Forensic wheels

You are not your thoughts, they are just the finger pointing at the moon

Posts

  • My review of the SANS Enterprise Forensics and Threat Hunting Course - SANS FOR608
    Dirk – 2025-05-29 Thu
  • Some thoughts and ideas about what OpenBSD and Zen have in common - OpenBSD and Zen
    Dirk – 2025-05-26 Mon
  • This is my intro post for my blog - About
    Dirk – 2025-05-26 Mon

Jun 21, 2025

SANS FOR608

Enterprise Threat hunting and Response (FOR608)

Course description from SANS:

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. By using example tools built to operate at enterprise-class scale, students learn the techniques to collect focused data for incident response and threat hunting, and dig into analysis methodologies to learn multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using an array of analysis techniques.

Introduction

Brief overview of forensic analysis and its application

Forensic analysis in computer science investigates digital evidence to solve cybercrimes and security incidents. In enterprise environments, it involves analyzing devices, networks, and cloud storage. Key applications include incident response, compliance with regulations, investigations, and predictive analytics.

Tools like Timesketch, Velociraptor or Wireshark, and cloud forensics platforms aid in the analysis. Collaboration between IT and law enforcement is also crucial for successful investigations.

The goal of forensic analysis is to reconstruct events, identify perpetrators, and determine damage extent, ensuring organizations can respond effectively to security threats and maintain compliance with regulations.

Course Overview

Proactive Detection and Response (608.1)

The FOR608 course begins in chapter 1 by discussing current cyber defense concerns and the importance of collaboration among incident responders and threat hunters. It emphasizes the need for sharing knowledge from sources like the MITRE ATT&CK framework and explores the concept of active defense, including the use of honeypots, honey tokens, and canaries to slow down attackers and facilitate detection.

When a compromise does occur, the course focuses on efficient handling of intrusions, covering topics such as leading the response, managing team members, documenting findings, and communicating with stakeholders. The Aurora documentation tool is introduced as a means for tracking investigation phases from initial detection to remediation.

The chapter then dives into an example scenario where an alert is triggered in a company network, and triage data is analyzed using Timesketch, a powerful platform for scalable and collaborative analysis of forensic data. Additionally, techniques are shared for viewing the same data set with Kibana, which offers capabilities such as creating dashboards and saved searches to aid analysis.

Chapter 608.1 concludes by examining key threat intelligence concepts, including developing and implementing internal threat intelligence. External projects like MITRE ATT&CK and Sigma are leveraged, and two comprehensive threat intel platforms, MISP and OpenCTI, are introduced. A threat intel report on the adversary targeting Stark Research Labs is presented to kick off the investigation into potential signs of intrusion in the company.

Scaling Response and Analysis (608.2)

The course continues from chapter 1 by focusing on response actions. Students learn how to collect evidence at scale to scope a potential intrusion by leveraging endpoint telemetry from EDR solutions and sensors such as Sysmon. They also discuss common bypass techniques that attackers use to evade EDR technology. To aid in this analysis, the Velociraptor tool is introduced as a powerful platform for incident response and threat hunting.

The chapter shows how Velociraptor can collect forensic artifacts from across the enterprise and provide deep-dive capabilities into individual hosts of interest. Additionally, Elasticsearch is used to ingest and process data from various tools, allowing for fast searches and aggregations. Students also learn about rapid response options for targeted data collections at scale using tools like Velociraptor and CyLR. Finally, solutions are presented for quickly processing acquired data for analysis in tools like Timesketch and individual artifact review.

Modern Attacks against Windows and Linux DFIR (608.3)

The third chapter of the course shifts focus from network-based analysis to traditional host-based forensic artifact analysis. It begins by discussing modern attack techniques on Windows systems, including ransomware and “living-off-the-land” (LOTL) attacks that avoid detection by using built-in binaries and scripts. The use of Sigma rules is highlighted as a way to facilitate rapid detection and response.

