FOR572: Advanced Network Forensics and Analysis
If you are into disk/memory forensics, you will need this, too!
Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available.
Alexander Bond, Mandiant
Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.
It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.
FOR572: ADVANCED NETWORK FORENSICS AND ANALYSIS was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.
This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.
Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of "threat hunters", this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensic alumni from 408 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.
The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the SOF-ELK platform - a VMware appliance pre-configured with the ELK stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parse utility, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the Moloch platform is also used. Through all of the in-class labs, your shell scripting abilities will also be used to make easy work of ripping through hundreds and thousands of data records.
FOR572 is truly an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.
Advanced Network Forensics and Analysis Course Topics:
- Foundational network forensics tools: tcpdump and Wireshark refresher
- Packet capture applications and data
- Unique considerations for network-focused forensic processes
- Network evidence types and sources
- Network architectural challenges and opportunities for investigators
- Investigation OPSEC and footprint considerations
- Network protocol analysis
- Domain Name Service
- Hypertext Transfer Protocol
- File Transfer Protocol
- Microsoft protocols
- Simple Mail Transfer Protocol
- Commercial network forensic tools
- Automated tools and libraries
- Collection approaches
- Open-source NetFlow tools
- Wireless networking
- Capturing wireless traffic
- Modes of wireless operation
- Useful forensic artifacts from wireless traffic
- Common attack methods and detection
- Log data to supplement network examinations
- Microsoft Windows Eventing
- HTTP server logs
- Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
- Log collection, aggregation, and analysis
- Web proxy server examination
- Secure HTTP/Secure Sockets Layer
- Deep packet work
- Network protocol reverse engineering
- Payload reconstruction
For multi-course live training events, there will be a set up time from 8:00-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.
|FOR572.1: Off the Disk and Onto the Wire|
Focus: Although many concepts of network forensics are similar to those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.
Network data can be preserved, but only if captured directly from the wire. Whether tactical or strategic, packet capture methods are quite basic. You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then go hands-on to find and extract stolen data from the proxy yourself.
The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.
CPE/CMU Credits: 6
|FOR572.2: Core Protocols & Log Aggregation/Analysis|
FOCUS: There are thousands of protocols that may be in use within a production network environment. We will cover several of these that are most likely to benefit the forensicator in typical casework, as well as several that help demonstrate analysis methods useful when facing new, undocumented, or proprietary protocols. By learning the "typical" behaviors of these protocols, we can more readily identify anomalies that may suggest an adversary is misusing that protocol for nefarious purposes. These protocol artifacts and anomalies can be profiled through direct traffic analysis as well as through the log evidence created by systems that have control or purview of that traffic. While this affords the investigator with vast opportunities to analyze the network traffic, efficient analysis of large quantities of source data generally requires tools and methods designed to scale.
Knowing how protocols appear in their normal use is critical if investigators are expected to identify anomalous behaviors. By looking at some of the more commonly-used network communication protocols, we will specifically focus on the ways in which they can be easily misused by an adversary or a malware author.
While no one course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way. The ability to "learn how to learn" is critical, as new protocols are being developed every day. Advanced adversaries develop their own protocols, too, and as you will see later in this class, successfully understanding and counteracting an adversary's undocumented protocol is a similar process to learning those you will see in this section.
Log data is one of the unsung heroes in the realm of network forensics. While the near-perfect knowledge that comes with full-packet capture seems ideal, it suffers from several shortfalls. It is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. When they are in use, network capture systems quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks.
Understanding log data and how it can guide the investigative process is an important network forensicator skill. Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture.
In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. You'll use the SOF-ELK platform for post-incident log aggregation and analysis, bringing quick and decisive insight to a compromise investigation.
CPE/CMU Credits: 6
|FOR572.3: NetFlow and File Access Protocols|
Focus: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations. Whether within a victim's environment or for data exfiltration, adversaries must move their quarry around through the use of various file access protocols. By knowing some of the more common file access and transfer protocols, a forensicator can quickly identify an attacker's theft actions.
Just as even a fuzzy photo can provide valuable leads in a traditional investigation, NetFlow data can provide a network forensicator with extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed investigative activities.
NetFlow is also an ideal technology to use in baselining typical behavior of an environment, and therefore, deviations from that baseline that may suggest malicious actions. Threat hunting teams can also use NetFlow to identify prior connections consistent with newly-identified suspicious endpoints or traffic patterns.
In this section, you will learn the contents of typical NetFlow protocols, as well as common collection architectures and analysis methods. You'll also learn how to distill full-packet collections to NetFlow records for quick initial analysis before diving into more cumbersome pcap files.
You'll also examine the File Transfer Protocol, including how to reconstruct specific files from an FTP session. While FTP is commonly used for data exfiltration, it is also an opportunity to refine protocol analysis techniques, due to its multiple-stream nature.
