DES Montana Disaster & Emergency Services
City of Bozeman
Prepared by Jason Kolman for Montana Disaster and Emergency Services
FY22 SLCGP
Primary Contact: Jamie Grabinski

Opportunity Details

Opportunity Information
Title: FY22 SLCGP
Description:
OVERVIEW: The purpose of the FY 2022 State and Local Cybersecurity Grant Program (SLCGP) is to strengthen cybersecurity practices and resilience of state and local governments. The SLCGP provides funding from the Infrastructure Investment and Jobs Act to implement investments that improve the security of critical infrastructure and improve the resilience of the services governments provide their communities. The grant is a reimbursable pass-through grant program with an overall goal to improve the cybersecurity posture of state and local government organizations by providing assistance for managing and reducing systemic cyber risk through the following objectives:
Objective 1: Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
Objective 3: Implement security protections commensurate with risk.
Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
IMPORTANT: Please review and follow the State and Local Cybersecurity Grant Program (SLCGP) state guidance document. The SLCGP grant requires the state to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support the development of the plan, adopt key cybersecurity best practices, and identify projects to implement using the SLCGP funding.
The cybersecurity committee has identified key efforts in the Cybersecurity Plan to strengthen cybersecurity across the state. All project applications must align with at least one of the focus areas identified in the plan. These focus areas are:
- Build cybersecurity awareness
- Build a professional cybersecurity workforce
- Server and workstation behavior-based endpoint protection
- Network monitoring and management intrusion detection systems for county networks
Each application must demonstrate how the project relates to improving, preventing, preparing for, protecting against, and responding to cybersecurity incidents and best practices.

Awarding Agency Name: Montana Disaster and Emergency Services
Agency Contact Name: Amanda Avard
Agency Contact Phone: 406-324-4777
Agency Contact Email: mtdesprep@mt.gov
Fund Activity Categories (Category / Explanation): no entries listed
Departments: Montana Disaster and Emergency Services
Subjects:
Opportunity Manager: Amanda Avard
Opportunity Posted Date: 7/16/2024
Opportunity Archive Date:
Announcement Type: Initial Announcement
Funding Opportunity Number:
Agency Opportunity Number:
Assistance Listings Number:
Public Link: https://mt.amplifund.com/Public/Opportunities/Details/2abc780e-2a8f-4fc4-99ad-6a96535bc030
Is Published: Yes

Funding Information
Opportunity Funding: $0.00
Funding Sources: Federal Or Federal Pass Through

Award Information
Award Type: Competitive
Capital Grant: No
Indirect Costs Allowed: No
Matching Requirement: No

Submission Information
Submission Window: 07/16/2024 10:00 AM - 09/13/2024 11:55 PM
Submission Timeline Type: One Time
Submission Timeline Additional Information: For FY2022 SLCGP funds, each county, tribe, city, or special district may apply for funding in all focus areas. Projects must be prioritized due to limited federal funding available.
Allow Multiple Applications: No
Application Review Start Date/Pre-Qualification Deadline: 6/3/2024
Other Submission Requirements: Cost share or match is not required for the FFY2022 SLCGP. Future awards will have cost share requirements. Match amounts for each year are as follows: FY2023 20%, FY2024 30%, FY2025 40%. Local match may be in-kind/soft from eligible activities.
Question Submission Information:
Attachments:
• FY22 State and Local Cybersecurity Grant State Guidance - Released 7-16-2024

Eligibility Information
Eligibility Type: Public
Additional Eligibility Information: Eligible Applicants for competitive awards include local and tribal governments. Local government means a city, town, county, consolidated city-county, special district, or school district or subdivision of these entities. Nonprofit, for-profit, and other entities not deemed as a local government entity are not eligible to receive SLCGP funds.

