SANS Digital Forensics and Incident Response Blog

New Incident Response and Digital Forensic Techniques - Countering the Advanced Persistent Threat

Over the past two years, we have seen a dramatic increase in sophisticated attacks against organizations. Cyber-attacks originating from China, named the Advanced Persistent Threat (APT), have proved difficult to suppress. Financial attacks from Eastern Europe and Russia obtain credit card and financial data, resulting in millions of dollars stolen.

Commercial and Federal IT security teams have been battling multiple intrusions attributed to the Advanced Persistent Threat during the past several years. The adversary is good and getting better. Are we learning how to counter them? Yes, we are. Learn how.

Over the past two years, we have been updating the forensic and incident response courses at SANS to include the latest tactics for finding and defeating the APT. The course where I have focused most of our efforts to train forensicators to deal with this threat is FOR508: Advanced Computer Forensic Analysis and Incident Response.

Over the past year we have added and updated key sections aimed at directly responding to the advanced adversaries that organizations currently face.

  1. Is there malware on this machine? Ever been handed a hard drive with the task to "Find Evil" but no idea where to start looking? FOR508 now has a section that deals solely with examining compromised systems for unknown malware. This process draws on many of the skills a forensicator must have in order to "FIND EVIL" when they do not know where to look.
  2. Timeline Analysis and Super-Timeline Analysis. Critical to any case, the past two years have seen a dramatic increase in the need for timeline analysis in incident response and digital forensics. Having mastered artifact analysis in FOR408, students will appreciate being able to automatically track system activity at a glance. By examining file system, Windows OS artifacts, and registry entries from a single machine, an examiner can determine exactly what happened at any time.
  3. Memory Analysis. Being able to sort through network connections and active processes from a memory snapshot is a critical skill for finding malware during an intrusion case. Moving from malware identification during live response to recovering APT "command and control" channel data, memory analysis is now critical in modern incident response.
  4. Enterprise Investigations. Investigators must use new techniques to investigate not only a single system, but hundreds simultaneously. As part of this class, we equip each student with F-Response Tactical, which allows them to remotely examine a system without first having to image it. This gain in efficiency is needed in order to quickly scan systems during a large-scale breach. Imaging each system to perform forensics is now reserved for rare, specific situations. This new addition will change the way you respond to breaches across your enterprise.

FOR508 has been updated with the latest investigative techniques to arm you with the knowledge needed to counter advanced adversaries. Our cyber enemies are growing in knowledge and sophistication. FOR508: Advanced Computer Forensic Analysis and Incident Response arms you with the tools and tactics to counter them.