SANS FOR509 in Copenhagen – What a week

FOR509 Challenge Coin
Thanks Antti for the image

Last week I attended SANS FOR509 – Enterprise Cloud Forensics and Incident Response in Copenhagen. The course is focused on cloud investigations across Microsoft 365, Azure, AWS, Google Workspace and Kubernetes. It was taught by Korstiaan Stam, who brought tons of experience.

Before the course I had worked quite a bit with Azure and had handled a few BEC cases in M365. I had no real experience with AWS, GCP or Kubernetes. That changed quickly. The course does a great job at tying things together and focusing on what matters during an investigation.

The labs were solid. You spend most of the time digging through log data, correlating events, learning what each service on each platform does, and trying to make sense of what an attacker did. This is not theoretical fluff. It is practical, hands-on and based on real-world techniques.

However, one of the biggest downsides to this course is that you do not get access to any of the cloud platforms. So if you didn’t have access to a tenant beforehand, you were a bit lost. It was, however, demonstrated in class.

Capstone Challenge

On day six we did the capstone challenge. I ended up on a team with two guys from Norway and Finland. We struggled a bit in the beginning, as we hadn’t prepared the data the day before (as the other team had) because we decided to play NetWars instead. I actually managed to win the NetWars DFIR coin together with my team, but I was tired after two days of hardcore CTF.

However, we had a ton of fun, and decided to work together as a team to solve the incident in a very structured way. I was the IR lead for the investigation.

At the end you had to present the findings of your investigation, which included events from all the major cloud providers. The context switching was very difficult, but super immersive.

We managed to win the FOR509 coin, which is now proudly sitting on my desk, next to my FOR509 Challenge coin.

FOR509 Challenge Coin

A month later I went for the GIAC GCFA exam and managed to score 93%.

If you work with cloud and incident response, I highly recommend this course. It teaches you where to look, what is useful, and how to build timelines and stories out of cloud logs. No buzzwords. Just solid DFIR work.