Additional Information
Additional Information URL: https://des.mt.gov/Grant-Programs/State-Local-Cyber-Security-Grant-Program

Award Administration Information
State Award Notices: This is a competitive state grant, and there are often more funding requests than funding available. The Cybersecurity Planning Committee will make the final decision on projects to be included in the state application to FEMA in late spring. All applicants will be informed as to the status of their projects after the state application has been submitted. Please note: the project period of performance is projected to begin October 1, 2024.
Reporting: For those projects awarded, preparedness reports (a.k.a. status reports) will be due by the 10th day after the end of each quarter until the project is complete and until a closeout request is submitted to your grant coordinator.

State Awarding Agency Contacts
Amanda Avard - State Authorized Representative
Pam Fruh, Pam.Fruh@mt.gov, 406-439-5917
Emily Schuff, Emily.Schuff@mt.gov, 406-417-9236

Project Information

Application Information
Application Name: City of Bozeman
Award Requested: $22,250.00
Total Award Budget: $22,250.00

Primary Contact Information
Name: Jamie Grabinski
Email Address: jgrabinski@bozeman.net
Address: 121 N. Rouse Ave, P.O. Box 1230, Bozeman, MT 59715
Phone Number: 406-582-2364

Project Description

Applicant Entity Information
Entity Name: City of Bozeman
Entity Street Address: 121 N. Rouse Ave
Entity City: Bozeman
Entity State: Montana
Entity Zip: 59715
County Located In: United States

Entity Signatory Authority Information
The signatory authority listed has been informed of the submission of this grant and may receive notices about reports submitted by the Authorized Representative.
Name of Signatory Authority: Chuck Winn
Title: City Manager
Signatory Authority Email Address: cwinn@bozeman.net
Signatory Authority Phone Number (xxx-xxx-xxxx): 406-582-2307

Project Manager (Authorized Representative)
Project Manager First Name: Scott
Project Manager Last Name: McMahan
Project Manager Phone Number (xxx-xxx-xxxx): 406-582-2277
Project Manager Email Address: smcmahan@bozeman.net
Project Manager Street Address: 20 E Olive Street
Project Manager City: Bozeman
Project Manager State: Montana
Project Manager Zip: 59715

Fiscal Officer/Agent Information
Fiscal Officer Name: Melissa Hodnett
Title: Finance Director
Organization: City of Bozeman
Fiscal Officer Telephone Number (xxx-xxx-xxxx): 406-582-2318
Fiscal Officer Email Address: mhodnett@bozeman.net

Administrative Organization Type: Local/City Government
(Options: County Government; Tribal Government; Local/City Government; Special District (School, Solid Waste, etc.); None of the Above)

UEI Number
Provide your valid Unique Entity Identification (UEI) number. This is NOT your Employer Identification Number (EIN). The Unique Entity Identification (UEI) number is now the required means of entity identification for federal awards government-wide. If you are registered in SAM.gov, you've been assigned a UEI. It's viewable in your SAM.gov entity registration record. If you do not know your UEI number, ask your local clerk and recorder or finance person; they will typically have that information. Refer to the link provided for more information and how to obtain a UEI number.
Click Here for Unique Entity Identifier Update Information
Applicant's Unique Entity Identification (UEI) Number (UEI is a 12 digit number with a combination of letters and numbers): EEAPKALAEM35

Applicant Assessment

Fiscal Assessment
Has applicant organization substantially changed their financial management and/or grant administration systems in the last 24 months? Answer: No
Does applicant organization's fiscal officer maintain written policies and procedures regarding the operation of all financial management systems? Answer: Yes
Has applicant organization received federal awards directly from a Federal Awarding agency over the last 24 months? Answer: Yes
If yes to above, list the grant name, year(s) received and awarding agency name. If there are too many to list, enter the most recent 5.
1. Bridgers DUI Vets Treatment Court Grant, received 10/01/2023 from U.S. Department of Justice.
2. Sustainable Organics Management Program, received 04/01/2024 from Environmental Protection Agency.
3. Safe Streets for All, received 05/01/2024 from U.S. Department of Transportation, FHWA.
Has the applicant organization applied for any other grant funding to support the project that is being submitted? Answer: No
Have there been any audit/financial findings for your organization within the last 24 months? Answer: No