The section also covers Linux incident response and analysis, starting with common vulnerabilities and exploits targeting Linux systems. It then dives into DFIR fundamentals for analyzing Linux systems, including key concepts such as differences among Linux distributions and file systems, and strategies for handling initial triage and deeper forensic analysis. The chapter concludes by providing best practices for hardening Linux systems and enhancing logging configurations to aid future investigations.

Analyzing macOS and Docker Containers (608.4)

The course now focuses on Apple macOS incident response, building on the foundation established earlier. This includes understanding the history, ecosystem, and details of the Apple Filesystem (APFS), file structure, and important file types such as Property List (plist) configuration files. A discussion of challenges and opportunities in responding to macOS incidents follows, covering topics like acquiring disk and triage data, reviewing acquisitions, and identifying suspicious activity in logs and artifacts.

This part of the course then transitions to containerized microservices and Docker analysis, focusing on the architecture and management of Docker containers and providing a specific triage workflow for quick and effective response against individual containers as well as the container host.

Cloud Attacks and Response (608.5)

This part of the course focuses on incident response in major cloud platforms from Microsoft and Amazon, covering log analysis techniques, architecture designs, and automation initiatives that can be applied across various cloud providers. It highlights unique challenges and opportunities in cloud environments, particularly through the use of the MITRE ATT&CK framework’s Cloud Matrix.

In-depth discussion follows on Microsoft 365 (M365) and Azure, including popular SaaS offerings like Entra ID, Exchange, SharePoint, and Teams, as well as common attack scenarios against these platforms. The importance of log analysis is emphasized, particularly in identifying suspicious user logon and email activity from Unified Audit Logs.

The course then addresses the Recovery phase, covering security enhancements to detect or prevent similar attacks in the future for M365 and Azure.

Next, it delves into Amazon Web Services (AWS), covering its general architecture and components, as well as numerous logs and services providing critical detection and analysis data for responders. Discussions focus on architecting for response in the cloud, including setting up security accounts for a secure enclave within AWS, using template VMs (AMIs) for analysis, and automating IR tasks with AWS Lambda and Step Functions.

Capstone: Enterprise-Class IR Challenge

The final section of the course is a capstone exercise that allows students to apply their knowledge by working on a simulated breach scenario. They will receive a dataset from a compromised environment that spans multiple host operating systems and cloud environments, and use tools and techniques learned throughout the course to uncover the steps of the breach.

Key Takeaways

Summary of key concepts and skills learned during the course

During the SANS FOR608 course, I learned key concepts and skills that enable me to manage and coordinate an incident response team effectively, including enterprise-level incident detection and the deployment of threat hunting strategies. The course covered large-scale event correlation and timeline analysis techniques to identify patterns and trends in incidents, as well as multi-platform artifact analysis for incident response.

Specifically, I gained hands-on experience analyzing artifacts from various platforms, including Windows devices, Linux systems, macOS devices, containerized environments, and cloud-based infrastructure. This comprehensive training has equipped me with the knowledge and tools needed to detect, analyze, and respond to complex threats in enterprise environments.

Analysis of learning outcomes and their application in real-world scenarios

Based on the provided course materials, I have analyzed my learning outcomes and their application in real-world scenarios. Through my analysis, I have gained a deeper understanding of the key concepts and skills required for effective cloud response and analysis, container DFIR fundamentals, detecting modern attacks, enterprise incident response management, enterprise visibility and incident scoping, foundational cloud concepts, Linux DFIR fundamentals, macOS DFIR fundamentals, macOS essentials, and rapid response triage at scale.

I have also gained practical knowledge of how to correlate large volumes of data to identify patterns and trends in incidents.

In particular, my experience with cloud-based infrastructure has highlighted the need for a comprehensive understanding of foundational cloud concepts, including popular cloud services that enterprises use to support business operations. I have also gained familiarity with common data source types in an enterprise environment and strategies to aggregate telemetry from disparate resources.

