
FOR608: Enterprise-Class Incident Response & Threat Hunting

  • In Person (6 days)
  • Online
36 CPEs

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. Using example tools built to operate at enterprise-class scale, students learn techniques to collect focused data for incident response and threat hunting, then dig into analysis methodologies, learning multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems.

What You Will Learn

Enterprises today have thousands, maybe even hundreds of thousands, of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers from breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. Our experience has shown that when sizeable organizations suffer a breach, the attackers seldom compromise only one or two systems. Without the proper tools and methodologies, security teams will always find themselves playing catch-up, and the attacker will continue to succeed.

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. The concepts are similar: gathering, analyzing, and making decisions based on information from hundreds of machines. This requires the ability to automate and the ability to quickly focus on the right information for analysis. By using example tools built to operate at enterprise-class scale, students will learn the techniques to collect focused data for incident response and threat hunting. Students will then dig into analysis methodologies, learning multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using timeline, graphing, structured, and unstructured analysis techniques.

FOR608: Enterprise-Class Incident Response & Threat Hunting will teach you to:

  1. Understand when incident response requires in-depth host interrogation or light-weight mass collection
  2. Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  3. Collect host- and cloud-based forensic data from large environments
  4. Discuss best practices for responding to Azure, M365, and AWS cloud platforms
  5. Learn analysis techniques for responding to Linux and Mac operating systems
  6. Analyze containerized microservices such as Docker containers
  7. Correlate and analyze data across multiple data types and machines using a myriad of analysis techniques
  8. Conduct analysis of structured and unstructured data to identify attacker behavior
  9. Enrich collected data to identify additional indicators of compromise
  10. Develop IOC signatures and analytics to expand searching capabilities and enable rapid detection of similar incidents in the future
  11. Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling

Syllabus (36 CPEs)

  • Overview

    The FOR608: Enterprise-Class Incident Response & Threat Hunting course begins with discussions on current cyber defense concerns and how incident responders and threat hunters can take a more active role in detection and response. Collaboration within the team and the community is a focus, as we look to incorporate shared knowledge from sources like the MITRE ATT&CK(R) framework. Furthermore, we discuss taking an active defense approach to slow attackers and facilitate detection. Specific to active detection, the use of honeypots, honey tokens, and canaries is covered, along with ways to deploy them opportunistically. This type of tripwire in the network gives defenders and responders the visibility they need to find and respond to intrusions quickly.

    When a compromise does occur, which is an unfortunate but inevitable truth, we continue the discussion with a focus on the processes and techniques that allow for efficient handling of intrusions. Concepts such as leading the response, managing team members, documenting findings, and communicating with stakeholders are covered in detail. We'll introduce the "3 Priorities of Incident Response" model, which aligns incident response with business requirements. The purpose-built Aurora tool is presented as a collaborative platform for tracking the investigation phases, from initial detection to scoping, containment, indicator development, and remediation.

    We continue the day with an examination of key threat intelligence concepts, including developing and implementing threat intelligence internally. External projects such as the MITRE ATT&CK(R) matrix and Sigma are also leveraged. We discuss both MISP and OpenCTI as two comprehensive threat intel platforms for ingesting, tracking, and sharing threat intelligence. A threat intel report on the adversary targeting our example company, Stark Research Labs (SRL), will be presented as we start to look at potential signs of intrusion in the company.

    We finish the day by using an alert triggered in our example company network as a pivot point into a potential attack. Triage data collected by company personnel has been processed into a timeline and the data imported into Timesketch. We utilize Timesketch as a powerful platform for scalable and collaborative analysis of forensic data. Best practices for importing timeline data, providing additional field parsing, and enrichment are introduced to help highlight anomalous activity. Later in the class, we also provide techniques to view the same data set with Kibana, which offers additional capabilities, such as creating dashboards for visualizations and saved searches to aid analysis.