Procurement Procedures
Does your jurisdiction/agency have a locally written and approved procurement policy? Answer: Yes
If yes to above, please upload your local procurement policy (if applicable): Administrative Order 2023-03 Procurement Policy, Training & Travel, and AP & Credit Card Use.pdf

Conflict of Interest
Does the jurisdiction have a potential or real conflict of interest? Answer: No

.GOV Domain Interest
MT DES is gathering information for future grant opportunities. At this time funding is not available to migrate entities to .GOV domains. Please answer the questions below to assist MT DES in collecting interest in future migration efforts. Please note public schools are not eligible for .GOV migration.
Does your organization currently use a .GOV domain? Answer: No
Is your organization interested in migrating to a .GOV domain? Answer: I Don't Know
(Options: Yes; No; I Don't Know; Not Eligible, Applicant Entity is a Public School)

SLCGP Baseline Requirements
BY ACCEPTING THIS AWARD THE APPLICANT AGREES TO COMPLETE, MAINTAIN, AND REPORT ON THE FOLLOWING SLCGP REQUIRED OBJECTIVES OR INFORMATION:
1. Verify and maintain contact information for staff managing the SLCGP and inform MT DES of any changes to personnel and contact information.
2. Submit quarterly performance reports using the Performance Progress Report form in the AmpliFund grant management system detailing milestones and work accomplished during the reporting period.
3. Complete the no cost Nationwide Cybersecurity Review (NCSR) assessment administered by MS-ISAC during the first year of the sub-award period of performance and annually until grant closeout.
4. Register and maintain CISA's no cost Cyber Hygiene (CyHy) Services:
   A. Vulnerability Services: evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
   B. Web Application Services: an "internet scanning-as-a-service." This service assesses the "health" of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. Additionally, CISA can recommend ways to enhance security in accordance with industry and government best practices and standards.
   C. Get started by emailing vulnerability@cisa.dhs.gov with the subject line "Requesting Cyber Hygiene Services."
5. Sign the local consent form that allows the state to utilize the funds to provide services to local governments.
Local Consent Form: If an entity is unable to digitally sign the PDF due to technical restrictions, the form may be printed and signed before attaching a scanned copy. FY22 SLCGP Local Consent Form.pdf
Upload the signed Local Consent Form. Form is provided above. FY22_SLCGP_Local_Consent_Form_1.0.pdf
Agreement: I acknowledge that the applicant entity agrees to complete the above SLCGP requirements during this application's grant period of performance? Answer: Yes
Signature: Chuck Winn
Date: 9/3/2024

SLCGP Focus Area Information
Instructions: APPLICATIONS ARE DUE NO LATER THAN 11:55 PM FRIDAY, September 13, 2024.
The Cybersecurity Committee has identified key efforts in the Cybersecurity Plan to strengthen cybersecurity across the state. Applicants are not guaranteed to receive funding even if the project aligns with a focus area identified within the Cybersecurity Plan. Upon review of the application the Cybersecurity Planning Committee may have additional questions or information requests.
FY 2022 Focus Areas Include:
• Build Cybersecurity Awareness
• Build a Professional Cybersecurity Workforce
• Server and Workstation Behavior Based Endpoint Protection
• Network Monitoring and Management Intrusion Detection System for County Networks
List your Entity Name: City of Bozeman

Build Cybersecurity Awareness
This focus area will provide funding for cybersecurity end user training. The cybersecurity training must be annual at a minimum and includes simulated phishing attacks, domain monitoring, security awareness training, and phishing campaign configuration. Applicants may request up to $3.50 per license. An option to purchase the KnowBe4 diamond-tier cybersecurity training off the State Information and Technology Service Division (SITSD) contract is available. See additional information for diamond-tier features attached below. Applicants may choose to purchase cybersecurity awareness training from a different vendor.
KnowBe4 Website: https://www.knowbe4.com/
KnowBe4's Diamond-Tier Key Features: KnowBe4 Diamond-Tier Key Features Fact Sheet.pdf
Are funds for Building Cybersecurity Awareness being requested in this application? Answer: No

