FOR608: Enterprise-Class Incident Response & Threat Hunting

  • Online
18 CPEs

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on developing the skills and techniques necessary to respond to large-scale intrusions across diverse enterprise networks.

What You Will Learn

Enterprises today have thousands, maybe even hundreds of thousands - of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers in breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. Our experience has shown that when sizeable organizations suffer a breach, the attackers seldom compromise one or two systems. Without the proper tools and methodologies, security teams will always find themselves playing catch-up, and the attacker will continue to achieve success.

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. The concepts are similar: gathering, analyzing, and making decisions based on information from hundreds of machines. This requires the ability to automate and the ability to quickly focus on the right information for analysis. By using example tools built to operate at enterprise-class scale, students will learn the techniques to collect focused data for incident response and threat hunting. Students will then dig into analysis methodologies, learning multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using timeline, graphing, structured, and unstructured analysis techniques.

FOR608: Enterprise-Class Incident Response & Threat Hunting will teach you to:

  • Understand when incident response requires in-depth host interrogation or light-weight mass collection
  • Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  • Collect host- and cloud-based forensic data from large environments
  • Learn analysis techniques for responding to Linux operating systems
  • Correlate and analyze data across multiple data types and machines using a myriad of analysis techniques
  • Conduct analysis of structured and unstructured data to identify attacker behavior.
  • Enrich collected data to identify additional indicators of compromise
  • Develop IOC signatures and analytics to expand searching capabilities and enable rapid detection of similar incidents in the future
  • Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling.

Syllabus (18 CPEs)

Download PDF
  • Overview

    The FOR608: Enterprise-Class Incident Response & Threat Hunting course begins with discussions on current cyber defense concerns, and how incident responders and threat hunters can take a more active role in detection and response. Collaboration within the team and the community are a focus, as we look to incorporate shared knowledge from sources like the MITRE ATT&CK(R) framework. Furthermore, we discuss taking an active defense approach to slow attackers and facilitate detection. Specific to active detection, the use of honeypots, honey tokens, and canaries are covered, along with ways to deploy them opportunistically. This type of tripwire in the network provides defenders and responders needed visibility to find and respond to intrusions quickly.

    When a compromise does occur, which is an unfortunate but inevitable truth, we continue the discussion with a focus on the processes and techniques that allow for efficient handling of intrusions. Concepts such as leading the response, managing team members, documenting findings, and communicating with stakeholders are covered in detail. We will introduce the 3 priorities of incident response model that aligns incident response with business requirements. The purpose-built Aurora tool is presented as a collaborative platform for tracking the investigation phases, from initial detection to scoping, containment, indicator development, and remediation.

    We continue the day with an examination of key threat intelligence concepts, including developing and implementing threat intelligence internally. External projects MITRE ATT&CK(R) matrix and Sigma are also leveraged. We discuss both MISP and OpenCTI as two comprehensive threat intel platforms for ingesting, tracking, and sharing threat intelligence. A threat intel report on the adversary targeting our example company, Stark Research Labs (SRL), will be presented as we start to look at potential signs of intrusion in the company.

    We finish the day by using an alert triggered in our example company network as a pivot point into a potential attack. Triage data collected by company personnel has been processed into a timeline and the data imported into Timesketch. We utilize Timesketch as a powerful platform for scalable and collaborative analysis of forensic data. Best practices for importing timeline data, providing additional field parsing, and enrichment are introduced to help highlight anomalous activity. Later in the class, we also provide techniques to view the same data set with Kibana, which offers additional capabilities, such as creating dashboards for visualizations and saved searches to aid analysis.

