FOR608: Enterprise-Class Incident Response & Threat Hunting

Section one focuses on proactive cyber defense through early detection, rapid response, and collaboration using frameworks like MITRE ATT&CK. It covers active defense tactics like honeypots and canaries, as well as efficient incident response with tools like Aurora. We conclude with threat intelligence fundamentals and using platforms like MISP and OpenCTI.

Section two shifts to active response, starting with scoping an intrusion at Stark Research Labs. It highlights EDR evasion techniques and introduces Velociraptor for large-scale incident response. The section also covers integrating Velociraptor with Elasticsearch and emphasizes rapid, targeted data collection on specific hosts.

Section three focuses on host-based forensics, covering Windows attacks like ransomware and LOLBAS, with detection using Sigma rules, Elasticsearch, and Hayabusa. It then shifts to Linux DFIR, addressing exploits, file systems, logging, and hardening—building skills to investigate both Windows and Linux intrusions.

This section covers macOS incident response, including its ecosystem, data acquisition, log analysis, and key artifacts. It also introduces containerized environments, focusing on Docker and its role in modern enterprise investigations.

This section covers incident response in Microsoft Azure, M365, and AWS, highlighting unique cloud challenges and the MITRE ATT&CK® Cloud Matrix. It focuses on common attack scenarios, key logs, and tools like GuardDuty. It concludes with strategies for cloud response using security accounts, AMIs, and automation tools like Lambda and Step Functions.

Section six is the capstone exercise, where students apply course concepts to analyze a multi-platform breach. Using real-world tools and techniques, they’ll investigate an end-to-end incident across hosts and cloud systems, working in teams to simulate real-world response.