    Exercises

    • Development of honey tokens for active detection
    • Documenting an initial alert in Aurora
    • Using OpenCTI to analyze threat reports of actors targeting our example company's industry
    • Using Timesketch to analyze a potential breach in the company
    • Continue documenting findings in Aurora, which tallies team scores in the FOR608 scoreboard

    Topics
    • Incident Response and Threat Hunting in the Enterprise
      • Taking an Active Defense approach to threat hunting and detection
      • Using Active Defense concepts of Deny, Disrupt, and Degrade for attacker containment
      • Using the Active Defense concept of Deception for detection
      • Pros and cons of using honeypots
      • Pros and cons of canary / honey tokens
      • Deploying canary tokens into an environment for intrusion detection
    • Managing Large-Scale Response
      • Fostering key principles of successful response within the team and organization
      • Structuring teams, roles, and responsibilities
      • Leading the response
      • Managing resources
      • Combining incident response and project management disciplines
      • Effective documentation and communication for tracking and reporting incidents
      • Introduction to Aurora, an incident response documentation platform
    • Intel-Driven Incident Response
      • Understand the importance of cyber threat intelligence in incident response
      • Review various sources of threat intelligence and integrate them with the IR process
      • Developing and managing intelligence in your organization
      • Analysis of the ATT&CK(R) Matrix and its importance in mapping out attacker techniques and capabilities
      • Using OpenCTI to catalog, organize, and visualize threat actor TTPs
    • Scalable & Collaborative Analysis with Timesketch
      • Using Timesketch to perform deep-dive analysis across multiple hosts with multiple analysts
      • Annotate, label, bookmark events of interest to create custom timeline views
      • Provide variations on data import allowing for additional field parsing
      • Apply analytics and visualizers to assist analysis
      • Create stories to convey findings

  • Overview

    Section 2 pivots directly from Section 1 as we continue to move into response mode. We will begin collecting evidence at scale to scope a potential intrusion against our example company, Stark Research Labs. SRL has Endpoint Detection and Response (EDR) tooling in place, and we leverage that data to assist scoping. However, attackers sometimes bypass or otherwise subvert EDR technology, so a discussion of common bypass techniques is presented. This provides students with both awareness of EDR limitations and training to look for anomalous activities within the EDR log data.

    Moving beyond the analysis of commonly logged artifacts, we introduce the open-source Velociraptor tool as a powerful platform for incident response and threat hunting at scale. Velociraptor is adept at pulling forensic artifacts from across the enterprise, as well as providing analysts with a tool to deep-dive into individual hosts of interest. We will show Velociraptor to be a flexible tool useful in a number of situations and across a number of operating systems and architectures.

    One of many useful features of Velociraptor is its ability to push collected data into Elasticsearch. Elasticsearch is another powerful and flexible tool appropriate for any responder's toolkit. As such, we use Elasticsearch to ingest and process various data types, including data from Velociraptor, from the PowerShell IR framework "Kansa", and from the "Log2timeline" tool. We then set up dashboards and visualizations in Kibana to perform outlier analysis and rapid searches for common attacker TTPs across large data sets.

    After having swept the network looking for indicators of compromise in EDR log data and with tools such as Velociraptor and Kansa, there will inevitably be a subset of hosts that warrant deeper dives. We present rapid response options for targeted data collections at scale, including multi-platform tools such as Velociraptor and CyLR. In the case of Velociraptor, it can be installed on a persistent client-server basis, but also as a standalone collector. We demonstrate how to use it in either case to collect critical artifacts for tracking the adversary's progress. Rapidly post-processing the acquired data for analysis is another important piece of the puzzle. Solutions are presented to quickly take the collected artifacts and process them for analysis in Timesketch, Elasticsearch, or individual artifact review.