Build a Professional Cybersecurity Workforce
This focus area provides cybersecurity training for IT privileged users and cyber professionals. Applicants may request up to $4,500.00 for this training; there is no guarantee that requested funds will be awarded. An option to purchase trainings through SANS Institute off of the State Information and Technology Service Division (SITSD) contract is available; in this case, the state will purchase and issue out each training voucher. Only one voucher per entity will be provided. Applicants may choose to purchase other cybersecurity trainings for their IT professional(s).
SANS Institute, Courses and Certificates Website: https://www.sans.org/cyber-security-courses/
Are funds for Building a Cybersecurity Workforce being requested in this application? Answer: Yes
Explain how the requested cybersecurity training provides benefit to your entity and relates to improving, preventing, preparing for, protecting against, and responding to cybersecurity incidents and best practices.
The cybersecurity training will benefit our entity by improving our ability to be more proactive in prevention and protecting against cyber incidents. This training will equip our staff with the skills and knowledge needed to address emerging cyber security threats more effectively when they do occur.
What type of cybersecurity training is being requested for your IT personnel? Answer: SANS Institute through SITSD
(Options: SANS Institute through SITSD; Other Cybersecurity Professional Training)
List the course provider, course name and description for the training being requested.
SANS Institute: FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
What is the estimated cost? Additional costs above $4,500.00 will be the responsibility of the applicant.
$8,525.00
Provide a job description for the IT professional(s) receiving this cybersecurity training.
Systems Administrator I: The principal function of an employee in this class is to administer the City's advanced local and wide area networks, servers, IP telephony systems, and personal computers and related peripherals. Special emphasis on the network and all security aspects of it including firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems.
Recommended: Upload job description for IT personnel. Sys Admin 1 class spec.pdf

Server and Workstation Behavior-Based Endpoint Protection
For whole of state cybersecurity this project is for SentinelOne antivirus software through State Information and Technology Division (SITSD). Applicants may request an estimated $63.00 per endpoint license and/or $84.00 per server for a one year service agreement for SentinelOne antivirus software through SITSD.
SentinelOne Website: https://www.sentinelone.com/
Are funds for SentinelOne behavior-based endpoint protection services being requested in this application? Answer: No

Network Monitoring and Management Intrusion Detection Systems for County Networks
This focus area provides Albert Sensor Network Monitoring and Management Intrusion Detection Systems (IDS) for an additional layer of alerting and visibility to County Governments, Critical Infrastructure, Election, and Emergency Services. Applicants may request up to $13,560.00 (Small Average Utilization 0MB-100MB) or $16,800.00 (Medium/Large Average Utilization 101MB-1.0GB) for a one year service agreement including hardware for Albert Sensor IDS to provide security alerts for known cyber threats. The grant will also cover the one-time set-up fee of $950.00 per sensor. See Albert Sensor fact sheet attached below for more information.
Albert Sensor IDS Fact Sheet: CIS-Albert Network Monitoring and Management.pdf
Are funds for an Albert Sensor Intrusion Detection System being requested in this application? Answer: Yes
The entity acknowledges and understands there is a fiscal responsibility to pay local match for future grant years. Match amounts for each year are as follows: FY2023 20%, FY2024 30%, FY2025 40%. Local match may be in-kind/soft from eligible activities. Answer: Yes
The entity acknowledges and understands to share Albert Sensor alerts with the Montana Analysis and Technical Information Center (MATIC). Answer: Yes
Explain how the requested Albert Sensor Intrusion Detection System provides benefit to your entity and relates to improving, preventing, preparing for, protecting against, and responding to cybersecurity incidents and best practices.
Albert will provide deeper visibility into network traffic. With real time monitoring we can more quickly respond to issues that come up. Having our traffic going through and being analyzed by a SOC will be a huge step forward for our network analysis.
What size Albert Sensor does your entity anticipate supporting with grant funds?
• Small Average Utilization 0MB-100MB for Service NOT Including Hardware - $11,160.00
• Small Average Utilization 0MB-100MB for Service with Hardware - $13,560.00
• Medium/Large Average Utilization 101MB-1.0GB for Service NOT Including Hardware - $14,400.00
• Medium/Large Average Utilization 101MB-1.0GB for Service with Hardware - $16,800.00
How many Albert Sensors are being requested? The grant will cover a one-time set-up fee of $950.00 per sensor. Answer: 1
Does your agency currently have an existing contract for an Intrusion Detection System? Federal funds can not be used to supplant existing IDS. Answer: No

