FOR509: SANS Live Online Europe March 2022 Volume 1

Provided by

What You Will Learn

Find the Storm in the Cloud

FOR509: Enterprise Cloud Forensics and Incident Response will help you:
  • Understand forensic data only available in the cloud
  • Implement best practices in cloud logging for DFIR
  • Properly handle rapid triage in cloud environments
  • Learn how to leverage Microsoft Azure, AWS and Google Cloud Platform resources to gather evidence
  • Understand what Microsoft 365 has available for analysts to review
  • Learn how to move your forensic process to the cloud for fast processing where the data lives
With Enterprise Cloud Forensics examiners will learn how each of the major cloud service providers (Microsoft Azure, Amazon AWS and Google Cloud Platform) are extending analyst's capabilities with new evidence sources not available in traditional on-premise investigations. From cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation, forensics is not dead. It is reborn with new technologies and capabilities.

The new world does not end there. More organizations are moving critical resources into the cloud with Microsoft 365. Examiners no longer have direct access to the email servers and datastores for recovering actions; which means they need to learn the new methods available to them to recreate the same data. But why stop at recreation? These new platforms allow us to extend our reach to data we could not easily access before, which when properly configured, can allow for detection and remediation faster than ever before.

The assumption that a change in where or how data is stored always seems to lead to the false assumption that forensics is dead. With the cloud, forensics is given new capabilities and depth that do not exist in the on-premise world. Learn to preserve, configure and examine new sources of evidence that only exist in the Cloud. Learn how to bring your examination into the cloud and how to triage within the same environment. Constantly updated, the Enterprise Cloud Forensics course (FOR509) addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments, where their most valuable data is now stored.

Numerous hands-on labs throughout the course will allow examiners to access evidence generated based on the most common incidents and investigations. Examiners will learn where to pull data from and how to analyze it to find evil.

Incident response and forensics are primarily about following breadcrumbs left behind by attackers. These breadcrumbs are mostly found in logs. Your knowledge of the investigation process is far more important than the mechanics of acquiring the logs. As such, the labs will not directly access the cloud as such a requirement would encounter issues with expiring logs, cloud provider changes, and delays in log availability.

Before, during, and after an investigation cloud resources are constantly changing, FOR509: Enterprise Cloud Forensics will train you and your team to turn on the logs you need for the future, work with the data you have today, and prepare to automate for tomorrow.

FOR509 ENTERPRISE CLOUD FORENSICS WILL PREPARE YOUR TEAM TO:
  • Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
  • Identify and utilize new data only available from Cloud environments
  • Quickly parse and filter large data sets, using scalable technologies such as the Elastic Stack
  • Learn how to profile attackers in different cloud environments
  • Understand what data is available in different cloud environments
FOR509 ENTERPRISE CLOUD FORENSICS COURSE TOPICS
  • Cloud Infrastructure and IR data sources
  • Microsoft 365 and Graph API
  • AWS Incident Response
  • Azure Incident Response
  • GCP Incident Response
WHAT YOU WILL RECEIVE
  • SOF-ELK(R) Virtual Machine - a publicly available appliance running the Elastic Stack and the author's custom set of configurations and lab data. The VM is preconfigured to ingest cloud logs from AWS, Azure, and GCP, and will be used during the class to help students wade through the large number of records they are likely to encounter during a typical investigation.
  • Realistic case data to examine during class.
  • Exercise book with detailed step-by-step instructions and examples to help you master cloud forensics
WHAT TO TAKE NEXT
  • FOR500: Windows Forensic Analysis
  • FOR508: Advanced Incident Response, Threat Hunting & Digital Forensics
  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • SEC541: Cloud Security Monitoring and Threat Detection
  • SEC510: Public Cloud Security: AWS, Azure & GCP
  • SEC588: Cloud Penetration Testing

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...