Two weeks of training and 18 courses available at SANS Virginia Beach - Aug. 19-30. Save $350 thru 6/26.

Sydney 2019

Sydney, Australia | Mon, Nov 4 - Sat, Nov 23, 2019
Event starts in 137 Days
 

This event will feature SANS Community Night presentations or other bonus sessions, free to attend for the local information security community. For a full list of SANS Community Events in Australia, along with details and registration information, please visit www.sans.org/talks.

Please note that courseware for this event (mp3 files, applicable OnDemand bundles and GIAC exams) will be added to student accounts 7-10 days after the conclusion of the event.

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response New

Mon, November 18 - Sat, November 23, 2019

The best part about advanced smartphone forensics is that it provides real-world technologies for forensically investigating devices without the typical point and click approaches.

Brad Warman, PayPal

I’ve always found SANS training to be the best training available, and this one is even more so! The instructor’s teaching methods and the course material are phenomenal. The instructor teaches you the way and how, not just the way to use a too. Really great!

Gary Sanders, LWCC

Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.

FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today's investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting to their skills, in which existing evidence is used with newly-acquired threat intelligence to uncover evidence of previously-unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment. In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.

In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.

More

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

Most of FOR572's hands-on labs have been developed together with the latest version of FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. In these shared scenarios, you'll quickly see a hybrid approach to forensic examination that includes both host and network artifacts is ideal. Although our primary focus is on the network side of that equation, we will point out areas where the host perspective could provide additional context, or where the network perspective gives deeper insight. Both former and future FOR508 students will appreciate the nexus between these extensive evidence sets.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK(R) platform - a VMware appliance pre-configured with a tailored configuration of the Elastic stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Moloch platform is also covered and used in a hands-on lab. Through all of the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands of data records.

FOR572 is truly an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stake networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.

Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:

  • Foundational network forensics tools: tcpdump and Wireshark refresher
  • Packet capture applications and data
  • Unique considerations for network-focused forensic processes
    • Network evidence types and sources
    • Network architectural challenges and opportunities for investigators
    • Investigation OPSEC and footprint considerations

  • Network protocol analysis
    • Hypertext Transfer Protocol (HTTP)
    • Domain Name Service (DNS)
    • File Transfer Protocol (FTP)
    • Server Message Block (SMB) and related Microsoft protocols
    • Simple Mail Transfer Protocol (SMTP)

  • Commercial network forensic tools
  • Automated tools and libraries
  • NetFlow
    • Introduction
    • Collection approaches
    • Open-source NetFlow tools

  • Wireless networking
    • Capturing wireless traffic
    • Useful forensic artifacts from wireless traffic
    • Common attack methods and detection

  • Log data to supplement network examinations
    • Syslog
    • Microsoft Windows Event Forwarding
    • HTTP server logs
    • Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
    • Log collection, aggregation, and analysis
    • Web proxy server examination

  • Encryption
    • Introduction
    • Meddler-in-the-middle
    • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

  • Deep packet work
    • Network protocol reverse engineering
    • Payload reconstruction

Hide

Notice:

For live training events, there will be a set up time from 8:30-9:00am on the first day of class to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.

Course Syllabus


Ryan Johnson
Mon Nov 18th, 2019
9:00 AM - 5:00 PM
Overview

Focus: Although many fundamental network forensic concepts align with those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.

Network data can be preserved, but only if directly captured or documented while in transit. Whether tactical or strategic, packet capture methods are quite straightforward. You will re-acquaint yourself with tcpdump and Wireshark, some of the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then you'll go hands-on to find and extract stolen data from the proxy.

The Linux SIFT Workstation virtual machine, which has been loaded with network forensic tools, will be your primary toolkit for the week.

