State-sponsored Cybercrime needs a “search and destroy” response from security forensics teams says leading expert

Written by DAWN NICHOLLS | 15 August 2012

Rob Lee to debut new advanced computer forensics course in Prague this October

The rise of Advanced Persistent Threat (APT) is changing how computer forensics and first response teams deal with suspected breaches. In the view of Rob Lee, a leading expert in the field and SANS Faculty Fellow, “When we talk about APT, let’s be clear, we are addressing state sponsored, highly skilled and organised cyber-attacks that are part of a long term strategic assault against economic, military and infrastructure targets.”

Over his 15 year career, Lee has seen the rise of APT. As a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information warfare and later as part of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics.

“Many of the traditional skills that Computer Forensic Analysis and Incident Response teams rely on need to be updated when it comes to APT,” says Lee, “Information security tend to think defensively while an APT attack needs a more robust response. Response teams need to search and destroy the root cause but often across multiple system and vectors in a highly scalable way.”

Lee is the Curriculum Lead for all of SANS’ Forensic courses and was part of the team that rewrote the SANS FORENSICS 508 Advanced Computer Forensic Analysis and Incident Response course with a syllabus that reflects the rise of APT. “The course is normally updated three times a year but we felt that the current landscape of state sponsored cyber-attacks needed to be addressed in a more fundamental way.”

FORENSICS 508 is an advanced course and requires each student to attend FOR408: Computer Forensic Investigation course or pass the FOR408 Assessment Test. One example of the new course’s response to APT is a more detailed section on advanced memory acquisition and analysis of live response and volatile evidence collection.

The new course will make its European debut at SANS first dedicated Digital Forensics training event in Prague in October. The full emersion experience over a 7 day event combines leading experts’ presentations and four in-depth IT forensics courses. The event will kick-off on 7th October with the annual European Digital Forensics and Incident Response Summit which will include respected experts from the IT security community sharing their knowledge and expertise to help senior practitioners fight cybercrime more effectively.

Alongside Rob Lee teaching FOR508, the event will debut the brand new FOR563: Mobile Device Forensics class, which will be taught by Jess Garcia. The impressive line up of instructors is completed with two more course authors and highly respected digital forensics practitioners, Chad Tilbury teaching FOR408: Computer Forensic Investigation – Windows In-Depth, and Lenny Zeltser teaching FOR610: Reverse Engineering Malware