FOR608: Enterprise-Class Incident Response & Threat Hunting

FOR608: Enterprise-Class Incident Response & Threat Hunting 2025 70GB

FOR608: Enterprise-Class Incident Response & Threat Hunting

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to handle one machine at a time. Using example tools built to operate at enterprise scale, students learn techniques for collecting focused data for incident response and threat hunting, then dig into analysis methodologies, learning multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems.

What You Will Learn

Enterprises today have thousands, maybe even hundreds of thousands, of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers from breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. Our experience has shown that when sizeable organizations suffer a breach, the attackers seldom compromise only one or two systems. Without the proper tools and methodologies, security teams will always find themselves playing catch-up, and the attacker will continue to achieve success.

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. The concepts are similar: gathering, analyzing, and making decisions based on information from hundreds of machines. This requires the ability to automate and the ability to quickly focus on the right information for analysis. By using example tools built to operate at enterprise-class scale, students will learn the techniques to collect focused data for incident response and threat hunting. Students will then dig into analysis methodologies, learning multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using timeline, graphing, structured, and unstructured analysis techniques.

FOR608: Enterprise-Class Incident Response & Threat Hunting will teach you to:

  • Understand when incident response requires in-depth host interrogation or light-weight mass collection
  • Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  • Collect host- and cloud-based forensic data from large environments
  • Discuss best practices for responding to Azure, M365, and AWS cloud platforms
  • Learn analysis techniques for responding to Linux and Mac operating systems
  • Analyze containerized microservices such as Docker containers
  • Correlate and analyze data across multiple data types and machines using a myriad of analysis techniques
  • Conduct analysis of structured and unstructured data to identify attacker behavior
  • Enrich collected data to identify additional indicators of compromise
  • Develop IOC signatures and analytics to expand searching capabilities and enable rapid detection of similar incidents in the future
  • Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling

Business Takeaways

  • Reduce financial and reputational impact of a breach by more efficiently and precisely managing the response
  • Learn IR management techniques that optimize resource usage during an investigation
  • Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  • Understand and hunt for techniques attackers use to hide from EDR and application control tools on Windows systems
  • Learn analysis techniques for responding to compromised Linux and macOS systems
  • Respond to and analyze containerized microservices such as Docker containers
  • Discuss best practices for responding to the most popular cloud environments, specifically Microsoft365/AzureAD and AWS

GIAC Enterprise Incident Responder

The GIAC Enterprise Incident Response (GEIR) certification validates a practitioner's mastery of enterprise-class incident response and threat hunting tools and techniques. GEIR certification holders have demonstrated the ability to use analysis methodologies to understand attacker movement across varying functions and operating systems.

  • Incident Response Team Management and Coordination
  • Enterprise Incident Detection and Threat Hunting
  • Large Scale Event Correlation and Timeline Analysis
  • Multi-platform Artifact Analysis
    • Analysis of Windows Artifacts
    • Analysis of Linux Artifacts
    • Analysis of macOS Artifacts
    • Analysis of Container Artifacts
    • Analysis of Cloud Environment Artifacts

Prerequisites

FOR608 is an advanced level course that skips over introductory material of Windows host- and network-based forensics and incident response. This class is not necessarily more technical than our 500-level classes, but it does assume that knowledge so that topics and concepts are not repeated.

Students must have multiple years of DFIR experience and/or have taken the prerequisite classes.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR608 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 350GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY FOR608 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent you from completing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install the required tools for Windows hosts or for macOS hosts before class. These tools are also included in your downloaded course materials.
Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact SANS.

Author Statement

"Incident Response in large environments requires successful Incident Responders to master a multitude of different disciplines. Broad forensic knowledge forms the foundation. A good choice of the technical approach allows for scalability. Beyond the pure technical challenge of investigating a network with a six-figure number of machines, there lies the management aspect of things. Successful Incident Response includes all measures to minimize the impact of the breach on the victim as much as possible and make sure that the attacker cannot come back as quickly as before.

Successful Incident Response Leads need to manage their resources and the victim wisely, make sure no information gets lost along the way, provide knowledge for efficient and safe recovery and support appropriate internal and external communication during the breach. While we apply many well-known forensic and incident response principles and make them scale in FOR608, we will also go a step further and teach you how to run and control large-scale investigations. I believe the best Incident Response is the one that reduces the costs of a breach, including the loss of reputation, as much as possible, while at the same time leaving the victims safer than they were before the breach." - Mathias Fuchs

"FOR608 is designed to pick up where the FOR508 class leaves off. In FOR508, we take a deep look at the techniques attackers commonly use to breach Windows-based networks, and the resulting artifacts that help incident responders follow the trail from initial intrusion to data compromise. A lot is accomplished in the 6 days of training in FOR508, but there is still plenty more ground to cover in FOR608!

We are excited to introduce FOR608 to continue the investigative journey. FOR608 covers important aspects of incident response in the enterprise, such as active defense and detection, case and team management, large-scale data analysis, and investigating attacks against Linux, Mac, and cloud environments. These are just some of the important subjects we believe are critical for effective response in the enterprise. Mastering these next-level techniques and supporting tools will provide students with the capabilities necessary to handle the scale and variety of threats facing most organizations today." - Mike Pilkington

"Many years ago, Incident Response was very much focused on a single responder dealing with a single system. Times have changed dramatically, and we face advanced adversaries who spread across entire enterprises aggressively and effectively. Often, by the time an attack is detected, you might find hundreds of systems compromised. It is important that we responders scale up our processes, using the tools and techniques available, to meet this threat. This is what FOR608 will help you achieve.

The course is built around a realistic scenario, working the students through the phases of IR at scale using tools which help drive a deep understanding. We cover a range of technologies and a lot of data, exactly as you might expect to see in your own enterprise. By learning how to target our response, share CTI and leverage our tools, we truly step up our IR capabilities to meet even the most dedicated adversary. For anyone charged with incident response in an enterprise, this course is for you." - Taz Wake