Exercises
  • Lab Environment Preparation
  • tcpdump and Wireshark Hands-On
  • Carve Exfiltrated Data

CPE/CMU Credits: 6

Topics
  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions - commercial and open source
    • Squid proxy server
    • Configuration
      • Logging
      • Automated analysis
      • Cache extraction

  • Foundational Network Forensics Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
      • Data reduction
    • Useful command-line parameters
      • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis

  • Network Evidence Acquisition
    • Three core types: full-packet capture, Logs, NetFlow
    • Capture devices: switches, taps, Layer 7 sources, NetFlow
    • Planning to capture: strategies; commercial and home-built platforms

  • Network Architectural Challenges and Opportunities
    • Challenges provided by a network environment
    • Future trends that will affect network forensics


Ryan Johnson
Tue Nov 19th, 2019
9:00 AM - 5:00 PM
Overview

FOCUS: There are countless network protocols that may be in use in a production network environment. We will cover those that are most likely to benefit the forensicator in typical casework, as well as several that help demonstrate analysis methods useful when facing new, undocumented, or proprietary protocols. By learning the "typical" behaviors of these protocols, we can more readily identify anomalies that may suggest misuse of the protocol for nefarious purposes. These protocol artifacts and anomalies can be profiled through direct traffic analysis as well as through the log evidence created by systems that have control or visibility of that traffic. While this affords the investigator with vast opportunities to analyze the network traffic, efficient analysis of large quantities of source data generally requires tools and methods designed to scale.

Knowing how protocols appear in their normal use is critical if investigators are to identify anomalous behaviors. By looking at some of the more frequently-used and high-impact network communication protocols, we will specifically focus on the ways in which they can be easily misused by an adversary or a malware author.

While no one course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way. The ability to "learn how to learn" is critical, as new protocols are developed every day. Advanced adversaries also develop their own protocols. As you will see later in this class, successfully understanding and counteracting an adversary's undocumented protocol is a similar process to learning those you will see in this section.

Log data is one of the unsung heroes in the realm of network forensics. While the near-perfect knowledge that comes with full-packet capture seems ideal, it suffers from several shortfalls. It is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. When they are in use, network capture systems quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks. The increasing use of encryption for most network traffic also provides a significant barrier to analysis when using full-packet capture, leaving logs from a terminal point of the communication as the artifact with the most potential impact.

In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. You'll use the SOF-ELK(R) platform for post-incident log aggregation and analysis, bringing quick and decisive insight to a compromise investigation.

Exercises
  • HTTP Profiling
  • Firewall and Zeek NSM Analysis
  • SOF-ELK(R) Log Aggregation and Analysis

CPE/CMU Credits: 6

Topics
  • Hypertext Transfer Protocol (HTTP) Part 1: Protocol
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • HTTP tracking cookies
    • HTTP/2 artifacts
    • Artifact extraction

  • Hypertext Transfer Protocol (HTTP) Part 2: Logs
    • Log formats
    • Expanded mod_forensic logging
    • Analysis methods

  • Domain Name Service (DNS): Protocol and Logs
    • Architecture and core functionality
    • Tunneling
    • Fast flux and domain name generation algorithms (DGAs)
    • Logging methods
    • Amplification attacks

  • Firewall, Intrusion Detection System, and Network Security Monitoring Logs
    • Firewalls
      • Families of firewall solutions
      • Additional features
      • Syntax and log formats
    • Intrusion Detection Systems (IDS) and Network Security Monitoring (NSM) Platforms
      • Rules and signatures
      • Families of IDS and NSM solutions
      • Zeek NSM
      • Basics and use cases
      • Logging
      • Signature engine

  • Logging Protocol and Aggregation
  • Syslog
    • Dual role: server and protocol
    • Source and collection platforms
    • Event dissection
    • rsyslog configuration
  • Microsoft Eventing
    • Deployment model and capabilities
    • Windows Event Forwarding
    • Architecture
    • Analysis mode
  • Log Data Collection, Aggregation, and Analysis
    • Benefits of aggregation: scale, scope, independent validation, efficiency
    • Known weaknesses and mitigations
    • Evaluating a comprehensive log aggregation platform

  • Elastic Stack and the SOF-ELK(R) Platform
    • Basics and pros/cons of the Elastic stack
    • SOF-ELK(R)
      • Inputs
      • Log-centric dashboards
      • Use as a data exploration platform


Ryan Johnson
Wed Nov 20th, 2019
9:00 AM - 5:00 PM
Overview

Focus: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations. Whether for moving within a victim's environment or for data exfiltration, adversaries must move their quarry around through the use of various file access protocols. By knowing some of the more common file access and transfer protocols, a forensicator can quickly identify an attacker's theft actions.

