SANS FOR572 / GNFA Overview

darkdefender
4 min read · Feb 17, 2020


When you read the title of the course, “Advanced Network Forensics, Threat Hunting, Analysis, and Incident Response”, it straight out sounds intimidating. Upon choosing to take SANS FOR572 last November, there weren’t that many reviews about it aside from what was stated on the SANS website. Now that I’ve completed the course and have successfully obtained my first (security) certification, I thought it might be beneficial to write about the experience and give more of an indication of what it was all about from start to finish.

Intended Audience / Prerequisites

I had 3 years of networking experience under my belt before taking this course. It included becoming certified with Juniper and Fortinet, and looking at network logs for a significant portion of time. Perhaps this is why I felt at ease throughout the course and certification process; however, I would still recommend it to those who have had more experience than I have. Not only will it fill gaps in your knowledge regarding general IR/triaging of network traffic, but you will learn intricate details of protocols that you probably haven’t come across before.

For those who haven’t had much experience, I’ll go with the general opinion given about SANS courses: “it will be a firehose of information that you can’t prepare for”. Aside from being educated on protocols, the course also gives you the skills needed to threat hunt for “artefacts of communication”, evidence of compromise, understand what malicious activity looks like, and scope out an incident.

In terms of prerequisites:

  • Be familiar with Linux tools (grep, awk, file), Wireshark, tcpdump, and tshark. The course does not focus on Wireshark; it forces you to use other, mostly Linux-based, tools so that you’re able to manipulate a pcap for more efficient analysis.
  • Have a rough comprehension of the TCP/IP model. You’ll be taught to read network traffic from all layers of this model, so you should know how they interact.
  • I wouldn’t say it’s a prerequisite, but knowing forensic techniques or understanding forensic methodology helped, especially in the labs and the capstone challenge on the final day.
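To give a concrete feel for what “reading traffic from all layers of the TCP/IP model” means in practice, here is an added example (my own, not course material or a SANS tool): a minimal libpcap reader that walks one frame down through Ethernet, IPv4 and TCP to the application payload, verifying the IPv4 header checksum on the way. The pcap it parses is constructed in the script itself (the addresses, MACs and HTTP request are invented), so it runs offline with nothing but the standard library.

```python
import struct
import ipaddress

# TCP flag bits, lowest to highest (RFC 9293 header layout).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def checksum16(data: bytes) -> int:
    """Internet checksum: ones-complement sum of 16-bit words, folded.
    Run over a header that already contains its checksum, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed sample: a single Ethernet/IPv4/TCP frame carrying an HTTP GET,
    wrapped in a little-endian libpcap file. Nothing here came from a real capture."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # sport 40000, dport 80, seq 1, ack 1, data offset 5 words, flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    src = ipaddress.IPv4Address("10.0.0.5").packed      # constructed client address
    dst = ipaddress.IPv4Address("192.0.2.10").packed    # constructed server address (TEST-NET-1)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip_no_csum[:10] + struct.pack("!H", checksum16(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    frame = eth + ip + tcp + payload
    # libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # per-packet record header: ts_sec, ts_usec, included length, original length
    rec_hdr = struct.pack("<IIII", 1581897600, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def parse_frame(frame: bytes) -> dict:
    """Dissect one Ethernet frame layer by layer; stops early for non-IPv4 or non-TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}}
    if ethertype != 0x0800:          # only IPv4 is dissected in this example
        return result
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes (options included)
    result["ip"] = {
        "src": str(ipaddress.IPv4Address(s)),
        "dst": str(ipaddress.IPv4Address(d)),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": checksum16(ip[:ihl]) == 0,
    }
    if proto != 6:                   # only TCP is dissected in this example
        return result
    tcp = ip[ihl:total_len]          # total_len trims any Ethernet trailer padding
    sport, dport, seq, ack, off_res, flags, win, _c, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4        # TCP data offset in bytes
    result["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
    }
    result["payload"] = tcp[doff:]   # application layer, left undecoded
    return result


def parse_pcap(data: bytes) -> list:
    """Read every record of a libpcap (not pcapng) file and dissect each frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        pkt["ts"] = ts_sec + ts_usec / 1_000_000
        packets.append(pkt)
        off += incl_len
    return packets


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        ip, tcp = pkt["ip"], pkt["tcp"]
        print(f'{ip["src"]}:{tcp["sport"]} -> {ip["dst"]}:{tcp["dport"]} '
              f'{"/".join(tcp["flags"])} ip_csum_ok={ip["checksum_ok"]} '
              f'payload={pkt["payload"][:24]!r}')
```

The point is the layering: each function consumes exactly the header it understands and hands the remainder down, which is the same mental model you use when building tshark display filters or tcpdump BPF expressions. Replacing `build_sample_pcap()` with `open("capture.pcap", "rb").read()` lets you run the same dissector over a real Ethernet capture.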

Course Overview

Firstly, I wanted to thank the course instructor Ryan Johnson. I truly believe the usefulness of a course derives from the experience of the instructor, and the real world battle stories they have to share along the way.

The SANS link that I’ve shared at the top of the article has a detailed syllabus, but here’s a rough breakdown of the course:

  • Core Protocols: HTTP, DNS, FTP, SMTP, SMB
    You’ll learn packet and file headers, commands, architectures, how the protocol can be exploited, configurations, artefact extraction, and analysing traffic using capture and display filters.
  • Tools: Netflow, nfcapd, nfpcapd, tcpdump, tshark, editcap etc.
    There’s more than one way to analyse network traffic, and this for me was the biggest takeaway of the course.
  • Wireless: Architecture, attacks, tools
  • Encoding/Encryption: Base64, Symmetric and Public Key Encryption, Perfect Forward Secrecy, TLS/SSL
  • Web Proxies: Squid
  • Logging: Zeek, Syslog, Moloch, Elastic Search

The labs were a great way to test your knowledge and put learnings into practice. Honestly, the SANS team have done a fantastic job with the data you receive as part of the course. It was heaven for a network forensic nerd like me. You can take it home, have a play around with different tools and try to come to the same answer.

On the final day of the course, you’re gifted with 100GB+ pcap files and data. Your mission is to use the tools you’ve learnt throughout the course to discover malicious activity. It was created specifically so that you can’t just use Wireshark to find all your answers; there’s no better way to learn than to be out of your comfort zone.

Practice Tests

The practice tests and exam are open book assessments. Free rein, right? Well, when you’re given five 100+ page textbooks for the course, you can use as many post-it notes as you like, but come exam time, you still won’t know where everything is.

I’ve never used an index in my life. Before taking this course, I’ve heard people mention it but I didn’t actually know what it was. Thankfully, I was saved by hacks4pancakes’ blog post: https://tisiphone.net/2015/08/18/giac-testing/. The reason why it’s suggested to create one is because an index helps you quickly identify what textbook a specific topic is in. I like to think of it as a glorified contents page in a book.

Some tips:

  • Do the practice exams; it’s a solid way of understanding where your knowledge gaps are and what you need to continue studying
  • I went through all of the labs before taking the exam. This was a good way to reiterate what I already knew, highlight improvement areas, and create a little cheat sheet of Linux commands in case they’re ever tested (hint: they were)
  • Try not to rely on the books; see how much you know without them. At the same time, I would suggest creating an index before you take the practice tests so that you can see if there’s anything you’ve missed in the index
  • After completing the first practice test, take a week or so to brush up on weak areas, then do the second practice test
  • Personally, I scheduled the exam to be a week after I had finished the practice tests so it’s still all fresh in my brain.

Exam

The practice tests weren’t too similar to what the exam was like. Whilst it was good studying preparation, I felt as though I had to refer to the books more frequently than originally intended. Obviously I can’t give anything away, but know the intricacies of core protocols well and understand different types of networking attacks.

I hope this helps anyone who wants to tackle FOR572. Feel free to ask me any questions.
