FOR608: Enterprise-Class Incident Response & Threat Hunting

GIAC Enterprise Incident Responder (GEIR)
GIAC Enterprise Incident Responder (GEIR)
  • In Person (6 days)
  • Online
36 CPEs
FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. By using example tools built to operate at enterprise-class scale, students learn the techniques to collect focused data for incident response and threat hunting, and dig into analysis methodologies to learn multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using an array of analysis techniques.

What You Will Learn

Enterprises today have thousands; maybe even hundreds of thousands - of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers in breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. Our experience has shown that when sizeable organizations suffer a breach, the attackers seldom compromise one or two systems. Without the proper tools and methodologies, security teams will always find themselves playing catch-up, and the attacker will continue to achieve success.

FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. The concepts are similar: gathering, analyzing, and making decisions based on information from hundreds of machines. This requires the ability to automate and the ability to quickly focus on the right information for analysis. By using example tools built to operate at enterprise-class scale, students will learn the techniques to collect focused data for incident response and threat hunting. Students will then dig into analysis methodologies, learning multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using timeline, graphing, structured, and unstructured analysis techniques.

FOR608: Enterprise-Class Incident Response & Threat Hunting will teach you to

  1. Understand when incident response requires in-depth host interrogation or light-weight mass collection
  2. Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  3. Collect host- and cloud-based forensic data from large environments
  4. Discuss best practices for responding to Azure, M365, and AWS cloud platforms
  5. Learn analysis techniques for responding to Linux and Mac operating systems
  6. Analyze containerized microservices such as Docker containers
  7. Correlate and analyze data across multiple data types and machines using a myriad of analysis techniques
  8. Conduct analysis of structured and unstructured data to identify attacker behavior.
  9. Enrich collected data to identify additional indicators of compromise
  10. Develop IOC signatures and analytics to expand searching capabilities and enable rapid detection of similar incidents in the future
  11. Track incidents and indicators from beginning to end using built-for-purpose incident response engagement tooling.

Business Takeaways

  • Reduce financial and reputational impact of a breach by more efficiently and precisely managing the response
  • Learn IR management techniques that optimize resource usage during an investigation
  • Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
  • Understand and hunt for techniques attackers use to hide from EDR and application control tools on Windows systems
  • Learn analysis techniques for responding to compromised Linux and macOS systems
  • Be able to respond and analyze containerized microservices such as Docker containers
  • Discuss best practices for responding to the most popular cloud environments - specifically Microsoft365/AzureAD, and AWS.

Syllabus (36 CPEs)

Download PDF
  • Overview

    The FOR608: Enterprise-Class Incident Response & Threat Hunting course begins with discussions on current cyber defense concerns, and how incident responders and threat hunters can take a more active role in detection and response. Collaboration within the team and the community are a focus, as we look to incorporate shared knowledge from sources like the MITRE ATT&CK(R) framework. Furthermore, we discuss taking an active defense approach to slow attackers and facilitate detection. Specific to active detection, the use of honeypots, honey tokens, and canaries are covered, along with ways to deploy them opportunistically. This type of tripwire in the network provides defenders and responders needed visibility to find and respond to intrusions quickly.

    When a compromise does occur, which is an unfortunate but inevitable truth, we continue the discussion with a focus on the processes and techniques that allow for efficient handling of intrusions. Concepts such as leading the response, managing team members, documenting findings, and communicating with stakeholders are covered in detail. The purpose-built Aurora documentation tool is presented as a means for tracking the investigation phases, from initial detection to scoping, containment, indicator development, and remediation.

    We continue the discussion by examining an alert triggered in our example company network as a pivot point into a potential attack. Triage data collected by company personnel has been processed into a timeline and the data imported into Timesketch, a tool developed by the Google IR team. We utilize Timesketch as a powerful platform for scalable and collaborative analysis of forensic data. Later in the class, we also provide techniques to view the same data set with Kibana, which offers additional capabilities, such as creating dashboards for visualizations and saved searches to aid analysis.

    We finish Section 1 with an examination of key threat intelligence concepts, including developing and implementing threat intelligence internally. External projects such as the MITRE ATT&CK(R) Matrix and Sigma are also leveraged. We discuss both MISP and OpenCTI as two comprehensive threat intel platforms for ingesting, tracking, and sharing threat intelligence. A threat intel report on the adversary targeting our example company, Stark Research Labs (SRL), will be presented as we start to look at potential signs of intrusion in the company.