Just as even a fuzzy photo can provide valuable leads in a traditional investigation, NetFlow data can provide a network forensicator with extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed investigative activities.

NetFlow is also an ideal technology to use in baselining typical behavior of an environment, and therefore, deviations from that baseline that may suggest malicious actions. Threat hunting teams can also use NetFlow to identify prior connections consistent with newly-identified suspicious endpoints or traffic patterns.

In this section, you will learn the contents of typical NetFlow protocols, as well as common collection architectures and analysis methods. You'll also learn how to distill full-packet collections to NetFlow records for quick initial analysis before diving into more cumbersome pcap files.

You'll then examine the File Transfer Protocol, including how to reconstruct specific files from an FTP session. While FTP is commonly used for data exfiltration, it is also an opportunity to refine protocol analysis techniques, due to its multiple-stream nature.

Lastly, you'll explore a variety of the network protocols unique to a Microsoft Windows or Windows-compatible environment. Significant time will be spent exploring the SMB protocol, used for file transfers and countless other purposes in a Microsoft Windows domain structure. Attackers frequently use these protocols to "live off the land" within the victim's environment. By using existing and expected protocols, the adversary can hide in plain sight and avoid deploying malware that could tip off the investigators to their presence and actions.

Exercises
  • Visual NetFlow Analysis with SOF-ELK(R)
  • Tracking Lateral Movement with NetFlow
  • SMB Session Analysis and Reconstruction

CPE/CMU Credits: 6

Topics
  • NetFlow Collection and Analysis
    • Origins and evolution
    • NetFlow v5 and v9 protocols
    • Architectural components
    • NetFlow artifacts useful for examining encrypted traffic

  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
      • SiLK
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK: NetFlow ingestion and dashboards

  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today's networks
    • Capture and analysis
    • File extraction

  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v2, and v3

Ryan Johnson
Thu Nov 21st, 2019
9:00 AM - 5:00 PM
Overview

Focus: Commercial tools are a mainstay in the network forensicator's toolkit. We'll explore the various roles that commercial tools generally fill, as well as how they can best be integrated to an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.

Commercial tools hold clear advantages in some situations a forensicator may typically encounter. Most commonly, this centers on scalability. Many open-source tools are designed for tactical or small-scale use. Whether using them for large-scale deployments or for specific niche functionalities, these tools can immediately address many investigative needs. You'll look at the typical areas where commercial tools in the network forensic realm tend to focus and discuss the value each may provide for your organizational requirements or those of your clients.

Additionally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examinations, as well as what interesting artifacts can be recovered from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be covered, including how attackers can leverage those weaknesses during an attack, and how they can be detected.

Finally, we will look at methods that can improve at-scale hunting from full-packet captures, even without commercial tooling. We will look at the open-source Moloch platform and how it can be used in live and forensic workflows. You'll receive a ready-to-use Moloch virtual machine and load source data from an incident we previously investigated, seeking ground truth from the previously-captured full-packet data.

Exercises
  • Commercial Network Forensic Tools
  • Using Command-Line Tools for Analysis
  • Network Forensic Analysis Using Moloch

CPE/CMU Credits: 6

Topics
  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email message
    • Adaptations and extensions

  • Commercial Network Forensic Tools
    • Trade-offs between commercial and open-source solutions
    • Common commercial platforms that you may encounter
    • Using existing platforms and tools in a client environment

  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Capture methodologies: Hardware and Software
    • Useful protocol fields
    • Typical attack methodologies based on protection mechanisms

  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis and repeatable workflows
    • Libraries that can be linked to custom tools and solutions
    • Chaining tools together effectively

  • Full-Packet Hunting with Moloch
    • Moloch basics and architecture
    • Session awareness, filtering, typical forensic use cases


Ryan Johnson
Fri Nov 22nd, 2019
9:00 AM - 5:00 PM
Overview

Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Strong encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses even in the most advanced adversaries' methods. As we learn what the attackers have deliberately hidden from us, we must operate carefully to avoid tipping our hats regarding the investigative progress - or the attacker can quickly pivot, nullifying our progress.

