Threat Hunting & Digital Forensics Course | SANS FOR508

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

GIAC Certified Forensic Analyst (GCFA)
In Person (6 days) | Online | 36 CPEs

Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". FOR508 teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists.

Course Authors: Chad Tilbury (Fellow), Rob Lee (Fellow), Mike Pilkington (Principal Instructor)

What You Will Learn
ADVANCED THREATS ARE TARGETING YOUR NETWORK - IT'S TIME TO GO HUNTING!

FOR508: Advanced Incident Response and Threat Hunting Course will help you to:

- Detect how and when a breach occurred
- Quickly identify compromised and affected systems
- Perform damage assessments and determine what was stolen or changed
- Contain and remediate incidents
- Develop key sources of threat intelligence
- Hunt down additional breaches using knowledge of the adversary

DAY 0: A 3-letter government agency contacts you to say an advanced threat group is targeting organizations like yours, and that your organization is likely a target. They won't tell how they know, but they suspect that there are already several breached systems within your enterprise. An advanced persistent threat, aka an APT, is likely involved. This is the most sophisticated threat that you are likely to face in your efforts to defend your systems and data, and these adversaries may have been actively rummaging through your network undetected for months or even years.

This is a hypothetical situation, but the chances are very high that hidden threats already exist inside your organization's networks. Organizations can't afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done significant damage to the organization. For the incident responder, this process is known as "threat hunting". Threat hunting uses known adversary behaviors to proactively examine the network and endpoints in order to identify new data breaches.

Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident or contain propagating ransomware. Incident response and threat hunting teams are the keys to identifying and observing malware indicators and patterns of activity in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and ransomware syndicates. Constantly updated, FOR508: Advanced Incident Response and Threat Hunting addresses today's incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

The course uses a hands-on enterprise intrusion lab -- modeled after a real-world targeted attack on an enterprise network and based on advanced threat actor tactics -- to lead you to challenges and solutions via extensive use of the SIFT Workstation and best-of-breed investigative tools.

During the intrusion and threat hunting lab exercises, you will identify where the initial targeted attack occurred and how the adversary is moving laterally through multiple compromised systems. You will also extract and create crucial cyber threat intelligence that can help you properly scope the compromise and detect future breaches.

During a targeted attack, an organization needs the best incident response team in the field. FOR508: Advanced Incident Response and Threat Hunting will train you and your team to respond, detect, scope, and stop intrusions and data breaches.

GATHER YOUR INCIDENT RESPONSE TEAM - IT'S TIME TO GO HUNTING

FOR508 Course Topics

- Advanced use of a wide range of best-of-breed open-source tools and the SIFT Workstation to perform incident response and digital forensics.
- Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and ransomware syndicates.
- Threat hunting techniques that will aid in quicker identification of breaches.
- Rapid incident response analysis and breach assessment.
- Incident response and intrusion forensics methodology.
- Remote and enterprise incident response system analysis.
- Windows live incident response and scaling collection of triage data.
- Perform compromise assessments.
- Investigating and countering living off the land attacks, including PowerShell and WMI.
- Memory analysis during incident response and threat hunting.
- Transitioning memory analysis skills to enterprise detection and response (EDR) platforms.
- Detailed instruction on compromise and protection of Windows enterprise credentials.
- Internal lateral movement analysis and detection.
- Rapid and deep-dive timeline creation and analysis.
- Volume shadow copy exploitation for hunting threats and incident response.
- Detection of anti-forensics and adversary hiding techniques.
- Discovery of unknown malware on a system.
- Adversary threat intelligence development, indicators of compromise, and usage.
- Cyber-kill chain strategies.
- Step-by-step tactics and procedures to respond to and investigate intrusion cases.

Hands-On Training

One of the biggest complaints you hear in the threat hunting and incident response community is the lack of realistic intrusion data. Most real-world intrusion data are simply too sensitive to be shared. The FOR508 course authors created a realistic scenario based on experiences surveyed from a panel of responders who regularly combat targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. The result is an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was set up to mimic a standard "protected" enterprise network using standard compliance checklists:

- Full auditing turned on per recommended Federal Information Security Management Act guidelines
- Windows domain controller (DC) set up and configured; DC hardened similarly to what is seen in real enterprise networks
- Systems installed with the real software on them that is used (Office, Adobe, Skype, OneDrive, Email, Dropbox, Firefox, Chrome)
- Fully patched systems (patches are automatically installed)
- Endpoint Detection and Response (EDR) agents
- Enterprise A/V and on-scan capability based on the Department of Defense's Host-based Security System
- Endpoint Protection Software - Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS)
- Firewall only allows inbound port 25 and outbound ports 25, 80, 443

