Take New Survey on Insider Threats for Chance to Win $400 Amazon Card

SEC504: Hacker Tools, Techniques, Exploits and Incident Handling

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, this course helps you turn the tables on computer attackers. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You Will Learn :

  • How best to prepare for an eventual breach
  • The step-by-step approach used by many computer attackers
  • Proactive and reactive defenses for each stage of a computer attack
  • How to identify active attacks and compromises
  • The latest computer attack vectors and how you can stop them
  • How to properly contain attacks
  • How to ensure that attackers do not return
  • How to recover from computer attacks and restore systems for business
  • How to understand and use hacking tools and techniques
  • Strategies and tools for detecting each type of attack
  • Attacks and defenses for Windows, Unix, switches, routers, and other systems
  • Application-level vulnerabilities, attacks, and defenses
  • How to develop an incident handling process and prepare a team for battle
  • Legal issues in incident handling

If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.

Notice:

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's system and also that you advise your network and computer operations teams of your testing.

Course Syllabus
Course Contents
  SEC504.1: Incident Handling Step-by-Step and Computer Crime Investigation
Overview

Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place to get systems and services back online as quickly and securely as possible.

The first part of this section looks at the invaluable Incident Handling Step-by-Step model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes, and has been proven effective in hundreds of organizations. This section is designed to provide students a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

CPE/CMU Credits: 7

Topics

Preparation

  • Building an incident response kit
  • Identifying your core incident response team
  • Instrumentation of the site and system

Identification

  • Signs of an incident
  • First steps
  • Chain of custody

Containment

  • Documentation strategies: video and audio
  • Containment and quarantine
  • Pull the network cable, switch and site
  • Identifying and isolating the trust model

Eradication

  • Evaluating whether a backup is compromised
  • Total rebuild of the Operating System
  • Moving to a new architecture

Recovery

  • Who makes the determination to return to production?
  • Monitoring to system
  • Expect an increase in attacks

Special Actions for Responding to Different Types of Incidents

  • Espionage
  • Inappropriate use

Incident Record-keeping

  • Pre-built forms
  • Legal acceptability

Incident Follow-up

  • Lessons learned meeting
  • Changes in process for the future

 
  SEC504.2: Computer and Network Hacker Exploits - Part 1
Overview

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage, attackers also conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and firewalls, unsecured modems, or the increasingly popular wireless LAN attacks. Attackers are increasingly employing inverse scanning, blind scans, and bounce scans to obscure their source and intentions. They are also targeting firewalls, attempting to understand and manipulate rule sets to penetrate our networks. Another very hot area in computer attacks involves Intrusion Detection System evasion, techniques that allow an attacker to avoid detection by these computer burglar alarms.

If you do not have the skills needed to understand these critical phases of an attack in detail, you will not be able to protect your network. Students who take this course and master the material will understand these attacks and the associated defenses.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's systems. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools:

  • InSSIDer for Wireless LAN discovery
  • Nmap Port Scanner and Operating System fingerprinting tool
  • Nessus Vulnerability Scanner
  • Windows Command Line Kung-Fu for extracting Windows data through SMB sessions

CPE/CMU Credits: 6

Topics

Reconnaissance

  • What does your network reveal?
  • Are you leaking too much information?
  • Using Whois lookups, ARIN, RIPE and APNIC
  • Domain Name System harvesting
  • Data gathering from fob postings, websites, and government databases
  • Recon-ng
  • Pushpin
  • Identifying publicly compromised accounts
  • Maltego
  • FOCA for metadata analysis

Scanning

  • Locating and attacking unsecure wireless LANs
  • War dialing with War-VOX for renegade modems and unsecure phones
  • Port scanning: Traditional, stealth, and blind scanning
  • Active and passive Operating System fingerprinting
  • Determining firewall filtering rules
  • Vulnerability scanning using Nessus and other tools
  • CGI scanning with Nikto

Intrusion Detection System (IDS) Evasion

  • Foiling IDS at the network level: Fragmentation and other tricks
  • Foiling IDS at the application level: Exploiting the rich syntax of computer languages
  • Using Fragroute and Web Attack IDS evasion tactics
  • Bypassing IDS/IPS with TCP obfuscation techniques

 
  SEC504.3: Computer and Network Hacker Exploits - Part 2
Overview

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you will get hands-on experience in running sniffers and the incredibly flexible Netcat tool.