Encryption is frequently cited as the most significant hurdle to effective network forensics - for good reason. When properly implemented, encryption can be a brick wall in between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.

We will also discuss undocumented protocols and the misuse of existing protocols for nefarious purposes. Specifically, we will address how to derive intelligence value with limited or nonexistent knowledge of the carrier protocol.

Finally, we will look at how common missteps can provide the attacker with clear insight to the forensicator's progress. This often leads to the attacker changing their tactics, confounding the investigator and even erasing all the progress made to that point. We'll address best practices on conducting investigations and in a compromised environment and ways to share hard-earned intelligence that mitigate the risks involved.

Exercises
  • SSL/TLS Profiling
  • Undocumented Protocol Features
  • Mini-Comprehensive Investigation

CPE/CMU Credits: 6

Topics
  • Encoding, Encryption, and SSL/TLS
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
    • Profiling SSL/TLS connections with useful negotiation fields
    • Analytic mitigation
    • Perfect forward secrecy

  • Meddler-in-the-Middle (MITM)
    • Malicious uses
    • Benevolent uses
    • Common MITM tools
    • Artifacts of common MITM techniques

  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol

  • Investigation OPSEC and Threat Intel
  • Operational Security
    • Basic analysis can tip off attackers
    • How to mitigate risk without compromising quality
  • Intelligence
    • Plan to share smartly
    • Protect intelligence to mitigate risks


Ryan Johnson
Sat Nov 23rd, 2019
9:00 AM - 5:00 PM
Overview

Focus: This section will combine all of what you have learned prior to and during this week. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available - only the network and its infrastructure.

Students will test their understanding of network evidence and their ability to articulate and support hypotheses through presentations made to the instructor and class. The audience will include senior-level decision makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.

Exercises
  • Capstone Lab

CPE/CMU Credits: 6

Topics
  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker's compromise
      • Identify the attacker's actions while in the victim's environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at the end of the day-long lab
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker's activities

Additional Information

!! IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS !!

  • You can use any 64-bit version of Windows, Apple macOS, or Linux as your core operating system that also can install and run VMware virtualization products.
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines or not.
  • For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.
  • For Apple macOS users, please use this support page from Apple to determine 64-bit capability.
  • Additionally, Windows users must ensure that Credential Guard is disabled per these instructions.
  • Please download and install VMware Workstation 14, VMware Fusion 10, or VMware Player Plus 14 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player Plus is a free download that does not need a commercial license. Please note that other virtualization software is not supported in the lab environment and may not successfully run the supplied virtual machines.

MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - a 64-bit system processor is mandatory! Test your VMware Software before coming to class. Some BIOS configurations may require special settings (such as "VT-x" and/or "no-execute memory protection") to allow virtualization. You must also have administrative access to your BIOS, in case changes are needed when in class.)
  • RAM: 16 GB of RAM is strongly recommended. Laptops with 8 GB of RAM may still permit labs to function but will be significantly slow and severely limited.
  • Host Operating System: Fully patched and updated Windows 10 or Apple macOS 10.14 that can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player. Windows 7 and older versions of macOS may work but are not recommended. Students should always fully update their host operating system prior to the class. Students that use Linux hosts are warned that this configuration is unsupported in the classroom due to the complexity of testing such a wide variety of operation system distributions. Expert students who use Linux hosts must be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules. Again, this is unsupported in the classroom and is not recommended for novice Linux users.
  • Disable Credential Guard if enabled. Credential Guard, which is required for Hyper-V virtualization, conflicts with the VMware products required for the course.
  • Networking: Wireless 802.11 B, G, or N
  • Hardware:
    • USB 3.0 port(s) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
    • 200 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)

MANDATORY FOR572 SYSTEM SOFTWARE REQUIREMENTS (Install the following prior to the beginning of the class):

  • The student should have Local Administrator Access within their host operating system as well as the BIOS for the laptop, if applicable. We have found several cases where the BIOS virtualization settings must be changed from their factory defaults prior to running 64-bit operating systems as VMware guests.
  • Install VMware Workstation 14, VMware Fusion 10, or VMware Player Plus 14 (higher versions are ok).
  • Download and install 7Zip (Windows, macOS, or Linux) or Keka (macOS).

