SANS FOR508/GCFA Review

PLEASE DO NOT ASK FOR MATERIALS FROM THE COURSE OR INSIGHT INTO THE QUESTIONS ON THE EXAM.

TLDR

This course was an incredible dive into host based forensics and I would highly recommend it for anyone interested in expanding their understanding of the incident response process with host artifacts. I walked away from this course with a much better grasp on how attackers move through an environment and where to find the evidence of their activities. Quite simply, I am a stronger security professional for having taken FOR508.


WHAT…. IS ANY OF THIS?

FOR508 is a course offered by SANS that covers Advanced Incident Response, Threat Hunting, and Digital Forensics.
GIAC Certified Forensic Analyst (GCFA) is the corresponding certification to the course.

AUDIENCE

This course is designed for someone who has full access to hosts in an environment in order to pull artifacts for analysis. To apply most of the tools and techniques in the real world, you’ll need the ability to centralize these artifacts on a single analysis machine. Ideally, this person would have the influence to alter an existing threat hunting/incident response process to include additional artifacts/data sources.

For full transparency, I went into this course not sure if I would be able to keep up or how much I would walk away with. This is not a reflection on FOR508 but a reality of the level of access to machines I have in my current role. As an analyst at an MSSP, I only get direct access to one item on the list below: Windows Event Logs.

Despite the fact that most of the tools/techniques in this course could not be directly applied to my day-to-day role, it exposed me to what is possible once you have access to hosts in an investigation. In all likelihood, I will not master the tools covered in this course until I am in a position to use them on a daily basis. However, I can now speak intelligently when assisting a client with an investigation by providing avenues for further analysis.

COURSE STRUCTURE

SANS courses consist primarily of lectures with breaks throughout the day to get your hands dirty with labs. This back and forth allows you to reinforce the abstract ideas by putting hands on keyboards to watch them in action. The day 6 challenge is an activity that brings together all of the topics and techniques that have been taught over the week.

If you have never taken a SANS course, it’s not uncommon to feel like you’re in control of the info on the first and second day, only to have waves of knowledge overwhelm you by the third or fourth day. My advice to anyone taking the course is to take the first couple of evenings to work ahead in the book. This will make portions of the later days less daunting because it will be information that you have at least seen before.

This course was delivered as a live virtual offering that has been expanded due to COVID. With it being virtual I was worried that it would not match up to the in-person courses I have taken in the past, but that was not an issue. SANS has an awesome setup between GoToTraining (instructor stream) and Slack (student communication). The virtual platforms allow communication among students and instructors without disrupting the class. I even found networking with other students manageable as I could reach out to them on breaks or before/after class, and I walked away with a few solid connections.

COURSE CONTENT

The content for this course was dense like most SANS classes. The first few days seem to jump around to different (seemingly unrelated) pieces of evidence but there is a method to the madness. By day 4 you see these pieces start to come together in timelines to build a holistic picture of the activity in the environment.

Topics covered:

  • Malware Discovery Techniques

  • Evidence of Execution - Shimcache, Prefetch, Amcache

  • Persistence Mechanisms - Autoruns, Scheduled Tasks, WMI Consumers

  • Windows Event Logs - Authentication, Lateral Movement, Persistence

  • Memory Acquisition and Analysis

  • Timeline Creation and Analysis

  • Recovering Deleted Files

  • NTFS Structures

The sheer amount of information in this class was overwhelming, but there were several reference guides that laid out which data sources could show evidence of certain activity. I would suggest focusing on one or two artifacts/data sources to implement at a time rather than trying to completely overhaul an IR/threat hunting process at once. Most of the tools they cover are open source and can be used in a production environment without much issue.

CAPSTONE CHALLENGE

The Day 6 exercise completely changed the way that I look at the methods by which an advanced attacker escalates privileges, propagates malware, and establishes persistence. Each team has 3-5 members and is tasked with tracking an attacker through an environment using host-based data from multiple machines. At the end, the teams present their findings in a PowerPoint format and the class votes on the strongest presentation. The winning team walks away with pride and a challenge coin for the course.

This scenario is designed to provide a very real situation for an incident responder: Too much data and not enough time.

This team-based scenario CLEARLY illustrated the importance of:

  • Prioritizing efforts to focus on answering core questions and avoid following rabbit trails

  • Dividing tasks among team members based on strengths/background

  • Developing a real-time method to document and share your findings

  • Managing time effectively while being nose down in data

The activity drove home these lessons in a way that reading a book/framework never could and I would recommend this course based on this activity alone.

During my session, I was part of an incredibly talented team that walked away with the FOR508 challenge coin!

GCFA EXAM

I obviously can’t share too much about the exam content itself or else I risk the swift hammer of justice from GIAC. This exam was the toughest one I’ve taken, but there were not many “gotcha” questions intended to trip you up. It doesn’t focus on your ability to regurgitate flags for commands but instead on your understanding of the artifacts and what they indicate in certain contexts. Having a role where you can work with this data on a daily basis will certainly be beneficial in preparing for this exam.

GIAC has recently added a practical portion to this exam, which takes the form of 8 questions at the end. These grant you access to a browser-based VM and require you to perform certain commands/tasks to answer the questions. This is a breath of fresh air in a world of multiple-choice exams and gives the candidate a chance to show that they can actually “do the thing”. The questions themselves were not purposefully difficult and stayed mainly in line with the type of activities that were covered in the labs and the day 6 challenge.

BIG PICTURE TAKEAWAYS

  • With the number and diversity of host artifacts, it is near impossible for an attacker to move throughout an environment without leaving some trace.

  • Many of the artifacts we use for forensics were not built with the intention of providing forensic value. The forensics community commandeered them for our own purposes.

  • Despite the changing landscape of exploits and vectors, there are a number of gates that the attacker must go through once they gain access. Knowing how to watch these gates can reduce dwell time substantially.

  • Preparation is incredibly important to Incident Response: make sure that you have developed communication channels and tested methods for collecting/analyzing artifacts BEFORE the breach happens.

TEST FROM HOME - PROCTORU

Due to the current situation with COVID-19, GIAC offers an option to take exams remotely via the service ProctorU.

This solution requires that you follow some basic requirements in order to take the exam:

  • Remote Desktop and VM software are prohibited from being installed on your machine during the time of testing

  • Only a single monitor can be connected

  • A fairly invasive browser extension must be installed into your browser

  • The proctor establishes a remote connection to your machine so they can monitor you during the exam

  • A webcam is used to scan the room and your materials before the exam, as well as to monitor you during it

Obvious privacy concerns aside, the process went rather smoothly and I did not have any issues connecting with a proctor.