Administrators need to get into the nitty-gritty of how the attacks and their associated defenses work if they want to effectively defend against these invasions. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a DVD containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools:

  • Sniffers, including Tcpdump
  • Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
  • Netcat for transferring files, creating backdoors, and setting up relays
  • Metasploit, Metasploit, Metasploit Lots of Metasploit
  • ARP and MAC analysis for ARP cache poisoning attack detection

CPE/CMU Credits: 6

Topics

Network-Level Attacks

  • Session hijacking: From Telnet to SSL and SSH
  • Monkey-in-the-middle attacks
  • Passive sniffing

Gathering and Parsing Packets

  • Active sniffing: ARP cache poisoning and DNS injection
  • DNS cache poisoning: Redirecting traffic on the Internet
  • Using and abusing Netcat, including backdoors and nasty relays
  • IP address spoofing variations

Operating System and Application-level Attacks

  • Buffer overflows in-depth
  • The Metasploit exploitation framework
  • Format string attacks

Netcat: The Attacker's Best Friend

  • Transferring files, creating backdoors, and shoveling shell
  • Netcat relays to obscure the source of an attack
  • Replay attacks

 
  SEC504.4: Computer and Network Hacker Exploits - Part 3
Overview

This course starts out by covering one of the attackers' favorite techniques for compromising systems: worms. We will analyze worm developments over the last two years and project these trends into the future to get a feel for the coming Super Worms we will face. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations' homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of nasty denial-of-service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms. To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers' maintaining access and covering their tracks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools and Topics :

  • Password cracking
  • Cross-site scripting and SQL injection web application attacks
  • Detecting DoS attacks

CPE/CMU Credits: 6

Topics

Password Cracking

  • Analysis of worm trends
  • Password cracking with John the Ripper
  • Rainbow Tables
  • Password spraying

Web Application Attacks

  • Account harvesting
  • SQL Injection: Manipulating back-end databases
  • Session Cloning: Grabbing other users' web sessions
  • Cross-Site Scripting

Denial-of-Service Attacks

  • Distributed Denial of Service: Pulsing zombies and reflected attacks
  • Local Denial of Service

 
  SEC504.5: Computer and Network Hacker Exploits - Part 4
Overview

This day-long course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply Rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, super stealthy sniffing backdoors are increasingly being used to thwart investigations. Finally, attackers often alter system logs, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools:

  • RootKits and detection
  • Detecting backdoors with Netstat, lsof
  • Hidden file detection with LADS
  • Covert channels using Covert_TCP
  • HTTP Reverse Shells using Base64

CPE/CMU Credits: 6

Topics

Maintaining Access

  • Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other popular beasts
  • Trojan horse backdoors: A nasty combo
  • Rootkits: Substituting binary executables with nasty variations
  • Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

Covering the Tracks

  • File and directory camouflage and hiding
  • Log file editing on Windows and Unix
  • Accounting entry editing: UTMP, WTMP, shell histories, etc.
  • Covert channels over HTTP, ICMP, TCP, and other protocols
  • Sniffing backdoors and how they can really mess up your investigations unless you are aware of them
  • Steganography: Hiding data in images, music, binaries, or any other file type
  • Memory analysis of an attack

Putting It All Together

  • Specific scenarios showing how attackers use a variety of tools together
  • Analyzing scenarios based on real-world attacks
  • Learning from the mistakes of other organizations
  • Where to go for the latest attack info and trends

 
  SEC504.6: Hacker Tools Workshop
Overview

Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will supplement the classroom training that students have already received and give them flight time with the attack tools to better understand how they work. Instructors will give guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult, so students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you have built over the week in this engaging contest. The Capture the Flag victors will win a prize.

In sum, paranoia is good! Your laptop will be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if (actually, when) someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you will learn and the fun you will have doing it.

CPE/CMU Credits: 6

Topics

Hands-on Analysis

  • Nmap port scanner
  • Nessus vulnerability scanner
  • Network mapping
  • Netcat: File transfer, backdoors, and relays
  • More Metasploit
  • Exploitation using built in OS commands
  • Privilege escalation
  • Advanced pivoting techniques

 
Additional Information
 
  Laptop Required

IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network. It is the students' responsibility to make sure that the system is properly configured with all the drivers necessary to connect to an Ethernet network.

John Strand has created a video to help you walk through the setup requirements for the course. This short 10 minute video will help ensure your system is properly configured and ready for class.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.

Windows

You are required to bring Windows 8 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate), or 2012/2008 Server, either a real system or a virtual machine.

