FOR572: Advanced Network Forensics: Threat Hunting, Analysis and Incident Response
The course teaches the key advanced skills and knowledge needed for the forensic analysis of network communications and network artefacts. Learning takes place through numerous hands-on examples.
The course focuses on the knowledge needed to examine and characterize communications that have occurred in the past or are still ongoing. At the same time, participants learn the investigative tools, techniques and procedures required to analyze network events.
After the course, participants have the opportunity to take the GIAC Network Forensic Analyst (GNFA) certification exam.
The course language is English.
Duration: 6 days
Dates: 19-24 May 2025
Price: 7995 €; certification voucher 865 €. Prices are subject to change.
Cancellation policy: 45 days
More information: smnfi.training@elisa.fi
Advanced Network Forensics: Threat Hunting, Analysis and Incident Response
In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker has compromised a system with an undetectable exploit, the system must still communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: bad actors are talking - we'll teach you to listen.
This course covers the investigative tools, techniques, and procedures required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may already hold months or years of valuable evidence, as well as how to place new collection platforms while an incident is underway.
The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK® platform - a VMware appliance pre-configured with the Elastic stack and tailored to DFIR and security operations workflows. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK® configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Arkime platform is also covered and used in a hands-on lab. Through all the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands or even millions of data records.
After this course participants can enhance their expertise by taking the GIAC Network Forensic Analyst (GNFA) certification exam.
More information: SANS Institute.
FOR572: Advanced Network Forensics: Threat Hunting, Analysis and Incident Response - detailed course introduction
The course will help you learn how to:
- Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
- Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
- Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
- Decrypt captured SSL/TLS traffic, where the necessary key material is available, to identify attackers' actions and what data they extracted from the victim
- Use data from typical network protocols to increase the fidelity of the investigation's findings
- Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
- Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
- Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
- Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
- Examine proprietary network protocols to determine what actions occurred on the endpoint systems
- Analyze wireless network traffic to find evidence of malicious activity
- Use scripting techniques to scale analysis to an arbitrarily large collection of evidence
- Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors
Agenda:
- Off the Disk and Onto the Wire
- Core Protocols & Log Aggregation/Analysis
- NetFlow and File Access Protocols
- Commercial Tools, Wireless, and Full-Packet Hunting
- Encryption, Protocol Reversing, OPSEC, and Intel
- Network Forensics Capstone Challenge