Review of SANS FOR 508 & Winning the CTF Coin

So, just before the end of a remarkably interesting and odd 2020 year. I decided to go ahead and take the FOR 508 class on Advanced Incident Response, Threat Hunting, and Digital Forensics. I felt this was a course that could really benefit security practitioners for understanding best practices & methods related to IR. As well as, learning new techniques for threat hunting in a large enterprise environment. I decided to put up a post listing our what you can plan to learn from this course should you decide to take it.

Winning the Coin

One of the coolest parts of the class is Day 6 (more details listed later). You get a chance to join into teams and compete in a class APT Threat group challenge. The team that wins the CTF gets an award in the sign of a special course specific SANS Coin. On top of that, SANS will add your name to the Community DFIR Coin holders list! It is a great achievement, and I have to say the challenge was very realistic and fun to tackle.

Personal Thoughts

Before I get into each day and what you will learn. I would like to list out some personal opinions of the course itself. If you are looking for an advanced course that will provide a very deep dive into forensic artifacts and investigating through an enterprise. This course is going to do that for you, and out of all the course I have taken so far. This one takes the prize when it comes to how detailed the course is even within 6 days of coursework. I found the EDR section helpful, as it has been an area I have heavily been working towards recently. The Section on the MITRE Framework was excellent. It was useful on how you can utilize it for threat hunting in an environment, and I felt it was something worthy of note taking.

I started off taking this course via vLive since COVID19 basically put any in-person training off limits for at least the next year or two. The tools provided (Slack), and Virtual video were perfect and caused no issue at all. And, all of the USB content you normally would get for the labs was downloadable online on the SANS course ware website.

Day 1 – Advanced Incident Response and Threat Hunting

Day 1 usually for most courses can be the drier day with a lot of information most people may already be aware of. The start of this course and section goes back to learning the IR methodology. The course dives right away into Threat hunting and even goes into a bit of the MITRE Framework. There is some good information on threat hunting across endpoints, where let’s face it most attacks will occur from much of the time. For most security practitioners, Day 1 is a great refresher and gets you thinking about how to look for attacks within an environment.

Day 2 – Intrusion Analysis

On Day 2 you will spend a good amount of time on methods for identifying intrusions. Detailed topics on lateral movement, Credential harvesting, log analysis. At the end of the day, the attackers need to eventually run code on a device to execute their attack. Therefore, they will always end up leaving some trace of evidence and artifacts. And you will learn different tools and areas where you can retrieve and find these artifacts to get a better understanding of when/if an intrusion has occurred in the environment.

Day 3 – Memory Forensics in Incident Response and Threat Hunting

Day 3 pretty much mostly deals with Memory Forensics and many great tools that can help conduct Incident response. If you work in an Enterprise setting, the tools and methods you learn on this day will be extremely useful to take back to work and try out. And you will get to learn about various memory forensics tools you can utilize in your forensic arsenal. There is an importance of understanding how memory forensics plays an effective role in detecting APT attackers. And, how memory can play a vital role for more advanced “fileless” malware and attacks.

Day 4 – Timeline Analysis

On Day 4, most of it is spent on building timelines, viewing patterns using timelines and figuring out if any odd outliers or trends can be seen from all the gathered evidence and artifacts. Most may not think of it, but timeline analysis plays a huge role during an Incident. It allows for building a larger picture of all the activities that took place during an incident and on every machine.

Day 5 – Incident Response & Hunting Across the Enterprise | Advanced Adversary and Anti-Forensics Detection

On Day 5, a large portion of it investigates IR techniques and Threat hunting methods within an Enterprise. For those that are working within a large organization. The techniques you will learn will investigate things such as having rich threat intelligence looking for known APT’s and their TTP’s. And tools and methods you can utilize to find these more advanced adversaries possibly targeting or those that may have already penetrated your environment.

Day 6 – The APT Threat Group Incident Response Challenge

Day 6 was a fun one and you get to use your newfound skills and put them to the test. You get put into teams and will work on a full day challenge to identify an intrusion and list out what type of activities transpired. Imagine, building a timeline of what took place, how, who, when, where and possibly why. This challenge prepares you for the real world if you already have not worked on a real IR incident after the fact.

I will not ruin the surprise of the challenge itself. What I will say is follow the typical patterns of an attacker.

How do most attackers get in?

What do they typically do after getting in?

How do they cover their tracks? 

What do they want when they get in?

Thinking like an attacker and then looking for artifacts and evidence that may corroborate that activity and will help you tremendously in the Day 6 challenge. Good luck everyone!


The lab work in this course is also top notch. There are a lot of “homework” or “out of class” lab work that you skip during the course week. But I would advise you work on all of the labs even the optional homework labs. There is a lot of information to learn, analyze and understand. So, expect that even though SANS gives a decent amount of lab time per a day. You will want to re-work on all the labs one again at a slower pace to really learn all the functions of each tool.

Future Plans

So, after taking this class my plans next are to challenge the GCFA exam. There is a lot of content to absorb and learn in this advanced course.  I am also planning to take either Sec 503 (leading into the GCIA cert), or FOR 578 (leading into the GCTI cert). There are a lot of interesting new SANS courses being offers, so lately there has been a lot to choose from compared to 5 years ago. I’ve also been keen on their new Cloud Security Pen testing course, as I’ve had the same instructor for a former course, and he was amazing to learn from.

I will also have a future post after my GCFA exam to cover my study methods and other helpful information for others.

Have any questions or want to share your own experience? Comment below.

No Responses to “Review of SANS FOR 508 & Winning the CTF Coin”


  1. Passing the GCFA exam - StealthBay - […] I highly advise everyone take the SANS FOR 508 course. You can read my review of it here ->…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.