    Development of honey tokens for active detection

    • Documenting an initial alert in Aurora
    • Using Timesketch to analyze a potential breach
    • Using OpenCTI to analyze threat reports of actors targeting our example company's industry
    • Incident Response and Threat Hunting in the Enterprise
      • Taking an Active Defense approach to threat hunting and detection
      • Using Active Defense concepts of Deny, Disrupt, and Degrade for attacker containment
      • Using the Active Defense concept of Deception for detection
      • Pros and cons of using honeypots
      • Pros and cons of canary / honey tokens
      • Deploying canary tokens into an environment for intrusion detection
    • Managing Large-Scale Response
      • Fostering key principles of successful response within the team and organization
      • Structuring teams, roles, and responsibilities
      • Leading the response
      • Managing resources
      • Combining incident response and project management disciplines
      • Effective documentation and communication for tracking and reporting incidents
      • Introduction to Aurora, an open-source incident response documentation utility
    • Scalable & Collaborative Analysis with Timesketch
      • Using Timesketch to perform deep-dive analysis across multiple hosts with multiple analysts
      • Annotate, label, bookmark events of interest to create custom timeline views
      • Apply analytics and visualizers to assist analysis
      • Create stories to convey findings
    • Intel-Driven Incident Response
      • Understand the importance of cyber threat intelligence in incident response
      • Review various sources of threat intelligence and integrating it with the IR process
      • Leverage cyber threat intelligence available from MITRE's ATT&CK(R) Matrix
      • Discuss developing and managing intelligence in your organization
      • Use OpenCTI to catalog, organize, and visualize threat actor TTPs
  • Overview

    Section 2 pivots directly from Section 1 as we continue to move into response mode. We will begin collecting evidence at scale to scope a potential intrusion against our example company, Stark Research Labs. SRL has Endpoint Detection and Response (EDR) tooling in place and we leverage that data to assist scoping. However, attackers sometimes bypass or otherwise subvert EDR technology, so a discussion of common bypass techniques is presented. This provides students with both awareness of EDR limitations, as well as training to look for anomalous activities within the EDR log data.

    Moving beyond the analysis of commonly logged artifacts, we introduce the open-source Velociraptor tool as a powerful platform for incident response and threat hunting at scale. Velociraptor is adept at pulling forensic artifacts from across the enterprise, as well as providing analysts with a tool to deep-dive individual hosts of interest. We will show Velociraptor to be a flexible tool useful for a number of situations, as well as for a number of operating systems and architectures.

    One of many useful features of Velociraptor is its ability to push collected data into Elasticsearch. Elasticsearch is another powerful and flexible tool appropriate for any responder's toolkit. As such, we use Elasticsearch to ingest and process various data types, including data from Velociraptor, from the PowerShell IR framework "Kansa", and from the "Log2timeline" tool. We then use Elasticsearch's SQL API to run fast searches and aggregations against ingested data. This is a little-known capability that can speed up analysis considerably. As an optional lab, students are also guided through the process to create dashboards and visualizations in Kibana for a more traditional approach to searching and analysis using the Elastic Stack.

    After having swept the network looking for indicators of compromise in EDR log data and with tools such as Velociraptor and Kansa, there will inevitably be a subset of hosts that warrant deeper dives. We present rapid response options for targeted data collections at scale, including multi-platform tools such as Velociraptor and CyLR. In the case of Velociraptor, it can be installed on a persistent client-server basis, but also as a standalone collector. We demonstrate how to use it in either case to collect critical artifacts for tracking the adversary's progress. Rapidly post-processing the acquired data for analysis is another important piece of the puzzle. Solutions are presented to quickly take the collected artifact files and process them for analysis in Timesketch, Elasticsearch, or individual artifact review.

