SANS FOR508: I’m now a GIAC Certified Forensic Analyst
After two and a half years in incident response it was time for another SANS course – FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics – with a tough exam I squeezed in just before COVID-19 consigned us all to our homes.
SANS doesn’t seem to stipulate anymore that you should take SEC504: Incident Handling and Hacker Tools and Techniques and FOR500: Windows Forensic Analysis before you approach FOR508, but I would still say that’s a sensible path. I felt FOR508 acted as a nice capstone to the trio, tying together everything I’d learnt on the previous two courses and showing how to apply it to APT-level attacks.
That was the overarching theme, in my opinion. Where the introductory SANS courses taught the basics of how attacks work and how they can be detected and prevented, the examples were always fairly noisy and easy to spot. FOR508 took this to the next level, showing techniques to help incident responders and threat hunters identify activity by adversaries taking significant precautions to hide their movements in a vast enterprise environment where it’s impossible to analyse every endpoint.
Naturally, this meant some additional techniques were covered. Malware (as well as the ways it can be hidden and made persistent) was examined in far greater detail. We were taught how to find and decode commands executed in PowerShell, a mainstay of modern cyber attacks. Memory forensics with Volatility formed a core – and particularly fascinating – part of the content. And the course finished with a deep dive into the inner workings of the NTFS file system, timestamp tampering, and how evidence – or even copies – of deleted files can be dragged up based on the metadata available on the disk.
When all this is combined with the process-focused segments, I believe SANS FOR508 has made me a much better rounded incident responder and threat hunter. If an attacker is trying to cover their tracks with obfuscation and wiping, key evidence exists only in an endpoint’s memory, or malware is hiding like a needle in a haystack across thousands of computers and servers, I think I would have a far better chance of identifying them now and determining how far the activity had spread.
As usual, the final day of the course was devoted to a challenge giving students the chance to put everything they’d learnt into practice. We were supplied with timelines and disk and memory images from across a small enterprise network and tasked with identifying malicious activity, presenting our findings to the rest of the class at the end. I won’t give anything away here, but the exercise was a lot of fun and my team were voted the winners, giving me another SANS challenge coin for my collection.
The GIAC exam was honestly a tough one – definitely the most challenging of the four I’ve taken so far. But that’s in keeping with the tone of the course, where the focus is as much on analysis and judgement as it is on content and knowledge. This was also the first GIAC exam I’ve taken that had a practical element – something I was slightly skeptical of given the state of the PCs in most exam centres.
However, when it came down to it the virtual machine worked without a hitch, and I have to say I actually enjoyed having the opportunity to demonstrate my new skills when it mattered. I walked out with a score of 89 per cent and the GIAC Certified Forensic Analyst (GCFA) certification.
All in all, SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics was a huge course, a massive challenge, and hugely valuable. I would recommend it to anybody working in incident response, threat hunting, or forensics who is looking to take their skills to the next level.