    • Development of honey tokens for active detection
    • Documenting an initial alert in Aurora
    • Using OpenCTI to analyze threat reports of actors targeting our example company's industry
    • Using Timesketch to analyze a potential breach in the company
    • Continue documenting findings in Aurora, which tallies team scores in the FOR608 scoreboard


    Incident Response and Threat Hunting in the Enterprise

    • Taking an Active Defense approach to threat hunting and detection
    • Using Active Defense concepts of Deny, Disrupt, and Degrade for attacker containment
    • Using the Active Defense concept of Deception for detection
    • Pros and cons of using honeypots
    • Pros and cons of canary / honey tokens
    • Deploying canary tokens into an environment for intrusion detection

    Managing Large-Scale Response

    • Fostering key principles of successful response within the team and organization
    • Structuring teams, roles, and responsibilities
    • Leading the response
    • Managing resources
    • Combining incident response and project management disciplines
    • Effective documentation and communication for tracking and reporting incidents
    • Introduction to Aurora, an incident response documentation platform

    Intel-Driven Incident Response

    • Understand the importance of cyber threat intelligence in incident response
    • Review various sources of threat intelligence and integrating it with the IR process
    • Developing and managing intelligence in your organization
    • Analysis of the ATT&CK(R) matrix and its importance in mapping out attacker techniques and capabilities
    • Using OpenCTI to catalog, organize, and visualize threat actor TTPs

    Scalable & Collaborative Analysis with Timesketch

    • Using Timesketch to perform deep-dive analysis across multiple hosts with multiple analysts
    • Annotate, label, bookmark events of interest to create custom timeline views
    • Provide variations on data import allowing for additional field parsing
    • Apply analytics and visualizers to assist analysis
    • Create stories to convey findings

  • Overview

    Section 2 pivots directly from Section 1 as we continue to move into response mode. We will begin collecting evidence at scale to scope a potential intrusion against our example company, Stark Research Labs. SRL has Endpoint Detection and Response (EDR) tooling in place and we leverage that data to assist scoping. However, attackers sometimes bypass or otherwise subvert EDR technology, so a discussion of common bypass techniques is presented. This provides students with both awareness of EDR limitations, as well as training to look for anomalous activities within the EDR log data.

    Moving beyond the analysis of commonly logged artifacts, we introduce the open-source Velociraptor tool as a powerful platform for incident response and threat hunting at scale. Velociraptor is adept at pulling forensic artifacts from across the enterprise, as well as providing analysts with a tool to deep dive individual hosts of interest. We will show Velociraptor to be a flexible tool useful for a number of situations, as well as for a number of operating systems and architectures.

    One of many useful features of Velociraptor is its ability to push collected data into Elasticsearch. Elasticsearch is another powerful and flexible tool appropriate for any responder's toolkit. As such, we use Elasticsearch to ingest and process various data types, including data from Velociraptor, from the PowerShell IR framework, Kansa, and from the Log2timeline tool. We then setup dashboards and visualizations in Kibana to perform outlier analysis and perform rapid searches for common attacker TTPs across large data sets.

    After having swept the network looking for indicators of compromise in EDR log data and with tools such as Velociraptor and Kansa, there will inevitably be a subset of hosts that warrant deeper dives. We present rapid response options for targeted data collections at scale, including multi-platform tools such as Velociraptor and CyLR. In the case of Velociraptor, it can be installed on a persistent client-server basis, but also as a standalone collector. We demonstrate how to use it in either case to collect critical artifacts for tracking the adversary's progress. Rapidly post-processing the acquired data for analysis is another important piece of the puzzle. Solutions are presented to quickly take the collected artifacts and process them for analysis in Timesketch, Elasticsearch, or individual artifact review.

    • Analyzing Sysmon telemetry and log events for incident scoping/identification
    • Deploy a small Velociraptor client-server environment and perform a hunt for artifacts generated from threat emulation tools
    • Configure Elasticsearch and Kibana in the FOR608 SIFT Liinux VM. Ingest and analyze data from Velociraptor, Kansa, and Log2timeline.
    • Acquire forensic triage images using Velociraptor and CyLR. Rapidly process results for timeline analys



    EDR and EDR Bypass

    • Analyzing Sysmon telemetry and log events for incident scoping/identification
    • Create custom, incident-focused Sysmon configuration files
    • Discuss attacker techniques for subverting and bypassing EDR tooling