    • Analyzing Sysmon telemetry and log events for incident scoping/identification
    • Utilize a "precooked" Velociraptor installation to analyze data collected during the intrusion of Stark Research Labs
    • Deploy a small Velociraptor client-server setup in the student VM to perform hunts for artifacts generated from threat emulation tooling
    • Use the Elasticsearch SQL API to quickly find anomalous activity
    • Acquire forensic triage images using Velociraptor and CyLR. Use automation techniques to rapidly process results for timeline analysis.
    • EDR and EDR Bypass
      • Review the capabilities and challenges of endpoint detection and response (EDR)
      • Analyze Sysmon telemetry and log events for incident scoping/identification
      • Discuss attacker techniques for subverting and bypassing EDR tooling
    • Scaling Incident Response with Velociraptor
      • Describe the various use cases for Velociraptor
      • Learn to customize Velociraptor Query Language (VQL) analyzers ("artifacts")
      • Rapidly deploying Velociraptor in a client-server configuration
      • Performing hunts and acquiring forensic evidence
      • Use Velociraptor notebooks for effective post-processing and analysis
      • Export results to Elasticsearch, Splunk, or CSV flat-files for external analysis
    • Scaling Analysis with ELK
      • Utilize the ELK stack (aka Elastic Stack) to ingest and analyze logs
      • Ingest structured and freeform data types into the Elastic Stack
      • Use dashboards, histograms, graphs, and saved searches to locate attacker TTPs quickly
      • Utilize the Elasticsearch SQL API for fast data aggregation and filtering
    • Rapid Response Triage
      • Execute CyLR and Velociraptor to quickly acquire forensic artifacts from Windows, Linux, and Mac.
      • Create custom acquisition packages for Velociraptor
      • Post-process results for timeline analysis using Timesketch, Elasticsearch, or CSV files
  • Overview

    Section 3 transitions to more traditional host-based forensic artifact analysis. The section starts with a look at some of the latest techniques for attacking Windows systems, including the all-too-common ransomware attack. As part of looking for precursors to ransomware attacks, as well as other targeted attacks, we spend time focusing on attackers' use of "living-off-the-land" techniques to avoid detection. There are many clever ways attackers leverage built-in binaries and scripts (aka "LOLBAS" "Living-Off-the-Land Binaries and Scripts") to accomplish their goals without bringing custom malware onto the host. Learning to proactively detect and retroactively analyze these techniques is critical to investigating many modern-day intrusions.

    To facilitate more rapid detection and response, we focus on the use of actionable cyber threat intelligence using Sigma rules. We use Sigma rules to hunt for suspicious activity in logs ingested into Elasticsearch. Another exercise focuses on leveraging Sigma rules packaged into the Hayabusa tool for searching Windows event logs directly. These are powerful techniques which help responders solve cases more quickly at scale.

    Following the discussion on Windows threats, the remaining part of Section 3 focuses on Linux incident response and analysis. Many organizations, large and small, have Linux systems present in their environment. Although intrusions against Linux do not make the headlines as often, it's no secret that attackers regularly exploit vulnerable Linux systems to establish and maintain footholds in victim organizations.

    FOR608 discusses common vulnerabilities in Linux systems and configurations, then covers common attacker exploits targeting these systems. Privilege escalation, persistence, and lateral movement are techniques we frequently associate with attacks against Windows environments, but they apply equally to Linux as well.

    Our Linux discussion continues with coverage of DFIR fundamentals when analyzing Linux systems. Topics that are critical, but often cause confusion, include differences among Linux distributions, Linux file systems, the Logical Volume Manager, key log file locations, and more. Strategies are presented to handle both initial triage and deeper forensic analysis of Linux systems. Searching for unexpected logins, suspicious new files or altered files, and outliers in application logs are just a few of the techniques used to locate malicious behavior. We conclude the section with best practices for hardening systems, enhancing logging configurations, and adding monitoring capabilities to aid future investigations. Providing students with the ability to investigate Linux intrusions is a key goal of FOR608. Upon completion of the course, students will leave with important new skills and techniques for responding to large-scale intrusions across diverse enterprise networks.

