SEC460: Enterprise Threat and Vulnerability Assessment Beta

Computer exploitation is on the rise. As advanced adversaries become more numerous, more capable, and much more destructive, organizations must become more effective at mitigating their information security risks at the enterprise scale. SEC460 is the premier course focused on building technical vulnerability assessment skills and techniques, while highlighting time-tested practical approaches to ensure true value across the enterprise. The course covers threat management, introduces the core components of comprehensive vulnerability assessment, and provides the hands-on instruction necessary to produce a vigorous defensive strategy from day one. The course is focused on equipping information security personnel from organizations charged with effectively and efficiently securing 10,000 or more systems.

SEC460 begins with an introduction to information security vulnerability assessment fundamentals, followed by in-depth coverage of the Vulnerability Assessment Framework. It then moves into the structural components of a dynamic and iterative information security program. Through a detailed, practical analysis of threat intelligence, modeling, and automation, students will learn the skills necessary to not only use the tools of the trade, but also to implement a transformational security vulnerability assessment program.

SEC460 will teach you how to use real industry-standard security tools for vulnerability assessment, management, and mitigation. It is the only course that teaches a holistic vulnerability assessment methodology while focusing on the challenges faced in a large enterprise. You will learn on a full-scale enterprise range chock full of target machines representative of an enterprise environment, leveraging production-ready tools and a proven testing methodology.

This course takes you beyond the checklist, giving you a tour of the attackers' perspective that is crucial to discovering where they will strike. Operators are more than the scanner they employ. SEC460 emphasizes this personnel-centric approach by examining the shortfalls of many vulnerability assessment programs in order to provide you with the tactics and techniques required to secure networks against even the most advanced intrusions.

We wrap up the first five days of instruction with a discussion of triage, remediation, and reporting before putting your skills to the test on the final day against an enterprise-grade cyber range with numerous target systems for you to analyze and explore. The cyber range is a large environment of servers, end-users, and networking gear that represents many of the systems and topologies used by enterprises. By adopting an end-to-end approach to vulnerability assessment, you can be confident that your skills will provide much-needed value in securing your medium- or large-scale organization.

This course will prepare you to:

  • Perform end-to-end vulnerability assessments
  • Develop customized vulnerability discovery, management, and remediation plans
  • Conduct threat intelligence gathering and analysis to create a tailored cybersecurity plan that integrates various attack and vulnerability modeling frameworks
  • Implement a proven testing methodology using industry-leading tactics and techniques
  • Adapt information security approaches to target real-world enterprise challenges
  • Configure and manage vulnerability assessment tools to limit risk added to the environment by the tester
  • Operate enumeration tools like Nmap, Kansa, BloodHound, and WPScan to identify network nodes, services, configurations, and vulnerabilities that an attacker could use as an opportunity for exploitation
  • Conduct infrastructure vulnerability enumeration at scale across numerous network segments, in spite of divergent network infrastructure and nonstandard configurations
  • Conduct web application vulnerability enumeration in enterprise environments while solving complex challenges resulting from scale
  • Perform manual discovery and validation of cybersecurity vulnerabilities that can be extended to custom and unique applications and systems
  • Manage large vulnerability datasets and perform risk calculation and scoring against organization-specific risks
  • Implement vulnerability triage and prioritize mitigation

Course Syllabus

Overview

In this section of the course, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.

Scale and architecture are major challenges to an enterprise. We will discuss techniques and strategies to overcome these obstacles, and perform a table-top exercise to connect theory with reality. We will also dive into fundamental information security topics, explore the nuanced differences between major categories of services, and examine the industry's foremost methodologies for vulnerability assessment. We will examine the strategic influences that impact a typical enterprise and its vulnerability management program.

Exercises
  • Enterprise Engagement Planning and Logistics
  • Discovering Enterprise Assets and Vulnerabilities through Effective Scanning
  • Threat Modeling
  • Open-Source Intelligence Gathering
  • Virtualization Familiarization and Test Systems Tour

CPE/CMU Credits: 6

Topics
  • Maximizing Value from Vulnerability Assessments and Programs
  • Setting Up for Success at Scale: Enterprise Architecture and Strategy
  • Developing Transformational Vulnerability Assessment Strategies
  • Performing Enterprise Threat Modeling
  • Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload
  • The Vulnerability Assessment Framework
  • Overview of Comprehensive Network Scanning
  • Compliance Standards and Information Security

Overview

Having mastered the structural foundations of vulnerability management, we pivot to the realm of direct, tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment.

As we begin active scrutiny of the enterprise, you will learn how to interpret tool output and form a detailed network map. We will explore proven methods to ensure the integrity of our dataset as we identify IP addresses, operating systems, platforms, and services. The day culminates with an introduction to the PowerShell scripting language focusing on large-scale system management, vulnerability discovery, and mitigation.
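As an added illustration of turning raw scan output into a verified network map (this is example code written for this page, not a course tool or script), the following Python parses Nmap's XML output (`nmap -oX`) from two overlapping scans, unions the open ports seen from each vantage point, and records OS fingerprints that disagree instead of silently overwriting them. The two XML documents are constructed samples; the IP addresses, hostnames and service banners in them are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two nmap -oX outputs from different vantage points.
# 10.1.1.10 appears in both; the second scan reaches a port the first did not
# and returns a different OS guess. IPs, names and banners are placeholders.
SEG_A_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX seg-a.xml 10.1.1.0/30">
 <host><status state="up" reason="arp-response"/>
  <address addr="10.1.1.10" addrtype="ipv4"/>
  <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
   <port protocol="tcp" portid="445"><state state="filtered"/></port>
  </ports>
  <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
 </host>
 <host><status state="down" reason="no-response"/>
  <address addr="10.1.1.11" addrtype="ipv4"/>
 </host>
</nmaprun>"""

SEG_B_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX seg-b.xml 10.1.1.10 10.2.0.5">
 <host><status state="up" reason="syn-ack"/>
  <address addr="10.1.1.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2012" accuracy="90"/></os>
 </host>
 <host><status state="up" reason="syn-ack"/>
  <address addr="10.2.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="dc01.corp.example" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="389"><state state="open"/><service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2016" accuracy="92"/></os>
 </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one record per host that nmap reported 'up': IP, hostnames, OS guess, open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no service data and must not enter the map
        osmatch = host.find("os/osmatch")
        rec = {"ip": addr.get("addr"),
               "hostnames": sorted(h.get("name") for h in host.iter("hostname")),
               "os": osmatch.get("name") if osmatch is not None else None,
               "services": {}}  # (protocol, port) -> "name product version"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the service map
            svc = port.find("service")
            banner = "unknown" if svc is None else " ".join(
                p for p in (svc.get("name"), svc.get("product"), svc.get("version")) if p)
            rec["services"][(port.get("protocol"), int(port.get("portid")))] = banner
        hosts.append(rec)
    return hosts


def merge_inventories(scans):
    """Merge (label, host list) pairs into one inventory keyed by IP.

    Hostnames and open ports are unioned, since vantage points differ. OS guesses
    that disagree are kept as conflicts for re-scan rather than overwritten, so a
    bad fingerprint cannot quietly corrupt the dataset that later drives triage.
    """
    inventory, conflicts = {}, defaultdict(list)
    for label, hosts in scans:
        for rec in hosts:
            entry = inventory.setdefault(rec["ip"], {"hostnames": set(), "os": None,
                                                     "services": {}, "seen_in": []})
            entry["seen_in"].append(label)
            entry["hostnames"].update(rec["hostnames"])
            entry["services"].update(rec["services"])
            if rec["os"] and entry["os"] is None:
                entry["os"] = rec["os"]
            elif rec["os"] and rec["os"] != entry["os"]:
                conflicts[rec["ip"]].append((label, rec["os"]))
    return inventory, dict(conflicts)


def build_inventory():
    """Parse both constructed scans and merge them; returns (inventory, conflicts)."""
    return merge_inventories([("seg-a", parse_nmap_xml(SEG_A_XML)),
                              ("seg-b", parse_nmap_xml(SEG_B_XML))])


if __name__ == "__main__":
    inventory, conflicts = build_inventory()
    for ip, e in sorted(inventory.items()):
        ports = ", ".join(f"{p}/{proto} {svc}" for (proto, p), svc in sorted(e["services"].items()))
        print(f"{ip:<12} {e['os'] or 'unknown OS':<32} {ports}")
    for ip, seen in conflicts.items():
        print(f"CONFLICT {ip}: OS fingerprint differs across scans {seen}; re-scan before triage")
```

Running it lists both live hosts with their unioned ports and flags 10.1.1.10, where a Linux fingerprint from one segment and a Windows fingerprint from another point to either a middlebox answering for the host or an overlapping address range, both of which are worth resolving before the host enters vulnerability scanning.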

Exercises
  • Whois, DNS, and Advanced Reconnaissance
  • Knocking on the DMZ and Port Scanning the Perimeter
  • Enterprise-Scale Scanning and Enumeration
  • Active Directory and the Windows Domain
  • PowerShell Primer

CPE/CMU Credits: 6

Topics
  • Active and Passive Reconnaissance
  • Identification and Enumeration with DNS
  • DNS Zone Speculation and Dictionary-Enabled Discovery
  • Port Scanning with Nmap and Zenmap
  • Scanning Large-Scale Environments
  • Commonplace Services
  • Scanning the Network Perimeter and Engaging the DMZ
  • The Windows Domain: Exchange, SharePoint, and Active Directory
  • Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations
  • Trade-offs: Speed, Efficiency, Accuracy, and Thoroughness
  • Introduction to PowerShell

Overview

We begin day three by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components and gaining an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks. Later in the day, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.

This portion of the course is dedicated to learning by application and translates easily to frontline operations. We'll use premier industry tools like Rapid7's Nexpose, while simultaneously exploring manual testing procedures. We'll also cover application-specific testing tools and techniques to provide you with a broad perspective and actionable experience.

Exercises
  • Network Vulnerability Scanning with Nexpose
  • Tools of the Trade and WebApp Assessment
  • Enterprise PowerShell: Windows Remoting, WMI, Third-Party Cmdlets, and More
  • Integration and Synergy to Reduce the Vulnerability Lifecycle

CPE/CMU Credits: 6

Topics
  • Enhanced Vulnerability Scanning
  • Risk Assessment Matrices and Rating Systems
  • Quantitative Analysis Techniques Applied to Vulnerability Scoring
  • Performing Tailored Risk Calculation to Drive Triage
  • General Purpose vs. Application Specific Vulnerability Scanning
  • Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale
  • Scan Policies and Compliance Auditing
  • Performing Vulnerability Discovery with Open-Source and Commercial Appliances
  • Nmap Scripting Engine and OpenVAS
  • Testing for Insecure Cryptographic Implementations Including SSL
  • Assessing VoIP Environments
  • Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint
  • Evaluating Vulnerability Risk in Custom and Unique Systems including Web Applications
  • Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege
  • Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs
  • Manual Vulnerability Discovery Automated to Attain Maximal Efficacy

Overview

Over the course of this day we will tackle the next phase of our overarching testing methodology, vulnerability validation, while simultaneously confronting the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool for analyzing vulnerability data across an organization.
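An added example, written for this page (it is not a course script and does not reflect Acheron's own data model), of the normalization, confidence grading and triage steps described above: findings from a network scanner, an Nmap NSE check and a manual validation pass are collapsed to one record per host, port and finding, graded by how many independent sources agree, scored against an asset register, and sorted into a work list. All hosts, asset roles, weights and the CVSS values carried by the exports are constructed placeholders; only the CVE identifiers are real.

```python
# Constructed sample findings from three sources. The CVE identifiers are real;
# the hosts, the CVSS values in the exports, and the asset roles are placeholders.
SCANNER = [  # export from a network vulnerability scanner
    {"ip": "10.2.0.5",  "port": 445, "id": "CVE-2017-0144", "cvss": 8.1, "state": "vulnerable"},
    {"ip": "10.1.1.10", "port": 443, "id": "CVE-2014-0160", "cvss": 7.5, "state": "vulnerable"},
    {"ip": "10.1.1.10", "port": 443, "id": "tls-1.0-enabled", "cvss": 4.0, "state": "vulnerable"},
    {"ip": "10.3.0.77", "port": 445, "id": "CVE-2017-0144", "cvss": 8.1, "state": "vulnerable"},
]
NSE = [  # Nmap NSE vulnerability scripts (this output carries no CVSS)
    {"ip": "10.2.0.5",  "port": 445, "id": "CVE-2017-0144", "state": "vulnerable"},
    {"ip": "10.1.1.10", "port": 443, "id": "CVE-2014-0160", "state": "vulnerable"},
]
MANUAL = [  # analyst validation pass (authenticated patch check or hands-on test)
    {"ip": "10.2.0.5",  "port": 445, "id": "CVE-2017-0144", "state": "vulnerable"},
    {"ip": "10.3.0.77", "port": 445, "id": "CVE-2017-0144", "state": "not_vulnerable"},
]
ASSETS = {  # asset register maintained by the organization: criticality 1-3 and exposure
    "10.2.0.5":  {"role": "domain controller", "criticality": 3, "exposure": "internal"},
    "10.1.1.10": {"role": "DMZ web server",    "criticality": 2, "exposure": "internet"},
    "10.3.0.77": {"role": "workstation",       "criticality": 1, "exposure": "internal"},
}
CONFIDENCE_WEIGHT = {"validated": 1.0, "corroborated": 0.8, "single-source": 0.5,
                     "contested": 0.3, "refuted": 0.0}
EXPOSURE_FACTOR = {"internet": 1.5, "internal": 1.0}
ACTION = {"contested": "re-validate", "refuted": "close"}  # anything else: remediate


def normalize(sources):
    """Collapse findings from several tools into one record per (ip, port, id).

    Every source keeps its own verdict in rec["states"], so disagreement survives
    normalization instead of being lost to last-writer-wins.
    """
    merged = {}
    for source, findings in sources:
        for f in findings:
            key = (f["ip"], f["port"], f["id"])
            rec = merged.setdefault(key, {"ip": f["ip"], "port": f["port"], "id": f["id"],
                                          "cvss": 0.0, "states": {}})
            rec["cvss"] = max(rec["cvss"], f.get("cvss", 0.0))
            rec["states"][source] = f["state"]
    return list(merged.values())


def assign_confidence(rec, validating_sources=("manual",)):
    """Grade how far to trust a finding from the verdicts of the sources that saw it."""
    says_vuln = {s for s, st in rec["states"].items() if st == "vulnerable"}
    says_clean = {s for s, st in rec["states"].items() if st == "not_vulnerable"}
    if says_vuln and says_clean:
        return "contested"        # contradictory data: re-check before anyone patches blind
    if not says_vuln:
        return "refuted"
    if says_vuln & set(validating_sources):
        return "validated"        # a human confirmed the condition
    if len(says_vuln) >= 2:
        return "corroborated"     # independent tools agree
    return "single-source"


def triage(records, assets):
    """Score each finding against the asset register and return the sorted work list."""
    rows = []
    for rec in records:
        conf = assign_confidence(rec)
        asset = assets.get(rec["ip"], {"criticality": 1, "exposure": "internal"})
        score = round(rec["cvss"] * asset["criticality"]
                      * EXPOSURE_FACTOR[asset["exposure"]] * CONFIDENCE_WEIGHT[conf], 1)
        rows.append({**rec, "confidence": conf, "score": score,
                     "action": ACTION.get(conf, "remediate")})
    rows.sort(key=lambda r: (-r["score"], r["ip"], r["port"], r["id"]))
    return rows


def run_triage():
    """Normalize the three constructed sources and triage them against the asset register."""
    records = normalize([("scanner", SCANNER), ("nse", NSE), ("manual", MANUAL)])
    return triage(records, ASSETS)


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r['score']:>5} {r['action']:<11} {r['confidence']:<13} "
              f"{r['ip']}:{r['port']} {r['id']}")
```

The ordering this produces is deliberately not the CVSS ordering: the same MS17-010 finding tops the list on the domain controller, where three sources agree, and drops to the bottom on the workstation, where the scanner and the authenticated check contradict each other and the right next step is another look rather than a ticket.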

Exercises
  • Client-Side Vulnerability Validation with PowerShell and the Kansa Incident Response Framework Tool
  • Vulnerability Validation Against Linux Servers with the Nmap Scripting Engine
  • Manual Validation of Vulnerable Conditions Using Tailored PowerShell Scripting
  • Composing a Vulnerability Knowledge Base with Acheron, an Excellent Free Tool for Managing Vulnerability Data

CPE/CMU Credits: 6

Topics
  • Assigning a Confidence Value and Validating Exploitative Potential of Vulnerabilities
  • Manual Vulnerability Validation Targeting Enterprise Infrastructure
  • Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base
  • Managing Large Repositories of Vulnerability Data
  • Querying the Vulnerability Knowledge Base
  • Triage: Assessing the Relative Importance of Vulnerabilities Against Strategic Risk

Overview

Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. Over the previous course modules we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this section of the course. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.

Exercises
  • Creating and Navigating Vulnerability Prioritization Schemas in Acheron
  • BloodHound, the Hunt for Domain Administrator
  • Integrating PowerShell and Acheron for Rapid Remediation
  • Effective Technical Communications to Better Manage Risk

CPE/CMU Credits: 6

Topics
  • Team Operations and Collaboration
  • Security Operations Project Management Essentials
  • Transforming Triage Listing into the Vulnerability Remediation Plan
  • Developing the Cybersecurity Risk Sight Picture
  • Connecting Related Datasets and Framing the Narrative
  • Developing a Web of Network and Host Affiliations
  • Modeling Account Relationships on Active Directory Forests
  • Creating Effective Vulnerability Assessment Reports
  • Curbing the Vulnerability Lifecycle and Aspiring to Zero Hour
  • Closure: Be a Positive Influence in the Context of the Global Information Security Crisis

Overview

In celebration of your diligence, curiosity, and mad new vulnerability skills, we welcome you to your final hands-on challenge to hammer home your capabilities. The guided scenario on this final course day is designed to test your mettle through trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge... and triumph!

The scenario: An organization called "The Foundry" has engaged you to perform a vulnerability assessment of its environment. The organization is very aware of your particular set of vulnerability assessment skills, and treasures the insights it is certain you will provide to help secure the organization against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to help squash issues that would lead to a compromise of The Foundry's precious assets.

Exercises
  • A Full-Day Campaign Powered by the NetWars Scoring Engine, a Simulation Environment Used by Cutting-Edge Commercial Organizations, Government Agencies, and Military Groups
  • Use the Tactics, Techniques, and Procedures Learned Throughout the Course
  • Accomplish an Enterprise Vulnerability Assessment Against a Target Environment

CPE/CMU Credits: 6

Topics
  • Tactical Employment of the Vulnerability Assessment Framework
  • Threat Modeling
  • Discovery
  • Vulnerability Scanning
  • Validation
  • Data Management and Triage

Additional Information

IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the enterprise laboratory environment. It is the students' responsibility to make sure that the system is configured with all the necessary drivers to join an Ethernet network.

Course exercises are based around a virtual Windows operations platform, but you will interface with a diverse set of enterprise environments. The tailored operations platform designed for this course will provide the optimal learning experience. VMware Player or VMware Workstation is required for the class. If you plan to use a Mac, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.

Workstation

You can use any 64-bit version of Windows, macOS, or Linux as your host operating system as long as you can install and run VMware virtualization products. You must also have at least 8 GB of RAM for the VM to function properly in class, and a VMware product must be installed before you arrive. Verify that hardware virtualization support (Intel VT-x or AMD-V) is ENABLED in your BIOS/UEFI settings.

The course includes a VMware image of a guest Windows system that is larger than 12 GB. The drive you copy it to must therefore use a file system that can read and write files larger than 4 GB, such as NTFS on a Windows machine; FAT32, still the default on many USB drives, cannot store a single file of that size.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

You will use VMware to virtualize a Windows vulnerability assessment platform. You must have either the free VMware Player (version 7 or later) or the commercial VMware Workstation (version 11 or later; VMware Fusion 7 or later on a Mac) installed and working on your system before coming to class. VMware Player can be downloaded free of charge from VMware's website.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial of VMware Workstation from VMware's website. VMware will send you a time-limited license number for VMware Workstation if you register for the trial. No license number is required for VMware Player.

We will give you a USB drive full of security tools to experiment with during the class and to take home for further examination at your leisure. We will also provide a licensed Enterprise Edition Windows 10 image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Mandatory System Requirements

  • A 64-bit version of Windows, Linux, or macOS
  • At least 8 GB of RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled to ensure an ideal learning environment
  • An available USB type-A port
  • Wireless NIC for network connectivity
  • Ethernet adaptor (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • Workstation must be OPSEC SAFE and should NOT contain any personal or company data; you will connect to a high-risk, live-fire environment
  • Verify that hardware virtualization support (Intel VT-x or AMD-V) is ENABLED in BIOS/UEFI

Mandatory Downloads Prior to Coming to Class:

  • A 64-bit host operating system installed (Windows is recommended)
  • VMware Workstation 11, VMware Fusion 7, or VMware Player 7 (or later versions) downloaded and installed before the start of class

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

SEC460 Checklist:

I have confirmed that:

  • I have administrator access to the operating system
  • I have at least 8 GB RAM and 40 GB available disk space
  • Anti-virus is disabled
  • The system includes a working USB port
  • I downloaded and installed VMware Workstation, Fusion, or Player

Who Should Attend

  • Vulnerability Assessors
  • Security Auditors
  • Compliance Professionals
  • Penetration Testers
  • Vulnerability Program Managers
  • Security Analysts
  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • System Administrators

Prerequisites

SEC460 Enterprise Threat and Vulnerability Assessment provides foundational concepts and skills useful throughout the SANS Penetration Testing and Vulnerability Assessment curriculum. The course rapidly accelerates the acquisition of knowledge by IT and information security professionals from a multitude of backgrounds. Nevertheless, as this is a lab-oriented, specialized, and technical course, functional knowledge of information security concepts, technology, and networking is highly recommended. Newcomers to the security community may find that SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling provides a more accessible starting point.

You Will Receive

  • A Windows Virtual Machine Customized for the Security Tester
  • Evaluation licenses for high-end commercial appliances including Rapid7 Nexpose and IBM AppScan
  • MP3 audio files of the complete course lectures
  • All policy and configuration files that can be used to implement a comprehensive vulnerability assessment strategy
  • Numerous custom PowerShell scripts to perform automated vulnerability testing or provide a shell for your own unique needs
  • A proven Vulnerability Assessment Framework to guide your operations and assure sustained and iterative value from your services
  • A USB 3.0 thumb drive that includes all course tools, VMs, and cheat sheets

Hands-on Training

Security 460: Enterprise Threat and Vulnerability Assessment is designed with numerous hands-on scenarios and exercises, each one designed to reinforce the concepts covered in the course. In the hands-on portion, you will interact with industry-grade tools on a meticulously crafted cyber range. The range is a large environment with many of the same systems you will encounter in a typical enterprise. Lab exercises throughout the course allow students to practice practical techniques and overcome issues commonly encountered in real-world enterprise vulnerability assessments.

Topics include:

  • Enterprise Engagement Planning and Logistics
  • Open-Source Intelligence Gathering
  • Active and Passive Reconnaissance
  • DNS Zone Speculation and Dictionary-Enabled Discovery
  • The Windows Domain: Exchange, SharePoint, and Active Directory
  • Network Vulnerability Scanning with Nexpose
  • Web Application Scanning with IBM AppScan
  • Enterprise PowerShell: Windows Remoting, WMI, Third-Party Cmdlets, and More
  • Triage, Reporting, Remediation, and More

Author Statement

"Having worked with many different environments in my career, one thing that has always struck me is how to manage threats and vulnerabilities at enterprise scale. This course is the result of decades of experience performing vulnerability assessments. We walk the walk, going through theory and exercises that are practical techniques for managing modern threats and vulnerabilities. We use tools, methodology, and automation that will give you a manageable strategy applicable to any environment." - Adrien de Beaupre

"Assuming the role of standard-bearer for a community comprised of many of today's foremost thought-leaders may seem like a daunting proposition at first. However, the opportunity to introduce aspiring new hackers to a tribe of like minds is a singular and enduring pleasure. Because SEC460 is a foundational course in the SANS penetration testing curriculum, it is itself a herald and a promise. For some newcomers, the first adventure with SANS is the spark of awakening for their inner hacker. It acts as a catalyst facilitating personal evolution and even genesis of a lifelong passion. The course authors, Adrien de Beaupre, Tim Medin, and myself, have meticulously crafted the SEC460 challenge to be a formative experience, attainable by all yet elementary to none. Few things are more gratifying than watching an assiduous mind, armed for the fight, rising to meet the challenge with a flourish and a coup de grace, and ending in triumph!" - Matthew Toussain

*CPE/CMU credits not offered for the SelfStudy delivery method


*Course contents may vary depending upon location, see specific event description for details.