The course includes a VMware image file of a guest Linux system that is larger than 3 GB. Therefore, you need a file system with the ability to read and write files that are larger than 3 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

We also require that no enterprise group policies be applied to the system. These policies can and will interfere with our labs.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you are using a Macbook or Macbook Pro with OS X 10.8 or later, you will need VMWare Fusion 5.0 or later.

VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class.

We will give you a DVD full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • DVD drive (not a CD drive)
  • 3 GB RAM minimum with 4 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • 10 GB available hard drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7, or Windows Vista

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Incident handlers
  • Leaders of incident handling teams
  • System administrators who are on the front lines defending their systems and responding to attacks
  • Other security personnel who are first responders when systems come under attack

 
  Prerequisites
  • A strong desire to understand hacker tools and techniques
  • A foundational understanding of the Windows Command Line
  • A foundational understanding of core networking concepts such as TCP/IP
  • A strong desire to understand how key defensive tactics can thwart advanced attackers

 
  What You Will Receive
  • A DVD with all of the tools for class ready to go
  • Over 1,000 slides of instruction with detailed notes
  • Step-by-step instructions in self-contained labs showing you how to employ these hacker tools and techniques

 
  You Will Be Able To
  • Apply incident handling processes-including preparation, identification, containment, eradication, and recovery-to protect enterprise environments
  • Analyze the structure of common attack techniques in order to evaluate an attacker's spread through a system and network, anticipating and thwarting further attacker activity
  • Utilize tools and evidence to determine the kind of malware used in an attack, including rootkits, backdoors, and Trojan horses, choosing appropriate defenses and response tactics for each
  • Use built-in command-line tools such as Windows tasklist, wmic, and reg, as well as Linux netstat, ps, and lsof to detect an attacker's presence on a machine
  • Analyze router and system ARP tables along with switch CAM tables to track an attacker's activity through a network and identify a suspect
  • Use memory dumps and memory analysis tools to determine an attacker's activities on a machine, the malware installed, and other machines the attacker used as pivot points across the network
  • Gain access to a target machine using Metasploit, and then detecting the artifacts and impact of exploitation through process, file, memory, and log analysis
  • Analyze a system to see how attackers use the malware to move files, create backdoors, and build relays through a target environment
  • Run the Nmap port scanner and Nessus vulnerability scanner to find openings on target systems, and apply tools such as tcpdump and netstat to detect and analyze the impact of the scanning activity
  • Apply the tcpdump sniffer to analyze network traffic generated by a covert backdoor to determine an attacker's tactics
  • Employ the netstat and Isof tools to diagnose specific types of traffic-flooding denial-of-service techniques, and choose appropriate response actions based on each attacker's flood technique
  • Analyze shell history files to find compromised machines, attacker-controlled accounts, sniffers, and backdoors

 
  Hands-on Training
  • Memory analysis
  • Metasploit attack and detect
  • Nmap and Nessus
  • SQL Injection
  • Cross-Site Scripting
  • Covert channel analysis
  • Detecting an insider with built-in Windows commands
  • Windows Command Line Kung-fu
  • Working with backdoors
  • Detecting Denial-of-Service attacks
  • Shell history analysis
  • Linux attack detection
  • Full day Capture the Flag event

 
  Press & Reviews

"It is great to understand how hackers are exploiting a variety of systems. Learning how to prevent these as best as possible is imperative to protect key systems and resources. SEC504 course concepts are great." - Samantha Hanagan, Texel Tek

"SEC504 should be taken by anyone in your company that has anything to do with security. Especially valuable for sys admins as well as security personnel." - Karl Findorff, Xavier University of Louisiana

"Incident response is the most underused aspect in small companies. SEC504 gives us the ability to help management understand the value." - David Freedman, Nationwide Payment Solutions

"Higher education is often a hacker's playground/training camp. Courses like SEC504 are important to learn what to watch for (network traffic baseline)." - Michael Barton, Princeton University

"As someone who works in information security but has never had to do a full incident report, SEC504 is teaching me all the proper processes and steps." - Todd Choryan, Motorola Solutions

"SEC504 teaches not just how to do Incident Response, but why and most importantly what not to do." - Brad Milhorn, ii2P

 
  What To Take Next?

Courses that lead in to SEC504

Courses that are good follow-ups to SEC504

 

Author Statement

One of my greatest joys in life is helping people understand the complex landscape of security so that they can implement really effective defenses. It may be difficult to fully grasp what truly impacts the security of your organization versus what is simply product marketing hype. This class is the nexus between attacks and defenses, chock full of vital information for thwarting today's nastiest attacks. Ed Skoudis and I continuously refine this class on the foundation of the multitude of penetration tests we conduct and incidents we handle regularly. We strive to keep the material relevant, interesting, and directly applicable to the job of infosec professionals. And I personally live for the moments when the light goes on within a 504 student and they finally see through the noise, and they begin to understand what is important from a threat and vulnerability perspective.