    Scaling Incident Response with Velociraptor

    • Describing the various use cases for Velociraptor
    • Learn to customize Velociraptor Query Language (VQL) analyzers ("artifacts")
    • Rapidly deploying Velociraptor in a client-server configuration
    • Performing hunts and acquiring forensic evidence
    • Using Velociraptor notebooks for effective post-processing and analysis
    • Export results to Elasticsearch, Splunk, or CSV flat-files for external analysis

    Scaling Analysis with ELK

    • Utilize the ELK stack (aka Elastic Stack) to ingest and analyze logs
    • Ingest structured and freeform data types into ELK
    • Use dashboards, histograms, graphs, and saved searches to locate attacker TTPs quickly

    Rapid Response Triage

    • Utilize CyLR and Velociraptor to quickly acquire forensic artifacts from Windows, Linux, and Mac.
    • Create custom acquisition packages for Velociraptor
    • Post-process results for timeline analysis using Timesketch, Elasticsearch, or CSV files

  • Overview

    Section 3 transitions to more traditional host-based forensic artifact analysis. The day starts with a look at some of the latest techniques for attacking Windows systems, including the now too-common ransomware attack. As part of looking for precursors to ransomware attacks, as well as other targeted attacks, we spend time focusing on attackers use of "living-off-the-land" techniques to avoid detection. There are many clever ways attackers leverage built-in binaries and scripts (aka "LOLBAS", "Living-Off-the-Land Binaries And Scripts") to accomplish their goals without bringing custom malware onto the host. Learning to proactively detect or retroactively analyze these techniques is critical to investigating many modern-day intrusions.

    Following this initial discussion on Windows, the remaining part of the day focuses on Linux incident response and analysis. A full Linux Day" is planned for the final 6-day version of FOR608 and we are happy to present most of it in the 3-day version of the class. Many organizations, large and small, have Linux systems present in their environment. Although intrusions against Linux do not make the headlines as often, it's no secret that attacker regularly exploit vulnerable Linux systems to establish and maintain footholds in victim organizations.

    FOR608 outlines common vulnerabilities in Linux systems and configurations, then covers common attacker exploits targeting these systems. Privilege escalation, persistence, and lateral movement are techniques we commonly associate with attacks against Windows environments, but they apply equally to Linux as well.

    Our Linux discussion continues with coverage of DFIR fundamentals when analyzing Linux systems. Topics that are critical, but often cause confusion, include differences among Linux distributions, Linux file systems, the Logical Volume Manager, key log file locations, and more. Strategies are presented to handle both initial triage and deeper forensic analysis of Linux systems. Searching for unexpected logins, suspicious new files or altered files, and outliers in application logs are just a few of the techniques used to locate malicious behavior. We conclude the section with best practices for hardening systems, enhancing logging configurations, and adding monitoring capabilities to aid future investigations. Providing students with the ability to investigate Linux intrusions is key goal of FOR608. Upon completion of the course, students will leave with important new skills and techniques for responding to large-scale intrusions across diverse enterprise networks.

    • Detecting "LOLBAS" activity
    • Linux web log analysis
    • Triaging Linux


    Modern Attacks Against Windows

    • Fileless malware in the wild
    • Common "LOLBAS" activity, including precursors to ransomware attacks
    • Hunting amongst the noise for suspicious "LOLBAS" usage

    Introduction to Linux

    • History of Linux
    • Ubiquitous nature of Linux
    • Challenges organizations face with managing, securing, and monitoring Linux systems

    Modern Attacks Against Linux

    • Exploiting vulnerable applications or operating system services
    • Misconfigurations or unpatched services lead to successful attacks
    • Attacker techniques for accomplishing the attack lifecycle, including privilege escalation, persistence, lateral movement, and exfiltration