Lastly, you'll explore a variety of the network protocols unique to a Microsoft Windows or Windows-compatible environment. Attackers frequently use these protocols to "live off the land" within the victim's environment. By using existing and expected protocols, the adversary can hide in plain sight and avoid deploying malware that could tip off the investigators to their presence and actions.
CPE/CMU Credits: 6
|FOR572.4: Commercial Tools, Wireless, and Full-Packet Hunting|
Focus: Commercial tools are a mainstay in the network forensicator's toolkit. We'll explore the various roles that commercial tools generally fill, as well as how they can be best integrate to an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.
Commercial tools hold clear advantages in some situations a forensicator may typically encounter. Most commonly, this centers on scalability. Many open-source tools are designed for tactical or small-scale use. Whether using them for large-scale deployments or for specific niche functionalities, these tools can immediately address many investigative needs. You'll look at the typical areas where commercial tools in the network forensic realm tend to focus, and discuss the value each may provide for your organizational requirements or those of your clients.
Additionally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examinations, as well as what interesting artifacts can be recovered from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be covered, including how attackers can leverage those weaknesses during an attack, and how they can be detected.
Finally, we will look at methods that can improve at-scale hunting from full-packet captures, even without commercial tooling. We will look at the open-source Moloch platform and how it can be used in live and forensic workflows. You'll receive a ready-to-use Moloch virtual machine and load source data from an incident we previously investigated, seeking ground truth from the previously-captured full-packet data.
CPE/CMU Credits: 6
|FOR572.5: Encryption, Protocol Reversing, OPSEC, and Intel|
Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Strong encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses even in the most advanced adversaries' methods. As we learn what the attackers have deliberately hidden from us, we must operate carefully to avoid tipping our hats regarding the investigative progress - or the attacker can quickly pivot, nullifying our progress.
Encryption is frequently cited as the most significant hurdle to effective network forensics - and for good reason. When properly implemented, encryption can be a brick wall in between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.
We will also discuss undocumented protocols and the reuse of existing protocols for nefarious purposes. Specifically, we will address how to derive intelligence value with limited or nonexistent knowledge of the carrier protocol.
Finally, we will look at how common missteps can provide the attacker with clear insight to the forensicator's progress. This often leads to the attacker changing their tactics, confounding the investigator and even erasing all the progress made to that point. We'll address best practices on conducting investigations and in a compromised environment and ways to share hard-earned intelligence that mitigate that mitigate the risks involved.
CPE/CMU Credits: 6
|FOR572.6: Network Forensics Capstone Challenge|
Focus: This section will combine all of what you have learned prior to and during this week. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available - only the network and its infrastructure.
Students will test their understanding of network evidence and their ability to articulate and support hypotheses through presentations made to the instructor and class. The audience will include senior-level decision makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.
CPE/CMU Credits: 6
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Apple OS X users, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player Plus 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player Plus is a free download that does not need a commercial license. Please note that other virtualization software is not supported in the lab environment, and may not successfully run the supplied virtual machines.
MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY FOR572 SYSTEM SOFTWARE REQUIREMENTS (Install the following prior to the beginning of the class):
OPTIONAL ITEMS TO BRING TO CLASS
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
"We had to deal with a DDoS where the only available data was a 600GB PCAP file. We reduced to NetFlow and loaded that to the SOF-ELK VM. It quickly showed the waves of attack and how effective the countermeasures were." -David D.
"You won't get exposure to the breadth of info on network forensics in any other course." - Devin Johnson, SaskPower
"NetFlow is Cool. We've been receiving massive NetFlow feeds but were unable to fully utilize them apart from DDoS. With this course, I'm getting so many ideas how to use them in hunting." - SANS Student, FOR572 Singapore
"I literally was alerted to a potential incident from work on day 5 and used things I'd learned in class to analyze and help remediate." - P Cake, PeaceHealth
"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results." - Charlie H.
"This is an incredible curriculum. This class NEEDED to happen and I am glad it did." - Peter Steinmann
"Cutting edge - puts me ahead in the job market." - Anonymous
"Very good real-world material." - Jason Lawrence
"Great resource. Only true network forensics course I know of." - Jeremy Robbins
"If you are into disk/memory forensics, you will need this, too!" - Wouter Jansen
"This class is immediately applicable to my work environment." - Thomas Heffron
"No FLUFF - focused and targeted learning!" - Jackie Stokes
"Awesome! Best SANS course I have taken!" - Jim Horvath
"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large scale APT breach will not have full packet capture available for what could be over a year of attacker activity, but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander Bond, Mandiant
"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
"SANS Institute has many valuable assets - Phil Hagen is one of them." - Anonymous
"Loving the detailed and mutli-layered labs. I have been doing the walkthroughs for time sake but will revisit in depth later." - Anonymous
"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.
"Phil shared an example with pastesite.com extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous
"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.