-John Strand

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.
Type
Topic
Course
/ Location
/ Instructor
Date
Register

Training Event
Incident Handling Jan 16, 2015 -
Jan 21, 2015
 

Training Event
Incident Handling
SANS Brussels 2015
Brussels, Belgium
Jan 26, 2015 -
Jan 31, 2015
 

Training Event
Incident Handling
SANS Dubai 2015
Dubai, United Arab Emirates
Jan 31, 2015 -
Feb 5, 2015
 

Training Event
Incident Handling Feb 23, 2015 -
Feb 28, 2015
 

Training Event
Incident Handling
SANS Secure India 2015
Bangalore, India
Feb 23, 2015 -
Mar 7, 2015
 

Training Event
Incident Handling Mar 9, 2015 -
Mar 14, 2015
 

Training Event
Incident Handling
SANS Secure Singapore 2015
Singapore, Singapore
Mar 9, 2015 -
Mar 21, 2015
 

Training Event
Incident Handling
SANS Secure Canberra 2015
Canberra, Australia
Mar 16, 2015 -
Mar 28, 2015
 

Training Event
Incident Handling Mar 23, 2015 -
Mar 28, 2015
 

Training Event
Incident Handling
SANS 2015
Orlando, FL
Apr 11, 2015 -
Apr 18, 2015
 

Training Event
Incident Handling May 4, 2015 -
May 12, 2015
 

Training Event
Incident Handling
SANS Secure Europe 2015
Amsterdam, Netherlands
May 11, 2015 -
May 23, 2015
 

Training Event
Incident Handling May 18, 2015 -
May 23, 2015
 

Training Event
Incident Handling
SANS Melbourne 2015
Melbourne, Australia
Staff
May 18, 2015 -
May 23, 2015
 

Training Event
Incident Handling
SANS London in the Summer
London, United Kingdom
Jul 13, 2015 -
Jul 18, 2015
 

Summit
Incident Handling Feb 2, 2015 -
Feb 9, 2015
 

Summit
Incident Handling Jul 7, 2015 -
Jul 14, 2015
 

Community SANS
Incident Handling Jan 26, 2015 -
Jan 31, 2015
 

Community SANS
Incident Handling Feb 23, 2015 -
Feb 28, 2015
 

Community SANS
Incident Handling
Staff
Feb 23, 2015 -
Feb 28, 2015
 

Community SANS
Incident Handling
Staff
Feb 23, 2015 -
Feb 28, 2015
 

Community SANS
Incident Handling Feb 23, 2015 -
Feb 28, 2015
 

Community SANS
Incident Handling
Staff
Mar 16, 2015 -
Mar 21, 2015
 

Community SANS
Incident Handling Apr 20, 2015 -
Apr 25, 2015
 

Community SANS
Incident Handling
Staff
Jun 8, 2015 -
Jun 13, 2015
 

Mentor
Incident Handling
Mentor Session
Columbus, OH
Jan 8, 2015 -
Mar 12, 2015
 

Mentor
Incident Handling
Mentor Session
Dallas, TX
Jan 20, 2015 -
Mar 24, 2015
 

Mentor
Incident Handling
Mentor Session
London, United Kingdom
Jan 20, 2015 -
Mar 24, 2015
 

Mentor
Incident Handling
Mentor Session
Eureka, MO
Jan 21, 2015 -
Mar 25, 2015
 

Mentor
Incident Handling
Mentor Session
Houston, TX
Feb 2, 2015 -
Apr 6, 2015
 

Mentor
Incident Handling
Mentor Session
Seattle, WA
Feb 3, 2015 -
Apr 7, 2015
 

vLive
Incident Handling
Online
Staff
Apr 14, 2015 -
May 21, 2015
 

vLive
Incident Handling
Online
Staff
Sep 14, 2015 -
Oct 21, 2015
 

vLive
Incident Handling
Online
Staff
Dec 8, 2015 -
Jan 28, 2016
 

OnDemand
Incident Handling
Online
Anytime  

Simulcast
Incident Handling
Online
May 18, 2015 -
May 23, 2015
 

SelfStudy
Incident Handling
Online
Anytime  

Onsite
All OnSite Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.