Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.
It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.
FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today's investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting to their skills, in which existing evidence is used with newly-acquired threat intelligence to uncover evidence of previously-unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment. In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.
In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.
This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high--evel NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.
Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.
Most of FOR572's hands-on labs have been developed together with the latest version of FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. In these shared scenarios, you'll quickly see a hybrid approach to forensic examination that includes both host and network artifacts is ideal. Although our primary focus is on the network side of that equation, we will point out areas where the host perspective could provide additional context, or where the network perspective gives deeper insight. Both former and future FOR508 students will appreciate the nexus between these extensive evidence sets.
The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK platform - a VMware appliance pre-configured with a tailored configuration of the Elastic stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Moloch platform is also covered and used in a hands-on lab. Through all of the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands of data records.
FOR572 is an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stack networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.
You Will Be Able To
- Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
- Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
- Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
- Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
- Use data from typical network protocols to increase the fidelity of the investigation's findings
- Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
- Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
- Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
- Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
- Examine proprietary network protocols to determine what actions occurred on the endpoint systems
- Analyze wireless network traffic to find evidence of malicious activity
- Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
- Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors
FOR572 Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:
- Foundational network forensics tools: tcpdump and Wireshark refresher
- Packet capture applications and data
- Unique considerations for network-focused forensic processes
- Network evidence types and sources
- Network architectural challenges and opportunities for investigators
- Investigation OPSEC and footprint considerations
- Network protocol analysis
- Hypertext Transfer Protocol (HTTP)
- Domain Name Service (DNS)
- File Transfer Protocol (FTP)
- Server Message Block (SMB) and related Microsoft protocols
- Simple Mail Transfer Protocol (SMTP)
- Commercial network forensic tools
- Automated tools and libraries
- Collection approaches
- Open-source NetFlow tools
- Wireless networking
- Capturing wireless traffic
- Useful forensic artifacts from wireless traffic
- Common attack methods and detection
- Log data to supplement network examinations
- Microsoft Windows Event Forwarding
- HTTP server logs
- Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
- Log collection, aggregation, and analysis
- Web proxy server examination
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- Profiling TLS clients without interception
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- Deep packet work
- Network protocol reverse engineering
- Payload reconstruction
- Round out your teams investigations to include network perspective inherent in all environments
- Build baselines that can be used to proactively identify malicious activity early in a compromise, before large-scale damage is done
- Provide additional value for existing network data collections that support existing operational requirements
- Ensure critical observations from the network are not overlooked in proactive hunting or post-compromise IR actions
What You Will Receive
- Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
- SOF-ELK Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
- Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
- Realistic case data to examine during class, from multiple sources including:
- NetFlow data
- Web proxy, firewall, and intrusion detection system logs
- Network captures in pcap format
- Network service logs
- Electronic Downloadable package loaded with case examples, tools, and documentation
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.
MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS
- CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VTx". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.)
- USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
- 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs and data sets we distribute
- Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 Capability - there are no wired networks in the classroom.
MANDATORY FOR572 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- On Windows hosts, VMware products cannot coexist with the Hyper-V hypervisor. Disable Hyper-V and ensure VMware can boot a virtual machine. Disabling Hyper-V, Device Guard, and Credential Guard can be accomplished using these instructions.
- Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Linux hosts cannot be supported in the classroom due to their numerous variations. Students that wish to use Linux hosts must be experienced users or administrators, and must also be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS
- Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 30 days)
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Player offers fewer features than VMware Workstation, and Workstation is recommended for a more seamless student experience.
- Download and install 7Zip (for Windows Hosts) or Keka (for macOS)
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"When I first became interested in computer and network security in the mid-1990s, the idea of "attacking" another computer network was still science fiction. Today, commercial, governmental, military, and intelligence entities have robust, integrated information security processes. Within the forensic community, we have seen developments that show the agility we must have to remain effective in the face of dynamic adversaries. Endpoint forensic practices will remain the keystone of digital forensics for the foreseeable futur - this is where the events ultimately occur, after all.
"We created FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response to address the most transient domain of digital forensics. Many enterprises have grown to the scale that identifying which handful of endpoints to examine among thousands is a significant challenge. Additionally, the network has become its own medium for incident response and investigation. Our ability to use evidence from all kinds of network devices as well as from captured network data itself will be critical to our success in addressing threats today and tomorrow. From low-grade "script kiddie" attacks to long-term, strategic state-sponsored espionage activity, the network is one of the few common elements found throughout the life cycle of an incident. FOR572 will provide you with the tools and methods to conduct network investigations within environments of all sizes, using scenarios developed from real-world cases. You will finish the course with valuable knowledge that you will use the first day back on the job, and with the methodologies that will help address future generations of adversaries' capabilities." - Phil Hagen
"When I first started my career in computer security, the term "advanced persistent threat" was unknown, yet I had personally recovered terabytes of data obtained from both commercial and government networks. The biggest cybersecurity threat in the news was the latest worm that would propagate through unsuspecting systems and cause more of a nuisance than actual destruction. What was known as the Russian Business Network wasn't even around yet. Network security monitoring was still in its infancy, with very little formal documentation or best practices, most of which were geared towards system administrators. While the Internet has continued to expand, we have all become more interconnected and the threat against our networks continues to grow. We wrote FOR572 as the class we wish we had when we were entering the field of network forensics and investigations - a class that not only provides background when needed but is primarily tailored toward finding evil using multiple data sources and performing a full scope investigation. I am confident this course provides the most up-to-date training covering topics both old and new, based on real-life experiences and investigations." - Mat Oldham
"Phil is probably one of the best instructors I've ever learned from. He's an excellent guy, smart, has a ton of relevant industry knowledge that he can bring in while teaching, and knows how to keep the content interesting." - Ronald Bartwitz, Southern Company