Advanced Network Forensics & Threat Hunting – FOR572 2024 Edition


Next-Generation Network Forensics Training

🛡️ 80M+ log events | 125M NetFlow records | 150GB PCAP data
🛡️ 50% hands-on labs with real-world attack scenarios
🛡️ Updated for cloud/on-prem hybrid environments


What’s New in FOR572 2024?

1. Enterprise-Scale Incident Response Lab Overhaul

  • All-new adversary simulation dataset based on 2023-2024 attack patterns
  • Expanded cloud forensics modules (AWS/Azure/GCP traffic analysis)
  • Updated MITRE ATT&CK v12 mapping across all exercises

2. Cutting-Edge Toolset Updates

| Tool | Version | Key Features Covered |
| --- | --- | --- |
| SIFT Workstation | Ubuntu 22.04 LTS | 300+ new DFIR tools added |
| SOF-ELK | v3.2 | Enhanced NetFlow visualizations |
| Arkime | v4.0 | TLS 1.3 decryption support |
| Zeek | v6.0 | Cloud workload monitoring |
| NetworkMiner | v3.0 | Encrypted file carving |

3. Protocol Deep Dives

  • HTTP/3 (QUIC) forensic analysis
  • DoH (DNS-over-HTTPS) investigation techniques
  • SMBv3.1.1 compression artifacts
  • TLS 1.3 fingerprinting bypass detection

Core Learning Objectives

1. Threat Hunting at Scale

Threat-hunting data flow (diagram): 80M logs in SOF-ELK, 125M NetFlows and 150GB PCAPs in Arkime → threat indicators → ATT&CK TTP mapping

2. Cloud Network Forensics

AWS VPC Flow Log Analysis:

```bash
# Identify suspicious instance communications: flows whose source lies outside
# the 10.0.0.0/8 private range and whose destination port is above 1024.
# Field positions follow the default VPC flow log format
# (version account-id interface-id srcaddr dstaddr srcport dstport ...);
# the trailing "..." matches the remaining fields.
aws logs filter-log-events \
  --log-group-name VPCFlowLogs \
  --filter-pattern '[version, account, eni, srcaddr != 10.*, dstaddr, srcport, dstport > 1024, ...]'
```
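The same filter can be reproduced offline over an exported flow log, which is useful when the evidence has already been pulled out of CloudWatch. The following Python script is an added example, not course material: it parses default-format (version 2) VPC flow log records, skips NODATA/SKIPDATA records, and flags flows from outside 10.0.0.0/8 to destination ports above 1024. The account id, interface id and addresses in the sample are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Field order of the default VPC flow log record format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (placeholder account id, documentation-range
# public addresses); the last line is a NODATA record with no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 445 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.40 51000 8443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.2.40 40000 22 6 3 200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    byte_count: int
    action: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse default-format VPC flow log lines into Flow records."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record; ignore rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry '-' instead of addresses
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                          int(rec["dstport"]), int(rec["protocol"]),
                          int(rec["bytes"]), rec["action"]))
    return flows


INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def suspicious_flows(flows: List[Flow], min_port: int = 1024) -> List[Flow]:
    """Flows whose source lies outside 10.0.0.0/8 and whose destination
    port is above min_port, mirroring the CloudWatch filter pattern."""
    return [f for f in flows
            if ipaddress.ip_address(f.srcaddr) not in INTERNAL
            and f.dstport > min_port]


if __name__ == "__main__":
    for f in suspicious_flows(parse_flow_log(SAMPLE_LOG)):
        print(f"{f.srcaddr} -> {f.dstaddr}:{f.dstport} proto={f.protocol} "
              f"bytes={f.byte_count} {f.action}")
```

Note that the REJECT record from 198.51.100.9 to port 22 is not returned with the default threshold, exactly as the CloudWatch pattern would drop it; lowering `min_port` brings it back, which is how you would widen the net when the environment exposes services on low ports.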

Azure NSG Flow Log Processing:

```kusto
// KQL query for lateral movement
AzureNetworkAnalytics_CL
| where FlowType_s == "S2S"
| where DestPort_d > 30000
| summarize count() by SrcIP_s, DestIP_s
```

Hands-On Lab Highlights

1. Adversary Infrastructure Mapping

  • Reconstruct C2 frameworks from partial PCAPs
  • Cluster related attacker IPs using JA3/JA4 fingerprints
  • Trace cloud attacker pivots through VPC peering

2. Encrypted Traffic Analysis

  • TLS 1.3 forensic workarounds
  • QUIC protocol metadata extraction
  • Tor/Onion routing detection techniques

3. Network Artifact Timeline Reconstruction

```bash
# Create unified timeline from multiple sources
# Zeek conn.log: -d renders ts as a date; columns kept are
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration
zeek-cut -d < conn.log \
  | awk 'BEGIN { OFS="," } { print $1,$3,$4,$5,$6,$7,$8,$9 }' > network_timeline.csv
# Arkime session timeline export (glob quoted so the shell does not expand it)
moloch-capture '--export-timeline=*' --strip-headers > arkime_timeline.json
```
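Merging the two exports into one ordered timeline is where the actual analysis happens, and the awkward part is that every source carries its own timestamp convention (Zeek: epoch seconds with microseconds; Arkime: epoch milliseconds). The script below is an added example, not code from the course or from the Zeek or Arkime projects. It parses a constructed Zeek conn.log excerpt in Zeek's real TSV layout (using the `#fields` header to name columns), reads constructed session records in the shape of an Arkime session export (the `firstPacket`, `source` and `destination` field names are assumptions), normalises both to UTC and emits a single sorted timeline.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed Zeek conn.log excerpt in Zeek's native TSV layout
# (header lines begin with '#'; the #fields line names the columns).
ZEEK_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n"
    "1700000010.123456\tCabc1\t10.0.1.25\t49152\t10.0.2.40\t445\ttcp\tsmb\t12.5\n"
    "1700000030.500000\tCdef2\t10.0.1.25\t49153\t203.0.113.7\t443\ttcp\tssl\t0.9\n"
    "#close\t2023-11-14-22-14-00\n"
)

# Constructed session records in the shape of an Arkime session export;
# field names (firstPacket in ms, source/destination objects) are assumed.
ARKIME_SESSIONS = json.dumps([
    {"firstPacket": 1700000020000, "source": {"ip": "10.0.1.25"},
     "destination": {"ip": "198.51.100.9", "port": 8443}, "protocol": "tcp"},
    {"firstPacket": 1700000005000, "source": {"ip": "10.0.1.26"},
     "destination": {"ip": "10.0.2.40", "port": 22}, "protocol": "tcp"},
])


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into dicts keyed by the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not fields:
            continue  # other header lines, or data before a #fields line
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def to_iso(epoch: float) -> str:
    """Render an epoch-seconds timestamp as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def build_timeline(zeek_text: str, arkime_json: str) -> List[Dict]:
    """Merge both sources into one list of events sorted by time."""
    events: List[Dict] = []
    for r in parse_zeek_log(zeek_text):
        events.append({"ts": float(r["ts"]), "source": "zeek", "uid": r["uid"],
                       "summary": f"{r['id.orig_h']}:{r['id.orig_p']} -> "
                                  f"{r['id.resp_h']}:{r['id.resp_p']} "
                                  f"{r['proto']}/{r['service']}"})
    for s in json.loads(arkime_json):
        events.append({"ts": s["firstPacket"] / 1000.0, "source": "arkime", "uid": "",
                       "summary": f"{s['source']['ip']} -> {s['destination']['ip']}:"
                                  f"{s['destination']['port']} {s['protocol']}"})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps insertion order on ties
    for e in events:
        e["iso"] = to_iso(e["ts"])
    return events


if __name__ == "__main__":
    for e in build_timeline(ZEEK_CONN_LOG, ARKIME_SESSIONS):
        print(f"{e['iso']}  {e['source']:<6}  {e['summary']}")
```

Keeping the raw epoch value next to the rendered ISO string is deliberate: sorting is done on the float, so a source with coarser precision (Arkime's milliseconds) never reorders events merely because its string form is shorter.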

Enterprise-Grade Forensic Methodologies

1. Baseline Development

```python
# Network behavior profiling: unsupervised outlier scoring of NetFlow feature rows
from sklearn.ensemble import IsolationForest

# netflow_data: numeric feature matrix, one row per flow or per host
# (e.g. bytes, packets, duration, distinct destination ports)
clf = IsolationForest(random_state=0).fit(netflow_data)
anomalies = clf.predict(netflow_data)   # -1 = anomaly, 1 = inlier
```
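A baseline does not have to be a model; the essential step is deciding what "normal" looks like per host and scoring deviation from it in a way a single compromised host cannot skew. The example below is added here and is not course code or scikit-learn code: it builds a per-host bytes-sent baseline from constructed flow records and scores hosts with a modified z-score (median and median absolute deviation), a standard-library alternative to the IsolationForest approach above. It also handles the edge case where the MAD collapses to zero because most hosts are identical.

```python
import statistics
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed per-flow records: (source host, bytes sent). Five hosts share a
# similar profile; 10.0.1.66 moves far more data than its peers.
SAMPLE_FLOWS = [
    ("10.0.1.10", 400), ("10.0.1.10", 600),
    ("10.0.1.11", 700), ("10.0.1.11", 400),
    ("10.0.1.12", 950),
    ("10.0.1.13", 500), ("10.0.1.13", 550),
    ("10.0.1.14", 1020),
    ("10.0.1.66", 20000), ("10.0.1.66", 30000),
]


def per_host_totals(flows: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Baseline feature: total bytes sent per source host."""
    totals: Dict[str, int] = defaultdict(int)
    for host, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def robust_outliers(totals: Dict[str, float], threshold: float = 3.5) -> Dict[str, float]:
    """Score each host with a modified z-score built on the median and the
    median absolute deviation (MAD). Unlike mean/stdev, one extreme host
    cannot drag the baseline towards itself. Returns hosts above threshold."""
    values = list(totals.values())
    if len(values) < 3:
        return {}  # too few hosts to form a baseline at all
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # Edge case: more than half the hosts are identical, so MAD is zero.
        # Fall back to the scaled mean absolute deviation so scores stay defined.
        mean_ad = statistics.fmean(abs(v - med) for v in values)
        if mean_ad == 0:
            return {}  # every host identical: nothing deviates
        scores = {h: abs(v - med) / (1.253314 * mean_ad) for h, v in totals.items()}
    else:
        scores = {h: 0.6745 * abs(v - med) / mad for h, v in totals.items()}
    return {h: round(s, 2) for h, s in scores.items() if s > threshold}


if __name__ == "__main__":
    totals = per_host_totals(SAMPLE_FLOWS)
    for host, score in robust_outliers(totals).items():
        print(f"{host}: {totals[host]} bytes, modified z-score {score}")
```

The constant 0.6745 rescales the MAD so that scores are comparable to ordinary z-scores on normally distributed data; 3.5 is the conventional cut-off for that scale. In practice you would compute the baseline over a trusted window and score a later window against it rather than scoring the window you learned from.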

2. Evidence Correlation Matrix

| Evidence Type | Best For | Limitations |
| --- | --- | --- |
| Full Packet Capture | Protocol-level analysis | Storage intensive |
| NetFlow | Traffic patterns | No payload |
| Zeek Logs | Application-layer metadata | Sampling gaps |
| Proxy Logs | HTTP details | Encrypted content |

3. Incident Response Playbooks

Ransomware Pattern Detection:

```sql
-- Arkime SQL for C2 beaconing
SELECT *
FROM sessions
WHERE (tags LIKE '%heartbeat%' AND duration > 300)
   OR (ja3.hash IN (SELECT hash FROM threat_intel.ja3_blacklist))
```
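The query above relies on a "heartbeat" tag already having been applied; what earns that tag is the regularity of the connections themselves. The following Python function is an added example, not part of the course or of Arkime: over constructed connection records it groups sessions by source/destination pair, computes inter-arrival gaps, and flags pairs whose gaps have a low coefficient of variation (standard deviation divided by mean), which is the classic beacon signature. The thresholds (`min_events`, `max_cv`, `min_interval`) are assumed starting points to tune per environment.

```python
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

BASE = 1700000000  # constructed epoch base for the sample timestamps

# Constructed connection records (ts, src, dst). The first pair connects about
# every 300 s with small jitter; the second is bursty; the third is too sparse.
SAMPLE_CONNS = [
    (BASE + 0,    "10.0.1.25", "203.0.113.7"),
    (BASE + 300,  "10.0.1.25", "203.0.113.7"),
    (BASE + 602,  "10.0.1.25", "203.0.113.7"),
    (BASE + 899,  "10.0.1.25", "203.0.113.7"),
    (BASE + 1201, "10.0.1.25", "203.0.113.7"),
    (BASE + 1500, "10.0.1.25", "203.0.113.7"),
    (BASE + 0,    "10.0.1.30", "198.51.100.9"),
    (BASE + 5,    "10.0.1.30", "198.51.100.9"),
    (BASE + 600,  "10.0.1.30", "198.51.100.9"),
    (BASE + 610,  "10.0.1.30", "198.51.100.9"),
    (BASE + 1900, "10.0.1.30", "198.51.100.9"),
    (BASE + 0,    "10.0.1.31", "10.0.2.40"),
    (BASE + 300,  "10.0.1.31", "10.0.2.40"),
]

Pair = Tuple[str, str]


def find_beacons(conns: Iterable[Tuple[int, str, str]],
                 min_events: int = 5, max_cv: float = 0.1,
                 min_interval: float = 60) -> Dict[Pair, Dict[str, float]]:
    """Flag (src, dst) pairs whose connection inter-arrival times are regular.

    cv = pstdev(gaps) / mean(gaps); a well-behaved periodic check-in has a
    cv close to 0, interactive or bursty traffic has a cv near or above 1.
    """
    by_pair: Dict[Pair, List[int]] = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    results: Dict[Pair, Dict[str, float]] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # not enough observations to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap < min_interval:
            continue  # chatty traffic, not a slow periodic check-in
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            results[pair] = {"events": len(stamps),
                             "mean_interval": mean_gap,
                             "cv": round(cv, 4)}
    return results


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_CONNS).items():
        print(f"{src} -> {dst}: {info['events']} events, "
              f"every ~{info['mean_interval']} s (cv={info['cv']})")
```

The limitation is the one the course's encrypted-traffic material leads to: an implant that adds heavy random jitter pushes the coefficient of variation above `max_cv`, so this check is one signal to combine with the JA3 threat-intel match in the query above and with per-pair byte-size consistency, not a verdict on its own.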

Toolkit Deep Dives

1. SOF-ELK for Large-Scale Analysis

Custom dashboard aggregation for lateral movement (Elasticsearch query DSL fragment):

```json
{
  "aggs": {
    "unusual_smb": {
      "terms": {"field": "event_data.SourceIp", "size": 10},
      "aggs": {
        "port_filter": {"filter": {"term": {"DestinationPort": 445}}}
      }
    }
  }
}
```

2. NetworkMiner Pro Tips

```bash
# Extract files from encrypted streams
networkminer -r capture.pcap --regex "(?i)\.doc[xm]?$" --output /forensics/files
```

3. Zeek Scripting for Custom Logs

```zeek
# Custom Zeek log stream: one JA3 fingerprint per connection
module TLSFingerprint;

export {
    redef enum Log::ID += { TLS_FINGERPRINT_LOG };

    type Info: record {
        ts:  time   &log;   # connection timestamp
        uid: string &log;   # Zeek connection uid
        ja3: string &log;   # client JA3 hash
    };
}

# Register the stream so Zeek writes tls_fingerprint.log
event zeek_init()
    {
    Log::create_stream(TLSFingerprint::TLS_FINGERPRINT_LOG,
                       [$columns=Info, $path="tls_fingerprint"]);
    }
```

Who Should Attend?

  • SOC Analysts needing deeper network forensic skills
  • Incident Responders handling enterprise breaches
  • Threat Hunters building detection content
  • Cloud Security Engineers investigating VPC threats

“FOR572 students demonstrated 47% faster incident containment in red team exercises compared to non-trained peers.”
— 2024 SANS Cyber Defense Survey


Continued Learning Pathways

📚 Pre-Course Reading:

  • “Network Forensics: Tracking Hackers Through Cyberspace” (2nd Ed.)
  • “Zeek (Bro) Network Security Monitor” by O’Reilly

🎓 Follow-On Courses:

  • FOR508: Enterprise Incident Response
  • SEC555: SIEM with Tactical Analytics