Course Catalog 2018

The SANS Institute offers comprehensive cybersecurity training and certifications through over 65 unique courses taught by expert instructors, aimed at preparing professionals for current and future security challenges. With more than 200 live events globally and various online training options, SANS emphasizes hands-on learning and practical skills applicable in real-world scenarios. The institute also provides GIAC certifications to validate the skills acquired during training, ensuring mastery in specialized InfoSec domains.


The most trusted source for information security training, certification, and research

Cybersecurity Training and Certifications
2018 Catalog

90+ Extraordinary SANS certified instructors

200+ Live events globally, plus multiple online options

Curricula
• Cyber Defense
• Ethical Hacking
• Detection and Monitoring
• Management, Audit, Legal
• Penetration Testing
• Secure Development
• Incident Response
• Cyber Threat Intelligence
• Digital Forensics
• ICS/SCADA Security

“SANS is the best information security training you’ll find anywhere. World-class instructors, hands-on instruction, actionable information you can really use, and...NetWars!”
– Jeff Stebelton, Netjets, Inc.

Vol. 2 Summer/Fall/Winter
[Link]
SANS Institute
The most trusted source for information security training, certification, and research

The SANS Institute’s mission is to deliver cutting-edge information security knowledge and skills to companies, military organizations, and governments in order to protect people and assets.

CUTTING-EDGE TRAINING
More than 65 unique courses are designed to align with dominant security team roles, duties, and disciplines. The courses prepare students to meet today’s threats and tomorrow’s challenges. The SANS curriculum spans Cyber Defense, Digital Forensics & Incident Response, Threat Hunting, Audit, Management, Penetration Testing, Industrial Control Systems Security, Secure Software Development, and more. Each curriculum area offers a progression of courses that can take professionals from a subject’s foundations right up to top-flight specialization.
We constantly update and rewrite these courses to teach the most cutting-edge tools and techniques that are proven to keep networks safe.
Our training is designed to be practical. Students are immersed in hands-on lab exercises designed for them to practice, hone, and perfect what they’ve learned.

LEARN FROM EXPERTS
SANS courses are taught by an unmatched faculty of active security practitioners. Each instructor brings a wealth of real-world experience to every classroom – both live and online. SANS instructors work for high-profile organizations as red team leaders, CISOs, technical directors, and research fellows. Along with their respected technical credentials, SANS instructors are also expert teachers. Their passion for the topics they teach shines through, making the SANS classroom dynamic and effective.

WHY SANS IS THE BEST TRAINING AND EDUCATIONAL INVESTMENT
SANS immersion training is intensive and hands-on, and our courseware is unrivaled in the industry.
SANS instructors and course authors are leading industry experts and practitioners. Their real-world experience informs their teaching and training content. SANS training strengthens a student’s ability to achieve a GIAC certification.

SKILLS VALIDATION
GIAC exams and certifications ensure that professionals have learned and can apply the real-world knowledge and skills taught in class. More than 30 certifications align with SANS training and ensure mastery in critical, specialized InfoSec domains and job-specific roles. See [Link] for more information.

SANS FORMATS
More than 200 live SANS training events happen each year around the world. SANS training events provide an ideal learning environment, as well as opportunities to network with other security professionals, SANS instructors, and staff.
SANS training is also delivered online, with several convenient options to suit your learning style. All SANS online courses include at least four months of access to the course material anytime and anywhere, enabling students to revisit and rewind content.

THE SANS PROMISE
At the heart of everything we do is the SANS Promise: Students will be able to use the new skills they’ve learned as soon as they return to work.

HOW TO REGISTER FOR SANS TRAINING
Students can learn more and register online by visiting [Link]
Table of Contents

2 SANS Faculty
3 SANS Training Formats
4 Securing Approval and Budget for Training
5 Build a High-Performing Security Organization
6 SANS Training Roadmap
8 GIAC Certifications
9 SANS Flagship Programs and Free Resources
10 SANS Security Awareness
11 SANS Technology Institute
12 SEC401 Security Essentials Bootcamp Style
14 SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling
16 MGT512 SANS Security Leadership Essentials for Managers with Knowledge Compression™
18 SEC566 Implementing and Auditing the Critical Security Controls – In-Depth
20 SEC503 Intrusion Detection In-Depth
22 SEC511 Continuous Monitoring and Security Operations
24 SEC301 Introduction to Cyber Security
26 SEC487 Open-Source Intelligence Gathering (OSINT) and Analysis NEW!
27 SEC530 Defensible Security Architecture NEW!
28 SEC501 Advanced Security Essentials – Enterprise Defender
30 SEC505 Securing Windows and PowerShell Automation
32 SEC506 Securing Linux/Unix
34 SEC545 Cloud Security Architecture and Operations
36 SEC555 SIEM with Tactical Analytics
38 SEC579 Virtualization and Software-Defined Security
40 SEC599 Defeating Advanced Adversaries – Purple Team Tactics and Kill Chain Defenses
42 SEC560 Network Penetration Testing and Ethical Hacking
44 SEC542 Web App Penetration Testing and Ethical Hacking
46 SEC460 Enterprise Threat and Vulnerability Assessment NEW!
48 SEC573 Automating Information Security with Python
50 SEC575 Mobile Device Security and Ethical Hacking
52 SEC617 Wireless Penetration Testing and Ethical Hacking
54 SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
56 SEC660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
58 SEC760 Advanced Exploit Development for Penetration Testers
60 FOR508 Advanced Digital Forensics, Incident Response, and Threat Hunting
62 FOR572 Advanced Network Forensics and Analysis
64 FOR500 Windows Forensic Analysis
66 FOR518 Mac and iOS Forensic Analysis and Incident Response
68 FOR526 Memory Forensics In-Depth
70 FOR578 Cyber Threat Intelligence
72 FOR585 Advanced Smartphone Forensics
74 FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
76 MGT414 SANS Training Program for CISSP® Certification
78 MGT514 IT Security Strategic Planning, Policy, and Leadership
80 MGT517 Managing Security Operations: Detection, Response, and Intelligence
82 MGT525 IT Project Management, Effective Communication, and PMP® Exam Prep
84 AUD507 Auditing & Monitoring Networks, Perimeters, and Systems
85 LEG523 Law of Data Security and Investigations
86 DEV522 Defending Web Applications Security Essentials
88 DEV540 Secure DevOps and Cloud Application Security
90 DEV541 Secure Coding in Java/JEE: Developing Defensible Applications
91 DEV544 Secure Coding in .NET: Developing Defensible Applications
92 ICS410 ICS/SCADA Security Essentials
94 ICS515 ICS Active Defense and Incident Response
96 ICS456 Essentials for NERC Critical Infrastructure Protection
98 Additional Training Courses
102 Hosted Courses
103 SANS Voucher Program
104 SANS NetWars Experience
105 SANS Cybersecurity Summits

“SANS courses give you real-world skills that have an immediate value on the security environment.”
– Eric Kaithula, Symetra
SANS Faculty
A revered faculty of cybersecurity specialists author and teach SANS courses, which is why so many professionals choose SANS training again and again, year after year.

Just over 90 individuals are currently qualified to hold the title SANS Certified Instructor. They are the founders of international cybersecurity organizations, the authors of top-selling information security books, developers of the most advanced cyber ranges and CTF challenges, and they are called on to share their expertise with government and commercial organizations around the world regularly.

Whether you will train with us live at an event or online, SANS guarantees that you will be able to apply what you learn from our instructors and training as soon as you return to work.

“I have attended several SANS classes over the years and I am always impressed with the level of knowledge and professionalism of the instructors.”
– Ron Foupht, Sirius Computer Solutions

Meet the SANS faculty: [Link]/instructors
SANS Training Formats
After selecting your training path or course, compare SANS multiple live and online training formats for the structure and schedule that works best for you. SANS is committed to ensuring your training experience always exceeds expectations.

Live Classroom Instruction

Training Events
Live SANS training events feature SANS top instructors teaching multiple courses at a single location. These events feature:
• Focused, immersive learning without the distractions of your office environment
• Direct access to SANS Certified Instructors
• Interactions with and learning from other professionals
• SANS@Night events, NetWars, vendor presentations, industry receptions, and many other activities
Our live training events in North America, serving thousands of students, are held in Orlando, Washington DC, Las Vegas, New Orleans, and San Diego. Regional events with hundreds of students are held in most major metropolitan areas during the year.

Summits
SANS Summits focus one or two days on a single topic of particular interest to the community. Speakers and talks are curated to ensure the greatest applicability to participants. Closely aligned SANS courses are offered before or after each Summit to give attendees a convenient way to enhance their Summit experience with in-depth training.

Community SANS Courses
Same SANS courses, courseware, and labs, taught by up-and-coming instructors in a regional area. Smaller classes allow for more extensive instructor interaction. No need to travel; commute each day to a nearby location.

Private Classes
Have a SANS Certified Instructor train your staff privately on site so that you can incorporate insights, stories, and questions pertinent to your business objectives. Private training allows you to freely discuss sensitive issues and spend additional time on topics relevant to your organization.

Online Training
SANS Online Training delivers the same world-renowned instructors, content, and learning results as SANS live training options, with several unique and valuable benefits. Students who train online enjoy subject-matter-expert support throughout the course, online access to all course labs, and the ability to revisit content without limits.
No matter where you are or when you can train, SANS has courses that will fit around your life.

Top Reasons to Take SANS Training Online:
• Rewind your training, so you can review complex details or topics
• Revisit content to ensure you master key concepts
• Reinforce your learning with subject-matter experts and labs
• Retain your knowledge of course content with four or more months of access

Our SANS OnDemand, vLive, Simulcast, and SelfStudy formats are backed by nearly 100 professionals who ensure we deliver the same quality instruction online (including support) as we do at live training events.

“The decision to take five days away from the office is never easy, but so rarely have I come to the end of a course and had no regret whatsoever. This was one of the most useful weeks of my professional life.”
—Dan Trueman, Novae PLC

“I love the material, I love the SANS Online delivery, and I want the entire industry to take these courses.”
—Nick Sewell, IIT
Securing Approval and Budget for Training

Packaging matters
Write a formal request
• All organizations are different, but because training requires a significant investment of both time and money,
most successful training requests are made via a written document (short memo and/or a few PowerPoint
slides) that justifies the need and benefit. Most managers will respect and value the effort.
• Provide all the necessary information in one place. In addition to your request, provide all the right context by
including the summary pages on Why SANS?, the Training Roadmap, the instructor bio, and additional benefits
available at our live events or online.

Clearly state the benefits
Be specific
• How does the course relate to the job you need to be doing? Are you establishing baseline skills? Transitioning
to a more focused role? Decision-makers need to understand the plan and context for the decision.
• Highlight specifics of what you will be able to do afterwards. Each SANS course description includes a section
titled “You Will Be Able To.” Be sure to include this in your request so that you make the benefits clear. The
clearer the match between the training and what you need to do at work, the better.

Set the context
Establish longer-term expectations
• Information security is a specialized career path within IT with practices that evolve as attacks change. Because
of this, organizations should expect to spend 6%-10% of salaries to keep professionals current and improve
their skills. Training for such a dynamic field is an annual, per-person expense—not a once-and-done item.
• Take a GIAC Certification exam to prove the training worked. Employers value the validation of skills and
knowledge that a GIAC Certification provides. Exams are psychometrically designed to establish competency for
related job tasks.
• Consider offering trade-offs for the investment. Many professionals build annual training expenses into
their employment agreements even before joining a company. Some offer to stay for a year after they
complete the training.

Build a High-Performing Security Organization

Every professional entrusted with hands-on work should be trained to possess a common set of capabilities enabling them to secure systems, practice defense-in-depth, understand how attackers work, and manage incidents when they occur. Set a high bar for the baseline set of skills in your security organization.

Four job roles typically emerge as organizations grow in size, risk, and/or complexity:
• Security Monitoring & Detection Professionals – The detection of what is happening in your environment requires an increasingly sophisticated set of skills and capabilities. Vendor training all too often teaches to the tool, and not how or why the tool works, or how it can be best deployed. Identifying security anomalies requires increased depth of understanding to deploy detection and monitoring tools and interpret their output.
• Pen Testers & Vulnerability Analysts – The professional who can find weaknesses is often a different breed than one focused exclusively on building defenses. A basic tenet of red team/blue team deployments is that finding vulnerabilities requires a different way of thinking and different tools, but is essential for defense specialists to improve defenses.
• Forensic Investigators & Incident Responders – Whether you’re seeking to maintain a trail of evidence on host or network systems, or hunting for threats using similar techniques, larger organizations need specialized professionals who can move beyond first-response incident handling in order to analyze an attack and develop an appropriate remediation and recovery plan.
• Security Managers – With an increasing number of talented technologists, organizations require effective leaders to manage their teams and processes. Those managers will not necessarily perform hands-on work, but they must know enough about the underlying technologies and frameworks to help set strategy, develop appropriate policies, interact with skilled practitioners, and measure outcomes.

Within (or beyond) these four areas, high-performing security organizations will develop individual professionals to either utilize advanced skills generally, or to meet specialized needs. Along the entire spectrum, from Active Defense to Cloud Defense to Python for Pen Testers to Malware Re-engineering, SANS offers more than 30 courses for specialized roles or more advanced topics, meeting the needs of nearly all security professionals at every level.

[Figure: People & Skills = f (Size of Organization, Value at Risk). Axes: Size of Organization (horizontal), Value at Risk (vertical). Base layer: Professionals with Baseline Defensive Security Capabilities. Middle layer: Monitoring & Detection | Vulnerability Analysis & Pen Testing | Incident Response & Forensic Investigations | Security Managers. Top layer: Advanced Skills & Specialized Roles, including Blue Team Operations | Threat Hunting | ICS-SCADA | Secure Development | Active Defense | Mobile | Malware Reverse Engineering | Legal & Audit.]

Practical strategies for building an information security group, based on our research and observations globally:

• Use practical organizing principles to design your plan and efforts. Nearly all of the more complex frameworks may be reduced to a few simpler constructs, such as “Build and Maintain Defenses – Monitor and Detect Intrusion – Proactively Self-Assess – Respond to Incidents.”
• Prioritize your efforts within these areas using the CIS Critical Controls as you mature your own organization.
• Determine the number and type of professionals you require to perform the hands-on work. Engage in a persistent campaign to develop professionals with the appropriate skills and capabilities. Cybersecurity is a specialized practice area within IT and demands specialized training.
Training Roadmap | Development Paths
Baseline Skills | Focus | Job Roles

1 You are experienced in technology, but need to learn hands-on, essential security skills and techniques

Core Techniques | Prevent, Defend, Maintain
Every Security Professional Should Know:
• Security Essentials: SEC401 Security Essentials Bootcamp Style | GSEC
• Hacker Techniques: SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling | GCIH
All professionals entrusted with hands-on cybersecurity work should be trained to possess a common set of capabilities enabling them to secure systems, practice defense-in-depth, understand how attackers work, and manage incidents when they occur. To be secure, you should set a high bar for the baseline set of skills in your security organization.

New to Cybersecurity: SEC301 Introduction to Cyber Security | GISF

1b You will be responsible for managing security teams or implementations, but you do not require hands-on skills

Security Management | Managing Technical Security Operations
Every Security Manager Should Know:
• CISSP® Training: MGT414 SANS Training Program for CISSP® Certification | GISP
• Leadership Essentials: MGT512 SANS Security Leadership Essentials for Managers with Knowledge Compression™ | GSLC
• Critical Controls: SEC566 Implementing and Auditing the Critical Security Controls – In-Depth | GCCC
With an increasing number of talented technologists, organizations require effective leaders to manage their teams and processes. Those managers will not necessarily perform hands-on work, but they must know enough about the underlying technologies and frameworks to help set strategy, develop appropriate policies, interact with skilled practitioners, and measure outcomes.

2 You are experienced in security, preparing for a specialized job role or focus

Monitoring & Detection | Intrusion Detection, Monitoring Over Time
• Scan Packets & Networks: SEC503 Intrusion Detection In-Depth | GCIA
• Monitoring & Operations: SEC511 Continuous Monitoring and Security Operations | GMON
The detection of what is happening in your environment requires an increasingly sophisticated set of skills and capabilities. Identifying security anomalies requires increased depth of understanding to deploy detection and monitoring tools and to interpret their output.

Penetration Testing | Vulnerability Analysis, Ethical Hacking
Every Pen Tester Should Know:
• Networks: SEC560 Network Penetration Testing and Ethical Hacking | GPEN
• Web Apps: SEC542 Web App Penetration Testing and Ethical Hacking | GWAPT
The professional who can find weakness is often a different breed than one focused exclusively on building defenses. A basic tenet of red team/blue team deployments is that finding vulnerabilities requires a different way of thinking, and different tools, but is essential for defense specialists to improve their defenses.

Incident Response & Threat Hunting | Host & Network Forensics
Every Forensics and IR Professional Should Know:
• Endpoint Forensics: FOR500 Windows Forensic Analysis | GCFE
• Endpoint Forensics: FOR508 Advanced Digital Forensics, Incident Response, and Threat Hunting | GCFA
• Network Forensics: FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response | GNFA
Whether you’re seeking to maintain a trail of evidence on host or network systems, or hunting for threats using similar techniques, larger organizations need specialized professionals who can move beyond first-response incident handling in order to analyze an attack and develop an appropriate remediation and recovery plan.
Key to the roadmap entries: Quick Summary – Course Code Course Title | GIAC Certification
(for example: Advanced Generalist – SEC501 Advanced Security Essentials – Enterprise Defender | GCED)

Crucial Skills, Specialized Roles

SANS comprehensive course offerings enable professionals to deepen their technical skills in key practice areas. The courses also address other topics and audiences, such as security training for software developers, industrial control engineers, and non-technical personnel in management, legal, and audit.

3 You are a candidate for specialized or advanced training

Cyber Defense Operations | Harden Specific Defenses
Specialized Defensive Area:
• Advanced Generalist: SEC501 Advanced Security Essentials – Enterprise Defender | GCED
• Cloud Security: SEC545 Cloud Security Architecture and Operations
• Windows/PowerShell: SEC505 Securing Windows and PowerShell Automation | GCWN
• Linux/Unix Defense: SEC506 Securing Linux/Unix
• Virtualized Data Centers: SEC579 Virtualization and Software-Defined Security
• SIEM: SEC555 SIEM with Tactical Analytics | GCDA
Other Advanced Defense Courses:
• Critical Controls: SEC566 Implementing and Auditing the Critical Security Controls – In-Depth | GCCC
• Security Architecture: SEC530 Defensible Security Architecture
• Threat Defense: SEC599 Defeating Advanced Adversaries – Purple Team Tactics and Kill Chain Defenses | GDAT

Industrial Control Systems
ICS Security Professionals Need:
• Essentials: ICS410 ICS/SCADA Security Essentials | GICSP
• ICS Defense & Response: ICS515 ICS Active Defense and Incident Response | GRID
• NERC Protection / NERC Security Essentials: ICS456 Essentials for NERC Critical Infrastructure Protection | GCIP

Specialized Penetration Testing | Focused Techniques & Areas
In-Depth Coverage:
• Vulnerability Assessment: SEC460 Enterprise Threat and Vulnerability Assessment
• Networks: SEC660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking | GXPN
• Networks: SEC760 Advanced Exploit Development for Penetration Testers
• Web Apps: SEC642 Advanced Web App Testing, Ethical Hacking, and Exploitation Techniques
• Mobile: SEC575 Mobile Device Security and Ethical Hacking | GMOB
• Wireless: SEC617 Wireless Penetration Testing and Ethical Hacking | GAWN
• Hands-On Ranges: SEC562 CyberCity Hands-on Kinetic Cyber Range Exercise
• Python Coding: SEC573 Automating Information Security with Python | GPYC

Development & Secure Coding
Every Developer Should Know:
• Secure Web Apps: DEV522 Defending Web Applications Security Essentials | GWEB
• Secure DevOps: DEV540 Secure DevOps and Cloud Application Security
Language-Specific Courses:
• JAVA/JEE: DEV541 Secure Coding in Java/JEE: Developing Defensible Applications | GSSP-JAVA
• .NET: DEV544 Secure Coding in .NET: Developing Defensible Applications

Digital Forensics, Malware Analysis, & Threat Intel | Specialized Investigative Skills
Malware Analysis:
• Malware Analysis: FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques | GREM
Threat Intelligence:
• Cyber Threat Intelligence: FOR578 Cyber Threat Intelligence | GCTI
Digital Forensics & Media Exploitation:
• Smartphones: FOR585 Advanced Smartphone Forensics | GASF
• Memory Forensics: FOR526 Memory Forensics In-Depth
• Mac Forensics: FOR518 Mac Forensic Analysis

Advanced Management | Advanced Leadership, Audit, Legal
Management Skills:
• Planning, Policy, Leadership: MGT514 Security Strategic Planning, Policy, and Leadership
• Managing Operations: MGT517 Managing Security Operations: Detection, Response, and Intelligence
• Project Management: MGT525 IT Project Management, Effective Communication, and PMP® Exam Prep | GCPM
Audit & Legal:
• Audit & Monitor: AUD507 Auditing and Monitoring Networks, Perimeters & Systems | GSNA
• Law & Investigations: LEG523 Law of Data Security and Investigations | GLEG
GIAC
The Highest Standard in Cybersecurity Certification

Job-Specific, Specialized Focus
Today’s cyber attacks are highly sophisticated and exploit specific vulnerabilities. Broad and general InfoSec certifications are no longer enough. Professionals need the specific skills and specialized knowledge required to meet multiple and varied threats. That’s why GIAC has more than 30 certifications, each focused on specific job skills and each requiring unmatched and distinct knowledge.

Deep, Real-World Knowledge
Theoretical knowledge is the ultimate security risk. Deep, real-world knowledge and hands-on skills are the only reliable means to reduce security risk. Nothing comes close to a GIAC certification to ensure that this level of real-world knowledge and skill has been mastered.

Most Trusted Certification Design
The design of a certification exam impacts the quality and integrity of a certification. GIAC exam content and question design are developed through a rigorous process led by GIAC’s on-staff psychometrician and reviewed by experts in each area. More than 78,000 certifications have been issued since 1999. GIAC certifications meet ANSI standards.
[Link]

“GIAC made the testing process much better than other organizations. The material is spot on with what I do at work, daily.”
– Jason Pfister, EWEB, GIAC Continuous Monitoring (GMON)

“I think the exam was both fair and practical. These are the kind of real-world problems I expect to see in the field.”
– Carl Hallberg, Wells Fargo, GIAC Reverse Engineering Malware (GREM)
SANS Flagship Programs and Free Resources

GIAC Certifications
SANS courses are the ideal preparation for a GIAC Certification, the highest standard in cybersecurity certification. More than 30 GIAC Certifications allow you to demonstrate your unique expertise in specialized areas of cybersecurity. No other certification program in the world comes close to GIAC in validating real-world knowledge and skill, due largely to the extensive exam preparation process and team of expert contributors.
[Link]

SANS Technology Institute - Graduate Degrees and Certificates
The graduate programs of the SANS Technology Institute are built upon proven SANS courses and certifications. Students can earn graduate degrees in Information Security Engineering or Information Security Management, or graduate certificates in Cybersecurity Engineering (Core), Cyber Defense Operations, Penetration Testing and Ethical Hacking, or Incident Response.
[Link]

SANS CyberTalent
SANS CyberTalent provides innovative workforce development and talent management solutions for the cybersecurity industry. Our web-based assessment tools and Immersion Academies help organizations build, retain, and motivate a high-performance cybersecurity team as well as grow the cybersecurity workforce.
[Link]/cybertalent

SANS Security Awareness
SANS Security Awareness offers a robust suite of computer-based security awareness training modules, support materials, and online phishing training that is engaging and effective. You can host our training on any learning management system, in many languages, to create a secure culture within your organization.
[Link]/awareness

Join the [Link] Community to Gain Access to the Following Free Resources and Much More | [Link]/join

• Newsletters – Three SANS e-newsletters, available for free
• SANS Posters – Tools, tips and techniques to hang in your office
• Blogs – Read what SANS instructors are thinking about in practice-area-specific blogs
• SANS Webcasts – Live, topical presentations from SANS experts, instructors, and trusted vendors
• SANS Reading Room – Constantly updated library of industry white papers
• Tip of the Day – Learn a new tip each day from the SANS Security Awareness team
• Internet Storm Center – The Internet’s early warning system
• 20 Critical Controls – Find supporting courses and case studies related to the critical security controls
• Security Policy Templates – Build your own security policy using one of the provided templates
Security awareness is hard.
We make it easy.

Expert
SANS security awareness training content is built by the world’s leading cybersecurity
practitioners. Our team of PhD instructional designers and cybersecurity experts
ensures learners engage with the content in a way that actually changes behavior.

Easy
The Advanced Cybersecurity Learning Platform (ACLP) makes it easy to manage and
deliver your awareness program by reducing the administrative burden through
intuitive design. The ACLP helps you avoid training fatigue by using role- and
rule-based training audiences.

Efficient
SANS delivers the platforms, products, resources and support security awareness
professionals need to do more with less. SANS support is second to none because we
know what it takes to be successful.

SANS Securing The Human Named Leader in Gartner 2016 Magic Quadrant

SANS content is designed, built and delivered by world-class instructors and cybersecurity
practitioners. These are the experts called in to analyze and fix high-profile, high-stakes
cybersecurity incidents. SANS Institute was named a Leader in the 2016 Gartner Magic Quadrant
for Security Awareness Computer-Based Training Vendors.

Download the Report: [Link]/gartner

Phishing Training | Knowledge Assessments | Culture & Behavior Change | Managed Services

To be the best, learn from the best.

Join the only graduate program designed and taught exclusively by world-renowned SANS faculty.
Find out why over 500 infosec professionals have chosen SANS graduate programs to advance their careers while remaining active in their jobs.
Visit [Link] for available programs, admissions deadlines, and to explore options for funding.

Master’s Degree:
M.S. in Information Security Engineering

Graduate Certificates:
Cyber Defense Operations
Cybersecurity Engineering (Core)
Incident Response
Industrial Control Systems
Penetration Testing & Ethical Hacking

“As a SANS graduate student, I learn cutting-edge, hands-on skills that are immediately useful at work.”
– Susan Ramsey, MSISE Candidate, Senior Security Engineer, UCAR

Tuition Reimbursement
Regional accreditation and Title IV eligibility
means tuition meets the requirements for
most corporate tuition reimbursement plans.

Funding for Veterans
Master’s degree and graduate certificate programs are eligible for VA Education Benefits.

Interest-free Payment Plan
Qualified master’s candidates can finance the program in monthly installments through SANS’ Tuition Payment Program.

Learn more at [Link]


The SANS Technology Institute is accredited by The Middle States Commission on
Higher Education, (3624 Market Street, Philadelphia, PA 19104 – 267-284-5000),
an institutional accrediting agency recognized by the U.S. Secretary of Education
and the Council for Higher Education Accreditation.

SEC401: Security Essentials Bootcamp Style
GSEC: Security Essentials | [Link]/gsec
6 Day Program | 46 CPEs | Laptop Required

Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.

You Will Be Able To
▐▐ Apply what you learned directly to your job when you go back to work
▐▐ Design and build a network architecture using VLANs, NAC, and 802.1x based on advanced persistent threat indicators of compromise
▐▐ Run Windows command line tools to analyze the system looking for high-risk items
▐▐ Run Linux command line tools (ps, ls, netstat, etc.) and basic scripting to automate the running of programs to perform continuous monitoring of various tools
▐▐ Install VMWare and create virtual machines to create a virtual lab to test and evaluate tools/security of systems
▐▐ Create an effective policy that can be enforced within an organization and design a checklist to validate security and create metrics to tie into training and awareness
▐▐ Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, cover ways to configure the system to be more secure
▐▐ Build a network visibility map that can be used for hardening of a network – validating the attack surface and covering ways to reduce that surface by hardening and patching
▐▐ Sniff open protocols like telnet and ftp and determine the content, passwords, and vulnerabilities using WireShark

Is SEC401: Security Essentials Bootcamp Style the right course for you?
STOP and ask yourself the following questions:
▐▐ Do you fully understand why some organizations get compromised and others do not?
▐▐ If there were compromised systems on your network, are you confident that you would be able to find them?
▐▐ Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
▐▐ Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, then SEC401 will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs. Learn to build a security roadmap that can scale today and into the future.

SEC401: Security Essentials Bootcamp Style is focused on teaching you the essential information security skills and techniques you need to protect and secure your organization’s critical information assets and business systems. Our course will show you how to prevent your organization’s security problems from being headline news in the Wall Street Journal!

Prevention is ideal but detection is a must.
With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization’s network depends on the effectiveness of the organization’s defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:
▐▐ What is the risk?
▐▐ Is it the highest priority risk?
▐▐ What is the most cost-effective way to reduce the risk?

Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.

SEC401 is available via (subject to change):

Featured Training Events
SANSFIRE (Washington, DC) Jul 16-21
Pittsburgh (Pittsburgh) Jul 30 - Aug 4
Boston Summer (Boston, MA) Aug 6-11
San Antonio (San Antonio, TX) Aug 6-11
New York City Summer (New York City, NY) Aug 13-18
N VA – Alexandria (Alexandria, VA) Aug 13-18
Virginia Beach (Virginia Beach, VA) Aug 26-31
Chicago (Chicago, IL) Aug 20-25
San Francisco Summer (San Francisco, CA) Aug 26-31
Tampa-Clearwater (Tampa, FL) Sep 4-9
Baltimore Fall (Baltimore, MD) Sep 10-15
Network Security (Las Vegas, NV) Sep 23-28
Denver (Denver, CO) Oct 15-20
Seattle Fall (Seattle, WA) Oct 15-20
Houston (Houston, TX) Oct 29 - Nov 3
Dallas Fall (Dallas, TX) Nov 5-10
San Diego Fall (San Diego, CA) Nov 12-17
San Francisco Fall (San Francisco, CA) Nov 26 - Dec 1
Austin (Austin, TX) Nov 26 - Dec 1
Nashville (Nashville, TN) Dec 3-8
Santa Monica (Santa Monica, CA) Dec 3-8
CDI (Washington, DC) Dec 13-18
Course Day Descriptions

DAY 1: Network Security Essentials
A key way that attackers gain access to a company’s resources is through a network connected to the Internet. A company wants to try to prevent as many attacks as possible, but in cases where it cannot prevent an attack, it must detect it in a timely manner. Therefore, an understanding and ability to create and identify the goals of building a defensible network architecture are critical. It is just as important to know and understand the architecture of the system, types of designs, communication flow and how to protect against attacks using devices such as routers and firewalls. These essentials, and more, will be covered on this first day in order to provide a firm foundation for the consecutive days of training.
Topics: Defensible Network Architecture; Virtualization and Cloud Security; Network Device Security; Networking and Protocols; Securing Wireless Networks; Securing Web Communications

DAY 2: Defense-In-Depth and Attacks
To secure an enterprise network, you must understand the general principles of network security. On Day 2, we look at threats to our systems and take a “big picture” look at how to defend against them. You will learn that protections need to be layered – a principle called defense-in-depth. We explain some principles that will serve you well in protecting your systems. You will also learn about key areas of network security.
Topics: Defense-in-Depth; Access Control and Password Management; Security Policies; Critical Controls; Malicious Code and Exploit Mitigations; Advanced Persistent Threat (APT)

DAY 3: Threat Management
Whether targeting a specific system or just searching the Internet for an easy target, an attacker uses an arsenal of tools to automate finding new systems, mapping out networks, and probing for specific, exploitable vulnerabilities. This phase of an attack is called reconnaissance, and it can be launched by an attacker any amount of time before exploiting vulnerabilities and gaining access to systems and networks. In fact, evidence of reconnaissance activity can be a clue that a targeted attack is on the horizon.
Topics: Vulnerability Scanning and Penetration Testing; Network Security Devices; Endpoint Security; SIEM/Log Management; Active Defense

DAY 4: Cryptography, Risk Management, and Response
There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. This course section looks at various aspects of encryption and how it can be used to secure a company’s assets. A related area called steganography, or information hiding, is also covered.
Topics: Cryptography; Cryptography Algorithms and Deployment; Applying Cryptography; Incident Handling and Response; Contingency Planning – BCP/DRP; IT Risk Management

DAY 5: Windows Security
Remember when Windows was simple? Windows XP desktops in a little workgroup…what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Office 365, Hyper-V, Virtual Desktop Infrastructure (VDI), and so on. Microsoft is battling Google, Apple, [Link], and other cloud giants for supremacy. The trick is to do it securely, of course. Windows is the most widely-used and targeted operating system on the planet. At the same time, the complexities of Active Directory, PKI, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. This section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work. You will complete the day with a solid grounding in Windows security by looking at automation, auditing and forensics.
Topics: Windows Security Infrastructure; Service Packs, Hot Fixes, and Backups; Windows Access Controls; Enforcing Security Policy; Securing Windows Network Services; Automation, Auditing, and Forensics

DAY 6: Linux Security
While organizations do not have as many Unix/Linux systems, those that they do have are often some of the most critical systems that need to be protected. This final course day provides step-by-step guidance to improve the security of any Linux system. The course combines practical “how to” instructions with background information for Linux beginners, as well as security advice and best practices for administrators of all levels of expertise. This module discusses the foundational items that are needed to understand how to configure and secure a Linux system. It also provides an overview of the operating system and mobile markets. To lay a foundation, it provides an overview of the different operating systems that are based on Linux.
Topics: Linux Security: Structure, Permissions and Access; Hardening and Securing Linux Services; Monitoring and Attack Detection; Security Utilities

Who Should Attend
▐▐ Security professionals who want to fill the gaps in their understanding of technical information security
▐▐ Managers who want to understand information security beyond simple terminology and concepts
▐▐ Operations personnel who do not have security as their primary job function but need an understanding of security to be effective
▐▐ IT engineers and supervisors who need to know how to build a defensible network against attacks
▐▐ Administrators responsible for building and maintaining systems that are being targeted by attackers
▐▐ Forensic specialists, penetration testers, and auditors who need a solid foundation of security principles to be as effective as possible at their jobs
▐▐ Anyone new to information security with some background in information systems and networking

“SEC401 is a great intro and overview of network security. It covered just enough information to get a baseline level of knowledge without going too in-depth on any one topic.”
-Josh Winter, Washington County, MN

OnDemand
E-learning available anytime, anywhere, at your pace

Mentor Events
Jacksonville, FL Jul 17 - Aug 28

Simulcast
Online Training Jul 16-21
Online Training Aug 6-11
Online Training Aug 13-18
Online Training Nov 12-17

Community Events
Bethesda, MD Jul 23-28
Bethesda, MD Nov 5-10

vLive
Online Training Sep 11 - Oct 18
Online Training Dec 11 - Jan 29

Private Training
All courses are available through Private Training.
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
GCIH: Incident Handler | [Link]/gcih
6 Day Program | 46 CPEs | Laptop Required

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection and one or two disgruntled employees (and whose does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. This course will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You Will Be Able To
▐▐ Apply incident handling processes in-depth, including preparation, identification, containment, eradication, and recovery, to protect enterprise environments
▐▐ Analyze the structure of common attack techniques in order to evaluate an attacker’s spread through a system and network, anticipating and thwarting further attacker activity
▐▐ Utilize tools and evidence to determine the kind of malware used in an attack, including rootkits, backdoors, and trojan horses, choosing appropriate defenses and response tactics for each
▐▐ Use built-in command-line tools such as Windows tasklist, wmic, and reg as well as Linux netstat, ps, and lsof to detect an attacker’s presence on a machine
▐▐ Analyze router and system ARP tables along with switch CAM tables to track an attacker’s activity through a network and identify a suspect
▐▐ Use memory dumps and the Volatility tool to determine an attacker’s activities on a machine, the malware installed, and other machines the attacker used as pivot points across the network
▐▐ Gain access to a target machine using Metasploit, and then detect the artifacts and impacts of exploitation through process, file, memory, and log analysis
▐▐ Analyze a system to see how attackers use the Netcat tool to move files, create backdoors, and build relays through a target environment
▐▐ Run the Nmap port scanner and Nessus vulnerability scanner to find openings on target systems, and apply tools such as tcpdump and netstat to detect and analyze the impacts of the scanning activity

“I will almost always recommend SEC504 as a baseline so that everyone is speaking the same language. I want my sysadmins to take it, my network admins to take it, even my devs to take it, regardless of whether they’re going to eventually move into an incident handling role. In my opinion it is the most critical, foundational class that SANS offers.”
-Kevin Wilcox, Information Security Specialist

SEC504 is available via (subject to change):

Featured Training Events
SANSFIRE (Washington, DC) Jul 16-21
Pittsburgh (Pittsburgh) Jul 30 - Aug 4
Boston Summer (Boston, MA) Aug 6-11
San Antonio (San Antonio, TX) Aug 6-11
New York City Summer (New York City, NY) Aug 13-18
N VA – Alexandria (Alexandria, VA) Aug 13-18
Virginia Beach (Virginia Beach, VA) Aug 20-31
Chicago (Chicago, IL) Aug 20-25
San Francisco Summer (San Francisco, CA) Aug 26-31
Tampa-Clearwater (Tampa, FL) Sep 4-9
Baltimore Fall (Baltimore, MD) Sep 10-15
Network Security (Las Vegas, NV) Sep 23-28
N VA Fall – Tysons (Tysons, VA) Oct 15-20
Denver (Denver, CO) Oct 15-20
Seattle Fall (Seattle, WA) Oct 15-20
Houston (Houston, TX) Oct 29 - Nov 3
DFIRCON Miami (Miami, FL) Nov 5-10
Dallas Fall (Dallas, TX) Nov 5-10
San Francisco Fall (San Francisco, CA) Nov 26 - Dec 1
Austin (Austin, TX) Nov 26 - Dec 1
Nashville (Nashville, TN) Dec 3-8
Santa Monica (Santa Monica, CA) Dec 3-8
CDI (Washington, DC) Dec 11-18
Course Day Descriptions

DAY 1: Incident Handling Step-by-Step and Computer Crime Investigation
The first part of this section looks at the invaluable Incident Handling Step-by-Step Model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes, and has been proven effective in hundreds of organizations. This section is designed to provide students a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) necessary to prepare for and deal with a computer incident. The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.
Topics: Preparation; Identification; Containment; Eradication; Recovery; Special Actions for Responding to Different Types of Incidents; Incident Record-Keeping; Incident Follow-Up

DAY 2: Computer and Network Hacker Exploits – Part 1
Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks.
Topics: Reconnaissance; Scanning; Intrusion Detection System Evasion; Hands-on Exercises for a List of Tools

DAY 3: Computer and Network Hacker Exploits – Part 2
Computer attackers are ripping our networks and systems apart in novel ways while constantly improving their techniques. This course day covers the third phase of many hacker attacks – gaining access. Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols.
Topics: Network-Level Attacks; Gathering and Parsing Packets; Operating System and Application-Level Attacks; Netcat: The Attacker’s Best Friend; Hands-on Exercises with a List of Tools

DAY 4: Computer and Network Hacker Exploits – Part 3
This course day starts out by covering one of attackers’ favorite techniques for compromising systems: worms. We will analyze worm developments over the last two years and project these trends into the future to get a feel for the coming Super Worms we will face. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations’ homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.
Topics: Password Cracking; Web Application Attacks; Denial of Service Attacks; Hands-on Exercises with a List of Tools

DAY 5: Computer and Network Hacker Exploits – Part 4
This course day covers the fourth and fifth phases of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply Rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities.
Topics: Maintaining Access; Covering the Tracks; Putting It All Together; Hands-on Exercises with a List of Tools

DAY 6: Hacker Tools Workshop
Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you. This workshop lets you put what you have learned over the past week into practice.
Topics: Hands-on Analysis

Who Should Attend
▐▐ Incident handlers
▐▐ Leaders of incident handling teams
▐▐ System administrators who are on the front lines defending their systems and responding to attacks
▐▐ Other security personnel who are first responders when systems come under attack

“The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.”
- Michael Hoffman, Shell Oil Products US

OnDemand
E-learning available anytime, anywhere, at your pace

Mentor Events
Cincinnati, OH Aug 21 - Oct 2

vLive
Online Training Oct 16 - Nov 29

Summit Events
Security Awareness (Charleston, SC) Aug 10-15
Threat Hunting & IR (New Orleans, LA) Sep 6-13
Alaska (Anchorage, AK) Sep 10-15
Oil & Gas Cybersecurity (Houston, TX) Oct 1-6
Pen Test HackFest (Bethesda, MD) Nov 14-19

Simulcast
Online Training Jul 16-21
Online Training Aug 6-11
Online Training Aug 13-18
Online Training Sep 8-13
Online Training Sep 23-28

Private Training
All courses are available through Private Training.
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™
GSLC: Security Leadership | [Link]/gslc
5 Day Program | 33 CPEs | Laptop Required

This completely updated course is designed to empower advancing managers who want to get up to speed quickly on information security issues and terminology. You won’t just learn about security, you will learn how to manage security. Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Publication 800 (series) guidance so that it can be particularly useful to U.S. government managers and supporting contractors.

Essential security topics covered in this management track include network fundamentals and applications, power, cooling and safety, architectural approaches to defense in depth, cyber attacks, vulnerability assessment and management, security policies, contingency and continuity planning, awareness management, risk management analysis, incident handling, web application security, and offensive and defensive information warfare, culminating with our management practicum. The material uses Knowledge Compression™, special charts, and other proprietary SANS techniques to help convey the key points of critical slides and keep the information flow rate at a pace senior executives demand every teaching hour of the course. The course has been evaluated and approved by CompTIA’s CAQC program for Security+ 2008 to ensure that managers and their direct reports have a common baseline for security terminology and concepts. You will be able to put what you learn into practice the day you get back into the office.

You Will Be Able To
▐▐ Establish a minimum standard for IT security knowledge, skills, and abilities. In a nutshell, this course covers all of the non-operating system topics that are in SANS SEC401: Security Essentials Bootcamp Style, though not to the same depth. The goal is to enable managers and auditors to speak the same language as system, security, and network administrators.
▐▐ Establish a minimum standard for IT management knowledge, skills, and abilities. We keep running into managers who don’t know what TCP/IP is, and that is OK; but then they don’t know how to calculate total cost of ownership (TCO), leaving us quietly wondering what they do know.
▐▐ Save the up-and-coming generation of senior and rapidly advancing managers a world of pain by sharing the things we wish someone had shared with us. As the saying goes, it is OK to make mistakes, just make new ones.

Knowledge Compression™

Maximize your learning potential!
just make new ones. Knowledge Compression™ is an optional add-on feature to a SANS class that aims to
maximize the absorption and long-term retention of large amounts of data over a relatively
short period of time. Through the use of specialized training materials, in-class reviews,
examinations and test-taking instruction, Knowledge Compression™ ensures students have
a solid understanding of the information presented to them. By attending classes that
feature this advanced training product, you will experience some of the most intense and
rewarding training programs SANS has to offer, in ways that you never thought possible!

“This course is highly useful for giving me a sound baseline of technical and general skills to help me manage an effective team.”
-Richard Ward, REA Group

MGT512 is available via (subject to change):

Featured Training Events
SANSFIRE (Washington, DC) Jul 16-20
New York City Summer (New York City, NY) Aug 13-17
Virginia Beach (Virginia Beach, VA) Aug 20-24
Tampa-Clearwater (Tampa, FL) Sep 4-8
Baltimore Fall (Baltimore, MD) Sep 10-14
Network Security (Las Vegas, NV) Sep 23-27
Austin (Austin, TX) Nov 26 - Dec 1
CDI (Washington, DC) Dec 13-17

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day
Descriptions

DAY 1: Managing the Enterprise, Planning, DAY 2: IP Concepts, Attacks Who Should Attend
Network, and Physical Plant Against the Enterprise, and Defense- ▐▐ All newly appointed
The course starts with a whirlwind tour of the information in-Depth information security officers
an effective IT security manager must know to function ▐▐ Technically skilled
On this course day you will learn about information
in today’s environment. We will cover safety, physical administrators who have
assurance foundations, which are presented in the
security, and how networks and the related protocols like recently been given leadership
context of both current and historical computer security
TCP/IP work, and equip you to review network designs responsibilities
threats, and how they have impacted confidentiality,
for performance, security, vulnerability scanning, and
integrity, and availability. You will also learn the methods ▐▐ Seasoned managers who want
return on investment. You will learn more about secure IT
of the attack and the importance of managing the attack to understand what their
operations in a single day than you ever thought possible.
surface. technical people are telling
Topics: Budget Awareness and Project Management; them
Topics: Attacks Against the Enterprise; Defense in Depth; The Network Infrastructure; Computer and Network Addressing; IP Terminology and Concepts; Vulnerability Management

Topics: Managing Security Policy; Access Control and Password Management; Managing Physical Safety, Security, and the Procurement Process

DAY 3: Secure Communications
This course section examines various cryptographic tools and technologies and how they can be used to secure a company’s assets. A related area called steganography, or information hiding, is also covered. Learn how malware and viruses often employ cryptographic techniques in an attempt to evade detection. We will learn about managing privacy issues in communications and investigate web application security.
Topics: Cryptography; Wireless Network Security; Steganography; Managing Privacy; Web Communications and Security; Operations Security, Defensive and Offensive Methods

DAY 4: The Value of Information
On this day we consider the most valuable resource an organization has: its information. You will learn about intellectual property, incident handling, and how to identify and better protect the information that is the real value of your organization. We will then formally consider how to apply everything we have learned, as well as practice briefing management on our risk architecture.
Topics: Managing Intellectual Property; Incident Handling Foundations; Information Warfare; Disaster Recovery/Contingency Planning; Managing Ethics; IT Risk Management

DAY 5: Management Practicum
On the fifth and final day, we pull it all together and apply the technical knowledge to the art of management. The management practicum covers a number of specific applications and topics concerning information security. We’ll explore proven techniques for successful and effective management, empowering you to immediately apply what you have learned your first day back at the office.
Topics: The Mission; Globalization; IT Business and Program Growth; Security and Organizational Structure; Total Cost of Ownership; Negotiations; Fraud; Legal Liability; Technical People

Course Author Statement
“SANS designed the Security Leadership Essentials for Managers course to emulate the format utilized by many executive MBA programs. While core source material is derived from our highly regarded SANS Security Essentials program, we decided to focus this course on the big picture of securing the enterprise: network fundamentals, security technologies, using cryptography, defense-in-depth, policy development, and management practicum. This course includes executive briefings designed to present a distilled summary of vitally important information security topics like operating system security and security threat forecasts. Ultimately, the goal of this program is to ensure that managers charged with the responsibility for information security can make informed choices and decisions that will improve their organization’s security.”
-Stephen Northcutt

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth
GCCC: Critical Controls
[Link]/gccc

5 Day Program | 30 CPEs | Laptop Required

Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. Does your organization have an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches? This course helps you master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS).

As threats evolve, an organization’s security should too. To enable your organization to stay on top of this ever-changing threat scenario, SANS has designed a comprehensive course that teaches students the Critical Security Controls, a prioritized, risk-based approach to security. Designed by private and public sector experts from around the world, the Controls are the best way to block known attacks and mitigate damage from successful attacks. They have been adopted by the U.S. Department of Homeland Security, state governments, universities, and numerous private firms.

The Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, and compliance schemes by prioritizing the most critical threat and highest payoff defenses, while providing a common baseline for action against risks that we all face.

The Controls are an effective security framework because they are based on actual attacks launched regularly against networks. Priority is given to Controls that (1) mitigate known attacks, (2) address a wide variety of attacks, and (3) identify and stop attackers early in the compromise cycle. The British government’s Center for the Protection of National Infrastructure describes the Controls as the “baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence.”

SANS’s in-depth, hands-on training will teach you how to master the specific techniques and tools needed to implement and audit the Critical Controls. It will help security practitioners understand not only how to stop a threat, but why the threat exists, and how to ensure that security measures deployed today will be effective against the next generation of threats. The course shows security professionals how to implement the Controls in an existing network through cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the Controls are effectively implemented.

You Will Be Able To
• Apply a security framework based on actual threats that is measurable, scalable, and reliable in stopping known attacks and protecting organizations’ important information and systems
• Understand the importance of each control, how it is compromised if ignored, and explain the defensive goals that result in quick wins and increased visibility of networks and systems
• Identify and utilize tools that implement controls through automation
• Learn how to create a scoring tool for measuring the effectiveness of each control
• Employ specific metrics to establish a baseline and measure the effectiveness of security controls
• Understand how the Critical Controls map to standards such as NIST 800-53, ISO 27002, the Australian Top 35, and more
• Audit each of the critical security controls, with specific, proven templates, checklists, and scripts provided to facilitate the audit process

“SEC566 provides great tools, explanation, and insight!”
-Ryan LeVan, Trex Company, Inc.

SEC566 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-20
Boston Summer, Boston, MA, Aug 6-10
N VA – Alexandria, Alexandria, VA, Aug 13-17
Tampa-Clearwater, Tampa, FL, Sep 4-8
Network Security, Las Vegas, NV, Sep 23-27
Houston, Houston, TX, Oct 29 - Nov 2
San Diego Fall, San Diego, CA, Nov 12-16
CDI, Washington, DC, Dec 13-17

OnDemand
E-learning available anytime, anywhere, at your pace

Community Events
Ottawa, ON, Nov 19-23

Course Day Descriptions

DAY 1: Introduction and Overview of the 20 Critical Controls
Day 1 will introduce you to all of the Critical Controls, laying the foundation for the rest of the class. For each Control, we will follow the same outline covering the following information:
• Overview of the Control
• How It Is Compromised
• Defensive Goals
• Quick Wins
• Visibility & Attribution
• Configuration & Hygiene
• Overview of Evaluating the Control
• Core Evaluation Test(s)
• Testing/Reporting Metrics
• Steps for Root Cause Analysis of Failures
• Audit/Evaluation Methodologies
• Evaluation Tools
• Exercise to Illustrate Implementation or Steps for Auditing a Control
In addition, Critical Controls 1 and 2 will be covered in depth.
Topics: Critical Control 1: Inventory of Authorized and Unauthorized Devices; Critical Control 2: Inventory of Authorized and Unauthorized Software

DAY 2: Critical Controls 3, 4, 5, and 6
Topics: Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers; Critical Control 4: Continuous Vulnerability Assessment and Remediation; Critical Control 5: Controlled Use of Administrative Privileges; Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

DAY 3: Critical Controls 7, 8, 9, 10, and 11
Topics: Critical Control 7: Email and Web Browser Protections; Critical Control 8: Malware Defenses; Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services; Critical Control 10: Data Recovery Capability (validated manually); Critical Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

DAY 4: Critical Controls 12, 13, 14, and 15
Topics: Critical Control 12: Boundary Defense; Critical Control 13: Data Protection; Critical Control 14: Controlled Access Based on the Need to Know; Critical Control 15: Wireless Device Control

DAY 5: Critical Controls 16, 17, 18, 19, and 20
Topics: Critical Control 16: Account Monitoring and Control; Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually); Critical Control 18: Application Software Security; Critical Control 19: Incident Response and Management (validated manually); Critical Control 20: Penetration Tests and Red Team Exercises (validated manually)

Who Should Attend
• Information assurance auditors
• System implementers or administrators
• Network security engineers
• IT administrators
• Department of Defense personnel and contractors
• Staff and clients of federal agencies
• Private sector organizations looking to improve information assurance processes and secure their systems
• Security vendors and consulting groups looking to stay current with frameworks for information assurance
• Alumni of SEC/AUD440, SEC401, SEC501, SANS Audit classes, and MGT512

“The training helps me understand why the Controls are necessary for securing systems at my organization.”
-Brandon McWilliams, SRP

Simulcast
Online Training, Aug 13-17
Online Training, Nov 12-16

Private Training
All courses are available through Private Training.

SEC503: Intrusion Detection In-Depth
GCIA: Intrusion Analyst
[Link]/gcia

6 Day Program | 46 CPEs | Laptop Required

Reports of prominent organizations being hacked and suffering irreparable reputational damage have become all too common. How can you prevent your company from becoming the next victim of a major cyber attack?

Preserving the security of your site in today’s threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.

Mark Twain said, “It is easier to fool people than to convince them that they’ve been fooled.” Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access and the ability to examine the alerts to give them meaning and context. You will learn to investigate and reconstruct activity to deem if it is noteworthy or a false indication.

This course delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open-source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

You Will Be Able To
• Configure and run open-source Snort and write Snort signatures
• Configure and run open-source Bro to provide a hybrid traffic analysis framework
• Understand TCP/IP component layers to identify normal and abnormal traffic
• Use open-source traffic analysis tools to identify signs of an intrusion
• Comprehend the need to employ network forensics to investigate traffic to identify and investigate a possible intrusion
• Use Wireshark to carve out suspicious file attachments
• Write tcpdump filters to selectively examine a particular traffic trait
• Craft packets with Scapy
• Use the open-source network flow tool SiLK to find network behavior anomalies
• Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire

“I got a deeper understanding of the topics from my class. This will help me get more data out of my investigations.”
-Alphonse Wichrowski, Allegiant Air

SEC503 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-21
San Antonio, San Antonio, TX, Aug 6-11
Virginia Beach, Virginia Beach, VA, Aug 20-25
Network Security, Las Vegas, NV, Sep 23-28
N VA Fall – Tysons, Tysons, VA, Oct 15-20
Denver, Denver, CO, Oct 15-20
Dallas Fall, Dallas, TX, Nov 5-10
San Diego Fall, San Diego, CA, Nov 12-17
CDI, Washington, DC, Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Security Operations, New Orleans, LA, Jul 30 - Aug 6

Course Day Descriptions

DAY 1: Fundamentals of Traffic Analysis – Part 1
Day 1 provides a refresher or introduction, depending on your background, to TCP/IP. It describes the need to understand packet structure and content. It covers the essential foundations such as the TCP/IP communication model, and the theory of bits, bytes, binary and hexadecimal. We introduce the use of open-source Wireshark and tcpdump for analysis. We begin our exploration of the TCP/IP communication model with the study of the link layer, the IP layer, both IPv4 and IPv6 and packet fragmentation in both. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open-source tools, Wireshark and tcpdump.
Topics: Concepts of TCP/IP; Introduction to Wireshark; Network Access/Link Layer: Layer 2; IP Layer: Layer 3

DAY 2: Fundamentals of Traffic Analysis – Part 2
Day 2 continues where the previous day ended in understanding the TCP/IP model. Two essential tools, Wireshark and tcpdump, are further explored, using their advanced features to give you the skills to analyze your own traffic. The focus of these tools on Day 2 is on filtering traffic of interest in Wireshark using display filters and in tcpdump using Berkeley Packet Filters. We proceed with our exploration of the TCP/IP layers covering TCP, UDP, and ICMP. Once again, we describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender.
Topics: Wireshark Display Filters; Writing tcpdump Filters; TCP; UDP; ICMP

DAY 3: Application Protocols and Traffic Analysis
Day 3 introduces the versatile packet crafting tool Scapy. It is a very powerful Python-based tool that allows for the manipulation, creation, reading, and writing of packets. Scapy can be used to craft packets to test the detection capability of an IDS/IPS, especially important when a new user-created IDS rule is added, for instance for a recently announced vulnerability. The examination of TCP/IP culminates with an exploration of the application protocol layer. The concentration is on some of the most widely used, and sometimes vulnerable, crucial application protocols: DNS, HTTP(S), SMTP, and Microsoft communications. Our focus is on protocol analysis, a key skill in intrusion detection. IDS/IPS evasions are the bane of the analyst, so the theory and possible implications of evasions at different protocol layers are examined.
Topics: Scapy; Advanced Wireshark; Detection Methods for Application Protocols; DNS; Microsoft Protocols; HTTP(2)/TLS; SMTP; IDS/IPS Evasion Theory

DAY 4: Network Monitoring: Snort and Bro
The fundamental knowledge gained from the first three days provides a fluid progression into one of the most popular days of SEC503. Snort and Bro are widely deployed open-source IDS/IPS solutions that have been industry standards for many years. The day begins with a discussion on network architecture, including the features of intrusion detection and prevention devices, along with a look at options and requirements of devices that can sniff and capture the traffic for inspection. Next, the topic of the analyst’s role in the detection process is examined. Before Snort and Bro are discussed, the capabilities and limitations are considered. Snort detection flow, running Snort, and rules are explored with an emphasis on writing efficient rules. It is likely that false positives and negatives will occur and tips for dealing with them are presented. Bro’s unique capability to use its own scripting language to write code to analyze patterns of event-driven behavior is one of the most powerful detection tools available to the analyst. We discuss how this enables monitoring and correlating activity and demonstrate with examples.
Topics: Network Architecture; Introduction to IDS/IPS Analysis; Snort; Bro

DAY 5: Network Traffic Forensics
The penultimate day continues the format of less instruction and more hands-on training using three separate incidents that must be analyzed. The three incident scenarios are introduced with some new material to be used in the related hands-on analysis. This material includes an introduction to network forensics analysis for the first scenario. It continues with using network flow records to assist in analysis of the traffic from the second scenario. It concludes by examining the third scenario, including Command and Control channels and managing analysis when very large packet capture files are involved.
Topics: Introduction to Network Forensics Analysis; Using Network Flow Records; Examining Command and Control Traffic; Analysis of Large pcaps

DAY 6: NetWars: IDS Version
The week culminates with a fun hands-on NetWars: IDS Version challenge. Students compete on teams to answer many questions that require using tools and theory covered in the first five days. This is a great way to end the week because it reinforces what was learned by challenging the student to think analytically and strengthens confidence to employ what was learned in a real-world environment.

Who Should Attend
• Intrusion detection (all levels), system, and security analysts
• Network engineers/administrators
• Hands-on security managers

Community Events
Columbia, MD, Aug 13-18

Simulcast
Online Training, Aug 6-11
Online Training, Nov 12-17

Private Training
All courses are available through Private Training.

SEC511: Continuous Monitoring and Security Operations
GMON: Continuous Monitoring
[Link]/gmon

6 Day Program | 46 CPEs | Laptop Required

We continue to underestimate the tenacity of our adversaries! Organizations are investing significant time and financial and human resources to combat cyber threats and prevent cyber attacks, but despite this tremendous effort, organizations are still getting compromised. The traditional perimeter-focused, prevention-dominant approach to security architecture has failed to prevent intrusions. No network is impenetrable, which is a reality that business executives and security professionals alike have to accept. Prevention is crucial, and we can’t lose sight of it as the primary goal. However, a new proactive approach to security is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses.

The underlying challenge for organizations victimized by an attack is timely incident detection. Industry data suggest that most security breaches typically go undiscovered for an average of seven months. Attackers simply have to find one way into most organizations, because they know that the lack of visibility and internal security controls will then allow them to methodically carry out their mission and achieve their goals.

The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will best position your organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior. The payoff for this new proactive approach will be early detection of an intrusion, or successfully thwarting the efforts of attackers altogether. The National Institute of Standards and Technology (NIST) developed guidelines described in NIST SP 800-137 for Continuous Monitoring (CM), and this course will greatly increase your understanding and enhance your skills in implementing CM utilizing the NIST framework.

SEC511 will take you on quite a journey. We start by exploring traditional security architecture to assess its current state and the attacks against it. Next, we discuss and discover modern security design that represents a new proactive approach to such architecture that can be easily understood and defended. We then transition to how to actually build the network and endpoint security, and then carefully navigate our way through automation, NSM/CDM/CSM. For timely detection of potential intrusions, the network and systems must be proactively and continuously monitored for any changes in the security posture that might increase the likelihood that attackers will succeed.

Your SEC511 journey will conclude with one last hill to climb! The final day (Day 6) features a Capture-the-Flag competition that challenges you to apply the skills and techniques learned in the course to detect and defend the modern security architecture that has been designed. Course authors Eric Conrad and Seth Misenar have designed the Capture-the-Flag competition to be fun, engaging, comprehensive, and challenging. You will not be disappointed!

You Will Be Able To
• Analyze a security architecture for deficiencies
• Apply the principles learned in the course to design a defensible security architecture
• Understand the importance of a detection-dominant security architecture and a Security Operations Center (SOC)
• Identify the key components of Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Monitoring (CM)
• Determine appropriate security monitoring needs for organizations of all sizes
• Implement robust Network Security Monitoring/Continuous Security Monitoring (NSM/CSM)
• Utilize tools to support implementation of Continuous Monitoring per NIST SP 800-137 guidelines
• Determine requisite monitoring capabilities for a SOC environment
• Determine capabilities required to support continuous monitoring of key Critical Security Controls

“SEC511 was a wonderful look into the world of the ‘Blue Team.’ The authors really put together a robust course full of great ideas and tactics to take on intrusion detection and continuous monitoring.”
-Cameron Johns, Tyson Foods, Inc.

SEC511 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-21
Boston Summer, Boston, MA, Aug 6-11
Virginia Beach, Virginia Beach, VA, Aug 26-31
Baltimore Fall, Baltimore, MD, Sep 10-15
Network Security, Las Vegas, NV, Sep 23-28
San Diego Fall, San Diego, CA, Nov 12-17
CDI, Washington, DC, Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Security Operations, New Orleans, LA, Jul 30 - Aug 6
Data Breach, New York City, NY, Aug 22-27
Threat Hunting & IR, New Orleans, LA, Sep 8-13
Course Day Descriptions

DAY 1: Current State Assessment, SOCs, and Security Architecture
We begin with the end in mind by defining the key techniques and principles that will allow us to get there. An effective modern Security Operations Center (SOC) or security architecture must enable an organization’s ability to rapidly find intrusions to facilitate containment and response. Both significant knowledge and a commitment to continuous monitoring are required to achieve this goal.
Topics: Current State Assessment, SOCs, and Security Architecture; Modern Security Architecture Principles; Frameworks and Enterprise Security Architecture; Security Architecture – Key Techniques/Practices; Security Operations Center

DAY 2: Network Security Architecture
Understanding the problems with the current environment and realizing where we need to get to is far from sufficient; we need a detailed roadmap to bridge the gap between the current and desired state. Day 2 introduces and details the components of our infrastructure that become part of a defensible network security architecture and SOC. We are long past the days when a perimeter firewall and ubiquitous antivirus were sufficient security. There are many pieces and moving parts that make up a modern defensible security architecture.
Topics: SOCs/Security Architecture – Key Infrastructure Devices; Segmented Internal Networks; Defensible Network Security Architecture Principles Applied

DAY 3: Network Security Monitoring
Designing a SOC or security architecture that enhances visibility and detective capabilities represents a paradigm shift for most organizations. However, the design is simply the beginning. The most important element of a modern security architecture is the emphasis on detection. The network security architecture presented in days one and two emphasized baking visibility and detective capabilities into the design. Now we must figure out how to look at the data and continuously monitor the enterprise for evidence of compromise or changes that increase the likelihood of compromise.
Topics: Continuous Monitoring Overview; Network Security Monitoring (NSM); Practical NSM Issues; Cornerstone NSM

DAY 4: Endpoint Security Architecture
One of the hallmarks of modern attacks is an emphasis on client-side exploitation. The days of breaking into networks via direct frontal assaults on unpatched mail, web, or DNS servers are largely behind us. We must focus on mitigating the risk of compromise of clients. Day four details ways in which endpoint systems can be both more resilient to attack and also enhance detective capabilities.
Topics: Security Architecture – Endpoint Protection; Dangerous Endpoint Applications; Patching

DAY 5: Automation and Continuous Security Monitoring
Network Security Monitoring (NSM) is the beginning; we need to not only detect active intrusions and unauthorized actions, but also to know when our systems, networks, and applications are at an increased likelihood for compromise. A strong way to achieve this is through Continuous Security Monitoring (CSM) or Continuous Diagnostics and Mitigation (CDM). Rather than waiting for the results of a quarterly scan or an annual penetration test to determine what needs to be addressed, continuous monitoring proactively and repeatedly assesses and reassesses the current security posture for potential weaknesses that need to be addressed.
Topics: CSM Overview; Industry Best Practices; Winning CSM Techniques; Maintaining Situational Awareness; Host, Port and Service Discovery; Vulnerability Scanning; Monitoring Patching; Monitoring Applications; Monitoring Service Logs; Monitoring Change to Devices and Appliances; Leveraging Proxy and Firewall Data; Configuring Centralized Windows Event Log Collection; Monitoring Critical Windows Events; Scripting and Automation

DAY 6: Capstone: Design, Detect, Defend
The course culminates in a team-based design, detect, and defend the flag competition that is a full day of hands-on work applying the principles taught throughout the week.
Topics: Security Architecture; Assessing Provided Architecture; Continuous Security Monitoring; Using Tools/Scripts Assessing the Initial State; Quickly/Thoroughly Find All Changes Made

Who Should Attend
• Security architects
• Senior security engineers
• Technical security managers
• Security Operations Center (SOC) analysts, engineers, and managers
• CND analysts
• Individuals working to implement Continuous Diagnostics and Mitigation (CDM), Continuous Security Monitoring (CSM), or Network Security Monitoring (NSM)

“SEC511 is a VERY worthwhile addition to the Cyber Defense curriculum for Blue Teamers.”
-Robert Peden, NextGear Capital

Community Events
Nashville, TN, Aug 13-18
Vancouver, BC, Aug 20-25
Ottawa, ON, Dec 10-15

Simulcast
Online Training, Jul 16-21
Online Training, Nov 12-17

vLive
Online Training, Sep 5 - Oct 11

Private Training
All courses are available through Private Training.
SEC301: Introduction to Cyber Security
GISF: Information Security Fundamentals
[Link]/gisf

5 Day Program | 30 CPEs | Laptop Required

To determine if SANS SEC301: Introduction to Cyber Security is right for you, ask yourself five simple questions:
• Do you have basic computer knowledge, but are new to cybersecurity and in need of an introduction to the fundamentals?
• Are you bombarded with complex technical security terms that you don’t understand?
• Are you a non-IT security manager who lies awake at night worrying that your company will be the next mega-breach headline story on the 6 o’clock news?
• Do you need to be conversant in basic security concepts, principles, and terms, even if you don’t need “deep in the weeds” detail?
• Have you decided to make a career change to take advantage of the job opportunities in cybersecurity and need formal training and certification?

If you answer yes to any of these questions, then the SEC301: Introduction to Cyber Security training course is for you. Students with a basic knowledge of computers and technology but no prior cybersecurity experience can jump-start their security education with insight and instruction from real-world security experts in SEC301.

This completely revised and comprehensive five-day course covers a wide range of baseline topics, including terminology, the basics of computer networks, security policies, incident response, passwords, and even an introduction to cryptographic principles. The hands-on, step-by-step learning format will enable you to grasp all the information presented even if some of the topics are new to you. You’ll learn fundamentals of cybersecurity that will serve as the foundation of your security skills and knowledge for years to come.

Written by a security professional with over 30 years of experience in both the public and private sectors, SEC301 provides uncompromising real-world insight from start to finish. The course prepares you for the Global Information Security Fundamentals (GISF) certification test, as well as for the next SANS course in this progression, SEC401: Security Essentials Bootcamp Style. It also delivers on the SANS promise: You will be able to use the knowledge and skills you learn in SEC301 as soon as you return to work.

You Will Be Able To
• Communicate with confidence regarding information security topics, terms, and concepts
• Understand and apply the Principles of Least Privilege
• Understand and apply the Confidentiality, Integrity, and Availability (CIA) Triad
• Build better passwords that are more secure while also being easier to remember and type
• Grasp basic cryptographic principles, processes, procedures, and applications
• Understand computer network basics
• Have a fundamental grasp of any number of critical technical networking acronyms, including TCP/IP, IP, TCP, UDP, MAC, ARP, NAT, ICMP, and DNS
• Utilize built-in Windows tools to see your network settings
• Recognize and be able to discuss various security technologies, including anti-malware, firewalls, and intrusion detection systems, content filters, sniffers, etc.
• Build a simple but fully functional firewall configuration
• Secure your browser using a variety of security plug-ins
• Secure a wireless access point (also known as a wireless router)
• Scan for malware, clean malware from a system, and whitelist legitimate software identified by an anti-malware scanner as “potentially unwanted”
• Access a number of websites to better understand password security, encryption, phishing, browser security, etc.

“SEC301 provided a great foundation for the topic of security, since I deal with it on a daily basis on a high level.”
-Richard Pollich, Broadridge Financial Solutions Inc.

SEC301 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-20
Boston Summer, Boston, MA, Aug 6-10
San Antonio, San Antonio, TX, Aug 6-10
Chicago, Chicago, IL, Aug 20-24
Virginia Beach, Virginia Beach, VA, Aug 20-24
Tampa-Clearwater, Tampa, FL, Sep 4-8
Baltimore Fall, Baltimore, MD, Sep 10-14
Network Security, Las Vegas, NV, Sep 23-27
N VA Fall – Tysons, Tysons, VA, Oct 15-19
Dallas Fall, Dallas, TX, Nov 5-9
San Diego Fall, San Diego, CA, Nov 12-16
Austin, Austin, TX, Nov 26 - Dec 1
CDI, Washington, DC, Dec 13-17

Course Day Descriptions

DAY 1: Security’s Foundation
Every good security practitioner and every good security program begins with the same mantra: learn the fundamentals. SEC301 starts by instilling familiarity with core security terms and principles. By the time you leave the classroom after the first day, you will fully understand the Principle of Least Privilege and Confidentiality, Integrity, Availability (CIA), and you’ll see why those principles drive all security discussions. You will be conversant in the fundamentals of risk management, security policy, and authentication/authorization/accountability.

DAY 2: Computer Functions and Networking
This course day begins with an explanation of how computers handle numbers using decimal, binary, and hexadecimal numbering systems. It also provides an understanding of how computers encode letters using the American Standard Code for Information Interchange (ASCII). We then spend the remainder of the day on networking. All attacks or exploits have one thing in common: they take something that exists for perfectly valid reasons and misuse it in malicious ways. Always! So as security practitioners, to grasp what is invalid we must first understand what is valid – that is, how things like networks are supposed to work. Only once we have that understanding can we hope to understand the mechanics of malicious misuse of those networks – and only with that knowledge can we understand how security devices such as firewalls seek to thwart those attacks. The networking discussion begins with a non-technical explanation of how data move across a network. From there we move to fundamental terminology dealing with network types and standards. You’ll learn about common network hardware such as switches and routers, and terms like “protocol” and “encapsulation.” We’ll give a very basic introduction to network addressing and port numbers and then work our way up the Open Systems Interconnection (OSI) protocol stack, introducing more detail only as we proceed to the next layer. In other words, we explain networking starting in non-technical terms and gradually progress to more technical detail as students are ready to take the next step. By the end of our discussions, you’ll have a fundamental grasp of any number of critical technical networking acronyms that you’ve often heard but never quite understood, including TCP/IP, IP, TCP, UDP, MAC, ARP, NAT, ICMP, and DNS.

DAY 3: An Introduction to Cryptography
Cryptography is one of the most complex issues faced by security practitioners. It is not a topic you can explain in passing, so we will spend some time on it. Not to worry, we won’t take you through the math behind cryptography. Instead, we learn basic crypto terminology and processes. What is steganography? What is substitution and transposition? What is a “work factor” in cryptography and why does it matter? What do we mean by symmetric and asymmetric key cryptography and “cryptographic hash,” and why do you need to know? How are those concepts used together in the real world to create cryptographic systems?

Who Should Attend
• Anyone new to cybersecurity and in need of an introduction to the fundamentals of security
• Those who feel bombarded with complex technical security terms they don’t understand, but want to understand
• Non-IT security managers who deal with technical issues and understand them and who worry their company will be the next mega-breach headline story on the 6 o’clock news
• Professionals with basic computer and technical knowledge in all disciplines who need to be conversant in basic security concepts, principles, and terms, but who don’t need “deep in the weeds” detail
• Those who have decided to make a career change to take advantage of the job opportunities in cybersecurity and need formal training and certification

DAY 4: Cybersecurity Technologies – Part 1
Our fourth day in the classroom begins our exploration of cybersecurity technologies. We begin with wireless network security (WiFi and Bluetooth), and mobile device security (i.e., cell phones). We follow that with a brief look at some common attacks. We then move into a discussion of malware and anti-malware technologies. We end the day with an examination of several data protection protocols used for email encryption, secure remote access, secure web access, secure file transfer, and Virtual Private Network (VPN) technologies.

DAY 5: Cybersecurity Technologies – Part 2
The final day of our SEC301 journey continues the discussion of cybersecurity technologies. The day begins by looking at several security technologies, including compartmentalization, firewalls, Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), sniffers, content filters, etc. We then take a good look at browser and web security, and the difficulties of securing the web environment. For example, students will understand why and how their browser connects to anywhere from 5 to 100 different Internet locations each time they load a single web page. We end the day with a look at system security to include hardening operating systems, patching, virtual machines, cloud computing, and backup.

“SEC301 is a great class for the individual who wants to learn an extensive amount of material in one week.”
-Steven Chovanec, Discover Financial Services

OnDemand
E-learning available anytime, anywhere, at your pace

Community Events
Cupertino, CA | Sep 10-14

Simulcast
Online Training | Aug 6-10
Online Training | Nov 12-17

Summit Events
Security Awareness | Charleston, SC | Aug 10-14

vLive
Online Training | Sep 18 - Oct 18

Private Training
All courses are available through Private Training.

SEC487: Open-Source Intelligence Gathering (OSINT) and Analysis NEW!

6 Day Program | 36 CPEs | Laptop Required

Immeasurable amounts of personal and potentially incriminating data are currently stored in the websites, apps, and social media platforms that people access and update daily via their devices. Those data can become evidence for citizens, governments, and businesses to use in solving real financial, employment, and criminal issues with the help of a professional information gatherer.

Many people think using their favorite Internet search engine is sufficient to find the data they need and do not realize that most of the Internet is not indexed by search engines. SEC487 teaches students legitimate and effective ways to find, gather, and analyze these data from the Internet. You’ll learn about reliable places to harvest data using manual and automated methods and tools. Once you have the information, we’ll show you how to ensure that it is sound, how to analyze what you’ve gathered, and how to make it useful to your investigations.

This is a foundational course in open-source intelligence (OSINT) gathering and, as such, will move quickly through many areas of the field. You will learn current, real-world skills, techniques, and tools that law enforcement, private investigators, cyber attackers, and defenders use to scour the massive amount of information across the Internet, analyze the results, and pivot on interesting pieces of data to find other areas for investigation. Our goal is to provide the OSINT knowledge base for students to be successful in their fields whether they are cyber defenders, threat intelligence analysts, private investigators, insurance claims investigators, intelligence analysts, law enforcement personnel, or just someone curious about OSINT.

Throughout the course week, students will participate in numerous hands-on labs using the tools and techniques that are the basis for gathering free data from the Internet. More than 20 labs in this course use the live Internet and dark web to help students gain real-world confidence. You’ll leave the course knowing not just how to use search features on a website, but all of the scenario-based requirements and OSINT techniques needed to gather truly important OSINT data.

You Will Be Able To
• Create an OSINT process
• Conduct OSINT investigations in support of a wide range of customers
• Understand the data collection life cycle
• Create a secure platform for data collection
• Analyze customer collection requirements
• Capture and record data
• Create sock puppet accounts
• Create your own OSINT process
• Harvest web data
• Perform searches for people
• Access social media data
• Assess a remote location using online cameras and maps
• Examine geolocated social media
• Research businesses
• Use government-provided data
• Collect data from the dark web
• Leverage international sites and tools
Author Statement
“I recognized that the barrier to performing excellent OSINT was not that there was no free
data on the Internet. It was that there was too much data on the Internet. The challenge
transitioned from ‘how do I find something’ to ‘how do I find only what I need?’ This course
was born from this need to help others learn the tools and techniques to effectively gather
and analyze OSINT data from the Internet.”
-Micah Hoffman, SEC487 Author

SEC487 is available via (subject to change):

Featured Training Events


Baltimore Fall Baltimore, MD Sep 10-15
Network Security Las Vegas, NV Sep 23-28
San Francisco Fall San Francisco, CA Nov 26 - Dec 1
CDI Washington, DC Dec 13-18

SEC530: Defensible Security Architecture NEW!

6 Day Program | 36 CPEs | Laptop Required

SEC530: Defensible Security Architecture is designed to help students build and maintain a truly defensible security architecture. “The perimeter is dead” is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in a new world of “de-perimeterization” where the old boundaries of “inside” and “outside” or “trusted” and “untrusted” no longer apply.

This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the “encrypt everything” mindset for devices such as Network Intrusion Detection Systems?

In this course, students will learn the fundamentals of up-to-date defensible security architecture. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to better prevent the threat landscape they face today. The course will also suggest newer technologies that will aid in building a robust security infrastructure.

While this is not a monitoring course, this course will dovetail nicely with continuous security monitoring, ensuring that security architecture not only supports prevention, but also provides the critical logs that can be fed into a Security Information and Event Management (SIEM) system in a Security Operations Center.

Hands-on labs will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

You Will Be Able To
• Analyze a security architecture for deficiencies
• Apply the principles learned in the course to design a defensible security architecture
• Determine appropriate security monitoring needs for organizations of all sizes
• Maximize existing investment in security architecture by reconfiguring existing assets
• Determine capabilities required to support continuous monitoring of key Critical Security Controls
• Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program

You Will Learn To
• Analyze a security architecture for deficiencies
• Apply the principles learned in the course to design a defensible security architecture
• Maximize the current investment by reconfiguring existing equipment to become more defensible
• Configure computer systems and network components to support proper logging and continuous monitoring
• Improve both preventive and detective capabilities
• Improve the security of devices from layer 1 (physical) through layer 7 (application)

Who Should Attend
• Security architects
• Network engineers
• Network architects
• Security analysts
• Senior security engineers
• System administrators
• Technical security managers
• CND analysts
• Security monitoring specialists
• Cyber threat investigators

“There are no other courses out there that cover practical hands-on security architecture.”
-Chris Kuhl, Premier Health

SEC530 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-20
Baltimore Fall | Baltimore, MD | Sep 10-15
Network Security | Las Vegas, NV | Sep 23-28
San Diego Fall | San Diego, CA | Nov 12-17
CDI | Washington, DC | Dec 13-18

Summit Events
Tactical Detection & Data Analytics | Scottsdale, AZ | Dec 6-11

SEC501: Advanced Security Essentials – Enterprise Defender
GCED: Enterprise Defender
[Link]/gced

6 Day Program | 38 CPEs | Laptop Required

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials – Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that “prevention is ideal, but detection is a must.” However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and respond appropriately to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

Despite an organization’s best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

You Will Be Able To
• Identify the threats against network infrastructures and build defensible networks that minimize the impact of attacks
• Access tools that can be used to analyze a network to prevent attacks and detect the adversary
• Decode and analyze packets using various tools to identify anomalies and improve network defenses
• Understand how the adversary compromises networks and how to respond to attacks
• Perform penetration testing against an organization to determine vulnerabilities and points of compromise
• Apply the six-step incident handling process
• Use various tools to identify and remediate malware across your organization
• Create a data classification program and deploy data loss prevention solutions at both a host and network level

Who Should Attend
• Incident response and penetration testers
• Security Operations Center engineers and analysts
• Network security professionals
• Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions

“SEC501 is a very valuable course to a Network/Security Administrator. The first chapter of Defensible Network Architecture is worth the price of admission in and of itself.”
-Ryan Bast, Subzero Group, Inc.

SEC501 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Pittsburgh | Pittsburgh | Jul 30 - Aug 4
San Francisco Summer | San Francisco, CA | Aug 26-31
Network Security | Las Vegas, NV | Sep 23-28
Houston | Houston, TX | Oct 29 - Nov 3
CDI | Washington, DC | Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Secure DevOps | Denver, CO | Oct 24-29

Course Day Descriptions

DAY 1: Defensive Network Architecture
This course day will focus on security in the design and configuration of various enterprise infrastructures. From a security perspective, proper design and configuration protects both the components being configured, as well as the rest of the organization that depends on that gear to defend other components from attacks. In other words, a good house needs a good foundation!
Topics: Security Benchmarks, Standards, and the Role of Audit in Defending Infrastructure; Defense Using Authentication and Authorization, and Defending Those Services; The Use of Logging and Security Information and Event Management (SIEM) in Defending an Organization from Attack; Attacking and Defending Critical Protocols; Several Man-in-the-Middle Attack Methods, and Defenses against Each; Infrastructure Defense Using IPS, Next-Generation Firewalls, and Web Application Firewalls; Defense of Critical Servers and Services; Active Defense; Defense of Private and Public Cloud Architectures

DAY 2: Penetration Testing
Security is all about understanding, mitigating, and controlling the risk to an organization’s critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise the environment. On day two, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration tests to better understand the security posture for network services, operating systems, and applications. In addition, we’ll talk about social engineering and reconnaissance activities to better emulate increasingly prevalent threats to users.
Topics: Introduction to Penetration Testing Concepts; Penetration Testing Scoping and Rules of Engagement; Online Reconnaissance and Offensive Counterintelligence; Social Engineering; Network Mapping and Scanning Techniques; Enterprise Vulnerability Scanning; Network Exploitation Tools and Techniques; Web Application Exploitation Tools and Techniques; Post-Exploitation and Pivoting; OS and Application Exploit Mitigations; Reporting and Debriefing

DAY 3: Network Detection and Packet Analysis
“Prevention is ideal, but detection is a must” is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack is not successfully prevented, network security professionals need to analyze network traffic to discover attacks in progress, ideally stopping them before significant damage is done. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.
Topics: Network Security Monitoring; IP, TCP, and UDP Refresher; Advanced Packet Analysis; Introduction to Network Forensics with Security Onion; Identifying Malicious Content and Streams; Extracting and Repairing Content from PCAP files; Traffic Visualization Tools; Intrusion Detection and Intrusion Prevention; Handling Encrypted Network Traffic

DAY 4: Digital Forensics and Incident Response
In this section, you will learn the core concepts of both “Digital Forensics” and “Incident Response.” We’ll explore some of the hundreds of artifacts that can give forensic investigators specific insight into what occurred during an incident. You will also learn how incident response currently operates, after years of evolving, in order to address the dynamic procedures used by attackers to conduct their operations. We’ll look at how to integrate DFIR practices into a continuous security operations program.
Topics: DFIR Core Concepts: Digital Forensics; DFIR Core Concepts: Incident Response; Modern DFIR: A Live and Continuous Process; Widening the Net: Scaling the DFIR Process and Scoping a Compromise

DAY 5: Malware Analysis
Malicious software is responsible for many incidents in almost every type of organization. Types of malware vary widely, from Ransomware and Rootkits to Crypto Currency Miners and worms. We will define each of the most popular types of malware and walk through multiple examples. The four primary phases of malware analysis will be covered: Fully Automated Analysis, Static Properties Analysis, Interactive Behavior Analysis, and Manual Code Reversing. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis. You will get hands-on experience with tricking the malware through behavioral analysis techniques, as well as decrypting files encrypted by Ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.
Topics: Introduction to Malware Analysis; The Many Types of Malware; ATM/Cash Machine Malware; Building a Lab Environment for Malware Analysis; Malware Locations and Footprints; Fully Automated Malware; Cuckoo Sandbox; Static Properties Analysis; Interactive Behavior Analysis; Manual Code Reversing; Tools such as IDA, PeStudio, ILSpy, Process Hacker, Process Monitor, NoFuserEx, etc.

DAY 6: Enterprise Defender Capstone
The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they submit flags to score points. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, routing protocols, scanning, malware analysis, and other challenges related to the course material.

Simulcast
Online Training Sep 23-28

Private Training
All courses are available through Private Training.

SEC505: Securing Windows and PowerShell Automation
GCWN: Windows Security Administrator
[Link]/gcwn

6 Day Program | 36 CPEs | Laptop Required

Hackers know how to use PowerShell for evil. Do you know how to use it for good? In SEC505 you will learn PowerShell and Windows security hardening at the same time. SecOps/DevOps requires automation, and Windows automation means PowerShell.

You’ve run a vulnerability scanner and applied patches – now what? A major theme of this course is defensible architecture: we have to assume that there will be a breach, so we need to build in damage control from the beginning. Whack-a-mole incident response cannot be our only defensive strategy – we’ll never win, and we’ll never get ahead of the game. By the time your monitoring system tells you a Domain Admin account has been compromised, IT’S TOO LATE.

For the assume-breach mindset, we must carefully delegate limited administrative powers so that the compromise of one administrator account is not a disaster across the board. Managing administrative privileges and credentials is a tough problem, so this course devotes an entire day to just this one critical task. Perhaps you’ve taken a hacking course at SANS and you now want to learn Windows mitigations: SEC505 is that course. SEC505 is the defense-only mirror image of SEC504 with regard to Windows and Active Directory.

Learning PowerShell is also useful for another kind of security: job security. Employers are looking for people with these skills. You don’t have to know any PowerShell to attend the course, we will learn it together. About half the labs during the week are PowerShell, while the rest use graphical security tools. Many of the PowerShell scripts written by the course author are available to download from GitHub for free.

This course is not a vendor show to convince you to buy another security appliance or to install yet another endpoint agent. The idea is to use built-in or free Windows and Active Directory security tools when we can (especially PowerShell and Group Policy) and then purchase commercial products only when absolutely necessary.

If you are an IT manager or CIO, the aim for this course is to have it pay for itself 10 times over within two years, because automation isn’t just good for SecOps/DevOps; it can save money too.

This course is designed for systems engineers, security architects, and the Security Operations (SecOps) team. The focus of the course is on how to automate the NSA Top 10 Mitigations and the CIS Critical Security Controls related to Windows, especially the ones that are difficult to implement in large environments.

SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to prove your Windows security expertise. The GCWN certification counts towards a Master’s Degree in Information Security from the SANS Technology Institute ([Link]) and satisfies the Department of Defense 8140 computing environment requirement. The GCWN is also a foundational certification for soldiers in the U.S. Army’s 255-S Information Protection Program. For DoD students, we will see how to apply the NSA/DISA Secure Host Baseline.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. We don’t cover patch management, share permissions, or other such basics – the aim is to go far beyond that. Come have fun learning PowerShell and Windows security at the same time!

You Will Be Able To
• Configure mitigations against attacks such as pass-the-hash, Kerberos golden tickets, Remote Desktop Protocol (RDP) man-in-the-middle, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses
• Execute PowerShell commands on remote systems and begin to write your own PowerShell scripts
• Harden PowerShell itself against abuse, and enable transcription logging for your SIEM
• Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach)
• Block hacker lateral movement and malware Command & Control channels using Windows Defender Firewall, IPsec, DNS sinkholes, admin credential protections, and more
• Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell
• Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root
• Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certification Authorities (CAs)
• Harden must-have protocols against exploitation, such as SSL/TLS, RDP, DNS, DNSSEC, PowerShell Remoting, and SMB
• Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more

SEC505 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Boston Summer | Boston, MA | Aug 6-11
Network Security | Las Vegas, NV | Sep 23-28
San Diego Fall | San Diego, CA | Nov 12-17
CDI | Washington, DC | Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Simulcast
Online Training | Jul 16-21
Online Training | Nov 12-17

vLive
Online Training | Oct 1 - Nov 7

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: PowerShell Automation and Security Enforcement
This course section covers what you need to know to get started using PowerShell. You don’t need to have any prior scripting or programming experience. We have PowerShell labs throughout the week, so today is not the only PowerShell material. We start with the essentials, then go more in depth as the week progresses. Don’t worry, you won’t be left behind, the PowerShell labs walk you through every step.
Topics: PowerShell Overview and Tips; What Can We Do With PowerShell?; Write Your Own Scripts

DAY 2: Continuous Secure Configuration
Running a vulnerability scanner is easy, but remediating vulnerabilities in a large enterprise is hard. Most vulnerabilities are fixed by applying patches, but this course does not talk about patch management, you’re doing that already. What about the other vulnerabilities, the ones not fixed by applying patches? These vulnerabilities are, by definition, remediated by configuration changes. That’s the hard part. We need a secure architecture designed for SecOps/DevOps.
Topics: Continuous Secure Configuration Enforcement; Group Policy Precision Targeting; Server Hardening for SecOps/DevOps; PowerShell Desired State Configuration (DSC)

DAY 3: Windows Public Key Infrastructure and Smart Cards
Don’t believe what you hear on the street: Public Key Infrastructure (PKI) is not that hard to manage on Windows! You’ll be pleasantly surprised at how much Group Policy, Active Directory, and PowerShell can help you manage your PKI. And we don’t really have a choice anymore: running a PKI is pretty much mandatory for Microsoft security and cloud computing. This day of the course is basically one long hands-on lab to install and configure a full Windows Server PKI. This includes a root Certification Authority (CA), Group Policy certificate auto-enrollment on endpoints, Online Certificate Status Protocol (OCSP) revocation checking, private key roaming for users, smart card certificate deployment, and, of course, more PowerShell examples.
Topics: Why Is a PKI Necessary?; How to Install the Windows PKI; How to Manage Your PKI; Deploying Smart Cards

DAY 4: Administrative Compromise and Privilege Management
Why do submarines have pressure doors to seal off compartments? Because they are designed to assume a breach will occur. In a Windows environment, a security breach will occur, so we must design the architecture with an “assume breach” mindset as well. If we assume that some day the computers and credentials of our administrators will be compromised, then how do we build damage control into the network from the beginning? This is not about detection and incident response. The challenge here is how to design for damage control when we delegate administrative privileges. We need to proactively design damage control into the architecture, not wait until after there is a breach (when it’s too late).
Topics: Secure Architecture: Admin Privileges; Compromise of Administrative Powers; PowerShell Just Enough Admin (JEA); Active Directory Permissions and Delegation

DAY 5: Endpoint Protection and Pre-Forensics
You are already applying patches and updating anti-virus signatures. But endpoint protection is much more than that. Because most advanced malware infections start with a compromised endpoint, we want to proactively build defensibility and damage control into our systems using a “zero trust” or “assume breach” model. How? AppLocker is an application whitelisting tool built into Windows to control which executables, scripts, DLLs and installer packages users may run. If hackers or malware attempt to launch an unauthorized process post-exploitation, the aim is to block it and log it. In the lab, we’ll use PowerShell and Group Policy to manage AppLocker. Application whitelisting can be hard to manage if used too aggressively, so we’ll also talk about how to get started without making the help desk phone ring off the hook.
Topics: Anti-Exploitation; IPSec Port Permissions; Host-Based Firewalls; Pre-Forensics

DAY 6: Defensible Networking and Blue Team WMI
Hackers love the Windows Management Instrumentation (WMI) service, and so should we. We are the linebackers on the Blue Team and the WMI service was made to benefit us, not hackers. The WMI service is enabled by default and accessible over the network. Through WMI we can do remote command execution (without PowerShell being installed at the target), forcibly log off the user, reboot the machine, stop services, search for processes running as Administrator, kill any process, and much more. The WMI service is nearly all-powerful and it’s built for remote administration. PowerShell is tightly integrated into WMI, and we’ll look at several PowerShell examples.
Topics: PowerShell and WMI; Hardening DNS; Dangerous Protocols We Can’t Live Without

Who Should Attend
• Security Operations personnel
• Blue Team players who were terrified by SEC504
• Windows endpoint and server administrators
• Anyone who wants to learn PowerShell automation
• Anyone implementing the NSA Top 10 Mitigations
• Anyone implementing the CIS Critical Security Controls
• DoD admins applying the NSA/DISA Secure Host Baseline
• Individuals deploying or managing a PKI or smart cards
• Anyone wanting a more rugged Windows architecture

“This class provided real-world examples and sample scripts to make a Windows-centric environment fundamentally more secure.”
-Nick Boardman, HRSD

31
SEC506: Securing Linux/Unix
GCUX Unix Security Administrator  [Link]/gcux

6 Day Program  36 CPEs  Laptop Required

This course provides in-depth coverage of Linux and Unix security issues that includes specific configuration guidance and practical, real-world examples, tips, and tricks. We examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix.

The course will teach you the skills to use freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS’s practical approach uses hands-on exercises every day to ensure that you will be able to use these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.

You Will Be Able To
• Significantly reduce the number of vulnerabilities in the average Linux/Unix system by disabling unnecessary services
• Protect your systems from buffer overflows, denial-of-service, and physical access attacks by leveraging OS configuration settings
• Configure host-based firewalls to block attacks from outside
• Deploy SSH to protect administrative sessions, and leverage SSH functionality to securely automate routine administrative tasks
• Use sudo to control and monitor administrative access
• Create a centralized logging infrastructure with Syslog-NG, and deploy log monitoring tools to scan for significant events
• Use SELinux to effectively isolate compromised applications from harming other system services
• Securely configure common Internet-facing applications such as Apache and BIND
• Investigate compromised Unix/Linux systems with the Sleuthkit, lsof, and other open-source tools
• Understand attacker rootkits and how to detect them with AIDE and rkhunter/chkrootkit

Topics
• Memory Attacks, Buffer Overflows
• File System Attacks, Race Conditions
• Trojan Horse Programs and Rootkits
• Monitoring and Alerting Tools
• Unix Logging and Kernel-Level Auditing
• Building a Centralized Logging Infrastructure
• Network Security Tools
• SSH for Secure Administration
• Server Lockdown for Linux and Unix
• Controlling Root Access with sudo
• SELinux and chroot() for Application Security
• DNSSEC Deployment and Automation
• mod_security and Web Application Firewalls
• Secure Configuration of BIND, Sendmail, and Apache
• Forensic Investigation of Linux Systems

“Linux security courses are a rare commodity and a valuable resource to the security professional.”
-Trevor Sellers, IDA Center for Communications Research

SEC506 is available via (subject to change):

Featured Training Events
SANSFIRE  Washington, DC  Jul 16-21
Network Security  Las Vegas, NV  Sep 23-28

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.
Course Day Descriptions

DAY 1: Hardening Linux/Unix Systems – Part 1
This course day tackles some of the most important techniques for protecting your Linux/Unix systems from external attacks, and it also covers what those attacks are so that you know what you’re defending against. This is a full-disclosure course with in-class demos of actual exploits and hands-on exercises to experiment with various examples of malicious software, as well as different techniques for protecting Linux/Unix systems.
Topics: Memory Attacks and Overflows; Vulnerability Minimization; Boot-Time Configuration; Encrypted Access; Host-Based Firewalls

DAY 2: Hardening Linux/Unix Systems – Part 2
Continuing our exploration of Linux/Unix security issues, this course day focuses on local exploits and access control issues. What do attackers do once they gain access to your systems? How can you detect their presence? How do you protect against attackers with physical access to your systems? What can you do to protect against mistakes (or malicious activity) by your own users?
Topics: Rootkits and Malicious Software; File Integrity Assessment; Physical Attacks and Defenses; User Access Controls; Root Access Control with sudo; Warning Banners; Kernel Tuning for Security

DAY 3: Hardening Linux/Unix Systems – Part 3
Monitoring your systems is critical for maintaining a secure environment. This course day digs into the different logging and monitoring tools available in Linux/Unix, and looks at additional tools for creating a centralized monitoring infrastructure such as Syslog-NG. Along the way, the course introduces a number of useful SSH tips and tricks for automating tasks and tunneling different network protocols in a secure fashion.
Topics: Automating Tasks With SSH; AIDE via SSH; Linux/Unix Logging Overview; SSH Tunneling; Centralized Logging with Syslog-NG

DAY 4: Application Security – Part 1
This course day examines common application security tools and techniques. The SCP-Only Shell will be presented as an example of using an application under chroot() restriction, and as a more secure alternative to file-sharing protocols like anonymous FTP. The SELinux application whitelisting mechanism will be examined in-depth. Tips for troubleshooting common SELinux problems will be covered and students will learn how to craft new SELinux policies from scratch for new and locally developed applications. Significant hands-on time will be provided for students to practice these concepts.
Topics: chroot() for Application Security; The SCP-Only Shell; SELinux Basics; SELinux and the Reference Policy

DAY 5: Application Security – Part 2
This course section is a full day of in-depth analysis on how to manage some of the most popular application-level services securely on a Linux/Unix platform. We will tackle the practical issues involved with securing three of the most commonly used Internet servers on Linux and Unix: BIND, Sendmail, and Apache. Beyond basic security configuration information, we will take an in-depth look at topics like DNSSec and Web Application Firewalls with mod_security and the Core Rules.
Topics: BIND; DNSSec; Apache; Web Application Firewalls with mod_security

DAY 6: Digital Forensics for Linux/Unix
This hands-on course day is designed to be an information-rich introduction to basic forensic principles and techniques for investigating compromised Linux and Unix systems. At a high level, it introduces the critical forensic concepts and tools that every administrator should know and provides a real-world compromise for students to investigate using the tools and strategies discussed in class.
Topics: Tools Throughout; Forensic Preparation and Best Practices; Incident Response and Evidence Acquisition; Media Analysis; Incident Reporting

Who Should Attend
• Security professionals looking to learn the basics of securing Unix operating systems
• Experienced administrators looking for in-depth descriptions of attacks on Unix systems and how they can be prevented
• Administrators needing information on how to secure common Internet applications on the Unix platform
• Auditors, incident responders, and InfoSec analysts who need greater insight into Linux and Unix security tools, procedures, and best practices

“This course gave me a better understanding of Linux internals and specific threat hunting ideas that I will use in my environment.”
-Shelby Peterson, Adobe
SEC545: Cloud Security Architecture and Operations

5 Day Program  30 CPEs  Laptop Required

As more organizations move data and infrastructure to the cloud, security is becoming a major priority. Operations and development teams are finding new uses for cloud services, and executives are eager to save money and gain new capabilities and operational efficiency by using these services. But will information security prove to be an Achilles’ heel? Many cloud providers do not provide detailed control information about their internal environments, and quite a few common security controls used internally may not translate directly to the public cloud.

SEC545: Cloud Security Architecture and Operations will tackle these issues one by one. We’ll start with a brief introduction to cloud security fundamentals, then cover the critical concepts of cloud policy and governance for security professionals. For the rest of day one and all of day two, we’ll move into technical security principles and controls for all major cloud types (SaaS, PaaS, and IaaS). We’ll learn about the Cloud Security Alliance framework for cloud control areas, then delve into assessing risk for cloud services, looking specifically at technical areas that need to be addressed.

The course then moves into cloud architecture and security design, both for building new architectures and for adapting tried-and-true security tools and processes to the cloud. This will be a comprehensive discussion that encompasses network security (firewalls and network access controls, intrusion detection, and more), as well as all the other layers of the cloud security stack. We’ll visit each layer and the components therein, including building secure instances, data security, identity and account security, and much more. We’ll devote an entire day to adapting our offense and defense focal areas to the cloud. This will involve looking at vulnerability management and pen testing, as well as covering the latest and greatest cloud security research. On the defense side, we’ll delve into incident handling, forensics, event management, and application security.

We wrap up the course by taking a deep dive into SecDevOps and automation, investigating methods of embedding security into orchestration and every facet of the cloud life cycle. We’ll explore tools and tactics that work, and even walk through several cutting-edge use cases where security can be automated entirely in both deployment and incident detection-and-response scenarios using APIs and scripting.

You Will Be Able To
• Revise and build internal policies to ensure cloud security is properly addressed
• Understand all major facets of cloud risk, including threats, vulnerabilities, and impact
• Articulate the key security topics and risks associated with SaaS, PaaS, and IaaS cloud deployment models
• Evaluate Cloud Access Security Brokers (CASBs) to better protect and monitor SaaS deployments
• Build security for all layers of a hybrid cloud environment, starting with hypervisors and working to application layer controls
• Evaluate basic virtualization hypervisor security controls
• Design and implement network security access controls and monitoring capabilities in a public cloud environment
• Design a hybrid cloud network architecture that includes IPSec tunnels
• Integrate cloud identity and access management (IAM) into security architecture
• Evaluate and implement various cloud encryption types and formats
• Develop multi-tier cloud architectures in a Virtual Private Cloud (VPC), using subnets, availability zones, gateways, and NAT
• Integrate security into DevOps teams, effectively creating a DevSecOps team structure
• Build automated deployment workflows using Amazon Web Services and native tools
• Incorporate vulnerability management, scanning, and penetration testing into cloud environments

“SEC545 helped to better align our policies to include cloud systems, and it gave me more insight into cloud systems and their configurations.”
-Craig Lunde, Discovery Benefits Inc.

SEC545 is available via (subject to change):

Featured Training Events
SANSFIRE  Washington, DC  Jul 16-20
San Francisco Summer  San Francisco, CA  Aug 26-30
Network Security  Las Vegas, NV  Sep 23-27
CDI  Washington, DC  Dec 13-17

Community Events
Washington, DC  Jul 30 - Aug 3
Ottawa, ON  Sep 24-28
Course Day Descriptions

DAY 1: Cloud Security Foundations
The first day of the course starts out with an introduction to the cloud, including terminology, taxonomy, and basic technical premises. We also examine what is happening in the cloud today, and cover the spectrum of guidance available from the Cloud Security Alliance, including the Cloud Controls Matrix, the 14 major themes of cloud security, and other research available. Next we spend time on cloud policy and planning, delving into the changes an organization needs to make for security and IT policy to properly embrace the cloud. After all the legwork is done, we’ll start talking about some of the main technical considerations for the different cloud models. We’ll start by breaking down Software-as-a-Service (SaaS) and some of the main types of security controls available. A specialized type of Security-as-a-Service (SecaaS) known as Cloud Access Security Brokers (CASBs) will also be explained, with examples of what to look for in such a service. We’ll wrap up with an introduction to Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) controls, which will set the stage for the rest of the course.
Topics: Introduction to the Cloud and Cloud Security Basics; Cloud Security Alliance Guidance; Cloud Policy and Planning; SaaS Security; Cloud Access Security Brokers (CASBs); Intro to PaaS and IaaS Security Controls

DAY 2: Core Security Controls for Cloud Computing
The second day of SEC545 compares traditional in-house controls with those in the cloud today. Some controls are similar and mostly compatible, but not all of them. Since most cloud environments are built on virtualization technology, we walk through a short virtualization security primer, which can help teams building hybrid clouds that integrate with internal virtualized assets, and also help teams properly evaluate the controls cloud providers offer in this area. We’ll then break down cloud network security controls and tradeoffs, since this is an area that is very different from what we’ve traditionally run in-house. For PaaS and IaaS environments, it’s critical to secure virtual machines (instances) and the images we deploy them from, so we cover this next. At a high level, we’ll also touch on identity and access management for cloud environments to help control and monitor who is accessing the cloud infrastructure, as well as what they’re doing there. We also cover data security controls and types, including encryption, tokenization, and more. Specific things to look for in application security are laid out as the final category of overall controls. We then pull it all together to demonstrate how you can properly evaluate a cloud provider’s controls and security posture.
Topics: Cloud Security: In-House versus Cloud; A Virtualization Security Primer; Cloud Network Security; Instance and Image Security; Identity and Access Management; Data Security for the Cloud; Application Security for the Cloud; Provider Security: Cloud Risk Assessment

DAY 3: Cloud Security Architecture and Design
Instead of focusing on individual layers of our cloud stack, we start day three by building the core security components. We’ll break down cloud security architecture best practices and principles that most high-performing teams prioritize when building or adding cloud security controls and processes to their environments. We start with infrastructure and core component security – in other words, we need to look at properly locking down all the pieces and parts we covered on day two! This then leads to a focus on major areas of architecture and security design. The first is building various models of access control and compartmentalization. This involves breaking things down into two categories: identity and access management (IAM) and network security. We delve into these in significant depth, as they can form the backbone of a sound cloud security strategy. We then look at architecture and design for data security, touching on encryption technologies, key management, and what the different options are today. We wrap up our third day with another crucial topic: availability. Redundant and available design is as important as ever, but we need to use cloud provider tools and geography to our advantage. At the same time, we need to make sure we evaluate the cloud provider’s disaster recovery and continuity, and so this is covered as well.
Topics: Cloud Security Architecture Overview; Cloud Architecture and Security Principles; Infrastructure and Core Component Security; Access Controls and Compartmentalization; Confidentiality and Data Protection; Availability

DAY 4: Cloud Security – Offense and Defense
There are many threats to our cloud assets, so the fourth day of the course begins with an in-depth breakdown of the types of threats out there. We’ll look at numerous examples. The class also shows students how to design a proper threat model focused on the cloud by using several well-known methods such as STRIDE and attack trees and libraries. Scanning and pen testing the cloud used to be challenging due to restrictions put in place by the cloud providers themselves. But today it is easier than ever. There are some important points to consider when planning a vulnerability management strategy in the cloud, and this class touches on how to best scan your cloud assets and which tools are available to get the job done. Pen testing naturally follows this discussion, and we talk about how to work with the cloud providers to coordinate tests, as well as how to perform testing yourself. On the defensive side, we start with network-based and host-based intrusion detection, and how to monitor and automate our processes to better carry out this detection. This is an area that has definitely changed from what we’re used to in-house, so security professionals need to know what their best options are and how to get this done. Our final topics on day four include incident response and forensics (also topics that have changed significantly in the cloud). The tools and processes are different, so we need to focus on automation and event-driven defenses more than ever.
Topics: Threats to Cloud Computing; Vulnerability Management in the Cloud; Cloud Pen Testing; Intrusion Detection in the Cloud; Cloud IR and Event Management; Cloud Forensics

DAY 5: Cloud Security Automation and Orchestration
On our final day, we’ll focus explicitly on how to automate security in the cloud, both with and without scripting techniques. We will use tools like the AWS CLI and AWS Lambda to illustrate the premises of automation, then turn our attention toward SecDevOps principles. We begin by explaining what that really means, and how security teams can best integrate into DevOps and cloud development and deployment practices. We’ll cover automation and orchestration tools like Ansible and Chef, as well as how we can develop better and more efficient workflows with AWS CloudFormation and other tools. Continuing some of the topics from day four, we will look at event-driven detection and event management, as well as response and defense strategies that work. While we won’t automate everything, some actions and scenarios really lend themselves to monitoring tools like CloudWatch, tagging assets for identification in security processes, and initiating automated response and remediation to varying degrees. We wrap up the class with a few more tools and tactics, followed by a sampling of real-world use cases.
Topics: Scripting and Automation in the Cloud; SecDevOps Principles; Creating Secure Cloud Workflows; Building Automated Event Management; Building Automated Defensive Strategies; Tools and Tactics; Real-World Use Cases; Class Wrap-Up
SEC555: SIEM with Tactical Analytics
GCDA Detection Analyst  [Link]/gcda

6 Day Program  46 CPEs  Laptop Required

Many organizations have logging capabilities but lack the people and processes to analyze them. In addition, logging systems collect vast amounts of data from a variety of data sources that require an understanding of the sources for proper analysis. This class is designed to provide students with the training, methods, and processes to enhance existing logging solutions. This class will also help you understand the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free Security Information and Event Management (SIEM) solution, to provide hands-on experience and the mindset for large-scale data analysis.

Today, security operations do not suffer from a “Big Data” problem but rather a “Data Analysis” problem. Let’s face it, there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight into the information collected. Added to that is the daunting idea of an infinite list of systems from which one could collect logs. It is easy to get lost in the perils of data saturation. This class moves away from the typical churn-and-burn log systems and moves instead towards achieving actionable intelligence and developing a tactical Security Operations Center (SOC).

This course is designed to demystify the SIEM architecture and process by navigating the student through the steps of tailoring and deploying a SIEM to full SOC integration. The material will cover many bases in the “appropriate” use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once the information is collected, the student will be shown how to present the gathered input into usable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, how to start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but also how to automate many of the processes mentioned so students can employ these tasks the day they return to the office.

The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real-world results and visualizations.

You Will Be Able To
• Deploy the SANS SOF-ELK VM in production environments
• Demonstrate ways most SIEMs commonly lag current open-source solutions (e.g., SOF-ELK)
• Get up to speed on SIEM use, architecture, and best practices
• Know what type of data sources to collect logs from
• Deploy a scalable logs solution with multiple ways to retrieve logs
• Operationalize ordinary logs into tactical data
• Develop methods to handle billions of logs from many disparate data sources
• Understand best practice methods for collecting logs
• Dig into log manipulation techniques challenging many SIEM solutions
• Build out graphs and tables that can be used to detect adversary activities and abnormalities
• Combine data into active dashboards that make analyst review more tactical
• Utilize adversary techniques against them by using frequency analysis in large data sets
• Develop baselines of network activity based on users and devices
• Develop baselines of Windows systems with the ability to detect changes from the baseline
• Apply multiple forms of analysis such as long tail analysis to find abnormalities
• Correlate and combine multiple data sources to achieve more complete understanding
• Provide context to standard alerts to help understand and prioritize them

“This course uses real-world events and hands-on training to allow me to immediately improve my organization’s security stance. Day 1 back in the office, I was implementing what I learned.”
-Frank Giachino, Bechtel Corp.

SEC555 is available via (subject to change):

Featured Training Events
SANSFIRE  Washington, DC  Jul 16-21
New York City Summer  New York City, NY  Aug 13-18
Chicago  Chicago, IL  Aug 20-25
Virginia Beach  Virginia Beach, VA  Aug 26-31
Network Security  Las Vegas, NV  Sep 23-28
Denver  Denver, CO  Oct 15-20
San Diego Fall  San Diego, CA  Nov 12-17
CDI  Washington, DC  Dec 13-18

Summit Events
Security Operations  New Orleans, LA  Jul 30 - Aug 6

Simulcast
Online Training  Nov 12-17

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.
Course Day
Descriptions

DAY 1: SIEM Architecture and SOF-ELK DAY 2: Service Profiling with SIEM Who Should Attend
This section will introduce free logging and analysis tools This section covers how to collect and handle this ▐▐ Security analysts
and focus on techniques to make sense of and augment massive amount of data. Methods for collecting these
traditional logs. It also covers how to handle the big data logs through service logs such as from DNS servers
▐▐ Security architects
problem of handling billions of logs and how advances in will be covered, as will be passive ways of pulling the ▐▐ Senior security engineers
free tools are starting to give commercial solutions a run same data from the network itself. Techniques will be
for their money. Day one is designed to bring all students demonstrated to augment and add valuable context
▐▐ Technical security managers
up to speed on SIEM concepts and to bring all students to to the data as they are collected. Finally, analytical ▐▐ Security Operations Center
a base level to carry them through the rest of the class. It principles will be covered for finding the needles in the analysts, engineers, and
is designed to also cover SIEM best practices. During day stack of needles. We will cover how, even if we have managers
one we will be introducing Elasticsearch, Logstash, and the problem of searching through billions of logs, we
Kibana within SOF-ELK and immediately go into labs to get can surface only meaningful items of interest. Active ▐▐ CND analysts
students comfortable with ingesting, manipulating, and dashboards will be designed to quickly find the logs of ▐▐ Security monitoring specialists
reporting on log data. interest and to provide analysts with additional context
for what to do next. ▐▐ System administrators
Topics: State of the SOC/SIEM; Log Monitoring; Logging
Architecture; SIEM Platforms; Planning a SIEM; SIEM Topics: Detection Methods and Relevance to Log ▐▐ Cyber threat investigators
Architecture; Ingestion Techniques and Nodes; Data Analysis; Analyzing Common Application Logs that ▐▐ Individuals working to
Queuing and Resiliency; Storage and Speed; Analytical Generate Tremendous Amounts of Data; Apply
implement Continuous
Reporting Threat Intelligence to Generic Network Logs; Active
Security Monitoring
Dashboards and Visualizations
▐▐ Individuals working in a hunt
team capacity
DAY 3: Advanced Endpoint Analytics DAY 4: Baselining and User Behavior
The value in endpoint logs provides tremendous Monitoring
visibility in detecting attacks. In particular, with regard
This section focuses on applying techniques to
to finding post-compromise activity, endpoint logs can
automatically maintain a list of assets and their
quickly become second to none. However, logs even on a
configurations as well as methods to distinguish if
single desktop can range in the tens if not hundreds of
they are authorized or unauthorized. Key locations
thousands of events per day. Multiply this by the number
to provide high-fidelity data will be covered and
of systems in your environment and it is no surprise that
techniques to correlate and combine multiple sources
organizations get overwhelmed. This section will cover
of data together will be demonstrated to build a master
the how and more importantly the why behind collecting
inventory list. Other forms of knowing thyself will be
system logs. Various collection strategies and tools will
introduced such as gaining hands-on experience in
be used to gain hands-on experience and to provide
applying network and system baselining techniques.
simplification with handling and filtering the seemingly
We will monitor network flows and identify abnormal
infinite amount of data generated by both servers and
activity such as C2 beaconing as well as look for
workstations. Workstation log strategies will be covered in
unusual user activity. Finally, we will apply large data
depth due to their value in today’s modern attack vectors.
analysis techniques to sift through massive amounts
After all, modern-day attacks typically start and then
of endpoint data. This will be used to find things such
spread from workstations.
as unwanted persistence mechanisms, dual-homed
Topics: Endpoint Logs devices, and more.
Topics: Identify Authorized and Unauthorized Assets;
Identify Authorized and Unauthorized Software; “The immediate value
Baseline Data

DAY 5: Tactical SIEM Detection and Post-Mortem Analysis
This section focuses on combining multiple security logs for central analysis. More importantly, we will cover methods for combining multiple sources to provide improved context to analysts. We will also show how providing context with asset data can help prioritize analyst time, saving money and addressing the risks that matter. After covering ways to optimize traditional alerts, we will jump into new methods that use logging technology to implement virtual tripwires. While it would be ideal to prevent attackers from gaining access to your network, it is a given that at some point you will be compromised; preventing compromise is the beginning, not the end goal. Adversaries will crawl your systems and network to achieve their own ends. Knowing this, we will implement logging-based tripwires, and if a single one is stepped on we can quickly detect it and respond to the adversary.
Topics: Centralize NIDS and HIDS Alerts; Analyze Endpoint Security Logs; Augment Intrusion Detection Alerts; Analyze Vulnerability Information; Correlate Malware Sandbox Logs with Other Systems to Identify Victims Across the Enterprise; Monitor Firewall Activity; SIEM Tripwires; Post-Mortem Analysis

DAY 6: Capstone: Design, Detect, Defend
The course culminates in a team-based design, detect, and defend-the-flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted all week long. From building a logging architecture to augmenting logs, analyzing network logs, analyzing system logs, and developing dashboards to find attacks, this challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.
Topics: Defend-the-Flag Challenge – Hands-on Experience

“…of the SEC555 course material is unlike any course or training I’ve received. A++.”
-David Savercool, Dart Container
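The Day 5 description above explains logging-based tripwires and asset-context prioritization without showing what one looks like in practice. The following is an added example written for this page, not SEC555 course material: it seeds three kinds of tripwire (a decoy account, a decoy file on a real share, and a decoy host), runs a handful of constructed key=value log lines through them, and ranks any hits by the criticality of the source asset. The log format, tripwire names, IP addresses and the asset inventory are all assumptions made up for the demo.

```python
"""Logging-based SIEM tripwires with asset context.

Added example for this page, not SEC555 course material. The key=value log
format, the tripwire names and the asset inventory are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed tripwires: nothing legitimate should ever touch these.
HONEY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}     # decoy accounts seeded in the directory
HONEY_PATHS = {r"\\fs01\finance\payroll_2017.xlsx"}      # decoy file placed on a real share
HONEY_HOSTS = {"10.10.5.250"}                            # decoy host with no business function

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewels).
ASSETS = {
    "10.10.1.15": {"name": "ws-finance-03", "criticality": 3},
    "10.10.2.20": {"name": "db-erp-01", "criticality": 5},
    "10.10.5.250": {"name": "decoy-fileserver", "criticality": 1},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse 'key=value key="quoted value"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Alert:
    tripwire: str
    src: str
    asset: str
    priority: int
    detail: str


def check_tripwires(event):
    """Return (tripwire, detail) pairs tripped by one parsed event; normally empty."""
    hits = []
    user = event.get("user", "").lower()
    if user in HONEY_ACCOUNTS:
        hits.append(("honey-account", f"logon attempt as decoy account {user}"))
    if event.get("path") in HONEY_PATHS:
        hits.append(("honey-file", f"access to decoy file {event['path']}"))
    if event.get("dst") in HONEY_HOSTS:
        hits.append(("honey-host",
                     f"connection to decoy host {event['dst']} port {event.get('dport', '?')}"))
    return hits


def run(lines):
    """Evaluate every log line and return alerts, most critical source asset first."""
    alerts = []
    for line in lines:
        event = parse_kv(line)
        src = event.get("src", "unknown")
        asset = ASSETS.get(src, {"name": "unknown", "criticality": 2})
        for tripwire, detail in check_tripwires(event):
            alerts.append(Alert(tripwire, src, asset["name"], asset["criticality"], detail))
    # A tripwire hit originating from a high-value host means that host is already in adversary hands.
    return sorted(alerts, key=lambda a: -a.priority)


# Constructed sample events; only three of them should alert.
SAMPLE_LOGS = [
    'ts=2018-03-05T09:12:01Z type=logon src=10.10.1.15 user=jsmith result=success',
    'ts=2018-03-05T09:14:22Z type=logon src=10.10.1.15 user=svc_backup_old result=failure',
    'ts=2018-03-05T09:15:03Z type=fileaccess src=10.10.1.15 user=jsmith path="\\\\fs01\\finance\\payroll_2017.xlsx"',
    'ts=2018-03-05T09:16:40Z type=fw src=10.10.2.20 dst=10.10.5.250 dport=445 action=allow',
    'ts=2018-03-05T09:20:00Z type=logon src=10.10.3.7 user=asmith result=success',
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(f"[P{a.priority}] {a.tripwire:14} src={a.src} ({a.asset}): {a.detail}")
```

The point of the ordering is the one the Day 5 text makes: a decoy touched from the ERP database server outranks the same decoy touched from a finance workstation, because the more critical host is the one that has evidently been compromised. A real deployment would pull the tripwire lists and asset inventory from a CMDB rather than hard-coding them.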

SEC579: Virtualization and Software-Defined Security
5 Day Program | 30 CPEs | Laptop Required

One of today’s most rapidly evolving and widely deployed technologies is server virtualization. SEC579: Virtualization and Software-Defined Security is intended to help security, IT operations, and audit and compliance professionals build, defend, and properly assess both virtual and converged infrastructures, as well as understand software-defined networking and infrastructure security risks.

Many organizations are already realizing cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management of virtualized systems. More and more organizations are deploying desktop, application, and network virtualization as well. There are even security benefits of virtualization: easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructure.

With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits, and it presents new vulnerabilities that must be managed. There are also a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks, and require careful planning with regard to access controls, user permissions, and traditional security controls.

In addition, many organizations are evolving virtualized infrastructure into private clouds using converged infrastructure that employs software-defined tools and programmable stack layers to control large, complex data centers. Security architecture, policies, and processes will need to be adapted to work within a converged infrastructure, and there are many changes that security and operations teams will need to accommodate to ensure that assets are protected.

This course will cover core operational functions like secure network design and segmentation, building secure systems, and secure virtualization implementation and controls. Cutting-edge topics like software-defined networking and container technology will also be covered in detail with an emphasis on security techniques and controls. Security-focused virtualization, integration, and monitoring will be covered at length. Attacks and threats to virtual environments will be discussed, and students will learn how to perform vulnerability assessments and penetration tests in their virtual environments. We’ll also look at how to implement network intrusion detection and access controls, implement log and event management, and perform forensics and incident handling in virtual and converged data centers. Finally, students will learn how to perform technical audits and assessments of their in-house and public cloud environments, creating reports and documenting technical controls. This instruction will heavily emphasize automation and scripting techniques.

You Will Be Able To
• Lock down and maintain a secure configuration for all components of a virtualization environment
• Design a secure virtual network architecture
• Evaluate virtual firewalls, intrusion detection and prevention systems, and other security infrastructure
• Evaluate security for converged and software-defined environments
• Perform vulnerability assessments and penetration tests in virtual and private cloud environments, and acquire forensic evidence
• Perform audits and risk assessments within a virtual or private cloud environment

Who Should Attend
• Security personnel who are tasked with securing virtualization and private cloud infrastructure
• Network and systems administrators who need to understand how to architect, secure and maintain virtualization and cloud technologies
• Technical auditors and consultants who need to gain a deeper understanding of VMware virtualization from a security and compliance perspective

“SEC579 actually provides pertinent information outside what is freely available and is applicable to securing my organization’s virtual infrastructure.”
-David Richardson, ManTech

SEC579 is available via (subject to change):

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Core Concepts of Virtualization Security
The first day of class will cover the foundations of virtualization infrastructure and different types of technology. We will define and clarify the differences between server, desktop, application, and storage virtualization, and we will lay out a simple architecture overview that sets the stage for the rest of the day. Then we will dissect the various virtualization elements that make up the architecture one by one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We will start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer. We’ll look at virtual machine settings, with an emphasis on VMware VMX files. We’ll also cover some of the ways organizations can control access to and from these virtual machines.
Topics: Virtualization Components and Architecture Designs; Different Types of Virtualization, Ranging from Desktops to Servers and Applications; Hypervisor Lockdown Controls for VMware, Microsoft Hyper-V, and Citrix Xen; Virtual Machine Security Configuration Options, with a Focus on VMware VMX Files; Storage Security and Design Considerations; Locking Down Management Servers and Clients for vCenter, XenServer, and Microsoft SCVMM; Security Design Considerations for VDI

DAY 2: Virtualization and Software-Defined Security Architecture and Design
Day 2 starts with several topics that round out our discussions on virtualization and infrastructure components, delving into container technology and converged infrastructure platforms and tools (along with security considerations for both). We’ll then begin our discussion of virtualization and software-defined architecture and networking. We’ll cover design concepts and models, with deep discussion of benefits and drawbacks throughout. We’ll also cover network capabilities and models in virtual environments, with time devoted to virtual switches and other platforms, and look at how network security adapts to fit into a virtual infrastructure.
Topics: Container Technology Security Considerations; Converged Infrastructure Security Considerations; Defining “Software-Defined” Components and Architectural Models; Designing Security for Software-Defined Environments; Virtual Network Design Cases with Pros and Cons of Each; Virtual Switches and Port Groups, with Security Options Available; Commercial and Open-Source Virtual Switches Available, with Configuration Options; Segmentation Techniques, including VLANs and PVLANs; Software-Defined Networking and Architecture; Network Isolation and Access Control; Adapting Firewalls, IPS, Proxies, and More to Virtual Environments; Products and Capabilities Available Today

DAY 3: Virtualization Threats, Vulnerabilities, and Attacks
This session will delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are also many differences, which will be covered here.
Topics: Threats and Attack Research Related to Virtualization Infrastructure; Attack Models that Pertain to Virtualization and Cloud Environments; Threat Modeling for Virtualization and Software-Defined Technology; Specific Virtualization Platform Attacks and Exploits; Pen Testing Cycles with a Focus on Virtualization Attack Types; Password Attacks Against Virtualization and Software-Defined Platforms; How to Modify Vulnerability Management Processes and Scanning Configuration to Get the Best Results in Virtualized Environments; How to Use Attack Frameworks like VASTO to Exploit Virtualization Systems

DAY 4: Defending Virtualization and Software-Defined Technologies
This session is all about defense! We will start off with an analysis of anti-malware techniques, looking at traditional antivirus, whitelisting, and other tools and techniques to combat malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context. Then we will turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network. Numerous network-based and host-based tools will be covered and used in class. This topic will also be extended to the software-defined environment, with some special caveats to which all organizations should pay attention.
Topics: Data Protection in Virtual and Converged Environments; Identity and Access Management in Virtual and Software-Defined Environments; How to Implement Intrusion Detection Tools and Processes in a Virtual Environment; What Kinds of Logs and Logging are Most Critical for Identifying Attacks and Live Incidents in Virtual Environments?; How Anti-Malware Tools Function in Virtual Environments; How the Six-Step Incident Response Process can be Modified and Adapted to Work with Virtual Infrastructure; What Kinds of Incidents to Look for Within Virtual Environments, and What the Warning Signs are; Processes and Procedures to Build and Grow Incident Response Capabilities for Virtual Environments; How Forensics Processes and Tools Should be Used and Adapted for Virtual Systems; What Tools are Best to Get the Most Accurate Results from Virtual Machine System Analysis?; How to Most Effectively Capture Virtual Machines for Forensic Evidence Analysis; What Can Be Done to Analyze Hypervisor Platforms, and What Does the Future Hold for VM Forensics?

DAY 5: Virtualization Operations, Auditing, and Monitoring
Today’s session will start off with a lively discussion on virtualization assessment and auditing. You may be asking, how can you possibly make a discussion on auditing lively? Trust us! We will cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most critical information to take away from these guides and implement. Next, we’ll really put our money where our mouth is: students will learn to implement audit and assessment techniques by scripting with the VI CLI, as well as some general shell scripting. Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed and used in class to get students prepared for implementing these principles in their environments as soon as they get back to work.
Topics: Key Configuration Controls from the Leading DISA, CIS, VMware, and Microsoft Hardening Guides; Sound Configuration Management and Patching in Virtual Infrastructure; Scripting Techniques in VI CLI and PowerShell for Automating Audit and Assessment Processes; Sample Scripts that Help Implement Key Audit Functions; Automation and Orchestration with Puppet, Chef, ManageEngine, etc.; Full Hardening-Guide-Scripted Audit
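Day 5 above mentions implementing hardening-guide checks by script. As an added illustration (not one of the course’s ready-made scripts), the following Python audits a VMware VMX file against a short checklist drawn from the VMware vSphere hardening guide’s virtual-machine settings. The sample VMX is constructed; treat the expected values as assumptions and confirm them against the guide for your vSphere version before using the checklist in anger.

```python
"""Scripted audit of a VMware .vmx file against hardening-guide settings.

Added example; not one of the SEC579 course's ready-made scripts. The checklist
values follow the VMware vSphere hardening guide's VM settings as the author
understands them; confirm them against the guide for your vSphere version.
"""
import re
from dataclasses import dataclass

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

# (vmx key, expected value, rule): "eq" = case-insensitive match, "le" = numeric, at most expected
CHECKLIST = [
    ("isolation.tools.copy.disable", "TRUE", "eq"),
    ("isolation.tools.paste.disable", "TRUE", "eq"),
    ("isolation.tools.diskShrink.disable", "TRUE", "eq"),
    ("isolation.tools.diskWiper.disable", "TRUE", "eq"),
    ("isolation.device.connectable.disable", "TRUE", "eq"),
    ("isolation.device.edit.disable", "TRUE", "eq"),
    ("tools.guestlib.enableHostInfo", "FALSE", "eq"),
    ("RemoteDisplay.maxConnections", "1", "le"),
    ("log.rotateSize", "100000", "le"),
    ("log.keepOld", "10", "le"),
]


@dataclass
class Finding:
    key: str
    expected: str
    actual: str
    status: str  # "pass", "fail" or "missing"


def parse_vmx(text):
    """Parse 'key = "value"' lines; comments and malformed lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def _compliant(actual, expected, rule):
    if rule == "eq":
        return actual.strip().lower() == expected.lower()
    try:
        return int(actual) <= int(expected)   # "le"
    except ValueError:
        return False


def audit(settings):
    """Compare parsed settings with the checklist. An absent key is reported as
    'missing' because the hypervisor default then applies and must be reviewed."""
    findings = []
    for key, expected, rule in CHECKLIST:
        if key not in settings:
            findings.append(Finding(key, expected, "", "missing"))
            continue
        ok = _compliant(settings[key], expected, rule)
        findings.append(Finding(key, expected, settings[key], "pass" if ok else "fail"))
    return findings


def summarize(findings):
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample VMX for a DMZ web server; deliberately partly non-compliant.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "web-dmz-01"
scsi0:0.fileName = "web-dmz-01.vmdk"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.device.connectable.disable = "TRUE"
RemoteDisplay.maxConnections = "5"
log.rotateSize = "100000"
log.keepOld = "10"
tools.guestlib.enableHostInfo = "TRUE"
"""

if __name__ == "__main__":
    for f in audit(parse_vmx(SAMPLE_VMX)):
        print(f"{f.status:7} {f.key:40} expected={f.expected!r} actual={f.actual!r}")
```

Feeding the same `audit()` the advanced settings of every VM in a vCenter inventory (for example the output of PowerCLI’s `Get-AdvancedSetting` rather than files copied off datastores) turns this into the full hardening-guide-scripted audit the Day 5 topics list describes.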

SEC599: Defeating Advanced Adversaries – Purple Team Tactics and Kill Chain Defenses
GDAT: Defending Advanced Threats ([Link]/gdat)
6 Day Program | 36 CPEs | Laptop Required

You just got hired to help our virtual organization “SyncTechLabs” build out a cybersecurity capability. On your first day, your manager tells you: “We looked at some recent cybersecurity trend reports and we feel like we’ve lost the plot. Advanced persistent threats, ransomware, denial of service... We’re not even sure where to start!”

Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries – Purple Team Tactics and Kill Chain Defenses will provide an in-depth understanding of how current adversaries operate and arm you with the knowledge and expertise you need to detect and respond to today’s threats.

SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained: attack techniques are first explained in depth, after which effective security controls are introduced and implemented.

Course authors Erik Van Buggenhout and Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked “But how do I prevent this type of attack?” With more than 20 labs plus a full-day defend-the-flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real-world examples of how to prevent attacks.

Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization “SyncTechLabs” in our Day 1 exercises.

Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:
• How red and blue teams can improve collaboration, forming a true purple team
• How current advanced adversaries are breaching our defenses
• Security controls structured around the Kill Chain

In designing the course and its exercises, the authors went the extra mile to ensure that attendees “build” something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.

SEC599 will finish with a bang. During the Defend-the-Flag challenge on the final course day, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren’t slowing down, so what are you waiting for?

You Will Be Able To
• Understand how red and blue teams can effectively work together to form a true purple team
• Understand how recent high-profile attacks were delivered and how they could have been stopped
• Implement security controls throughout the different phases in the APT attack cycle to prevent, detect, and respond to attacks. We will define the following stages in the APT Attack Cycle:
  - Reconnaissance
  - Weaponization
  - Delivery
  - Exploitation
  - Installation
  - Command and control
  - Action on objectives
• Carry out a series of practical exercises:
  - Compromise a virtual organization to understand how attackers operate
  - Build your own mail sandbox solution to detect spear phishing
  - Develop effective group policies to prevent script execution and stop malicious code execution
  - Stop 0-day exploits using exploit mitigation techniques and application whitelisting
  - Detect and avoid malware persistence using host-based IDS techniques
  - Detect and prevent lateral movement through Sysmon, Windows event monitoring, and group policies
  - Block and detect command and control through network analysis
  - Manage, share & operationalize threat intelligence using MISP, a threat information sharing platform

SEC599 is available via (subject to change):

Featured Training Events
• SANSFIRE, Washington, DC, Jul 16-21
• Network Security, Las Vegas, NV, Sep 23-28
• San Diego Fall, San Diego, CA, Nov 12-17
• CDI, Washington, DC, Dec 13-18

Summit Events
• Security Operations, New Orleans, LA, Jul 30 - Aug 6

Course Day Descriptions

DAY 1: Knowing the Adversary, Knowing Yourself
Our six-day journey will start with an introduction to the purple team concept. What is it all about? Should you form another dedicated cybersecurity team? We will focus on how red and blue teams can be encouraged to form a strong feedback loop for maximum effect. We will explain how recent attacks operate through in-depth case studies and introduce the APT attack cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization “SyncTechLabs” during the day’s exercises. Once we understand how adversaries are operating, we will flip over to the blue side and explain how defenders can better understand their own environments, set up a fundamental detection capability, and understand their own “soft spots.”
Topics: Course Outline and Lab Set-up; Current Threat and Attack Landscape; Introducing the APT Attack Cycle; A Defensible Architecture and Environment; Preparation – Knowing Yourself

DAY 2: Averting Payload Delivery
Day 2 will cover how attackers take their first steps. How do they deliver their initial payload and what can defenders do about it? We will cover the most frequently used payload delivery mechanisms:
• Delivery through (spear-)phishing
• Delivery through removable media
• Delivery through the network (e.g., Server Message Block relays, Responder, etc.)
• Delivery through HTTP or HTTPS
As always, students will first learn how the adversaries are operating by simulating the attacks in our lab environment, after which they will implement security controls to prevent and detect these attacks. The courseware will cover technical controls, but will also touch upon “soft topics” such as security awareness.
Topics: End-User Security Awareness; Leveraging Suricata IDS/IPS; Stopping Delivery Through Removable Media; Stopping Delivery Through the Network; Stopping Delivery Through Email; Stopping Delivery Through HTTP(S)

DAY 3: Preventing Exploitation
On Day 3 we will explain how exploitation can be prevented. Attendees will gain an in-depth understanding of current exploitation tactics. We will introduce effective security controls to stop exploitation attempts dead in their tracks. Discussions will include:
• Operating system hardening
• Payload execution control (including application whitelisting and script control)
• Securing applications from the ground up by doing threat modeling and implementing compile-time controls
• Securing vulnerable applications by implementing exploit mitigation techniques
Topics: Operating System Hardening; Preventing Execution of Payloads; Securing Applications

DAY 4: Avoiding Installation, Foiling Command and Control, and Thwarting Lateral Movement
On Day 4 we will continue our journey in the Kill Chain, with a key focus on how malicious adversary persistence can be avoided, how command and control channels can be detected, and how lateral movement can be stopped. Topics to be discussed include:
• Principle of least privilege to prevent malware persistence
• Detecting malware persistence in user land
• Network monitoring to detect command and control
• Hardening Windows to prevent lateral movement
• Analyzing Windows event logs to detect ongoing lateral movement
Topics: Avoiding Installation; Foiling Command and Control; Thwarting Lateral Movement

DAY 5: Thwarting Exfiltration, Cyber Deception, and Incident Response
Day 5 focuses on stopping the adversary during the final stages of the attack:
• How can data exfiltration be detected and stopped?
• How can cyber deception be used to slow down and stop advanced adversaries?
• How can threat intelligence aid defenders in the APT Attack Cycle?
• How can defenders perform effective incident response?
As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.
Topics: Data Exfiltration; Cyber Deception Strategies; Patrolling Your Neighborhood; Leveraging Threat Intelligence; Incident Response

DAY 6: Advanced Persistent Threat Defender Capstone
The course culminates in a team-based Defend-the-Flag competition. Day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cybersecurity controls studied all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.
Topics: Applying Previously Covered Security Controls In-depth; Reconnaissance; Weaponization; Delivery; Exploitation; Installation; Command and Control; Action on Objectives

Who Should Attend
• Security architects
• Security engineers
• Technical security managers
• Security Operations Center analysts, engineers, and managers
• IT administrators
• Penetration testers who want to better understand how defensive controls work
• Individuals looking to better understand how persistent cyber adversaries operate and how the IT environment can be improved to better prevent, detect, and respond to incidents

“SEC599 gives really good background about adversary behavior and the steps needed to detect it.”
-Tarot Wake, Halkyn Consulting Ltd
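Day 4 above lists analyzing Windows event logs and Sysmon to detect lateral movement. The following added example (not part of the SEC599 courseware) implements three such detections over a constructed set of events: a network logon (4624, logon type 3 or 10) followed within seconds by a service installation (7045) on the same host, one account fanning out to several hosts within ten minutes, and a Sysmon process-creation event (ID 1) for a service binary launched from outside the directories services normally run from. Event fields are simplified, and the hostnames, accounts and IP addresses are invented.

```python
"""Lateral-movement detections over Windows Security, System and Sysmon events.

Added example, not part of the SEC599 courseware. Events are simplified dicts
(log source, event ID and the few fields the rules need); the hosts, accounts
and addresses are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}      # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _is_network_logon(e):
    return e["source"] == "security" and e["id"] == 4624 and e.get("logon_type") in NETWORK_LOGON_TYPES


def detect_remote_service_install(events, window=timedelta(seconds=120)):
    """4624 network logon followed within `window` by a 7045 service install on the
    same host: the footprint of PsExec-style remote execution."""
    recent = defaultdict(list)             # host -> [(logon time, user, src_ip)]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if _is_network_logon(e):
            recent[e["host"]].append((_ts(e), e["user"], e["src_ip"]))
        elif e["source"] == "system" and e["id"] == 7045:
            for t, user, src in recent[e["host"]]:
                if timedelta(0) <= _ts(e) - t <= window:
                    alerts.append({"rule": "remote-service-install", "host": e["host"],
                                   "user": user, "src_ip": src, "service": e["service"]})
    return alerts


def detect_logon_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """One account from one source address reaching `min_hosts` distinct hosts
    inside `window`: credential reuse sweeping across the estate."""
    by_actor = defaultdict(list)           # (user, src_ip) -> [(time, host)]
    for e in filter(_is_network_logon, events):
        by_actor[(e["user"], e["src_ip"])].append((_ts(e), e["host"]))
    alerts = []
    for (user, src), items in by_actor.items():
        items.sort()
        for t0, _ in items:
            hosts = {h for t, h in items if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "logon-fan-out", "user": user, "src_ip": src,
                               "hosts": sorted(hosts)})
                break                       # one alert per actor is enough
    return alerts


def detect_odd_service_binaries(events):
    """Sysmon event 1 (process create) whose parent is services.exe but whose image
    lives outside the directories services normally run from."""
    alerts = []
    for e in events:
        if e["source"] == "sysmon" and e["id"] == 1 and e["parent"].lower().endswith("\\services.exe"):
            if not e["image"].lower().startswith(TRUSTED_SERVICE_DIRS):
                alerts.append({"rule": "service-binary-outside-trusted-dirs",
                               "host": e["host"], "image": e["image"]})
    return alerts


def run_all(events):
    return (detect_remote_service_install(events)
            + detect_logon_fanout(events)
            + detect_odd_service_binaries(events))


# Constructed events: a workstation (10.10.1.15) uses svc_deploy to PsExec into a
# file server and then sweeps two more servers; the backup-agent logon and the
# later agent install are benign noise the rules should ignore.
SAMPLE_EVENTS = [
    {"ts": "2018-03-05T10:00:05", "source": "security", "id": 4624, "host": "WS-FIN-03",
     "user": "jsmith", "logon_type": 2, "src_ip": "-"},
    {"ts": "2018-03-05T10:05:12", "source": "security", "id": 4624, "host": "SRV-FILE-01",
     "user": "svc_deploy", "logon_type": 3, "src_ip": "10.10.1.15"},
    {"ts": "2018-03-05T10:05:14", "source": "system", "id": 7045, "host": "SRV-FILE-01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2018-03-05T10:05:15", "source": "sysmon", "id": 1, "host": "SRV-FILE-01",
     "image": "C:\\Windows\\PSEXESVC.exe", "parent": "C:\\Windows\\System32\\services.exe"},
    {"ts": "2018-03-05T10:07:40", "source": "security", "id": 4624, "host": "SRV-DB-02",
     "user": "svc_deploy", "logon_type": 3, "src_ip": "10.10.1.15"},
    {"ts": "2018-03-05T10:08:01", "source": "security", "id": 4624, "host": "SRV-APP-07",
     "user": "svc_deploy", "logon_type": 3, "src_ip": "10.10.1.15"},
    {"ts": "2018-03-05T10:30:00", "source": "security", "id": 4624, "host": "SRV-FILE-01",
     "user": "backupsvc", "logon_type": 3, "src_ip": "10.10.9.9"},
    {"ts": "2018-03-05T10:30:02", "source": "sysmon", "id": 1, "host": "SRV-FILE-01",
     "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"},
    {"ts": "2018-03-05T11:00:00", "source": "system", "id": 7045, "host": "SRV-FILE-01",
     "service": "Tanium Client", "image": "C:\\Program Files (x86)\\Tanium\\TaniumClient.exe"},
]

if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(a)
```

The windows and thresholds are the tuning knobs: deployment tooling and vulnerability scanners legitimately fan out and install services, so in production each rule needs an allow-list of service accounts and jump hosts, which is exactly the group-policy and account-hygiene work the Day 4 topics pair with the detection.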

SEC560: Network Penetration Testing and Ethical Hacking
GPEN: Penetration Tester ([Link]/gpen)
6 Day Program | 37 CPEs | Laptop Required

As a cybersecurity professional, you have a unique responsibility to find and understand your organization’s vulnerabilities, and to work diligently to mitigate them before the bad guys pounce. Are you ready? SANS SEC560, our flagship course for penetration testing, fully arms you to address this task head-on.

SEC560 is the must-have course for every well-rounded security professional. With comprehensive coverage of tools, techniques, and methodologies for network penetration testing, SEC560 truly prepares you to conduct high-value penetration testing projects step-by-step and end-to-end. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, and web app manipulation, with more than 30 detailed hands-on labs throughout. The course is chock-full of practical, real-world tips from some of the world’s best penetration testers to help you do your job safely, efficiently… and masterfully.

Learn the best ways to test your own systems before the bad guys attack. SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test – and on the last day of the course you’ll do just that. After building your skills in comprehensive and challenging labs over five days, the course culminates with a final full-day, real-world penetration test scenario. You’ll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization, demonstrating the knowledge you’ve mastered in this course.

You will bring comprehensive penetration testing and ethical hacking know-how back to your organization. You will learn how to perform detailed reconnaissance, studying a target’s infrastructure by mining blogs, search engines, social networking sites, and other Internet and intranet infrastructures. Our hands-on labs will equip you to scan target networks using best-of-breed tools. We won’t just cover run-of-the-mill options and configurations, we’ll also go over the lesser known but super-useful capabilities of the best pen test toolsets available today. After scanning, you’ll learn dozens of methods for exploiting target systems to gain access and measure real business risk. You’ll dive deep into post-exploitation, password attacks, and web apps, pivoting through the target environment to model the attacks of real-world bad guys to emphasize the importance of defense in depth.

You Will Be Able To
• Develop tailored scoping and rules of engagement for penetration testing projects to ensure the work is focused, well defined, and conducted in a safe manner
• Conduct detailed reconnaissance using document metadata, search engines, and other publicly available information sources to build a technical and organizational understanding of the target environment
• Utilize a scanning tool such as Nmap to conduct comprehensive network sweeps, port scans, OS fingerprinting, and version scanning to develop a map of target environments
• Choose and properly execute Nmap Scripting Engine scripts to extract detailed information from target systems
• Configure and launch a vulnerability scanner such as Nessus so that it safely discovers vulnerabilities through both authenticated and unauthenticated scans, and customize the output from such tools to represent the business risk to the organization
• Analyze the output of scanning tools to eliminate false positives with tools including Netcat and Scapy
• Utilize the Windows PowerShell and Linux bash command lines during post-exploitation to plunder target systems for vital information that can further overall penetration test progress, establish pivots for deeper compromise, and help determine business risks
• Configure an exploitation tool such as Metasploit to scan, exploit, and then pivot through a target environment

Who Should Attend
• Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities
• Penetration testers
• Ethical hackers
• Defenders who want to better understand offensive methodologies, tools, and techniques
• Auditors who need to build deeper technical skills
• Red and blue team members
• Forensics specialists who want to better understand offensive tactics

“SEC560 provides practical, how-to material that I can use daily in my penetration testing activities – not only technically, but also from a business perspective.”
-Steve Nolan, General Dynamics
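The bullets above describe using Nmap to map a target environment and then weeding out false positives before reporting. As an added example (not SEC560 lab material), the following Python parses Nmap’s `-oX` XML output into a host inventory and flags services whose name came from Nmap’s port table rather than from a version probe, i.e. the findings most worth confirming by hand with Netcat or Scapy before they reach a report. The scan XML is constructed for the example and the hosts in it do not exist.

```python
"""Nmap XML (-oX) to host inventory, with unverified service names flagged.

Added example, not SEC560 lab material. The scan XML below is constructed and
the addresses in it are not real targets.
"""
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text):
    """Return a list of live hosts, each with ip, hostname, OS guess and open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                       # down/unresponsive hosts are not attack surface
        addr = h.find("address[@addrtype='ipv4']")
        hostname = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")     # Nmap lists OS matches best-first
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue                   # filtered/closed ports go in the notes, not the inventory
            svc = p.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": attrs.get("name", ""),
                "product": " ".join(filter(None, [attrs.get("product"), attrs.get("version")])),
                # "probed" = confirmed by a version probe; "table" = guessed from nmap-services
                "method": attrs.get("method", "none"),
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else "",
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "ports": ports,
        })
    return hosts


def unverified_services(hosts):
    """Open ports whose service name is only a port-table guess: confirm these by
    hand (netcat banner grab, crafted Scapy probe) before they become a finding."""
    return [(h["ip"], p["port"], p["name"])
            for h in hosts for p in h["ports"] if p["method"] != "probed"]


def hosts_with_service(hosts, name_fragment):
    """Pick targets for the next phase, e.g. every host exposing SMB."""
    return sorted(h["ip"] for h in hosts
                  if any(name_fragment in p["name"] for p in h["ports"]))


# Constructed scan output in Nmap's XML schema; one Windows DC, one Linux web host, one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.1.0/24" version="7.70">
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.1.10" addrtype="ipv4"/>
<hostnames><hostname name="dc01.corp.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="88"><state state="open" reason="syn-ack"/>
<service name="kerberos-sec" product="Microsoft Windows Kerberos" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/>
<service name="ms-wbt-server" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2012 R2" accuracy="96"/></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.1.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for h in inventory:
        print(h["ip"], h["hostname"] or "-", h["os"] or "-", [p["port"] for p in h["ports"]])
    print("verify by hand:", unverified_services(inventory))
```

Nmap sets `method="table"` when it could not elicit a recognizable banner and fell back to the nmap-services port-to-name table, so a name like `http-proxy` on 8080 is a hypothesis, not evidence; a quick `nc -v host 8080` and a crafted request settles it, and only then does the port get a service name in the report.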

SEC560 is available via (subject to change):

Featured Training Events
• SANSFIRE, Washington, DC, Jul 16-21
• San Antonio, San Antonio, TX, Aug 6-11
• New York City Summer, New York City, NY, Aug 13-18
• Virginia Beach, Virginia Beach, VA, Aug 26-31
• Chicago, Chicago, IL, Aug 20-25
• Baltimore Fall, Baltimore, MD, Sep 10-15
• Network Security, Las Vegas, NV, Sep 23-28
• Denver, Denver, CO, Oct 15-20
• Seattle Fall, Seattle, WA, Oct 15-20
• Houston, Houston, TX, Oct 29 - Nov 3
• Dallas Fall, Dallas, TX, Nov 5-10
• San Francisco Fall, San Francisco, CA, Nov 26 - Dec 1
• Nashville, Nashville, TN, Dec 3-8
• Santa Monica, Santa Monica, CA, Dec 3-8
• CDI, Washington, DC, Dec 13-18

Course Day Descriptions

DAY 1: Comprehensive Pen Test Planning, Scoping, DAY 2: In-Depth Scanning


and Recon We next focus on the vital task of mapping the target environment’s attack
surface by creating a comprehensive inventory of machines, accounts, and
In this section of the course, you will develop the skills needed to conduct a
potential vulnerabilities. We will look at some of the most useful scanning
best-of-breed, high-value penetration test. We will go in-depth on how to build
tools freely available today and run them in numerous hands-on labs to help
penetration testing infrastructure that includes all the hardware, software,
hammer home the most effective way to use each tool. We will also conduct
network infrastructure, and tools you will need to conduct great penetration
a deep dive into some of the most useful tools available to pen testers
tests, with specific low-cost recommendations for your arsenal. We will then
today for formulating packets: Scapy and Netcat. We finish the day covering
cover formulating a pen test scope and rules of engagement that will set you
vital techniques for false-positive reduction so you can focus your findings
up for success, including a role-play exercise. We’ll also dig deep into the
on meaningful results and avoid the sting of a false positive. And we will
reconnaissance portion of a penetration test, covering the latest tools and
examine the best ways to conduct your scans safely and efficiently.
techniques, including hands-on document metadata analysis to pull sensitive
information about a target environment, as well as a lab using Recon-ng to Topics: Tips for Awesome Scanning; Tcpdump for the Pen Tester; Nmap
plunder a target’s DNS infrastructure for information such as the anti-virus In-Depth; Version Scanning with Nmap; Vulnerability Scanning with Nessus;
tools the organization relies on. False-Positive Reduction; Packet Manipulation with Scapy; Enumerating Users;
Netcat for the Pen Tester; Monitoring Services During a Scan
Topics: The Mindset of the Professional Pen Tester; Building a World-Class
Pen Test Infrastructure; Creating Effective Pen Test Scopes and Rules of
Engagement; Detailed Recon Using the Latest Tools; Effective Pen Test DAY 4: Post-Exploitation and Merciless Pivoting
Reporting to Maximize Impact; Mining Search Engine Results; Document
This section of the course zooms in on pillaging target environments and
Metadata Extraction and Analysis
building formidable hands-on command line skills. We’ll cover Windows
command line skills in-depth, including PowerShell’s awesome abilities for
DAY 3: Exploitation post-exploitation. We’ll see how we can leverage malicious services and the
In this section, we look at the many kinds of exploits that penetration testers incredible WMIC toolset to access and pivot through a target organization.
use to compromise target machines, including client-side exploits, service- We’ll then turn our attention to password guessing attacks, discussing
side exploits, and local privilege escalation. We’ll see how these exploits are how to avoid account lockout, as well as numerous options for plundering
packaged in frameworks like Metasploit and its mighty Meterpreter. You’ll learn password hashes from target machines including the great Mimikatz Kiwi tool.
in-depth how to leverage Metasploit and the Meterpreter to compromise target Finally, we’ll look at Metasploit’s fantastic features for pivoting, including the
environments. We’ll also analyze the topic of anti-virus evasion to bypass msfconsole route command.
the target organization’s security measures, as well as methods for pivoting Topics: Windows Command Line Kung Fu for Penetration Testers; PowerShell’s
through target environments, all with a focus on determining the true business Amazing Post-Exploitation Capabilities; Password Attack Tips; Account Lockout
risk of the target organization. and Strategies for Avoiding It; Automated Password Guessing with THC-Hydra;
Topics: Comprehensive Metasploit Coverage with Exploits/Stagers/Stages; Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems;
Strategies and Tactics for Anti-Virus Evasion; In-Depth Meterpreter Analysis, Pivoting through Target Environments; Extracting Hashes and Passwords from
Hands-On; Implementing Port Forwarding Relays for Merciless Pivots; How to Memory with Mimikatz Kiwi
Leverage Shell Access of a Target Environment

DAY 5: In-Depth Password Attacks and Web App Pen Testing
In this section of the course, we'll go even deeper in exploiting one of the weakest aspects of most computing environments: passwords. You'll custom-compile John the Ripper to optimize its performance in cracking passwords. You'll look at the amazingly full-featured Cain tool, running it to crack sniffed Windows authentication messages. We'll see how Rainbow Tables really work to make password cracking much more efficient, all hands-on. And we'll cover powerful "pass-the-hash" attacks, leveraging Metasploit, the Meterpreter, and more. We then turn our attention to web application pen testing, covering the most powerful and common web app attack techniques with hands-on labs for every topic we address. We'll cover finding and exploiting cross-site scripting (XSS), cross-site request forgery (XSRF), command injection, and SQL injection flaws in applications such as online banking, blog sites, and more.
Topics: Password Cracking with John the Ripper; Sniffing and Cracking Windows Authentication Exchanges Using Cain; Using Rainbow Tables to Maximum Effectiveness; Pass-the-Hash Attacks with Metasploit and More; Finding and Exploiting Cross-Site Scripting; Cross-Site Request Forgery; SQL Injection; Leveraging SQL Injection to Perform Command Injection; Maximizing Effectiveness of Command Injection Testing

DAY 6: Penetration Test and Capture-the-Flag Workshop
This lively session represents the culmination of the network penetration testing and ethical hacking course. You'll apply all of the skills mastered in the course so far in a full-day, hands-on workshop during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll work with a team to achieve your goal of finding out whether the target organization's Personally Identifiable Information (PII) is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.
Topics: Applying Penetration Testing and Ethical Hacking Practices End-to-End; Scanning; Exploitation; Post-Exploitation; Merciless Pivoting; Analyzing Results

OnDemand
E-learning available anytime, anywhere, at your pace

Mentor
Fort Worth, TX Sep 11 - Nov 13

Events Simulcast
Online Training Jul 16-21
Online Training Sep 23-28

Summit Events
Alaska Anchorage, AK Sep 10-15
Pen Test HackFest Bethesda, MD Nov 14-19

vLive
Online Training Jul 24 - Aug 30

Private Training
All courses are available through Private Training.

SEC542: Web App Penetration Testing and Ethical Hacking
GWAPT: Web Application Penetration Tester ([Link]/gwapt)

6 Day Program | 36 CPEs | Laptop Required

Web applications play a vital role in every modern organization. However, if your organization doesn't properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

SEC542 helps students move beyond push-button scanning to professional, thorough, and high-value web application penetration testing.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, and major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

SEC542 enables students to assess a web application's security posture and convincingly demonstrate the impact of inadequate security that plagues most organizations.

In this course, students will come to understand major web application flaws and their exploitation. Most importantly, they'll learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations. Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. This course will help you demonstrate the true impact of web application flaws through exploitation.

In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn.

In addition to having more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range. This Capture-the-Flag event on the final day brings students into teams to apply their newly acquired command of web application penetration testing techniques in a fun way that hammers home lessons learned.

You Will Be Able To
- Apply a detailed, four-step methodology to your web application penetration tests: reconnaissance, mapping, discovery, and exploitation
- Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives
- Manually discover key web application flaws
- Use Python to create testing and exploitation scripts during a penetration test
- Discover and exploit SQL Injection flaws to determine true risk to the victim organization
- Create configurations and test payloads within other web attacks
- Fuzz potential inputs for injection attacks
- Explain the impact of exploitation of web application flaws
- Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and Burp Suite to find security issues within the client-side application code
- Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks
- Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application
- Perform a complete web penetration test during the Capture the Flag exercise to bring techniques and tools together into a comprehensive test

"SEC542 shows a hands-on way of doing web app penetration testing – not just how to use this tool, or that tool."
-Christopher J. Stover, Infogressive Inc.

SEC542 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-21
Boston Summer Boston, MA Aug 6-11
N VA – Alexandria Alexandria, VA Aug 13-18
Chicago Chicago, IL Aug 20-25
Virginia Beach Virginia Beach, VA Aug 20-25
San Francisco Summer San Francisco, CA Aug 26-31
Network Security Las Vegas, NV Sep 23-28
Seattle Fall Seattle, WA Oct 15-20
Austin Austin, TX Nov 26 - Dec 1
CDI Washington, DC Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Pen Test HackFest Bethesda, MD Nov 14-19

Course Day
Descriptions

DAY 1: Introduction and Information Gathering
Understanding the attacker's perspective is key to successful web application penetration testing. The course begins by thoroughly examining web technology, including protocols, languages, clients and server architectures, from the attacker's perspective. We will also examine different authentication systems, including Basic, Digest, Forms and Windows Integrated authentication, and discuss how servers use them and attackers abuse them.
Topics: Overview of the Web from a Penetration Tester's Perspective; Exploring the Various Servers and Clients; Discussion of the Various Web Architectures; Discovering How Session State Works; Discussion of the Different Types of Vulnerabilities; Defining a Web Application Test Scope and Process; Defining Types of Penetration Testing; Heartbleed Exploitation; Utilizing the Burp Suite in Web App Penetration Testing

DAY 2: Configuration, Identity, and Authentication Testing
The second day starts the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines that support our target application, and building a profile of each server, including the operating system, specific software and configuration. The discussion is underscored through several practical, hands-on labs in which we conduct reconnaissance against in-class targets.
Topics: Discovering the Infrastructure Within the Application; Identifying the Machines and Operating Systems; Secure Sockets Layer (SSL) Configurations and Weaknesses; Exploring Virtual Hosting and Its Impact on Testing; Learning Methods to Identify Load Balancers; Software Configuration Discovery; Exploring External Information Sources; Learning Tools to Spider a Website; Scripting to Automate Web Requests and Spidering; Brute Forcing Unlinked Files and Directories; Discovering and Exploiting Shellshock

Who Should Attend
- Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities
- Penetration testers
- Ethical hackers
- Defenders who want to better understand offensive methodologies, tools, and techniques
- Auditors who need to build deeper technical skills
- Red and blue team members
- Forensics specialists who want to better understand offensive tactics

DAY 3: Injection
This section continues to explore our methodology with the discovery phase. We will build on the information started the previous day, exploring methods to find and verify vulnerabilities within the application. Students will also begin to explore the interactions between the various vulnerabilities.
Topics: Python for Web App Penetration Testing; Web App Vulnerabilities and Manual Verification Techniques; Interception Proxies; Zed Attack Proxy (ZAP); Burp Suite; Information Leakage and Directory Browsing; Username Harvesting; Command Injection; Directory Traversal; SQL Injection; Blind SQL Injection; Local File Inclusion (LFI); Remote-File Inclusion (RFI); JavaScript for the Attacker

DAY 4: XXE and XSS
On day four, students continue exploring the discovery phase of the methodology. We cover methods to discover key vulnerabilities within web applications, such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/XSRF). Manual discovery methods are employed during hands-on labs.
Topics: XML External Entity (XXE); Cross-Site Scripting (XSS); Browser Exploitation Framework (BeEF); AJAX; XML and JSON; Document Object Model (DOM); Logic Attacks; API Attacks; Data Attacks

DAY 5: CSRF, Logic Flaws, and Advanced Tools
On the fifth day, we launch actual exploits against real-world applications, building on the previous three steps, expanding our foothold within the application, and extending it to the network on which it resides. As penetration testers, we specifically focus on ways to leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of the four-step attack methodology.
Topics: Metasploit for Web Penetration Testers; The sqlmap Tool; Exploring Methods to Zombify Browsers; Browser Exploitation Framework (BeEF); Walking Through an Entire Attack Scenario; Leveraging Attacks to Gain Access to the System; How to Pivot Our Attacks Through a Web Application; Understanding Methods of Interacting with a Server Through SQL Injection; Exploiting Applications to Steal Cookies; Executing Commands Through Web Application Vulnerabilities

DAY 6: Capture the Flag
On day six, students form teams and compete in a web application penetration testing tournament. This NetWars-powered Capture-the-Flag exercise provides students an opportunity to wield their newly developed or further-honed skills to answer questions, complete missions, and exfiltrate data, applying skills gained throughout the course. The style of challenge and integrated-hint system allows students of various skill levels to both enjoy a game environment and solidify the skills learned in class.

Mentor
Denver, CO Aug 23 - Oct 25
San Antonio, TX Oct 2 - Nov 20

Events Simulcast
Online Training Jul 16-21
Online Training Aug 13-18

Private Training
All courses are available through Private Training.

SEC460: Enterprise Threat and Vulnerability Assessment (NEW!)

6 Day Program | 36 CPEs | Laptop Required

Computer exploitation is on the rise. As advanced adversaries become more numerous, more capable, and much more destructive, organizations must become more effective at mitigating their information security risks at the enterprise scale. SEC460 is the premier course focused on building technical vulnerability assessment skills and techniques, while highlighting time-tested practical approaches to ensure true value across the enterprise. The course covers threat management, introduces the core components of comprehensive vulnerability assessment, and provides the hands-on instruction necessary to produce a vigorous defensive strategy from day one. The course is focused on equipping information security personnel from organizations charged with effectively and efficiently securing 10,000 or more systems.

SEC460 begins with an introduction to information security vulnerability assessment fundamentals, followed by in-depth coverage of the Vulnerability Assessment Framework. It then moves into the structural components of a dynamic and iterative information security program. Through a detailed, practical analysis of threat intelligence, modeling, and automation, students will learn the skills necessary to not only use the tools of the trade, but also to implement a transformational security vulnerability assessment program.

SEC460 will teach you how to use real industry-standard security tools for vulnerability assessment, management, and mitigation. It is the only course that teaches a holistic vulnerability assessment methodology while focusing on challenges faced in a large enterprise. You will learn on a full-scale enterprise range chock full of target machines representative of an enterprise environment, leveraging production-ready tools, and a proven testing methodology.

This course takes you beyond the checklist, giving you a tour of the attackers' perspective that is crucial to discovering where they will strike. Operators are more than the scanner they employ. SEC460 emphasizes this personnel-centric approach by examining the shortfalls of many vulnerability assessment programs in order to provide you with the tactics and techniques required to secure networks against even the most advanced intrusions.

We wrap up the first five days of instruction with a discussion of triage, remediation, and reporting before putting your skills to the test on the final day against an enterprise-grade cyber range with numerous target systems for you to analyze and explore. The cyber range is a large environment of servers, end-users, and networking gear that represents many of the systems and topologies used by enterprises. By adopting an end-to-end approach to vulnerability assessment, you can be confident that your skills will provide much-needed value in securing your medium- or large-scale organization.

You Will Be Able To
- Perform end-to-end vulnerability assessments
- Develop customized vulnerability discovery, management, and remediation plans
- Conduct threat intelligence gathering and analysis to create a tailored cybersecurity plan that integrates various attack and vulnerability modeling frameworks
- Implement a proven testing methodology using industry-leading tactics and techniques
- Adapt information security approaches to target real-world enterprise challenges
- Configure and manage vulnerability assessment tools to limit risk added to the environment by the tester
- Operate enumeration tools like Nmap, Masscan, Recon-ng, and WMI to identify network nodes, services, configurations, and vulnerabilities that an attacker could use as an opportunity for exploitation
- Conduct infrastructure vulnerability enumeration at scale across numerous network segments, in spite of divergent network infrastructure and nonstandard configurations
- Conduct web application vulnerability enumeration in enterprise environments while solving complex challenges resulting from scale
- Perform manual discovery and validation of cybersecurity vulnerabilities that can be extended to custom and unique applications and systems
- Manage large vulnerability datasets and perform risk calculation and scoring against organization-specific risks
- Implement vulnerability triage and prioritize mitigation
- Use high-end commercial software including Acunetix WVS and Rapid7 Nexpose (InsightVM) in the classroom range
- Craft custom PowerShell scripts to enhance your operations, gain increased insight, scale mitigation tactics, and outsource skills to less skilled team members

"SEC460 has provided me the knowledge to build a great vulnerability management/vulnerability assessment program that vendor courses couldn't provide."
-Eric Osmus, ConocoPhillips Company

SEC460 is available via (subject to change):

Featured Training Events
Pittsburgh Pittsburgh Jul 30 - Aug 4
San Francisco Summer San Francisco, CA Aug 26-31
Network Security Las Vegas, NV Sep 23-28
Austin Austin, TX Nov 26 - Dec 1
CDI Washington, DC Dec 13-18

Summit Events
Pen Test HackFest Bethesda, MD Nov 14-19

Simulcast
Online Training Sep 23-28

Course Day
Descriptions

DAY 1: Methodology, Planning, and Threat Modeling
In this section of the course, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.
Topics: Maximizing Value from Vulnerability Assessments and Programs; Setting Up for Success at Scale: Enterprise Architecture and Strategy; Developing Transformational Vulnerability Assessment Strategies; Performing Enterprise Threat Modeling; Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload; The Vulnerability Assessment Framework; Overview of Comprehensive Network Scanning; Compliance Standards and Information Security

DAY 2: Discovery
Having mastered the structural foundations of vulnerability management, we pivot to the realm of direct, tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment system.
Topics: Active and Passive Reconnaissance; Identification and Enumeration with DNS; DNS Zone Speculation and Dictionary-Enabled Discovery; Port Scanning with Nmap and Zenmap; Scanning Large-Scale Environments; Commonplace Services; Scanning the Network Perimeter and Engaging the DMZ; The Windows Domain: Exchange, SharePoint, and Active Directory; Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations; Trade-offs: Speed, Efficiency, Accuracy, and Thoroughness; Introduction to PowerShell

Who Should Attend
- Vulnerability assessors
- IT System administrators
- Security auditors
- Compliance professionals
- Penetration testers
- Vulnerability program managers
- Security analysts
- Security architects
- Senior security engineers
- Technical security managers

DAY 3: Enhanced Vulnerability Scanning and Automation
We begin day three by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components and gaining an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks. Later in the day, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.
Topics: Enhanced Vulnerability Scanning; Risk Assessment Matrices and Rating Systems; Quantitative Analysis Techniques Applied to Vulnerability Scoring; Performing Tailored Risk Calculation to Drive Triage; General Purpose vs. Application Specific Vulnerability Scanning; Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale; Scan Policies and Compliance Auditing; Performing Vulnerability Discovery with Open-Source and Commercial Appliances; Nmap Scripting Engine and OpenVAS; Testing for Insecure Cryptographic Implementations Including SSL; Assessing VOIP Environments; Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint; Evaluating Vulnerability Risk in Custom and Unique Systems including Web Applications; Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege; Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs; Manual Vulnerability Discovery Automated to Attain Maximal Efficacy

DAY 4: Vulnerability Validation, Triage, and Data Management
Over the course of this day we will tackle the next phase of our overarching testing methodology, vulnerability validation, while simultaneously confronting the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool for analyzing vulnerability data across an organization.
Topics: Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations; Manual Vulnerability Validation Targeting Enterprise Infrastructure; Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base; Managing Large Repositories of Vulnerability Data; Querying the Vulnerability Knowledge Base; Evaluating Vulnerability Risk in Custom and Unique Systems, including Web Applications; Triage: Assessing the Relative Importance of Vulnerabilities Against Strategic Risk

DAY 5: Remediation and Reporting
Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. Over the previous course modules we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this section of the course. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.
Topics: Team Operations and Collaboration; Security Operations Project Management Essentials; Transforming Triage Listing into the Vulnerability Remediation Plan; Developing the Cybersecurity Risk Sight Picture; Connecting Related Datasets and Framing the Narrative; Developing a Web of Network and Host Affiliations; Modeling Account Relationships on Active Directory Forests; Creating Effective Vulnerability Assessment Reports; Curbing the Vulnerability Lifecycle and Aspiring to Zero Hour; Closure: Be a Positive Influence in the Context of the Global Information Security Crisis

DAY 6: Vulnerability Assessment Foundry
In celebration of your diligence, curiosity, and mad new vulnerability skills, we welcome you to your final hands-on challenge to hammer home your capabilities. The guided scenario on this final course day is designed to test your mettle through trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge...and triumph! The scenario: An organization called "The Foundry" has engaged you to perform a vulnerability assessment of its environment. The organization is very aware of your particular set of vulnerability assessment skills, and treasures the insights it is certain you will provide to help secure the organization against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to help squash issues that would lead to a compromise of The Foundry's precious assets.
Topics: Tactical Employment of the Vulnerability Assessment Framework; Threat Modeling; Discovery; Vulnerability Scanning; Validation; Data Management and Triage

SEC573: Automating Information Security with Python
GPYC: Python Coder ([Link]/gpyc)

6 Day Program | 36 CPEs | Laptop Required

All security professionals, including penetration testers, forensics analysts, network defenders, security administrators, and incident responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen operating system has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold. Or you can write a tool yourself.

Perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Finally, what do you do when "off-the-shelf" tools and exploits fall short? As a penetration tester you need to evolve as quickly as the threats you are paid to emulate, so the answer is simple, if you have the skills: You write your own tool.

Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language that is designed to make automating tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SEC573: Automating Information Security with Python will have you creating programs to make your job easier and make you more efficient. This self-paced class starts from the very beginning assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the class. The self-paced style of the class will meet you where you are to let you get the most out of what is being taught. Beyond the essentials, we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object-oriented coding, and more.

This course is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you in automating the daily routine of today's information security professional, and in achieving more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Be Able To
- Develop forensics tools to carve artifacts from forensics evidence for which no other tool exists, or use third-party modules for well-known artifacts that hide evidence relevant to your investigations
- Create defensive tools to automate the analysis of log files and network packets using hunt team techniques to track down attackers in your network
- Implement custom whitelisting, blacklisting, signature detection, long-tail and short-tail analysis, and other data analysis techniques to find attacks overlooked by conventional methods
- Write penetration testing tools including several backdoors with features like process execution, upload and download payloads, port scanning and more
- Build essential tools that evade antivirus software and allow you to establish the required foothold inside your target
- Understand Python coding fundamentals required to automate common information security tasks. Language essentials like variables, loops, if-then-else, logic, file operations, command line arguments, and debugging are all covered assuming no prerequisite knowledge
- Tap into the wealth of existing Python modules to complete tasks using Regular Expressions, Database interactions with SQL, IP Networking, and Exception handling
- Interact with websites using Requests, Packet Analysis, Packet reassembly techniques, and much more

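The log-analysis techniques named in the outcomes above, signature detection alongside long-tail and short-tail frequency analysis over a web server log, can be shown end to end in Python. The block below is an added example written for this page; it is not SEC573 course material or pyWars code. The log lines are constructed, the combined-log regex and the two signatures are assumptions made for the demo, and the rarity thresholds are arbitrary.

```python
"""Added example: long-tail / short-tail analysis and signature detection
over a web server access log. Not SEC573 course material; the log lines
below are constructed and the signatures are a small demo set."""
import re
from collections import Counter

# Constructed sample log in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2018:10:01:03 +0000] "GET /about.html HTTP/1.1" 200 788 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jul/2018:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2018:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jul/2018:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 788 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jul/2018:10:02:40 +0000] "GET /login.php?user=admin'%20or%201=1-- HTTP/1.1" 200 301 "-" "sqlmap/1.2"
198.51.100.23 - - [12/Jul/2018:10:02:41 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210 "-" "sqlmap/1.2"
203.0.113.9 - - [12/Jul/2018:10:02:55 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "python-requests/2.18"
10.0.0.7 - - [12/Jul/2018:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 788 "-" "Mozilla/5.0"
"""

# Assumed layout: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Demo signatures (assumption: two patterns, not a production ruleset).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(?:%27|')(?:%20|\s)*or(?:%20|\s)+1=1|union(?:%20|\s)+select"),
    "traversal": re.compile(r"\.\./"),
}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def short_tail(records, field, top_n=3):
    """Most common values of `field`: the baseline of what normal traffic looks like."""
    return Counter(r[field] for r in records).most_common(top_n)


def long_tail(records, field, max_count=1):
    """Values of `field` seen at most `max_count` times, sorted. Rare values are
    where one-off attacker tooling and probes tend to show up."""
    counts = Counter(r[field] for r in records)
    return sorted((v, n) for v, n in counts.items() if n <= max_count)


def match_signatures(records):
    """(ip, path, signature name) for every request whose path hits a signature."""
    hits = []
    for r in records:
        for name, rx in SIGNATURES.items():
            if rx.search(r["path"]):
                hits.append((r["ip"], r["path"], name))
    return hits


def suspect_ips(records, rare_ua_max=2):
    """Sources that hit a signature OR used a long-tail user agent. The second
    test is what catches the scripted client that no signature matched."""
    flagged = {ip for ip, _, _ in match_signatures(records)}
    rare_uas = {ua for ua, _ in long_tail(records, "ua", max_count=rare_ua_max)}
    flagged |= {r["ip"] for r in records if r["ua"] in rare_uas}
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("baseline paths:", short_tail(recs, "path", 2))
    print("rare paths:", long_tail(recs, "path"))
    print("signature hits:", match_signatures(recs))
    print("suspect IPs:", suspect_ips(recs))
```

On the constructed input the signatures catch only the sqlmap source; the python-requests client that fetched robots.txt once is surfaced by the long-tail check on user agents, which is the point of running frequency analysis next to signatures rather than instead of them. In practice the thresholds are tuned to the volume of the log, and the "rare" set is reviewed by an analyst rather than blocked outright.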
"SEC573 is excellent. I went from having almost no Python coding ability to being able to write functional and useful programs."
-Caleb Jaren, Microsoft

SEC573 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-21
Virginia Beach Virginia Beach, VA Aug 20-25
Network Security Las Vegas, NV Sep 23-28

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Pen Test HackFest Bethesda, MD Nov 14-19

Community Events
Columbia, MD Sep 10-15

Simulcast
Online Training Jul 16-21
Online Training Sep 23-28

Course Day
Descriptions

DAY 1: Essentials Workshop with pyWars
The course begins with a brief introduction to Python and the pyWars Capture-the-Flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture-the-Flag challenges, students who are new to programming will start from the very beginning with Python essentials.
Topics: Python Syntax; Variables; Math Operators; Strings; Functions; Modules; Control Statements; Introspection

DAY 2: Essentials Workshop with MORE pyWars
You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and tricks to make you a better Python programmer and on how to debug your code.
Topics: Lists; Loops; Tuples; Dictionaries; The Python Debugger; Coding Tips, Tricks, and Shortcuts; System Arguments; ArgParser Module

DAY 3: Defensive Python
Day three includes in-depth coverage of how defenders can use Python automation as we cover Python modules and techniques that everyone can use. Forensicators and offensive security professionals will also learn essential skills they will apply to their craft. We will play the role of network defenders who need to find the attackers on their network. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltrate your data.
Topics: File Operations; Python Sets; Regular Expressions; Log Parsing; Data Analysis Tools and Techniques; Long Tail/Short Tail Analysis; Geolocation Acquisition; Blacklists and Whitelists; Packet Analysis; Packet Reassembly; Payload Extraction

DAY 4: Forensics Python
On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don’t do forensics you will find that these skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract those data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations such as SQL databases and interacting with web pages.
Topics: Acquiring Images from Disk, Memory, and the Network; File Carving; The STRUCT Module; Raw Network Sockets and Protocols; Image Forensics and PIL; SQL Queries; HTTP Communications with Python Built-In Libraries; Web Communications with the Requests Module

DAY 5: Offensive Python
On day five we play the role of penetration testers whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for incident response or systems administration, but our focus will be on offensive operations.
Topics: Network Socket Operations; Exception Handling; Process Execution; Blocking and Non-blocking Sockets; Asynchronous Operations; The Select Module; Python Objects; Argument Packing and Unpacking

DAY 6: Capture the Flag
In this final course section you will be placed on a team with other students. Working as a team, you will apply the skills you have mastered in a series of programming challenges. Participants will exercise the skills and code they have developed over the previous five days as they exploit vulnerable systems, break encryption cyphers, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

Who Should Attend
▐▐ Security professionals who benefit from automating routine tasks so they can focus on what’s most important
▐▐ Forensics analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
▐▐ Network defenders who sift through mountains of logs and packets to find evildoers in their networks
▐▐ Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
▐▐ Security professionals who want to evolve from security tool consumer to security solution provider

You Will Receive
▐▐ A virtual machine with sample code and working examples
▐▐ A copy of the book Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, which shows how to forge your own weapons using the Python programming language
▐▐ MP3 audio files of the complete course lecture

Private Training
All courses are available through Private Training.

SEC575: Mobile Device Security and Ethical Hacking
GMOB: Mobile Device Security Analyst
[Link]/gmob

6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
▐▐ Use jailbreak tools for Apple iOS and Android systems
▐▐ Conduct an analysis of iOS and Android filesystem data to plunder compromised devices and extract sensitive mobile device use information
▐▐ Analyze Apple iOS and Android applications with reverse-engineering tools
▐▐ Change the functionality of Android and iOS apps to defeat anti-jailbreaking or circumvent in-app purchase requirements
▐▐ Conduct an automated security assessment of mobile applications
▐▐ Use wireless network analysis tools to identify and exploit wireless networks used by mobile devices
▐▐ Intercept and manipulate mobile device network activity
▐▐ Leverage mobile-device-specific exploit frameworks to gain unauthorized access to target devices
▐▐ Manipulate the behavior of mobile applications to bypass security restrictions

Who Should Attend
▐▐ Penetration testers
▐▐ Ethical hackers
▐▐ Auditors who need to build deeper technical skills
▐▐ Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
▐▐ Network and system administrators supporting mobile phones and tablets

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves from place to place regularly, stores highly sensitive and critical data, and sports numerous different wireless technologies all ripe for attack. Such a surface already exists today: mobile devices. These devices are the biggest attack surface in most organizations, yet these same organizations often don’t have the skills needed to assess them.

SEC575 NOW COVERS ANDROID OREO and iOS 11

SEC575: Mobile Device Security and Ethical Hacking is designed to give you the skills you need to understand the security strengths and weaknesses in Apple iOS and Android devices. Mobile devices are no longer a convenience technology: they are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores throughout the world. Users rely on mobile devices more today than ever before – we know it, and the bad guys do too. The SEC575 course examines the full gamut of these devices.

LEARN HOW TO PEN TEST THE BIGGEST ATTACK SURFACE IN YOUR ENTIRE ORGANIZATION

With the skills you learn in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You’ll learn how to bypass platform encryption and how to manipulate apps to circumvent client-side security techniques. You’ll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You’ll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS, and you’ll bypass lock screens to exploit lost or stolen devices.

TAKE A DEEP DIVE INTO EVALUATING MOBILE APPS, OPERATING SYSTEMS, AND THEIR ASSOCIATED INFRASTRUCTURES

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you’ll review ways to effectively communicate threats to key stakeholders. You’ll leverage tools, including Mobile App Report Cards, to characterize threats for managers and decision-makers, while also identifying sample code and libraries that developers can use to address risks for in-house applications.

YOUR MOBILE DEVICES ARE GOING TO COME UNDER ATTACK – HELP YOUR ORGANIZATION PREPARE FOR THE ONSLAUGHT!

In employing your newly learned skills, you’ll apply a step-by-step mobile device deployment penetration test. Starting with gaining access to wireless networks to implement man-in-the-middle attacks and finishing with mobile device exploits and data harvesting, you’ll examine each step of the test with hands-on exercises, detailed instructions, and tips and tricks learned from hundreds of successful penetration tests. By building these skills, you’ll return to work prepared to conduct your own test, or better informed on what to look for and how to review an outsourced penetration test.

Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough people with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you’ll be able to differentiate yourself as having prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test – all critical skills to protect and defend mobile device deployments.

SEC575 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Virginia Beach | Virginia Beach, VA | Aug 26-31
Network Security | Las Vegas, NV | Sep 23-28
N VA Fall – Tysons | Tysons, VA | Oct 15-20
CDI | Washington, DC | Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Simulcast
Online Training | Jul 16-21
Online Training | Sep 23-28

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Device Architecture and Common Mobile Threats
The first module of SEC575 quickly looks at the significant threats affecting mobile device deployments, highlighted by a hands-on exercise evaluating network traffic from a vulnerable mobile banking application. As a critical component of a secure deployment, we will examine the architectural and implementation differences and similarities between Android (including Android Marshmallow), Apple iOS 11, and the Apple Watch and Google Wear platforms. We will also look at the specific implementation details of popular platform features such as iBeacon, AirDrop, App Verification, and more. Hands-on exercises will be used to interact with mobile devices running in a virtualized environment, including low-level access to installed application services and application data. We’ll examine the tools used to evaluate mobile devices as part of establishing a lab environment for mobile device assessments, including the analysis of mobile malware affecting Android and non-jailbroken iOS devices. Finally, we will address the threats of lost and stolen devices (and opportunities for a pen tester), including techniques to bypass mobile device lock screens.
Topics: Mobile Problems and Opportunities; Mobile Device Platform Analysis; Wearable Platforms; Mobile Device Lab Analysis Tools; Mobile Device Malware Threats

DAY 2: Mobile Platform Access and Application Analysis
With an understanding of the threats, architectural components and desired security methods, we dig deeper into iOS and Android mobile platforms focusing on sandboxing and data isolation models, and on the evaluation of mobile applications. This module is designed to help build skills in analyzing mobile device data and applications through rooting and jailbreaking Android and iOS devices and using that access to evaluate file system artifacts. We will also start to evaluate the security of mobile applications, using network capture analysis tools to identify weak network protocol use and sensitive data disclosure over the network. Finally, we’ll wrap up the module with an introduction to reverse engineering of iOS and Android applications using decompilers, disassemblers, and manual analysis techniques.
Topics: Unlocking, Rooting, and Jailbreaking Mobile Devices; Mobile Phone Data Storage and File System Architecture; Network Activity Monitoring; Static Application Analysis

DAY 3: Mobile Application Reverse Engineering
One of the core skills you need as a mobile security analyst is the ability to evaluate the risks and threats a mobile app introduces to your organization. Through lecture and hands-on exercises in this module, with some analysis skills, you will be able to evaluate critical mobile applications to determine the type of access threats and information disclosure threats they represent. In this module we will use automated and manual application assessment tools to evaluate iOS and Android apps. We’ll build upon the static application analysis skills covered in Module 2 to manipulate application components, including Android Intents and iOS URL extensions. We’ll also learn and practice techniques for manipulating iOS and Android applications, such as method swizzling on iOS, and disassembly, modification, and reassembly of Android apps. The module ends with a look at a consistent system for evaluating and grading the security of mobile applications using the Application Report Card Project.
Topics: Automated Application Analysis Systems; Reverse Engineering Obfuscated Applications; Application Report Cards

DAY 4: Penetration Testing Mobile Devices – Part 1
An essential component of developing a secure mobile device deployment is to perform or outsource a penetration test. Through ethical hacking and penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that deliver unauthorized access to data or supporting networks. By identifying these flaws we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics. Whether your role is to implement the penetration test, or to source and evaluate the penetration tests of others, understanding these techniques will help your organization identify and resolve vulnerabilities before they become incidents.
Topics: Manipulating Application Behavior; Using Mobile Device Remote Access Trojans; Wireless Network Probe Mapping; Weak Wireless Attacks; Enterprise Wireless Security Attacks

DAY 5: Penetration Testing Mobile Devices – Part 2
Continuing our look at ethical hacking and penetration testing, we turn our focus to exploiting weaknesses on iOS and Android devices. We will also examine platform-specific application weaknesses and look at the growing use of web framework attacks in mobile application exploitation. Hands-on exercises are used throughout the module to practice these attacks, exploiting both vulnerable mobile applications and the supporting back-end servers.
Topics: Network Manipulation Attacks; Sidejacking Attacks; SSL/TLS Attacks; Client-Side Injection Attacks; Web Framework Attacks; Back-end Application Support Attacks

DAY 6: Capture-the-Flag Event
In the final module of SEC575 we will pull together all the concepts and technology covered during the week in a comprehensive Capture-the-Flag event. In this hands-on exercise, you will have the option to participate in multiple roles, including designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad, and attacking a variety of mobile phones and related network infrastructure components. During this mobile security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

“SEC575 provides an incredible amount of information, and the hands-on labs are awesome. It is a must-have for mobile penetration testers.”
-Richard Takacs, Integrity360

SEC617: Wireless Penetration Testing and Ethical Hacking
GAWN: Assessing & Auditing Wireless Networks
[Link]/gawn

6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
▐▐ Identify and locate malicious rogue access points using free and low-cost tools
▐▐ Conduct a penetration test against low-power wireless devices to identify control system and related wireless vulnerabilities
▐▐ Identify vulnerabilities and bypass authentication mechanisms in Bluetooth networks
▐▐ Utilize wireless capture tools to extract audio conversations and network traffic from DECT wireless phones
▐▐ Implement a WPA2 Enterprise penetration test to exploit vulnerable wireless client systems for credential harvesting
▐▐ Utilize Scapy to forge custom packets to manipulate wireless networks in new ways, quickly building custom attack tools to meet specific penetration test requirements
▐▐ Identify WiFi attacks using network packet capture traces and freely available analysis tools
▐▐ Identify and exploit shortcomings in the security of proximity key card systems
▐▐ Decode proprietary radio signals using Software-Defined Radio
▐▐ Mount a penetration test against numerous standards-based or proprietary wireless technologies

This course is designed for professionals seeking a comprehensive technical ability to understand, analyze, and defend the various wireless technologies that have become ubiquitous in our environments and, increasingly, key entrance points for attackers. The authors of SEC617, as penetration testers themselves, know that many organizations overlook wireless security as an attack surface, and therefore fail to establish required defenses and monitoring, even though wireless technologies are now commonplace in executive suites, financial departments, government offices, manufacturing production lines, retail networks, medical devices, and air traffic control systems. Given the known risks of insecure wireless technologies and the attacks used against them, SEC617 was designed to help people build the vital skills needed to identify, evaluate, assess, and defend against these threats. These skills are “must-haves” for any high-performing security organization.

For many analysts, “wireless” was once synonymous with “WiFi,” the ever-present networking technology, and many organizations deployed complex security systems to protect these networks. Today, wireless takes on a much broader meaning – not only encompassing the security of WiFi systems, but also the security of Bluetooth, ZigBee, Z-Wave, DECT, RFID, NFC, contactless smart cards, and even proprietary wireless systems. To effectively evaluate the security of wireless systems, your skillset needs to expand to include many different types of wireless technologies.

SEC617 will give you the skills you need to understand the security strengths and weaknesses of wireless systems. You will learn how to evaluate the ever-present cacophony of WiFi networks and identify the WiFi access points (APs) and client devices that threaten your organization. You will learn how to assess, attack, and exploit deficiencies in modern WiFi deployments using WPA2 technology, including sophisticated WPA2 Enterprise networks. You will gain a strong, practical understanding of the many weaknesses in WiFi protocols and how to apply that understanding to modern wireless systems. Along with identifying and attacking WiFi access points, you will learn to identify and exploit the behavioral differences in how client devices scan for, identify, and select APs, with deep insight into the behavior of the Windows 10, macOS, Apple iOS, and Android WiFi stacks.

A significant portion of the course focuses on Bluetooth and Bluetooth Low Energy (BLE) attacks, targeting a variety of devices, including wireless keyboards, smart light bulbs, mobile devices, audio streaming devices, and more. You will learn to assess a target Bluetooth device, identify the present (or absent) security controls, and apply a solid checklist to certify a device’s security for use within your organization.

Beyond analyzing WiFi and Bluetooth security threats, analysts must also understand many other wireless technologies that are widely utilized in complex systems. SEC617 provides insight and hands-on training to help analysts identify and assess the use of ZigBee and Z-Wave wireless systems used for automation, control, and smart home systems. The course also investigates the security of cordless telephony systems in the worldwide Digital Enhanced Cordless Telephony (DECT) standard, including audio eavesdropping and recording attacks. Radio frequency identification (RFID), near field communication (NFC), and contactless smart card systems are more popular than ever in countless applications such as point of sale systems and data center access control systems. You will learn how to assess and evaluate these deployments using hands-on exercises to exploit the same kinds of flaws discovered in mass transit smart card systems, hotel guest room access systems, and more.

In addition to standards-based wireless systems, we also dig deeper into the radio spectrum using software-defined radio (SDR) systems to scour for signals. Using SDR, you will gain new insight into how widely pervasive wireless systems are deployed. With your skills in identifying, decoding, and evaluating the data these systems transmit, you will be able to spot vulnerabilities even in custom wireless infrastructures.

SEC617 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Network Security | Las Vegas, NV | Sep 23-28
CDI | Washington, DC | Dec 13-18

Summit Events
Pen Test HackFest | Bethesda, MD | Nov 14-19

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: WiFi Data Collection and Analysis
The first section of the course quickly looks at wireless threats and attack surfaces and analyzes where you will likely see non-WiFi systems deployed in modern networks. We start off with a look at fundamental analysis techniques for evaluating WiFi networks, including the identification and analysis of rogue devices, and finish with a dive into remote penetration testing techniques using compromised Windows 10 and macOS devices to pivot.
Topics: Characterize the Wireless Threat; Sniffing WiFi; Rogue Access Point (AP) Analysis

DAY 2: WiFi Attack and Exploitation Techniques
After developing skills needed to capture and evaluate WiFi activity, we start our look at exploiting WiFi, targeting AP and client devices. We cover techniques that apply to any WiFi products, from consumer to enterprise-class devices, focusing on understanding protocol-level deficiencies that will continue to be applied throughout the course on non-WiFi wireless systems as well.
Topics: Exploiting WiFi Hotspots; WiFi Client Attacks; Exploiting WEP; Denial of Service (DoS) Attacks; WiFi Fuzzing for Bug Discovery

DAY 3: Enterprise WiFi, DECT, and ZigBee Attacks
We finish our look at WiFi attack techniques with a detailed look at assessing and exploiting WPA2 networks. Starting with WPA2 consumer networks, we investigate the flaws associated with pre-shared key networks and WiFi Protected Setup (WPS) deployments, continuing with a look at exploiting WPA2 Enterprise networks using various Extensible Authentication Protocol (EAP) methods. We continue to investigate the security of wireless networks on day 3, switching to non-WiFi analysis with a look at exploiting the worldwide Digital Enhanced Cordless Telephony (DECT) standard to capture and export audio conversations from cordless headsets and phones. We also investigate the security of ZigBee and IEEE 802.15.4 networks, looking at cryptographic flaws, key management failures, and hardware attacks.
Topics: Attacking WPA2 Pre-Shared Key Networks; Attacking WPA2 Enterprise Networks; Attacking Digital Enhanced Cordless Telephony Deployments; Attacking ZigBee Deployments

DAY 4: Bluetooth and Software Defined Radio Attacks
Bluetooth technology is nearly as pervasive as WiFi, with widespread adoption in smart phones, fitness trackers, wireless keyboards, smart watches, and more. In this module, we dig into the Bluetooth Classic, Enhanced Data Rate, and Low Energy protocols, including tools and techniques to evaluate target devices for vulnerabilities. Immediately following our look at Bluetooth technology, we jump into the practical application of Software Defined Radio (SDR) technology to identify, decode, and assess proprietary wireless systems. We investigate the hardware and software available for SDR systems, and look at the tools and techniques to start exploring this exciting area of wireless security assessment.
Topics: Bluetooth Introduction and Attack Techniques; Bluetooth Low Energy Introduction and Attack Techniques; Practical Application of Software-Defined Radio (SDR)

DAY 5: RFID, Smart Cards, and NFC Hacking
On day 5, we evaluate RFID technology in its multiple forms to identify the risks associated with privacy loss and tracking, while also building an understanding of both low-frequency and high-frequency RFID systems and NFC. We examine the security associated with contactless Point of Sale (PoS) terminals, including Apple Pay and Google Wallet, and proximity lock access systems from HID and other vendors. We also examine generalized techniques for attacking smart card systems, including critical data analysis skills needed to bypass the intended security of smart card systems used for mass transit systems, concert venues, bike rentals, and more.
Topics: RFID Overview; RFID Tracking and Privacy Attacks; Low-Frequency RFID Attacks; Exploiting Contactless RFID Smart Cards; Attacking NFC

DAY 6: Capture-the-Flag Event
On the last day of class, we will pull together all the concepts and technology we have covered during the week in a comprehensive Capture-the-Flag event. In this hands-on exercise, you will have the option to participate in multiple roles: identifying unauthorized/rogue WiFi access points, attacking live and recorded WiFi networks, decoding proprietary wireless signals, exploiting smart card deficiencies, and more. During this wireless security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

Who Should Attend
▐▐ Ethical hackers and penetration testers
▐▐ Network security staff
▐▐ Network and system administrators
▐▐ Incident response teams
▐▐ Information security policy decision-makers
▐▐ Technical auditors
▐▐ Information security consultants
▐▐ Wireless system engineers
▐▐ Embedded wireless system developers

“SEC617 is great for someone looking for a top-to-bottom rundown in wireless attacks.”
-Garret Picchioni, Salesforce

SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
▐▐ Perform advanced Local File Include (LFI)/Remote File Include (RFI), Blind SQL injection (SQLi), and Cross-Site Scripting (XSS) combined with Cross-Site Request Forgery (XSRF) discovery and exploitation
▐▐ Exploit advanced vulnerabilities common to most backend languages like Mass Assignments, Type Juggling, and Object Serialization
▐▐ Perform JavaScript-based injection against ExpressJS, [Link], and NoSQL
▐▐ Understand the special testing methods for content management systems such as SharePoint and WordPress
▐▐ Identify and exploit encryption implementations within web applications and frameworks
▐▐ Discover XML Entity and XPath vulnerabilities in SOAP or REST web services and other datastores
▐▐ Use tools and techniques to work with and exploit HTTP/2 and Web Sockets
▐▐ Identify and bypass Web Application Firewalls and application filtering techniques to exploit the system

Who Should Attend
▐▐ Web and network penetration testers
▐▐ Red team members
▐▐ Vulnerability assessment personnel
▐▐ Security consultants
▐▐ Developers, QA testers
▐▐ System administrators and IT managers
▐▐ System architects

Can your web apps withstand the onslaught of modern advanced attack techniques?

Modern web applications are growing more sophisticated and complex as they utilize exciting new technologies and support ever more critical operations. Long gone are the days of basic HTML requests and responses. Even in the age of Web 2.0 and AJAX, the complexity of HTTP and modern web applications is progressing at breathtaking speed. With the demands of highly available web clusters and cloud deployments, web applications are looking to deliver more functionality in smaller packets, with a decreased strain on backend infrastructure. Welcome to an era that includes tricked-out cryptography, WebSockets, HTTP/2, and a whole lot more. Are your web application assessment and penetration testing skills ready to evaluate these impressive new technologies and make them more secure?

Are you ready to put your web apps to the test with cutting-edge skills?

This pen testing course is designed to teach you the advanced skills and techniques required to test modern web applications and next-generation technologies. The course uses a combination of lecture, real-world experiences, and hands-on exercises to teach you the techniques to test the security of tried-and-true internal enterprise web technologies, as well as cutting-edge Internet-facing applications. The final course day culminates in a Capture-the-Flag competition, where you will apply the knowledge you acquired during the previous five days in a fun environment based on real-world technologies.

This course offers hands-on learning of advanced web app exploitation skills.

We begin by exploring advanced techniques and attacks to which all modern-day complex applications may be vulnerable. We’ll learn about new web frameworks and web backends, then explore encryption as it relates to web applications, digging deep into practical cryptography used by the web, including techniques to identify the type of encryption in use within the application and methods for exploiting or abusing it. We’ll look at alternative front ends to web applications and web services such as mobile applications, and examine new protocols such as HTTP/2 and WebSockets. The final portion of the class will focus on how to identify and bypass web application firewalls, filtering, and other protection techniques.

“SEC642 is quality content for senior penetration testers – a nice extension of standard WAPT courses!”
-Caleb Jaren, Microsoft

SEC642 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Network Security | Las Vegas, NV | Sep 23-28
San Francisco Fall | San Francisco, CA | Nov 26 - Dec 1

Summit Events
Pen Test HackFest | Bethesda, MD | Nov 14-19

OnDemand
E-learning available anytime, anywhere, at your pace

Simulcast
Online Training | Jul 16-21

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Advanced Attacks
As applications and their vulnerabilities become more complex, penetration testers have to be able to handle advanced targets. We’ll start the course with a warm-up pen test of a small application. After our review of this exercise, we will explore some of the more advanced techniques for LFI/RFI and SQLi server-based flaws. We will then take a stab at combined XSS and XSRF attacks, where we leverage the two vulnerabilities together for even greater effect. After discovering the flaws, we will then work through various ways to exploit these flaws beyond the typical means exhibited today. These advanced techniques will help penetration testers find ways to demonstrate these vulnerabilities to their organization through advanced and custom exploitation.
Topics: Review of the Testing Methodology; Using Burp Suite in a Web Penetration Test; Exploiting Local and Remote File Inclusions; Exploring Advanced Discovery Techniques for SQL Injection and Other Server-Based Flaws; Exploring Advanced Exploitation of XSS and XSRF in a Combined Attack; Learning Advanced Exploitation Techniques

DAY 2: Web Frameworks
We’ll continue exploring advanced discovery and exploitation techniques for today’s complex web applications. We’ll look at vulnerabilities that could affect web applications written in any backend language, then examine how logic flaws in applications, especially in Mass Object Assignments, can have devastating effects on security. We’ll also dig into assumptions made by core development teams of backend programming languages and learn how even something as simple as handling the data types in variables can be leveraged through the web with Type Juggling and Object Serialization. Next we’ll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. Part of this discussion will lead us to cutting-edge technologies like the MEAN stack, where JavaScript is leveraged from the browser, web server, and backend NoSQL storage. The final section of the class examines applications in content management systems such as SharePoint and WordPress, which have unique needs and features that make testing them both more complex and more fruitful for the tester.
Topics: Web Architectures; Web Design Patterns; Languages and Frameworks; Java and Struts; PHP Type Juggling; Logic Flaws; Attacking Object Serialization; The MEAN Stack; Content Management Systems; SharePoint; WordPress

DAY 3: Web Cryptography
Cryptographic weaknesses are common, yet few penetration testers have the skill to investigate, attack and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer, but do not inherently protect encrypted data from being attacked, or only permit the developer to use cryptography in a weak manner. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying what the encryption technique is to exploiting various flaws within the encryption or hashing.
Topics: Identifying the Cryptography Used in the Web Application; Analyzing and Attacking Encryption Keys; Exploiting Stream Cipher IV Collisions; Exploiting Electronic Codebook (ECB) Mode Ciphers with Block Shuffling; Exploiting Cipher Block Chaining (CBC) Mode with Bit Flipping; Vulnerabilities in PKCS#7 Padding Implementations
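The CBC bit-flipping attack listed under Day 3 above (and again under SEC660 Day 2) is worth seeing end to end. The following is an added worked example, not course material or SANS code: it encrypts a session token in CBC mode, shows an attacker with no key turning `admin=0` into `admin=1` by XORing a single ciphertext byte, and then shows the same forgery being rejected once the ciphertext is authenticated with an HMAC (encrypt-then-MAC). The 16-byte block cipher is a stand-in for AES, a four-round Feistel network keyed with HMAC-SHA256, so the script needs only the standard library; the keys, IV and `key=value` token format are constructed for the demo.

```python
"""CBC bit flipping: an unauthenticated CBC ciphertext is malleable.

Added example, not course material. block_encrypt/block_decrypt are a
stand-in for AES-128 (a 4-round Feistel network keyed with HMAC-SHA256) so
the script runs on the standard library alone; the attack works the same
with AES because it never touches the block cipher, only the chaining.
"""
import hashlib
import hmac

BLOCK = 16
TAG_LEN = 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Feistel round function: a keyed PRF of (round number, one 8-byte half)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    """Returns iv || C0 || C1 ... (IV prepended, as most token formats do)."""
    out, prev = [iv], iv
    data = pkcs7_pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))

def flip(ciphertext, index, old, new):
    """Attacker side, no key needed. P[i] = D(C[i]) XOR C[i-1], so XORing
    (old ^ new) into the ciphertext byte one block earlier rewrites the
    plaintext byte at `index` from old to new. With the IV prepended, that
    byte sits at the same offset `index` in the ciphertext. The block
    before the target decrypts to garbage."""
    c = bytearray(ciphertext)
    c[index] ^= old ^ new
    return bytes(c)

def is_admin(key, token):
    """Vulnerable check: decrypts and trusts whatever the plaintext says."""
    try:
        fields = cbc_decrypt(key, token).split(b";")
    except ValueError:
        return False
    return b"admin=1" in fields

def seal(key, mac_key, iv, plaintext):
    """Hardened: encrypt-then-MAC, tag over the whole ciphertext incl. IV."""
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def is_admin_sealed(key, mac_key, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampering is detected before anything is decrypted
    return is_admin(key, ct)

def demo():
    # Constructed demo keys and IV; in practice use os.urandom(16) for each.
    key = hashlib.sha256(b"constructed demo enc key").digest()[:16]
    mac_key = hashlib.sha256(b"constructed demo mac key").digest()[:16]
    iv = bytes(range(16))
    plaintext = b"uid=1337;role=user;admin=0"   # the '0' is plaintext byte 25
    token = cbc_encrypt(key, iv, plaintext)
    forged = flip(token, 25, ord("0"), ord("1"))
    sealed = seal(key, mac_key, iv, plaintext)
    sealed_forged = flip(sealed, 25, ord("0"), ord("1"))
    return {
        "original": is_admin(key, token),                                # False
        "forged": is_admin(key, forged),                                 # True
        "sealed": is_admin_sealed(key, mac_key, sealed),                 # False
        "sealed_forged": is_admin_sealed(key, mac_key, sealed_forged),   # False
    }

if __name__ == "__main__":
    print(demo())
```

The flip garbles the block before the one being targeted; here that is the `uid=1337;role=us` block, which the tolerant `key=value` parser simply ignores. Lining up the target field one block after data the attacker can sacrifice is what makes the attack practical against real tokens, and the only reliable defence is the second verifier's behaviour: never decrypt a ciphertext whose MAC has not been checked.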

DAY 4: Alternative Web Interfaces
Web applications are no longer limited to the traditional HTML-based interfaces. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. We will examine Flash, Java, ActiveX, and Silverlight flaws. We will explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets. We’ll use lab exercises to explore the newer protocols of HTTP/2 and WebSockets, exploiting flaws exposed within each of them.
Topics: Intercepting Traffic to Web Services and from Mobile Applications; Flash, Java, ActiveX, and Silverlight Vulnerabilities; SOAP and REST Web Services; Penetration Testing of Web Services; WebSocket Protocol Issues and Vulnerabilities; New HTTP/2 Protocol Issues and Penetration Testing

DAY 5: Web Application Firewall and Filter Bypass
Applications today are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make it more difficult for penetration testers during their testing. The controls block many of the automated tools and simple techniques used to discover flaws. On this day we’ll explore techniques used to map the control and how that control is configured to block attacks. You’ll be able to map out the rule sets and determine the specifics of how the Web Application Firewall detects attacks. This mapping will then be used to determine attacks that will bypass the control. You’ll use HTML5, UNICODE, and other encodings that will enable your discovery techniques to work within the protected application.
Topics: Understanding Web Application Firewalling and Filtering Techniques; Determining the Rule Sets Protecting the Application; Fingerprinting the Defense Techniques Used; Learning How HTML5 Injections Work; Using UNICODE, CTYPEs, and Data URIs to Bypass Restrictions; Bypassing a Web Application Firewall’s Best-Defended Vulnerabilities, XSS and SQLi

DAY 6: Capture the Flag
On this final course day you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this exercise is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You’ll be able to use these skills against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework (SamuraiWTF). You will be able to use this both in the class and after leaving and returning to your job.

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
GXPN: Exploit Researcher & Advanced Pen Tester
[Link]/gxpn

6 Day Program | 46 CPEs | Laptop Required

This course is designed as a logical progression point for those who have completed SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a real-world lab environment to solidify advanced concepts and allow for the immediate application of techniques in the workplace. Each day includes a two-hour evening bootcamp to allow for additional mastery of the techniques discussed and even more hands-on exercises. A sample of topics covered includes weaponizing Python for penetration testers, attacks against network access control (NAC) and VLAN manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as ASLR and DEP, return-oriented programming (ROP), Windows exploit-writing, and much more!

Attackers are becoming more clever and their attacks more complex. In order to keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. SEC660 provides attendees with in-depth knowledge of the most prominent and powerful attack vectors and an environment to perform these attacks in numerous hands-on scenarios. This course goes far beyond simple scanning for low-hanging fruit, and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing advanced penetration testing concepts, and provides an overview to help prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts off with a technical module on performing penetration testing against various cryptographic implementations. The rest of the day is spent on network booting attacks, escaping Linux restricted environments such as chroot, and escaping Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits, as well as client-side exploitation techniques, are covered. The final course day is dedicated to numerous penetration testing challenges requiring you to solve complex problems and capture flags.

You Will Be Able To
• Perform fuzz testing to enhance your company’s SDL process
• Exploit network devices and assess network application protocols
• Escape from restricted environments on Linux and Windows
• Test cryptographic implementations
• Model the techniques used by attackers to perform 0-day vulnerability discovery and exploit development
• Develop more accurate quantitative and qualitative risk assessments through validation
• Demonstrate the needs and effects of leveraging modern exploit mitigation controls
• Reverse-engineer vulnerable code to write custom exploits

Who Should Attend
• Network and systems penetration testers
• Incident handlers
• Application developers
• IDS engineers

“SEC660 is the right balance between theory and practice; it’s hands-on, not too hard, but also not too easy.”
-Anton Ebertzeder, Siemens AG

SEC660 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC: Jul 16-21
Network Security, Las Vegas, NV: Sep 23-28
Pen Test HackFest, Bethesda, MD: Nov 14-19
CDI, Washington, DC: Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Network Attacks for Penetration Testers
Day one serves as an advanced network attack module, building on knowledge gained from SEC560. The focus will be on obtaining access to the network; manipulating the network to gain an attack position for eavesdropping and attacks, and for exploiting network devices; leveraging weaknesses in network infrastructure; and taking advantage of client frailty.
Topics: Bypassing Network Admission Control; Impersonating Devices with Admission Control Policy Exceptions; Exploiting EAP-MD5 Authentication; Custom Network Protocol Manipulation with Ettercap and Custom Filters; Multiple Techniques for Gaining Man-in-the-Middle Network Access; Exploiting OSPF Authentication to Inject Malicious Routing Updates; Using Evilgrade to Attack Software Updates; Overcoming SSL Transport Encryption Security with Sslstrip; Remote Cisco Router Configuration File Retrieval; IPv6 for Penetration Testers

DAY 2: Crypto and Post-Exploitation
Day two starts by taking a tactical look at techniques penetration testers can use to investigate and exploit common cryptography mistakes. We finish the module with lab exercises that allow you to practice your new-found crypto attack skill set against reproduced real-world application vulnerabilities.
Topics: Pen Testing Cryptographic Implementations; Exploiting CBC Bit Flipping Vulnerabilities; Exploiting Hash Length Extension Vulnerabilities; Delivering Malicious Operating Systems to Devices Using Network Booting and PXE; PowerShell Essentials; Enterprise PowerShell; Post-Exploitation with PowerShell and Metasploit; Escaping Software Restrictions; Two-hour Evening Capture-the-Flag Exercise Using PXE, Network Attacks, and Local Privilege Escalation

DAY 3: Python, Scapy, and Fuzzing
Day three starts with a focus on how to leverage Python as a penetration tester. It is designed to help people unfamiliar with Python start modifying scripts to add their own functionality, while helping seasoned Python scripters improve their skills. Once we leverage the Python skills in creative lab exercises, we move on to leveraging Scapy for custom network targeting and protocol manipulation. Using Scapy, we examine techniques for transmitting and receiving network traffic beyond what canned tools can accomplish, including IPv6.
Topics: Becoming Familiar with Python Types; Leveraging Python Modules for Real-World Pen Tester Tasks; Manipulating Stateful Protocols with Scapy; Using Scapy to Create a Custom Wireless Data Leakage Tool; Product Security Testing; Using Taof for Quick Protocol Mutation Fuzzing; Optimizing Your Fuzzing Time with Smart Target Selection; Automating Target Monitoring While Fuzzing with Sulley; Leveraging Microsoft Word Macros for Fuzzing .docx files; Block-Based Code Coverage Techniques Using Paimei
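Hash length extension, listed under Day 2 above, as an added worked example (not course material or SANS code): a service authenticates requests with the flawed construction `sha1(secret || message)`, and an attacker who knows only a valid tag, the message and the length of the secret appends `&role=admin` and produces a valid tag for the extended message without ever learning the secret. The pure-Python SHA-1 is present only so the compression function can be resumed from a known digest, which `hashlib` does not allow; the secret, message and suffix are constructed for the demo, and `verify_hmac` shows the fix.

```python
"""Hash length extension against tag = sha1(secret || message).

Added example, not course material. The pure-Python SHA-1 exists only so
the compression function can be resumed from a known digest; the attacker
needs the tag, the message and the secret's length, never the secret.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def _compress(h, block):
    """One SHA-1 compression of a 64-byte block into the 5-word state h."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & _MASK) + e + k + w[i]) & _MASK
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((x + y) & _MASK for x, y in zip(h, (a, b, c, d, e)))

def md_padding(total_len):
    """Bytes SHA-1 appends to a message of total_len bytes: 0x80, zeros up
    to 56 mod 64, then the bit length as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1(data, state=_INIT, already_hashed=0):
    """SHA-1 of data. Given state/already_hashed, resumes as if already_hashed
    bytes (a multiple of 64) had been absorbed before data."""
    h = state
    buf = data + md_padding(already_hashed + len(data))
    for i in range(0, len(buf), 64):
        h = _compress(h, buf[i:i + 64])
    return struct.pack(">5I", *h)

def naive_tag(secret, message):
    """The vulnerable construction the service uses."""
    return hashlib.sha1(secret + message).digest()

def verify_naive(secret, message, tag):
    return hmac.compare_digest(naive_tag(secret, message), tag)

def extend(tag, message, secret_len, suffix):
    """Attacker: returns (message || glue || suffix, valid tag for it).
    glue is the padding the server's SHA-1 inserted after secret||message,
    so the known tag is exactly the state after absorbing that prefix."""
    glue = md_padding(secret_len + len(message))
    state = struct.unpack(">5I", tag)
    forged_tag = sha1(suffix, state, secret_len + len(message) + len(glue))
    return message + glue + suffix, forged_tag

def hmac_tag(secret, message):
    """The fix: HMAC's nested construction cannot be extended this way."""
    return hmac.new(secret, message, hashlib.sha1).digest()

def verify_hmac(secret, message, tag):
    return hmac.compare_digest(hmac_tag(secret, message), tag)

if __name__ == "__main__":
    secret = b"constructed-secret"             # never seen by the attacker
    message = b"user=alice&role=user"
    fm, ft = extend(naive_tag(secret, message), message, len(secret), b"&role=admin")
    print(verify_naive(secret, fm, ft))        # True: forged request accepted
    fm, ft = extend(hmac_tag(secret, message), message, len(secret), b"&role=admin")
    print(verify_hmac(secret, fm, ft))         # False: HMAC rejects it
```

When the secret's length is unknown, the attacker simply submits one forgery per plausible length; only the glue changes. Note that the forged message carries the binary glue bytes in the middle, so the target parser has to tolerate them (most query-string and cookie parsers do, which is why the last `role=` wins). The same attack applies to MD5, SHA-256 and other Merkle-Damgard hashes, and the fix in every case is an HMAC or a hash that is not length-extendable.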

DAY 4: Exploiting Linux for Penetration Testers
Day four begins by walking through memory from an exploitation perspective as well as introducing x86 assembler and linking and loading. Processor registers are directly manipulated by testers and must be intimately understood. Disassembly is a critical piece of testing and will be used throughout the remainder of the course. We will take a look at the Linux OS from an exploitation perspective and discuss the topic of privilege escalation.
Topics: Stack and Dynamic Memory Management and Allocation on the Linux OS; Disassembling a Binary and Analyzing x86 Assembly Code; Performing Symbol Resolution on the Linux OS; Identifying Vulnerable Programs; Code Execution Redirection and Memory Leaks; Return-Oriented Programming (ROP); Identifying and Analyzing Stack-Based Overflows on the Linux OS; Performing Return-to-libc (ret2libc) Attacks on the Stack; Defeating Stack Protection on the Linux OS; Defeating ASLR on the Linux OS

DAY 5: Exploiting Windows for Penetration Testers
On day five we start with covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years, as well as Windows-specific constructs, such as the process environment block (PEB), structured exception handling (SEH), thread information block (TIB), and the Windows API. Differences between Linux and Windows will be covered. These topics are critical in assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows OS.
Topics: The State of Windows OS Protections on Windows 7, 8, 10, Server 2008 and 2012; Understanding Common Windows Constructs; Stack Exploitation on Windows; Defeating OS Protections Added to Windows; Creating a Metasploit Module; Advanced Stack-Smashing on Windows; Using ROP; Building ROP Chains to Defeat DEP and Bypass ASLR; Windows 7 and 8; Porting Metasploit Modules; Client-side Exploitation; Windows Shellcode

DAY 6: Capture-the-Flag Challenge
This day will serve as a real-world challenge for students by requiring them to utilize skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they capture flags. More difficult challenges will be worth more points. In this offensive exercise, challenges range from local privilege escalation to remote exploitation on both Linux and Windows systems, as well as networking attacks and other challenges related to the course material.

SEC760: Advanced Exploit Development for Penetration Testers

6 Day Program | 46 CPEs | Laptop Required

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server 2012, and the latest Linux distributions are often very complex and subtle. Yet these vulnerabilities could expose organizations to significant attacks, undermining their defenses when attacked by very skilled adversaries. Few security professionals have the skillset to discover such vulnerabilities, let alone understand at a fundamental level why a vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers, the SANS Institute’s only 700-level course, teaches the skills required to reverse-engineer 32- and 64-bit applications, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits, such as use-after-free attacks, against modern software and operating systems.

Some of the skills you will learn in SEC760 include:
• How to write modern exploits against the Windows 7/8/10 operating systems
• How to perform complex attacks such as use-after-free, Kernel exploit techniques, one-day exploitation through patch analysis, and other advanced topics
• The importance of utilizing a Security Development Lifecycle (SDL) or Secure SDLC, along with Threat Modeling
• How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
• How to deal with modern exploit mitigation controls aimed at thwarting success and defeating determination

You Will Be Able To
• Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems
• Create exploits to take advantage of vulnerabilities through a detailed penetration testing process
• Use the advanced features of IDA Pro and write your own IDC and IDA Python scripts
• Perform remote debugging of Linux and Windows applications
• Understand and exploit Linux heap overflows
• Write Return-Oriented Shellcode
• Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
• Perform Windows heap overflows and use-after-free attacks
• Use precision heap sprays to improve exploitability
• Perform Windows Kernel debugging up through Windows 8 64-bit
• Jump into Windows kernel exploitation

Course Author Statement
“As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 7 and 8, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to conduct a Secure-SDLC process, perform threat modeling, determine if vulnerabilities are exploitable, and carry out security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development.”
-Stephen Sims

“SEC760 is a kind of training we could not get anywhere else. It is not a theory, we got to implement and to exploit everything we learned.”
-Jenny Kitaichit, Intel

SEC760 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC: Jul 16-21
Network Security, Las Vegas, NV: Sep 23-28
CDI, Washington, DC: Dec 13-18

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Threat Modeling, Reversing and Debugging with IDA
Many penetration testers, incident handlers, developers, and other related professionals lack reverse-engineering and debugging skills. These are different skills than reverse-engineering malicious software. As part of the Security Development Lifecycle (SDL) and Secure-SDLC, developers and exploit writers should have experience using IDA Pro to debug and reverse their code when finding bugs or when identifying potential risks after static code analysis or fuzzing.
Topics: Security Development Lifecycle; Threat Modeling; Why IDA Is the #1 Tool for Reverse Engineering; IDA Navigation; IDA Python and the IDA IDC; IDA Plug-ins and Extensibility; Local Application Debugging with IDA; Remote Application Debugging with IDA

DAY 2: Advanced Linux Exploitation
The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SEC660. Heap overflows serve as a rite of passage into modern exploitation techniques. This day is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, necessary for continuing further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows.
Topics: Linux Heap Management, Constructs, and Environment; Navigating the Heap; Abusing Macros such as unlink() and frontlink(); Function Pointer Overwrites; Format String Exploitation; Abusing Custom Doubly-Linked Lists; Defeating Linux Exploit Mitigation Controls; Using IDA for Linux Application Exploitation; Using Format String Bugs for ASLR Bypass

Who Should Attend
• Senior network and system penetration testers
• Secure application developers (C and C++)
• Reverse-engineering professionals
• Senior incident handlers
• Senior threat analysts
• Vulnerability researchers
• Security researchers

DAY 3: Patch Diffing, One-Day Exploits, and Return-Oriented Shellcode
Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to patch the vulnerability more quietly. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are well aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems. This technique is also used by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others. You will use the material covered in this day to identify bugs patched by vendors and take them through to exploitation.
Topics: The Microsoft Patch Management Process and Patch Tuesday; Obtaining Patches and Patch Extraction; Binary Diffing with BinDiff, patchdiff2, turbodiff, and DarunGrim4; Visualizing Code Changes and Identifying Fixes; Reversing 32-bit and 64-bit Applications and Modules; Triggering Patched Vulnerabilities; Writing One-Day Exploits; Handling Modern Exploit Mitigation Controls; Using ROP to Compile Shellcode on the Fly (Return-Oriented Shellcode)
DAY 4: Windows Kernel Debugging and Exploitation
The Windows Kernel is very complex and intimidating. This course day aims to help you understand the Windows Kernel and the various exploit mitigations added into recent versions. You will perform Kernel debugging on various versions of the Windows OS, such as Windows 7 and 8, and learn to deal with its inherent complexities. Exercises will be performed to analyze vulnerabilities, look at exploitation techniques, and get a working exploit.
Topics: Understanding the Windows Kernel; Navigating the Windows Kernel; Modern Kernel Protections; Debugging the Windows 7/8 Kernels and Drivers; WinDbg; Analyzing Kernel Vulnerabilities and Kernel Vulnerability Types; Kernel Exploitation Techniques; Token Stealing and HAL Dispatch Table Overwrites

DAY 5: Windows Heap Overflows and Client-Side Exploitation
The focus of this section is primarily on Windows browser and client-side exploitation. You will learn to analyze C++ vftable overflows, one of the most common mechanisms used to compromise a modern Windows system. Many of these vulnerabilities are discovered in the browser, so browser techniques will also be taught, including modern heap spraying to deal with Internet Explorer 8/9/10 and other browsers such as Firefox and Chrome. You will work towards writing exploits in the Use-After-Free/Dangling Pointer vulnerability class.
Topics: Windows Heap Management, Constructs, and Environment; Understanding the Low Fragmentation Heap (LFH); Browser-based and Client-side Exploitation; Remedial Heap Spraying; Understanding C++ vftable/vtable Behavior; Modern Heap Spraying to Determine Address Predictability; Use-after-free Attacks and Dangling Pointers; Using Custom Flash Objects to Bypass ASLR; Defeating ASLR, DEP, and Other Common Exploit Mitigation Controls

DAY 6: Capture-the-Flag Challenge
Day 6 will feature a Capture-the-Flag event with different types of challenges taken from material taught throughout the week.

“SEC760 is the challenge I am looking for. It will be overwhelming, but well worth it.”
-William Stott, Raytheon

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
GCFA: Forensic Analyst
[Link]/gcfa

6 Day Program | 36 CPEs | Laptop Required

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting will help you to:
• Detect how and when a breach occurred
• Identify compromised and affected systems
• Determine what attackers took or changed
• Contain and remediate incidents
• Develop key sources of threat intelligence
• Hunt down additional breaches using knowledge of the adversary

DAY 0: A 3-letter government agency contacts you to say an advanced threat group is targeting organizations like yours, and that your organization is likely a target. They won’t tell you how they know, but they suspect that there are already several breached systems within your enterprise. An advanced persistent threat, aka an APT, is likely involved. This is the most sophisticated threat that you are likely to face in your efforts to defend your systems and data, and these adversaries may have been actively rummaging through your network undetected for months or even years.

This is a hypothetical situation, but the chances are very high that hidden threats already exist inside your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivism. Constantly updated, FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting addresses today’s incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

GATHER YOUR INCIDENT RESPONSE TEAM – IT’S TIME TO GO HUNTING!

You Will Be Able To
• Learn and master the tools, techniques, and procedures necessary to effectively hunt, detect, and contain a variety of adversaries and to remediate incidents
• Detect and hunt unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment
• Hunt through and perform incident response across hundreds of unique systems simultaneously using F-Response Enterprise and the SIFT Workstation
• Identify and track malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
• Determine how the breach occurred by identifying the beachhead and spear phishing attack mechanisms
• Target advanced adversary anti-forensics techniques like hidden and time-stomped malware, along with utility-ware used to move in the network and maintain an attacker’s presence
• Use memory analysis, incident response, and threat hunting tools in the SIFT Workstation to detect hidden processes, malware, attacker command lines, rootkits, network connections, and more
• Track user and attacker activity second-by-second on the system you are analyzing through in-depth timeline and super-timeline analysis
• Recover data cleared using anti-forensics techniques via Volume Shadow Copy and Restore Point analysis
• Identify lateral movement and pivots within your enterprise, showing how attackers transition from system to system without detection

“FOR508 analyzes Advanced Persistent Threat samples that are affecting our industry today. This training can’t get any better!”
-Neel Mehta, Chevron

FOR508 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC: Jul 16-21
San Antonio, San Antonio, TX: Aug 6-11
Chicago, Chicago, IL: Aug 20-25
Virginia Beach, Virginia Beach, VA: Aug 20-25
Network Security, Las Vegas, NV: Sep 23-28
N VA Fall – Tysons, Tysons, VA: Oct 15-20
Seattle Fall, Seattle, WA: Oct 15-20
DFIRCON Miami, Miami, FL: Nov 5-10
Nashville, Nashville, TN: Dec 3-8
CDI, Washington, DC: Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Data Breach, New York City, NY: Aug 22-27
Threat Hunting & IR, New Orleans, LA: Sep 6-13

Course Day Descriptions

DAY 1: Advanced Incident Response and Threat Hunting
Incident responders and threat hunters should be armed with the latest tools, memory analysis techniques, and enterprise methodologies to identify, track, and contain advanced adversaries and to remediate incidents. Incident response and threat hunting analysts must be able to scale their analysis across thousands of systems in their enterprise. This section examines the six-step incident response methodology as it applies to an enterprise’s response to a targeted attack.
Topics: Real Incident Response Tactics; Threat Hunting; Cyber Threat Intelligence; Threat Hunting in the Enterprise; Malware Persistence Identification; Remote and Enterprise Incident Response

DAY 2: Memory Forensics in Incident Response and Threat Hunting
Now a critical component of many incident response and threat hunting teams that detect advanced threats in their organization, memory forensics has come a long way in just a few years. Memory forensics can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. This extremely popular section will introduce some of the most capable tools available and give you a solid foundation to add core and advanced memory forensic skills to your incident response and forensics capabilities.
Topics: Memory Acquisition; Memory Forensics Analysis Process for Response and Hunting; Memory Forensics Examinations; Memory Analysis Tools

Who Should Attend
• Incident response team members
• Threat hunters
• Experienced digital forensic analysts
• Information security professionals
• Federal agents and law enforcement personnel
• Red team members, penetration testers, and exploit developers
• SANS FOR500 and SEC504 graduates
DAY 3: Intrusion Forensics
Cyber defenders have a wide variety of tools and artifacts available to identify, hunt, and track adversary activity in a network. Each attacker’s action leaves a corresponding artifact, and understanding what is left behind as footprints can be critical to both red and blue team members. Attacks follow a predictable pattern, and we focus our detective efforts on immutable portions of that pattern. In this section, we cover common attacker tradecraft and discuss the various data sources and forensic tools you can use to identify malicious activity in the enterprise.
Topics: Advanced Evidence of Execution Detection; Windows Volume Shadow Copy Analysis; Lateral Movement Adversary Tactics, Techniques, and Procedures (TTPs); Event Log Analysis for Incident Responders and Hunters

DAY 4: Timeline Analysis
Learn advanced incident response and hunting techniques uncovered via timeline analysis directly from the authors who pioneered timeline analysis tradecraft. This section will step you through the two primary methods of building and analyzing timelines created during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create a timeline and also introduce the key methods to help you use those timelines effectively in your cases.
Topics: Timeline Analysis Overview; Memory Analysis Timeline Creation; Filesystem Timeline Creation & Analysis; Super Timeline Creation and Analysis
“This was an amazing
DAY 5: Incident Response and Hunting DAY 6: The APT Incident Response class that showed,
Across the Enterprise – Advanced Challenge from beginning
Adversary and Anti-Forensics Detection This incredibly rich and realistic enterprise intrusion to end, how to
exercise is based on a real-world advanced persistent
Over the years, we have observed that many incident
threat (APT) group. It brings together techniques learned investigate a
responders and threat hunters have a challenging time
finding threats without pre-built indicators of compromise
earlier in the week and tests your newly acquired skills in possible breach and
a case that simulates an attack by an advanced adversary.
or threat intelligence gathered before a breach. This is
especially true in APT adversary intrusions. This advanced
The challenge brings it all together using a real intrusion the ways to identify
into a complete Windows enterprise environment. You will
session will demonstrate techniques used by first
be asked to uncover how the systems were compromised and prevent it.”
responders to identify malware or forensic artifacts when
in the initial intrusion, find other systems the adversary -Jimmy Hwang,
very little information exists about their capabilities or
moved to laterally, and identify intellectual property stolen
hidden locations. We will discuss techniques to help funnel Wyndham Worldwide Corp.
via data exfiltration. You will walk out of the course with
possibilities down to the candidates most likely to be evil
hands-on experience investigating realistic attacks, curated
malware trying to hide on the system.
by a cadre of instructors with decades of experience fighting
Topics: Evolution of Incident Response Scripting; Malware advanced threats from attackers ranging from nation-states
and Anti-Forensic Detection; Anti-Forensic Detection to financial crime syndicates and hactivist groups.
Methodologies; Identifying Compromised Hosts without
Topics: Identification and Scoping; Containment and Threat
Active Malware
Intelligence Gathering; Remediation and Recovery
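The Day 4 "super timeline" is the merge of timestamps from several evidence types (filesystem, event logs, memory) into one time-ordered view, so that a pivot around one suspicious event exposes what else happened at the same moment. The following Python is an added example, not FOR508 course material and not a SANS tool such as log2timeline. It assumes the bodyfile layout that mactime 3.x consumes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds in UTC) and labels each filesystem row the mactime way (m, a, c, b or a dot for each of the four timestamps). The bodyfile, event log export and memory process list it merges are constructed for the example.

```python
"""Super-timeline construction from three evidence sources.
Added example for the FOR508 Day 4 topic; sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    when: datetime      # always UTC
    source: str         # FILE, EVTX or MEM
    macb: str           # for FILE rows: which of mtime/atime/ctime/crtime this row is
    detail: str


# Constructed bodyfile, mactime 3.x layout (timestamps are epoch seconds, UTC):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/Users/alice/AppData/Local/Temp/svc.exe|12345|r/rrwxrwxrwx|0|0|73216|1525910400|1525910400|1525910400|1525910400
0|/Windows/System32/svchost.exe|2001|r/rrwxrwxrwx|0|0|46080|1525910412|1400000000|1400000000|1400000000
0|/Users/alice/Documents/plans.docx|8802|r/rrw-rw-rw-|0|0|21504|1525910470|1500000000|1500000000|1500000000
"""

# Constructed Security event log export: ISO time (UTC), EventID, description.
EVTX_CSV = """\
2018-05-10T00:00:03Z,4624,Logon type 10 for CORP\\alice from 10.0.0.55
2018-05-10T00:00:05Z,4688,New process C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe
2018-05-10T00:01:10Z,4624,Logon type 3 for CORP\\alice from 10.0.0.55
"""

# Constructed memory-derived process list: name, pid, ppid, create time (UTC).
MEM_PSLIST = """\
svc.exe,4312,1234,2018-05-10T00:00:05Z
cmd.exe,4400,4312,2018-05-10T00:00:40Z
"""


def epoch_utc(seconds):
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def iso_utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_bodyfile(text):
    """One timeline row per distinct timestamp value of each file; the label
    shows which of the four fields share that value (e.g. 'm.cb', '.a..')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        name = f[1]
        stamps = {"m": f[8], "a": f[7], "c": f[9], "b": f[10]}
        for t in sorted(set(stamps.values()), key=int):
            label = "".join(k if stamps[k] == t else "." for k in "macb")
            events.append(Event(epoch_utc(t), "FILE", label, name))
    return events


def parse_evtx(text):
    rows = (line.split(",", 2) for line in text.splitlines() if line.strip())
    return [Event(iso_utc(ts), "EVTX", "....", f"EID {eid}: {desc}") for ts, eid, desc in rows]


def parse_pslist(text):
    rows = (line.split(",") for line in text.splitlines() if line.strip())
    return [Event(iso_utc(ts), "MEM", "...b", f"process {name} pid={pid} ppid={ppid}")
            for name, pid, ppid, ts in rows]


def build_super_timeline():
    """Merge every source into one chronological list (stable tie-break on source)."""
    events = parse_bodyfile(BODYFILE) + parse_evtx(EVTX_CSV) + parse_pslist(MEM_PSLIST)
    return sorted(events, key=lambda e: (e.when, e.source, e.detail))


def pivot(events, center, minutes=2):
    """Everything within +/- `minutes` of a pivot point, e.g. the first 4688."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [e for e in events if lo <= e.when <= hi]


if __name__ == "__main__":
    timeline = build_super_timeline()
    for e in pivot(timeline, iso_utc("2018-05-10T00:00:05Z"), minutes=1):
        print(e.when.strftime("%Y-%m-%d %H:%M:%S"), e.source, e.macb, e.detail)
```

Run as a script, the pivot around the 4688 process-creation event lines up the dropped binary's creation on disk, the RDP logon that preceded it, the process record from memory and the child cmd.exe that followed, while the old svchost.exe modification time from 2014 falls outside the window and is not in the way. The ten-second offset between the file's birth and its execution is the kind of detail that is only visible once the sources sit in one list.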

Community Events: Columbia, MD Sep 17-22
Simulcast: Online Training Aug 6-11; Online Training Sep 8-13
Private Training: All courses are available through Private Training.

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
GNFA: Network Forensic Analyst, [Link]/gnfa
6 Day Program, 36 CPEs, Laptop Required

This course will enable you to take your system-based forensic knowledge onto the wire, incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or even prove useful in definitively proving a crime actually occurred.

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking – we'll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of "threat hunters," this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensics alumni from FOR500 (formerly FOR408) and FOR508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the SOF-ELK platform, a VMware appliance pre-configured with the ELK stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parse utility, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the Moloch platform is also used. Through all of the in-class labs, your shell scripting abilities will also be used to make easy work of ripping through hundreds and thousands of data records.

You Will Be Able To
• Extract files from network packet captures and proxy cache files, allowing for follow-on malware analysis or definitive data loss determination
• Use historical NetFlow data to identify relevant past network occurrences, allowing for accurate incident scoping
• Reverse-engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage man-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation

FOR572 is available via (subject to change):

Featured Training Events: SANSFIRE, Washington, DC, Jul 16-21; Virginia Beach, Virginia Beach, VA, Aug 26-31; Network Security, Las Vegas, NV, Sep 23-28; DFIRCON Miami, Miami, FL, Nov 5-10; San Francisco Fall, San Francisco, CA, Nov 26 - Dec 1; Austin, Austin, TX, Nov 26 - Dec 1; CDI, Washington, DC, Dec 13-18
OnDemand: E-learning available anytime, anywhere, at your pace
Summit Events: Threat Hunting & IR, New Orleans, LA, Sep 6-13

Course Day Descriptions

DAY 1: Off the Disk and Onto the Wire
Network data can be preserved, but only if captured directly from the wire. Whether tactical or strategic, packet capture methods are quite basic. You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence, a web proxy server, then you'll go hands-on to find and extract stolen data from the proxy yourself. The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.
Topics: Web Proxy Server Examination; Foundational Network Forensics Tools: tcpdump and Wireshark; Network Evidence Acquisition; Network Architectural Challenges and Opportunities

DAY 2: Core Protocols & Log Aggregation/Analysis
Understanding log data and how it can guide the investigative process is an important network forensicator skill. Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture. In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. You'll use the SOF-ELK platform for post-incident log aggregation and analysis, bringing quick and decisive insight to a compromise investigation.
Topics: Hypertext Transfer Protocol (HTTP): Protocol and Logs; Domain Name Service (DNS): Protocol and Logs; Firewall, Intrusion Detection System, and Network Security Monitoring Logs; Logging Protocol and Aggregation; ELK Stack and the SOF-ELK Platform

Who Should Attend
• Incident response team members and forensicators
• Hunt team members
• Law enforcement officers, federal agents, and detectives
• Information security managers
• Network defenders
• IT professionals
• Network engineers
• Anyone interested in computer network intrusions and investigations
• Security Operations Center personnel and information security practitioners

DAY 3: NetFlow and File Access Protocols
In this section, you will learn the contents of typical NetFlow protocols, as well as common collection architectures and analysis methods. You'll also learn how to distill full-packet collections to NetFlow records for quick initial analysis before diving into more cumbersome pcap files. In addition, you'll examine the File Transfer Protocol, including how to reconstruct specific files from an FTP session. While FTP is commonly used for data exfiltration, it is also an opportunity to refine protocol analysis techniques, due to its multiple-stream nature. Lastly, you'll explore a variety of the network protocols unique to a Microsoft Windows or Windows-compatible environment. Attackers frequently use these protocols to "live off the land" within the victim's environment. By using existing and expected protocols, adversaries can hide in plain sight and avoid deploying malware that could tip off the investigators to their presence and actions.
Topics: NetFlow Collection and Analysis; Open-Source Flow Tools; File Transfer Protocol (FTP); Microsoft Protocols

DAY 4: Commercial Tools, Wireless, and Full-Packet Hunting
Commercial tools hold clear advantages in some situations a forensicator may typically encounter. Most commonly, this centers on scalability. Many open-source tools are designed for tactical or small-scale use. Whether they are used for large-scale deployments or for specific niche functionalities, these tools can immediately address many investigative needs. You'll look at the typical areas where commercial tools in the network forensic realm tend to focus, and discuss the value each may provide for your organizational requirements or those of your clients. Additionally, we will address the forensic aspects of wireless networking.
Topics: Simple Mail Transfer Protocol (SMTP); Commercial Network Forensics; Wireless Network Forensics; Automated Tools and Libraries; Full-Packet Hunting with Moloch

"I love how this course is very well organized, and how the step-by-step walk through of the lab allows even someone new to network forensics to get started right away." -Paul Kim, PWC
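Day 3 describes distilling a full-packet collection down to NetFlow-style records before opening the pcap itself. The following Python shows what that reduction actually computes, as an added example; it is not FOR572 lab material and not a SANS tool (in the course you would reach for nfdump, nfpcapd or similar). It parses the classic libpcap file format (magic 0xa1b2c3d4, Ethernet link type) with nothing but struct, counts IP-layer bytes the way a NetFlow exporter does, and keeps flows unidirectional, matching NetFlow v5 semantics. The capture it runs on is constructed in the block: a short TLS session to 203.0.113.10:443 and one FTP control packet to 198.51.100.7:21, with zeroed checksums.

```python
"""pcap -> unidirectional flow records (5-tuple, first/last seen, packets, bytes, TCP flags).
Added example for the FOR572 Day 3 topic; the sample capture is constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    first: float
    last: float
    packets: int = 0
    bytes: int = 0     # IP total-length bytes, as a NetFlow exporter counts them
    flags: int = 0     # union of TCP flags seen, like nfdump's flag column


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP frame for the constructed capture; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(records):
    """records: [(unix_ts_float, frame_bytes)] -> classic little-endian pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap; either byte order is accepted."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap file (pcapng needs a different reader)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) frames are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def pcap_to_flows(data):
    """Aggregate IPv4 packets into unidirectional flows keyed on the 5-tuple."""
    flows = {}
    for ts, f in read_pcap(data):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                                  # ARP, IPv6, ... are skipped
        ihl = (f[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", f, 16)[0]
        proto = f[23]
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        sport = dport = tflags = 0
        l4 = 14 + ihl
        if proto in (6, 17) and len(f) >= l4 + 4:     # TCP or UDP ports
            sport, dport = struct.unpack_from("!HH", f, l4)
        if proto == 6 and len(f) >= l4 + 14:          # TCP flags byte
            tflags = f[l4 + 13]
        key = (src, sport, dst, dport, proto)
        fl = flows.get(key)
        if fl is None:
            fl = flows[key] = Flow(src, sport, dst, dport, proto, ts, ts)
        fl.packets += 1
        fl.bytes += total_len
        fl.flags |= tflags
        fl.first, fl.last = min(fl.first, ts), max(fl.last, ts)
    return list(flows.values())


T0 = 1525910400.0   # constructed base time: 2018-05-10 00:00:00 UTC
SAMPLE_PCAP = write_pcap([
    (T0 + 0.000, tcp_frame("10.0.0.55", 49152, "203.0.113.10", 443, flags=0x02)),   # SYN
    (T0 + 0.050, tcp_frame("203.0.113.10", 443, "10.0.0.55", 49152, flags=0x12)),   # SYN/ACK
    (T0 + 0.051, tcp_frame("10.0.0.55", 49152, "203.0.113.10", 443, flags=0x10)),   # ACK
    (T0 + 0.100, tcp_frame("10.0.0.55", 49152, "203.0.113.10", 443, b"\x16\x03\x01" + b"\0" * 60)),
    (T0 + 1.000, tcp_frame("203.0.113.10", 443, "10.0.0.55", 49152, b"\x17\x03\x03" + b"\0" * 200)),
    (T0 + 60.00, tcp_frame("10.0.0.55", 49153, "198.51.100.7", 21, b"STOR plans.docx\r\n")),
])


def flow_table(flows):
    """nfdump-style lines, largest senders first."""
    def hms(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M:%S.%f")[:-3]
    return [f"{hms(x.first)} {x.last - x.first:7.3f}s proto={x.proto} {x.src}:{x.sport} -> "
            f"{x.dst}:{x.dport} pkts={x.packets} bytes={x.bytes} flags=0x{x.flags:02x}"
            for x in sorted(flows, key=lambda x: -x.bytes)]


if __name__ == "__main__":
    for line in flow_table(pcap_to_flows(SAMPLE_PCAP)):
        print(line)
```

Six packets collapse to three flow records, and that is the point of the reduction: you can see the byte asymmetry (283 bytes inbound against 183 outbound on the TLS session), the flag union (SYN, ACK and PSH on the client side), and the lone FTP control flow a minute later, and only then decide which pcap slice deserves a full decode. Payloads, which is where the "STOR plans.docx" sits, are deliberately not in the record; NetFlow tells you that a conversation happened and how big it was, not what was said.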
DAY 5: Encryption, Protocol Reversing, OPSEC, and Intel
Encryption is frequently cited as the most significant hurdle to effective network forensics, and for good reason. When properly implemented, encryption can be a brick wall in between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.
Topics: Encoding, Encryption, and SSL; Man in the Middle; Network Protocol Reverse Engineering; Investigation OPSEC and Threat Intel

DAY 6: Network Forensics Capstone Challenge
Students will test their understanding of network evidence and their ability to articulate and support hypotheses through presentations made to the instructor and class. The audience will include senior-level decision-makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.
Topics: Network Forensic Case

Simulcast: Online Training Sep 8-13
Private Training: All courses are available through Private Training.

FOR500: Windows Forensic Analysis
GCFE: Forensic Examiner, [Link]/gcfe
6 Day Program, 36 CPEs, Laptop Required

All organizations must prepare for cyber crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes like fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover key intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation masters capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of the Microsoft Windows operating systems. You can't protect what you don't understand, and understanding forensic capabilities and artifacts is a core component of information security. You'll learn to recover, analyze, and authenticate forensic data on Windows systems. You'll understand how to track detailed user activity on your network and how to organize findings for use in incident response, internal investigations, and civil/criminal litigation. You'll be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unimaginable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7/8/10, Office and Office365, cloud storage, Sharepoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out: attendees learn to analyze everything from legacy Windows XP systems to just-discovered Windows 10 artifacts.

FOR500 is continually updated. This course utilizes a brand-new intellectual property theft and corporate espionage case that took over six months to create. You work in the real world and your training should include real practice data. Our development team used incidents from their own experiences and investigations and created an incredibly rich and detailed scenario designed to immerse students in a true investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed step-by-step workbook meticulously outlines the tools and techniques that each investigator should follow to solve a forensic case.

MASTER WINDOWS FORENSICS – YOU CAN'T PROTECT WHAT YOU DON'T KNOW ABOUT

You Will Be Able To
• Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7/8/10
• Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
• Uncover the exact time a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
• Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
• Identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information the suspect was interested in finding and accomplish detailed damage assessments
• Use Windows shellbags analysis tools to articulate every folder and directory that a user opened up while browsing local, removable, and network drives
• Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing key Windows artifacts such as the Registry and log files
• Use event log analysis techniques to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
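The last item above, telling a remote session from a keyboard logon from a screen unlock, comes down to the LogonType field of Security event 4624. The following Python is an added example, not FOR500 course material; it parses 4624 records in the XML form that wevtutil or Get-WinEvent export, maps the logon type to Microsoft's documented meanings (2 interactive, 3 network, 7 unlock, 10 RemoteInteractive, and so on), and separates logons sourced from another host. The four sample events are constructed, and the "local source" heuristic (IpAddress of "-", 127.0.0.1 or ::1) is an assumption of this example rather than anything Windows guarantees.

```python
"""Classify Security 4624 logon events by LogonType and source.
Added example for the FOR500 event-log topic; the events are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Meanings per Microsoft's 4624 documentation.
LOGON_TYPES = {
    2: "Interactive (at the keyboard)",
    3: "Network (share access, WMI, PsExec-style remote execution)",
    4: "Batch (scheduled task)",
    5: "Service start",
    7: "Unlock (workstation unlocked / screensaver dismissed)",
    8: "NetworkCleartext (e.g. IIS basic authentication)",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive (cached domain credentials, DC unreachable)",
}
LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}   # assumption: treat these as same-host


@dataclass
class Logon:
    when: datetime
    computer: str
    user: str
    logon_type: int
    source_ip: str
    workstation: str
    auth_package: str

    @property
    def how(self):
        return LOGON_TYPES.get(self.logon_type, f"type {self.logon_type} (unmapped)")


def parse_4624(xml_text):
    """Return a Logon for a 4624 record, None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    user = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}"
    return Logon(when, root.findtext("e:System/e:Computer", namespaces=NS), user,
                 int(data.get("LogonType", "0")), data.get("IpAddress", "-"),
                 data.get("WorkstationName", "-"), data.get("AuthenticationPackageName", "-"))


def parse_logons(xml_events):
    return [lg for lg in map(parse_4624, xml_events) if lg is not None]


def remote_logons(logons):
    """Logons whose source address is another host, whatever the logon type."""
    return [lg for lg in logons if lg.source_ip not in LOCAL_SOURCES]


def summarize(logons):
    return [f"{lg.when:%Y-%m-%d %H:%M:%S} {lg.computer} {lg.user} {lg.how} "
            f"from {lg.source_ip} ({lg.workstation}, {lg.auth_package})" for lg in logons]


def _event(ts, logon_type, ip, workstation, package, user="alice", eid=4624):
    """Constructed 4624 record in the layout wevtutil /f:xml produces."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{eid}</EventID>
    <TimeCreated SystemTime="{ts}"/><Computer>WS01.corp.local</Computer></System>
  <EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="AuthenticationPackageName">{package}</Data></EventData></Event>"""


SAMPLE_EVENTS = [
    _event("2018-05-09T08:01:12.000000Z", 2, "127.0.0.1", "WS01", "Negotiate"),        # console
    _event("2018-05-09T12:30:44.000000Z", 7, "-", "WS01", "Negotiate"),                # unlock
    _event("2018-05-10T00:00:03.000000Z", 10, "10.0.0.55", "ATTACKER-PC", "Negotiate"),  # RDP
    _event("2018-05-10T00:01:10.000000Z", 3, "10.0.0.55", "ATTACKER-PC", "NTLM"),      # admin share
]

if __name__ == "__main__":
    logons = parse_logons(SAMPLE_EVENTS)
    print("\n".join(summarize(logons)))
    print(f"{len(remote_logons(logons))} logon(s) from other hosts")
```

Two things a practitioner should keep in mind when reading the output. A 4624 is written on the machine that was logged into, so a type 10 on WS01 tells you someone reached WS01 over RDP from 10.0.0.55; to see the same session from the other side you need that source host's logs, and a reconnect to an existing RDP session produces 4778 rather than a fresh 4624. Second, the type 3 with NTLM a minute after the RDP logon from the same address is the pattern of admin-share or remote-execution access, which is why the source address, not just the type, matters when scoping lateral movement.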

FOR500 is available via (subject to change):

Featured Training Events: SANSFIRE, Washington, DC, Jul 16-21; Boston Summer, Boston, MA, Aug 6-11; New York City Summer, New York City, NY, Aug 13-18; Virginia Beach, Virginia Beach, VA, Aug 26-31; Tampa-Clearwater, Tampa, FL, Sep 4-9; Baltimore Fall, Baltimore, MD, Sep 10-15; Network Security, Las Vegas, NV, Sep 23-28; Denver, Denver, CO, Oct 15-20; Houston, Houston, TX, Oct 29 - Nov 3; DFIRCON Miami, Miami, FL, Nov 5-10; San Francisco Fall, San Francisco, CA, Nov 26 - Dec 1; CDI, Washington, DC, Dec 13-18

Course Day Descriptions

DAY 1: Windows Digital Forensics and Advanced Data Triage
The Windows forensics course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. We will discuss how modern hard drives, such as Solid State Devices (SSD), can affect the digital forensics acquisition process and how analysts need to adapt to overcome the introduction of these new technologies.
Topics: Windows Operating System Components; Core Forensic Principles; Live Response and Triage-Based Acquisition Techniques; Acquisition Review with Write Blocker; Advanced Acquisition Challenges; Windows Image Mounting and Examination; NTFS File System Overview; Document and File Metadata; File Carving; Custom Carving Signatures; Memory, Pagefile, and Unallocated Space Analysis

DAY 2: Core Windows Forensics Part 1 – Windows Registry Forensics and Analysis
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user-profile data and system data. The course teaches forensic investigators how to prove that a specific user performed key word searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Topics: Registry Basics; Profile Users and Groups; Core System Information; User Forensic Data; Tools Utilized

Who Should Attend
• Information security professionals
• Incident response team members
• Law enforcement officers, federal agents, and detectives
• Media exploitation analysts
• Anyone interested in a deep understanding of Windows forensics

DAY 3: Core Windows Forensics Part 2 – USB Devices and Shell Items
Being able to show the first and last time a file was opened is a critical analysis skill. Utilizing shortcut (LNK) and jumplist databases, we are able to easily pinpoint which file was opened and when. We will demonstrate how to examine the pagefile, system memory, and unallocated space – all difficult-to-access locations that can offer the critical data for your case.
Topics: Shell Item Forensics; USB and Bring Your Own Device (BYOD) Forensic Examinations

DAY 4: Core Windows Forensics Part 3 – Email, Key Additional Artifacts, and Event Logs
This section discusses what types of information can be relevant to an investigation, where to find email files, and how to use forensic tools to facilitate the analysis process. We will find that the analysis process is similar across different types of email stores, but the real work takes place in the preparation – finding and extracting the email files from a variety of different sources. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
Topics: Email Forensics; Forensicating Additional Windows OS Artifacts; Windows Event Log Analysis

DAY 5: Core Windows Forensics Part 4 – Web Browser Forensics: Firefox, Internet Explorer, and Chrome
Throughout the section, investigators will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, and Internet Explorer along with Windows Operating System artifacts.
Topics: Browser Forensics: History, Cache, Searches, Downloads, Understanding of Browser Timestamps, Internet Explorer; Firefox; Chrome; Examination of Browser Artifacts; Tools Used

DAY 6: Windows Forensic Challenge
This complex case will involve an investigation into one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use all of the skills gained from each of the previous sections.
Topics: Digital Forensic Case; Windows 7 Forensic Challenge

"Anyone involved in digital investigations needs to take this class! It covers or touches upon almost every aspect of Windows forensic investigations in a very short period of time." -Cy Bleistine, NJSP

OnDemand: E-learning available anytime, anywhere, at your pace
Simulcast: Online Training Sep 23-28
Community Events: Columbia, MD Jul 23-28
Private Training: All courses are available through Private Training.

FOR518: Mac and iOS Forensic Analysis and Incident Response
6 Day Program, 36 CPEs, Laptop Required

Digital forensic investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms, yet most investigators are familiar with Windows-only machines.

Times and trends change and forensic investigators and analysts need to change with them. The new FOR518: Mac Forensic Analysis course provides the tools and techniques necessary to take on any Mac case without hesitation. The intense, hands-on forensic analysis skills taught in the course will enable Windows-based investigators to broaden their analysis capabilities and have the confidence and knowledge to comfortably analyze any Mac or iOS system.

This course will teach you:
• Mac and iOS Fundamentals: How to analyze and parse the Hierarchical File System (HFS+) by hand and recognize the specific domains of the logical file system and Mac-specific file types.
• User Activity: How to understand and profile users through their data files and preference configurations.
• Advanced Analysis and Correlation: How to determine how a system has been used or compromised by using the system and user data files in correlation with system log files.
• Apple Technologies: How to understand and analyze many Mac and iOS specific technologies, including Time Machine, Spotlight, iCloud, Document Versions, FileVault, Continuity, and FaceTime.

FOR518: Mac Forensic Analysis aims to form a well-rounded investigator by introducing Mac and iOS forensics into a Windows-based forensics world. This course focuses on topics such as the HFS+ file system, Mac-specific data files, tracking of user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who successfully completes the course will have the skills needed to take on a Mac or iOS forensics case.

FORENSICATE DIFFERENTLY!

You Will Be Able To
• Parse the HFS+ file system by hand, using only a cheat sheet and a hex editor
• Determine the importance of each file system domain
• Conduct temporal analysis of a system by correlating data files and log analysis
• Profile individuals' usage of the system, including how often they used it, what applications they frequented, and their personal system preferences
• Determine remote or local data backups, disk images, or other attached devices
• Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
• Analyze and understand Mac metadata and their importance in the Spotlight database, Time Machine, and Extended Attributes
• Develop a thorough knowledge of the Safari Web Browser and Apple Mail applications
• Identify communication with other users and systems through iChat, Messages, FaceTime, Remote Login, Screen Sharing, and AirDrop
• Conduct an intrusion analysis of a Mac for signs of compromise or malware infection
• Acquire and analyze memory from Mac systems
• Acquire and analyze iOS devices in-depth

"We have a primarily Mac OS environment and I don't think I could find a tenth of this information through my own research." -Kevin Neely, Pure Storage

FOR518 is available via (subject to change):

Featured Training Events: Network Security, Las Vegas, NV, Sep 23-28
OnDemand: E-learning available anytime, anywhere, at your pace
Private Training: All courses are available through Private Training.

Course Day Descriptions

DAY 1: Mac and iOS Essentials
This section introduces the student to Mac and iOS essentials such as acquisition, timestamps, logical file system, and disk structure. Acquisition fundamentals are the same with Mac and iOS devices, but there are a few tips and tricks that can be used to successfully and easily collect Mac and iOS systems for analysis. Students comfortable with Windows forensic analysis can easily learn the slight differences on a Mac system – the data are the same, only the format differs.
Topics: Apple Essentials; Mac Essentials and Acquisition; Disks & Partitions; iOS Essentials; iOS Acquisition; iOS Backups

DAY 2: HFS+ File System & System Triage
The building blocks of Mac and iOS forensics start with a thorough understanding of HFS+. Utilizing a hex editor, students will learn the basic principles of the primary file system implemented on Mac OS X systems. The students will then use that information to look at a variety of great artifacts that use the file system and that are different from other operating systems students have seen in the past. Rounding out the day, students will review Mac and iOS triage data.
Topics: HFS+ File System; Extended Attributes; File System Events Store Database; Spotlight; Portable Artifacts; Mac and iOS Triage; Most Recently Used (MRU)

Who Should Attend
• Experienced digital forensic analysts who want to solidify and expand their understanding of file system forensics and advanced Mac analysis
• Law enforcement officers, federal agents, and detectives who want to master advanced computer forensics and expand their investigative skill set
• Media exploitation analysts who need to know where to find the critical data they need from a Mac system
• Incident response team members who are responding to complex security incidents and/or intrusions from sophisticated adversaries and need to know what to do when examining a compromised system
• Information security professionals who want to become knowledgeable with Mac OS X and iOS system internals
• SANS FOR500, FOR508, FOR526, FOR585, and FOR610 alumni looking to round out their forensic skills

DAY 3: User Data, System Configuration, and Log Analysis
This section contains a wide array of information that can be used to profile and understand how individuals use their computers. The logical Mac file system is made up of four domains: User, Local, System, and Network. The User Domain contains most of the user-related items of forensic interest. This domain consists of user preferences and configurations. The System and Local Domains contain system-specific information such as application installation, system settings and preferences, and system logs. This section details basic system information, GUI preferences, and system application data. A basic analysis of system logs can give a good understanding of how a system was used or abused. Timeline analysis tells the story of how the system was used. Each entry in a log file has a specific meaning and may be able to tell how the user interacted with the computer. The log entries can be correlated with other data found on the system to create an in-depth timeline that can be used to solve cases quickly and efficiently. Analysis tools and techniques will be used to correlate the data and help the student put the story back together in a coherent and meaningful way.
Topics: User Data and System Configuration; Log Parsing and Analysis; Timeline Analysis and Data Correlation

DAY 4: Application Data Analysis
In addition to all the configuration and preference information found in the User Domain, the user can interact with a variety of native Apple applications, including the Internet, email, communication, photos, locational data, etc. These data can provide analysts with the who, what, where, why, and how for any investigation. This section will explore the various databases and other files where data are being stored. The student will be able to parse this information by hand without the help of a commercial tool parser.
Topics: Application Permissions; Native Application Fundamentals; Safari Browser; Apple Mail; Communication; Calendar and Reminders; Contacts; Notes; Photos; Maps; Location Data; Random Apps; Apple Watch; Third-Party Apps

DAY 5: Advanced Analysis Topics
Mac systems implement some technologies that are available only to those with Mac and iOS devices. These include data backup with Time Machine, Document Versions, and iCloud; and disk encryption with FileVault. Other advanced topics include data hidden in encrypted containers, live response, Mac intrusion and malware analysis, and Mac memory analysis.
Topics: Live Response; Time Machine; OS X Malware and Intrusion Analysis; iCloud; Versions; Memory Acquisitions and Analysis; Password Cracking and Encrypted Containers

DAY 6: Mac Forensics Challenge
Students will put their new Mac forensics skills to the test by running through a real-life scenario with team members.
Topics: In-Depth HFS+ File System Examination; File System Timeline Analysis; Advanced Computer Forensics Methodology; Mac Memory Analysis; File System Data Analysis; Metadata Analysis; Recovering Key Mac Files; Volume and Disk Image Analysis; Analysis of Mac Technologies including Time Machine, Spotlight, and FileVault; Advanced Log Analysis and Correlation; iDevice Analysis and iOS Artifacts

FOR526: Memory Forensics In-Depth

6 Day Program | 36 CPEs | Laptop Required

Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.

FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

In today’s forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. For those investigating platforms other than Windows, this course also introduces OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.

There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with real-world and malware-laden memory images.

FOR526: Memory Forensics In-Depth will teach you:
▐▐ Proper Memory Acquisition: Demonstrate targeted memory capture ensuring data integrity and overcoming obstacles to acquisition/anti-acquisition behaviors
▐▐ How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms
▐▐ Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior
▐▐ Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques and how to devise custom parsing scripts for targeted memory analysis

MALWARE CAN HIDE, BUT IT MUST RUN

What You Will Receive
▐▐ SIFT Workstation 3
This course extensively uses the SIFT Workstation 3 to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open-source tools, easily matching any modern forensic and incident response commercial tool suite.
- Ubuntu LTS base
- 64 bit-based system
- Better memory utilization
- Auto-DFIR package update and customizations
- Latest forensic tools and techniques
- VMware Appliance ready to tackle forensics
- Cross-compatibility between Linux and Windows
- Expanded filesystem support (NTFS, HFS, EXFAT, and more)
▐▐ Windows 8.1 Workstation with license
- 64 bit-based system
- A licensed virtual machine loaded with the latest forensic tools
- VMware Appliance ready to tackle forensics
▐▐ 32 GB Course USB 3.0
- USB loaded with memory captures, SIFT Workstation 3, tools, and documentation
▐▐ SANS Memory Forensics Exercise Workbook
- Exercise book is over 200 pages long with detailed step-by-step instructions and examples to help you become a master incident responder
▐▐ SANS DFIR cheat sheets to help use the tools
▐▐ MP3 audio files of the complete course lecture

FOR526 is available via (subject to change):

Featured Training Events
Network Security, Las Vegas, NV, Sep 23-28
San Francisco Fall, San Francisco, CA, Nov 26 - Dec 1

Summit Events
Threat Hunting & IR, New Orleans, LA, Sep 6-13

Simulcast
Online Training, Sep 8-13

vLive
Online Training, Oct 9 - Nov 15

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Foundations in Memory Analysis and Acquisition

Simply put, memory analysis has become a required skill for all incident responders and digital forensics examiners. Regardless of the type of investigation, system memory and its contents often expose the first piece of the evidential thread that, when pulled, unravels the whole picture of what happened on the target system. Where is the malware? How did the machine get infected? Where did the attacker move laterally? Or what did the disgruntled employee do on the system? What lies in physical memory can provide answers to all of these questions and more.

Topics: Why Memory Forensics?; Investigative Methodologies; The Ubuntu SIFT and Windows 8.1 Workstations; The Volatility Framework; System Architectures; Triage versus Full Memory Acquisition; Physical Memory Acquisition

DAY 2: Unstructured Analysis and Process Exploration

Structured memory analysis using tools that identify and interpret operating system structures is certainly powerful. However, many remnants of previously allocated memory remain available for analysis, and they cannot be parsed through structure identification. What tools are best for processing fragmented data? Unstructured analysis tools! They neither know nor care about operating system structures. Instead, they examine data, extracting findings using pattern matching. You will learn how to use Bulk Extractor to parse memory images and extract investigative leads such as email addresses, network packets, and more.

Topics: Unstructured Memory Analysis; Page File Analysis; Exploring Process Structures; List Walking and Scanning; Pool Memory; Exploring Process Relationships; Exploring DLLs; Kernel Objects

DAY 3: Investigating the User via Memory Artifacts

An incident responder (IR) is often asked to triage a system because of a network intrusion detection system alert. The Security Operations Center makes the call and requires more information due to outbound network traffic from an endpoint and the IR team is asked to respond. In this section, we cover how to enumerate active and terminated TCP connections – selecting the right plugin for the job based on the OS version.

Topics: Network Connections; Virtual Address Descriptors; Detecting Injected Code; Analyzing the Registry via Memory Analysis; User Artifacts in Memory

DAY 4: Internal Memory Structures

Day 4 focuses on introducing some internal memory structures (such as drivers), Windows memory table structures, and extraction techniques for portable executables. As we come to the final steps in our investigative methodology, “Spotting Rootkit Behaviors” and “Extracting Suspicious Binaries,” it is important to emphasize again the rootkit paradox. The more malicious code attempts to hide itself, the more abnormal and seemingly suspicious it appears. We will use this concept to evaluate some of the most common structures in Windows memory for hooking, the IDTs and SSDTs.

Topics: Interrupt Descriptor Tables; System Service Descriptor Tables; Drivers; Direct Kernel Object Manipulation; Module Extraction; Hibernation Files; Crash Dump Files

DAY 5: Memory Analysis on Platforms Other than Windows

Windows systems may be the most prevalent platform encountered by forensic examiners today, but most enterprises are not homogeneous. Forensic examiners and incident responders are best served by having the skills to analyze the memory of multiple platforms, including Linux and Mac—that is, platforms other than Windows.

Topics: Linux Memory Acquisition and Analysis; Mac Memory Acquisition and Analysis

DAY 6: Memory Analysis Challenge

This final course section provides students with a direct memory forensics challenge that makes use of the SANS NetWars Tournament platform. Your memory analysis skills are put to the test with a variety of hands-on scenarios involving hibernation files, Crash Dump files, and raw memory images, reinforcing techniques covered in the first five sections of the course. These challenges strengthen students’ ability to respond to typical and atypical memory forensics challenges from all types of cases, from investigating the user to isolating the malware. By applying the techniques learned earlier in the course, students consolidate their knowledge and can shore up skill areas where they feel they need additional practice.

Topics: Malware and Rootkit Behavior Detection; Persistence Mechanism Identification; Code Injection Analysis; User Activity Reconstruction; Linux Memory Image Parsing; Mac OSX Memory Image Parsing; Windows Hibernation File Conversion and Analysis; Windows Crash Dump Analysis (Using Windows Debugger)

Who Should Attend
▐▐ Incident response team members
▐▐ Experienced digital forensic analysts
▐▐ Red team members, penetration testers, and exploit developers
▐▐ Law enforcement officers, federal agents, and detectives
▐▐ SANS FOR508 and SEC504 graduates
▐▐ Forensics investigators

“FOR526 is the best training I’ve had in years. I’m learning many new tools and methodologies and using them in labs immediately.”
-Josh Burbank, Northrop Grumman

FOR578: Cyber Threat Intelligence

GCTI: Cyber Threat Intelligence ([Link]/gcti)

5 Day Program | 30 CPEs | Laptop Required

Security practitioners should attend FOR578: Cyber Threat Intelligence because it is unlike any other technical training. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum to:
▐▐ Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
▐▐ Identify and create intelligence requirements through practices such as threat modeling
▐▐ Understand and develop skills in tactical, operational, and strategic-level threat intelligence
▐▐ Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
▐▐ Learn about the different sources from which to collect adversary data and how to exploit and pivot off of those data
▐▐ Validate information received externally to minimize the costs of bad intelligence
▐▐ Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
▐▐ Move security maturity past IOCs into understanding and countering the behavioral tradecraft of threats
▐▐ Establish structured analytical techniques to be successful in any security role

Who Should Attend
▐▐ Security practitioners
▐▐ Incident response team members
▐▐ Threat hunters
▐▐ Security Operations Center personnel and information security practitioners
▐▐ Digital forensic analysts and malware analysts
▐▐ Federal agents and law enforcement officials
▐▐ Technical managers
▐▐ SANS alumni looking to take their analytical skills to the next level

It is common for security practitioners to call themselves analysts. But how many of us have
taken structured analysis training instead of simply attending technical training? Both are
important, but very rarely do analysts focus on training on analytical ways of thinking. This
course exposes analysts to new mindsets, methodologies, and techniques that will complement
their existing knowledge as well as establish new best practices for their security teams. Proper
analysis skills are key to the complex world that defenders are exposed to on a daily basis.
The analysis of an adversary’s intent, opportunity, and capability to do harm is known as
cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from
a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or
requirement of an organization. This collection, classification, and exploitation of knowledge
about adversaries gives defenders an upper hand against adversaries and forces defenders to
learn and evolve with each subsequent intrusion they face.
Cyber threat intelligence thus represents a force multiplier for organizations looking to
establish or update their response and detection programs to deal with increasingly
sophisticated threats. Malware is an adversary’s tool, but the real threat is the human one, and
cyber threat intelligence focuses on countering those flexible and persistent human threats
with empowered and trained human defenders.
Knowledge about the adversary is core to all security teams. The red team needs to understand
adversaries’ methods in order to emulate their tradecraft. The Security Operations Center
needs to know how to prioritize intrusions and quickly deal with those that need immediate
attention. The incident response team needs actionable information on how to quickly scope
and respond to targeted intrusions. The vulnerability management group needs to understand
which vulnerabilities matter most for prioritization and the risk that each one presents. The
threat hunting team needs to understand adversary behaviors to search out new threats.
In other words, cyber threat intelligence informs all security practices that deal with
adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your
organization with the tactical, operational, and strategic-level cyber threat intelligence skills
and tradecraft required to better understand the evolving threat landscape and to accurately
and effectively counter those threats.

FOR578 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-20
Network Security, Las Vegas, NV, Sep 23-27
N VA Fall – Tysons, Tysons, VA, Oct 15-19
DFIRCON Miami, Miami, FL, Nov 5-9
CDI, Washington, DC, Dec 13-17

Summit Events
Security Operations, New Orleans, LA, Aug 1-5
Threat Hunting & IR, New Orleans, LA, Sep 6-13

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Cyber Threat Intelligence and Requirements

Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word “cyber” entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.

Topics: Case Study: Carbanak, The Great Bank Robbery; Understanding Intelligence; Understanding Cyber Threat Intelligence; Threat Intelligence Consumption; Positioning the Team to Generate Intelligence; Planning and Direction (Developing Requirements)

DAY 2: The Fundamental Skillset: Intrusion Analysis

Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to use a more complete approach to addressing security. Two of the most commonly used models for assessing adversary intrusions are the “kill chain” and the “Diamond Model.” These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will participate in and be walked through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.

Topics: Primary Collection Source: Intrusion Analysis; Kill Chain Courses of Action; Kill Chain Deep Dive; Handling Multiple Kill Chains; Collection Source: Malware

DAY 3: Collection Sources

Cyber Threat Intelligence analysts must be able to interrogate and fully understand their collection sources. Analysts do not have to be malware reverse engineers as an example but they must at least understand that work and know what data can be sought. This section continues from the previous one in identifying key collection sources for analysts. There is also a lot of available information on what is commonly referred to as open-source intelligence (OSINT). In this course section students will learn to seek and exploit information from Domains, External Datasets, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more while also structuring the data to be exploited for purposes of sharing internally and externally.

Topics: Case Study: Axiom; Collection Source: Domains; Case Study: GlassRAT; Collection Source: External Datasets; Collection Source: TLS Certificates; Case Study: Trickbots; Exploitation: Storing and Structuring Data

DAY 4: Analysis and Dissemination of Intelligence

Many organizations seek to share intelligence but often fail to understand its value, its limitations, and the right formats to choose for each audience. Additionally, indicators and information shared without analysis are not intelligence. Structured analytical techniques such as the Analysis of Competing Hypotheses can help add considerable value to intelligence before it is disseminated. This section will focus on identifying both open-source and professional tools that are available for students as well as on sharing standards for each level of cyber threat intelligence both internally and externally. Students will learn about YARA and generate YARA rules to help incident responders, security operations personnel, and malware analysts. Students will gain hands-on experience with STIX and understand the CybOX and TAXII frameworks for sharing information between organizations. Finally, the section will focus on building the singular intrusions into campaigns and being able to communicate about those campaigns.

Topics: Analysis: Exploring Hypotheses; Analysis: Building Campaigns; Dissemination: Tactical; Case Study: Sony Attack; Dissemination: Operational

DAY 5: Higher-Order Analysis and Attribution

A core component of intelligence analysis at any level is the ability to defeat biases and analyze information. The skills required to think critically are exceptionally important and can have an organization-wide or national-level impact. In this course section, students will learn about logical fallacies and cognitive biases as well as how to defeat them. They will also learn about nation-state attribution, including when it can be of value and when it is merely a distraction. Students will also learn about nation-state-level attribution from previously identified campaigns and take away a more holistic view of the cyber threat intelligence industry to date. The class will finish with a discussion on consuming threat intelligence and actionable takeaways for students to make significant changes in their organizations once they complete the course.

Topics: Logical Fallacies and Cognitive Biases; Dissemination Strategies; Case Study: Stuxnet; Fine-Tuning Analysis; Case Study: Sofacy; Attribution

“This course gives a very smart and structured approach to Cyber Threat Intelligence, something that the global community has been lacking to date.”
-John Geary, Citigroup

FOR585: Advanced Smartphone Forensics

GASF: Advanced Smartphone Forensics ([Link]/gasf)

6 Day Program | 36 CPEs | Laptop Required

SMARTPHONES HAVE MINDS OF THEIR OWN. DON’T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE AS USER ACTIVITY. IT’S TIME TO GET SMARTER!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills.

Every time the smartphone thinks or makes a suggestion, the data are saved. It’s easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the find evidence button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 20 hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you’re working on the day you complete the course.

SMARTPHONE DATA CAN’T HIDE FOREVER – IT’S TIME TO OUTSMART THE MOBILE DEVICE!

You Will Be Able To
▐▐ Select the most effective forensic tools, techniques, and procedures for critical analysis of smartphone data
▐▐ Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
▐▐ Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
▐▐ Interpret file systems on smartphones and locate information that is not generally accessible to users
▐▐ Identify how the evidence got onto the mobile device – we’ll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
▐▐ Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
▐▐ Tie a user to a smartphone at a specific date/time and at various locations
▐▐ Recover hidden or obfuscated communication from applications on smartphones
▐▐ Decrypt or decode application data that are not parsed by your forensic tools
▐▐ Detect smartphones compromised by malware and spyware using forensic methods
▐▐ Decompile and analyze mobile malware using open-source tools
▐▐ Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes

FOR585 is available via (subject to change):

Featured Training Events
SANSFIRE, Washington, DC, Jul 16-21
New York City Summer, New York City, NY, Aug 13-18
Network Security, Las Vegas, NV, Sep 23-28
Denver, Denver, CO, Oct 15-20
DFIRCON Miami, Miami, FL, Nov 5-10
Austin, Austin, TX, Nov 26 - Dec 1
CDI, Washington, DC, Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

vLive
Online Training, Sep 4 - Oct 11

Course Day
Descriptions

DAY 1: Malware Forensics, Smartphone DAY 2: Android Forensics Who Should Attend
Overview, and SQLite Introduction Android devices are among the most widely used ▐▐ Experienced digital
smartphones in the world, which means they will forensic analysts
Although smartphone forensic concepts are similar to those
surely be part of an investigation that will come
of digital forensics, smartphone file system structures differ ▐▐ Media exploitation
across your desk. Android devices contain substantial
and require specialized decoding skills to correctly interpret analysts
amounts of data that can be decoded and
the data acquired from the device. On this first course day,
interpreted into useful information. However, without ▐▐ Information security
students will apply what they know to smartphone forensic
honing the appropriate skills for bypassing locked professionals
handling, device capabilities, acquisition methods, and SQLite
Androids and correctly interpreting the data stored ▐▐ Incident response teams
database examination and query development. Students will also
on them, you will be unprepared for the rapidly
become familiar with the forensic tools required to complete ▐▐ Law enforcement officers,
evolving world of smartphone forensics.
comprehensive examinations of smartphone data structures. federal agents, and
Malware affects a plethora of smartphone devices. This course Topics: Android Forensics Overview; Handling Locked detectives
section will examine various types of malware, how it exists on Android Devices; Android File System Structures;
smartphones, and how to identify and analyze it. Most commercial Android Evidentiary Locations; Traces of User Activity ▐▐ Accident reconstruction
smartphone tools help you identify malware, but none of them on Android Devices investigators
will allow you to tear down the malware to the level we cover in ▐▐ IT auditors
DAY 4: iOS Backups, Windows, and
class. Up to five labs will be conducted on this first day alone!
▐▐ Graduates of SANS SEC575,
Topics: The SIFT Workstation; Malware and Spyware Forensics;
Introduction to Smartphones; Smartphone Handling; Forensic
BlackBerry 10 Forensics SEC563, FOR500, FOR508,
FOR572, FOR526, FOR610,
Acquisition Concepts of Smartphones; Smartphone Forensics Tool iOS backups are extremely common and are found or FOR518 who want to
Overview; JTAG Forensics; Smartphone Components; Introduction in the cloud and on hard drives. Not only do users take their skills to the
to SQLite create backups, we often find that our best data next level
can be derived from creating an iOS backup for
forensic investigation. We realize that not everyone
DAY 3: Android Backups and iOS Devise examines BlackBerry and Windows Phone devices,
Forensics which is why we are focusing primarily on BlackBerry
10, Windows Phone 8 and 10 and application usage.
Android backups can be created for forensic analysis or by a user.
Both the Windows Phone and BlackBerry 10 sections
Smartphone examiners need to understand the file structures and
highlight pieces of evidence that can be found on
how to parse these data. Apple iOS devices contain substantial
multiple smartphones. BlackBerry smartphones are
amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed for bypassing locked iOS devices and correctly interpreting the data. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.
Topics: Android Backup Files; iOS Forensics Overview and Acquisition; iOS File System Structures; iOS Evidentiary Locations; Handling Locked iOS Devices; Traces of User Activity on iOS Devices

designed to protect user privacy, but techniques taught on this course day will enable the investigator to go beyond what the tools decode and manually recover data residing in database files of BlackBerry device file systems. The day ends with the students challenging themselves using tools and methods learned throughout the week to recover user data from a wiped Windows Phone before embarking on a BlackBerry 10 lab that covers tying SIM cards and application usage to a device.
Topics: iOS Backup File Forensics; Windows Phone/Mobile Forensics; BlackBerry 10 Forensic Overview; BlackBerry 10 File System, Evidentiary Locations, and Forensic Analysis

DAY 5: Third-Party Application and Knock-Off Forensics
This day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. The rest of the day focuses heavily on secure chat applications, recovering deleted application data and attachments, mobile browser artifacts, and knock-off phone forensics. The skills learned in this section will provide you with advanced methods for decoding data stored in third-party applications across all smartphones. We will show you what the commercial tools miss and teach you how to recover these artifacts yourself.
Topics: Third-Party Applications Overview; Third-Party Application Artifacts; Messaging Applications and Recovering Attachments; Secure Chat Applications; Mobile Browsers; Knock-off Phone Forensics

DAY 6: Smartphone Forensics Capstone Exercise
This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.

“Extremely valuable, up-to-date content that will be applicable day 1 back at the office!”
-Michael Perelman, Night Owl Discovery

Simulcast
Online Training | Jul 16-21
Online Training | Sep 23-28

Private Training
All courses are available through Private Training.

73
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
GREM: Reverse Engineering Malware
[Link]/grem
6 Day Program | 36 CPEs | Laptop Required

Learn to turn malware inside out! This popular course explores malware analysis tools and techniques in depth. FOR610 training has helped forensic investigators, incident responders, security engineers, and IT administrators acquire the practical skills to examine malicious programs that target and infect Windows systems.

Understanding the capabilities of malware is critical to an organization’s ability to derive threat intelligence, respond to information security incidents, and fortify defenses. This course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and many other freely available tools.

The course begins by establishing the foundation for analyzing malware in a way that dramatically expands upon the findings of automated analysis tools. You will learn how to set up a flexible laboratory to examine the inner workings of malicious software, and how to use the lab to uncover characteristics of real-world malware samples. You will also learn how to redirect and intercept network traffic in the lab to explore the specimen’s capabilities by interacting with the malicious program.

Malware is often obfuscated to hinder analysis efforts, so the course will equip you with the skills to unpack executable files. You will learn how to dump such programs from memory with the help of a debugger and additional specialized tools, and how to rebuild the files’ structure to bypass the packer’s protection. You will also learn how to examine malware that exhibits rootkit functionality to conceal its presence on the system, employing code analysis and memory forensics approaches to examining these characteristics.

FOR610 malware analysis training also teaches how to handle malicious software that attempts to safeguard itself from analysis. You will learn how to recognize and bypass common self-defensive measures, including code injection, sandbox evasion, flow misdirection, and other measures.

Hands-on workshop exercises are a critical aspect of this course. They enable you to apply malware analysis techniques by examining malicious software in a controlled and systematic manner. When performing the exercises, you will study the supplied specimens’ behavioral patterns and examine key portions of their code. To support these activities, you will receive pre-built Windows and Linux virtual machines that include tools for examining and interacting with malware.

You Will Be Able To
• Build an isolated, controlled laboratory environment for analyzing code and behavior of malicious programs
• Employ network and system-monitoring tools to examine how malware interacts with the file system, registry, network, and other processes in a Windows environment
• Uncover and analyze malicious JavaScript and VBScript components of web pages, which are often used by exploit kits for drive-by attacks
• Control relevant aspects of the malicious program’s behavior through network traffic interception and code patching to perform effective malware analysis
• Use a disassembler and a debugger to examine the inner workings of malicious Windows executables
• Bypass a variety of packers and other defensive mechanisms designed by malware authors to misdirect, confuse and otherwise slow down the analyst
• Recognize and understand common assembly-level patterns in malicious code, such as DLL injection and anti-analysis measures
• Assess the threat associated with malicious documents, such as PDF and Microsoft Office files
• Derive Indicators of Compromise (IOCs) from malicious executables to strengthen incident response and threat intelligence efforts

Who Should Attend
• Individuals who have dealt with incidents involving malware and want to learn how to understand key aspects of malicious programs
• Technologists who have informally experimented with aspects of malware analysis prior to the course and are looking to formalize and expand their expertise in this area
• Forensic investigators and IT practitioners looking to expand their skillsets and learn how to play a pivotal role in the incident response process

FOR610 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
San Francisco Summer | San Francisco, CA | Aug 26-31
Baltimore Fall | Baltimore, MD | Sep 10-15
Network Security | Las Vegas, NV | Sep 23-28
DFIRCON Miami | Miami, FL | Nov 5-10
San Francisco Fall | San Francisco, CA | Nov 26 - Dec 1
CDI | Washington, DC | Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Threat Hunting & IR | New Orleans, LA | Sep 6-13

74
Course Day Descriptions

DAY 1: Malware Analysis Fundamentals
Section one lays the groundwork for malware analysis by presenting the key tools and techniques useful for examining malicious programs. You will learn how to save time by exploring Windows malware in two phases. Behavioral analysis focuses on the program’s interactions with its environment, such as the registry, the network, and the file system. Code analysis focuses on the specimen’s code and makes use of a disassembler and debugger tools such as IDA Pro and OllyDbg. You will learn how to set up a flexible laboratory to perform such analysis in a controlled manner, and set up such a lab on your laptop using the supplied Windows and Linux (REMnux) virtual machines. You will then learn how to use the key analysis tools by examining a malware sample in your lab—with guidance and explanations from the instructor—to reinforce the concepts discussed throughout the day.
Topics: Assembling a Toolkit for Effective Malware Analysis; Examining Static Properties of Suspicious Programs; Performing Behavioral Analysis of Malicious Windows Executables; Performing Static and Dynamic Code Analysis of Malicious Windows Executables; Interacting with Malware in a Lab to Derive Additional Behavioral Characteristics

DAY 2: Reversing Malicious Code
Section two focuses on examining malicious Windows executables at the assembly level. You will discover approaches for studying inner workings of a specimen by looking at it through a disassembler and, at times, with the help of a debugger. The section begins with an overview of key code-reversing concepts and presents a primer on essential x86 Intel assembly concepts, such as instructions, function calls, variables, and jumps. You will also learn how to examine common assembly constructs, such as functions, loops, and conditional statements. The material will then build on this foundation and expand your understanding to incorporate 64-bit malware, given its growing popularity. Throughout the discussion, you will learn to recognize common characteristics at a code level, including HTTP command and control, keylogging, and command execution.
Topics: Understanding Core x86 Assembly Concepts to Perform Malicious Code Analysis; Identifying Key Assembly Logic Structures with a Disassembler; Following Program Control Flow to Understand Decision Points During Execution; Recognizing Common Malware Characteristics at the Windows API Level (Registry Manipulation, Keylogging, HTTP Communications, Droppers); Extending Assembly Knowledge to Include x64 Code Analysis

DAY 3: Malicious Web and Document Files
Section three focuses on examining malicious web pages and documents, which adversaries can use to directly perform malicious actions on the infected system and launch attacks that lead to the installation of malicious executable files. The section begins by discussing how to examine suspicious websites that might host client-side exploits. Next, you will learn how to de-obfuscate malicious scripts with the help of script debuggers and interpreters, examine Microsoft Office macros, and assess the threats associated with PDF and RTF files using several techniques.
Topics: Interacting with Malicious Websites to Assess the Nature of Their Threats; De-obfuscating Malicious JavaScript Using Debuggers and Interpreters; Analyzing Suspicious PDF Files; Examining Malicious Microsoft Office Documents, Including Files with Macros; Analyzing Malicious RTF Document Files

DAY 4: In-Depth Malware Analysis
Section four builds on the approaches to behavioral and code analysis introduced earlier in the course, exploring techniques for uncovering additional aspects of the functionality of malicious programs. The section begins by discussing how to handle packed malware. We will examine ways to identify packers and strip away their protection with the help of a debugger and other utilities. We will also walk through the analysis of malware that employs multiple technologies to conceal its true nature, including the use of registry, obfuscated JavaScript and PowerShell scripts, and shellcode. Finally, we will learn how malware implements Usermode rootkit functionality to perform code injection and API hooking, examining this functionality from both code and memory forensics perspectives.
Topics: Analyzing Malicious Microsoft Office (Word, Excel, PowerPoint) Documents; Analyzing Malicious Adobe PDF Documents; Analyzing Memory to Assess Malware Characteristics and Reconstruct Infection Artifacts; Using Memory Forensics to Analyze Rootkit Infections

DAY 5: Examining Self-Defending Malware
Section five takes a close look at the techniques malware authors commonly employ to protect malicious software from being examined. You will learn how to recognize and bypass anti-analysis measures designed to slow you down or misdirect you. In the process, you will gain more experience performing static and dynamic analysis of malware that is able to unpack or inject itself into other processes. You will also expand your understanding of how malware authors safeguard the data that they embed inside malicious executables. As with the other topics covered throughout the course, you will be able to experiment with such techniques during hands-on exercises.
Topics: Recognizing Packed Malware; Getting Started with Unpacking; Using Debuggers for Dumping Packed Malware from Memory; Analyzing Multi-Technology and Fileless Malware; Code Injection and API Hooking; Using Memory Forensics for Malware Analysis

DAY 6: Malware Analysis Tournament
Section six assigns students to the role of a malware analyst working as a member of an incident response or forensics team. Students are presented with a variety of hands-on challenges involving real-world malware in the context of a fun tournament. These challenges further a student’s ability to respond to typical malware-reversing tasks in an instructor-led lab environment and offer additional learning opportunities. Moreover, the challenges are designed to reinforce skills covered in the first five sections of the course, making use of the hugely popular SANS NetWars tournament platform. By applying the techniques learned earlier in the course, students solidify their knowledge and can shore up skill areas where they feel they need additional practice. Students who score the highest in the malware analysis challenge will be awarded the coveted SANS Lethal Forensicator coin.
Topics: Behavioral Malware Analysis; Dynamic Malware Analysis (Using a Debugger); Static Malware Analysis (Using a Disassembler); JavaScript Deobfuscation; PDF Document Analysis; Office Document Analysis; Memory Analysis

Community Events
Columbia, MD | Aug 20-25

Simulcast
Online Training | Sep 23-28

vLive
Online Training | Jul 30 - Sep 5

Private Training
All courses are available through Private Training.

75
MGT414: SANS Training Program for CISSP® Certification
GISP: Information Security Professional
[Link]/gisp
6 Day Program | 46 CPEs | Laptop Not Needed

SANS MGT414: SANS Training Program for CISSP® Certification is an accelerated review course that is specifically designed to prepare students to successfully pass the CISSP® exam. MGT414 focuses solely on the eight domains of knowledge as determined by (ISC)2 that form a critical part of the CISSP® exam. Each domain of knowledge is dissected into its critical components, and those components are then discussed in terms of their relationship with one another and with other areas of information security.

After completing the course students will have:
• Detailed coverage of the eight domains of knowledge
• The analytical skills required to pass the CISSP® exam
• The technical skills required to understand each question
• The foundational information needed to become a Certified Information Systems Security Professional (CISSP®)

External Product Notice:
The CISSP® exam itself is not hosted by SANS. You will need to make separate arrangements to take the CISSP® exam. Please note as well that the GISP exam offered by GIAC is NOT the same as the CISSP® exam offered by (ISC)2.

You Will Be Able To
• Understand the eight domains of knowledge that are covered on the CISSP® exam
• Analyze questions on the exam and be able to select the correct answer
• Apply the knowledge and testing skills learned in class to pass the CISSP® exam
• Understand and explain all of the concepts covered in the eight domains of knowledge
• Apply the skills learned across the eight domains to solve security problems when you return to work

“This training was a comprehensive overview of all topics covered in the CISSP® exam. All in attendance were there for a common goal, including the instructor. It was easy to follow, and the real-world examples given were priceless.”
-Ron Pinnock, Navy Exchange Service Command

MGT414 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-21
Pittsburgh | Pittsburgh | Jul 30 - Aug 4
New York City Summer | New York City, NY | Aug 13-18
Chicago | Chicago, IL | Aug 20-25
San Francisco Summer | San Francisco, CA | Aug 26-31
Tampa-Clearwater | Tampa, FL | Sep 4-9
Network Security | Las Vegas, NV | Sep 23-28
N VA Fall – Tysons | Tysons, VA | Oct 15-20
Dallas Fall | Dallas, TX | Nov 5-10
San Diego Fall | San Diego, CA | Nov 12-17
Austin | Austin, TX | Nov 26 - Dec 1
Santa Monica | Santa Monica, CA | Dec 3-8
CDI | Washington, DC | Dec 13-18

76
Course Day Descriptions

DAY 1: Introduction; Security and Risk Management
On the first day of training for the CISSP® exam, MGT414 introduces the specific requirements needed to obtain certification. The exam update will be discussed in detail. We will cover the general security principles needed to understand the eight domains of knowledge, with specific examples for each domain. The first of the eight domains, Security and Risk Management, is discussed using real-world scenarios to illustrate the critical points.
Topics: Overview of CISSP® Certification; Introductory Material; Overview of the Eight Domains; Domain 1: Security and Risk Management

DAY 2: Asset Security and Security Engineering – Part 1
Understanding asset security is critical to building a solid information security program. The Asset Security domain, the initial focus of today’s course section, describes data classification programs, including those used by both governments and the military as well as the private sector. We will also discuss ownership ranging from business/mission owners to data and system owners. We will examine data retention and destruction in detail, including secure methods for purging data from electronic media. We then turn to the first part of the Security Engineering domain, including new topics for the 2018 exam such as the Internet of Things, Trusted Platform Modules, Cloud Security, and much more.
Topics: Domain 2: Asset Security; Domain 3: Security Engineering (Part 1)

DAY 3: Security Engineering – Part 2; Communication and Network Security
This course section continues the discussion of the Security Engineering domain, including a deep dive into cryptography. The focus is on real-world implementation of core cryptographic concepts, including the three types of cryptography: symmetric, asymmetric, and hashing. Salts are discussed, as well as rainbow tables. We will round out Domain 3 with a look at physical security before turning to Domain 4, Communication and Network Security. The discussion will cover a range of protocols and technologies, from the Open Systems Interconnection (OSI) model to storage area networks.
Topics: Domain 3: Security Engineering (Part 2); Domain 4: Communication and Network Security

DAY 4: Identity and Access Management
Controlling access to data and systems is one of the primary objectives of information security. Domain 5, Identity and Access Management, strikes at the heart of access control by focusing on identification, authentication, and authorization of accounts. Password-based authentication represents a continued weakness, so Domain 5 stresses multi-factor authentication, biometrics, and secure credential management. The CISSP® exam underscores the increased role of external users and service providers, and mastery of Domain 5 requires an understanding of federated identity, SSO, SAML, and third-party identity and authorization services like OAuth and OpenID.
Topics: Domain 5: Identity and Access Management

DAY 5: Security Assessment and Testing; Security Operations
This course section covers Domain 6 (Security Assessment) and Domain 7 (Security Operations). Security Assessment covers types of security tests, testing strategies, and security processes. Security Operations covers investigatory issues, including eDiscovery, logging and monitoring, and provisioning. We will discuss cutting-edge technologies such as the cloud, and we’ll wrap up day five with a deep dive into disaster recovery.
Topics: Domain 6: Security Assessment; Domain 7: Security Operations

DAY 6: Software Development Security
Domain 8 (Software Development Security) describes the requirements for secure software. Security should be “baked in” as part of network design from day one, since it is always less effective when it is added later to a poor design. We will discuss classic development models, including waterfall and spiral methodologies. We will then turn to more modern models, including agile software development methodologies. New content for the CISSP® exam update will be discussed, including DevOps. We will wrap up this course section by discussing security vulnerabilities, secure coding strategies, and testing methodologies.
Topics: Domain 8: Software Development Security

Who Should Attend
• Security professionals who are interested in understanding the concepts covered on the CISSP® exam as determined by (ISC)2
• Managers who want to understand the critical areas of information security
• System, security, and network administrators who want to understand the pragmatic applications of the CISSP® eight domains
• Security professionals and managers looking for practical ways the eight domains of knowledge can be applied to their current job

“Great discussions and examples that provide a clear understanding and relate material to examples.”
-Kelley ONeil, Wells Fargo

OnDemand
E-learning available anytime, anywhere, at your pace

Mentor Events
Portland, OR | Jul 18 - Sep 12
Washington, DC | Sep 12 - Oct 24

Simulcast
Online Training | Sep 23-28

Community Events
Dallas, TX | Jul 9-14

vLive
Online Training | Oct 23 - Dec 6

Private Training
All courses are available through Private Training.

77
MGT514: Security Strategic Planning, Policy, and Leadership
GSTRT: Strategic Planning, Policy & Leadership
[Link]/gstrt
5 Day Program | 30 CPEs | Laptop Not Needed

As security professionals we have seen the landscape change. Cybersecurity is now more vital and relevant to the growth of your organization than ever before. As a result, information security teams have more visibility, more budget, and more opportunity. However, with this increased responsibility comes more scrutiny.

This course teaches security professionals how to do three things:

• Develop Strategic Plans
Strategic planning is hard for people in IT and IT security because we spend so much time responding and reacting. We almost never get to practice until we get promoted to a senior position and then we are not equipped with the skills we need to run with the pack. Learn how to develop strategic plans that resonate with other IT and business leaders.

• Create Effective Information Security Policy
Policy is a manager’s opportunity to express expectations for the workforce, set the boundaries of acceptable behavior, and empower people to do what they ought to be doing. It is easy to get wrong. Have you ever seen a policy and your response was, “No way, I am not going to do that!” Policy must be aligned with an organization’s culture. We will break down the steps to policy development so that you have the ability to develop and assess policy to successfully guide your organization.

• Develop Management and Leadership Skills
Leadership is a capability that must be learned, exercised and developed to better ensure organizational success. Strong leadership is brought about primarily through selfless devotion to the organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources toward the end goal. Effective leadership entails persuading team members to accomplish their objectives while removing obstacles and maintaining the well-being of the team in support of the organization’s mission. Learn to utilize management tools and frameworks to better lead, inspire, and motivate your teams.

Using case studies from Harvard Business School, team-based exercises, and discussions that put students in real-world scenarios, students will participate in activities that they can then carry out with their own team members when they return to work.

The next generation of security leadership must bridge the gap between security staff and senior leadership by strategically planning how to build and run effective security programs. After taking this course you will have the fundamental skills to create strategic plans that protect your company, enable key innovations, and work effectively with your business partners.

You Will Be Able To
• Develop security strategic plans that incorporate business and organizational drivers
• Develop and assess information security policy
• Use management and leadership techniques to motivate and inspire your teams

“This course provided a full scope of leadership and security that can immediately be applied to your job.”
-Jerry Butler, NAVSEA OOI

MGT514 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-20
Boston Summer | Boston, MA | Aug 6-10
Chicago | Chicago, IL | Aug 20-24
Virginia Beach | Virginia Beach, VA | Aug 26-30
San Francisco Summer | San Francisco, CA | Aug 26-30
Network Security | Las Vegas, NV | Sep 23-27
Seattle Fall | Seattle, WA | Oct 15-19
San Francisco Fall | San Francisco, CA | Nov 26-30
Nashville | Nashville, TN | Dec 3-7
CDI | Washington, DC | Dec 13-17

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

78
Course Day Descriptions

DAY 1: Strategic Planning Foundations
On this first day we will introduce the key elements of strategic security plans and lay the groundwork for the rest of the course. Creating strategic plans for security requires a fundamental understanding of the business and a deep understanding of the threat landscape.
Topics: Vision and Mission Statements; Stakeholder Management; PEST Analysis; Porter’s Five Forces; Threat Actors; Asset Analysis; Threat Analysis

DAY 2: Strategic Roadmap Development
With a firm understanding of business drivers as well as the threats facing the organization, you will develop a plan to analyze the current situation, identify the target situation, perform gap analysis, and develop a prioritized roadmap. In other words, you will be able to determine (1) what you do today, (2) what you should be doing in the future, (3) what you don’t do, and (4) what you should do first. With this plan in place you will learn how to build and execute your plan by developing a business case, defining metrics for success, and effectively marketing your security program.
Topics: Historical Analysis; Values and Culture; SWOT Analysis; Vision and Innovation; Security Framework; Gap Analysis; Roadmap Development; Business Case Development; Metrics and Dashboards; Marketing and Executive Communications

DAY 3: Security Policy Development and Assessment
Policy is one of the key tools that security leaders have to influence and guide the organization. Security managers must understand how to review, write, assess, and support security policy and procedure. Using an instructional delivery methodology that balances lecture, exercises, and in-class discussion, this course section will teach techniques to create successful policy that users will read and follow and business leaders will accept. Learn key elements of policy, including positive and negative tone, consistency of policy bullets, how to balance the level of specificity to the problem at hand, the role of policy, awareness and training, and the SMART approach to policy development and assessment.
Topics: Purpose of Policy; Policy Gap Analysis; Policy Development; Policy Review; Awareness and Training

DAY 4: Leadership and Management Competencies
Learn the critical skills you need to lead, motivate, and inspire your teams to achieve the goal. By establishing a minimum standard for the knowledge, skills, and abilities required to develop leadership you will understand how to motivate employees and develop from a manager into a leader.
Topics: Leadership Building Blocks; Creating and Developing Teams; Coaching and Mentoring; Customer Service Focus; Conflict Resolution; Effective Communication; Leading Through Change; Relationship Building; Motivation and Self-Direction; Teamwork; Leadership Development

DAY 5: Strategic Planning Workshop
Using the case study method, students will work through real-world scenarios by applying the skills and knowledge learned throughout the course. Case studies are taken directly from Harvard Business School, the pioneer of the case-study method, and focus specifically on information security management and leadership competencies. The Strategic Planning Workshop serves as a capstone exercise for the course, allowing students to synthesize and apply concepts, management tools, and methodologies learned in class.
Topics: Creating a Security Plan for the CEO; Understanding Business Priorities; Enabling Business Innovation; Working with BYOD; Effective Communication; Stakeholder Management

Who Should Attend
• CISOs
• Information security officers
• Security directors
• Security managers
• Aspiring security leaders
• Other security personnel who have team lead or management responsibilities

“This course provides invaluable info with specific guidance on how to perform leadership tasks, and it also provides links to useful info... Outstanding.”
-Jeff Haynes, NELO

79
MGT517: Managing Security Operations: Detection, Response, and Intelligence
5 Day Program | 30 CPEs | Laptop Required

Managing Security Operations covers the design, operation, and ongoing growth of all facets of the security operations capabilities in an organization. An effective Security Operations Center (SOC) has many moving parts and must be designed so that it can be adjusted to work within the context and constraints of the organization. To run a successful SOC, managers need to provide tactical and strategic direction and inform staff of the changing threat environment and provide them with guidance and training. This course covers design, deployment, and operation of the security program to empower leadership through technical excellence.

The course covers the functional areas of Communications, Network Security Monitoring, Threat Intelligence, Incident Response, Forensics, and Self-Assessment. We discuss establishing Security Operations governance for:
• Business alignment and ongoing adjustment of capabilities and objectives
• Designing the SOC and the associated objectives of functional areas
• Software and hardware technology required for performance of functions
• Knowledge, skills, and abilities of staff as well as staff hiring and training
• Execution of ongoing operations

You will walk out of this course armed with a roadmap to design and operate an effective SOC tailored to the needs of your organization.

You Will Be Able To
• Design security operations to address all needed functions for the organization
• Select technologies needed to implement the functions for a Security Operations Center (SOC)
• Maintain appropriate business alignment with the security capability and the organization
• Develop and streamline security operations processes
• Strengthen and deepen capabilities
• Collect data for metrics, report meaningful metrics to the business, and maintain internal SOC performance metrics
• Hire appropriate SOC staff and keep existing SOC staff up to date

Who Should Attend
• Information security managers
• SOC managers, analysts, and engineers
• Information security architects
• IT managers
• Operations managers
• Risk management professionals
• IT/System administration/Network administration professionals
• IT auditors
• Business continuity and disaster recovery staff

“Insanely valuable content. This course is validating and filling in the gaps for my SOC.”
-Robert Wysor, Duke Energy

MGT517 is available via (subject to change):

Featured Training Events
SANSFIRE | Washington, DC | Jul 16-20
San Francisco Summer | San Francisco, CA | Aug 26-31
Network Security | Las Vegas, NV | Sep 23-28
Houston | Houston, TX | Oct 29 - Nov 3
San Francisco Fall | San Francisco, CA | Nov 26 - Dec 1
CDI | Washington, DC | Dec 13-17

Summit Events
Security Operations | New Orleans, LA | Aug 1-5

80
Course Day Descriptions

DAY 1: Design the Security Operations Center
This day focuses on how to align and deploy a Security Operations Center (SOC). The course day establishes the foundational aspects of a SOC by discussing the functional areas that form the basis of the build-and-operate days that follow. The first issue to address is how the SOC will serve the business. To understand what is to be built, we explore the business drivers for SOCs. Each company has its own circumstances and needs, but there are common drivers for setting out to build a SOC. From business alignment, the systems analysis performed shows all the things that need to be done. This is an elaborate and substantial effort to undertake. Knowing what components are available and how the pieces fit together is critical. This analysis will be followed with design and build on day 2.
Topics: SOC Fundamentals; SOC Components; Sizing and Scoping; SOC Program

DAY 2: Build the Security Operations Center
Once a clear picture of what should be done to secure the organization is produced from analysis of what the needs are, and what resources are available, we set out to build the SOC. The build-out starts with an operating plan decided on by the key stakeholders from the organization. The interactions, inputs, outputs, and actions within each of the process components are identified. Each functional area needs specific hardware and software to accomplish each process, so alternatives are discussed for all of these. Open-source, inexpensive, and enterprise-level solutions are presented for each need. We will discuss the available solutions in-depth, and help focus the budget available on the necessary tools. The output of this day is all the procurement necessary for building out a SOC.
Topics: Governance Structure; Process Engineering; Technical Components

DAY 3: Operate and Mature the Security Operations Center
Designing and building out a SOC are considered projects. Operation is an ongoing and perpetual effort. If the design of the system is insufficient or short-sighted, then operating the system will be difficult and inefficient. The overriding challenge of management is discussed in terms of organizational dimensions. The analytical processes of competing hypotheses, the kill chain, and the diamond model are discussed to provide a context for the analytical currency of the SOC. We will evaluate the staffing structure, how to hire, and how to keep those staff continually trained and updated. A schedule of meetings, specific metrics to report, and specific metrics to use to measure the relationship within the functional areas of the SOC are shown. Specific processes and the data relationships when performing the processes are discussed to depict the standard operating procedures that the SOC must carry out.
Topics: People and Processes; Measurements and Metrics; Process Development

DAY 4: Incident Response Management – Part 1
Further detail on incident response is developed to show the operation of the SOC. Since the response component is the action of defense, the operation of the incident response team is addressed in great detail. An examination of cloud-based systems shows a special case of incident response. The preparation of response capability in the cloud is insufficient because the contractual negotiations of the service rarely address incident response adequately. We discuss appropriate preparation and response action within cloud services. User training and awareness is developed as a basis for corrective action when incident response is required.
Topics: The Cloud; Incident Response Process; Creating Incident Requirements; Training, Education, and Awareness

DAY 5: Incident Response Management – Part 2
Continuing the operation of incident response, we discuss the staffing requirements in detail. Common caveats of incident response operations are discussed, and tabletop exercises are developed to mitigate those caveats. Communication requirements are laid out and incident tracking methods are discussed. We also look at how to make the most out of a response and damage control task. Tools for estimating and tracking costs associated with incidents are demonstrated, and overall recommendations are presented on how to interface with law enforcement. The final topic addressed is the development of appropriate response techniques for APT-style actors, including strategies for quickly differentiating APT-style compromise using threat intelligence, sufficient scope identification, and eradication of the current wave of compromise.
Topics: Staffing Considerations; Setting Up Operations; Managing Daily Operations; Cost Considerations; Legal and Regulatory Issues; Advanced Threat Response

“This course touches on the art and science of cybersecurity operations management.”
-Joanne Lim, Citibank

MGT525: IT Project Management, Effective Communication, and PMP® Exam Prep
GCPM Project Manager
[Link]/gcpm

6 Day Program | 36 CPEs | Laptop Not Needed

This course is offered by the SANS Institute as a PMI® Registered Education Provider (R.E.P.). R.E.P.s provide the training necessary to earn and maintain the Project Management Professional (PMP)® and other professional credentials. PMP® is a registered trademark of Project Management Institute, Inc.

This course has recently been updated to fully prepare you for changes in the 2018 PMP® exam. During this class you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. We will utilize project case studies that highlight information technology services as deliverables. MGT525 follows the basic project management structure from the PMBOK® Guide – Sixth Edition and also provides specific techniques for success with information assurance initiatives.

Throughout the week, we will cover all aspects of IT project management from initiating and planning projects through managing cost, time, and quality while your project is active, and to completing, closing, and documenting as your project finishes. A copy of the PMBOK® Guide – Sixth Edition is provided to all participants. You can reference the PMBOK® Guide and use your course material along with the knowledge you gain in class to prepare for the updated 2018 Project Management Professional (PMP)® Exam and the GIAC Certified Project Manager Exam.

The project management process is broken down into core process groups that can be applied across multiple areas of any project, in any industry. Although our primary focus is the application to the InfoSec industry, our approach is transferable to any projects that create and maintain services as well as general product development. We cover in-depth how cost, time, quality, and risks affect the services we provide to others. We will also address practical human resource management as well as effective communication and conflict resolution. You will learn specific tools to bridge the communications gap between managers and technical staff.

PMP®, PMBOK®, and the PMI Registered Education Provider® logo are registered trademarks of the Project Management Institute, Inc.

You Will Be Able To
▐▐ Recognize the top failure mechanisms related to IT and InfoSec projects, so that your projects can avoid common pitfalls
▐▐ Create a project charter that defines the project sponsor and stakeholder involvement
▐▐ Document project requirements and create a requirements traceability matrix to track changes throughout the project life cycle
▐▐ Clearly define the scope of a project in terms of cost, schedule and technical deliverables
▐▐ Create a work breakdown structure defining work packages, project deliverables and acceptance criteria
▐▐ Develop a detailed project schedule, including critical path tasks and milestones
▐▐ Develop a detailed project budget, including cost baselines and tracking mechanisms
▐▐ Develop planned and earned value metrics for your project deliverables and automate reporting functions
▐▐ Effectively manage conflict situations and build communication skills with your project team
▐▐ Document project risks in terms of probability and impact, and assign triggers and risk response responsibilities
▐▐ Create project earned value baselines and project schedule and cost forecasts

“MGT525 offers tools and techniques that will directly improve the planning, execution, and closing of your projects.”
-Michael Long, ARCYBER

MGT525 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-21
Network Security Las Vegas, NV Sep 23-28

Summit Events
Pen Test HackFest Bethesda, MD Nov 14-19

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Project Management Structure and Framework
This course day offers insight and specific techniques that both beginner and experienced project managers can utilize. The structure and framework section lays out the basic architecture and organization of project management. We will cover the common project management group processes, the difference between projects and operations, project life cycles, and managing project stakeholders.
Topics: Definition of Terms and Process Concepts; Group Processes; Project Life Cycle; Types of Organizations; PDCA Cycle

DAY 2: Project Charter and Scope Management
During day two, we will go over techniques used to develop the project charter and formally initiate a project. The scope portion defines the important input parameters of project management and gives you the tools to ensure that your project is well defined from the outset. We cover tools and techniques that will help you define your project’s deliverables and develop milestones to gauge performance and manage change requests.
Topics: Formally Initiating Projects; Project Charters; Project Scope Development; Work Breakdown Structures; Scope Verification and Control

DAY 3: Schedule and Cost Management
Our third day details the schedule and cost aspects of managing a project. We will cover the importance of correctly defining project activities, project activity sequence, and resource constraints. We will use milestones to set project timelines and task dependencies along with learning methods of resource allocation and scheduling. We introduce the difference between resource and product-related costs and go into detail on estimating, budgeting, and controlling costs. You will learn techniques for estimating project cost and rates as well as budgeting and the process for developing a project cost baseline.
Topics: Process Flow; Task Lead and Lag Dependencies; Resource Breakdown Structures; Task Duration Estimating; Critical Path Scheduling; Cost Estimating Tools; Cost vs. Quality; Cost Baselining; Earned Value Analysis and Forecasting

DAY 4: Communications and Project Resources
During day four, we move into project and human resource management and building effective communications skills. People are the most valuable asset of any project and we cover methods for identifying, acquiring, developing and managing your project team. Performance appraisal tools are offered as well as conflict management techniques. You will learn management methods to help keep people motivated and provide great leadership. The effective communication portion of the day covers identifying and developing key interpersonal skills. We cover organizational communication and the different levels of communication as well as common communication barriers and tools to overcome these barriers.
Topics: Acquiring and Developing Your Project Team; Organizational Dependencies and Charts; Roles and Responsibilities; Team Building; Conflict Management; Interpersonal Communication Skills; Communication Models and Effective Listening

DAY 5: Quality and Risk Management
On day five you will become familiar with quality planning, assurance, and control methodologies, as well as learn the cost-of-quality concept and its parameters. We define quality metrics and cover tools for establishing and benchmarking quality control programs. We go into quality assurance and auditing as well as how to understand and use quality control charts. The risk section goes over known versus unknown risks and how to identify, assess, and categorize risk. We use quantitative risk analysis and modeling techniques so that you can fully understand how specific risks affect your project. You will learn ways to plan for and mitigate risk by reducing your exposure as well as how to take advantage of risks that could have a positive effect on your project.
Topics: Cost of Quality; Quality Metrics; Continual Process Improvement; Quality Baselines; Quality Control; Change Control; Risk Identification; Risk Assessment; Time and Cost Risks; Risk Probability and Impact Matrices; Risk Modeling and Response

DAY 6: Procurement, Stakeholder Management, and Project Integration
We close out the week with the procurement aspects of project and stakeholder management, and then integrate all of the concepts presented into a solid, broad-reaching approach. We cover different types of contracts and then the make-versus-buy decision process. We go over ways to initiate strong requests for quotations (RFQ) and develop evaluation criteria, then qualify and select the best partners for your project. Stakeholder communication and management strategies are reinforced. The final session integrates everything we have learned by bringing all the topics together with the common process groups. Using a detailed project management methodology, we learn how to finalize the project management plan and then execute and monitor the progress of your project to ensure success.
Topics: Contract Types; Make vs. Buy Analysis; Vendor Weighting Systems; Contract Negotiations; Stakeholder Communication and Stakeholder Management Strategies; Project Execution; Monitoring Your Project’s Progress; Finalizing Deliverables; Forecasting and Integrated Change Control

Who Should Attend
▐▐ Individuals interested in preparing for the Project Management Professional (PMP)® Exam
▐▐ Security professionals who are interested in understanding the concepts of IT project management
▐▐ Managers who want to understand the critical areas of making projects successful
▐▐ Individuals working with time, cost, quality, and risk-sensitive projects and applications
▐▐ Anyone who would like to utilize effective communication techniques and proven methods to relate better to people
▐▐ Anyone in a key or lead engineering/design position who works regularly with project management staff

AUD507: Auditing & Monitoring Networks, Perimeters, and Systems
GSNA Systems and Networking Auditor
[Link]/gsna

6 Day Program | 36 CPEs | Laptop Required

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? How do we turn this into a continuous monitoring process? All of these questions and more will be answered by the material covered in this course.

This course is specifically organized to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practices, the students will have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for automatic compliance validation are taken from real-world examples.

One of the struggles that IT auditors face today is helping management understand the relationship between the technical controls and the risks to the business that these controls address. In this course these threats and vulnerabilities are explained based on validated information from real-world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general are important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and automatically validate defenses through instrumentation and automation of audit checklists.

You’ll be able to use what you learn immediately. Five of the six days in the course will help you produce your own checklist, or provide you with a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class. Each of the six hands-on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment.

A great audit is more than marks on a checklist; it is the understanding of what the underlying controls are, what the best practices are, and why. Sign up for this course and gain the mix of theoretical, hands-on, and practical knowledge to conduct a great audit.

You Will Be Able To
▐▐ Understand the different types of controls (e.g., technical vs. non-technical) essential to perform a successful audit
▐▐ Conduct a proper risk assessment of a network to identify vulnerabilities and prioritize what will be audited
▐▐ Establish a well-secured baseline for computers and networks, constituting a standard against which one can conduct audits
▐▐ Perform a network and perimeter audit using a seven-step process
▐▐ Audit firewalls to validate that rules/settings are working as designed, blocking traffic as required
▐▐ Utilize vulnerability assessment tools effectively to provide management with the continuous remediation information necessary to make informed decisions about risk and resources
▐▐ Audit web application configuration, authentication, and session management to identify vulnerabilities attackers can exploit
▐▐ Utilize scripting to build a system to baseline and automatically audit Active Directory and all systems in a Windows domain

Who Should Attend
▐▐ Auditors seeking to identify key controls in IT systems
▐▐ Audit professionals looking for technical details on auditing
▐▐ Managers responsible for overseeing the work of an audit or security team
▐▐ Security professionals newly tasked with audit responsibilities
▐▐ System and network administrators looking to better understand what an auditor is trying to achieve, how auditors think, and how to better prepare for an audit
▐▐ System and network administrators seeking to create strong change control management and detection systems for the enterprise
▐▐ Anyone looking to implement effective continuous monitoring processes within the enterprise

“AUD507 provides insight on different aspects related to system configurations and associated risks.”
-Yosra Al-Basha, Yemen LNG Co.

AUD507 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-21
Baltimore Fall Baltimore, MD Sep 10-15
CDI Washington, DC Dec 13-18

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

LEG523: Law of Data Security and Investigations
GLEG Law of Data Security & Investigation
[Link]/gleg

5 Day Program | 30 CPEs | Laptop Not Needed

LEG523 is constantly updated to address changing trends and current events. Here’s a sampling of what’s new:
▐▐ How a breach involving EU data can lead to a cascade of investigations into not just your security, but all aspects of your General Data Protection Regulation compliance, even if you have no physical presence in the European Union.
▐▐ Lessons from lost FBI text messages
▐▐ How to improve the assessment and interpretation of digital evidence, such as evidence of a breach or other cyber event
▐▐ Students will receive a form contract for inviting outside incident responders – including police, contractors, National Guard, or civil defense agencies anywhere in the world – to help with a cyber crisis
▐▐ The EU’s new General Data Protection Regulation and its impact around the world

New law on privacy, e-discovery and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the IT department. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies, and records management procedures.

This course covers the law of fraud, crime, policy, contracts, liability, IT security and active defense—all with a focus on electronically stored and transmitted records. It also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resource issues or other investigations.

Each successive day of this five-day course builds upon lessons from the earlier days in order to comprehensively strengthen your ability to help your enterprise (public or private sector) cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with IT security.

Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis and response to the risks and opportunities surrounding open-source intelligence gathering.

Over the years this course has adopted an increasingly global perspective. Non-U.S. professionals attend LEG523 because there is no training like it anywhere else in the world. For example, a lawyer from the national tax authority in an African country took the course because electronic filings, evidence and investigations have become so important to her work. International students help the instructor, U.S. attorney Benjamin Wright, constantly revise the course and include more content that crosses borders.

You Will Be Able To
▐▐ Work better with other professionals at your organization who make decisions about the law of data security and investigations
▐▐ Exercise better judgment on how to comply with technology regulations, both in the United States and in other countries
▐▐ Evaluate the role and meaning of contracts for technology, including services, software and outsourcing
▐▐ Help your organization better explain its conduct to the public and to legal authorities
▐▐ Anticipate technology law risks before they get out of control
▐▐ Implement practical steps to cope with technology law risk
▐▐ Better explain to executives what your organization should do to comply with information security and privacy law
▐▐ Better evaluate technologies, such as digital signatures, to comply with the law and serve as evidence
▐▐ Make better use of electronic contracting techniques to get the best terms and conditions
▐▐ Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard)

Who Should Attend
▐▐ Investigators
▐▐ Security and IT professionals
▐▐ Lawyers
▐▐ Paralegals
▐▐ Auditors
▐▐ Accountants
▐▐ Technology managers
▐▐ Vendors
▐▐ Compliance officers
▐▐ Law enforcement personnel
▐▐ Privacy officers
▐▐ Penetration testers
▐▐ Cyber incident and emergency responders around the world (including private sector, law enforcement, national guard, civil defense and the like)

“I wish I’d taken LEG523 four years ago, so that our policy and governance could have been enhanced sooner.”
-Tom Siu, Case Western Reserve University

LEG523 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-20
Network Security Las Vegas, NV Sep 23-28
Dallas Fall Dallas, TX Nov 5-10

OnDemand
E-learning available anytime, anywhere, at your pace

vLive
Online Training Oct 1-31

Summit Events
Data Breach New York City, NY Aug 22-27

Private Training
All courses are available through Private Training.

DEV522: Defending Web Applications Security Essentials
GWEB Web Application Defender
[Link]/gweb

6 Day Program | 36 CPEs | Laptop Required

This is the course to take if you have to defend web applications!

The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defenses, such as firewalls, fail to secure web applications. DEV522 covers the OWASP Top 10 Risks and will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization’s web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world applications that have been proven to work. The testing aspect of vulnerabilities will also be covered so that you can ensure your application is tested for the vulnerabilities discussed in class.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.

DEV522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:
▐▐ Infrastructure security
▐▐ Server configuration
▐▐ Authentication mechanisms
▐▐ Application language configuration
▐▐ Application coding errors like SQL injection and cross-site scripting
▐▐ Cross-site request forging
▐▐ Authentication bypass
▐▐ Web services and related flaws
▐▐ Web 2.0 and its use of web services
▐▐ XPATH and XQUERY languages and injection
▐▐ Business logic flaws
▐▐ Protective HTTP headers

The course will make heavy use of hands-on exercises and conclude with a large defensive exercise that reinforces the lessons learned throughout the week.

You Will Be Able To
▐▐ Understand the major risks and common vulnerabilities related to web applications through real-world examples
▐▐ Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture
▐▐ Understand the best practices in various domains of web application security such as authentication, access control, and input validation
▐▐ Fulfill the training requirement as stated in PCI DSS 6.5
▐▐ Deploy and consume web services (SOAP and REST) in a more secure fashion
▐▐ Proactively deploy cutting-edge defensive mechanisms such as the defensive HTTP response headers and Content Security Policy to improve the security of web applications
▐▐ Strategically roll out a web application security program in a large environment
▐▐ Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner
▐▐ Develop strategies to assess the security posture of multiple web applications

DEV522 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-21
Network Security Las Vegas, NV Sep 23-28

OnDemand
E-learning available anytime, anywhere, at your pace

Summit Events
Secure DevOps Denver, CO Oct 24-29

Private Training
All courses are available through Private Training.

Course Day Descriptions

DAY 1: Web Basics and Authentication Security
We begin day one with an overview of recent web application attack and security trends, then follow up by examining the essential technologies that are at play in web applications. You cannot win the battle if you do not understand what you are trying to defend. We arm you with the right information so you can understand how web applications work and the security concepts related to them.
Topics: HTTP Basics; Overview of Web Technologies; Web Application Architecture; Recent Attack Trends; Authentication Vulnerabilities and Defense; Authorization Vulnerabilities and Defense

DAY 2: Web Application Common Vulnerabilities & Mitigations
Since the Internet does not guarantee the secrecy of information being transferred, encryption is commonly used to protect the integrity and secrecy of information on the web. This course day covers the security of data in transit or on disk and how encryption can help with securing that information in the context of web application security.
Topics: SSL Vulnerabilities and Testing; Proper Encryption Use in Web Application; Session Vulnerabilities and Testing; Cross-site Request Forgery; Business Logic Flaws; Concurrency; Input-related Flaws and Related Defenses; SQL Injection Vulnerabilities, Testing, and Defense

DAY 3: Proactive Defense and Operation Security
Day three begins with a detailed discussion on cross-site scripting and related mitigation and testing strategies, as well as HTTP response splitting. The code in an application may be totally locked down, but if the server setting is insecure, the server running the application can be easily compromised. Locking down the web environment is essential, so we cover this basic concept of defending the platform and host. To enable any detection of intrusion, logging and error handling must be done correctly. We will discuss the correct approach to handling incidents and logs, then dive even further to cover the intrusion detection aspect of web application security. In the afternoon we turn our focus to the proactive defense mechanism so that we are ahead of the bad guys in the game of hack and defend.
Topics: Cross-site Scripting Vulnerability and Defenses; Web Environment Configuration Security; Intrusion Detection in Web Applications; Incident Handling; Honeytoken

DAY 4: AJAX and Web Services Security
Day four is dedicated to the security of asynchronous JavaScript and XML (AJAX) and web services, which are currently the most active areas in web application development. Security issues continue to arise as organizations dive head first into insecurely implementing new web technologies without first understanding them. We will cover security issues, mitigation strategies, and general best practices for implementing AJAX and web services. We will also examine real-world attacks and trends to give you a better understanding of exactly what you are protecting against. Discussion focuses on web services in the morning and AJAX technologies in the afternoon.
Topics: Web Services Overview; Security in Parsing of XML; XML Security; AJAX Technologies Overview; AJAX Attack Trends and Common Attacks; AJAX Defense

DAY 5: Cutting-Edge Web Security
Day five focuses on cutting-edge web application technologies and current research areas. Topics such as clickjacking and DNS rebinding are covered. These vulnerabilities are difficult to defend against, and multiple defense strategies are needed for their defense to be successful. Another topic of discussion is the new generation of single-sign-on solutions such as OpenID. We cover the implications of using these authentication systems and the common “gotchas” to avoid. With the adoption of Web 2.0, the use of Java applets, Flash, ActiveX, and Silverlight is on the increase. The security strategies for defending these technologies are discussed so that these client-side technologies can be locked down properly.
Topics: Clickjacking; DNS Rebinding; Flash Security; Java Applet Security; Single-Sign-On Solution and Security; IPv6 Impact on Web Security

DAY 6: Capture and Defend the Flag Exercise
Day six starts with an introduction to the secure software development life cycle and how to apply it to web development. But the focus is a large lab that will tie together the lessons learned during the week and reinforce them with hands-on applications. Students will be provided with a virtual machine to implement a complete database-driven dynamic website. In addition, they will use a custom tool to enumerate security vulnerabilities and simulate a vulnerability assessment of the website. Students will then have to decide which vulnerabilities are real and which are false positives, and then mitigate the vulnerabilities. The scanner will score the student as vulnerabilities are eliminated or checked off as false positives. Advanced students will be able to extend this exercise and find vulnerabilities not presented by the scanner. Students will learn through these hands-on exercises how to secure the web application, starting with the operating system, the web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.
Topics: Mitigation of Server Configuration Errors; Discovering and Mitigating Coding Problems; Testing Business Logic Issues and Fixing Problems; Web Services Testing and Security Problem Mitigation

Who Should Attend
▐▐ Application developers
▐▐ Application security analysts or managers
▐▐ Application architects
▐▐ Penetration testers who are interested in learning about defensive strategies
▐▐ Security professionals who are interested in learning about web application security
▐▐ Auditors who need to understand defensive mechanisms in web applications
▐▐ Employees of PCI-compliant organizations who need to be trained to comply with those requirements

“Brilliant! The combination of hands-on exercises and Q&A streamlines learning like nothing else.”
-McKell Gomm, Henry Schein

87
DEV540: Secure DevOps and Cloud Application Security

5 Day Program | 30 CPEs | Laptop Required

You Will Be Able To
• Understand the core principles and patterns behind DevOps
• Map out and implement a Continuous Delivery/Deployment pipeline
• Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
• Integrate security into production operations
• Create a plan for introducing – or improving – security in a DevOps environment
• Move your DevOps workflows to the cloud
• Consume cloud services to secure cloud applications

This course covers how developers and security professionals can build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how principles, practices, and tools in DevOps and AWS can be leveraged to improve the reliability, integrity, and security of applications.

The first two days of the course cover how Secure DevOps can be implemented using lessons from successful DevOps security programs. Students build a secure DevOps CI/CD toolchain and understand how code is automatically built, tested, and deployed using popular open-source tools such as git, Puppet, Jenkins, and Docker. In a series of labs you learn to inject security into your CI/CD toolchain using various security tools, patterns, and techniques.

The final three days of the course cover how developers and security professionals can utilize AWS services to build secure software in the cloud. Students leverage the CI/CD toolchain to push application code directly to the cloud instead of to local servers on their class virtual machines. Students analyze and fix applications hosted in the cloud using AWS services and features such as API Gateway, IAM, signed cookies, Security Token Service, autoscaling, KMS, encryption, WAF, and Lambda for serverless computing.

The course makes extensive use of open-source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring.

This course also makes extensive use of AWS and associated developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services so students can experience how these services can be utilized in their applications.

"DEV540 opened my eyes to a new way of thinking about operations and security unlike anything since SEC401: Security Essentials."
-Todd Anderson, OBE

DEV540 is available via (subject to change):

Featured Training Events
N VA – Alexandria    Alexandria, VA        Aug 13-17
Virginia Beach       Virginia Beach, VA    Aug 20-24
Network Security     Las Vegas, NV         Sep 23-27
Santa Monica         Santa Monica, CA      Dec 3-7
CDI                  Washington, DC        Dec 13-17

Summit Events
Secure DevOps        Denver, CO            Oct 24-28

88
Course Day
Descriptions

DAY 1: Introduction to Secure DevOps
The first day is an introduction to DevOps practices, principles and tooling, how DevOps works, and how work is done in DevOps. We'll look at the importance of culture, collaboration, and automation in DevOps. Using case studies of DevOps "Unicorns" – the Internet tech leaders who have created the DNA for DevOps – we'll show you how and why they succeeded. This includes the keys to their DevOps security programs. Then you'll learn Continuous Delivery – the automation engine in DevOps – and how to build up a Continuous Delivery or Continuous Deployment pipeline. This includes how security controls can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.
Topics: Introduction to DevOps; Case Studies on DevOps Unicorns; DevOps Principles; Working in DevOps; From Continuous Integration to Continuous Delivery; Building a CD Pipeline; Deployment Kata; Secure Continuous Delivery: Challenges and Issues; Introducing Security into CD; Static Analysis in CD; Pen Testing and Manual Assessments – How Do They Fit in DevOps?; Vulnerability Management in CD; Securing Your Software Supply Chain; Automated Security Testing and Scanning in CI/CD

DAY 2: Moving to Production
Building on the ideas and frameworks developed in Section 1, you will learn how secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible, allows you to quickly and consistently deploy new infrastructure and manage configurations.
Topics: Securing Your CD Pipeline. Threat Modeling and Locking Down Your Build and Deployment Environment; Runtime Checks and Monitoring – Monkeys and Smart Checks; Run-Time Defense: RASP, IAST and Other Run-Time Security Solutions; Security in Monitoring. Using Production Metrics and Insight to Drive Improvements in Your Security Program; Red Teaming, Bug Bounties and Blameless Postmortems; Secure Infrastructure as Code – Building Security Policies into Infrastructure Code; Security with Puppet Lab; Managing Secrets. The Problem of Secrets in Automated Environments. Patterns – and Anti-Patterns – for Managing Secrets; Container Security – Introduction to Containers, Docker, and Docker Security Risks and Tools; Compliance as Code. How to Satisfy Compliance Requirements Using Continuous Delivery and Continuous Deployment; Going Forward: Introducing Security into DevOps – and DevOps into Security. Quick Wins and Long-Term Investments Needed to Succeed

DAY 3: Moving to the Cloud
Utilizing DevOps principles you will learn how to move your CI/CD toolchain into the cloud. This section provides an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices needed to securely deploy your applications in the cloud.
Topics: Introduction to the Cloud; Introduction to Amazon Web Services; Cloud Infrastructure as Code; Cloud CI/CD; Cloud Container Orchestration

DAY 4: Cloud Application Security – Part 1
In this course section, we will examine how to leverage cloud application security services to ensure that applications have the appropriate authentication and access control functionality while maintaining availability even while patching critical security defects.
Topics: Authentication and Access Control; API Gateway; Availability; Patch Management

DAY 5: Cloud Application Security – Part 2
Expand usage of cloud application security services to provide encryption, monitoring, and automation.
Topics: Encryption; Security Monitoring; Security Automation; Serverless Security

Who Should Attend
• Anyone working in the DevOps environment or transitioning to a DevOps environment
• Anyone who wants to understand where to add security checks, testing, and other controls to DevOps and Continuous Delivery
• Anyone interested in learning how to migrate DevOps workflows to the cloud, specifically Amazon Web Services (AWS)
• Anyone interested in learning how to leverage cloud application security services provided by AWS
• Developers
• Software architects
• Operations engineers
• System administrators
• Security analysts
• Security engineers
• Auditors
• Risk managers
• Security consultants
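The Day 2 topics above list managing secrets in automated environments and compliance as code. As an added illustration (this is not DEV540 course material), the Python script below is the kind of check that can be wired into a CD pipeline stage: it scans files that are about to be deployed for hard-coded credentials, fails the stage when it finds one, and passes when the same files reference secrets from the environment or a secrets store instead. The file contents, the regular expressions, and the helper names are constructed for this example; the AKIA key is the placeholder AWS uses in its own documentation.

```python
"""Minimal 'secrets check' for a CI/CD pipeline stage.

Added example (not SANS course material): scans text files that would be
committed to a repository (Dockerfiles, Puppet manifests, .env files,
deployment scripts) for patterns that indicate a hard-coded secret, and
returns a non-zero verdict so the pipeline stage fails before deployment.
The sample inputs below are constructed for this example; the AWS key id
matches the documented AKIA... format but is not a real credential.
"""
import re
from dataclasses import dataclass

# Patterns are assumptions about what a hard-coded secret looks like; tune
# them for your own environment.  Each entry is a (rule name, regex) pair.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # key=value style assignment of a password/token/secret with a literal value
    ("assigned_secret", re.compile(
        r"(?i)\b(password|passwd|secret|token|api_key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Values that look like secrets but are references to the environment, a
# secrets manager or a template placeholder, which is the pattern we want.
ALLOWED_REFERENCES = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|\{\{.*\}\}|<[^>]+>|CHANGE_?ME)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per matched line; allowed references are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if rule == "assigned_secret" and ALLOWED_REFERENCES.match(m.group(2)):
                continue  # e.g. password = ${DB_PASSWORD} is what we want to see
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
            break  # one finding per line is enough to fail the stage
    return findings


def gate(files: dict[str, str]) -> tuple[int, list[Finding]]:
    """Pipeline-stage entry point: 0 = pass, 1 = fail, plus the findings."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if findings else 0), findings


# Constructed sample inputs: the "before" files leak secrets, the "after"
# files reference them from the environment or a secrets store instead.
BAD_FILES = {
    "Dockerfile": "FROM alpine\nENV API_KEY=sk_live_0123456789abcdef\n",
    "db.pp": "class db { $password = 'Sup3rS3cretPw!' }\n",
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}
GOOD_FILES = {
    "Dockerfile": "FROM alpine\nENV API_KEY=${API_KEY}\n",
    "db.pp": "class db { $password = lookup('db::password') }\n",
    "deploy.sh": "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n",
}

if __name__ == "__main__":
    for label, files in (("before", BAD_FILES), ("after", GOOD_FILES)):
        rc, findings = gate(files)
        print(f"{label}: exit {rc}")
        for f in findings:
            print(f"  {f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Run as a script to see the "before" set fail and the "after" set pass; in a pipeline the return code of gate() becomes the stage result. The allow-list is deliberately narrow: a scanner that accepts anything it cannot prove is a secret will pass the very .env file you meant to catch.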

89
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
GSSP-JAVA: Secure Software Programmer - Java
[Link]/gssp-java

4 Day Program | 24 CPEs | Laptop Required

You Will Be Able To
• Use a web application proxy to view and manipulate HTTP requests and responses
• Review and perform basic exploits of common web application vulnerabilities, such as those found among the SANS/CWE Top 25 Most Dangerous Software Errors and the OWASP Top 10:
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Parameter manipulation
  • Open redirect
  • Session hijacking
  • Clickjacking
  • Authentication and access control bypass
• Mitigate common web application vulnerabilities using secure coding practices and Java libraries, including:
  • Input validation
  • Blacklist and whitelist validation
  • Regular expressions
  • Output encoding
  • Content Security Policy
  • Client-side security headers
• Build applications using:
  • Java Enterprise Edition authentication
  • Basic and form-based authentication
  • Client certificates
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)
  • Java Secure Sockets Extension
  • Secure password storage techniques
  • Java Cryptography Architecture
  • Security Manager
• Implement a secure software development lifecycle, including code review, static analysis and dynamic analysis techniques

This secure coding course will teach students how to build secure Java applications and gain the knowledge and skills to keep a website from getting hacked, counter a wide range of application attacks, prevent critical security vulnerabilities that can lead to data loss, and understand the mindset of attackers.

The course teaches you the art of modern web defense for Java applications by focusing on foundational defensive techniques, cutting-edge protection, and Java EE security features you can use in your applications as soon as you return to work. This includes learning how to:
• Identify security defects in your code
• Fix security bugs using secure coding techniques
• Utilize secure HTTP headers to prevent attacks
• Secure your sensitive representational state transfer (REST) services
• Incorporate security into your development process
• Use freely available security tools to test your applications

Great developers have traditionally distinguished themselves by the elegance, effectiveness and reliability of their code. That is still true, but the security of the code now needs to be added to those other qualities. This unique SANS course allows you to hone the skills and knowledge required to prevent your applications from getting hacked.

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive course covering a wide set of skills and knowledge. It is not a high-level theory course – it is about real-world, hands-on programming. You will examine actual code, work with real tools, build applications and gain confidence in the resources you need to improve the security of Java applications.

Rather than teaching students to use a given set of tools, the course covers concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The course culminates in a Secure Development Challenge in which students perform a security review of a real-world open-source application. You will conduct a code review, perform security testing to actually exploit real vulnerabilities, and implement fixes for these issues using the secure coding techniques that you have learned in the course.

PCI Compliance
Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify processes that require training in secure coding techniques for developers. This is the course for you if your application processes cardholder data and you are required to meet PCI compliance.

Who Should Attend
• Developers who want to build more secure applications
• Java Enterprise Edition programmers
• Software engineers
• Software architects
• Developers who need to be trained in secure coding techniques to meet PCI compliance
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

DEV541 is available via (subject to change):

Featured Training Events
SANSFIRE    Washington, DC    Jul 16-19

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

90
DEV544: Secure Coding in .NET: Developing Defensible Applications
GSSP-.NET: Secure Software Programmer - .NET
[Link]/gssp-net

4 Day Program | 24 CPEs | Laptop Required

You Will Be Able To
• Use a web application proxy to view HTTP requests and responses
• Review and perform basic exploits of common .NET web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
  • Cross-Site Scripting
  • Parameter Manipulation
  • Open Redirect
  • Unvalidated Forwards
  • SQL Injection
  • Session Hijacking
  • Clickjacking
  • Cross-Site Request Forgery
  • Man-in-the-middle (MITM)
• Mitigate common web application vulnerabilities using industry best practices in the .NET framework, including the following:
  • Input Validation
  • Blacklist & Whitelist Validation
  • Regular Expressions
  • Command Encoding
  • Output Encoding
  • Content Security Policy
  • Client-side Security Headers
• Understand built-in ASP.NET security mechanisms, including the following:
  • AntiForgeryToken
  • Data Annotations
  • Event Validation
  • Request Validation
  • View State
  • Entity Framework
  • ASP.NET Identity
  • Forms Authentication
  • Membership Provider
  • WCF
  • Web API
  • Roslyn Diagnostic Analyzers
• Apply industry best practices (NIST, PCI) for cryptography and hashing in the .NET framework
• Implement a secure software development lifecycle (SDLC) to include threat modeling, static analysis, and dynamic analysis

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. However, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that Windows Communication Foundation (WCF) services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework?

This comprehensive course covers a huge set of skills and knowledge. It is not a high-level theory course. It is about real programming. Students examine actual code, work with real tools, build applications, and gain confidence in the resources they need to improve the security of .NET applications.

Rather than teaching students to use a set of tools, the course teaches students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates with a security review of a real-world open-source application. Students will conduct a code review, review a penetration test report, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that they have learned in class, implement fixes for these issues.

PCI Compliance
Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify processes that require training in secure coding techniques for developers. This is the course for you if your application processes cardholder data and you are required to meet PCI compliance.

Who Should Attend
• ASP.NET developers who want to build more secure web applications
• .NET framework developers
• Software engineers
• Software architects
• Developers who need to be trained in secure coding techniques to meet PCI compliance
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers

"Very important course to learn how to avoid hacks!"
-Ahmed Zakaria, Thiqah

DEV544 is available via (subject to change):

Featured Training Events
Network Security    Las Vegas, NV    Sep 23-26

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

91
ICS410: ICS/SCADA Security Essentials
GICSP: Global Industrial Cyber Security Professional
[Link]/gicsp

5 Day Program | 30 CPEs | Laptop Required

You Will Be Able To
• Better understand various industrial control systems and their purpose, application, function, and dependencies on network IP and industrial communications
• Work with control network infrastructure design (network architecture concepts, including topology, protocols, and components) and their relation to IEC 62443 and the Purdue Model
• Run Windows command line tools to analyze the system looking for high-risk items
• Run Linux command line tools (ps, ls, netstat, etc.) and basic scripting to automate the running of programs to perform continuous monitoring of various tools
• Work with operating systems (system administration concepts for Unix/Linux and/or Windows operating systems)
• Better understand the systems' security lifecycle
• Better understand information assurance principles and tenets (confidentiality, integrity, availability, authentication, non-repudiation)
• Use your skills in computer network defense (detecting host and network-based intrusions via intrusion detection technologies)
• Implement incident response and handling methodologies
• Map different ICS technologies, attacks, and defenses to various cybersecurity standards including NIST Cyber Security Framework, ISA/IEC 62443, ISO/IEC 27001, NIST SP 800-53, Center for Internet Security Critical Security Controls, and COBIT 5

SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure. ICS410: ICS/SCADA Security Essentials provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems (ICS) is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The course will provide you with:
• An understanding of ICS components, purposes, deployments, significant drivers, and constraints
• Hands-on lab learning experiences covering control system attack surfaces, methods, and tools
• Control system approaches to system and network defense architectures and techniques
• Incident-response skills in a control system environment
• Governance models and resources for industrial cybersecurity professionals

When examining the greatest risks and needs in critical infrastructure sectors, the course authors looked carefully at the core security principles necessary for the range of tasks involved in supporting control systems on a daily basis. While other courses are available for higher-level security practitioners who need to develop specific skills such as ICS penetration testing, vulnerability analysis, malware analysis, forensics, secure coding, and red team training, most of these courses do not focus on the people who operate, manage, design, implement, monitor, and integrate critical infrastructure production control systems.

With the dynamic nature of ICS, many engineers do not fully understand the features and risks of many devices. For their part, IT support personnel who provide the communications paths and network defenses do not always grasp the systems' operational drivers and constraints. This course is designed to help traditional IT personnel fully understand the design principles underlying control systems and how to support those systems in a manner that ensures availability and integrity. In parallel, the course addresses the need for control system engineers and operators to better understand the important role they play in cybersecurity. This starts by ensuring that a control system is designed and engineered with cybersecurity built into it, and that cybersecurity has the same level of focus as system reliability throughout the system lifecycle.

When these different groups of professionals complete this course, they will have developed an appreciation, understanding, and common language that will enable them to work together to secure their ICS environments. The course will help develop cyber-secure-aware engineering practices and real-time control system IT/OT support carried out by professionals who understand the physical effects of actions in the cyber world.

"The course is informative and relevant to anyone working with or alongside industrial control systems."
-Abrael Delgado, Compuquip Technologies

ICS410 is available via (subject to change):

Featured Training Events
SANSFIRE            Washington, DC    Jul 16-20
Pittsburgh          Pittsburgh        Jul 30 - Aug 3
Chicago             Chicago, IL       Aug 20-24
Network Security    Las Vegas, NV     Sep 23-27
Alaska              Anchorage, AK     Sep 10-14
Seattle Fall        Seattle, WA       Oct 15-19
Austin              Austin, TX        Nov 26 - Dec 1
CDI                 Washington, DC    Dec 13-17

Summit Events
Oil & Gas Cybersecurity    Houston, TX    Oct 2-6

OnDemand
E-learning available anytime, anywhere, at your pace

92
Course Day
Descriptions

DAY 1: ICS Overview
Students will develop and reinforce a common language and understanding of industrial control system (ICS) cybersecurity as well as the important considerations that come with cyber-to-physical operations within these environments. Each student will receive programmable logic controller (PLC) hardware to keep. The PLC contains physical inputs and outputs that will be programmed in class and mapped to an operator interface, or HMI, also created in class. This improved hardware-enabled approach provides the necessary cyber-to-physical knowledge that allows students to better understand important ICS operational drivers and constraints that require specific safety protection, communications needs, system management approaches, and cybersecurity implementations. Essential terms, architectures, methodologies, and devices are all covered to build a common language for students from a variety of different roles.
Topics: Global Industrial Cybersecurity Professional (GICSP) Overview; Purdue Levels 0 and 1; Purdue Levels 2 and 3; DCS and SCADA; IT & ICS Differences; Physical and Cybersecurity; Secure ICS Network Architectures

DAY 2: Field Devices and Controllers
If you know the adversary's approaches to attacking an ICS environment, you will be better prepared to defend that environment. Numerous attack vectors exist within an ICS environment. Some are similar to traditional IT systems, while others are more specific to ICS. During Day 2, students will develop a better understanding of where these specific attack vectors exist and how to block them, starting at the lowest levels of the control network. Students will look at different technologies and communications used in Purdue Levels 0 and 1, the levels that are the most different from an IT network. Students will capture fieldbus traffic from the PLCs they programmed in Day 1 and look at other fieldbus protocols used in the industry. Later in the day, students will analyze network captures containing other control protocols that traverse Ethernet-only networks and TCP/IP networks, set up a simulated controller, and interact with it through a control protocol.
Topics: ICS Attack Surface; Purdue Level 0 and 1; Ethernet and TCP/IP

DAY 3: Supervisory Systems
Day 3 will take students through the middle layers of control networks. Students will learn about different methods to segment and control the flow of traffic through the control network. Students will explore cryptographic concepts and how they can be applied to communications protocols and on devices that store sensitive data. Students will learn about the risks of using wireless communications in control networks, which wireless technologies are commonly used, and available defenses for each. After a hands-on network forensics exercise where students follow an attacker from phishing campaign to HMI breach, students will look at HMI, historian, and user interface technologies used in the middle to upper levels of the control network, namely Purdue Levels 2 and 3, while performing attacks on HMI web technologies and interfaces susceptible to password brute force attacks.
Topics: Enforcement Zone Devices; Understanding Basic Cryptography; Wireless Technologies; Wireless Attacks and Defenses; Exercise: Network Forensics of an Attack; Purdue Level 2 and 3 Attacks

DAY 4: Workstations and Servers
Students will learn essential ICS-related server and workstation operating system capabilities, implementation approaches, and system management practices. Students will receive and work with both Windows- and Linux-based virtual machines in order to understand how to monitor and harden these hosts from attack. Students will examine concepts that benefit ICS systems such as system hardening, log management, monitoring, alerting, and audit approaches, then look at some of the more common applications and databases used in ICS environments across multiple industries. Finally, students will explore attacks and defenses on remote access for control systems.
Topics: Patching ICS Systems; Defending Microsoft Windows; Defending Unix and Linux; Endpoint Security Software; Event Logging and Analysis; Remote Access Attacks

DAY 5: ICS Security Governance
Students will learn about the various models, methodologies, and industry-specific regulations that are used to govern what must be done to protect critical ICS systems. Key business processes that consider risk assessments, disaster recovery, business impact analysis, and contingency planning will be examined from the perspective of ICS environments. On this final course day, students will work together on an incident response exercise that places them squarely in an ICS environment that is under attack. This exercise ties together key aspects of what has been learned throughout the course and presents students with a scenario to review with their peers. Specific incident-response roles and responsibilities are considered, and actions available to defenders throughout the incident response cycle are explored. Students will leave with a variety of resources for multiple industries and will be well prepared to pursue the GICSP, an important ICS-focused professional certification.
Topics: Building an ICS Cyber Security Program; Creating ICS Cybersecurity Policy; Disaster Recovery; Measuring Cybersecurity Risk; Incident Response; Exercise: Incident Response Tabletop Exercise; Final Thoughts and Next Steps

Who Should Attend
The course is designed for the range of individuals who work in, interact with, or can affect industrial control system environments, including asset owners, vendors, integrators, and other third parties. These personnel primarily come from four domains:
• IT (includes operational technology support)
• IT security (includes operational technology security)
• Engineering
• Corporate, industry, and professional standards

Private Training
All courses are available through Private Training.

93
ICS515: ICS Active Defense and Incident Response
GRID: GIAC Response and Industrial Defense
[Link]/grid

5 Day Program | 30 CPEs | Laptop Required

You Will Be Able To
• Perform industrial control system (ICS) incident response focusing on security operations and prioritizing the safety and reliability of operations
• Determine how ICS threat intelligence is generated and how to use what is available in the community to support ICS environments. The analysis skills you learn will enable you to critically analyze and apply information from ICS threat intelligence reports on a regular basis.
• Identify ICS assets and their network topologies and how to monitor ICS hotspots for abnormalities and threats. Methodologies such as ICS network security monitoring and approaches to reducing the control system threat landscape will be introduced and reinforced.
• Analyze ICS malware and extract the most important information needed to quickly scope the environment and understand the nature of the threat
• Operate through an attack and gain the information necessary to instruct teams and decision-makers on when operations must shut down, or if it is safe to respond to the threat and continue operations
• Use multiple security disciplines in conjunction with each other to leverage an active defense and safeguard the ICS, all reinforced with hands-on labs and technical concepts

ICS515: ICS Active Defense and Incident Response will help you deconstruct industrial control system (ICS) cyber attacks, leverage an active defense to identify and counter threats in your ICS, and use incident response procedures to maintain the safety and reliability of operations.

This course will empower students to understand their networked ICS environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats internal to the network is known as active defense. An active defense is the approach needed to counter advanced adversaries targeting an ICS, as has been seen with malware such as Stuxnet, Havex, and BlackEnergy2. Students can expect to come out of this course with the ability to deconstruct targeted ICS attacks and fight these adversaries and others. The course uses a hands-on approach and real-world malware to break down cyber attacks on ICS from start to finish. Students will gain a practical and technical understanding of leveraging active defense concepts such as using threat intelligence, performing network security monitoring, and utilizing malware analysis and incident response to ensure the safety and reliability of operations. The strategy and technical skills presented in this course serve as a basis for ICS organizations looking to show that defense is do-able.

This course will prepare you to:
• Examine ICS networks and identify the assets and their data flows in order to understand the network baseline information needed to identify advanced threats
• Use active defense concepts such as threat intelligence consumption, network security monitoring, malware analysis, and incident response to safeguard the ICS
• Build your own Programmable Logic Controller using a CYBATIworks Kit and keep it after the class ends
• Gain hands-on experience with samples of Havex, BlackEnergy2, and Stuxnet by participating in labs and de-constructing these threats and others
• Leverage technical tools such as Shodan, Security Onion, TCPDump, NetworkMiner, Foremost, Wireshark, Snort, Bro, SGUIL, ELSA, Volatility, Redline, FTK Imager, PDF analyzers, malware sandboxes, and more
• Create indicators of compromise (IOCs) in OpenIOC and YARA while understanding sharing standards such as STIX and TAXII
• Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber Defense Cycle, and the ICS Cyber Kill Chain to extract information from threats and use it to encourage the long-term success of ICS network security

ICS515 is available via (subject to change):

Featured Training Events
SANSFIRE Washington, DC Jul 16-20
San Antonio San Antonio, TX Aug 6-10
Dallas Fall Dallas, TX Nov 5-10
Nashville Nashville, TN Dec 3-7

Summit Events
Oil & Gas Cybersecurity Houston, TX Oct 2-6

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

Course Day Descriptions

Who Should Attend
▐▐ ICS incident response team leads and members
▐▐ ICS and operations technology security personnel
▐▐ IT security professionals
▐▐ Security Operations Center (SOC) team leads and analysts
▐▐ ICS red team and penetration testers
▐▐ Active defenders

DAY 1: Threat Intelligence
Industrial control system (ICS) security professionals must be able to leverage internal and external threat intelligence to critically analyze threats, extract indicators of compromise (IOCs), and guide security teams to find threats in the environment. Today you will learn how threat intelligence is generated, how to critically analyze reports, and the basic tenets of active defense functions. Students will become better analysts and critical thinkers by learning skills useful in day-to-day operations, regardless of their jobs and roles. This day features four hands-on labs that include building a Programmable Logic Controller (PLC), identifying information available about assets online through Shodan, completing an analysis of competing hypotheses, and ingesting threat intelligence reports. This will guide the practices of students during the rest of the labs in the course.
Topics: Case Study: Havex; Introduction to ICS Active Defense and Incident Response; Intelligence Life Cycle and Threat Intelligence; ICS Information Attack Surface; External ICS Threat Intelligence; Internal ICS Threat Intelligence; Sharing and Consuming ICS Threat Intelligence

DAY 2: Asset Identification and Network Security Monitoring
Understanding the networked environment is the only way to fully defend it: you cannot defend what you do not know. This course section will teach students to use tools such as Wireshark, TCPdump, SGUIL, ELSA, CyberLens, Bro, NetworkMiner, and Snort to map their ICS network, collect data, detect threats, and analyze threats to drive incident response procedures. During this section, students will be introduced to the lab network and an advanced persistent threat (APT) that is present on it. Drawing on threat intelligence from the previous course section, students will have to discover, identify, and analyze the threat using their new active defense skills to guide incident responders to the affected Human Machine Interface (HMI).
Topics: Case Study: BlackEnergy2; ICS Asset and Network Visibility; Identifying and Reducing the Threat Landscape; ICS Network Security Monitoring – Collection; ICS Network Security Monitoring – Detection; ICS Network Security Monitoring – Analysis
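The asset-and-flow baselining that the Day 2 description refers to can be shown at flow level. The following is an added example written for this page; it is not ICS515 lab material and not the output format of Bro, Security Onion or any other tool named above. The flow records, the addresses (10.0.1.0/24 as a hypothetical control network, 10.0.2.0/24 as the business network) and the simple "src dst proto dport" line format are all constructed for the example. It learns which conversations exist, and which hosts act as clients of ICS protocols, during a known-good window, then flags flows in a later window that fall outside that baseline.

```python
"""Flow-level baseline for an ICS network segment.

Added example for this catalog page; not ICS515 lab material and not the
output format of Bro/Zeek, Security Onion or any other tool named above.
Each record is 'src dst proto dport', a constructed format chosen for
readability. Addresses are hypothetical: 10.0.1.0/24 is the control
network, 10.0.2.0/24 the business network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known TCP ports of common ICS protocols (real values)
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
CONTROL_NET = ip_network("10.0.1.0/24")  # hypothetical control network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

    @property
    def key(self):
        return (self.src, self.dst, self.proto, self.dport)


# Constructed records from a "known good" learning period
BASELINE_WINDOW = """
# src        dst          proto dport
10.0.1.10    10.0.1.50    tcp   502      # HMI polling PLC 1 over Modbus/TCP
10.0.1.10    10.0.1.51    tcp   502      # HMI polling PLC 2
10.0.1.11    10.0.1.50    tcp   44818    # engineering workstation, EtherNet/IP
10.0.1.10    10.0.2.20    tcp   1433     # HMI writing to the historian database
10.0.1.11    10.0.1.10    tcp   3389     # engineer remote-desktops to the HMI
"""

# Constructed records from a later monitoring period
MONITOR_WINDOW = """
10.0.1.10    10.0.1.50    tcp   502      # routine polling, in baseline
10.0.1.10    10.0.2.20    tcp   1433     # routine historian write, in baseline
10.0.2.77    10.0.1.50    tcp   502      # business-network host talking Modbus to a PLC
10.0.1.10    203.0.113.9  tcp   443      # HMI reaching out to the internet
10.0.1.11    10.0.1.51    tcp   44818    # known engineering host, but a PLC it never touched before
"""


def parse_flows(text):
    """Turn the constructed text format into Flow objects, ignoring comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(flows):
    """Record every distinct conversation and, for each ICS protocol port,
    the set of hosts seen initiating it (the legitimate masters/clients)."""
    conversations = {f.key for f in flows}
    ics_clients = defaultdict(set)
    for f in flows:
        if f.dport in ICS_PORTS:
            ics_clients[f.dport].add(f.src)
    return conversations, dict(ics_clients)


def detect(baseline, flows):
    """Return [(flow, [reasons])] for flows that deviate from the baseline."""
    conversations, ics_clients = baseline
    alerts = []
    for f in flows:
        reasons = []
        is_new = f.key not in conversations
        if is_new:
            reasons.append("conversation not in baseline")
        if f.dport in ICS_PORTS and f.src not in ics_clients.get(f.dport, set()):
            reasons.append(f"{ICS_PORTS[f.dport]} from a host never seen as a client")
        if is_new and ip_address(f.src) in CONTROL_NET and ip_address(f.dst) not in CONTROL_NET:
            reasons.append("control-network host reaching a new destination outside the control network")
        if reasons:
            alerts.append((f, reasons))
    return alerts


def run():
    """Build the baseline from the learning window and check the monitoring window."""
    baseline = build_baseline(parse_flows(BASELINE_WINDOW))
    return detect(baseline, parse_flows(MONITOR_WINDOW))


if __name__ == "__main__":
    for flow, reasons in run():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: " + "; ".join(reasons))
```

Run as a script it prints three findings: the business-network host speaking Modbus/TCP to a PLC (two reasons), the HMI opening a new connection to an outside address (two reasons), and the engineering workstation touching a PLC it had not used before (one reason). The routine HMI-to-historian flow crosses the network boundary too, but it is in the baseline and so stays quiet; the point of the baseline is to reduce the analyst's queue to what is genuinely new.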

DAY 3: Incident Response
The ability to prepare for and perform ICS incident response is vital to the safety and reliability of control systems. ICS incident response is a core concept in an ICS active defense and requires that analysts safely acquire digital evidence while scoping the environment for threats and their impact on operations. ICS incident response is a young field with many challenges, but students in this section will learn effective tactics and tools to collect and preserve forensic-quality data. Students will then use these data to perform timely forensic analysis and create IOCs. In the previous section’s labs, APT malware was identified in the network. In this section, the labs will focus on identifying which system is impacted and gathering a sample of the threat that can be analyzed.
Topics: Case Study: Stuxnet; Incident Response and Digital Forensics Overview; Preparing an ICS Incident Response Team; Evidence Acquisition; Sources of Forensic Data in ICS Networks; Time-Critical Analysis; Maintaining and Restoring Operations

DAY 4: Threat and Environment Manipulation
Understanding the threat is key to discovering its capabilities and its potential to affect the ICS. The information extracted from threats through processes such as malware analysis is also critical to being able to make the necessary changes to the environment to reduce the effectiveness of the threat. The information obtained is vital to an ICS active defense, which requires internal data collection to create and share threat intelligence. In this section, students will learn how to analyze initial attack vectors such as spearphishing emails, perform timely malware analysis techniques, analyze memory images, and create Indicators of Compromise in YARA. The previous section’s labs identified the infected HMI and gathered a sample of the APT malware. In this section’s labs, students will analyze the malware, extract information, and develop YARA rules to complete the active defense model introduced in the class and maintain operations.
Topics: Case Study: German Steelworks; ICS Threat and Environment Manipulation Goals and Considerations; Establishing a Safe Working Environment; Analyzing Acquired Evidence; Memory Forensics; Malware Analysis Methodologies; Case Study: BlackEnergy2 Automated Analysis; Indicators of Compromise; Environment Manipulation

“ICS515 integrated the OT/ICS side of security into the course well, not like other courses I’ve taken that taught general IT security with OT added as an afterthought.”
-Josh Tanski, Morton Salt

DAY 5: Active Defense and Incident Response Challenge
This section focuses on reinforcing the strategy, methodologies, skillsets, and tools introduced in the first four sections of the course. This entirely hands-on section will present students with two different scenarios. The first involves data collected from an intrusion into SANS Cyber City. The second involves data collected from a Distributed Control System (DCS) infected with malware. This section will truly challenge students to utilize their ICS active defense and incident response skills and test themselves.
Topics:
Scenario One: Identify the Assets and Map the ICS Networks; Perform ICS Network Security Monitoring to Identify the Abnormalities; Execute ICS Incident Response Procedures Into the SANS Cyber City Data Files; Analyze the Malicious Capability and Determine if the Threat Is an Insider Threat or a Targeted External Threat
Scenario Two: Identify the Software and Information Present on the DCS; Leverage ICS Active Defense Concepts to Identify the Real-World Malware; Determine the Impact on Operations and Remediation Needs
ICS456: Essentials for NERC Critical Infrastructure Protection
GCIP: Critical Infrastructure Protection
[Link]/gcip
5 Day Program | 30 CPEs | Laptop Required

This five-day course empowers students with knowledge of the “what” and the “how” of the version 5/6 standards. The course addresses the role of FERC, NERC and the Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.
The course features 25 hands-on labs ranging from securing workstations to digital forensics and lock picking.
The SANS ICS456: NERC Critical Infrastructure Protection Essentials course was developed by SANS ICS team members with extensive electric industry experience, including former Registered Entity Primary Contacts, a former NERC officer, and a Co-Chair of the NERC CIP Interpretation Drafting Team. Together the authors bring real-world, practitioner experience gained from developing and maintaining NERC CIP and NERC 693 compliance programs and actively participating in the standards development process.

Who Should Attend
▐▐ IT and OT (ICS) cybersecurity
▐▐ Field support personnel
▐▐ Security operations personnel
▐▐ Incident response personnel
▐▐ Compliance staff
▐▐ Team leaders
▐▐ Persons involved in governance
▐▐ Vendors/Integrators
▐▐ Auditors

“This is best-in-class NERC CIP training. The courseware provides valuable compliance approaches and software tools for peer collaboration to build consent on implementation.”
-Jeff Mantong, WAPA

ICS456 is available via (subject to change):

Summit Events
Oil & Gas Cybersecurity Houston, TX Oct 2-6

Course Day Descriptions

DAY 1: Asset Identification and Governance
A transition is underway from NERC CIP programs that are well defined and understood to a new CIP paradigm that expands its scope into additional environments and adds significantly more complexity. On day 1 students will develop an understanding of the electricity sector regulatory structure and history as well as an appreciation for how the CIP Standards fit into the overall framework of the reliability standards. Key NERC terms and definitions related to NERC CIP are reviewed using realistic concepts and examples that prepare students to better understand their meaning. We will explore multiple approaches to BES Cyber Asset identification and learn the critical role of strong management and governance controls. The day will examine a series of architectures, strategies, and difficult compliance questions in a way that highlights the reliability and cybersecurity strengths of particular approaches. Unique labs will include a scenario-based competition that helps bring the concepts to life and highlights the important role we play in defending ‘the grid.’
Topics: Regulatory History and Overview; NERC Functional Model; NERC Reliability Standards; CIP History; Terms and Definitions; CIP-002: BES Cyber System Categorization; CIP-003: Security Management Controls

DAY 2: Access Control and Monitoring
Strong physical and cyber access controls are at the heart of any good cybersecurity program. During day 2 we move beyond the “what” of CIP compliance to understanding the “why” and the “how.” Firewalls, proxies, gateways, IDS and more – learn where and when they help and learn practical implementations to consider and designs to avoid. Physical protections include more than fences and you’ll learn about the strengths and weaknesses of common physical controls and monitoring schemes. Labs will reinforce the learnings throughout the day and will introduce architecture review and analysis, firewall rules, IDS rules, compliance evidence demonstration, and physical security control reviews.
Topics: CIP-005: Electronic Security Perimeter(s); Interactive Remote Access; External Routable Communication and Electronic Access Points; CIP-006: Physical Security of BES Cyber Systems; Physical Security Plan; Visitor Control Programs; PACS Maintenance and Testing; CIP-014: Physical Security

DAY 3: System Management
CIP-007 has consistently been one of the most violated Standards going back to CIP version 1. With the CIP Standards moving to a systematic approach with varying requirement applicability based on system impact rating, the industry now has new ways to design and architect system management approaches. Throughout day 3, students will dive into CIP-007. We’ll examine various Systems Security Management requirements with a focus on implementation examples and the associated compliance challenges. This day will also cover the CIP-010 requirements for configuration change management and vulnerability assessments that ensure systems are in a known state and under effective change control. We’ll move through a series of labs that reinforce the topics covered from the perspective of the CIP practitioner responsible for implementation and testing.
Topics: CIP-007: System Management; Physical and Logical Ports; Patch Management; Malicious Code Prevention; Account Management; CIP-010: Configuration Change Management and Vulnerability Assessments; Change Management Program; Baseline Configuration Methodology; Change Management Alerting/Prevention

DAY 4: Information Protection and Response
Education is key to every organization’s success with NERC CIP, and the students in ICS456 will be knowledgeable advocates for CIP when they return to their place of work. Regardless of their role, all students can be a valued resource to their organization’s CIP-004 training program and CIP-011 information protection program. Students will be ready with resources for building and running strong awareness programs that reinforce the need for information protection and cybersecurity training. On day 4 we’ll examine CIP-008 and CIP-009, covering identification, classification, and communication of incidents as well as the various roles and responsibilities needed in an incident response or a disaster recovery event. Labs on day 4 will introduce tools for ensuring file integrity and sanitization of files to be distributed, how to best utilize and communicate with the E-ISAC, and how to preserve incident data for future analysis.
Topics: CIP-004: Personnel & Training; Security Awareness Program; CIP Training Program; PRA Evaluation Process; CIP-011: Information Protection; Information Protection Program; Data Sanitization; CIP-008: Incident Reporting and Response Planning; Incident Response Plan/Testing; Reporting Requirements; CIP-009: Recovery Plans for BES Cyber Systems; Recovery Plans; System Backup

DAY 5: CIP Process
On the final day students will learn the key components for running an effective CIP Compliance program. We will review the NERC processes for standards development, violation penalty determination, Requests For Interpretation, and recent changes stemming from the Reliability Assurance Initiative. Additionally we’ll identify recurring and audit-related processes that keep a CIP compliance program on track: culture of compliance, annual assessments, gap analysis, TFEs, and self-reporting. We’ll also look at the challenge of preparing for NERC audits and provide tips to be prepared to demonstrate the awesome work your team is doing. Finally, we’ll look at some real-life CIP violations and discuss what happened and the lessons we can take away. At the end of day 5 students will have a strong call to action to participate in the ongoing development of CIP within their organization and in the industry overall as well as a sense that CIP is doable! Labs on day 5 will cover DOE C2M2, audit tools, and an audit-focused take on a blue team-red team exercise.
Topics: CIP Processes for Maintaining Compliance; Preparing for an Audit; Audit Follow-Up; CIP Industry Activities; Standards Process; CIP of the Future

Cyber Defense | 2-Day Courses

SEC455: SIEM Design & Implementation NEW!
2 Day Course | 14 CPEs | Laptop Required
Security Information and Event Management (SIEM) can be an extraordinary benefit to an organization’s security posture, but understanding and maintaining it can be difficult. Many solutions require complex infrastructure and software that necessitate professional services for installation. The use of professional services can leave security teams feeling as if they do not truly own or understand how their SIEM operates. Combine this situation of complicated solutions with a shortage of available skills, a lack of simple documentation, and the high costs of software and labor, and it is not surprising that deployments often fail to meet expectations. A SIEM can be the most powerful tool a cyber defense team can wield, but only when it is used to its fullest potential. This course is designed to address this problem by demystifying SIEMs and simplifying the process of implementing a solution that is usable, scalable, and simple to maintain.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Baltimore Fall Baltimore, MD Sep 8-9
Network Security Las Vegas, NV Sep 29-30
N VA Fall – Tysons Tysons, VA Oct 15-20

Summit Events
Oil & Gas Cybersecurity Houston, TX Oct 2-3

SEC524: Cloud Security Fundamentals
2 Day Course | 12 CPEs | Laptop Required
SEC524: Cloud Security Fundamentals teaches you how to properly evaluate cloud providers, and perform risk assessment and review, with a focus on risk assessment versus technical implementation and operations. This course will discuss architecture and infrastructure fundamentals for private, public and hybrid clouds, including a wide range of topics such as patch and configuration management, virtualization security, application security and change management. Policy, risk assessment, and governance within cloud environments will also be covered, with recommendations for both internal policies and contract provisions. This path leads to a discussion of compliance and legal concerns.

Featured Training Events
Network Security Las Vegas, NV Sep 29-30

Community SANS Events
Ottawa, ON Sep 11-12

SEC546: IPv6 Essentials
2 Day Course | 12 CPEs | Laptop Required
We are out of IPv4 addresses. ISPs worldwide will have to rapidly adopt IPv6 over the next few years to grow, in particular as mobile devices require more and more address space. Already, modern operating systems implement IPv6 by default. Windows 7, for example, ships with Teredo enabled by default. This course is designed not just for implementers of IPv6, but also for those who just need to learn how to detect IPv6 and defend against the threats that unintentional IPv6 use may bring.
IPv6 is currently being implemented at a rapid pace in Asia in response to the exhaustion of IPv4 address space, which is most urgently felt in rapidly growing networks in China and India. Even if you do not feel the same urgency of IP address exhaustion, you may have to connect to these IPv6 resources as they become more and more important to global commerce.
The course will address how to take advantage of IPv6 to re-think how to assign addresses in your network and how to cope with what some suggest is the biggest security problem in IPv6: no more NAT! IPv6 doesn’t stop at the network layer. Many application layer protocols change in order to support IPv6, and we will take a close look at protocols like DNS, DHCPv6 and more.

Private Training
All courses are available through Private Training.
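To make the "detect IPv6" point concrete, here is an added example (written for this page, not SEC546 courseware) that classifies Ethernet frames for the signs of IPv6 on a network believed to be IPv4-only: native IPv6, ICMPv6 Router Advertisements (which a rogue router uses to hand out addresses and take over a segment), IPv6-in-IPv4 tunnels, and Teredo, the mechanism the paragraph above notes Windows 7 enables by default. The frames are constructed inside the script so it runs offline; the MAC and IP addresses are placeholders, and checksums are left at zero because nothing is put on the wire.

```python
"""Spot IPv6 on a network assumed to be IPv4-only.

Added example for this catalog page, not SEC546 courseware. Frames are
constructed below so the script runs without a capture file; MAC and IP
addresses are placeholders. Protocol constants are the real ones:
EtherType 0x86DD = IPv6, IPv4 protocol 41 = IPv6 encapsulated in IPv4
(6to4/6in4 tunnels), UDP port 3544 = Teredo, IPv6 next header 58 =
ICMPv6, ICMPv6 type 134 = Router Advertisement.
"""
import struct
from collections import Counter
from ipaddress import ip_address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41
IPPROTO_ICMPV6 = 58
TEREDO_PORT = 3544
ICMPV6_ROUTER_ADVERTISEMENT = 134


def classify_frame(frame):
    """Label one Ethernet frame: 'native-ipv6', 'icmpv6-router-advertisement',
    'ipv6-in-ipv4-tunnel', 'teredo', or None for ordinary IPv4 traffic."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]

    if ethertype == ETHERTYPE_IPV6:
        # Next Header is byte 6 of the fixed 40-byte IPv6 header; the ICMPv6
        # type is the first byte after it.
        if len(payload) > 40 and payload[6] == IPPROTO_ICMPV6 \
                and payload[40] == ICMPV6_ROUTER_ADVERTISEMENT:
            return "icmpv6-router-advertisement"
        return "native-ipv6"

    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4  # header length in bytes
        proto = payload[9]
        if proto == IPPROTO_IPV6:
            return "ipv6-in-ipv4-tunnel"
        if proto == IPPROTO_UDP and len(payload) >= ihl + 4:
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            if TEREDO_PORT in (sport, dport):
                return "teredo"
    return None


# ---- frame builders for the constructed samples (checksums left zero) ----
def ethernet(ethertype, payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def ipv6(src, dst, next_header, payload):
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_FRAMES = [
    # ordinary IPv4 DNS query: no finding
    ethernet(ETHERTYPE_IPV4, ipv4("192.0.2.10", "192.0.2.1", IPPROTO_UDP, udp(53111, 53, b"\x00" * 12))),
    # host with Teredo enabled talking to a Teredo server on UDP/3544
    ethernet(ETHERTYPE_IPV4, ipv4("192.0.2.10", "198.51.100.1", IPPROTO_UDP, udp(54321, TEREDO_PORT, b"\x00" * 8))),
    # native IPv6 TCP segment (next header 6)
    ethernet(ETHERTYPE_IPV6, ipv6("2001:db8::1", "2001:db8::2", 6, b"\x00" * 20)),
    # ICMPv6 Router Advertisement to the all-nodes multicast group
    ethernet(ETHERTYPE_IPV6, ipv6("fe80::1", "ff02::1", IPPROTO_ICMPV6,
                                  bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 0]) + b"\x00" * 12)),
    # IPv6 packet carried inside IPv4 (protocol 41) toward a tunnel endpoint
    ethernet(ETHERTYPE_IPV4, ipv4("192.0.2.10", "198.51.100.2", IPPROTO_IPV6, b"\x60" + b"\x00" * 39)),
]


def scan(frames):
    """Classify every frame; returns the per-frame labels in order."""
    return [classify_frame(f) for f in frames]


def summarize(frames):
    """Count findings, ignoring plain IPv4 frames."""
    return Counter(label for label in scan(frames) if label is not None)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_FRAMES).items():
        print(f"{label}: {count}")
```

On the five constructed frames the script reports one finding each for Teredo, native IPv6, a Router Advertisement and a protocol-41 tunnel, and nothing for the plain DNS query. A Router Advertisement from a MAC address that is not your router is the case to chase first: hosts with IPv6 enabled by default will accept it and start routing through whoever sent it.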

Software Security | 2-Day Courses

DEV531: Defending Mobile Applications Security Essentials
2 Day Course | 12 CPEs | Laptop Required
Mobile application development is growing exponentially year over year. As of late 2015, over 3 million apps were deployed in the Apple and Google app stores. These apps are consumed by over 700 million users world-wide and account for 33% of the traffic on the Internet. Average users have over 100 mobile apps installed on their device, many of which provide business-critical services to customers and employees.
Unfortunately, these apps are often rushed to market to gain a competitive advantage with little regard for security. As seen in web applications for the past 20 years, software vulnerabilities always exist where code is being written and mobile apps are no different. Mobile apps are vulnerable to a whole new class of vulnerabilities, as well as most traditional issues that have long plagued web and desktop applications. This problem will only continue to grow unless managers, architects, developers, and QA teams learn how to test and defend their mobile apps.
DEV531 covers the most prevalent mobile app risks, including those from the OWASP Mobile Top 10. Students will participate in numerous hands-on exercises available on both the Android and iOS platforms. Each exercise is designed to reinforce the lessons learned throughout the course, ensuring that you understand how to properly defend your organization’s mobile applications.

Featured Training Events
Network Security Las Vegas, NV Sep 29-30

Private Training
All courses are available through Private Training.

DEV534: Secure DevOps: A Practical Introduction
2 Day Course | 12 CPEs | Laptop Required
This course will introduce students to DevOps principles, practices and tools and explain how Secure DevOps can be implemented using lessons from successful DevOps security programs. Students will build up a DevOps CI/CD toolchain to understand how code is automatically built, tested and deployed, using popular open-source tools including git, Puppet, Jenkins and Docker. In a series of labs students will inject security into a CI/CD toolchain, and learn about the tools, patterns and techniques to do this. The course will make extensive use of open-source materials and tooling for automated configuration management (“Infrastructure as Code”), Continuous Integration, Continuous Delivery and Continuous Deployment, containerization and micro-segmentation, and automated compliance (“Compliance as Code”) and monitoring.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

DEV543: Secure Coding in C & C++
2 Day Course | 12 CPEs | Laptop Required
The C and C++ programming languages are the bedrock for most operating systems, major network services, embedded systems and system utilities. Even though C and, to a lesser extent, C++ are well understood languages, the flexibility of the language and inconsistencies in the standard C libraries have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than there are known vulnerabilities! This course will cover all of the most common programming flaws that affect C and C++ code. Each issue is described clearly with examples. Throughout the course students are asked to identify flaws in modern versions of common open-source software to provide hands-on experience identifying these issues in existing code. Exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.

Private Training
All courses are available through Private Training.

Penetration Testing | 2-Day Courses

SEC564: Red Team Operations and Threat Emulation NEW!
2 Day Course | 12 CPEs | Laptop Required
This course provides the foundation needed to manage and operate a Red Team and conduct Red Team engagements. What is Red Teaming? Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes and technology used to defend an environment. Red Teaming is built on the fundamentals of penetration testing, yet focuses on specific scenarios and goals used to evaluate and measure an organization’s overall security defense posture. That posture includes people, processes, and technology. This course will explore Red Teaming concepts in depth to provide a clear understanding of what a Red Team is and its role in Security Testing.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Network Security Las Vegas, NV Sep 29-30

Private Training
All courses are available through Private Training.

SEC567: Social Engineering for Penetration Testers
2 Day Course | 12 CPEs | Laptop Required
SEC567 provides the blend of knowledge required to add social engineering skills to your penetration testing portfolio. Successful social engineering utilizes psychological principles and technical methods to measure your success and manage the risk. SEC567 covers the principles of persuasion and the psychology foundations required to craft effective attacks, then bolsters this with many examples of what works, drawing on the experiences of cyber criminals and the authors in engagements. In addition to these principles we provide a number of tools (produced in our engagements over the years and now available in the course) and labs centered around the key technical skills required to measure your social engineering success and report it to your company or client.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15

SEC580: Metasploit Kung Fu for Enterprise Pen Testing
2 Day Course | 12 CPEs | Laptop Required
Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free tools such as Metasploit are available, many testers do not understand the comprehensive feature sets of such tools and how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers with confirming vulnerabilities using an open-source and easy-to-use framework. This course will help students get the most out of this free tool. This class will show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests. Students who complete the course will have a firm understanding of how Metasploit can fit into their penetration testing and day-to-day assessment activities. The course will provide an in-depth understanding of the Metasploit Framework far beyond simply showing attendees how to exploit a remote system.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Network Security Las Vegas, NV Sep 29-30

Private Training
All courses are available through Private Training.

Auditing | 2-Day Course

AUD440: Critical Security Controls: Planning, Implementing, and Auditing
2 Day Course | 12 CPEs | Laptop Required
This course helps you master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS). These Critical Security Controls are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the U.S. military and other government and private organizations (including NSA, DHS, GAO, and many others) that are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block known attacks and help find and mitigate damage from the attacks that get through.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Network Security Las Vegas, NV Sep 29-30

Summit Events
Security Awareness Charleston, SC Aug 14-15

Private Training
All courses are available through Private Training.

Management | 2- and 5-Day Courses

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud COMING SOON!
5 Day Course | 30 CPEs | Laptop Required
The primary objective of this course is to help enterprises improve their vision and understanding of the vulnerabilities present in their IT environments, and to develop a straightforward approach to manage those vulnerabilities, avoiding or minimizing unnecessary loss events. Based on the Prepare, Identify, Assess, Communicate, and Treat (PIACT) model, MGT516 will help you implement a vulnerability management lifecycle that ensures security from governance to monitoring and remediation.

MGT415: A Practical Introduction to Cyber Security Risk Management
2 Day Course | 12 CPEs | Laptop Required
In this course students will learn the practical skills necessary to perform regular risk assessments for their organizations. The ability to perform risk management is crucial for organizations hoping to defend their systems. There are simply too many threats, too many potential vulnerabilities that could exist, and not enough resources to create an impregnable security infrastructure. Therefore every organization, whether it does so in an organized manner or not, will make priority decisions on how best to defend its valuable data assets. Risk management should be the foundational tool used to facilitate thoughtful and purposeful defense strategies.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Network Security Las Vegas, NV Sep 29-30

MGT433: SANS Security Awareness: How to Build, Maintain, and Measure a Mature Awareness Program
2 Day Course | 12 CPEs | Laptop Not Needed
Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the most common target for cyber attackers. The most effective way to secure the human element is to establish a mature security awareness program that goes beyond just compliance, changes peoples’ behaviors and ultimately creates a secure culture. This intense two-day course will teach you the key concepts and skills needed to do just that, and is designed for those establishing a new program or wanting to improve an existing one. Course content is based on lessons learned from hundreds of security awareness programs from around the world. In addition, you will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.

Featured Training Events
SANSFIRE Washington, DC Jul 14-15
Network Security Las Vegas, NV Sep 29-30
N VA Fall – Tysons Tysons, VA Oct 13-14
CDI Washington, DC Dec 11-12

Summit Events
Security Awareness Charleston, SC Aug 6-7
Security Awareness Charleston, SC Aug 10-11
Data Breach New York City, NY Aug 22-27

OnDemand
E-learning available anytime, anywhere, at your pace

Private Training
All courses are available through Private Training.

MGT535: Incident Response Team Management
2 Day Course | 12 CPEs | Laptop Required
This course discusses the often-neglected topic of managing an incident response team. Given the frequency and complexity of today’s cyber attacks, incident response is a critical function for organizations. Incident response is the last line of defense.
Detecting and efficiently responding to incidents requires strong management processes, and managing an incident response team requires special skills and knowledge. A background in information security management or security engineering is not sufficient for managing incidents. On the other hand, incident responders with strong technical skills do not necessarily become effective incident response managers. Special training is necessary.
The course has been updated to address current issues such as the advanced persistent threat, incident response in the cloud, and threat intelligence.

Private Training
All courses are available through Private Training.

Hosted Courses

HOSTED: Assessing and Exploiting Control Systems
6 Day Course | 36 CPEs | Laptop Required
This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors.

HOSTED: Physical Security Specialist – Full Comprehensive Edition
6 Day Course | 36 CPEs | Laptop Required
This course is taught by the CORE Group, a firm with divisions that focus on penetration testing, physical defense, personal protection details, and law enforcement training. Those who attend this course will leave with a full awareness of how to best protect buildings and grounds from unauthorized access, as well as how to compromise most existing physical security in order to gain access themselves. Our subject-matter experts will immerse you in all the necessary components of a well-layered physical defense system and then teach you how to conduct a thorough site analysis of a facility. This training is ideal for any individual who is tasked with making physical security decisions for existing or new facilities.

Featured Training Events
Network Security Las Vegas, NV Sep 23-28

HOSTED | Critical Infrastructure and Control System Cybersecurity | 5-Day Course | 30 CPEs | Laptop Required
This is an intermediate to advanced course covering control system cybersecurity
vulnerabilities, threats, and mitigating controls. The course provides hands-on analysis
of control system environments, allowing students to understand the environmental,
operational, and economic impacts of attacks like Stuxnet, along with the mitigating
controls that address them.
• Hands-on environment (PLC, HMI, Network Communications, Backtrack)
• Operational, Cyber and Physical Protective Solutions
• Kits provided and used by pods of two attendees (Laptop, Customized I/O Trainer, PLC,
  HMI, communications infrastructure, CYBATIFIED Backtrack)

Summit Events
Oil & Gas Cybersecurity | Houston, TX | Oct 2-6

HOSTED | Physical Penetration Testing | 2-Day Course | 12 CPEs | Laptop Not Needed
Those who attend this session will leave with a full awareness of how to best protect
buildings and grounds from unauthorized access, as well as how to compromise most
existing physical security in order to gain access themselves. Attendees will not only learn
how to distinguish good locks and access control from poor ones, but will also become
well-versed in picking and bypassing many of the most common locks used in North America
in order to assess their own company's security posture or to augment their career as a
penetration tester.

HOSTED | Health Care Security Essentials | 2-Day Course | 12 CPEs | Laptop Required
This course is designed to provide attendees with an introduction to current and emerging
issues in health care information security and regulatory compliance. The class provides a
foundational set of skills and knowledge for students through the integration of case studies,
hands-on labs, and defensible control considerations for securing and monitoring electronic
protected health information ("ePHI"). Students will learn about actual attacks and incidents
that have affected health care organizations, and what can be done to mitigate the damage
and prevent your organization from suffering a similar outcome.

EXPERIENCE
Hands-On Information Security Challenges

Experience NetWars
Choose from: Core NetWars | DFIR NetWars | Cyber Defense NetWars | ICS NetWars
Play solo or on a team of up to five players.

Develop skills in:
• Cyber Defense
• Penetration Testing
• Digital Forensics & Incident Response
• ICS

Participation in NetWars is free for students taking 4-, 5-, or 6-day courses.
NetWars takes place in the evening, after class, and gives you an immediate opportunity
to apply what you've learned in a fun, competitive, hands-on, and educational environment!
Seating is limited; register for NetWars when you register for your course.

"NetWars takes the concepts in the class and gives you an opportunity to put them into action.
Highly recommended!"
– Kyle McDaniel, Lenovo

[Link]/netwars
Summits

SANS Cybersecurity Summits
"The Summits by SANS bring together some of the best minds in security.
I always learn new things to bring back to my team."
– Peter Kuzmiskas, Prudential

Security Operations | New Orleans, LA | Jul 30 - Aug 6
Security Awareness | Charleston, SC | Aug 10-15
Data Breach | New York City, NY | Aug 22-27
Threat Hunting & IR | New Orleans, LA | Sep 6-13
Alaska | Anchorage, AK | Sep 10-15
Oil & Gas Cybersecurity | Houston, TX | Oct 1-6
Secure DevOps | Denver, CO | Oct 24-29
Pen Test HackFest | Bethesda, MD | Nov 12-19
Tactical Detection and Data Analytics | Scottsdale, AZ | Dec 4-11

[Link]/summits
5705 Salem Run Blvd.
Suite 105
Fredericksburg, VA 22407

Join the [Link] Community today to enjoy these free resources at [Link]/join
Newsletters
NewsBites
Twice-weekly, high-level executive summary of the most important news relevant to
cybersecurity professionals.
@RISK: The Consensus Security Alert
A reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with
active new exploits, (3) how recent attacks worked, and (4) other valuable data.
OUCH!
The world's leading monthly, free security awareness newsletter designed for the common
computer user.

Webcasts
Ask the Experts Webcasts
SANS experts bring current and timely information on relevant topics in IT Security.
WhatWorks Webcasts
The SANS WhatWorks webcasts bring powerful customer experiences showing how end users
resolved specific IT Security issues.
Analyst Webcasts
A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our
whitepapers and surveys.
Tool Talks
Tool Talks are designed to give you a solid understanding of a problem and how a vendor's
commercial tool can be used to solve or mitigate that problem.

Other Free Resources (No [Link] account is necessary)

• InfoSec Reading Room
• Top 25 Software Errors
• 20 Critical Controls
• Security Policies
• Intrusion Detection FAQs
• Tip of the Day
• Security Posters
• Thought Leaders
• 20 Coolest Careers
• Security Glossary
• SCORE (Security Consensus Operational Readiness Evaluation)

As the leading provider of information defense, security, and intelligence training to
military, government, and industry groups, the SANS Institute is proud to be a Corporate
Member of the AFCEA community.

[Link]