This exercise and challenge are used to show real adversary traces across host systems, system memory, hibernation/pagefiles, and more:

- Phase 1 - Patient zero compromise and malware C2 beacon installation
- Phase 2 - Privilege escalation, lateral movement to other systems, malware utilities download, installation of additional beacons, and obtaining domain admin credentials
- Phase 3 - Search for intellectual property, profile network, dump email, dump enterprise hashes
- Phase 4 - Collect data to exfiltrate and copy to staging system. Archive data using .rar and a complex passphrase
- Phase 5 - Exfiltrate .rar files from staging server, perform cleanup on staging server (alternatively this phase would be used to deploy ransomware)

You Will Be Able To

- Learn and master the tools, techniques, and procedures necessary to effectively hunt, detect, and contain a variety of adversaries and to remediate incidents.
- Detect and hunt unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment.
- Hunt through and perform incident response across hundreds of unique systems simultaneously using PowerShell or F-Response Enterprise and the SIFT Workstation.
- Identify and track malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue.
- Determine how the breach occurred by identifying the root cause, the beachhead systems and initial attack mechanisms.
- Identify living off the land techniques, including malicious use of PowerShell and WMI.
- Target advanced adversary anti-forensics techniques like hidden and time-stomped malware, along with living off the land techniques used to move in the network and maintain an attacker's presence.
- Use memory analysis, incident response, and threat hunting tools in the SIFT Workstation to detect hidden processes, malware, attacker command lines, rootkits, network connections, and more.
- Track user and attacker activity second-by-second on the system you are analyzing through in-depth timeline and super-timeline analysis.
- Recover data cleared using anti-forensics techniques via Volume Shadow Copy and Restore Point analysis.
- Identify lateral movement and pivots within your enterprise across your endpoints, showing how attackers transition from system to system without detection.
- Understand how the attacker can acquire legitimate credentials - including domain administrator rights - even in a locked-down environment.
- Track data movement as attackers collect critical data and shift it to exfiltration collection points.
- Recover data cleared using anti-forensics techniques via Volume Shadow Copy and Restore Point analysis and artifact carving.
- Use collected data to perform effective remediation across the entire enterprise.

What You Will Receive

SIFT Workstation

- This course extensively uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks.
- The SIFT Workstation contains hundreds of free and open-source tools, easily matching any modern forensic and incident response commercial response tool suite.
- A virtual machine is used with many of the hands-on class exercises.
- Ubuntu Linux LTS Base.
- 64-bit base system.
- Better memory utilization.
- Auto-DFIR package update and customizations.
- Latest forensics tools and techniques.
- VMware Appliance ready to tackle forensics.
- Docker and ELK pre-installed.
- Cross-compatibility between Linux and Windows.
- Expanded filesystem support (NTFS, HFS, EXFAT, and more).

F-Response Enterprise (Endpoint Collection Capability)

- Enables incident responders to access remote systems and physical memory of a remote computer via the network.
- Gives any incident response or forensics tool the capability to be used across the enterprise.
- Perfect for intrusion investigations and data breach incident response situations.
- Deployable agent to remote systems.
- SIFT Workstation compatible.
- Vendor neutral - works with just about any tool.
- Number of simultaneous examiners = unlimited.
- Number of simultaneous agents deployed = unlimited.
- The six-month license allows F-Response Enterprise to continue to be used and benchmarked in your environment at work/home.

Electronic Download Package containing:

- APT case images, memory captures, SIFT Workstation virtual machines, tools, and documentation.

SANS DFIR APT Case Electronic Exercise Workbook

- Exercise workbook is over 500 pages long with detailed step-by-step instructions and examples to help you master incident response

SANS DFIR Cheat Sheets to Help Use the Tools in the Field

Syllabus (36 CPEs)
FOR508.1: Advanced Incident Response & Threat Hunting

Overview

There are ways to gain an advantage against adversaries targeting you -- it starts with the right mindset and knowing what works

The last decade has not been kind to network defenders. Threats to the modern enterprise are legion and attackers have used the enormous complexity of enterprise networks against us. But the tide is shifting. Over the past decade, we have seen a dramatic increase in sophisticated attacks against organizations. Nation-state attacks originating from the intelligence services of countries like China and Russia, often referred to as Advanced Persistent Threat (APT) actors, have proved difficult to suppress. Massive financial attacks from the four corners of the globe have resulted in billions of dollars in losses. Ransomware and extortion became an existential threat almost overnight. While the odds are stacked against us, the best security teams are proving that these threats can be managed and mitigated. FOR508 aims to bring those hard-won lessons into the classroom.

