SANS Digital Forensics and Incident Response Blog

The APT is already in your network. Time to go hunting — Learn how in new training course SANS FOR508

The Advanced Persistent Threat is already in your network. Time to go hunting.

It begins on Day 0: a three- or four-letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems, including
You are compromised by the APT.

What is the APT? The APT is a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns. Its goal is to maintain access to victim networks and exfiltrate intellectual property as well as information that is economically and politically advantageous. Typically, the APT has originated from and operated out of China.

Most organizations are left speechless, as 90% of all intrusions are now discovered through third-party notification. In many cases, the APT has been on your network for years.

Learn how to hunt for the APT in the completely new training course from SANS, FOR508: Advanced Incident Response and Forensics.

The NEW FOR508 APT-based course debuted at SANS SECWEST in San Diego in May 2012 to some amazing feedback and reviews. The course, almost completely rewritten from scratch (80% new material), focuses on training incident response teams to hunt down and counter the APT in their networks. Most organizations simply cannot detect and respond to the APT. Using direct knowledge of how the APT operates, we have set up a training environment that takes each student through a scenario that many in the class who had worked APT cases said was "dead on" in accuracy and capability for what these adversaries are able to accomplish.

I hope you consider taking the new FOR508 this year. If your network has been compromised by the APT and you need to train more hunters to find them, this course is specifically designed for your incident response and digital forensic teams. Sign up early to guarantee a seat at the next training event.

The course outline and registration location are posted here:

Upcoming Events List:

The course's core feature is the APT scenario, which took over a year to build. The scenario is extremely detailed, and many in the class who had experience working APT cases said that they felt they were responding to APT-compromised networks. To appreciate the careful attention to detail that went into engineering the network and the breach, I recommend reading this blog: Is A/V Really Dead?

Each incident responder/forensicator who attends the course will:

  • Detect unknown live malware and dormant malware in memory across multiple machines in an enterprise environment
  • Find beacon malware over port 80 that the APT used to access its C2 channel
  • Identify how the breach originally occurred by identifying the beachhead and the spear-phishing attack
  • Target hidden and time-stomped malware and utility-ware that the APT uses to move through your network and maintain its presence
  • Discover which systems the APT laterally moved to and how it transitioned from system to system easily without being detected
  • Understand how the APT was able to acquire domain admin rights in a fairly locked-down environment
  • Track the APT as it collects critical data and shifts it over to a staging system
  • Recover RAR files that the APT exfiltrated from the enterprise network
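The "time-stomped malware" item above refers to attackers rewriting a file's timestamps so it blends in with legitimate system files. One triage check responders use is comparing the two sets of timestamps NTFS keeps for every file: the $STANDARD_INFORMATION ($SI) times, which the user-mode SetFileTime API can change, and the $FILE_NAME ($FN) times, which only the kernel updates. The script below is an added example written for this post, not FOR508 course material or a SANS tool; the MFT records it scans are constructed sample data, and the field names (`si_created`, `fn_created`, and so on) are this example's own naming, not a particular parser's output format.

```python
"""Flag NTFS timestamp anomalies that commonly indicate time-stomping.

Added example (not from the SANS post or the FOR508 course). Two heuristics:
  1. $SI creation time earlier than $FN creation time. Common stomping
     tools rewrite $SI through SetFileTime but cannot touch $FN, so a
     stomped file often shows $SI "born" before its own $FN record.
  2. $SI timestamps whose sub-second part is exactly zero. NTFS stores
     100 ns resolution; a tool that accepts a second-granularity time
     leaves the fraction at zero, which real file activity rarely does.
Both are triage indicators, not proof: a file moved in from another
volume keeps its original $SI creation time, and some archivers restore
whole-second timestamps, so hits must be confirmed against other artifacts.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MftRecord:
    """Minimal view of one MFT entry (constructed field names, not a parser's)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation time
    si_modified: datetime   # $STANDARD_INFORMATION last-modified time
    fn_created: datetime    # $FILE_NAME creation time (kernel-maintained)


def _utc(y, mo, d, h, mi, s, us=0):
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


# Constructed sample records for the demonstration; not real MFT output.
SAMPLE_RECORDS = [
    # Genuine system file: $SI and $FN agree, sub-second precision present.
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              _utc(2009, 7, 14, 1, 15, 22, 456789),
              _utc(2009, 7, 14, 1, 15, 22, 456789),
              _utc(2009, 7, 14, 1, 15, 22, 456789)),
    # Stomped look-alike: $SI pushed back to 2009 with a zero fraction,
    # while $FN still records when the file actually landed on disk.
    MftRecord(r"C:\Windows\System32\svchosts.dll",
              _utc(2009, 7, 14, 1, 15, 22, 0),
              _utc(2009, 7, 14, 1, 15, 22, 0),
              _utc(2012, 3, 2, 14, 7, 31, 887610)),
    # Ordinary user document: recent, consistent, full precision.
    MftRecord(r"C:\Users\alice\Documents\q2.xlsx",
              _utc(2012, 5, 1, 9, 3, 12, 120500),
              _utc(2012, 5, 3, 16, 44, 0, 980123),
              _utc(2012, 5, 1, 9, 3, 12, 120500)),
]


def timestomp_indicators(rec: MftRecord) -> List[str]:
    """Return the list of heuristics that fire for one record (empty if none)."""
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("si_created_before_fn_created")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("si_zero_subsecond")
    return reasons


def triage(records) -> Dict[str, List[str]]:
    """Map each suspicious path to the indicators that fired for it."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Running it flags only the constructed `svchosts.dll` record, on both indicators. In practice the records would come from a parsed $MFT, and a hit is a starting point for the memory, prefetch and event-log correlation the course outline describes, not a verdict on its own.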


Some student reviews from our first run at SECWEST 2012 this month:

"I was surprised and amazed at how easy it is to do memory analysis and how helpful it is." — Brian Dugay, Apple


"The examples in the course relate to what I need to know to deal with real world threats." — Tim Weaver, Digital Mtn. Inc


"The level of detail is amazing. The methodology is clearly effective at finding pertinent artifacts." — no name


Rob Lee Author Statement about the NEW FOR508:

"There are people smarter than you; they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said this when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The Advanced Persistent Threat (APT) has compromised over fifty percent of the Fortune 500. Over 90% of these breaches went undetected for months and some even years. The enemy is getting better, bolder, and their success rate is impressive.

During incidents, advanced threats can be stopped. We need to field more sophisticated incident responders and digital forensic investigators. We need trained hunters that can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: Advanced IR and Digital Forensics is crucial training for you to become a lethal hunter to step up to these advanced threats. The enemy is good. We are better. This NEW course will help you become one of the best."

- Rob Lee

If you have specific questions about the exercises in the course, APT scenario, or course material, please feel free to leave a comment or email me at rlee "at"



Posted June 27, 2012 at 6:25 AM

Botnet Tracker

Does Stuxnet qualify as an APT? Who is behind Stuxnet? Will the SANS FOR508 training course teach me how to detect and respond to Stuxnet?

Posted July 6, 2012 at 1:51 AM

Rob Lee

It does to an extent, but the APT is not malware, so the people behind Stuxnet would be a nation-state actor and thus probably use techniques employed in a similar way as the APT. We actually do show how to perform memory analysis of Stuxnet in the class and show you how to detect it and respond to it.

Posted October 9, 2012 at 7:19 PM

Nitin Kushwaha

Hey Rob,
Gr8 job!!
Is FinFisher/FinSpy a variant of APT, and also Poison Ivy?
Nitin Kushwaha