Overview

FOR572: Advanced Network Forensics: Threat Hunting, Analysis and Incident Response was designed to cover the most critical skills needed for the increased focus on network communications and artefacts in today's investigative work, including numerous use cases. The course will focus on the knowledge necessary to examine and characterise communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.

Learning Outcome

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. This course will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. This course will also cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Who Should Attend?

  • Incident response team members and forensicators who are expanding their investigative scope from endpoint systems to the network
  • Hunt team members who proactively seek adversaries already in their network environments by leveraging new intelligence against previously collected evidence
  • Law enforcement officers, federal agents, and detectives who want to become network forensic subject matter experts
  • Security Operations Center (SOC) personnel and information security practitioners who support hunt operations, seeking to identify attackers in their network environments
  • Network defenders who are taking on added investigative and/or incident response workloads
  • Information security managers who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
  • Network engineers who are proactively orienting their networks to best meet investigative requirements
  • Information technology professionals who want to learn how network investigations take place
  • Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security

Eligibility Criteria

In FOR572, we solve the same caliber of real-world problems without any convenient hard drive or memory images.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, or an on-staff forensic practitioner, this course offers hands-on experience with real-world scenarios that will help take your work to the next level.

  • Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities.
  • SANS Forensic alumni from 408 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily.

This course is endorsed under the Critical Infocomm Technology Resource Programme Plus (CITREP+) Programme.
To find out more about CITREP+ funding, please refer to Programme Support under the CITREP+ page.


Information is accurate as of 13 June 2020