SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses™

GIAC Defending Advanced Threats (GDAT)
GIAC Defending Advanced Threats (GDAT)
  • In Person (6 days)
  • Online
36 CPEs
Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries through a purple team strategy. 20+ Hands-on Labs & a unique APT Defender Capstone

What You Will Learn

You just got hired to help our virtual organization "SYNCTECHLABS" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service... We're not even sure where to start!"

Cyber threats are on the rise: ransomware tactics are affecting small, medium, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.

Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: "How do I prevent or detect this type of attack?" Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.

Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization "SYNCTECHLABS" in section one exercises.

In sections two, three, four and five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:

  • Leveraging MITRE ATT&CK as a "common language" in the organization
  • Building your own Cuckoo sandbox solution to analyze payloads
  • Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlighting key bypass strategies for script controls (Unmanaged Powershell, AMSI bypasses, etc.)
  • Stopping 0-day exploits using ExploitGuard and application whitelisting
  • Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
  • Detecting and preventing malware persistence
  • Leveraging the Elastic stack as a central log analysis solution
  • Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
  • Blocking and detecting command and control through network traffic analysis
  • Leveraging threat intelligence to improve your security posture

SEC599 will finish with a bang. During the Defend-the-Flag challenge in the final course section, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?

Purple Team Course FAQ

Business Takeaways

  • Understand how recent high-profile attacks were delivered and how they could have been stopped
  • Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

Hands-On Training

SEC599 leverages SANS OnDemand systems, where attendees will be able to complete the 20+ labs in the course in a full-fledged browser environment. This eliminates possible issues with student laptops and increases time spent on actually learning security topics, not configuring virtual machines. The student VMs are provided to allow students to continue learning at home!

Examples of the practical labs and exercises you will complete in this course will enable you to:

  • Use MITRE ATT&CK Navigator to assess different techniques
  • Leverage MITRE ATT&CK as a "common language" in the organization
  • Build your own Cuckoo sandbox solution to analyze payloads
  • Develop effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlight key bypass strategies for script controls (Unmanaged Powershell, AMSI bypasses, etc.)
  • Stop 0-day exploits using ExploitGuard and application whitelisting
  • Highlight key bypass strategies in application whitelisting (focus on AppLocker), including:
    • Detecting and avoiding malware persistence using Autoruns and OSQuery
    • Leveraging the Elastic stack as a central log analysis solution
    • Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
    • Blocking and detecting command and control through network traffic analysis using Suricata, Zeek, and RITA
    • Leveraging threat intelligence to improve your security posture using MISP, Loki, and Volatility

What You Will Receive

  • MP3 audio files of the complete course lecture
  • Digital Download Package that includes:
    • Virtual machines for training
    • Electronic Courseware
    • Download link to the target VMs

Syllabus (36 CPEs)

Download PDF
  • Overview

    Our six-part journey starts with an analysis of recent attacks through in-depth case studies. We will explain what's happening in real situations and introduce the Cyber Kill Chain and MITRE ATT&CK framework as a structured approach to describing adversary tactics and techniques. We will also explain what purple teaming is, typical tools associated with it, and how it can be best organized in your organization. In order to understand how attacks work, students will also compromise our virtual organization "SYNCTECHLABS" during section one exercises.

    Exercises
    • One click is all it takes...
    • Hardening our domain using SCT and STIG
    • Kibana, ATT&CK Navigator, and FlightSim
    • Automated reconnaissance using SpiderFoot
    Topics
    • Course Outline and Lab Setup
      • Course objectives and lab environment
      • What's happening out there?
      • Introducing SYNCTECHLABS
      • Exercise: One click is all it takes...
    • Adversary Emulation and the Purple Team
      • Introducing the extended Kill Chain
      • What is the purple team?
      • MITRE ATT&CK framework and "purple tools"
      • Key controls for prevention and detection
      • Exercise: Hardening our domain using SCT and STIG
      • Building a detection stack
      • Exercise: Kibana, ATT&CK Navigator, and FlightSim
    • Reconnaissance
      • Reconnaissance - Getting to know the target
      • Exercise: Automated reconnaissance using SpiderFoot
  • Overview

    Section 2 will cover how the attacker attempts to deliver and execute payloads in the organization. We will first cover adversary techniques (e.g., creation of malicious executables and scripts), then focus on how both payload delivery (e.g., phishing mails) and execution (e.g., double-clicking of the attachment) can be hindered. We will also introduce YARA as a common payload description language and SIGMA as a vendor-agnostic use-case description language.