This course was designed to help organizations increase their capability to detect and respond to intrusion events. This is an achievable goal and begins by teaching the tools and techniques necessary to find evil in your network. This course is designed to make you and your organization an integral part of the solution. To keep pace, incident responders and threat hunters must be armed with the latest tools, analysis techniques, and enterprise methodologies to identify, track, and contain advanced adversaries with the ultimate goal of rapid remediation of incidents and damage mitigation. Further, incident response and threat hunting analysts must be able to scale their efforts across potentially thousands of systems in the enterprise. We start the day by examining the six-step incident response methodology as it applies to incident response for advanced threat groups. The importance of developing cyber threat intelligence to impact the adversaries' "kill chain" is discussed and forensic live response techniques and tactics are demonstrated that can be applied both to single systems and across the entire enterprise.

Understanding attacks is critical to being able to detect and mitigate them. We start our education of attacker techniques on day one, learning common malware and attack characteristics and diving deep into techniques used by adversaries to maintain persistence in the network. Persistence is typically completed early in the attack cycle and students will learn hunting techniques to audit the network and accomplish early discovery. Living off the land binaries (local tools available in most environments), PowerShell, and WMI-based attacks in particular have become standard operating procedure for advanced adversaries and students get a lot of practice with tools and techniques to identify such attacks at scale.

We end the day with an in-depth discussion of Microsoft credentialing. The complexity of credentials in the modern enterprise cannot be overstated and credentials are the number one vulnerability present in every network. By understanding the tools and techniques being used to target credentials, students learn how to prevent, detect, and mitigate these devastating attacks.

Exercises

- Forensic Lab Setup and Orientation Using the SIFT Workstation
- Malware Persistence Detection and Analysis
- Scaling Data Collection and Analysis Across the Enterprise
- Finding and Analyzing Malicious WMI Attacks

Topics

Real Incident Response Tactics
- Preparation: Key tools, techniques, and procedures that an incident response team needs to respond properly to intrusions
- Identification/Scoping: Proper scoping of an incident and detecting all compromised systems in the enterprise
- Containment/Intelligence Development: Restricting access, monitoring, and learning about the adversary in order to develop threat intelligence
- Eradication/Remediation: Determining and executing key steps that must be taken to help stop the current incident and the move to real-time remediation
- Recovery: Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise
- Avoiding "Whack-A-Mole" Incident Response: Going beyond immediate eradication without proper incident scoping/containment

Threat Hunting
- Hunting versus Reactive Response
- Intelligence-Driven Incident Response
- Building a Continuous Incident Response/Threat Hunting Capability
- Forensic Analysis versus Threat Hunting Across Endpoints
- Threat Hunt Team Roles
- ATT&CK - MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK(TM))

Threat Hunting in the Enterprise
- Identification of Compromised Systems
- Finding Active and Dormant Malware
- Digitally Signed Malware
- Malware Characteristics
- Common Hiding and Persistence Mechanisms
- Finding Evil by Understanding Normal

Incident Response and Hunting across Endpoints
- WMIC & PowerShell
- PowerShell Remoting Scalability
- PowerShell Remoting Credential Safeguards
- Kansa PowerShell Remoting IR Framework

Malware Defense Evasion and Identification
- Service Hijacking/Replacement
- Frequent Compilation
- Binary Padding
- Packing/Armoring
- Dormant Malware
- Signing Code with Valid Certificates
- Anti-Forensics/Timestomping
- Living off the Land Binaries and Security Tool Evasion

Malware Persistence Identification
- AutoStart Locations, RunKeys
- Service Creation/Replacement
- Service Failure Recovery
- Scheduled Tasks
- DLL Hijacking Attacks
- WMI Event Consumers

Prevention, detection, and mitigation of Credential Theft
- Pass the Hash
- Credential Attacks with Mimikatz
- Token Stealing
- Cached Credentials
- LSA Secrets
- Kerberos Attacks
- Golden Tickets
- Kerberoasting
- DCSync
- NTDS.DIT theft
- Bloodhound and Active Directory Graphing
- Common dumping tools including Metasploit, Acehash, Windows Credential Editor, and many others.
FOR508.2: Intrusion Analysis

Overview

Even the most advanced adversaries leave footprints everywhere. Learn the secrets of the best hunters.

