Overview

This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists. Constantly updated, FOR508: Advanced Incident Response and Threat Hunting addresses today's incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

Learning Outcome

You will learn:
  • Advanced use of a wide range of best-of-breed open-source tools and the SIFT Workstation to perform incident response and digital forensics
  • Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and hacktivists
  • Threat hunting techniques that will aid in quicker identification of breaches
  • Rapid incident response analysis and breach assessment
  • Incident response and intrusion forensics methodology
  • Remote and enterprise incident response system analysis
  • Windows live incident response and scaling collection of triage data
  • Investigating and countering living off the land attacks, including PowerShell and WMI
  • Memory analysis during incident response and threat hunting
  • Transitioning memory analysis skills to endpoint detection and response (EDR) platforms
  • Detailed instruction on compromise and protection of Windows enterprise credentials
  • Internal lateral movement analysis and detection
  • Rapid and deep-dive timeline creation and analysis
  • Volume shadow copy exploitation for hunting threats and incident response
  • Detection of anti-forensics and adversary hiding techniques
  • Discovery of unknown malware on a system
  • Adversary threat intelligence development, indicators of compromise, and usage
  • Cyber kill chain strategies
  • Step-by-step tactics and procedures to respond to and investigate intrusion cases

Who Should Attend?

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from APT groups/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across endpoints in the enterprise
  • Threat Hunters who are seeking to understand threats more fully and how to learn from them in order to more effectively hunt threats and counter their tradecraft
  • SOC Analysts looking to better understand alerts, build the skills necessary to triage events, and fully leverage advanced endpoint detection and response (EDR) capabilities
  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of memory and timeline forensics, investigation of technically advanced individuals, incident response tactics, and advanced intrusion investigations
  • Information Security Professionals who directly support and aid in responding to data breach incidents and intrusions
  • Federal Agents and Law Enforcement Professionals who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions, how common mistakes can compromise operations on remote systems, and how to avoid those mistakes. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploitation operating procedures and exploit-testing batteries
  • SANS FOR500 and SEC504 Graduates looking to take their skills to the next level

Eligibility Criteria

  • FOR508 is an advanced incident response and threat hunting course that focuses on detecting and responding to advanced persistent threats and organized crime threat groups. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course
  • We recommend that you have a background in FOR500: Windows Forensics before attending this course

This course is endorsed under the Critical Infocomm Technology Resource Programme Plus (CITREP+).
To find out more about CITREP+ funding, please refer to Programme Support on the CITREP+ page.


Information is accurate as of 6 August 2019