SANS: Lethal Network Forensics

  • Sunday, April 19, 2015 | 9:00 AM – 5:00 PM | West | Room: 3004

  • Monday, April 20, 2015 | 9:00 AM – 5:00 PM | West | Room: 3004


LETHAL NETWORK FORENSICS focuses on expanding your forensic mindset to include transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still had to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Whether your threats include nation-state actors, insider threats, script kiddies, or other online miscreants, the knowledge acquired in this course ensures you are prepared to face such dynamic adversaries in a rapidly changing environment.

This course provides you with the skill set necessary to investigate a compromised network environment or design solutions for an existing environment that will minimize the time and cost necessary to investigate a potential compromise in the future.  We use hands-on exercises derived from real-world attacks to ensure you are prepared to address the threats that every Internet-facing network faces daily.  Because the ephemeral nature of network-based data means that raw packet captures are not always available for analysis, we also discuss how to glean insight into past network activities from the variety of log data created by various infrastructure devices that operate on a typical network.

The material covers low-level packet capture approaches and techniques to use high-level data for scoping a compromise, identifying attack traffic, and rooting out network-based data theft. Students use a wide range of tools, including tcpdump, Wireshark, nfdump, Logstash, hex editors, visualization tools, and more.

Students receive the Linux-based SIFT Workstation, with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course.  Using only open-source tools, we show how you can effectively conduct network investigations covering a wide range of attack profiles.