Cyber defenders have a wide variety of tools and artifacts available to identify, hunt, and track adversary activity in a network. Each attacker action leaves a corresponding artifact, and understanding what is left behind as footprints can be crucial to both red and blue team members. Attacks follow a predictable pattern, and we focus our detective efforts on immutable portions of that pattern. As an example, at some point an attacker will need to run code to accomplish their objectives. We can identify this activity via application execution artifacts. The attacker will also need one or more accounts to run code. Consequently, account auditing is a powerful means of identifying malicious activity. An attacker also needs a means to move throughout the network, so we look for artifacts left by the relatively small number of ways there are to accomplish internal lateral movement. In this section, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise. Get ready to hunt!

Exercises

- Hunting and Detecting Evidence of Execution at Scale with Prefetch, Shimcache and Amcache
- Discovering Credential Abuse with Event Log Collection and Analysis
- Tracking Lateral Movement with Event Log Analysis
- Hunting Malicious Use of WMI and PowerShell

Topics

Stealing and Utilization of Legitimate Credentials
- Pass the Hash
- Single Sign On (SSO) Dumping using Mimikatz
- Token Stealing
- Cached Credentials
- LSA Secrets
- Kerberos Attacks
- NTDS.DIT theft

Advanced Evidence of Execution Detection
- Attacker Tactics, Techniques, and Procedures (TTPs) Observed Via Process Execution
- Prefetch Analysis
- Application Compatibility Cache (ShimCache)
- Amcache Registry Examination
- Scaling ShimCache and Amcache Investigations

Lateral Movement Adversary Tactics, Techniques, and Procedures (TTPs)
- Compromising Credentials Techniques
- Remote Desktop Services Misuse
- Windows Admin Share Abuse
- PsExec and Cobalt Strike Beacon PsExec Activity
- Windows Remote Management Tool Techniques
- PowerShell Remoting/WMIC Hacking
- Cobalt Strike Lateral Movement and Credential Use
- Vulnerability Exploitation

Log Analysis for Incident Responders and Hunters
- Profiling Account Usage and Logons
- Tracking and Hunting Lateral Movement
- Identifying Suspicious Services
- Detecting Rogue Application Installation
- Finding Malware Execution and Process Tracking
- Capturing Command Lines and Scripts
- Anti-Forensics and Event Log Clearing

Investigating WMI and PowerShell-Based Attacks
- WMI Overview
- WMI Attacks Across the Kill Chain
- Auditing the WMI Repository
- WMI File System and Registry Residue
- Command-Line Analysis and WMI Activity Logging
- PowerShell Transcript and Script Block Logging
- Discovering Cobalt Strike beacon PowerShell Import Activity
- Detecting PowerShell Injection from Cobalt Strike, Metasploit, and Empire
- PowerShell Script Obfuscation

FOR508.3: Memory Forensics in Incident Response & Threat Hunting

Overview

Using memory analysis sometimes feels like cheating -- finding active attacks shouldn't be this easy.

Memory forensics has come a long way in just a few years. It is now a critical component of many advanced tool suites (notably EDR) and the mainstay of successful incident response and threat hunting teams. Memory forensics can be extraordinarily effective at finding evidence of worms, rootkits, PowerShell, and ransomware precursors, and advanced malware used by targeted attackers. In fact, some fileless attacks may be nearly impossible to unravel without memory analysis. Memory analysis was traditionally the domain of Windows internals experts and reverse engineers, but new tools, techniques, and detection heuristics have greatly leveled the playing field making it accessible today to all investigators, incident responders, and threat hunters. Further, understanding attack patterns in memory is a core analyst skill applicable across a wide range of endpoint detection and response (EDR) products, making those tools even more effective. This extremely popular section will cover many of the most powerful memory analysis capabilities available and give analysts a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.

