• Online, Self-Paced
  • Classroom
Course Description

ADVANCED THREATS ARE IN YOUR NETWORK - IT'S TIME TO GO HUNTING!

The FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting course will help you to:

  • Detect how and when a breach occurred
  • Identify compromised and affected systems
  • Perform damage assessments and determine what was stolen or changed
  • Contain and remediate incidents
  • Develop key sources of threat intelligence
  • Hunt down additional breaches using knowledge of the adversary

DAY 0: A 3-letter government agency contacts you to say an advanced threat group is targeting organizations like yours, and that your organization is likely a target. They won't tell how they know, but they suspect that there are already several breached systems within your enterprise. An advanced persistent threat, aka an APT, is likely involved. This is the most sophisticated threat that you are likely to face in your efforts to defend your systems and data, and these adversaries may have been actively rummaging through your network undetected for months or even years.

This is a hypothetical situation, but the chances are very high that hidden threats already exist inside your organization's networks. Organizations can't afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done significant damage to the organization. For the incident responder, this process is known as "threat hunting." Threat hunting uses known adversary behaviors to proactively examine the network and endpoints in order to identify new data breaches.

Threat hunting and Incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident. Incident response and threat hunting teams are the keys to identifying and observing malware indicators and patterns of activity in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

Learning Objectives

  • Learn and master the tools, techniques, and procedures necessary to effectively hunt, detect, and contain a variety of adversaries and to remediate incidents
  • Detect and hunt unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment
  • Hunt through and perform incident response across hundreds of unique systems simultaneously using PowerShell or F-Response Enterprise and the SIFT Workstation
  • Identify and track malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
  • Determine how the breach occurred by identifying the beachhead and spear phishing attack mechanisms
  • Target advanced adversary anti-forensics techniques like hidden and time-stomped malware, along with utility-ware used to move in the network and maintain attackers presence
  • Use memory analysis, incident response, and threat hunting tools in the SIFT Workstation to detect hidden processes, malware, attacker command lines, rootkits, network connections, and more
  • Track user and attacker activity second-by-second on the system you are analyzing through in-depth timeline and super-timeline analysis
  • Recover data cleared using anti-forensics techniques via Volume Shadow Copy and Restore Point analysis
  • Identify lateral movement and pivots within your enterprise across your endpoints, showing how attackers transition from system to system without detection
  • Understand how the attacker can acquire legitimate credentials-including domain administrator rights-even in a locked-down environment
  • Track data movement as the attackers collect critical data and shift them to exfiltration collection points
  • Recover and analyze archives and .rar files used by APT-like attackers to exfiltrate sensitive data from the enterprise network
  • Use collected data to perform effective remediation across the entire enterprise

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Incident Response
  • Digital Forensics
  • Cyber Investigation

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.