This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hactivism, and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics. Don't miss the NEW FOR508!
DAY 0: A 3-letter government agency contacts you to say that critical information was stolen by a targeted attack on your organization. Don't ask how they know, but they tell you that there are several breached systems within your enterprise. You are compromised by an Advanced Persistent Threat, aka an APT - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.
Over 90% of all breach victims learn of a compromise from third party notification, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Gather your team - it's time to go hunting.
FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:
The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain, and remediate sophisticated threats-including APT groups and financial crime syndicates. A hands-on lab-developed from a real-world targeted attack on an enterprise network-leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization the capabilities to manage and counter the attack.
During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.
Course Will Prepare You To:
Mon May 92th, 2014 | 9:00 AM - 5:00 PM
Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. Incident response and forensic analysts responding must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate groups which propagate through thousands of systems. This is simply something that cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will in fact alert the adversary that you are aware and may allow them to quickly exfiltrate sensitive information. In this section, the six-step incident response methodology is examined as it applies to response in an enterprise during a targeted attack. We will show how important development of security intelligence is in affecting the adversaries "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.
CPE/CMU Credits: 6
SIFT Workstation Overview
Incident Response Methodology
Threat and Adversary Intelligence
Intrusion Digital Forensics Methodology
Remote and Enterprise IR System Analysis
Windows Live Incident Response
Tue May 20th, 2014 | 9:00 AM - 5:00 PM
Critical to many IR teams detecting advanced threats in the organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. While traditionally solely the domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics armory.
CPE/CMU Credits: 6
Memory Forensics Analysis Process
Memory Forensics Examinations
Wed May 21th, 2014 | 9:00 AM - 5:00 PM
Timeline Analysis will change the way you approach digital forensics and incident response... forever.
Learn advanced analysis techniques uncovered via timeline analysis directly from the developers that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time based artifacts. Analysis that once took days now takes minutes. This section will step you through the two primary methods of creating and analyzing timelines created during advanced incidents and forensic cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in your cases.
CPE/CMU Credits: 6
Timeline Analysis Overview
Filesystem Timeline Creation and Analysis
Super Timeline Creation and Analysis
Thu May 22th, 2014 | 9:00 AM - 5:00 PM
A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial. You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to still recover key pieces of the data that no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization where an adversary is actively attempting to hide from you.
CPE/CMU Credits: 6
Windows XP Restore Point Analysis
VISTA , Windows 7, Server 2008 Shadow Volume Copy Analysis
Deep Dive Forensics Analysis
Fri May 23th, 2014 | 9:00 AM - 5:00 PM
The adversaries are good, we must be better.
Over the years, we have observed that many incident responders have a challenging time finding malware without effective indicators of compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions.
This advanced session will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.
The section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.
CPE/CMU Credits: 6
INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE
Step-by-Step Finding Unknown Malware On A System
Anti-Forensics Detection Methodologies
Methodology to Analyze and Solve Challenging Cases
Sat May 24th, 2014 | 9:00 AM - 5:00 PM
This brand new exercise created in 2012 brings together some of the most exciting techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary such as an APT. This challenge brings it all together using a simulated intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios, which were put together by a cadre of individuals with many years of experience fighting advanced threats such as an APT group.
CPE/CMU Credits: 6
The Intrusion Forensic Challenge will have each Incident Response team analyzing multiple systems in the Enterprise network.
Each Incident Response team will be asked to answer the following key questions during the challenge just like they would during a real-breach in their organizations:
IDENTIFICATION AND SCOPING:
CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:
REMEDIATION AND RECOVERY
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
Download the latest version of the SIFT Workstation here: http://computer-forensics.sans.org/community/downloads. You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. For MACs, we recommend setting up Boot Camp and running Windows directly on your MAC. We have had challenges with VMware Fusion products with several exercises in class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this articlealso provides good instructions for Windows users to determine more about the CPU and OS capabilities.
Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:
The student should have the capability to have Local Administrator Access within their host operating system
MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):
OPTIONAL ITEMS TO BRING TO CLASS
If you have additional questions about the laptop specifications, please contact email@example.com.
One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.
Starting a year ago, course authors created a realistic scenario based on experiences surveyed from panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was setup to mimic a standard "protected" enterprise network using standard compliance checklists.
Enterprise A/V and On-Scan capability based on DoD's Host Based Security System - HBSS
This exercise and challenge will be used to show real adversary traces across host systems, system memory, hibernation/pagefiles and more.
In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images w/Restore Points (XP) and VSS for (Win7 and Win2008) systems
SIFT Workstation Virtual Machine used with many of the class hands-on exercise
"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE
"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.
