My "SANS: FOR572" course experience


Phil Hagen's FOR572 covers a variety of topics in the field of network forensics. As the full course name ("FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response") indicates, Incident Response and Threat Hunting concepts are presented as well.

A detailed list of all subjects can be seen on SANS Institute's website:

FOR572: Advanced Network Forensics Course | Threat Hunting & Incident Response | SANS Institute
SANS FOR572, an advanced network forensics course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness.

Besides the well-described "Business Takeaways" from SANS, I want to share my personal experience with this course.

I started the OnDemand course in June 2023. With a background in penetration testing, I was keen to gain knowledge from the opposite side. My learning approach is to participate not only in offensive challenges and trainings but also in blue team trainings and challenges, to build a more holistic understanding.

Before starting any SANS or security course, one should always check whether the course topics align with their current job role. Taking security courses purely out of curiosity isn't always beneficial; the course subjects should intersect with the operations of the job you are currently working in. This leads to more sustainable learning.

Phil Hagen did a fantastic job keeping SANS FOR572 up to date, which means that recent topics like HTTP/2 and HTTP/3, DoH (DNS over HTTPS) and DoT (DNS over TLS), or Zeek are covered.

Forensic Data
FOR572 acknowledges that any data obtained from the network can be voluminous and therefore potentially difficult to process. A PCAP isn't always the best choice when searching for a needle in a haystack. Much of the course is about when to use which source of data and how to process large files to get better results. The following network-based data comes into play:

  • Log files (+Proxy Logs)
  • NetFlow v5, v7, v9
  • PCAP
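To illustrate the PCAP-versus-NetFlow trade-off discussed above, here is an added example (my own code, not course material or anything from Phil Hagen): it collapses constructed per-packet records, standing in for parsed PCAP headers, into unidirectional 5-tuple flow records of the kind NetFlow v5 exports, and then runs a simple triage query over the flows that would be far more expensive against raw packets. The packet sample and thresholds are made up for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample standing in for packet headers parsed from a PCAP:
# (timestamp, src_ip, dst_ip, proto, src_port, dst_port, bytes).
# Addresses are RFC 5737 documentation ranges; this is illustrative, not a real capture.
PACKETS = [
    (100.0, "192.0.2.10", "198.51.100.53", "udp", 53000, 53, 70),    # DNS query
    (100.1, "192.0.2.10", "198.51.100.80", "tcp", 51000, 443, 60),   # TLS to a web server
    (100.3, "192.0.2.10", "198.51.100.80", "tcp", 51000, 443, 1500),
    (100.5, "192.0.2.10", "198.51.100.80", "tcp", 51000, 443, 1500),
    (100.0, "192.0.2.20", "203.0.113.9", "tcp", 40000, 443, 80),     # periodic, tiny
    (400.0, "192.0.2.20", "203.0.113.9", "tcp", 40000, 443, 80),     # packets every
    (700.0, "192.0.2.20", "203.0.113.9", "tcp", 40000, 443, 80),     # 300 seconds
    (1000.0, "192.0.2.20", "203.0.113.9", "tcp", 40000, 443, 80),
]


@dataclass
class Flow:
    first: float    # timestamp of the first packet seen for this 5-tuple
    last: float     # timestamp of the last packet seen
    packets: int
    bytes: int


def aggregate_flows(packets):
    """Collapse per-packet records into unidirectional 5-tuple flow records:
    no payload, one record per (src, dst, proto, sport, dport), as NetFlow v5 does."""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        flow = flows.get(key)
        if flow is None:
            flows[key] = Flow(first=ts, last=ts, packets=1, bytes=size)
        else:
            flow.first = min(flow.first, ts)
            flow.last = max(flow.last, ts)
            flow.packets += 1
            flow.bytes += size
    return flows


def long_lived_small_flows(flows, min_seconds, max_avg_bytes):
    """Triage query over flow records: 5-tuples that stay active for a long time
    yet carry little data per packet. Cheap on flows, painful on raw PCAP."""
    return sorted(
        key for key, f in flows.items()
        if f.last - f.first >= min_seconds and f.bytes / f.packets <= max_avg_bytes
    )
```

Eight packets become three flow records here; on a real capture the reduction is orders of magnitude larger, which is exactly why flow data is the first place to look before pulling the matching PCAP.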

Protocols
Besides all the fundamentals, the protocols listed below are also presented in a more advanced and comprehensive way. I got a much better understanding of what really goes over the wire after taking this lecture.

  • HTTP
  • DNS
  • SMTP
  • FTP
  • SMB

Tools
Dozens of tools are covered across the different sections of FOR572. What I appreciated was Phil Hagen's skill in guiding me on when to use a particular tool and how to prioritize between them. One tool that stands out is "SOF-ELK", which comes from Phil Hagen himself. Take a look at his GitHub repository:

philhagen - Overview
philhagen has 34 repositories available. Follow their code on GitHub.

Do not consider this list complete, but here are some of the tools used in the course:

SOF-ELK, Wireshark, tcpdump, tcpflow, jq, Zeek, nfcapd, nfpcapd, ntopng, CapLoader, NetworkMiner, CyberChef, Arkime, Scapy, Dshell, tcpstat, tcpxtract, ngrep, editcap, netspot

There are plenty of other topics that make the course quite valuable, for instance IEEE 802.11 with all its weaknesses, and OPSEC topics, which Phil also showcased well.

If you find that the subjects of this article can be beneficial for your work, then SANS FOR572 might be a good choice for you. I can highly recommend this SANS course.