SANS Digital Forensics and Incident Response Blog

New Advanced Persistent Threat-Based FOR508 Released in OnDemand

It begins on Day 0: A three- or four-letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems. You are compromised by the APT.

Most organizations are left speechless, as 90% of all intrusions are now discovered through third-party notification. And in many cases, the APT has been on your network for years.

Learn how to hunt for the APT in this completely new training course from SANS: FOR508, Advanced Incident Response and Forensics.

The NEW FOR508 APT-based course debuted at SANS Security West in May 2012 to some amazing feedback and reviews. The course, almost completely rewritten from scratch (80% new material), focuses on training incident response teams to hunt down and counter the APT in their networks. Most organizations simply cannot detect and respond to the APT. Using direct knowledge of how the APT operates, we have set up a training environment that takes each student through a scenario that many in the class who had worked APT cases said was "dead on" in its accuracy and in the capabilities these adversaries are able to bring to bear.

I hope you consider taking the new FOR508 this year. If your network has been compromised by the APT and you need to train more hunters to find them, this course is specifically designed for your incident response and digital forensic teams. Sign up early to guarantee a seat at the next training event.

The course outline and registration location is posted here:

Upcoming Events List:

The course's core feature is the APT scenario, which took over a year to build. The scenario is extremely detailed, and many in the class who had experience working APT cases said they felt they were responding to a real APT-compromised network. To get a sense of the careful attention to detail we put into engineering the network and the breach, I recommend reading this blog post: Is A/V Really Dead?

Each incident responder/forensicator who attends the course will:
  • Detect unknown live malware and dormant malware in memory across multiple machines in an enterprise environment
  • Find beacon malware over port 80 that the APT used to reach its C2 channel
  • Identify how the breach originally occurred by identifying the beachhead and the spear phishing attack
  • Target hidden and time-stomped malware and utility-ware that the APT uses to move through your network and maintain its presence
  • Use memory analysis and forensics with the SIFT Workstation to detect hidden processes, malware, network connections, and more
  • Track the activity of the APT second by second on the system you are analyzing through in-depth timeline analysis
  • Recover data cleared through anti-forensic techniques used by the APT via Volume Shadow Copy and Restore Point analysis
  • Discover which systems the APT laterally moved to in your enterprise and how they transitioned from system to system without being detected
  • Understand how the APT was able to acquire domain admin rights in a locked-down environment
  • Track the APT as they collect critical data and shift it over to a staging system
  • Recover RAR files that the APT exfiltrated from the enterprise network

Full review and write-up by David Nides, KPMG
Press Articles about the new FOR508 course:

CSO ONLINE: Advanced Persistent Threats can be beaten, says expert. Detection is key, but how you respond to APTs is equally important.

SECURITY BISTRO: Understanding and defeating APT, Part 1: Waking up to the who and why behind APT

SECURITY BISTRO: Understanding and defeating APT, Part 2: Fighting the 'forever war' against implacable foes

Some student reviews from the new FOR508 course:

"I was surprised and amazed at how easy it is to do memory analysis and how helpful it is." - Brian Dugay, Apple

"The examples in the course relate to what I need to know to deal with real world threats." - Tim Weaver, Digital Mtn. Inc.

"The level of detail is amazing. The methodology is clearly effective at finding pertinent artifacts." - no name

The brand new FOR508 is now available in OnDemand.

Save 20% on OnDemand Classes

Through August 22, 2012, SANS invites you to save 20% on all OnDemand courses. Save money and learn from SANS' top instructors without leaving home!

To take advantage of this offer, enter 0724_20 in the Discount Code field when you register for an OnDemand course.