Ranking of Focus Areas by Priority
Applicants may request funding in each of the focus areas identified within the Cybersecurity Plan. Due to limited federal funding available there may not be sufficient funds to award all applications. Please rank each focus area by priority 1, 2, 3, or 4 for your entity (1 being top priority and 4 being last priority). This will help the Cybersecurity Planning Committee better understand applicants' existing needs based on priority level.
Focus Areas Include:
• Build Cybersecurity Awareness
• Build a Professional Cybersecurity Workforce
• Server and Workstation Behavior Based Endpoint Protection
• Network Monitoring and Management Intrusion Detection System for County Networks
What priority level does your entity rank Build Cybersecurity Awareness? Third Priority
What priority level does your entity rank Build a Professional Cybersecurity Workforce? First Priority
What priority level does your entity rank Server and Workstation Behavior-Based Endpoint Protection? Fourth Priority
What priority level does your entity rank Network Monitoring and Management Intrusion Detection Systems for County Networks? Second Priority

Budget

Proposed Budget Summary
Expense Budget | Grant Funded | Total Budgeted
2. Build a Professional Cybersecurity Workforce
   SANS Training Course: FOR572 | $4,500.00 | $4,500.00
   Subtotal | $4,500.00 | $4,500.00
4. Network Monitoring and Management Intrusion Detection System for County Networks
   Albert Sensor | $17,750.00 | $17,750.00
   Subtotal | $17,750.00 | $17,750.00
Total Proposed Cost | $22,250.00 | $22,250.00

Revenue Budget | Grant Funded | Total Budgeted
Grant Funding
   Award Requested | $22,250.00 | $22,250.00
   Subtotal | $22,250.00 | $22,250.00
Total Proposed Revenue | $22,250.00 | $22,250.00

Proposed Budget Detail: See attached spreadsheet.

Proposed Budget Narrative
To help fill out the budget information please reference the responses provided in the SLCGP Focus Area Information form found in the Application Forms section. When filling out the Budget section, applicants may provide one lump sum total for costs being requested in each of the four project focus areas. Include specific information in the narrative section (i.e. what type of costs and total amount being requested).
2. Build a Professional Cybersecurity Workforce
SANS Training Course: FOR572: Requesting funding for one IT professional to take a SANS course: FOR572.
4. Network Monitoring and Management Intrusion Detection System for County Networks
Albert Sensor: Requesting 1 large Albert Sensor with hardware and Setup.

Docusign Envelope ID: 428F2983-205D-443D-B961-334C9B719C3D
DEPARTMENT OF MILITARY AFFAIRS, STATE OF MONTANA
Disaster & Emergency Services Division
1956 MT MAJO STREET - PO BOX 4789, FORT HARRISON, MONTANA 59636-4789
406.324.4777
THE HONORABLE GREG GIANFORTE, GOVERNOR
MAJOR GENERAL JOHN P. HRONEK, ADJUTANT GENERAL