My analysis of learning outcomes suggests that effective application of these skills requires a combination of technical expertise, analytical thinking, and communication skills. By mastering these skills, I am confident in my ability to respond effectively to complex incidents and provide value to organizations as a security professional.

Conclusion and Recommendations

Summary of overall effectiveness of the SANS Forensics course FOR608

The SANS FOR608 course is a comprehensive training program that provides students with a strong foundation in incident response, threat hunting, and digital forensic analysis. Through its curriculum, the course covers key concepts and skills related to managing incident response teams, detecting threats in enterprise environments using advanced analytics tools, correlating large volumes of data to identify patterns and trends in incidents, analyzing artifacts from various platforms including Windows devices, Linux systems, macOS devices, containerized environments, and cloud-based infrastructure.

Analysis:

  • Comprehensive coverage: The course covers a wide range of topics related to incident response and digital forensic analysis, providing students with a comprehensive understanding of the subject matter.
  • Hands-on experience: The course includes hands-on exercises that allow students to apply their knowledge in real-world scenarios, which helps to reinforce learning and improve retention.
  • Practical skills: The course emphasizes practical skills over theoretical concepts, which is beneficial for security professionals who need to respond to incidents in a timely and effective manner.
  • Real-world relevance: The course covers topics that are relevant to real-world scenarios, making it easier for students to apply their knowledge in practical settings.

Summary:

In my opinion the SANS FOR608 course is highly effective in providing students with a comprehensive understanding of incident response and digital forensic analysis. Through its comprehensive coverage, hands-on exercises, and emphasis on practical skills, the course provides security professionals with the knowledge and skills needed to respond effectively to incidents. Overall, the course is well-structured, engaging, and relevant to real-world scenarios, making it an excellent choice for individuals looking to improve their incident response and digital forensic analysis skills.

Recommendations for future students looking to learn forensic analysis skills

Gain Practical Experience

Before enrolling in a forensic analysis course, try to gain as much practical experience as possible, for example by practicing Sherlocks on Hack The Box or trying your hand at malware analysis challenges. This could also involve setting up your own home lab, participating in bug bounty programs, or volunteering to help a friend or family member with their computer issues. The more hands-on experience you have, the better equipped you’ll be to learn and apply forensic analysis skills.

Develop Your Analytical Skills

Forensic analysis requires strong analytical skills, including attention to detail, critical thinking, and problem-solving. Practice these skills by working on puzzles, brain teasers, or other activities that challenge your mind. You can also try analyzing data sets, network traffic logs, or system logs to develop your skills.

Learn about Cloud Computing

As a forensic analyst, it’s essential to understand cloud computing and how it affects the analysis of digital evidence. Take online courses or attend webinars that teach you about cloud security, compliance, and investigation techniques. This will help you stay up-to-date with the latest trends and technologies.

Familiarize Yourself with Linux and macOS

Linux and macOS are popular operating systems used by many organizations, including those in the finance, healthcare, and government sectors. Take online courses or attend workshops that teach you about these operating systems, including their command-line interfaces, file systems, and security features.

Join Online Communities

Joining online communities, such as Reddit’s r/learnprogramming or r/netsec, can be a great way to connect with other professionals in the field, ask questions, and learn from their experiences. You can also participate in online forums, attend webinars, or join online study groups to stay updated on the latest forensic analysis techniques.

Consider Specializing in a Specific Area

Forensic analysis is a broad field that encompasses many areas, including computer forensics, mobile device forensics, and digital evidence collection. Consider specializing in a specific area that interests you the most, such as incident response or threat hunting. This will help you develop deeper knowledge and skills in that area.

Stay Up-to-Date with Industry Developments

The field of forensic analysis is constantly evolving, with new technologies and techniques emerging regularly. Stay up-to-date with industry developments by attending conferences, webinars, or online courses that focus on the latest trends and advancements.

May 26, 2025

About

Hi! I’m Dirk, a security engineer with a passion for skateboarding and forensics. By day, I help my company safeguard their networks and systems from the ever-evolving threats in the cybersecurity landscape.

