Koulutus: SANS FOR508

SANS FOR508 opettaa edistyneitä taitoja ja keinoja havaita, tunnistaa ja torjua erilaisia järjestäytyneen rikollisuuden, valtiollisten toimijoiden tai hakkereiden aiheuttamia uhkia yritysverkoissa ja keinoja toipua niistä.

Kurssin jälkeen osallistujilla on mahdollisuus suorittaa GIAC Certified Forensic Analyst (GCFA) -sertifikaatti.

Kurssikielenä on englanti.

Kesto: 6 päivää

Ajankohta: Toivo ajankohtaa

Hinta: 7995 €, sertifikaattivoucher 865 €

Peruutusehto: 45 päivää

Viimeinen ilmoittautumispäivä: 28.10.2024

Lisätietoja: smnfi.training@elisa.fi

Ilmoittaudu sähköpostilla

 Advanced Incident Response, Threat Hunting and Digital Forensics

Threat hunting and Incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. 

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as " threat hunting ". 

FOR508 teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hactivists. 

This course prepares students for the GIAC Certified Forensic Analyst (GCFA) certification attempt. Prerequisites FOR508 is an advanced incident response and threat hunting course that focuses on detecting and responding to advanced persistent threats and organized crime threat groups. The course does not cover the basics of incident response policies or digital forensics.

For more information: 

SANS Institute

FOR508: Advanced Incident Response and Threat Hunting Course will help you to:

FOR508: Advanced Incident Response and Threat Hunting Course will help you to:

  • Understand attacker tradecraft to perform compromise assessments
  • Detect how and when a breach occurred
  • Quickly identify compromised and infected systems
  • Perform damage assessments and determine what was read, stolen, or changed
  • Contain and remediate incidents of all types
  • Track adversaries and develop threat intelligence to scope a network
  • Hunt down additional breaches using knowledge of adversary techniques
  • Build advanced forensics skills to counter anti-forensics and data hiding from technical subjects

The course exercises and final challenges illustrate real attacker traces found via end point artifacts, event logs, system memory, and more:

  • Phase 1 - Patient zero compromise and malware C2 beacon installation
  • Phase 2 - Privilege escalation, lateral movement to other systems, malware utilities download, installation of additional beacons, and obtaining domain admin credentials
  • Phase 3 - Searching for intellectual property, network profiling, business email compromise, dumping enterprise hashes
  • Phase 4 - Find exfiltration point, collect and stage data for theft
  • Phase 5 - Exfiltrate files from staging server, perform cleanup and set long-term persistence mechanisms (alternatively this phase would be used to deploy ransomware)

Benefits to the Organization:

  • Understand attacker tradecraft to perform proactive compromise assessments
  • Upgrade detection capabilities via better understanding of novel attack techniques, focus on critical attack paths, and knowledge of available forensic artifacts
  • Develop threat intelligence to track targeted adversaries and prepare for future intrusion events
  • Build advanced forensics skills to counter anti-forensics and data hiding from technical subjects for use in both internal and external investigations

Should a breach occur, FOR508 graduates will have the skills to:

  • Detect how and when attack happened
  • Quickly identify compromised and infected systems
  • Perform damage assessments and determine what was read, stolen, or changed
  • Contain and remediate incidents
  • You Will Be Able To:

    • Learn and master the tools, techniques, and procedures necessary to effectively hunt, detect, and contain a variety of adversaries and to remediate incidents.
    • Detect and hunt unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment
    • Hunt through and perform incident response across hundreds of unique systems simultaneously using PowerShell, Velociraptor, and the SIFT Workstation
    • Identify and track malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue.
    • Determine how the breach occurred by identifying the root cause, the beachhead systems and initial attack mechanisms.
    • Identify living off the land techniques, including malicious use of PowerShell and WMI.
    • Target advanced adversary anti-forensics techniques like hidden and time-stomped malware, along with living off the land techniques used to move in the network and maintain an attacker's presence.
    • Use memory analysis, incident response, and threat hunting tools in the SIFT Workstation to detect hidden processes, malware, attacker command lines, rootkits, network connections, and more.
    • Track user and attacker activity second-by-second on the system you are analyzing through in-depth timeline and super-timeline analysis.
    • Recover data cleared using anti-forensics techniques via Volume Shadow Copy/Restore Point analysis.
    • Identify lateral movement and pivots within your enterprise across your endpoints, showing how attackers transition from system to system without detection.
    • Understand how the attacker can acquire legitimate credentials - including domain administrator rights - even in a locked-down environment.
    • Track data movement as attackers collect critical data and shift it to exfiltration collection points.
    • Recover data cleared using anti-forensics techniques via Volume Shadow Copy and Restore Point analysis and artifact carving.
    • Use collected data to perform effective remediation across the entire enterprise.

    Varaa paikkasi koulutukseen

    Koulutus järjestetään 11.-16.11.2024 ja paikkoja on vain rajattu määrä!

    Ilmoittaudu sähköpostilla


    • CISSP -tutkintoon tähtäävä valmennus

      Valmennus kattaa laajan kirjon kyberturvallisuuden osa-alueita varmistaen monipuolisen asiantuntemuksen. CISSP (Certified Information System Security Professionals) on kansainvälinen ja hyvin tunnettu tietoturvan ammattilaisen sertifikaatti myöntäjänä (ISC)2.

    • Johdanto kyberuhkien torjuntaan

      Kurssilla keskitytään IT-järjestelmien kyber- ja tietoturvauhkiin käytännönläheisesti. Kurssin tarkoituksena on antaa opiskelijalle hyvät tiedot nykyaikaisen kybertietoturvan perusteista.

    • Pilvipalveluiden perusteet

      Kurssin tavoitteena on tutustuttaa osallistuja erilaisiin pilvipalveluihin esim. Amazon AWS ja Microsoft Azure, sekä antaa ymmärrystä pilvipalveluiden arkkitehtuuriin, termistöön ja käyttöönotossa huomioitaviin asioihin.