    Exercises
    • Stopping NTLMv2 sniffing and relay attacks in Windows
    • Building a Sandbox using Cuckoo and YARA
    • Configuring AppLocker
    • Controlling script execution in the enterprise
    • Detection with Script Block Logging, Sysmon, and SIGMA
    • Preventing payload execution using ProcFilter
    Topics
    • Common Delivery Mechanisms
    • Hindering Payload Delivery
      • Removable media and network (NAC, MDM, etc.) controls
      • Exercise: Stopping NTLMv2 sniffing and relay attacks in Windows
      • Mail controls, web proxies, and malware sandboxing
      • YARA - A common payload description language
      • Exercise: Building a Sandbox using Cuckoo and YARA
    • Preventing Payload Execution
      • Initial execution - Application whitelisting
      • Exercise: Configuring AppLocker
      • Initial execution - Visual Basic, JS, HTA, and PowerShell
      • Exercise: Controlling script execution in the enterprise
      • Initial execution - How to detect?
      • Exercise: Detection with Script Block Logging, Sysmon, and SIGMA
      • Operationalizing YARA rules - Introducing ProcFilter
      • Exercise: Preventing payload execution using ProcFilter
  • Overview

    Section 3 will first explain how exploitation can be prevented or detected. We will show how security should be an integral part of the software development lifecycle and how this can help prevent the creation of vulnerable software. We will also explain how patch management fits in the overall picture.

    Next, we will zoom in on exploit mitigation techniques, both at compile-time (e.g., ControlFlowGuard) and at run-time (ExploitGuard). We will provide an in-depth explanation of what the different exploit mitigation techniques (attempt to) cover and how effective they are. We'll then turn to a discussion of typical persistence strategies and how they can be detected using Autoruns and OSQuery. Finally, we will illustrate how command and control channels are being set up and what controls are available to the defender for detection and prevention.

    Exercises
    • Exploit mitigation using Compile-Time Controls
    • Exploit mitigation using ExploitGuard
    • Catching persistence using Autoruns and OSQuery
    • Detecting command and control channels using Suricata, JA3 and RITA
    Topics
    • Protecting Applications from Exploitation
      • Software development lifecycle (SDL) and threat modeling
      • Patch management
      • Exploit mitigation techniques
      • Exercise: Exploit mitigation using Compile-Time Controls
      • Exploit mitigation techniques - ExploitGuard, EMET, and others
      • Exercise: Exploit mitigation using ExploitGuard
    • Avoiding Installation
      • Typical persistence strategies
      • How do adversaries achieve persistence?
      • Exercise: Catching persistence using Autoruns and OSQuery
    • Foiling Command and Control
      • Detecting command and control channels
      • Exercise: Detecting command and control channels using Suricata, JA3, and RITA
  • Overview

    Section 4 will focus on how adversaries move laterally throughout an environment. A key focus will be on Active Directory (AD) structures and protocols (local credential stealing, NTLMv2, Kerberosm, etc.). We will discuss common attack strategies, including Windows privilege escalation, UAC bypasses, (Over-) Pass-the-Hash, Kerberoasting, Silver Tickets, and others. We'll also cover how BloodHound can be used to develop attack paths through the AD environment. Finally, we will discuss how lateral movement can be identified in the environment and how cyber deception can be used to catch intruders red-handed!