OPTIONAL ITEMS TO BRING TO CLASS

  • Bring/install any other forensic tool you feel could be useful (Maltego, NetWitness, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, etc. you are free to use them.
  • Although SANS is not responsible for the security of your personal effects, you might want to consider bringing a laptop lock.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Incident response team members and forensicators who are expanding their investigative scope from endpoint systems to the network
  • Hunt team members who proactively seek adversaries already in their network environments through leveraging new intelligence against previously-collected evidence
  • Law enforcement officers, federal agents, and detectives who want to become network forensic subject matter experts
  • Security Operations Center (SOC) personnel and information security practitioners who support hunt operations, seeking to identify attackers in their network environments
  • Network defenders who are taking on added investigative and/or incident response workloads
  • Information security managers who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
  • Network engineers who are proactively orienting their networks to best meet investigative requirements
  • Information technology professionals who want to learn how network investigations take place
  • Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security

Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.

  • Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
  • SOF-ELK(R) Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
  • Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
  • Realistic case data to examine during class, from multiple sources including:
    • NetFlow data
    • Web proxy, firewall, and intrusion detection system logs
    • Network captures in pcap format
    • Network service logs
  • SB drive(s) loaded with case examples, tools, and documentation

  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
  • Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
  • Use data from typical network protocols to increase the fidelity of the investigation's findings
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems
  • Analyze wireless network traffic to find evidence of malicious activity
  • Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
  • Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

"Essential to any investigators skill set. This course makes the advanced network forensics techniques easily graspable." - Casey Brooks, Leidos Cyber

"This course is fantastic. It has prepared me with new ideas to take back to work." - Ryan Fletcher, Fulton Financial Corp

"First course I've taken that gives insight into the forensic mindset required for investigating incidents." - Tyler Whittington, PWC

"Single word: Relevancy. Techniques and methodologies taught in his class will immediately improve your IR posture." - Nathan Hwang, Strategic Investment Group

"Useful, real world scenarios make the training relevant. Walkthrough labs are extremely helpful!" - Roisin Cullen, NCA

"All of the material has been very informative and beneficial. One of the best courses I've ever taken." - Chris Pardo, Relia Quest

"The exposure to top-notch instruction, relevant information, & hands-on activities (labs) provides a comprehensive learning experience." - Ryan Paros, NCCI Holdings, Inc.

"Content is excellent and the course is very intense. I've improved my knowledge and tool use skills. I think all IR engineers should take this course." - Yigit Turak, ING Bank

"We had to deal with a DDoS where the only available data was a 600GB PCAP file. We reduced to NetFlow and loaded that to the SOF-ELK VM. It quickly showed the waves of attack and how effective the countermeasures were." -David D.

"FOR572 is the best SANS course I have taken. The labs and course material are outstanding and everything I have learned is usable in real world application." - Lionel B.

"This was the best course I've ever been to. Nothing but the best to say about SANS and this course. SANS stuff is really expensive, but I know why now. It was incredibly helpful to our duties here." - Anonymous

"You won't get exposure to the breadth of info on network forensics in any other course." - Devin J.

"NetFlow is cool. We've been receiving massive NetFlow feeds but were unable to fully utilize them apart from DDoS. With this course, I'm getting so many ideas how to use them in hunting." - Anonymous

"I literally was alerted to a potential incident from work on day 5 and used things I'd learned in class to analyze and help remediate." - Patterson C.

"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results." - Charlie H.

