DOWNLOAD THE COURSE UPDATE FLYER HERE
SANS is releasing a major update to FOR572, Advanced Network Forensics and Analysis: Threat Hunting, Analysis, and Incident Response. This course release includes a massive overhaul to the enterprise-scale incident response scenario and dataset. Nearly every hands-on lab is all-new or has been re-written with the new data set, representing the latest in investigative tools, techniques, and procedures as well as adversarial tradecraft.
FOR572 has always been heavy on hands-on content, and this version brings more than ever.
With 50% of the six-day course spent on hands-on lab material, there is ample opportunity to put concepts into practice using real-world data, tools, and methodologies. All of the lab content is drawn directly from real-world case experience. All labs include additional bonus content, allowing students to further refine their expertise after their class ends. This includes dozens of additional hours of hands-on content using expanded data sets, additional tools, and more. However, since FOR572’s labs are fully standalone and self-contained, the class doesn’t ever really “end” because students can re-approach all labs at their convenience and on their own timeline - with no expiration.
This FOR572 update is the result of nearly a year of work coordinating with a dedicated adversary simulation team, enterprise system architects, and investigative experts from across the DFIR spectrum. It was created in conjunction with the team behind SANS FOR508, Enterprise Incident Response, Threat Hunting, and Digital Forensics.
This reality-first approach, combining the network coverage in FOR572 and endpoint perspective in FOR508, means our attack and investigative scenario represents the most realistic and comprehensive DFIR learning experience in the industry.
This update brings new versions of all the major tools covered in the course including:
SANS SIFT Workstation: This staple of every forensicator’s toolkit is actually a collection of thousands of DFIR tools in a bootable Linux build now based on Ubuntu 22.04. A custom version created just for FOR572 is now used for the hands-on labs in this course.
SOF-ELK®: The Security Operations and Forensic ELK VM is an appliance-like implementation of the Elastic Stack, built to support educational and operational requirements involving large collections of logs and NetFlow evidence.
Arkime: This full-packet capture and analysis tool is a game-changer for network forensics because it brings enterprise-class and scale capabilities to bear in a free and open source package.
Zeek: This Network Security Monitoring tool extracts metadata from observed network traffic and stores it in easily parsed logs that give deep application-layer insight to network communications that may have ended in the distant past.
NetworkMiner: A versatile object extraction tool that can reconstruct files that were transferred using a wide variety of protocols, presenting results in a convenient graphical user interface.
Wireshark and tshark: For two of the most venerable network traffic analysis tools, FOR572 covers the specific network forensic workflows they can enable or optimize.
And many, many more.
Students are immersed in a consistent investigative scenario woven throughout the entire course. Network evidence provided includes over 80 million log events, more than 125 million NetFlow records, and approximately 150 gigabytes of packet capture data. The sheer volume of evidence alone requires careful investigative planning and execution, which is addressed from day 1. By prioritizing the best evidence for each different lead they follow, students learn the most efficient and effective methods to investigate at scale. By leveraging each different type of network evidence to its strengths, the shortcomings of other types can be overcome. The result is a focused investigator, who is best suited to provide reliable answers on as fast a timeline as possible.
In FOR572, we’ll cover multiple ways of establishing baselines of network traffic and other user activity in the enterprise, then use those to identify outliers that warrant further investigation. We’ll also dive deep into the artifacts of common protocols, and explore how they are evolving in modern everyday use. While sometimes this involves examining individual samples of traffic, we’ll then pivot to evidence collections containing those same artifacts from the focused samples but on the order of thousands or more.
Whether your enterprise is mostly on-premises, all-in on cloud, or a hybrid between the two, your systems are communicating - do you have the perspective and skills necessary to incorporate those network communications into your DFIR investigations? In FOR572, we’ll lay the foundation for exactly that skill set.
This version of the course has been updated to include the latest protocol variants of HTTP, DNS, SMB, TLS, and more. In many ways, these still retain strong similarities to their legacy counterparts, but exhibit some unique new behaviors that require new perspectives for proper analysis. As always, legacy protocol versions also persist even in the most modern enterprise environment - so we’ll make sure to cover investigative TTPs that still cover those bases.
Network communications are widely varied but represent a critical component for all modern DFIR cases. Modern adversaries use a wide range of techniques to attempt to conceal their activities, and investigating the artifacts their communications leave behind often presents the fastest way to identify them.