    Exercises
    • Implementing LAPS
    • Local Windows privilege escalation techniques
    • Hardening Windows against credential compromise
    • Mapping attack paths using BloodHound
    • Kerberos attack strategies
    • Detecting lateral movement in AD
    Topics
    • Protecting Administrative Access
      • Active Directory security concepts
      • Principle of least privilege and UAC
      • Exercise: Implementing LAPS
      • Privilege escalation techniques in Windows
      • Exercise: Local Windows privilege escalation techniques
    • Key Attack Strategies against AD
      • Abusing local admin privileges to steal more credentials
      • Exercise: Hardening Windows against credential compromise
      • Bloodhound - Mapping out AD attack paths
      • Exercise: Mapping attack paths using BloodHound
      • Kerberos attacks: Kerberoasting, Silver tickets, Over-PtH
      • Exercise: Kerberos attack strategies
    • How Can We Detect Lateral Movement?
      • Key logs to detect lateral movement in AD
      • Deception - Tricking the adversary
      • Exercise: Detecting lateral movement in AD
  • Overview

    Section five focuses on stopping the adversary during the final stages of the attack:

    • How does the adversary obtain "domain dominance" status? This includes the use of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync and DCShadow.
    • How can data exfiltration be detected and stopped?
    • How can threat intelligence aid defenders in the Cyber Kill Chain?
    • How can defenders perform effective incident response?

    As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.

    Exercises
    • Domain dominance
    • Detecting data exfiltration
    • Leveraging threat intelligence with MISP and Loki
    • Hunting your environment using OSQuery
    • Finding malware using Volatility and YarGen
    Topics
    • Domain Dominance
      • Dominating the AD - Basic strategies
      • Golden Ticket, Skeleton Key, DCSync, and DCShadow
      • Detecting domain dominance
      • Exercise: Domain dominance
    • Data Exfiltration
      • Common exfiltration strategies
      • Exercise: Detecting data exfiltration
    • Leveraging Threat Intelligence
      • Defining threat intelligence
      • Exercise: Leveraging threat intelligence with MISP and Loki
    • Threat Hunting and Incident Response
      • Proactive threat hunting strategies
      • Exercise: Hunting your environment using OSQuery
      • Incident response process
      • Exercise: Finding malware using Volatility and YarGen
  • Overview

    The course culminates in a team-based Defend-the-Flag competition. Section six is a full chapter of hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls promoted all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.

    Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SME's are available to support every OnDemand student's experience.

    Topics
    • Applying Previously Covered Security Controls In-depth
    • Reconnaissance
    • Weaponization
    • Delivery
    • Exploitation
    • Installation
    • Command and Control
    • Action on Objectives

GIAC Defending Advanced Threats

The GIAC Defending Advanced Threats (GDAT) certification covers both offensive and defensive topics in-depth. GDAT-certified professionals have a thorough understanding of how advanced cyber adversaries operate and how the IT environment can be improved to better prevent, detect, and respond to incidents.

  • Advanced persistent threat models and methods
  • Detecting and preventing payload deliveries, exploitation, and post-exploitation activities
  • Using cyber deception to gain intelligence for threat hunting and incident response
  • Adversary Emulation
More Certification Details

Prerequisites

  • Experience with Linux and Windows from the command line (including PowerShell)
  • Familiarity with Windows Active Directory concepts
  • A baseline understanding of cyber security topics
  • A solid understanding of TCP/IP and networking concepts

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC599 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 75GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY SEC599 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in my classes were not actually penetration testers or those who would be writing zero-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."

-- Stephen Sims

"During my InfoSec career, I focused on penetration testing for the first five years, then shifted my focus more and more to the world of incident response. That's when I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries' attacking moves.

"SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish.

"Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I'm very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-the-Flag' exercise on Day 6."

-- Erik Van Buggenhout

"SEC599 gave me interesting insight into Exploit Guard that will certainly drive great conversation at work. Best labs of any class I've taken." - Jeremiah Hainly, The Hershey Company

Register for SEC599

Learn about Group Pricing

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

Loading...