    Exercises

    • Analyzing Sysmon telemetry and log events for incident scoping/identification
    • Deploy a small Velociraptor client-server environment and perform a hunt for artifacts generated from threat emulation tools
    • Configure Elasticsearch and Kibana in the FOR608 "SIFT" Linux VM. Ingest and analyze data from Velociraptor, Kansa, and Log2timeline.
    • Acquire forensic triage images using Velociraptor and CyLR. Use automation techniques to rapidly process results for timeline analysis.

    Topics
    • EDR and EDR Bypass
      • Analyzing Sysmon telemetry and log events for incident scoping/identification
      • Create custom, incident-focused Sysmon configuration files
      • Discuss attacker techniques for subverting and bypassing EDR tooling
    • Scaling Incident Response with Velociraptor
      • Describing the various use cases for Velociraptor
      • Learn to customize Velociraptor Query Language (VQL) analyzers ("artifacts")
      • Rapidly deploying Velociraptor in a client-server configuration
      • Performing hunts and acquiring forensic evidence
      • Using Velociraptor notebooks for effective post-processing and analysis
      • Export results to Elasticsearch, Splunk, or CSV flat-files for external analysis
    • Scaling Analysis with ELK
      • Utilize the ELK stack (aka Elastic Stack) to ingest and analyze logs
      • Ingest structured and freeform data types into ELK
      • Use dashboards, histograms, graphs, and saved searches to locate attacker TTPs quickly
    • Rapid Response Triage
      • Utilize CyLR and Velociraptor to quickly acquire forensic artifacts from Windows, Linux, and Mac
      • Create custom acquisition packages for Velociraptor
      • Post-process results for timeline analysis using Timesketch, Elasticsearch, or CSV files

  • Overview

    Section 3 transitions to more traditional host-based forensic artifact analysis. The day starts with a look at some of the latest techniques for attacking Windows systems, including the now too-common ransomware attack. As part of looking for precursors to ransomware attacks, as well as other targeted attacks, we spend time focusing on attackers' use of "living-off-the-land" techniques to avoid detection. There are many clever ways attackers leverage built-in binaries and scripts (aka "LOLBAS", Living-Off-the-Land Binaries And Scripts) to accomplish their goals without bringing custom malware onto the host. Learning to proactively detect or retroactively analyze these techniques is critical to investigating many modern-day intrusions.

    Following this initial discussion on Windows, the remaining part of the day focuses on Linux incident response and analysis. Many organizations, large and small, have Linux systems present in their environment. Although intrusions against Linux do not make the headlines as often, it's no secret that attackers regularly exploit vulnerable Linux systems to establish and maintain footholds in victim organizations.

    FOR608 outlines common vulnerabilities in Linux systems and configurations, then covers common attacker exploits targeting these systems. Privilege escalation, persistence, and lateral movement are techniques we commonly associate with attacks against Windows environments, but they apply equally to Linux.

    Our Linux discussion continues with coverage of DFIR fundamentals when analyzing Linux systems. Topics that are critical, but often cause confusion, include differences among Linux distributions, Linux file systems, the Logical Volume Manager, key log file locations, and more. Strategies are presented to handle both initial triage and deeper forensic analysis of Linux systems. Searching for unexpected logins, suspicious new or altered files, and outliers in application logs are just a few of the techniques used to locate malicious behavior. We conclude the section with best practices for hardening systems, enhancing logging configurations, and adding monitoring capabilities to aid future investigations. Providing students with the ability to investigate Linux intrusions is a key goal of FOR608. Upon completion of the course, students will leave with important new skills and techniques for responding to large-scale intrusions across diverse enterprise networks.