    • Detecting LOLBAS activity via Sigma
    • Rapid event log analysis with Hayabusa
    • Linux web log analysis
    • Triaging Linux hosts
    • Modern Attacks Against Windows
      • Fileless malware in the wild
      • Common "LOLBAS" activity, including precursors to ransomware attacks
      • Hunting amongst the noise for suspicious "LOLBAS" usage
    • Detect and Respond to Modern Attacks
      • Leverage the Sigma Project for threat detection against log data
      • Build new Sigma rules for maintaining and sharing threat intelligence
      • Perform Sigma rule searches against centralized log servers
      • Perform Sigma rule searches directly against Windows event logs
    • Introduction to Linux
      • History of Linux
      • Ubiquitous nature of Linux
      • Challenges organizations face with managing, securing, and monitoring Linux systems
    • Modern Attacks Against Linux
      • Exploiting vulnerable applications or operating system services
      • Misconfigurations or unpatched services lead to successful attacks
      • Attacker techniques for accomplishing the attack lifecycle, including privilege escalation, persistence, lateral movement, and exfiltration
    • Linux DFIR Fundamentals
      • Exploiting vulnerable applications or operating system services
      • Misconfigurations or unpatched services lead to successful attacks
      • Attacker techniques for accomplishing the attack lifecycle, including privilege escalation, persistence, lateral movement, and exfiltration
    • Linux DFIR Fundamentals
      • Understanding primary differences in file systems
      • EXT3, EXT4, XFS file system overviews
      • Understanding the Logical Volume Manager (LVM2)
      • Available timestamps in Linux file systems (comparing EXT3, EXT4, XFS, Btrfs, ZFS)
      • Typical Linux file system directory hierarchy
    • Linux Log Analysis
      • Common logs and locations
      • IR strategy for log analysis
      • Reviewing logon activity
      • Mining application logs for suspicious events
    • Linux Triage Collection and Forensic Readiness
      • Collecting key configuration files
      • Collecting artifact-rich logs
      • Scripting collection for simplicity and consistency
      • Hardening Linux configurations
      • Improving audit policies
      • Adding endpoint security tooling
  • Overview

    By this point in the course, students have undertaken a wide-range of tasks, including collecting of host-based data, deployment of live-response tools to catch attackers "in the act", and utilizing "big-data" analysis platforms to find suspicious activity at scale. Students have also taken a deep dive into the Linux operating system and discovered important ways to respond to the inevitable attacks against these systems.

    In the next module, we move on to look at key aspects of the Apple macOS operating system. These hosts have become more prevalent in many enterprise networks. Therefore, it's important that incident responders have some understanding and training for responding to such systems. Before diving into the incident response techniques, we discuss the history and current ecosystem of macOS and Apple mobile devices. We then move into important topics such as the Apple Filesystem (APFS), the file and directory structure, and important file types for Mac analysis such as the Property List (plist) configuration file.

    After a discussion of the fundamentals, we turn our attention to the challenges and opportunities for responding to macOS incidents. Questions such as how best to acquire disk and triage data, how to review those acquisitions, and which logs and other artifacts are most useful in spotting suspicious activity are all covered in detail.

    After establishing a solid foundation for Linux and Mac forensic analysis, we then turn our attention to the concept of containerized microservices. Containers are a popular way to deploy applications and services in a reliable and repeatable way. The most common platform for containers is Docker, which is where we focus our attention in FOR608. Discussions on the architecture and management of Docker containers help students understand where to focus their analysis. A specific triage workflow is also covered to arm analysts with a repeatable process for quick and effective response against individual containers as well as the container host.

    • Mount and analyze APFS disk images
    • Review macOS artifacts and logs
    • Docker administration and logs
    • Docker triage and IR
    • macOS Foundations
      • A history of Apple operating systems
      • Apple in the enterprise
    • Apple Filesystems
      • APFS characteristics
      • macOS timestamps
      • macOS file & directory structure
      • Key file types such as Property List (.plist) files
    • Mac Incident Response
      • Challenges with forensic acquisitions
      • Options for mounting disk images
      • Profiling users and system configurations
      • Review common persistence methods
      • Log analysis for macOS
    • Containers in the Enterprise
      • Conceptual overview of containers
      • Containers vs. virtual machines
      • Introduction to Docker
      • Attacks against containers
      • Forensic challenges of containerized environments
    • DFIR for Containers
      • Metadata collection and analysis
      • Using snapshots to save containerized files
      • Log analysis for Docker
      • Gather ephemeral data
      • Review image files and history
  • Overview

    This day is focused on responding to incidents in the major cloud platforms from Microsoft and Amazon. Although the analysis focuses on those platforms, we cover log analysis techniques, architecture designs, and automation initiatives that can be applied to just about any cloud provider. We also cover ways attackers leverage cloud environments and the artifacts that might be left behind in such cases.

