SANS FOR509 Review

Career Development

TLDR

This course focuses on the information that we can leverage from cloud logs and highlights the “gotchas” of when and how they are generated/collected. Compared to traditional forensics, cloud does not offer the same depth of artifacts due to it’s abstracted nature. As a threat hunter, I walked away with a better understanding of where to find various types of activity within the different cloud providers.

Overall Thoughts

Content

FOR509 was a well-paced course without much fluff that dives deep into the content right out the gate on day one. The course knows it’s lane and sticks to it, resulting in 5 days spent on the exact content you need to excel at Cloud Forensics/IR.

Structure

The course was structured to cover one cloud platform per day. This made it easy to start fresh each day without feeling overwhelmed by content building on itself over the course of the week. The downside to this structure is that if you are not working with a particular platform it can be difficult to stay engaged for that day.

Labs

The labs are well written to expose students to different types of logs while highlighting important fields. Each of the lab sections start with the ingestion of raw data in to SOF-ELK rather than preloading it which gives hand on examples how to do it with data from an actual investigation. Pivoting in an investigation is a difficult skill to teach but several of these labs demonstrate how to find something suspicious and then leverage that datapoint to find other related activity.

How does it compare to other SANS forensics classes?

I would not expect to walk away from this course with the same feeling of uncovering hidden or repurposed OS artifacts like 500 or 508 gives you. In traditional forensics we have access to the underlying systems and can leverage artifacts from the OS that were built without forensics in mind. Examples of this in Windows include the efficiency mechanism of prefetch and the wealth of information stored in the registry.

Behind the scenes of these cloud providers there must be an absolutely insane amount of software in place to sustain the various infrastructure/services. The engineers at these companies have direct access to these hidden platforms to troubleshoot and maintain the backend. However, as mere mortals we don’t get access to those underlying systems and must rely on the data that the cloud provider is willing to share through logs.

Instead of focusing on clever artifacts and techniques, this course excels at presenting the nuances of the different cloud providers and how they are represented in the available logs.

What does this course cover in depth?

Core Cloud Services

The service that gets the most attention in each cloud is IAM because this is where access is managed and where we identify things like initial access, privilege escalation, and lateral movement. After the identity section, the material builds on that foundation by looking at the other core services: Compute, Storage, and Networking. These services are covered so you know the basics of the service and where to find important distinctions within the log data but not near deep enough to configure a production environment. While I wouldn’t compare this to the depth of a cloud vendor “Solutions Architect” course, FOR509 spends an appropriate amount of time highlighting the services that are typically relevant in a forensic investigation.

Log Retention/Acquisition

The course clearly outlines what data is logged by default, how long it’s retained and potential cost for adjusting default logging behaviors. It also takes time to showcase how to analyze these logs inside the cloud platform or how to export/forward them out to analyze them in a standalone forensics VM or SIEM. At the end of this course, an incident responder should be able to approach a cloud investigation with the knowledge/tools to acquire data relevant to conduct an investigation.

Log Structure

Each of the cloud platforms have completely different methods for generating and structuring logs. FOR509 clearly explains the different log sources and the type of information you can expect to find in each one. This should guide IR/Forensics folks to the right log source to answer different questions about an intrusion.

What does this course not cover in depth?

Manually Parsing Logs/JSON

Personally wish there was a little more time spent on JQ in this class to help students understand the relationship between the raw logs and the parsed logs they see in SOF-ELK. I also understand that it’s difficult to have enough time to cover deep technical details AND still take the time to teach fairly basic skills like CLI text manipulation. With that said, it might be worth taking the time to brush up on JQ in preparation for the class.

Cloud Attacks

I would also not expect to walk away with a tremendous amount of knowledge around cloud attacks since it isn’t the focus of this course. While there are a few covered in detail, most are mentioned in passing. If you are wanting to learn more about cloud attacks I’d probably look into SEC541 (Cloud Security Attacker Techniques, Monitoring, and Threat Detection) or SEC588 (Cloud Penetration Testing).

Kubernetes Forensics

Only the last 20 slides/pages of the course are reserved for Kubernetes, with about half of those explaining the foundations of Kubernetes (Nodes -> Pods -> Containers). The remaining content covers the different cloud implementations of K8 along with a few case studies on attacks without any hands-on labs. SANS may have a more container/Kubernetes focused course, this one just isn’t it.

Day 6 Challenge

The structure of the challenge follows many SANS Forensics challenges in that:

  • Raw data is provided to the teams
  • The teams are expected to process and analyze that data however they see fit
  • At the end of the allotted time each team will present their findings
  • The winning team will be determined by a classroom vote or by the instructor depending on the class size

This challenge gives students the chance to directly apply the knowledge they gained through the week to raw cloud data. While this dataset wasn’t as large or as noisy as I expected from a forensics course, it did give us the chance to see an adversary pivoting through various cloud environments.

The team I was on worked well together and were able to build a compelling narrative about the intrusion that won us the FOR509 Challenge coin! Here a few tips that worked well for us:

  • Start ingesting data as soon as you can
  • Agree on a method to to document findings and collaborate ( I prefer google sheets)
  • Divide up investigative tasks among team members, ideally matching up with people’s skill sets
  • Break every hour or so to regroup and refocus on tasks, it’s easy to lose a bunch of time down rabbit holes
  • Start building your presentation a few hours before the time limit, it takes longer than you expect and will help you focus on the questions at hand.