    Exercises
    • Detecting LOLBAS activity
    • Linux web log analysis
    • Triaging Linux

    Topics
    • Modern Attacks Against Windows
      • Fileless malware in the wild
      • Common "LOLBAS" activity, including precursors to ransomware attacks
      • Hunting amongst the noise for suspicious "LOLBAS" usage
    • Introduction to Linux
      • History of Linux
      • Ubiquitous nature of Linux
      • Challenges organizations face with managing, securing, and monitoring Linux systems
    • Modern Attacks Against Linux
      • Exploiting vulnerable applications or operating system services
      • Misconfigurations or unpatched services lead to successful attacks
      • Attacker techniques for accomplishing the attack lifecycle, including privilege escalation, persistence, lateral movement, and exfiltration
    • Linux DFIR Fundamentals
      • Understanding primary differences in file systems
      • EXT3, EXT4, XFS file system overviews
      • Understanding the Logical Volume Manager (LVM2)
      • Available timestamps in Linux file systems (comparing EXT3, EXT4, XFS, Btrfs, ZFS)
      • Typical Linux file system directory hierarchy
    • Linux Log Analysis
      • Common logs and locations
      • IR strategy for log analysis
      • Reviewing logon activity
      • Mining application logs for suspicious events
    • Linux Triage Collection and Forensic Readiness
      • Collecting key configuration files
      • Collecting artifact-rich logs
      • Scripting collection for simplicity and consistency
      • Hardening Linux configurations
      • Improving audit policies
      • Adding endpoint security tooling

  • Overview

    By this point in the course, students have undertaken a wide range of tasks, including collecting host-based data, deploying live-response tools to catch attackers "in the act", and utilizing "big-data" analysis platforms to find suspicious activity at scale. Students have also taken a deep dive into the Linux operating system and discovered important ways to respond to the inevitable attacks against these systems.

    In the next module, we move on to look at key aspects of the Apple macOS operating system. These hosts have become more prevalent in many enterprise networks. Therefore, it's important that incident responders have some understanding and training for responding to such systems. Before diving into the incident response techniques, we discuss the history and current ecosystem of macOS and Apple mobile devices. We then move into important topics such as the Apple Filesystem (APFS), the file and directory structure, and important file types for Mac analysis such as the Property List (plist) configuration file.

    After a discussion of the fundamentals, we turn our attention to the challenges and opportunities for responding to macOS incidents. Questions such as how best to acquire disk and triage data, how to review those acquisitions, and which logs and other artifacts are most useful in spotting suspicious activity, are all covered in detail.

    After establishing a solid foundation for Linux and Mac forensic analysis, we then turn our attention to the concept of containerized microservices. Containers are a popular way to deploy applications and services in a reliable and repeatable way. The most common platform for containers is Docker, which is where we focus our attention in FOR608. Discussions on the architecture and management of Docker containers help students understand where to focus their analysis. A specific triage workflow is also covered to arm analysts with a repeatable process for quick and effective response.

    Exercises
    • Mount and analyze APFS disk images
    • Review macOS artifacts and logs
    • Docker administration and logs
    • Docker triage and IR

    Topics
    • macOS Foundations
      • A history of Apple operating systems
      • Apple in the enterprise
    • Apple Filesystems
      • APFS characteristics
      • macOS timestamps
      • macOS file & directory structure
      • Key file types such as Property List (.plist) files
    • Mac Incident Response
      • Challenges with forensic acquisitions
      • Options for mounting disk images
      • Profiling users and system configurations
      • Review common persistence methods
      • Log analysis for macOS
      • Scripting live triage acquisitions
    • Containers in the Enterprise
      • Conceptual overview of containers
      • Introduction to Docker
      • Attacks against containers
      • Forensic challenges
    • DFIR for Containers
      • Metadata collection and analysis
      • Using snapshots to save containerized files
      • Log analysis for Docker
      • Gather ephemeral data
      • Review image files and history

  • Overview

    This day is focused on responding to incidents in the major cloud platforms from Microsoft and Amazon. Although the analysis focuses on those platforms, we cover log analysis techniques, architecture designs, and automation initiatives that can be applied to just about any cloud provider. We also cover attacks instigated from cloud environments and the artifacts that may be left behind in such cases.

    Cloud environments provide unique challenges for incident response, but some exciting opportunities too. A quick intro into these factors will start the day. Once again, we find that the MITRE ATT&CK(R) framework, specifically the Cloud Matrix, is useful for organizing our defenses and detections.