    Linux DFIR Fundamentals

    • Understanding primary differences in file systems
    • EXT3, EXT4, XFS file system overviews
    • Understanding the Logical Volume Manager (LVM2)
    • Available timestamps in Linux file systems (comparing EXT3, EXT4, XFS, Btrfs, ZFS)
    • Typical Linux file system directory hierarchy

    Linux Log Analysis

    • Common logs and locations
    • IR strategy for log analysis
    • Reviewing logon activity
    • Mining application logs for suspicious events

    Linux Triage Collection and Forensic Readiness

    • Collecting key configuration files
    • Collecting artifact-rich logs
    • Scripting collection for simplicity and consistency
    • Hardening Linux configurations
    • Improving audit policies
    • Adding endpoint security tooling


FOR608 is an advanced level course that skips over introductory material of Windows host- and network-based forensics and incident response. This class is not necessarily more technical than our 500-level classes, but it does assume that knowledge so that topics and concepts are not repeated.

Students must have multiple years of DFIR experience and/or have taken classes such as:

  • FOR500 (Windows Forensics Analysis),
  • FOR508 (Advanced Digital Forensics, Incident Response, and Threat Hunting), and/or
  • FOR572 (Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response).

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit Intel-based guest virtual machine will run on your laptop. VMware provides a free tool or Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit Intel-based capability for your particular model. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT"
  • Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 32 GB of RAM is highly recommended. 16 GB (Gigabytes) of RAM is minimum.
  • 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive
  • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 Capability


  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.


  • Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
  • Download and install 7Zip (for Windows Hosts) or Keka (macOS)

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failurSANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"Incident Response in large environments requires successful Incident Responders to master a multitude of different disciplines. Broad forensic knowledge forms the foundation. A good choice of the technical approach allows for scalability. Beyond the pure technical challenge of investigating a network with a 6 figure number of machines, there lies the management aspect of things. Successful Incident Response includes all measures to minimize the impact of the breach on the victim as much as possible and make sure that the attacker can not come back as quickly as before.

Successful Incident Response Leads need to manage their resources and the victim wisely, make sure no information gets lost along the way, provide knowledge for efficient and safe recovery and support appropriate internal and external communication during the breach. While we apply many well-known forensic and incident response principles and make them scale in FOR608, we will also go a step further and teach you how to run and control large-scale investigations. I believe the best Incident Response is the one that reduces the costs of a breach, including the loss of reputation as much as possible, while at the same time leaving the victims safer than they were before the beach." - Mathias Fuchs

"FOR608 is designed to pick up where the FOR508 class leaves off. In FOR508, we take a deep look at the techniques attackers commonly use to breach Windows-based networks, and the resulting artifacts that help incident responders follow the trail from initial intrusion to data compromise. A lot is accomplished in the 6 days of training in FOR508, but there is still plenty more ground to cover in FOR608! We are excited to introduce an initial 3-day version of FOR608 to continue the investigative journey.

FOR608 covers important aspects of incident response in the enterprise, such as active defense and detection, case and team management, large-scale data analysis, and investigating attacks against Linux operating systems. These are just some of the important subjects we believe are critical for effective response in the enterprise. Mastering these next-level techniques and supporting tools will provide students with the capabilities necessary to handle the scale and variety of threats facing most organizations today." - MikePilkington

"Many years ago, Incident Response was very much focused on a single responder dealing with a single system. Times have changed dramatically, and we face advanced adversaries who spread across entire enterprises aggressively and effectively. Often by the time an attack is detected you might find hundreds of systems compromised. It is important that we responders scale up our processes, using the tools and techniques available, to meet this threat. This is what FOR608 will help you achieve.

The course is built around a realistic scenario, working the students through the phases of IR at scale using tools which help drive a deep understanding. We cover a range of technologies and a lot of data, exactly as you might expect to see in your own enterprise. By learning how to target our response, share CTI and leverage our tools, we truly step up our IR capabilities to meet even the most dedicated adversary. For anyone charged with incident response in an enterprise, this course is for you." - Taz Wake

Register for FOR608

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more