8 - Any Version) to class or install bootcamp
  • Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, you are free to use it.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Information Security Professionals who respond to data breach incidents and intrusions
  • Incident Response Team Members who respond to complex security incidents/intrusions from an APT group / advanced adversaries and need to know how to detect, investigate, recover, and remediate compromised systems across an enterprise.
  • Experienced Digital Forensic Analysts who want to solidify and expand their understanding of file system forensics, investigating technically advanced individuals, incident response tactics, and advanced intrusion investigations targeting APT groups.
  • Federal Agents and Law Enforcement, who want to master advanced intrusion investigations, incident response, and expand their investigative skill beyond traditional host-based digital forensics
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
  • SANS FOR408 and SEC504 Graduates looking to take their skills to the next level

 
  Prerequisites

FOR508 (Advanced Forensics and Incident Response) and FOR408 (Computer Forensic Investigations - Windows In-Depth) are designed to be companion courses with skills that build upon one another. While we suggest taking FOR408 prior to FOR508, students will benefit from taking the courses in any order. SANS has a free forensic skill assessment that might be useful to take if you are unsure which class is right for you. The assessment can be found here: http://computer-forensics.sans.org/training/assessment

 
  HANDS-ON APT Enterprise Intrusion Lab

One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.

Starting a year ago, course authors created a realistic scenario based on experiences surveyed from panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was setup to mimic a standard "protected" enterprise network using standard compliance checklists.

  • Full auditing turned on per recommended FISMA guidelines
  • Windows DC set up and configured. DC not tightened down the network more than what is expected in real enterprise networks
  • Systems installed and have real software on it that is used (Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome)
  • Fully patched (Patches are automatically installed)
  • Enterprise Incident Response agents
  • Enterprise A/V and On-Scan capability based on DoD's Host Based Security System - HBSS

    • McAfee Endpoint Protection -Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS)
  • Firewall only allowed inbound port 25 and outbound ports 25, 80, 443 only.

This exercise and challenge will be used to show real adversary traces across host systems, system memory, hibernation/pagefiles and more.

  • Phase 1 - Spearphishing attack and malware C2 beacon installation
  • Phase 2 - Lateral movement to other systems, malware utilities download, install additional beacons, and obtain domain admin credentials
  • Phase 3 - Search for intellectual property, profile network, dump email, dump enterprise hashes
  • Phase 4 - Collect data to exfiltrate and copy to staging system. Archive data using rar and a complex passphrase
  • Phase 5 - Exfiltrate rar files from staging server, perform cleanup on staging server.

In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images w/Restore Points (XP) and VSS for (Win7 and Win2008) systems

 
  Why Take This Course?

What you Will Learn

  • Applying incident response processes, threat intelligence, and digital forensics to investigate breached enterprise environments from Advanced Persistent Threat (APT) groups, organized crime syndicates, or hackivists.
  • Discover every system compromised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing attack mechanisms, lateral movement, and data exfiltration techniques.
  • Using the SIFT Workstations capabilities, perform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first allowing for immediate response and scalable analysis to take place across the enterprise.
  • Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.
  • Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redlines Malware Rating Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach
  • Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversarys movements in your network via timeline analysis using the log2timeline toolset
  • Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach
  • Perform filesystem surgery using the sleuthkit tool to discover how filesystems work and uncover powerful forensic artifacts such as NTFS $I30 directory file indexes, journal parsing, and detailed Master File Table analysis
  • Using volume shadow snapshot examinations, XP restore point analysis, and NTFS examination tools in the SIFT Workstation, recover artifacts hidden by anti-forensic techniques such as timestomping, file wiping, rootkit hiding, and privacy cleaning.
  • Discover an adversarys persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

 
  What You Will Receive

  • SIFT Workstation Virtual Machine used with many of the class hands-on exercise

    • This course uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response tool suite.

  • F-Response TACTICAL
    • TACTICAL enables incident responders to access remote systems and physical memory of a remote computer via the network
    • Gives any IR or forensic tool the capability to be used across the enterprise
    • Perfect for intrusion investigations and data breach incident response situations
  • Best-selling book "File System Forensic Analysis" by Brian Carrier
  • Course DVD loaded with case examples, tools, and documentation
 