    Moving into Microsoft 365 (M365) and Azure, several popular SaaS offerings are discussed. These include M365 and Azure AD for hosted services like Exchange, SharePoint, and Active Directory authentication. Many organizations subscribe to these services, and predictably, attackers have become proficient at finding weaknesses in their implementations. We therefore look at many common attack scenarios against M365 and Azure. Log analysis is critical to solving these cases, so log acquisition and review are a major focus for discussion. Specifically, we look for suspicious user logon and email activity in the Unified Audit Logs (UAL) as a common method for detection. The Azure AD Audit log, and other logs discussed, are useful resources as well.

    Important for any incident response is the Recovery phase, which typically includes implementing security enhancements to detect or prevent similar attacks in the future. Therefore, we cover some of the more useful security enhancements in M365 and Azure as well.

    The second part of the day delves into the Amazon Web Services (AWS) cloud platform. Its general architecture and components are covered to provide a solid foundation for those new to AWS. We then go into detail on the many logs and services that provide critical detection and analysis data for responders. This includes CloudTrail logs, VPC flow logs, GuardDuty alerts, and more.

    The section concludes with discussions on architecting for response in the cloud for faster and more effective analysis. This involves setting up security accounts for a secure enclave within AWS. Template VMs (AMIs) are also recommended for performing analysis against volume snapshots, network packet captures, and more. Finally, we look at common IR tasks that can be automated and how to do so rather seamlessly using AWS Lambda and Step Functions. While the solutions presented in this section are AWS-centric, the concepts can (and should) be applied to almost any cloud platform in significant use by an organization.

    Exercises
    • M365 log analysis
    • Finding attacker cloud exfil infrastructure
    • AWS CloudTrail log analysis
    • AWS VPC Flow log analysis

    Topics
    • DFIR in the Cloud
      • Cloud service models (IaaS, PaaS, SaaS)
      • Cloud forensics vs. traditional forensics
      • MITRE ATT&CK(R) Cloud Matrix
    • Incident Response in Azure & M365
      • M365/O365 SaaS offerings
      • Azure IaaS and PaaS platform
      • Azure AD architecture
      • Common attack scenarios
      • Important log sources & log extraction
      • Investigating suspicious user logons and email activity
      • Securing M365 & Azure
    • Attackers in the Cloud
      • Investigating attacks that leverage the cloud
      • Discover host-based artifacts from attacker's cloud infrastructure
    • AWS Foundations
      • Organizational and account hierarchy
      • AWS Identity and Access Management (IAM)
      • Authentication and identity types
      • AWS regions and API endpoints
      • AWS computing, storage, and networking constructs
    • Incident Response in AWS
      • Leveraging the AWS Incident Response Guide
      • AWS incident domains
      • Critical log sources such as CloudTrail and CloudWatch
      • Threat detection and response services such as GuardDuty and Detective
      • Network analysis with VPC flow logs and traffic mirroring
      • Architecting for analysis in the cloud
      • Acquiring logs and snapshots
      • Planning and practicing likely scenarios
    • IR Automation in AWS
      • Identifying tasks for automation
      • Using AWS VM templates (AMIs) for quick response
      • Leveraging AWS Lambda and Step Functions for automation and orchestration

  • Overview

    Section 6 will serve as a capstone for the class and a chance for students to put into practice the knowledge gained thus far. We will be providing an all-new Capture-the-Flag ("CTF") style exercise that focuses on utilizing the tools and techniques discussed in the previous five sections. Students will be provided a data set from a compromised environment and will need to utilize the tools and techniques they've learned to uncover the steps of the breach, end-to-end.

    As in most real-world incident response scenarios, students will work in teams to divide and conquer the analysis to solve this complex case most efficiently. As they work throughout the day, they will submit flags on a scoreboard and the winning team will be crowned at the end of the day based on the highest score.