Exercises

- Scaling remote endpoint incident response, hunting, and analysis using Velociraptor
- Remote endpoint triage and memory examination using F-Response Enterprise
- Creating local and remote triage images with KAPE
- Detect unknown live and dormant custom malware in memory across multiple systems in an enterprise environment
- Examine Windows process trees to identify normal versus anomalies
- Find advanced "beacon" malware over common ports used by targeted attackers to access command and control (C2) channels
- Find residual attacker command-line activity through scanning strings in memory and by extracting command history buffers
- Compare compromised system memory against a baseline system using Frequency of Least Occurrence stacking techniques
- Identify advanced malware hiding techniques, including code injection and rootkits
- Employing indicators of compromise to automate analysis
- Analysis of memory from infected systems:
  - Stuxnet
  - TDL3/TDSS
  - CozyDuke APT29 RAT
  - Rundll32 and Living Off the Land Executions
  - Zeus/Zbot
  - Storm Worm Rootkit
  - BlackEnergy Rootkit
  - WMI and PowerShell
  - Cobalt Strike Beacons and Powerpick
  - Cobalt Strike Sacrificial Processes
  - Metasploit
  - Custom APT command and control malware

Topics

Remote and Enterprise Incident Response
- Remote Endpoint Access in the Enterprise
- Remote Endpoint Host-based Analysis
- Scalable Host-based Analysis (one analyst examining 1,000 systems) and Data Stacking
- Remote Memory Analysis
- Velociraptor, F-Response, and KAPE

Triage and Endpoint Detection and Response (EDR)
- Endpoint Triage Collection
- EDR Capabilities and Challenges
- EDR and Memory Forensics

Memory Acquisition
- Acquisition of System Memory
- Hibernation and Pagefile Memory Extraction and Conversion
- Virtual Machine Memory Acquisition
- Memory changes in Windows 10 and 11

Memory Forensics Analysis Process for Response and Hunting
- Understanding Common Windows Services and Processes
- Identify Rogue Processes
- Analyze Process DLLs and Handles
- Review Network Artifacts
- Look for Evidence of Code Injection
- Check for Signs of a Rootkit
- Acquire Suspicious Processes and Drivers

Memory Forensics Examinations
- Live Memory Forensics
- Advanced Memory Analysis with Volatility
- Webshell Detection Via Process Tree Analysis
- Code Injection, Malware, and Rootkit Hunting in Memory
- WMI and PowerShell Process Anomalies
- Extract Memory-Resident Adversary Command Lines
- Investigate Windows Services
- Hunting Malware Using Comparison Baseline Systems
- Find and Dump Cached Files from RAM

Memory Analysis Tools
- Volatility
- F-Response
- Velociraptor

Students will receive a full six-month license of F-Response Enterprise Edition, enabling them to use their workstation or the SIFT workstation to connect and script actions on hundreds or thousands of systems in the enterprise. This capability is used to benchmark, facilitate, and demonstrate new incident response and threat hunting technologies that enable a responder to look for indicators of compromise across the entire enterprise network in memory and on disk.

FOR508.4: Timeline Analysis

Overview

Timeline analysis will change the way you approach digital forensics, threat hunting, and incident response...forever.

Learn advanced incident response and hunting techniques uncovered via timeline analysis directly from the authors who pioneered timeline analysis tradecraft.

Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and browser history files all contain time data that can be correlated and analyzed to rapidly solve cases. Pioneered by Rob Lee as early as 2001, timeline analysis has grown to become a critical incident response, hunting, and forensics technique. New timeline analysis frameworks provide the means to conduct simultaneous examinations on a multitude of systems across a multitude of forensic artifacts. Analysis that once took days now takes minutes.

This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.

Exercises

- Detecting malware defense evasion techniques
- Using timeline analysis, track adversary activity by hunting an APT group's footprints of malware, lateral movement, and persistence
- Target hidden and time-stomped malware and utilities that advanced adversaries use to move in the network and maintain their presence
- Track advanced adversaries' actions second-by-second through in-depth super-timeline analysis
- Observe how attackers laterally move to other systems in the enterprise by watching a trail left in filesystem times, registry, event logs, shimcache, and other temporal-based artifacts
- Identify root cause of an intrusion
- Learn how to filter system artifact, filesystem, and registry timelines to target the most important data sources efficiently

Topics

Malware Defense Evasion and Detection
- Indicators of Compromise - YARA
- Entropy and Packing Analysis
- Executable Anomaly Detection
- Digital Signature Analysis

Timeline Analysis Overview
- Timeline Benefits
- Prerequisite Knowledge
- Finding the Pivot Point
- Timeline Context Clues
- Timeline Analysis Process

Filesystem Timeline Creation and Analysis
- MACB Timestamps
- Windows Time Rules (File Copy versus File Move)
- Filesystem Timeline Creation Using Sleuthkit, fls and MFTECmd
- Bodyfile Analysis and Filtering Using the mactime Tool

