Enterprises today have thousands, sometimes hundreds of thousands, of systems ranging from desktops to servers, on-site and in the cloud. Geographic spread and network size have never stopped attackers from breaching their victims, but they do present unique challenges for organizations trying to detect and respond to security incidents. Our experience has shown that when sizeable organizations suffer a breach, the attackers seldom compromise only one or two systems. Without the proper tools and methodologies, security teams will always find themselves playing catch-up, and the attacker will continue to succeed.
Gone are the days when an analyst could image every machine and analyze it individually. The FOR608: Enterprise-Class Incident Response & Threat Hunting course will teach analysts to identify and respond to intrusions, whether they affect 10 or 10,000 machines, using a wide variety of techniques and tools.
SANS Instructors and FOR608: Enterprise-Class Incident Response & Threat Hunting course authors Mike Pilkington, Taz Wake and Mathias Fuchs are developing this new 3-day course, which focuses on identifying and responding to incidents too large to be worked one machine at a time. The concepts are familiar: gathering, analyzing, and making decisions based on information from hundreds of machines. Doing so requires the ability to automate collection and to quickly focus on the right information for analysis. Using example tools built to operate at enterprise scale, students will learn techniques to collect focused data for incident response and threat hunting. Students will then dig into analysis methodologies, learning multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems, using timeline, graphing, structured, and unstructured analysis techniques.
"The course is built around a realistic scenario, working the students through the phases of IR at scale using tools which help drive a deep understanding. We cover a range of technologies and a lot of data, exactly as you might expect to see in your own enterprise. By learning how to target our response, share CTI and leverage our tools, we truly step up our IR capabilities to meet even the most dedicated adversary. For anyone charged with incident response in an enterprise, this course is for you," says course co-author Taz Wake.
FOR608 is designed to pick up where the FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics class leaves off. In FOR508, students take a deep look at the techniques attackers commonly use to breach Windows-based networks, and the resulting artifacts that help incident responders follow the trail from initial intrusion to data compromise. A lot is accomplished in the 6 days of training in FOR508, but there’s still plenty more ground to cover in FOR608!
This course is aimed at digital forensics, incident response, intrusion detection, and threat hunting professionals in medium to large organizations who constantly battle enterprise scale and complexity.
"Successful Incident Response Leads need to manage their resources and the victim wisely, make sure no information gets lost along the way, provide knowledge for efficient and safe recovery and support appropriate internal and external communication during the breach. While we apply many well-known forensic and incident response principles and make them scale in FOR608, we will also go a step further and teach you how to run and control large-scale investigations. I believe the best Incident Response is the one that reduces the costs of a breach, including the loss of reputation as much as possible, while at the same time leaving the victims safer than they were before the breach." - Mathias Fuchs
FOR608: Enterprise-Class Incident Response & Threat Hunting will teach you to:
- Understand when incident response requires in-depth host interrogation versus lightweight mass collection
- Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
- Collect host- and cloud-based forensic data from large environments
- Apply analysis techniques for responding to intrusions on Linux systems
- Correlate and analyze data across multiple data types and machines using a variety of analysis techniques
- Analyze structured and unstructured data to identify attacker behavior
- Enrich collected data to identify additional indicators of compromise
- Develop IOC signatures and analytics to expand search capabilities and enable rapid detection of similar incidents in the future
- Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling
"We are excited to introduce an initial 3-day version of FOR608 to continue the investigative journey. FOR608 covers important aspects of incident response in the enterprise, such as active defense and detection, case and team management, large-scale data analysis, and investigating attacks against Linux operating systems. These are just some of the important subjects we believe are critical for effective response in the enterprise. Mastering these next-level techniques and supporting tools will provide students with the capabilities necessary to handle the scale and variety of threats facing most organizations today," says course co-author Mike Pilkington.
Check out our new SANS DFIR landing page, packed with the latest tools, free resources and information for the DFIR community.
To be notified about new DFIR courses, register here.