SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
FOR508Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Steve Anson & Mike Pilkington
Course created by:Steve Anson & Mike Pilkington
- GIAC Certified Forensic Analyst (GCFA)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 35 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn the advanced incident response and threat hunting skills you need to identify, counter, and recover from a wide range of threats within enterprise networks.
Featured Quote
So much content! I am finally able to get into the weeds and learn about things that have been a mystery for so long! FOR508 training really breaks down the complicated in a way that is easy to understand while still leaving so much more to be done. I love this class.
Course Overview
Threat hunting, incident response, and digital forensics tactics and procedures continue to evolve rapidly. Your team cannot afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as " threat hunting ". This threat hunting training course teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT state-sponsored adversaries, organized crime syndicates, ransomware operators, and hacktivists.
What You’ll Learn
- Master tools and techniques to detect, contain, and remediate adversaries
- Detect live, dormant, and custom malware across enterprise
- Windows systems
- Hunt threats and perform incident response at scale
- Identify malware beaconing, lateral movement, and C2 activity via memory analysis and Windows host forensics
- Analyze breaches to determine root cause, attack vectors, and persistence mechanisms
- Counter anti-forensics techniques, recover cleared data, and track attacker activity
- Use forensic tools to remediate threats and secure the enterprise
Business Takeaways
- Understand attacker tradecraft to perform proactive compromise assessments
- Upgrade detection capabilities
- Develop threat intelligence to track targeted adversaries and prepare for future intrusion events
- Build advanced forensics skills to counter anti-forensics
Meet Your Authors
- Slide 1 of 2
Steve Anson
Principal InstructorSteve has transformed global cybersecurity by leading complex digital crime investigations for the FBI and DoD, and by training national cyber units in over 60 countries. His work has set the global standard for incident response and threat hunting.
Read more about Steve Anson - Slide 2 of 2
Mike Pilkington
Senior InstructorAs a senior researcher at the SANS Research Operations Center and former incident response lead at Shell, Mike’s work has redefined enterprise-scale incident response and directly advanced the global community’s ability to combat cyber adversaries.
Read more about Mike Pilkington
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.
Section 1Advanced Incident Response & Threat Hunting
We start by examining the six-step incident response methodology as it applies to incident response for advanced threat groups. We discuss the importance of developing cyber threat intelligence to impact the adversaries' objectives and demonstrate forensic live response techniques that can be applied both to single systems and across the entire enterprise.
Topics covered
- Real Incident Response Tactics
- Threat Hunting in the Enterprise
- Incident Response and Hunting Across the Enterprise
- Malware Defense Evasion and Persistence Identification
- Prevention and Mitigation of Credential Theft
Labs
- APT Incident Response Scenario Introduction
- Malware Persistence Detection and Analysis
- Creating Local and Remote Triage Evidentiary Images
- Scaling Remote Endpoint Incident Response
Section 2Intrusion Analysis
In Section two, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise. Get ready to hunt!
Topics covered
- Advanced Evidence of Execution Detection
- Lateral Movement Adversary Tactics and Techniques
- Log Analysis for Incident Responders and Hunters
- Investigating WMI and PowerShell-Based Attacks
Labs
- Hunting and Detecting Evidence of Execution at Scale
- Discovering Credential Abuse
- Tracking Lateral Movement
- Hunting Malicious use of WMI and PowerShell
- Microsoft Defender Log Analysis
Section 3Memory Forensics in Incident Response & Threat Hunting
Section three will cover many of the most powerful memory analysis capabilities available and give analysts a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.
Topics covered
- Endpoint Detection and Response
- Memory Acquisition and Forensics Analysis
- Memory Forensics Examinations
- Memory Analysis Tools
Labs
- Detect Custom Malware in Memory
- Examine Windows Process Trees
- Locate Advanced "Beacon" Malware
- Identify Advanced Malware Hiding Techniques
- Analyze Memory from Multiple Infected Systems
Section 4Timeline Analysis
This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.
Topics covered
- Malware Detection and Field Triage
- Timeline Analysis Overview
- Filesystem Timeline Creation and Analysis
- Super Timeline Creation and Analysis
Labs
- Malware Discovery
- Tracking Adversary Activity with Super-Timeline Analysis
- Observe Attacker Movements Through Systems
- Identify Intrusion Root Causes
Section 5Incident Response & Hunting Across the Enterprise | Advanced Adversary & Anti-Forensics Detection
In section five, we focus on recovering files, file fragments, and file metadata for the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. While very germane to intrusion cases, these techniques are applicable in nearly every forensic investigation.
Topics covered
- Volume Shadow Copy Analysis
- Advanced NTFS Filesystem Tactics
- Advanced Evidence Recovery
Labs
- Volume Shadow Snapshot Analysis
- Timelines
- Anti-Forensics Analysis using NTFS
- Timestomp Identification
- Advanced Data Recovery
Section 6The APT Threat Group Incident Response Challenge
This incredibly rich and realistic enterprise intrusion exercise brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised initially, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration.
Things You Need To Know
Relevant Job Roles
Threat Hunter
Digital Forensics and Incident ResponseThis expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Explore learning pathAll-Source Collection Manager (DCWF 311)
DoD 8140: Intelligence (Cyberspace)Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
Explore learning pathForensics Analyst (DCWF 211)
DoD 8140: Cyber EnablersInvestigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
Explore learning pathCyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathDigital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigation (OPM 221)
NICE: InvestigationResponsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathIntrusion Detection/SOC Analysts
Digital Forensics and Incident ResponseAnalyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
Explore learning pathIncident Response Team Member
Digital Forensics and Incident ResponseThis dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.
Explore learning pathCyber Defense Incident Responder (DCWF 531)
DoD 8140: CybersecurityResponds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.
Explore learning pathIntrusion Detection / (SOC) Analyst
Cyber DefenseSecurity Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
Explore learning pathCyber Defense Forensics Analyst (DCWF 212)
DoD 8140: CybersecurityAnalyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathDigital Evidence Analysis (OPM 211)
NICE: InvestigationResponsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
Explore learning pathCyber Defense Analyst (DCWF 511)
DoD 8140: CybersecurityMonitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Steve AnsonDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Steve AnsonDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Munich, DE
Instructed by Mathias FuchsDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options - Location & instructor
London, GB & Virtual (live)
Instructed by Adam HarrisonDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Steve AnsonDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Carlos CajigasDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Eric ZimmermanDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
San Antonio, TX, US & Virtual (live)
Instructed by Marcus GuevaraDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 48
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4FOR508 exceeded my expectations in every way. It provided me the skills, knowledge, and tools to effectively respond to and handle APTs and other enterprise-wide threats.
- Slide 2 of 4It's hard to really say something that will properly convey the amount of mental growth I have experienced in this training.
- Slide 3 of 4The content from the first day alone has quite a bit I can take back to work. There’s so much information as far as tools and techniques; if I hadn't taken this course (FOR508), I wouldn't have come across them.
- Slide 4 of 4I have been doing digital forensics for 13+ years. This course has still managed to build on my existing knowledge and made me challenge some pre-conceptions. It has given me tons of ideas to take home and develop to improve our enterprises security posture.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources