The rise of the Advanced Persistent Threat (APT) is changing how computer forensics and first-response teams deal with suspected breaches. In the view of Rob Lee, a leading expert in the field and SANS Faculty Fellow, “When we talk about APT, let’s be clear, we are addressing state-sponsored, highly skilled and organised cyber-attacks that are part of a long-term strategic assault against economic, military and infrastructure targets.” (TZ)
Over his 15-year career, Lee has seen the rise of APT, first as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information warfare, and later as part of the Air Force Office of Special Investigations (AFOSI), where he led a team conducting computer crime investigations, incident response, and computer forensics.
“Many of the traditional skills that Computer Forensic Analysis and Incident Response teams rely on need to be updated when it comes to APT,” says Lee. “Information security tends to think defensively, while an APT attack needs a more robust response. Response teams need to search and destroy the root cause, but often across multiple systems and vectors in a highly scalable way.”
Lee is the Curriculum Lead for all of SANS’ Forensic courses and was part of the team that rewrote the SANS FORENSICS 508 Advanced Computer Forensic Analysis and Incident Response course with a syllabus that reflects the rise of APT. “The course is normally updated three times a year, but we felt that the current landscape of state-sponsored cyber-attacks needed to be addressed in a more fundamental way.”
FORENSICS 508 is an advanced course and requires each student to attend the FOR408: Computer Forensic Investigation course or pass the FOR408 Assessment Test. One example of the new course’s response to APT is a more detailed section on advanced memory acquisition and analysis, live response, and volatile evidence collection.
The new course will make its European debut at SANS’ first dedicated Digital Forensics training event in Prague in October. The full immersion experience over a 7-day event combines leading experts’ presentations and four in-depth IT forensics courses. The event will kick off on 7th October with the annual European Digital Forensics and Incident Response Summit, which will include respected experts from the IT security community sharing their knowledge and expertise to help senior practitioners fight cybercrime more effectively.
Alongside Rob Lee teaching FOR508, the event will debut the brand new FOR563: Mobile Device Forensics class, which will be taught by Jess Garcia. The impressive line-up of instructors is completed by two more course authors and highly respected digital forensics practitioners: Chad Tilbury teaching FOR408: Computer Forensic Investigation – Windows In-Depth, and Lenny Zeltser teaching FOR610: Reverse Engineering Malware.
Full details of SANS Forensics Prague 2012 are available at https://www.sans.org/forensics-prague-2012/
About SANS (www.sans.org)
SANS was established in 1989 as a cooperative research and education organisation. Its programs reach more than 400,000 security professionals, auditors, system administrators, and network administrators who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.