SANS FOR508 GCFA Advanced Incident Response Threat Hunting

Threat hunting and incident response methodologies have evolved rapidly in recent years. It is no longer viable for a team to rely on outdated incident response and threat-hunting techniques that fail to pinpoint compromised systems accurately, contain breaches inadequately, and are too slow to remediate an incident or to stop ransomware from spreading. Incident response and threat-hunting teams are pivotal in identifying and monitoring malware indicators and activity patterns, producing precise threat intelligence that is crucial for detecting current and future intrusions. This comprehensive, advanced incident response and threat-hunting course equips responders and teams with the skills needed to identify, counter, and recover from a range of threats within enterprise networks, including those posed by nation-state APT groups, organized crime, and ransomware operators.

The FOR508: Advanced Incident Response and Threat Hunting course will enable you to:

- Gain insight into attacker tradecraft to conduct compromise assessments
- Detect the timing and method of a breach
- Swiftly identify compromised and infected systems
- Conduct damage assessments to ascertain what data was accessed, stolen, or altered
- Effectively contain and remediate incidents of all types
- Monitor adversaries and generate threat intelligence to scope the intrusion across the network
- Hunt for additional compromises using knowledge of adversary tactics
- Develop advanced forensics skills to counter anti-forensics and data concealment techniques

The course exercises and final challenges are built from real attacker traces recovered from endpoint artifacts, event logs, system memory, and more, following the intrusion through five phases:

- Phase 1: Initial system compromise and malware Command and Control (C2) beacon installation
- Phase 2: Privilege escalation, lateral movement to other systems, additional malware utility download, installation of supplementary beacons, and acquisition of domain admin credentials
- Phase 3: Search for intellectual property, network profiling, business email compromise, and enterprise hash dumping
- Phase 4: Identification of exfiltration points, data collection, and staging for theft
- Phase 5: Extraction of files from the staging server, cleanup operations, and establishment of long-term persistence mechanisms (alternatively, this phase may involve ransomware deployment)

Upon completion, you will be equipped to:

- Master the tools, techniques, and procedures essential for effective threat hunting, detection, and containment across various adversaries and incident scenarios
- Detect and hunt unknown, dormant, and custom malware in memory across multiple Windows systems in an enterprise setting
- Conduct incident response and threat hunting across numerous systems simultaneously using PowerShell, F-Response Enterprise, and the SIFT Workstation
- Identify and trace malware beaconing outbound to its C2 channel via memory forensics, registry analysis, and residual network connections
- Determine breach origins, beachhead systems, and initial attack vectors
- Recognize living-off-the-land techniques, including malicious PowerShell and WMI usage
- Counter advanced adversary anti-forensics techniques and hidden malware
- Utilize memory analysis, incident response, and threat-hunting tools in the SIFT Workstation to detect hidden processes, malware, attacker commands, rootkits, and network connections
- Establish a detailed timeline of user and attacker activity on analyzed systems
- Recover data obscured using anti-forensics methods via Volume Shadow Copy and Restore Point analysis
- Identify lateral movement and pivots within your enterprise across endpoints
- Understand attacker methods for acquiring legitimate credentials, including domain administrator rights
- Track data movement as attackers gather and transfer critical data to exfiltration points
- Utilize collected data for effective enterprise-wide remediation

Course Components:

- FOR508 Instructor-Led Course
- Best Practices In Computer Network Defense
- OS X Incident Response Scripting and Analysis
- Cybersecurity Incident Response How to Contain
- Information Security Handbook
- Digital Forensics and Incident Response
- Hands-On Incident Response And Digital Forensics
- Improving Social Maturity Of Cybersecurity Incident Response Teams
- Incident Response And Computer Forensics
- Incident Response In The Age Of Cloud
- Incident Response Techniques For Ransomware Attacks
- Intelligence-Driven Incident Response
- Oracle Incident Response And Forensics
- Practical Cyber Intelligence
- Principles Of Incident Response And Disaster Recovery
- What To Do When You Get Hacked: A Practitioner's Guide

Price: $1,895.00
  • Any pre-loaded packaged materials or subscription-based products, including device-based training programs, and courses that include a device, may not be refunded. Digital products including DVDs may be returned for replacement if found defective

  • Free shipping on all orders within the US. International shipping is available.
