Overview

FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. To put it another way: Bad guys are talking - we'll teach you to listen.

Learning Outcomes

You will learn how to:
  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
  • Decrypt captured SSL/TLS traffic, given the necessary key material (for example the server's private key with RSA key exchange, or logged session keys), to identify attackers' actions and what data they extracted from the victim
  • Use data from typical network protocols to increase the fidelity of the investigation's findings
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Understand how attackers leverage man-in-the-middle tools to intercept seemingly secure communications
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems
  • Analyze wireless network traffic to find evidence of malicious activity
  • Modify the configuration of typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
  • Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions
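The NetFlow scoping outcome above, worked through as an added example that is not part of the course material: given historical flow records and a single indicator (an IP address from threat intelligence), find every internal host that talked to it, when it first and last did so, what it then touched internally, and whether any outbound flow is large enough to suggest exfiltration. The flow records, the 10.0.0.0/8 internal range, the indicator address 203.0.113.7 and the 50 MiB threshold are all constructed assumptions; real data would come from nfdump, SiLK or a similar collector.

```python
"""Scope an incident from historical flow records.

Added example, not SANS course material. Flow records are constructed below in
a simplified nfdump-like CSV layout; the internal range, indicator address and
exfiltration threshold are assumptions for illustration.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of unidirectional flow records, one line per flow.
# Columns: start time, src IP, dst IP, src port, dst port, IP protocol, bytes, packets
SAMPLE_FLOWS = """\
ts,src,dst,sport,dport,proto,bytes,pkts
2018-06-01T08:02:11,10.1.1.20,203.0.113.7,51022,443,6,1480,12
2018-06-01T08:02:11,203.0.113.7,10.1.1.20,443,51022,6,5260,10
2018-06-01T08:15:40,10.1.1.20,10.1.1.5,51107,445,6,8800,40
2018-06-03T22:41:05,10.1.1.5,203.0.113.7,49877,443,6,91000000,66000
2018-06-03T22:41:05,203.0.113.7,10.1.1.5,443,49877,6,2200,30
2018-06-04T09:00:00,10.1.1.31,198.51.100.9,50200,443,6,12000,60
2018-06-04T09:00:00,198.51.100.9,10.1.1.31,443,50200,6,450000,320
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
INDICATOR = ipaddress.ip_address("203.0.113.7")         # assumed C2 address from intel
EXFIL_THRESHOLD = 50 * 1024 * 1024                      # assumed: 50 MiB in one outbound flow


def parse_flows(text):
    """Parse the CSV layout above into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
            "pkts": int(row["pkts"]),
        })
    return rows


def hosts_contacting(flows, indicator):
    """Return {internal_host: (first_seen, last_seen, bytes_sent)} for internal
    hosts that sent traffic to the indicator. Records are unidirectional, so
    only src -> indicator flows count towards bytes_sent."""
    seen = {}
    for f in flows:
        if f["dst"] == indicator and f["src"] in INTERNAL:
            host = str(f["src"])
            first, last, total = seen.get(host, (f["ts"], f["ts"], 0))
            seen[host] = (min(first, f["ts"]), max(last, f["ts"]), total + f["bytes"])
    return seen


def lateral_from(flows, host, after):
    """Internal-to-internal flows initiated by `host` at or after `after`,
    i.e. candidates for lateral movement once the host was in contact with C2."""
    return [(f["ts"].isoformat(), str(f["dst"]), f["dport"]) for f in flows
            if str(f["src"]) == host and f["dst"] in INTERNAL and f["ts"] >= after]


def large_outbound(flows, threshold=EXFIL_THRESHOLD):
    """Flows from an internal host to an external one carrying at least
    `threshold` bytes; a simple exfiltration candidate list."""
    return [(str(f["src"]), str(f["dst"]), f["bytes"]) for f in flows
            if f["src"] in INTERNAL and f["dst"] not in INTERNAL and f["bytes"] >= threshold]


def scope_incident(text, indicator=INDICATOR):
    """Build a per-host scoping report plus a list of large outbound flows."""
    flows = parse_flows(text)
    report = {}
    for host, (first, last, sent) in hosts_contacting(flows, indicator).items():
        report[host] = {
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            "bytes_to_indicator": sent,
            "lateral": lateral_from(flows, host, first),
        }
    return report, large_outbound(flows)


if __name__ == "__main__":
    report, exfil = scope_incident(SAMPLE_FLOWS)
    for host, info in sorted(report.items()):
        print(host, info)
    print("large outbound flows:", exfil)
```

Two points worth keeping in mind when applying this to real collectors: flow records are usually unidirectional and may be split across multiple export intervals, so byte totals must be summed per host rather than read from a single record, and the "first seen" time is only as good as the retention window of the collector, which is exactly why the course treats historical NetFlow as an evidence source to be planned for rather than assumed.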

Who Should Attend?

  • Incident response team members and forensicators
    who are expanding their investigative scope from endpoint systems to the network
  • Hunt team members
    who proactively seek adversaries already present in their network environments by applying new intelligence to previously collected evidence
  • Security Operations Center (SOC) personnel and information security practitioners
    who support hunt operations, seeking to identify attackers in their network environments
  • Network defenders
    who are taking on added investigative and/or incident response workloads
  • Law enforcement officers, federal agents, and detectives
    who want to become network forensic subject matter experts
  • Information security managers
    who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
  • Network engineers
    who are proactively orienting their networks to best meet investigative requirements
  • Information technology professionals
    who want to learn how network investigations take place
  • Anyone interested in computer network intrusions and investigations
    who has a solid background in computer forensics, information systems, and information security

This course is endorsed under the Critical Infocomm Technology Resource Programme Plus (CITREP+) Programme.
To find out more about CITREP+ funding, please refer to Programme Support on the CITREP+ page.


Information is accurate as of 28 June 2018