But when the sun goes down, my true self emerges. Skateboarding is not just my hobby - it’s my passion, my center, and my identity. For me, Skatelife is more than just a lifestyle; it’s a way of life that embodies creativity, freedom, community, and family. I’ve been skating for years, and I still get that same feeling every time I’m on my board.

In addition to my love for skateboarding, I’m also a big enthusiast of OpenBSD - the most secure, yet accessible operating system out there. I’ve built my own OpenBSD-based router and infrastructure for threat hunting, which allows me to stay one step ahead in the game of cybersecurity. There’s something about the simplicity, elegance, and power of OpenBSD that resonates deeply with me. You can also read about the similarities I see between OpenBSD and Zen.

As a nerd, I have to mention my love affair with Emacs - the most flexible and customizable text editor out there. I’ve been using it for over 12 years now, and I still can’t imagine working without it. Whether I’m writing code, weblogging, or just tinkering with snippets of text, Emacs is always by my side.

As I navigate the world of cybersecurity, I’m always looking for ways to improve my skills, stay ahead of the curve, and when I’m not geeking out over security patches or network protocols, you can find me:

  • Shredding on my deck (Skatelife all the way!)
  • Exploring the depths of OpenBSD and building cool stuff
  • Rocking with Emacs (like this Hugo blog, for example)
  • Writing about my adventures, insights, and projects

Stay tuned for more updates on my journey as a security engineer, skateboarder, OpenBSD enthusiast, and Zen student.

And since I am searching for a new employer right now, I will update this part soon with a more professional, CV-like section.

Mar 16, 2025

OpenBSD and Zen

About

As someone who is into security, I’ve always been fascinated by the world of Unix operating systems. Among them, OpenBSD stands out for its commitment to security, stability, and simplicity. But what sets it apart from other OSes? And how does it relate to my journey with Zen meditation?

At first glance, OpenBSD and Zen might seem like vastly different concepts. One is a powerful operating system, while the other is a spiritual practice that originated in ancient China. However, as I dived deeper into both worlds, I discovered some intriguing commonalities.

Simplicity and Clarity

OpenBSD’s minimalist approach to software design resonates deeply with the principles of Zen Buddhism. In Zen, simplicity is key to achieving inner clarity and balance. By stripping away unnecessary complexity, OpenBSD aims to create a stable and secure foundation for users. Similarly, in meditation, simplicity helps to quiet the mind and focus on the present moment.

Attention to Detail

Both OpenBSD and Zen emphasize the importance of attention to detail. In software development, this means carefully crafting each line of code to ensure stability and security. In Zen practice, it means paying close attention to one’s breath, posture, and mental state to achieve a state of mindfulness. By focusing on these details, both OpenBSD and Zen strive for perfection.

The Power of Consistency

OpenBSD’s commitment to consistency is evident in its codebase, where every code change goes through code review. In Zen practice, consistency is also crucial, as it helps to establish a sense of routine and stability. By establishing a daily meditation practice, I’ve found that consistency is key to making progress on my spiritual journey.

The Beauty of Imperfection

Finally, both OpenBSD and Zen recognize the beauty in imperfection. In software development, imperfections can often be corrected or mitigated through careful design and testing. In Zen practice, imperfections are seen as opportunities for growth and self-awareness. By embracing our imperfections, we can cultivate a sense of humility and compassion.

As I continue on my journey with OpenBSD and Zen, I’m struck by the ways in which these two seemingly disparate worlds intersect. By embracing simplicity, attention to detail, consistency, and the beauty of imperfection, both OpenBSD and Zen offer unique insights into the nature of software development and personal growth.

Stay tuned for more updates from my adventures in the world of security, coding, and spiritual growth!

Ideas for future posts:

  • “My favorite OpenBSD configuration files and tweaks”
  • “How I use Zen principles to improve my coding workflow”
  • “The intersection of security and spirituality: How both inform each other”