"This is an incredible curriculum. This class NEEDED to happen, and I am glad it did." - Peter S.

"Cutting edge - puts me ahead in the job market." - Anonymous

"Very good real-world material." - Jason L.

"Great resource. Only true network forensics course I know of." - Jeremy R.

"If you are into disk/memory forensics, you will need this, too!" - Wouter J.

"This class is immediately applicable to my work environment." - Thomas H.

"No FLUFF - focused and targeted learning!" - Jackie S.

"Awesome! Best SANS course I have taken!" - Jim H.

"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large-scale APT breach will not have full packet capture available for what could be over a year of attacker activity but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander B.

"Loving the detailed and mutli-layered labs. I have been doing the walkthroughs for time sake but will revisit in depth later." - Anonymous

"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.

"Phil shared an example of extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous

"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.

Course Authors' Statements

When I first became interested in computer and network security in the mid-1990s, the idea of "attacking" another computer network was still science fiction. Today, commercial, governmental, military, and intelligence entities have robust, integrated information security processes. Within the forensic community, we have seen developments that show the agility we must have to remain effective in the face of dynamic adversaries. Endpoint forensic practices will remain the keystone of digital forensics for the foreseeable future - this is where the events ultimately occur, after all.

"We created FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response to address the most transient domain of digital forensics. Many enterprises have grown to the scale that identifying which handful of endpoints to examine among thousands is a significant challenge. Additionally, the network has become its own medium for incident response and investigation. Our ability to use evidence from all kinds of network devices as well as from captured network data itself will be critical to our success in addressing threats today and tomorrow. From low-grade "script kiddie" attacks to long-term, strategic state-sponsored espionage activity, the network is one of the few common elements found throughout the life cycle of an incident. FOR572 will provide you with the tools and methods to conduct network investigations within environments of all sizes, using scenarios developed from real-world cases. You will finish the course with valuable knowledge that you will use the first day back on the job, and with the methodologies that will help address future generations of adversaries' capabilities." - Phil Hagen

"When I first started my career in computer security, the term "advanced persistent threat" was unknown, yet I had personally recovered terabytes of data obtained from both commercial and government networks. The biggest cybersecurity threat in the news was the latest worm that would propagate through unsuspecting systems and cause more of a nuisance than actual destruction. What was known as the Russian Business Network wasn't even around yet. Network security monitoring was still in its infancy, with very little formal documentation or best practices, most of which were geared towards system administrators. While the Internet has continued to expand, we have all become more interconnected and the threat against our networks continues to grow. We wrote FOR572 as the class we wish we had when we were entering the field of network forensics and investigations - a class that not only provides background when needed but is primarily tailored toward finding evil using multiple data sources and performing a full scope investigation. I am confident this course provides the most up-to-date training covering topics both old and new, based on real-life experiences and investigations." - Mat Oldham

Pricing
Paid by Sep 18 Paid by Oct 2 Paid after Oct 2 Options
6,620 USD 6,770 USD 6,970 USD
  • VAT Pricing: 10% of VAT will be added. Tax number ABN 57184 162 842
Event starts in 137 Days
 
Share
Latest Whitepapers

JumpStart Guide for Endpoint Security in AWS
By David Hazar

Analysis of a Multi-Architecture SSH Linux Backdoor
By Angel Alonso-Parrizas

SANS 2019 State of OT/ICS Cybersecurity Survey
By Barbara Filkins

Last 25 Papers »

Latest Tweets @SANSInstitute

Discover new tools, ideas, and the latest solutions at an up [...]
June 20, 2019 - 7:45 PM

Many #SANSTraining events are open for registration, includi [...]
June 20, 2019 - 6:15 PM

Webcast | June 24th at 1 PM ET: https://t.co/asjfew9ObS Add [...]
June 20, 2019 - 5:15 PM

Contact Us

Mon-Fri: 9am-8pm ET (phone/email)
Sat-Sun: 9am-5pm ET (email only)
301-654-SANS(7267)
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health and Security

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"SANS always provides you what you need to become a better security professional at the right price."
- Rasik Vekaria, BP