Super Timeline Creation and Analysis
- Super Timeline Artifact Rules
- Program Execution, File Knowledge, File Opening, File Deletion
- Timeline Creation with log2timeline/Plaso
- log2timeline/Plaso Components
- Filtering the Super Timeline Using psort
- Targeted Super Timeline Creation
- Super Timeline Analysis Techniques
- Scaling Super Timeline Analysis with ElasticSearch (ELK)

FOR508.5: Incident Response & Hunting Across the Enterprise | Advanced Adversary & Anti-Forensics Detection

Overview

Advanced adversaries are always improving. We must keep pace

Attackers commonly take steps to hide their presence on compromised systems. While some anti-forensics steps can be relatively easy to detect, others are much harder to deal with. As such, it's important that forensic professionals and incident responders are knowledgeable on various aspects of the operating system and file system which can reveal critical residual evidence. Criminal and ransomware syndicates have become particularly aggressive in their use of anti-forensic techniques. In this section, we focus on recovering files, file fragments, and file metadata of interest to the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. This often results in a deeper understanding of the attacker TTPs and provides more threat intelligence for rapid scoping of an intrusion and mitigating damage. In some cases, these deep-dive techniques could be the only means for proving that an attacker was active on a system of interest and ultimately determining root cause. While very germane to intrusion cases, these techniques are applicable in nearly every forensic investigation.

Exercises

- Volume shadow snapshot analysis
- Timelines incorporating volume shadow snapshot data
- Anti-Forensics analysis using NTFS filesystem components
- Timestomp identification and suspicious file detections
- Advanced data recovery with records carving and deleted volume shadow copy recovery

Topics

Volume Shadow Copy Analysis
- Volume Shadow Copy Service
- Options for Accessing Historical Data in Volume Snapshots
- Accessing Shadow Copies with vshadowmount
- Volume Shadow Copy Timelining

Advanced NTFS Filesystem Tactics
- NTFS Filesystem Analysis
- Master File Table (MFT) Critical Areas
- NTFS System Files
- NTFS Metadata Attributes
- Rules of Windows Timestamps for $StdInfo and $Filename
- Detecting Timestamp Manipulation
- Resident versus Nonresident Files
- Alternate Data Streams
- NTFS Directory Attributes
- B-Tree Index Overview and Balancing
- Finding Wiped/Deleted Files using the $I30 indexes
- Filesystem Flight Recorders: $Logfile and $UsnJrnl
- Common Activity Patterns in the Journals
- Useful Filters and Searches in the Journals
- What Happens When Data Is Deleted from an NTFS Filesystem?

Advanced Evidence Recovery
- Markers of Common Wipers and Privacy Cleaners
- Deleted Registry Keys
- Detecting "Fileless" Malware in the Registry
- File Carving
- Volume Shadow Carving
- Carving for NTFS artifacts and Event Log Records
- Effective String Searching
- NTFS Configuration Changes to Combat Anti-Forensics

FOR508.6: The APT Threat Group Incident Response Challenge
Overview

This incredibly rich and realistic enterprise intrusion exercise is based on a real-world advanced persistent threat (APT) group. It brings together techniques learned earlier in the course and tests your newly acquired skills in an investigation into an attack by an advanced adversary. The challenge brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised in the initial intrusion, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating a real attack, curated by a cadre of instructors with decades of experience fighting advanced threats from attackers ranging from nation-states to financial crime syndicates and hacktivist groups.

Topics

- The Intrusion Forensic Challenge will ask each incident response team to analyze multiple systems in an enterprise network with many endpoints.
- Learn to identify and track attacker actions across an entire network finding initial exploitation, reconnaissance, persistence, credential dumping, lateral movement, elevation to domain administrator, and data theft/exfiltration
- Witness and participate in a team-based approach to incident response.
- Discover evidence of some of the most common and sophisticated attacks in the wild including Cobalt Strike, Metasploit, PowerShell exploit frameworks, and custom nation-state malware.

During the challenge, each incident response team will be asked to answer key questions and address critical issues in the different categories listed below, just as they would during a real breach in their organizations:

IDENTIFICATION AND SCOPING:

1. How and when was the network breached?
2. List all compromised systems by IP address and specific evidence of compromise.
3. When and how did the attackers first laterally move to each system?

