FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.

What You Will Learn

Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.

FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today's investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting to their skills, in which existing evidence is used with newly-acquired threat intelligence to uncover evidence of previously-unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment. In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.

In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high--evel NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

Most of FOR572's hands-on labs have been developed together with the latest version of FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. In these shared scenarios, you'll quickly see a hybrid approach to forensic examination that includes both host and network artifacts is ideal. Although our primary focus is on the network side of that equation, we will point out areas where the host perspective could provide additional context, or where the network perspective gives deeper insight. Both former and future FOR508 students will appreciate the nexus between these extensive evidence sets.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK platform - a VMware appliance pre-configured with a tailored configuration of the Elastic stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Moloch platform is also covered and used in a hands-on lab. Through all of the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands of data records.

FOR572 is an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stack networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.

You Will Be Able To

• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
• Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

FOR572 Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:

• Foundational network forensics tools: tcpdump and Wireshark refresher
• Packet capture applications and data
• Unique considerations for network-focused forensic processes
  • Network evidence types and sources
  • Network architectural challenges and opportunities for investigators
  • Investigation OPSEC and footprint considerations
• Network protocol analysis
  • Hypertext Transfer Protocol (HTTP)
  • Domain Name Service (DNS)
  • File Transfer Protocol (FTP)
  • Server Message Block (SMB) and related Microsoft protocols
  • Simple Mail Transfer Protocol (SMTP)
• Commercial network forensic tools
• Automated tools and libraries
• NetFlow
  • Introduction
  • Collection approaches
  • Open-source NetFlow tools
• Wireless networking
  • Capturing wireless traffic
  • Useful forensic artifacts from wireless traffic
  • Common attack methods and detection
• Log data to supplement network examinations
  • Syslog
  • Microsoft Windows Event Forwarding
  • HTTP server logs
  • Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
  • Log collection, aggregation, and analysis
  • Web proxy server examination
• Encryption
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Profiling TLS clients without interception
  • Introduction
  • Meddler-in-the-middle
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Deep packet work
  • Network protocol reverse engineering
  • Payload reconstruction

What You Will Receive

• Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
• SOF-ELK Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
• Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
• Realistic case data to examine during class, from multiple sources including:
  • NetFlow data
  • Web proxy, firewall, and intrusion detection system logs
  • Network captures in pcap format
  • Network service logs
• Electronic Downloadable package loaded with case examples, tools, and documentation

Syllabus (36 CPEs) GIAC Network Forensic Analyst

The GIAC Network Forensic Analyst (GNFA) certification validates a practitioner’s ability to perform examinations employing network forensic artifact analysis. GNFA certification holders have demonstrated an understanding of the fundamentals of network forensics, normal and abnormal conditions for common network protocols, processes and tools used to examine device and system logs, and wireless communication and encrypted protocols.

• Network architecture, network protocols, and network protocol reverse engineering

• Encryption and encoding, NetFlow analysis and attack visualization, security event & incident logging

• Network analysis tools and usage, wireless network analysis, & open source network security proxies