FEDERAL FISCAL YEAR 2022 STATE AND LOCAL CYBERSECURITY GRANT PROGRAM LOCAL CONSENT AGREEMENT

I, Chuck Winn (printed name), the authorized agent on behalf of the City of Bozeman (Local Governmental Entity) located at 121 N. Rouse Ave., Bozeman, MT 59715 (physical address), hereby expressly consent to the State of Montana's State Administrative Agency (SAA), namely the Montana Disaster and Emergency Services Division (MT DES), undertaking the following acts in accordance with the State and Local Cybersecurity Grant Program (SLCGP) for Fiscal Year (FY) 2022, Funding Opportunity Number DHS-22-137-000-01, as authorized by Section 2220A of the Homeland Security Act of 2002, as amended (Pub. L. No. 107-296) (6 U.S.C. § 665g):
• Retain up to $485,573 in SLCGP funds for FY 2022 at the State Level for Management and Administration, whole of state coordination, and training.
• Utilize $1,942,293 in SLCGP funding for the following projects approved in the State of Montana Cybersecurity Plan on behalf of and for the benefit of local governments:
   o $167,293 for end user security awareness training
   o $75,000 for cyber professionals training
   o $1,250,000 for behavior-based end-point detection and response solution
   o $450,000 for network monitoring and management intrusion detection systems
Funds and/or services provided to local and rural areas will align to the FY2022 SLCGP pass-through requirements.
A minimum of 80% of federal funds, equivalent valued services, or a combination of funds and services provided under the grant will be provided to local governments, including a minimum of 25% to rural areas.
This consent is given freely and with the understanding that the Local Governmental Entity may receive items, services, capabilities, and activities (e.g. hardware, software, services) in lieu of funds from the SLCGP. This consent is only effective for the FY 2022 SLCGP funds.
Signed:
Signature: [Docusign electronic signature]   Date: 9/3/24
Printed Name: Chuck Winn
Title: City Manager

Budget Detail (attached spreadsheet)
Category | Item Type | Name | Non-Grant Funded | Grant-Funded | Cash Match | In-Kind Match | Other Funding | Direct Cost | Narrative | Attachments
2. Build a Professional Cybersecurity Workforce | Non Personnel | SANS Training Course: FOR572 | No | $4,500.00 | $0.00 | $0.00 | $0.00 | $4,500.00 | Requesting funding for one IT professional to take a SANS course: FOR572. | SANS_Institute_FOR572_Brochure.pdf
4. Network Monitoring and Management Intrusion Detection System for County Networks | Non Personnel | Albert Sensor | No | $17,750.00 | $0.00 | $0.00 | $0.00 | $17,750.00 | Requesting 1 large Albert Sensor with hardware and Setup |

SANS: The most trusted source for cybersecurity training, certifications, degrees, and research

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
CERTIFICATIONS: GIAC GNFA, Network Forensic Analyst, giac.org/gnfa
6 Day Program | 36 CPEs | Laptop Required
Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.

FOR572 was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today's investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting to their skills, in which existing evidence is used with newly-acquired threat intelligence to uncover evidence of previously-unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment. In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.

In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking—we'll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

FOR572 is an advanced course—we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stack networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE (OR PACKET) AT A TIME.

Discover how to take this course: Online; sans.org/for572

You Will Be Able To
• Extract files from network packet captures and proxy cache files for malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
• Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

Section Descriptions

SECTION 1: Off the Disk and Onto the Wire
Although many fundamental network forensic concepts align with those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.
TOPICS: Evaluating Web Proxy Data; Network Evidence Acquisition; Network Challenges and Opportunities; Hypertext Transfer Protocol (HTTP) Part 1: Protocol

SECTION 2: Core Protocols and Log Aggregation/Analysis
There are countless network protocols that may be in use in a production network environment. We will cover those that are most likely to benefit the forensicator in typical casework, as well as several that help demonstrate analysis methods useful when facing new, undocumented, or proprietary protocols. By learning the "typical" behaviors of these protocols, we can more readily identify anomalies that may suggest misuse of the protocol for nefarious purposes. These protocol artifacts and anomalies can be profiled through direct traffic analysis as well as through the log evidence created by systems that have control or visibility of that traffic. While this affords the investigator with vast opportunities to analyze the network traffic, efficient analysis of large quantities of source data generally requires tools and methods designed to scale.
TOPICS: Hypertext Transfer Protocol Part 2: Logs; Domain Name Service: Protocol and Logs; Forensic Network Security Monitoring; Logging Protocols and Aggregation; Elastic Stack and the SOF-ELK® Platform