CONTAINMENT AND THREAT INTELLIGENCE GATHERING:

4. How and when did the attackers obtain domain administrator credentials?
5. Once on other systems, what did the attackers look for on each system?
6. Find exfiltrated email from executive accounts and perform damage assessment.
7. Determine what was stolen: Recover any attacker archives, find encryption passwords, and extract the contents to verify exfiltrated data.
8. Collect and list all malware used in the attack.
9. Develop and present cyber threat intelligence based on host and network indicators of compromise.

REMEDIATION AND RECOVERY:

10. What level of account compromise occurred? Is a full password reset required during remediation?
11. Based on the attacker techniques and tools discovered during the incident, what are the recommended steps to remediate and recover from this incident?
    a. What systems need to be rebuilt?
    b. What IP addresses need to be blocked?
    c. What countermeasures should we deploy to slow or stop these attackers if they come back?
    d. What recommendations would you make to detect these intruders in our network again?

ADDITIONAL NOTES:

- If you have attended FOR500, you may want to bring your copy of the FOR500 - Windows SIFT Workstation Virtual Machine, as you can use it for the final challenge and for many of the exercises in FOR508.
- Bring/install any other forensic tool you feel could be useful (Splunk, EnCase, FTK, etc.). For the final challenge at the end of the course, you can utilize any forensic tool to help you and your team perform the analysis, including commercial capabilities. If you have any dongles, licensed software, etc., you are free to use them.
- Please do not plan to use the version of the SIFT Workstation downloaded from the Internet. We will provide you with a version specifically configured for the FOR508 materials on Day 1 of the course.

If you have additional questions about the laptop specifications, [email protected].

GIAC Certified Forensic Analyst

The GCFA certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases. The GCFA certification focuses on core skills required to collect and analyze data from computer systems.
- Advanced Incident Response and Digital Forensics
- Memory Forensics, Timeline Analysis, and Anti-Forensics Detection
- Threat Hunting and APT Intrusion Incident Response

Prerequisites

FOR508 is an advanced incident response and threat hunting course that focuses on detecting and responding to advanced persistent threats and organized crime threat groups. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course. We recommend that you should have a background in FOR500: Windows Forensics prior to attending this course.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't be responsible for your system or data.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

- CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT".
- Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher is mandatory and minimum.)
- USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
- 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive
- Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 Capability

MANDATORY FOR508 HOST OPERATING SYSTEM REQUIREMENTS:

- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
- Download and install 7Zip (for Windows Hosts) or Keka (macOS).

