SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response دانلود دوره

SANS FOR572

Whether you are a consultant responding to a client’s site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK(R) platform – a VMware appliance pre-configured with a tailored configuration of the Elastic stack. This “big data” platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Moloch platform is also covered and used in a hands-on lab. Through all of the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands of data records.

FOR572 is truly an advanced course – we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stake networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS…ONE BYTE (OR PACKET) AT A TIME.

Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:

• Foundational network forensics tools: tcpdump and Wireshark refresher
• Packet capture applications and data
• Unique considerations for network-focused forensic processes
  • Network evidence types and sources
  • Network architectural challenges and opportunities for investigators
  • Investigation OPSEC and footprint considerations

• Network protocol analysis
  • Hypertext Transfer Protocol (HTTP)
  • Domain Name Service (DNS)
  • File Transfer Protocol (FTP)
  • Server Message Block (SMB) and related Microsoft protocols
  • Simple Mail Transfer Protocol (SMTP)

• Commercial network forensic tools
• Automated tools and libraries
• NetFlow
  • Introduction
  • Collection approaches
  • Open-source NetFlow tools

• Wireless networking
  • Capturing wireless traffic
  • Useful forensic artifacts from wireless traffic
  • Common attack methods and detection

• Log data to supplement network examinations
  • Syslog
  • Microsoft Windows Event Forwarding
  • HTTP server logs
  • Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
  • Log collection, aggregation, and analysis
  • Web proxy server examination

• Encryption
  • Introduction
  • Meddler-in-the-middle
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

• Deep packet work
  • Network protocol reverse engineering
  • Payload reconstruction