SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR577: LINUX Incident Response and Threat Hunting
FOR577Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Tarot (Taz) Wake
Course created by:Tarot (Taz) Wake
- GIAC Linux Incident Responder (GLIR)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 23 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn the skills you need to identify, analyze, and respond to attacks on Linux platforms and how to use threat hunting techniques to find stealthy attackers who can bypass existing controls.
Featured Quote
I would recommend this course to anyone who is planning to respond to any linux based systems. It greatly increased my knowledge and confidence in the area.
Course Overview
This Linux Threat Hunting & Incident Response course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including advanced persistent threat (APT) nation-state adversaries, organized crime syndicates, and hacktivism. Constantly updated, the course addresses today's incidents by teaching hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to combat real-world breach cases. The course also supports preparation for the GLIR certification (GIAC Linux Incident Response), a credential that validates your expertise in Linux threat hunting and Linux incident response within enterprise environments.
What You’ll Learn
- Detect and contain various adversaries, performing incident response on Linux systems with the SIFT Workstation
- Identify and track malware beaconing to command and control (C2) channels
- Investigate breach origins, focusing on beachhead identification and spear phishing
- Perform in-depth timeline and super-timeline analysis to track user and attacker activity
- Detect lateral movement and pivots within the enterprise
- Monitor and trace data movement as attackers exfiltrate critical data
- Recover and analyze archives (.rar, .tar, etc.) used by APT-like attackers
Business Takeaways
- Learn to perform proactive compromise assessments
- Upgrade detection capabilities
- Develop threat intelligence to track targeted adversaries
- Build advanced forensics skills to counter anti-forensics
Meet Your Author
Tarot (Taz) Wake
Certified InstructorWith FOR577, Taz has authored the first course to systematize threat hunting on Linux systems. His operational leadership—from military intelligence to heading a FTSE100 CSIRT—has fortified global cyber defense capabilities across sectors.
Read more about Tarot (Taz) WakeCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR577: LINUX Incident Response and Threat Hunting.
Section 1LINUX Incident Response And Analysis
Section one introduces the fundamentals of incident response, with a focus on threats in Linux environments. It covers the SANS six-step methodology, introduces a hands-on intrusion scenario for practical learning, and emphasizes the use of Linux tools for forensic analysis, threat hunting, and the development of actionable cyber threat intelligence.
Topics covered
- Incident Response
- Introduction to Linux
- Cyber Attacks and Linux Command Line Basics
- Package Management and Investigations
- Endpoint Threat Hunting
Labs
- SIFT Workstation orientation
- Understanding Stark Skunkworks
- Introduction to Linux commands in DFIR
- Reviewing package management evidence
- Threat intelligence and threat hunting
Section 2Disk Analysis and Evidence Collection
This section focuses on the essential skills and tools needed for collecting and analyzing disk evidence. It teaches how to acquire and examine data from storage devices to uncover attack details, understand adversary behavior, and extract forensic artifacts using tools like The Sleuth Kit and disk imaging techniques across various Linux file systems.
Topics covered
- The Sleuth Kit
- Linux File Systems
- Disk Evidence Collection
- Image Mounting
- File Structures and System Artifacts
Labs
- Introduction to the Sleuth Kit
- Reviewing filesystem data
- Disk evidence collection
- Reviewing operating system filesystems
Section 3LINUX Logging and Log Analysis
This section looks at how to use the data logged by the operating system to profile the device and analyze boot sequences, kernel activity, logins and user events. We’ll also cover default log data, Auditd, and the Operating System Journal.
Topics covered
- Device Profiling
- Linux Logs
- AuditD
- The Operating System Journal
Labs
- System and Log Profiling
- Reviewing System Logs
- Analyzing Authentication Logs
- Reviewing Webserver Logs
Section 4Live Response and Volatile Data
This section focuses on scaling incident response for enterprise environments, introducing practical tools like OSSEC and Velociraptor as cost-effective Linux EDR solutions. It also explores Linux memory analysis, emphasizing volatile data collection and live response techniques to efficiently investigate intrusions without full memory dumps.
Topics covered
- Enterprise Response
- Endpoint Detection and Response (EDR)
- Linux Memory and DFIR
- Live Memory Analysis
Labs
- EDR Tools
- Capturing RAM
- Live memory analysis
Section 5Advanced Incident Response Techniques
This section emphasizes rapid triage techniques and timeline analysis to enhance large-scale incident response. It introduces tools for quickly assessing systems, teaches methods for building and analyzing timelines, explores common anti-forensic tactics used by attackers, and concludes with strategies for improving Linux-based IR workflows.
Topics covered
- Triage and DFIR Tools
- Timelines
- Anti-Forensics
- Improving Incident Response
Labs
- Running Triage Tools
- Triage Assessment
- Filesystem Timelines
- Super Timeline Creation
- Super Timeline Analysis
Section 6The APT Incident Response Challenge
This capstone exercise will enable you to leave the course with hands-on experience investigating realistic attacks, curated by a cadre of instructors with decades of experience fighting advanced threats from attackers ranging from nation-states to financial crime syndicates and hacktivist groups.
Topics covered
- Hands-On Incident Response Experience
- Identify and Track Attacker Actions
- Gather Threat Intelligence
- Walk Through Remediation and Recovery
Things You Need To Know
Course Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Tarot WakeDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
London, GB & Virtual (live)
Instructed by Jim ClausingDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Tarot WakeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Tarot WakeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Tarot WakeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
London, GB & Virtual (live)
Instructed by Tarot WakeDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Singapore, SG & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Paris, FR
Instructed by Tarot WakeDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options
Showing 8 of 12
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4A lot of new knowledge and some refresh of forgotten skills.
- Slide 2 of 4I would recommend this course to both newbies and seasoned Linux forensicates as there are a number of key inputs that really help provide some of the fundamentals.
- Slide 3 of 4I would recommend this for those in hunt or forensics teams or anyone who is working primarily with Linux and interested in focusing more heavily on the cybersecurity aspects of their work.
- Slide 4 of 410/10, can't wait to practice what I learned in a real incident.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources