FOR577: SANS Munich March 2025

Provided by

Enquire about this course

What You Will Learn

FOR577: Linux Threat Hunting & Incident Response provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including advanced persistent threat (APT) nation-state adversaries, organized crime syndicates, and hactivism. Constantly updated, the course addresses today's incidents by teaching the hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to combat real-world breach cases.

FOR577 teaches the skills needed to identify, analyze, and respond to attacks on Linux platforms and how to use threat hunting techniques to find the stealthy attackers who can bypass existing controls. The concepts taught are built on common foundations in that we gather evidence, analyze it, and make decisions based on this analysis, all the while focusing on the specifics of the Linux platform. By using the tools built into the SANS SIFT Workstation, the course provides an all-inclusive solution that enables responders to quickly and effectively react to sophisticated intrusions.

During the course you will work through a number of exercises culminating in a final capstone, challenge built around a realistic attack with endpoint evidence, log data, and other artifacts you will encounter during day-to-day incident response activities. You will uncover evidence of an advanced threat actor working through a multiple-phase attack, going from reconnaissance to initial intrusion, then moving laterally throughout the organization's network. During the capstone you will bring together everything you have learned during the course and present your findings and recommendations on how security can be improved.
You Will Be Able To
  • Use the tools, techniques, and procedures necessary to effectively hunt, detect, and contain a variety of adversaries and to remediate incidents
  • Hunt through and perform incident response on Linux systems using the SIFT Workstation
  • Identify and track malware beaconing outbound to its command and control (C2) channel via analytical techniques.
  • Determine how the breach occurred by identifying the beachhead and spear phishing attack mechanisms
  • Track user and attacker activity second-by-second on the system you are analyzing through in-depth timeline and super-timeline analysis
  • Identify lateral movement and pivots within your enterprise, showing how attackers transition from system to system without detection.
  • Track data movement as the attackers collect critical data and shift those data to exfiltration collection points
  • Recover and analyze archives and archive files (.rar, .tar, etc.) used by APT-like attackers to exfiltrate sensitive data from the enterprise network
  • Use collected data to perform effective remediation across the entire enterprise.
Business Takeaways
  • Understand attacker tradecraft in order to perform proactive compromise assessments
  • Upgrade detection capabilities by having a better understanding of novel attack techniques and available forensic artifacts, and by focusing on critical attack paths
  • Develop threat intelligence to track targeted adversaries and prepare for future intrusion events
  • Build advanced forensics skills to counter anti-forensics and data hiding from technical subjects for use in both internal and external investigations.
Course Topics
  • Advanced use of a wide range of best-of-breed open-source tools in the SIFT Workstation to perform incident response and digital forensics
  • Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and hacktivists
  • Threat hunting techniques that will aid in quicker identification of breaches
  • Rapid incident response analysis and breach assessment
  • An incident response and intrusion forensics methodology
  • Evidence collection, including disk and memory, during incident response and threat hunting
  • Internal lateral movement analysis and detection
  • Rapid and deep-dive timeline creation and analysis
  • Adversary threat intelligence development, indicators of compromise, and usage
  • Cyber-kill chain strategies
  • Step-by-step tactics and procedures to respond to and investigate intrusion cases
What You Will Receive With This Course
  • SIFT Workstation
This course uses the SIFT Workstation extensively to teach incident responders and forensic analysts how to investigate and respond to sophisticated attacks. The workstation contains hundreds of free and open-source tools, easily matching any modern forensic and incident response commercial response tool suite. A virtual machine is used with many of the hands-on class exercises. Features of the SIFT Workstation include:
  • Ubuntu Linux LTS base
  • 64-bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensics tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross-compatibility between Linux and Windows
  • Expanded file system support (NTFS, HFS, EXFAT, and more)
  • Electronic Download Package
    • Case images (disk and memory) from systems compromised by an APT intrusion
    • SIFT Workstation virtual machines, tools, and documentation
    • Exercise book is over 250 pages long with detailed step-by-step instructions and examples to help you become a master incident responder.

Enquire

Start date Location / delivery
24 Mar 2025 Munich Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...