We are excited to announce a significant update to the SANS FOR508 Advanced Incident Response, Threat Hunting and Digital Forensics class. It represents a major upgrade to the courseware with a complete replacement of every hands-on exercise in the course.
While we constantly update courses to reflect the speed of change in digital forensics, the new version of FOR508 is the result of over nine months of planning, collaboration, and execution by red and blue team operators in cooperation with the SANS Cyber Ranges team.
In FOR508, students investigate a real network hacked by a professional red team emulating real-world adversaries. It represents the state of the art in showcasing a large cross-section of attacker techniques and teaching the forensic and analysis skills necessary to identify, investigate, and remediate wide-scale computer intrusions. Forensic and threat hunting techniques are used by students to walk through the entire attack cycle, identifying initial reconnaissance, exploit weaponization and delivery, attacker persistence, and post-exploitation behaviors.
Students learn how to perform a complete deep-dive forensic investigation into a compromised system while also using findings as indicators of compromise to scale their efforts across the network.
Solving the final intrusion challenge requires investigating artifacts on over thirty systems including Windows 10 and 11 workstations, DMZ servers, internal development servers, a domain controller, and hosted Exchange email.
Importantly, an emphasis on developing analytical skills and anomaly detection is in the DNA of the course, ensuring that learned skills are transferable to any network and any security tool stack.
There is a huge difference between auditing forensic artifacts left behind by a tool and witnessing a network intrusion through its entire lifecycle. Real attacks leave markers behind that are not typically seen in sample data sets. Attackers must gain a foothold, probe the environment, take steps to evade host-based security, evaluate how to escalate privileges, identify and extract important credentials, and ultimately find viable paths through the network to achieve their goals. Missteps occur, leaving behind telltale signs of attacker activity; reconnaissance, probing, and security evasion often trigger low-level alerts; and each credential attack and lateral movement technique generates its own unique pattern of artifacts. If you believe hacking a modern and well-defended enterprise network is easy, then you clearly have not looked over the shoulders of a penetration testing team! Students get the chance to do just this in FOR508, tracing the forensic results of an attack while also having access to the detailed logs of attacker activity.
Attendees gain experience finding a wide variety of current attack patterns, including advanced credential theft, multiple types of malware persistence, and forensic artifacts left behind by PowerShell, WMI, Cobalt Strike, Sliver, Impacket, Covenant, remote monitoring and management (RMM) tools, and much more. Investigating other common malware families like Meterpreter, Amadey, Emotet, Solar Marker, custom nation state backdoors, rootkits, bootkits, and anti-forensic tools is also baked into the course materials.
Many courseware updates were made to support the new hands-on exercise data set. The hunting across the enterprise section was re-imagined and now includes multiple opportunities for hands-on experience with the Velociraptor incident response platform. The malware persistence and DLL hijack section was updated to reflect new tools and techniques. Event log analysis was updated with the latest changes to PowerShell logging, including PowerShell Core versions, and a new section on Windows Defender logs, Detection History artifacts, and Defender MPLogs. Memory forensics was brought up to the state of the art with exciting new techniques to leverage YARA signatures to detect advanced malware hiding techniques, a new capability to extract cached files from memory, and more insight into investigating loaded vulnerable drivers. The latter is vitally important as bring-your-own-vulnerable-driver (BYOVD) attacks have emerged as one of the most dangerous attacks currently affecting the Windows enterprise. Major updates and capabilities were added to the forensic timelining section, including recent upgrades bringing important artifacts like PowerShell transcripts and Windows Server User Access (SUM) logs into timelines.
All hands-on labs in the course are tailored to ensure students put into practice everything they learn using real-world systems and data.
From an author’s perspective, it feels as if we are in a perpetual update cycle, but the most recent update to FOR508 includes an exceptional number of changes. We are thrilled to get the new material in front of students and to train the next generation of incident responders and threat hunters! You can find a flyer covering many of the latest updates here.
Chad Tilbury has spent over twenty years conducting computer crime investigations ranging from hacking to espionage to multimillion-dollar fraud cases. He is a SANS Institute Fellow and co-author of FOR500 Windows Forensic Analysis and FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics. Find him on Twitter @chadtilbury.