    Cloud environments provide unique challenges for incident response, but some exciting opportunities too. A quick intro into these factors will start the day. Once again, we find that the MITRE ATT&CK(R) framework is useful for organizing our defenses and detections - specifically the Cloud Matrix.

    Moving into Microsoft 365 (M365) and Azure, several popular SaaS offerings are discussed. These include Entra ID (formerly known as Azure AD) for the underlying identity provider service, which supports other hosted services such as Exchange, SharePoint, and Teams. Many organizations subscribe to these services, and predictably, attackers have become proficient at finding weaknesses in their implementations. We therefore review a variety of common attack scenarios against M365 and Azure. Log analysis is critical to solving these cases, so log acquisition and review is a major focus for discussion. Specifically, we look for suspicious user logon and email activity from the Unified Audit Logs (UAL) as a common method for detection. The Entra ID (Azure AD) Audit log and others are useful resources as well.

    Important for any incident response is the Recovery phase, which typically includes implementing security enhancements to detect or prevent similar attacks in the future. Therefore, we cover some of the more useful security enhancements in M365 and Azure.

    The second part of the day delves into the Amazon Web Services (AWS) cloud platform. Its general architecture and components are covered to provide a solid foundation for those new to AWS. We then go into detail on the many logs and services that provide critical detection and analysis data for responders. This includes CloudTrail logs, VPC flow logs, GuardDuty alerts, and more.

    The section concludes with discussions on architecting for response in the cloud for faster and more effective analysis. This involves setting up security accounts for a secure enclave within AWS. Template VMs (AMIs) are also recommended for performing analysis against volume snapshots, network packet captures, and log data. Finally, we look at common IR tasks that can be automated and how to do it rather seamlessly using AWS Lamda and Step Functions. While the solutions presented in this section are AWS-centric, the concepts can (and should) be applied to almost any cloud platform with significant use by an organization.

    • M365 log analysis
    • Finding attacker cloud exfil infrastructure
    • AWS CloudTrail log analysis
    • AWS VPC Flow log analysis
    • DFIR in the Cloud
      • Cloud service models (IaaS, PaaS, SaaS)
      • Cloud forensics vs. traditional forensics
      • MITRE ATT&CK(R) Cloud Matrix
    • Incident Response in Azure & M365
      • M365/O365 SaaS offerings
      • Azure IaaS and PaaS platform
      • Entra ID (formerly Azure AD) architecture
      • Common attack scenarios
      • Important log sources & log extraction
      • Investigating suspicious user logons and email activity
      • Securing M365 & Azure
    • Attackers in the Cloud
      • Investigating attacks that leverage the cloud
      • Discover host-based artifacts from attacker's cloud infrastructure
    • AWS Foundations
      • Organizational and account hierarchy
      • AWS Identity and Access Management (IAM)
      • Authentication and identity types
      • AWS regions and API endpoints
      • AWS computing, storage, and networking constructs
    • Incident Response in AWS
      • Leveraging the AWS Incident Response Guide
      • AWS incident domains
      • Critical log sources such as CloudTrail, CloudWatch, and S3 access logs
      • Threat detection and response services such as GuardDuty and Detective
      • Network analysis with VPC flow logs and traffic mirroring
      • Architecting for analysis in the cloud
      • Acquiring logs and snapshots
      • Planning and practicing likely scenarios
    • IR Automation in AWS
      • Identifying tasks for automation
      • Using AWS VM templates (AMIs) for quick response
      • Leveraging AWS Lamda and Step Functions for automation and orchestration
  • Overview

    Section 6 will serve as a capstone for the class and a chance for students to put into practice the knowledge they've gained thus far. We will be providing an exercise that focuses on utilizing the tools and techniques discussed in the previous five sections of the course. Students will be provided with a data set from a compromised environment spanning multiple host operating systems and cloud environments. Students will utilize tools and techniques learned throughout the course to uncover the steps of the breach, end-to-end. In the live classroom setting, students will work in small teams to divide and conquer the analysis in order to solve this complex case most efficiently, similar to real-world incident response scenarios.