  You Will Be Able To
  • Apply incident response processes, threat intelligence, and digital forensics to investigate breached enterprise environments from Advanced Persistent Threat (APT) groups, organized crime syndicates, or hackivists.
  • Discover every system comprised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing at- tack mechanisms, lateral movement, and data exfiltration techniques.
  • Using the SIFT Workstation's capabilities, preform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first, allowing for immediate response and scalable analysis to take place across the enterprise.
  • Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.
  • Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redlines Malware Rat- ing Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach
  • Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversarys movements in your network via timeline analysis using the log2timeline toolset
  • Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach
  • Preform filesystem surgery using the sleuth kit tool to discover how filesystems work and uncover powerful forensic artifacts such as NTFS $I30 directory file indexes, journal parsing, and detailed Master File Table analysis
  • Using volume shadow snapshot examinations, XP restore point analysis, and NTFS examination tools in the SIFT Workstation, recover artifacts hidden by anti-forensic techniques such as timestomping, file wiping, rootkit hiding, and privacy cleaning.
  • Discover an adversary's persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

 
  Press & Reviews

"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE

"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.

"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple

"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name

"I'VE TAKEN OTHER NETWORK INTRUSION CLASSES BUT NOTHING THIS IN-DEPTH. THE CLASS IS OUTSTANDING!" -- Craig Goldsmith, FBI

"CUTTING EDGE EXPERTISE TAUGHT BY WORLD CLASS EXPERTS." -Joseph Murray, Deloitte

"IM A DIFFERENT MAN AS A RESULT OF THIS COURSE." - Travis Farral, XTO Energy

"ABSOLUTELY ESSENTIAL KNOWLEDGE. TRADITIONAL KNOWLEDGE IS USEFUL, BUT THIS COURSE PROVIDES THE PRACTICAL SIDE OF A GROWING TREND." -Erik Musick, Arkansas State Police

"THIS IS A GREAT CLASS AND SHOULD BE MANDATORY FOR ANYONE IN THE FORENSIC FIELD. GREAT JOB, ROB!" -Mark Merchant, State of Alaska/State Security Office

"COME PREPARED TO LEARN A LOT." -Todd Black Lee, The Golden 1 Credit Union

"YOU CAN DELETE IT, HIDE IT, RENAME IT, BUT WE WILL FIND IT." -Edward Fuller, Department of Defense

"GREAT COURSE! THIS NOT ONLY HELPS ME IN FORENSICS BUT ALSO IN CREATING USE-CASES FOR OUR OTHER INTRUSION ANALYSIS TOOLS." -Joseph Murray, Deloitte

"ITS HARD TO REALLY SAY SOMETHING THAT WILL PROPERLY CONVEY THE AMOUNT OF MENTAL GROWTH IVE EXPERIENCED THIS WEEK." -Travis Farral, XTI Energy

"EXCELLENT COURSE, INVALUABLE HANDS-ON EXPERIENCE TAUGHT BY PEOPLE WHO NOT ONLY KNOW THE TOOLS AND TECHNIQUES, BUT KNOW THEIR QUIRKINESS THROUGH PRACTICAL, REAL-WORLD EXPERIENCE." -John Alexander, US Army

"THIS COURSE (FOR508) REALLY TAKES YOU FROM 0-60 IN UNDERSTANDING THE CORE CONCEPTS OF FORENSICS, ESPECIALLY THE FILE SYSTEM." -Matthew Harvey, U.S. Department of Justice

"IF YOU NEED TO TRACK DOWN WHAT HAPPENED IN YOUR ENVIRONMENTS, THIS IS A MUST HAVE COURSE!" -Fran Moniz, American National Insurance

"THE CAPSTONE EXERCISE IS AWESOME, PUTS TRACKING THE APT INTO PRACTICE." -Gavin Worden, SD-LECC

"BEST FORENSICS TRAINING I'VE HAD SO FAR. I THOUGHT THE SOME OTHERS COURSES WERE GREAT BUT 508 IS A LOT MORE CURRENT AND APPLICABLE TO THE REAL WORLD! EXCELLENT COURSE AND INSTRUCTOR OVERALL!" -Marc Bleicher, Bit9

FULL REVIEW AND WRITE UP OF FOR508 BY DAVID NIDES, KPMG-

PRESS ARTICLES ABOUT THE NEW FOR508 COURSE:

Should I take SANS 408 or 508? (part 1) - http://digitalforensicstips.com/category/training_reviews/

SANS 508 Compared to 408 Part Two (part 2) - http://digitalforensicstips.com/2013/04/sans-508-compared-to-408-part-two-plus-a-side-of-610/

 

Author Statement

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime organizations, utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.

The enemy is getting better, bolder, and their success rate is impressive.

We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: ADVANCED COMPUTER FORENSIC ANALYSIS AND INCIDENT RESPONSE is crucial training for you to become a lethal forensicator so that you can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best. - Rob Lee