DOWNLOAD THE COURSE UPDATE FLYER HERE
We’re excited to announce a major content update to the SANS FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™ course. This release reflects our continued mission to ensure FOR508 evolves alongside attacker tradecraft and the changing enterprise environment.
This update comes at a critical time. According to the newly released 2025 SANS Threat Hunting Survey, organizations are shifting away from outsourcing and prioritizing internal threat hunting expertise. Only 30% now fully outsource, down from 37% last year, while 45% update their methodologies as needed, up from 35%. Teams are focused on agility, structured processes, and building internal capacity to counter increasingly sophisticated adversaries.
The Spring 2025 update addresses these priorities directly, with major upgrades including a full rewrite of credential theft material, expanded lateral movement analysis, additional coverage of hybrid cloud environments like Microsoft Entra ID (formerly Azure AD), and updated content and labs for memory forensics.
These improvements align closely with top challenges from the survey, such as cloud visibility, log normalization, and the widespread use of “living off the land” (LOTL) techniques by adversaries—reported by 76% of respondents in nation-state incidents.
While AI-driven hunting and automation are on the rise, the survey shows their detection impact is still limited, reinforcing the need for the practical, hands-on training that FOR508 delivers.
This version includes a broad refresh across nearly half of the course. Starting with revised introductory material, we’ve updated incident response statistics to reflect current industry trends and added new insights into threat hunting methodology, cyber threat intelligence integration, and modern use of the MITRE ATT&CK® framework.
To help students sharpen their analytical mindset, we’ve added new explainer slides focused on practical detection challenges, including:
- Structuring a threat hunting investigation
- Common C2 frameworks and evasion techniques
- File hiding tricks using homoglyphs and misspellings
- Malicious use of legitimate third-party tools (e.g., remote access or file sharing)
- Dynamic-link library (DLL) hijacking and abuse
The credential theft refresh emphasizes key concepts like the difference between authentication and authorization, and adds modern attack techniques such as coercion, relays, and delegation abuse. New visualizations illustrate how Windows logs events across systems, helping students better interpret distributed authentication artifacts.
The lateral movement section now includes increased coverage of lesser known but impactful methods like Remote Registry and DCOM abuse, with reorganized content and log anomaly walkthroughs for clarity.
We’ve also added key updates for Microsoft Entra ID and hybrid cloud visibility, ensuring students can effectively investigate attacks across cloud-connected infrastructures.
In memory forensics, the course now features updated acquisition tools, hibernation processing techniques, and new content on detecting malicious Windows drivers ("LOLdrivers").
Other areas, like malware discovery, timeline analysis, and anti-forensics, also received thoughtful improvements.
FOR508 is a constantly evolving course, built to meet the real-world challenges defenders face today. The Spring 2025 update is a forward-looking enhancement designed to give incident responders and threat hunters the most relevant tools and techniques.
Whether you're tracking credential abuse, lateral movement, memory artifacts, or building behavior-based hunts, FOR508 is here to sharpen your skills and prepare you for the road ahead.
See how the Spring 2025 refresh of SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics prepares you to tackle modern threats with practical techniques and hands-on experience. Register for an upcoming course or sign up for a demo to learn more.