Your course media will now be delivered via download. The media files for class will be large, in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. This class uses an electroni
cworkbookinadditiontothePDFs.Wehavefoundthatasecondmonitorand/oratabletdevicecanbeusefulforkeepingtheclassmaterialsvisiblewhiletheinstructorispresentingorwhileyouareworkingonlabexercises. AuthorStatement "Indescribingtheadvancedpersistentthreat(APT)andadvancedadversaries,manyexpertshavesaid,'Therearepeoplesmarterthanyou,whohavemoreresourcesthanyou,andwhoarecomingforyou.Goodluckwiththat.'Theywerenotjoking.Theresultsoverthepastseveralyearsclearlyindicatethathackersemployedbynation-statesandorganizedcrimearerackingupsuccessaftersuccess.TheAPThascompromisedhundredsoforganizations.OrganizedcrimeorganizationsusingbotnetsareexploitingAutomatedClearingHouse(ACH)frauddaily.Similargroupsarepenetratingbanksandmerchants,stealingcreditcarddata.Fortune500companiesarebeginningtodetaildatabreachesandhacksintheirannualstockholderreports."Inotherwords,theenemyisgettingbetterandbolder,andtheirsuccessrateisimpressive."Wecanstopthem,buttodoso,weneedtofieldmoresophisticatedincidentrespondersanddigitalforensicsinvestigators.Weneedlethaldigitalforensicsexpertswhocandetectanderadicateadvancedthreatsimmediately.Aproperlytrainedincidentrespondercouldbetheonlydefenseyourorganizationhasleftduringacompromise.Forensics508:AdvancedDigitalForensics,IncidentResponse,andThreatHuntingiscrucialtrainingforyoutobecometheanalystwhocanstepuptotheseadvancedthreats.Theenemyisgood.Wearebetter.Thiscoursewillhelpyoubecomeoneofthebest."-RobLee"Weliveinaworldofunimaginableamountsofdatastoredonimmenselylargeandcomplicatednetworks.Ouradversariesusethiscomplexityagainstustoslicethroughourdefensesandtakevirtuallyanythingtheywant,anytimetheywantit.Whilethisisourcurrentstate,itwillnotbeourfuture.Incidentresponseisataninflectionpoint.Oldmodelsarebeingupgradedtomakedefendersmoreeffectiveandnimblerinresponsetomoresophisticatedandaggressiveattackers.Themostsuccessfulincidentresponseteamsareevolvingrapidlyduetonear-dailyinteractionwithadversaries.Newtoolsandtechniquesarebeingdeveloped,providingbettervisibilityandmakingthene
tworkmoredefensible.Thereareanincreasingnumberofsuccessstories,withorganizationsquicklyidentifyingintrusionsandrapidlyremediatingthem.Wecreatedthiscoursetobuilduponthosesuccesses.Likethefielditself,thecourseiscontinuouslyupdated,bringingthelatestadvancesintotheclassroom.Whetheryouarejustmovingintotheincidentresponsefieldorarealreadyleadinghuntteams,FOR508facilitateslearningfromothers'experiencesanddevelopsthenecessaryskillstotakeyoutothenextlevel."-ChadTilbury WaystoLearn OnDemandStudyandprepareforGIACCertificationwithfourmonthsofonlineaccess.Includeslabsandexercises,andsupport.LiveOnlineLive,interactivesessionswithSANSinstructorsoverthecourseofoneormoreweeks,attimesconvenienttostudentsworldwide.InPerson(6days)Trainingeventsandtopicalsummitsfeaturepresentationsandcoursesinclassroomsaroundtheworld. WhoShouldAttendFOR508? WhoShouldAttendIncidentResponseTeamMemberswhoregularlyrespondtocomplexsecurityincidents/intrusionsfromAPTgroups/advancedadversariesandneedtoknowhowtodetect,investigate,remediate,andrecoverfromcompromisedsystemsacrossendpointsintheenterprise.ThreatHunterswhoareseekingtounderstandthreatsmorefullyandhowtolearnfromtheminordertomoreeffectivelyhuntthreatsandcountertheirtradecraft.SOCAnalystslookingtobetterunderstandalerts,buildtheskillsnecessarytotriageevents,andfullyleverageadvancedendpointdetectionandresponse(EDR)capabilities.ExperiencedDigitalForensicAnalystswhowanttoconsolidateandexpandtheirunderstandingofmemoryandtimelineforensics,investigationoftechnicallyadvancedindividuals,incidentresponsetactics,andadvancedintrusioninvestigations.InformationSecurityProfessionalswhodirectlysupportandaidinrespondingtodatabreachincidentsandintrusions.FederalAgentsandLawEnforcementProfessionalswhowanttomasteradvancedintrusioninvestigationsandincidentresponse,andexpandtheirinvestigativeskillsbeyondtraditionalhost-baseddigitalforensics.RedTeamMembers,PenetrationTesters,andExploitDeveloperswhowanttolearnhowtheiropponentscanidentifytheiractions,howcommonmistakescancomprom
iseoperationsonremotesystems,andhowtoavoidthosemistakes.Thiscoursecoversremotesystemforensicsanddatacollectiontechniquesthatcanbeeasilyintegratedintopost-exploitoperatingproceduresandexploit-testingbatteries.SANSFOR500andSEC504Graduateslookingtotaketheirskillstothenextlevel. Seeprerequisites Needtojustifyatrainingrequesttoyourmanager? Usethisjustificationlettertemplatetosharethekeydetailsofthistrainingandcertificationopportunitywithyourboss. DownloadtheLetterRelatedProgramsDoDD8140(CNDSPIncidentResponder) SeehowthisandotherSANSCoursesandGIACCertificationsalignwiththeDepartmentofDefenseDirective8140. MastersProgram Thiscourseandcertificationcanbeappliedtoamaster'sdegreeprogramattheSANSTechnologyInstitute. ReviewsPreviousNext Ihavebeendoingdigitalforensicsfor13+years.Thiscoursehasstillmanagedtobuildonmyexistingknowledgeandmademechallengesomepre-conceptions.Ithasgivenmetonsofideastotakehomeanddeveloptoimproveourenterprisessecurityposture. IanHoward Tesco FOR508exceededmyexpectationsineveryway.Itprovidedmetheskills,knowledge,andtoolstoeffectivelyrespondtoandhandleAPTsandotherenterprise-widethreats. JoshM. USFederalAgency It'shardtoreallysaysomethingthatwillproperlyconveytheamountofmentalgrowthIhaveexperiencedinthistraining. 
- Travis Farral, XTO Energy