    Exercises

    Day 6 CTF Challenge

Prerequisites

FOR608 is an advanced level course that skips over introductory material of Windows host- and network-based forensics and incident response. This class is not necessarily more technical than our 500-level classes, but it does assume that knowledge so that topics and concepts are not repeated.

Students must have multiple years of DFIR experience and/or have taken classes such as:

  • FOR500 (Windows Forensics Analysis), and/or
  • FOR508 (Advanced Digital Forensics, Incident Response, and Threat Hunting)

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.

MANDATORY FOR608 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel i5/i7 (4th generation or newer) x64 processor at 2.0+ GHz is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit Intel-based guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit Intel-based capability for your particular model.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT"
  • Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 32 GB of RAM is highly recommended. 16 GB (Gigabytes) of RAM is minimum.
  • 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive.
  • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 Capability

MANDATORY FOR608 HOST OPERATING SYSTEM REQUIREMENTS:

  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

  • Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  • Download and install 7Zip (for Windows Hosts) or Keka (macOS)

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"Incident Response in large environments requires successful Incident Responders to master a multitude of different disciplines. Broad forensic knowledge forms the foundation. A good choice of the technical approach allows for scalability. Beyond the pure technical challenge of investigating a network with a six-figure number of machines, there lies the management aspect of things. Successful Incident Response includes all measures to minimize the impact of the breach on the victim as much as possible and make sure that the attacker cannot come back as quickly as before.

Successful Incident Response Leads need to manage their resources and the victim wisely, make sure no information gets lost along the way, provide knowledge for efficient and safe recovery, and support appropriate internal and external communication during the breach. While we apply many well-known forensic and incident response principles and make them scale in FOR608, we will also go a step further and teach you how to run and control large-scale investigations. I believe the best Incident Response is the one that reduces the costs of a breach, including the loss of reputation, as much as possible, while at the same time leaving the victims safer than they were before the breach." - Mathias Fuchs

"FOR608 is designed to pick up where the FOR508 class leaves off. In FOR508, we take a deep look at the techniques attackers commonly use to breach Windows-based networks, and the resulting artifacts that help incident responders follow the trail from initial intrusion to data compromise. A lot is accomplished in the 6 days of training in FOR508, but there is still plenty more ground to cover in FOR608!

We are excited to introduce FOR608 to continue the investigative journey. FOR608 covers important aspects of incident response in the enterprise, such as active defense and detection, case and team management, large-scale data analysis, and investigating attacks against Linux, Mac, and cloud environments. These are just some of the important subjects we believe are critical for effective response in the enterprise. Mastering these next-level techniques and supporting tools will provide students with the capabilities necessary to handle the scale and variety of threats facing most organizations today." - Mike Pilkington

"Many years ago, Incident Response was very much focused on a single responder dealing with a single system. Times have changed dramatically, and we face advanced adversaries who spread across entire enterprises aggressively and effectively. Often by the time an attack is detected you might find hundreds of systems compromised. It is important that we responders scale up our processes, using the tools and techniques available, to meet this threat. This is what FOR608 will help you achieve.

The course is built around a realistic scenario, working the students through the phases of IR at scale using tools which help drive a deep understanding. We cover a range of technologies and a lot of data, exactly as you might expect to see in your own enterprise. By learning how to target our response, share CTI and leverage our tools, we truly step up our IR capabilities to meet even the most dedicated adversary. For anyone charged with incident response in an enterprise, this course is for you." - Taz Wake

Reviews

"The elastic work was very impressive. I have been using it for a number of years, but it introduced me to new ways to ingest data that could have saved me a lot of work in the past." - Simon H., CyberCX

"The course content covers a lot of important topics focused on detection and response. I enjoyed the sections on Threat Driven Intelligence and TimeSketch for creating incident timelines." - Reggie M., Amazon

"Good overview of structure, characteristics and challenges of engagements. That's the value for me, putting all the tools and strategies into context." - Oliver S., Hisolutions