    • Day 6 CTF Challenge

GIAC Enterprise Incident Responder

The GIAC Enterprise Incident Response (GEIR) certification validates a practitioner's mastery of enterprise-class incident response and threat hunting tools and techniques. GEIR certification holders have demonstrated the ability to use analysis methodologies to understand attacker movement across varying functions and operating systems.

  • Incident Response Team Management and Coordination
  • Enterprise Incident Detection and Threat Hunting
  • Large Scale Event Correlation and Timeline Analysis
  • Multi-platform Artifact Analysis
    • Analysis of Windows Artifacts
    • Analysis of Linux Artifacts
    • Analysis of macOS Artifacts
    • Analysis of Container Artifacts
    • Analysis of Cloud Environment Artifacts
More Certification Details


FOR608 is an advanced level course that skips over introductory material of Windows host- and network-based forensics and incident response. This class is not necessarily more technical than our 500-level classes, but it does assume that knowledge so that topics and concepts are not repeated.

Students must have multiple years of DFIR experience and/or have taken classes such as:

FOR500 (Windows Forensics Analysis), and/or

FOR508 (Advanced Digital Forensics, Incident Response, and Threat Hunting)

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 350GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Incident Response in large environments requires successful Incident Responders to master a multitude of different disciplines. Broad forensic knowledge forms the foundation. A good choice of the technical approach allows for scalability. Beyond the pure technical challenge of investigating a network with a 6 figure number of machines, there lies the management aspect of things. Successful Incident Response includes all measures to minimize the impact of the breach on the victim as much as possible and make sure that the attacker can not come back as quickly as before.

Successful Incident Response Leads need to manage their resources and the victim wisely, make sure no information gets lost along the way, provide knowledge for efficient and safe recovery and support appropriate internal and external communication during the breach. While we apply many well-known forensic and incident response principles and make them scale in FOR608, we will also go a step further and teach you how to run and control large-scale investigations. I believe the best Incident Response is the one that reduces the costs of a breach, including the loss of reputation as much as possible, while at the same time leaving the victims safer than they were before the beach." - Mathias Fuchs

"FOR608 is designed to pick up where the FOR508 class leaves off. In FOR508, we take a deep look at the techniques attackers commonly use to breach Windows-based networks, and the resulting artifacts that help incident responders follow the trail from initial intrusion to data compromise. A lot is accomplished in the 6 days of training in FOR508, but there is still plenty more ground to cover in FOR608!

We are excited to introduce FOR608 to continue the investigative journey. FOR608 covers important aspects of incident response in the enterprise, such as active defense and detection, case and team management, large-scale data analysis, and investigating attacks against Linux, Mac, and cloud environments operating systems. These are just some of the important subjects we believe are critical for effective response in the enterprise. Mastering these next-level techniques and supporting tools will provide students with the capabilities necessary to handle the scale and variety of threats facing most organizations today"- Mike Pilkington

"Many years ago, Incident Response was very much focused on a single responder dealing with a single system. Times have changed dramatically, and we face advanced adversaries who spread across entire enterprises aggressively and effectively. Often by the time an attack is detected you might find hundreds of systems compromised. It is important that we responders scale up our processes, using the tools and techniques available, to meet this threat. This is what FOR608 will help you achieve.

The course is built around a realistic scenario, working the students through the phases of IR at scale using tools which help drive a deep understanding. We cover a range of technologies and a lot of data, exactly as you might expect to see in your own enterprise. By learning how to target our response, share CTI and leverage our tools, we truly step up our IR capabilities to meet even the most dedicated adversary. For anyone charged with incident response in an enterprise, this course is for you." - Taz Wake


The course content covers a lot of important topics focused on detection and response. I enjoyed the sections on Threat Driven Intelligence and TimeSketch for creating incident timelines.
Reggie M.
The elastic work was very impressive. I have been using it for a number of years, but it introduced me to new ways to ingest data that could have saved me a lot of work in the past.
Simon H.
Good overview of structure, characteristics and challenges of engagements. That's the value for me, putting alle the tools and strategies into context.
Oliver S.

    Register for FOR608

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.