SECTION 3: NetFlow and File Access Protocols
Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations. Whether within a victim's environment or for data exfiltration, adversaries must move their quarry around through the use of various file access protocols. By

SECTION 4: Commercial Tools, Wireless, and Full-Packet Hunting
Commercial tools are an important part of a network forensicator's toolkit. We'll discuss the benefits specific commercial tools may provide, as well as how they may best be integrated into an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.

Who Should Attend
• Incident response team members and forensicators
• Hunt team members
• Law enforcement officers, federal agents, and detectives
• Security Operations Center personnel and information security practitioners
• Network defenders
• Information security managers
• Network engineers
• IT professionals
• Anyone interested in computer network intrusions and investigations

"First course I've taken that gives insight into the forensic mindset required for investigating incidents."
—Tyler Whittington, PWC

NICE Framework Work Roles
• Cyber Defense Incident Responder (OPM 531)
• Cyber Operator (OPM 321)
• Cyber Crime Investigator (OPM 221)
• Law Enforcement/Counterintelligence Forensics Analyst (OPM 211)
• Cyber Defense Forensics Analyst (OPM 212)

GIAC GNFA: Network Forensic Analyst
® giac.org/gnfa knowing some of the more common file access and transfer TOPICS:Simple Mail Transfer Protocol;Object Extraction protocols,a forensicator can quickly identify an attacker's with NetworkMiner;Wireless Network Forensics;Automated GIAC Network Forensic Analyst theft actions. Tools and Libraries;Full-Packet Hunting with Arkime The GIAC Network Forensic Analyst TOPICS:NetFlow Collection and Analysis;Open-Source Flow (GNFA)certification validates a Tools;File Transfer Protocol;Microsoft Protocols practitioner's ability to perform examinations employing network SECTION 5:Encryption,Protocol Reversing, SECTION 6:Network Forensics Capstone forensic artifact analysis.GNFA OPSEC,and Intel Challenge certification holders have demonstrated an understanding of the Advancements in common technology have made it This section will combine all of what you have learned fundamentals of network forensics, easier to be a bad actor and harder for us to track them. prior to and during this week.In groups,you will examine normal and abnormal conditions Strong encryption methods are readily available and network evidence from a real-world compromise by an for common network protocols, custom protocols are easy to develop and employ.Despite advanced attacker.Each group will independently analyze processes and tools used to examine this,there are still weaknesses in the methods of even data,form and develop hypotheses,and present findings. device and system logs,and wireless the most advanced adversaries.As we learn what the No evidence from endpoint systems is available—only communication and encrypted attackers have deliberately hidden from us,we must the network and its infrastructure.Students will test their protocols. 
operate carefully to avoid tipping our hats regarding the understanding of network evidence and their ability to Network architecture,network investigative progress—or the attacker can quickly pivot, articulate and support hypotheses through presentations protocols,and network protocol nullifying our progress. made to the instructor and class.The audience will reverse engineering TOPICS:Encoding,Encryption,and SSL/TLS;Meddler- include senior-level decision makers,so all presentations in-the-Middle;Network Protocol Reverse Engineering; must include executive summaries as well as technical Encryption and encoding,NetFlow Investigation OPSEC and Threat Intel;Capstone Challenge details.Time permitting,students should also include analysis and attack visualization, Kickoff recommended steps that could help to prevent,detect,or security event&incident logging mitigate a repeat compromise. Network analysis tools and usage, TOPICS:Network Forensic Case wireless network analysis,&open source network security proxies The most SAMdegrees, source for rCERTIFICATIONS