"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple
"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name
"I'VE TAKEN OTHER NETWORK INTRUSION CLASSES BUT NOTHING THIS IN-DEPTH. THE CLASS IS OUTSTANDING!" -- Craig Goldsmith, FBI
"CUTTING EDGE EXPERTISE TAUGHT BY WORLD CLASS EXPERTS." -Joseph Murray, Deloitte
"IM A DIFFERENT MAN AS A RESULT OF THIS COURSE." - Travis Farral, XTO Energy
"ABSOLUTELY ESSENTIAL KNOWLEDGE. TRADITIONAL KNOWLEDGE IS USEFUL, BUT THIS COURSE PROVIDES THE PRACTICAL SIDE OF A GROWING TREND." -Erik Musick, Arkansas State Police
"THIS IS A GREAT CLASS AND SHOULD BE MANDATORY FOR ANYONE IN THE FORENSIC FIELD. GREAT JOB, ROB!" -Mark Merchant, State of Alaska/State Security Office
"COME PREPARED TO LEARN A LOT." -Todd Black Lee, The Golden 1 Credit Union
"YOU CAN DELETE IT, HIDE IT, RENAME IT, BUT WE WILL FIND IT." -Edward Fuller, Department of Defense
"GREAT COURSE! THIS NOT ONLY HELPS ME IN FORENSICS BUT ALSO IN CREATING USE-CASES FOR OUR OTHER INTRUSION ANALYSIS TOOLS." -Joseph Murray, Deloitte
"ITS HARD TO REALLY SAY SOMETHING THAT WILL PROPERLY CONVEY THE AMOUNT OF MENTAL GROWTH IVE EXPERIENCED THIS WEEK." -Travis Farral, XTI Energy
"EXCELLENT COURSE, INVALUABLE HANDS-ON EXPERIENCE TAUGHT BY PEOPLE WHO NOT ONLY KNOW THE TOOLS AND TECHNIQUES, BUT KNOW THEIR QUIRKINESS THROUGH PRACTICAL, REAL-WORLD EXPERIENCE." -John Alexander, US Army
"THIS COURSE (FOR508) REALLY TAKES YOU FROM 0-60 IN UNDERSTANDING THE CORE CONCEPTS OF FORENSICS, ESPECIALLY THE FILE SYSTEM." -Matthew Harvey, U.S. Department of Justice
"IF YOU NEED TO TRACK DOWN WHAT HAPPENED IN YOUR ENVIRONMENTS, THIS IS A MUST HAVE COURSE!" -Fran Moniz, American National Insurance
"THE CAPSTONE EXERCISE IS AWESOME, PUTS TRACKING THE APT INTO PRACTICE." -Gavin Worden, SD-LECC
"BEST FORENSICS TRAINING I'VE HAD SO FAR. I THOUGHT THE SOME OTHERS COURSES WERE GREAT BUT 508 IS A LOT MORE CURRENT AND APPLICABLE TO THE REAL WORLD! EXCELLENT COURSE AND INSTRUCTOR OVERALL!" -Marc Bleicher, Bit9
FULL REVIEW AND WRITE UP OF FOR508 BY DAVID NIDES, KPMG-
PRESS ARTICLES ABOUT THE NEW FOR508 COURSE:
Should I take SANS 408 or 508? (part 1) - http://digitalforensicstips.com/category/training_reviews/
SANS 508 Compared to 408 Part Two (part 2) - http://digitalforensicstips.com/2013/04/sans-508-compared-to-408-part-two-plus-a-side-of-610/
"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime organizations, utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.
The enemy is getting better, bolder, and their success rate is impressive.
We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: ADVANCED COMPUTER FORENSIC ANALYSIS AND INCIDENT RESPONSE is crucial training for you to become a lethal forensicator so that you can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best. - Rob Lee
INQUIRIES ON SANS TRAINING: training(at)accrete(dot)com(dot)my
No 95-2 Jalan Nautika B U20/B,
TSB Commercial Center,
40160 Sungai Buloh,
Phone: +603 6143 4526
Fax: +603 2178 4884
Information Security and Digital Forensics department in Accrete Technologies Sdn. Bhd. (Accrete) offers three pillar of services that is training, consulting services and solutions. SANS Institute (USA) in-Depth Security Training is offered by Accrete which is also HRDF Claimable for the first time. Accrete’s security solutions line up include ICS SCADA Security, Web Online Financial Transaction and eCommerce security, Retail Intelligence analysis, Comprehensive Vulnerabilities Intelligence and Patch Management, Data Leak Prevention solution and few others. (more....)