
SEC503: Intrusion Detection In-Depth

The concepts learned in 503 helped me bridge a gap in knowledge of what we need to better protect our organization.

Greg Thys, Mary Greeley Med Ctr

This course provides a good basis of knowledge and presents important tools which will be at the core of any intrusion analysis.

Thomas Kelly, DIA

SEC503 is one of the most important courses that you will take in your information security career. While past students describe it as the most difficult class they have ever taken, they also tell us it was the most rewarding. This course isn't for people who are simply looking to understand alerts generated by an out-of-the-box Intrusion Detection System (IDS). It's for people who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about. If you want to be able to find zero-day activities on your network before disclosure, this is definitely the class for you.

What sets this course apart from any other training is that we take a bottom-up approach to teaching network intrusion detection and network forensics. Rather than starting with a tool and teaching you how to use that tool in different situations, this course teaches you how and why TCP/IP protocols work the way they do. After spending the first two days examining what we call "Packets as a Second Language," we add in common application protocols and a general approach to researching and understanding new protocols. With this deep understanding of how network protocols work, we turn our attention to the most widely used tools in the industry to apply this deep knowledge. The result is that you will leave this class with a clear understanding of how to instrument your network and the ability to perform detailed incident analysis and reconstruction.

These benefits alone make this training completely worthwhile. What makes the course as important as we believe it is (and students tell us it is), is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today.

Preserving the security of your site in today's threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.

Mark Twain said, "It is easier to fool people than to convince them that they've been fooled." Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic, and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access and the ability to examine the alerts to give them meaning and context. You will learn to investigate and reconstruct activity to deem if it is noteworthy or a false indication.

This course delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Zeek, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Evening Bootcamp sessions and exercises force you to take the theory taught during the day and apply it to real-world problems immediately. Basic exercises include assistive hints, while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

A Virtual machine (VM) is provided with tools of the trade. It is supplemented with demonstration PCAPs containing network traffic. This allows you to follow along on your laptop with the course material and demonstrations. The PCAPs also provide a good library of network traffic to use when reviewing the material, especially for the GCIA certification associated with this course.

SEC503 is most appropriate for students who monitor and defend their network, such as security analysts, although others may benefit from the course as well. Students range from seasoned analysts to novices with some TCP/IP background. Please note that the VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a command-line Linux environment, along with learning some of the core UNIX commands, before coming to class.


Course Syllabus and Course Contents

Day 1/2: Fundamentals of Traffic Analysis

  • Why you should capture and be able to analyze packets
  • Understanding bits, bytes, binary, and hexadecimal
  • TCP/IP concepts
  • Using tcpdump and Wireshark and their filtering techniques
  • Link layer, IPv4, IPv6, and fragmentation
  • Transport layers TCP, UDP, and ICMP

Day 3: Application Protocols

  • Scapy
  • HTTP
  • SMTP
  • Microsoft protocols
  • DNS
  • IDS evasions

Day 4: Network Monitoring: Signatures vs. Behaviors

  • Architecture for network monitoring
  • Running, installing, configuring, and customizing Snort
  • Writing Snort rules
  • Running, installing, configuring, and customizing Bro
  • Writing Bro scripts and signatures, and raising Bro notices

Day 5: Network Traffic Forensics

  • Hands-on experience analyzing incident scenarios
  • Data-driven analysis vs. alert-driven reactions
  • Hypothesis and visualization for large-scale network analysis
  • Using the open-source SiLK tool suite on network flow records to expose network behavior anomalies
  • Understanding and detecting covert channels
  • Analyzing large pcap files
  • Identifying C2 activities
  • Practical analysis of TLS data

Day 6: Advanced IDS Capstone Event

  • Collaborate with fellow students to compete in a NetWars-like IDS-specific challenge

You Will Learn

  • How to analyze traffic traversing your site to avoid becoming another "Hacked!" headline
  • How to identify potentially malicious activities for which no IDS has published signatures
  • How to place, customize, and tune your IDS/IPS for maximum detection
  • Hands-on detection, analysis, and network forensic investigation with a variety of open-source tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection


Course Syllabus

Overview

The first section of this course begins our bottom-up coverage of the TCP/IP protocol stack, providing a refresher or an introduction to TCP/IP, depending on your background. This is the first step in what we think of as a "Packets as a Second Language" course. Students are introduced to the importance of collecting the actual packets involved in attacks and are immediately immersed in low-level packet analysis. We cover the essential foundations such as the TCP/IP communication model, the theory of bits, bytes, binary and hexadecimal, and the meaning and expected behavior of every field in the IP header. Students are introduced to the use of the open-source Wireshark and tcpdump tools for traffic analysis.

We begin our exploration of the TCP/IP communication model with the study of the link layer, the IP layer, both IPv4 and IPv6, and packet fragmentation in both. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender.

All traffic is discussed and displayed using both Wireshark and tcpdump, with the pros and cons of each tool explained and demonstrated. Students can follow along with the instructor viewing the sample traffic capture files supplied. Multiple hands-on exercises after each major topic offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 8

Topics

Concepts of TCP/IP

  • Why is it necessary to understand packet headers and data?
  • TCP/IP communications model
  • Data encapsulation/de-encapsulation
  • Discussion of bits, bytes, binary, and hex

Introduction to Wireshark

  • Navigating around Wireshark
  • Examination of Wireshark statistics
  • Stream reassembly
  • Finding content in packets

Network Access/Link Layer: Layer 2

  • Introduction to 802.x link layer
  • Address resolution protocol
  • ARP spoofing

IP Layer: Layer 3

  • IPv4
    • Examination of fields in theory and practice
    • Checksums and their importance, especially for an IDS/IPS
    • Fragmentation: IP header fields involved in fragmentation, composition of the fragments, fragmentation attacks
  • IPv6
    • Comparison with IPv4
    • IPv6 addresses
    • Neighbor discovery protocol
    • Extension headers
    • IPv6 in transition
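
As an added illustration of the Section 1 material (the meaning of each IPv4 header field, the header checksum, and the fragmentation fields), here is a small parser. It is example code written for this page, not course material or a SANS tool. The two sample headers are constructed, with their checksums computed for them, and the names `parse_ipv4`, `ipv4_checksum` and `describe` are this example's own. A stale checksum is what a forwarding bug or in-flight tampering leaves behind, and an IDS that does not validate it will spend effort inspecting a packet the destination host will silently discard.

```python
import struct
from dataclasses import dataclass


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of the
    16-bit header words, computed with the checksum field (bytes 10-11) taken as zero."""
    if len(header) % 2:
        raise ValueError("IPv4 header length must be a multiple of 4 bytes")
    total = 0
    for i in range(0, len(header), 2):
        if i == 10:
            continue  # the checksum field itself counts as zero
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    header_len: int        # bytes (IHL * 4)
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int   # bytes (13-bit field value * 8)
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str

    @property
    def is_fragment(self) -> bool:
        # A datagram is a fragment if more fragments follow or it does not start at 0.
        return self.more_fragments or self.fragment_offset != 0


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header and verify its checksum over IHL*4 bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _dscp_ecn, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[: ihl * 4]
    return IPv4Header(
        version=version,
        header_len=ihl * 4,
        total_length=total_length,
        identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),   # bit 1 of the flags field
        more_fragments=bool(flags_frag & 0x2000),  # bit 2 of the flags field
        fragment_offset=(flags_frag & 0x1FFF) * 8, # low 13 bits, in 8-byte units
        ttl=ttl,
        protocol=proto,
        checksum=csum,
        checksum_ok=ipv4_checksum(header) == csum,
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
    )


# Constructed sample headers (not captured traffic): the 1500-byte first fragment and the
# 100-byte last fragment of one UDP datagram, ID 0x1c46, 192.168.0.1 -> 192.168.0.2.
FIRST_FRAGMENT = bytes.fromhex("4500 05dc 1c46 2000 4011 b777 c0a80001 c0a80002")
LAST_FRAGMENT = bytes.fromhex("4500 0064 1c46 00b9 4011 dc36 c0a80001 c0a80002")
# The first fragment with its TTL changed to 63 but the checksum left stale. A router that
# decrements TTL recomputes the checksum, so a mismatch points at corruption or tampering.
CORRUPTED = FIRST_FRAGMENT[:8] + b"\x3f" + FIRST_FRAGMENT[9:]


def describe(pkt: bytes) -> str:
    """One-line analyst summary of a header, flagging a bad checksum."""
    h = parse_ipv4(pkt)
    frag = (f"fragment offset {h.fragment_offset}, MF={int(h.more_fragments)}"
            if h.is_fragment else "not fragmented")
    return (f"{h.src} -> {h.dst} proto={h.protocol} ttl={h.ttl} len={h.total_length} "
            f"id=0x{h.identification:04x} {frag} checksum={'ok' if h.checksum_ok else 'BAD'}")


if __name__ == "__main__":
    for sample in (FIRST_FRAGMENT, LAST_FRAGMENT, CORRUPTED):
        print(describe(sample))
```

The second fragment's offset field of 0xb9 (185 units of 8 bytes) places it at byte 1480, exactly the payload size of the 1500-byte first fragment after its 20-byte header, which is the consistency check an analyst makes when deciding whether a set of fragments reassembles cleanly or overlaps.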

Overview

Section 2 continues where the first section ended, completing the "Packets as a Second Language" portion of the course and laying the foundation for the much deeper discussions to come. In this section, students will gain a deep understanding of the primary transport layer protocols used in the TCP/IP model. Two essential tools, Wireshark and tcpdump, are further explored, using advanced features to give you the skills to analyze your own traffic. These tools are used to filter large-scale data down to traffic of interest, using Wireshark display filters and tcpdump Berkeley Packet Filters, in the context of our exploration of the TCP/IP transport layers covering TCP, UDP, and ICMP. Once again, we discuss the meaning and expected function of every header field, covering a number of modern innovations that have very serious implications for modern network monitoring, and we analyze traffic not just in theory and function, but from the perspective of an attacker and defender.

Once again, students can follow along with the instructor viewing the sample capture files supplied. Hands-on exercises after each major topic offer you the opportunity to reinforce what you just learned.

The bootcamp material at the end of this section moves students out of theory and begins to work through real-world application of the theory learned in the first two sections. Students learn the practical mechanics of command line data manipulation that are invaluable not only for packet analysis during an incident but also useful for many other information security and information technology roles.

CPE/CMU Credits: 8

Topics

Wireshark Display Filters

  • Examination of some of the many ways that Wireshark facilitates creating display filters
  • Composition of display filters

Writing BPF Filters

  • The ubiquity of BPF and utility of filters
  • Format of BPF filters
  • Use of bit masking

TCP

  • Examination of fields in theory and practice
  • Packet dissection
  • Checksums
  • Normal and abnormal TCP stimulus and response
  • Importance of TCP reassembly for IDS/IPS

UDP

  • Examination of fields in theory and practice
  • UDP stimulus and response

ICMP

  • Examination of fields in theory and practice
  • When ICMP messages should not be sent
  • Use in mapping and reconnaissance
  • Normal ICMP
  • Malicious ICMP

Real-World Analysis -- Command Line Tools

  • Regular Expressions fundamentals
  • Rapid processing using command line tools
  • Rapid identification of events of interest
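
The BPF bit-masking topic above (tests such as `tcp[13] & 0x12 == 0x12` on individual header bytes) is what tcpdump compiles into kernel packet filters. As an added example that is not part of the course or of tcpdump, here is a small pure-Python evaluator for the `proto[offset:size] & mask op value` form, run against constructed Ethernet/IPv4/TCP frames. `bpf_match`, `filter_frames` and `build_frame` are this example's own names. The evaluator reproduces two implicit checks real tcpdump applies: `tcp[...]` only matches when the IP protocol field is 6 and the packet is the first or only fragment, which is why a non-first fragment never matches a `tcp[13]` test even though it may carry TCP data.

```python
import re
import struct

ETH_HLEN = 14  # Ethernet II header length; the example assumes Ethernet link layer

# proto[offset] or proto[offset:size], optional "& mask", then ==, = or !=, then a value
_FILTER_RE = re.compile(
    r"^\s*(ip|tcp|udp)\[(\d+)(?::([124]))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*(!=|==|=)\s*(0x[0-9a-fA-F]+|\d+)\s*$"
)
_PROTO_NUM = {"tcp": 6, "udp": 17}


def _num(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def _layer_offset(pkt: bytes, proto: str):
    """Byte offset of the requested layer inside the frame, or None when the frame is not
    of that kind (EtherType must be IPv4; tcp/udp also need the matching IP protocol
    number and a fragment offset of zero, as tcpdump requires)."""
    if len(pkt) < ETH_HLEN + 20 or pkt[12:14] != b"\x08\x00":
        return None
    ip_off = ETH_HLEN
    if proto == "ip":
        return ip_off
    ihl = (pkt[ip_off] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[ip_off + 6:ip_off + 8])[0] & 0x1FFF
    if pkt[ip_off + 9] != _PROTO_NUM[proto] or frag_off != 0:
        return None
    return ip_off + ihl


def bpf_match(pkt: bytes, expr: str) -> bool:
    """Evaluate one byte-offset filter expression against a raw Ethernet frame."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, size, mask, op, value = m.groups()
    off, size = int(off), int(size or 1)
    base = _layer_offset(pkt, proto)
    if base is None:
        return False
    field = pkt[base + off:base + off + size]
    if len(field) != size:
        return False  # packet too short to hold the tested bytes
    word = int.from_bytes(field, "big")
    if mask is not None:
        word &= _num(mask)
    rhs = _num(value)
    return word != rhs if op == "!=" else word == rhs


def filter_frames(frames, expr: str):
    """Indices of the frames that satisfy the expression (what tcpdump would print)."""
    return [i for i, f in enumerate(frames) if bpf_match(f, expr)]


def build_frame(tcp_flags: int, frag_field: int = 0x4000) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.5:40000 -> 10.0.0.80:80; the IP checksum
    is left at zero because byte-offset filters do not validate it."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag_field, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp


SYN = build_frame(0x02)
SYN_ACK = build_frame(0x12)
ACK = build_frame(0x10)
FRAG = build_frame(0x10, frag_field=0x00B9)  # non-first fragment, offset 1480 bytes
FRAMES = [SYN, SYN_ACK, ACK, FRAG]

if __name__ == "__main__":
    for expr in ("tcp[13] & 0x02 != 0", "tcp[13] & 0x12 == 0x12",
                 "tcp[13] & 0x12 == 0x02", "ip[6:2] & 0x1fff != 0"):
        print(f"{expr:28s} -> frames {filter_frames(FRAMES, expr)}")
```

The mask is what separates "SYN set" (`& 0x02 != 0`) from "exactly SYN" (`== 0x02`), and the last expression is the classic test for non-first fragments, which an IDS must reassemble before any transport-layer rule can see them.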

Overview

Section 3 builds on the foundation of the first two sections of the course, moving into the world of application layer protocols. Students are introduced to the versatile packet crafting tool Scapy. This is a very powerful Python-based tool that allows for manipulating, creating, reading, and writing packets. Scapy can be used to craft packets to test the detection capability of an IDS/IPS, which is especially important when a new user-created IDS rule is added, for instance for a recently announced vulnerability. Various practical scenarios and uses for Scapy are provided throughout this section.

The focus of the section is on some of the most widely used, and sometimes vulnerable, crucial application protocols: DNS, HTTP(S), SMTP, and Microsoft communications. Particular attention is given to protocol analysis, a key skill in intrusion detection. Additional Wireshark capabilities are explored in the context of incident investigation and forensic reconstruction of events based on indicators in traffic data.

The course day ends with a discussion of modern IDS/IPS evasions, the bane of the analyst. Students are introduced to the theory behind these evasions, and several undocumented modern evasions are explained, along with discussion of the current detection gaps in the IDS marketplace at large. The theory and possible implications of evasions at different protocol layers are examined.

Again, students can follow along with the instructor viewing the sample traffic capture files supplied. Four hands-on exercises, one after each major topic, offer students the opportunity to reinforce what they just learned.

The end of section 3 again moves students from the realm of theory to practical application. Students continue in a guided exploration of real-world network data, applying the skills and knowledge learned over the first three sections of the course to an investigation of the data that will be used in the final capstone challenge.

CPE/CMU Credits: 8

Topics

Scapy

  • Packet crafting and analysis using Scapy
  • Writing packets to the network or to a pcap file
  • Reading packets from the network or from a pcap file
  • Practical Scapy uses for network analysis and network defenders

Advanced Wireshark

  • Exporting web objects
  • Extracting arbitrary application content
  • Wireshark investigation of an incident
  • Practical Wireshark uses for analyzing SMB protocol activity
  • Tshark

Detection Methods for Application Protocols

  • Pattern matching, protocol decode, and anomaly detection challenges

DNS

  • DNS architecture and function
  • Caching
  • DNSSEC
  • Malicious DNS, including cache poisoning

Microsoft Protocols

  • SMB/CIFS
  • MSRPC
  • Detection challenges
  • Practical Wireshark application

Modern HTTP and TLS

  • Protocol format
  • Why and how this protocol is evolving
  • Detection challenges

SMTP

  • Protocol format
  • STARTTLS
  • Sample of attacks
  • Detection challenges

IDS/IPS Evasion Theory

  • Theory and implications of evasions at different protocol layers
  • Sampling of evasions
  • Necessity for target-based detection

Identifying Traffic of Interest

  • Finding anomalous application data within large packet repositories
  • Extraction of relevant records
  • Application research and analysis

Hands-on exercises after each major topic offer students the opportunity to reinforce what they just learned.

Overview

The fundamental knowledge gained from the first three sections provides the foundation for deep discussions of modern network intrusion detection systems during section 4. Everything that students have learned so far is now synthesized and applied to designing optimized detection rules for Snort/Firepower, and this is extended even further with behavioral detection using Zeek (formerly known as Bro).

We begin with a discussion on network architecture, including the features of intrusion detection and prevention devices, along with a discussion about options and requirements for devices that can sniff and capture the traffic for inspection. This section provides an overview of deployment options and considerations, and allows students to explore specific deployment considerations that might apply to their respective organizations.

The remainder of the section is broken into two main parts. The first covers the most commonly used approach, signature-based detection using Snort or Firepower. The second is an introduction to Zeek, followed by a shift to constructing anomaly-based behavioral detection capabilities using Zeek's scripting language and cluster-based approach. One student who was already running Zeek (or Bro) prior to class commented that, "after seeing this section of the class, I now understand why [Zeek] matters; this is a real game changer."

After covering basic proficiency in the use of Zeek, the instructor will lead students through a practical threat analysis process that is used as the basis for an extremely powerful correlation script to identify any potential phishing activity within a defended network. Further practical examples are provided to students, demonstrating how this approach to behavioral analysis and correlation can close the enormous gap in relying solely on signature-based detection tools.

This section has less formal instruction and longer hands-on exercises to encourage students to become more comfortable with a less guided and more independent approach to analysis. This is intended to simulate the environment of an actual incident investigation that you may encounter at your sites. Hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

The material at the end of this section once again moves students out of theory and into practical use in real-world situations. Students continue to expand their understanding of the developing incident under analysis in preparation for the final capstone by applying all of the techniques learned so far.

CPE/CMU Credits: 8

Topics

Network Architecture

  • Instrumenting the network for traffic collection
  • IDS/IPS deployment strategies
  • Hardware to capture traffic

Introduction to IDS/IPS Analysis

  • Function of an IDS
  • The analyst's role in detection
  • Flow process for Snort and Bro
  • Similarities and differences between Snort and Bro

Snort

  • Introduction to Snort
  • Running Snort
  • Writing Snort rules
  • Solutions for dealing with false negatives and positives
  • Tips for writing efficient rules

Zeek

  • Introduction to Zeek
  • Zeek Operational modes
  • Zeek output logs and how to use them
  • Practical threat analysis
  • Zeek scripting
  • Using Zeek to monitor and correlate related behaviors

Hands-on exercises, one after each major topic, offer students the opportunity to reinforce what they just learned.

Overview

The fifth section continues the trend of less formal instruction and more practical application in hands-on exercises. It consists of three major topics, beginning with practical network forensics and an exploration of data-driven monitoring vs. alert-driven monitoring, followed by a hands-on scenario that requires students to use all of the skills developed so far. The second topic continues the theme of data-driven analysis by introducing large-scale analysis and collection using NetFlow and IPFIX data. Following a discussion of the powerful correlations and conclusions that can be drawn using the network metadata, students will work on a second guided scenario that leverages this set of tools, in addition to other skills learned throughout the week. The section concludes with a detailed discussion of practical TLS analysis and interception and more general command and control trends and detection/analysis approaches. A third scenario is provided for students to work on after class.

CPE/CMU Credits: 8

Topics

Introduction to Network Forensics Analysis

  • Theory of network forensics analysis
  • Phases of exploitation
  • Data-driven analysis vs. Alert-driven analysis
  • Hypothesis-driven visualization

Using Network Flow Records

  • NetFlow and IPFIX metadata analysis
  • Using SiLK to find events of interest
  • Identification of lateral movement via NetFlow data

Examining Command and Control Traffic

  • Introduction to command and control traffic
  • TLS interception and analysis
  • TLS profiling
  • Covert DNS C2 channels: dnscat2 and Ionic
  • Other covert tunneling, including The Onion Router (TOR)

Analysis of Large pcaps

  • The challenge of analyzing large pcaps
  • Students analyze three separate incident scenarios.
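
The flow-record topics above (NetFlow/IPFIX metadata, SiLK, lateral movement) come down to asking questions of 5-tuple summaries rather than of packets. As an added, self-contained example that is neither SiLK nor course material, the block below builds constructed flow records, applies an rwfilter-style selection, and computes, per internal source, the peak number of distinct internal peers contacted on SSH/SMB/RDP/WinRM ports inside a sliding time window. A workstation fanning out to twelve peers on SMB within a minute stands out from hosts that only talk to the file server. All hosts, ports, times and thresholds are constructed for the example, and `Flow`, `select`, `fan_out` and `suspects` are its own names.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # constructed internal range
LATERAL_PORTS = {22, 445, 3389, 5985}        # SSH, SMB, RDP, WinRM


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, the shape a NetFlow/IPFIX exporter emits."""
    start: int      # epoch seconds
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int


def _constructed_flows():
    flows = []
    # Benign: ten workstations 10.0.1.5-14 each talk to the file server 10.0.0.10 on SMB,
    # the DNS server 10.0.0.53, and an external web site.
    for i in range(10):
        ws = f"10.0.1.{i + 5}"
        flows.append(Flow(900 + i * 7, ws, "10.0.0.10", 6, 49000 + i, 445, 120, 60000))
        flows.append(Flow(905 + i * 7, ws, "10.0.0.53", 17, 52000 + i, 53, 2, 180))
        flows.append(Flow(910 + i * 7, ws, "203.0.113.5", 6, 50000 + i, 443, 40, 20000))
    # Suspicious: 10.0.1.15 opens SMB to twelve different peers within one minute,
    # each a short exchange, the footprint of enumeration or lateral movement.
    for i in range(12):
        flows.append(Flow(1000 + i * 5, "10.0.1.15", f"10.0.1.{20 + i}", 6, 41000 + i, 445, 3, 240))
    return flows


FLOWS = _constructed_flows()


def select(flows, *, dports=None, internal_only=False):
    """rwfilter-style selection: keep flows to the given destination ports and, when
    internal_only is set, only those with both endpoints in the internal range."""
    out = []
    for f in flows:
        if dports is not None and f.dport not in dports:
            continue
        if internal_only and not (ip_address(f.src) in INTERNAL and ip_address(f.dst) in INTERNAL):
            continue
        out.append(f)
    return out


def _max_distinct_in_window(events, window):
    """events: (time, peer) pairs. Largest count of distinct peers in any window-second span."""
    events = sorted(events)
    seen = Counter()
    best = left = 0
    for t, peer in events:
        seen[peer] += 1
        while events[left][0] < t - window:   # drop events that fell out of the window
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best


def fan_out(flows, window=300, ports=LATERAL_PORTS):
    """Per source host, the peak number of distinct internal destinations contacted on
    lateral-movement ports inside any window-second span."""
    per_src = defaultdict(list)
    for f in select(flows, dports=ports, internal_only=True):
        per_src[f.src].append((f.start, f.dst))
    return {src: _max_distinct_in_window(ev, window) for src, ev in per_src.items()}


def suspects(flows, threshold=8, window=300):
    """Sources whose fan-out meets the threshold; tune threshold to the site's baseline."""
    return sorted(src for src, n in fan_out(flows, window).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(fan_out(FLOWS).items()):
        print(f"{src:12s} distinct internal lateral peers in 5 min: {n}")
    print("suspects:", suspects(FLOWS))
```

The threshold is the policy knob: a backup server or a vulnerability scanner legitimately fans out, so in practice the baseline is learned per host role from a quiet period before the rule is allowed to alert.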

Overview

The course culminates with a fun, hands-on, score-server-based IDS challenge. Students compete as solo players or on teams to answer many questions that require using tools and theory covered in the first five sections. The challenge presented is based on hours of live-fire, real-world data in the context of a time-sensitive incident investigation. The challenge is designed as a "ride-along" event, where students are answering questions based on the analysis that a team of professional analysts performed of this same data.

CPE/CMU Credits: 6

Additional Information

IMPORTANT - BRING YOUR OWN LAPTOP

You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

You can use any version of Windows, Mac OS X, or Linux, as long as your core operating system can install and run current VMware virtualization products. You also must have 8 GB of RAM or more for the VM to function properly in class, in addition to at least 60 GB of free hard disk space.

Please download and install one of the following: VMware Workstation 14, VMware Player 14, or VMware Fusion 10 or higher on your system prior to the beginning of the class. If you do not own a licensed copy of VMware Workstation, VMware Player, or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible CPU, 2.4 GHz or faster
  • USB port
  • 8 GB RAM or higher
  • 60 GB free hard drive space
  • Windows 7/8/10, Mac OS X, or Linux -- any type
  • VMware Workstation, Fusion, or Player, as stated above
  • Wireless Ethernet 802.11 B/G/N/AC

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Intrusion detection (all levels), system, and security analysts

  • Analysts will be introduced to or become more proficient in the use of traffic analysis tools for signs of intrusions.

Network engineers/administrators

  • Network engineers/administrators will understand the importance of optimal placement of IDS sensors and how the use of network forensics such as log data and network flow data can enhance the capability to identify intrusions.

Hands-on security managers

  • Hands-on security managers will understand the complexities of intrusion detection and assist analysts by providing them with the resources necessary for success.
  • Students must have at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP and Hex Quizzes.
  • Familiarity and comfort with the use of Linux commands such as cd, sudo, pwd, ls, more, less

  • Course book with each section's material
  • Workbook with hands-on exercises and questions
  • DVD with the Packetrix Linux VMware image
  • TCP/IP pamphlet cheat sheet
  • MP3 audio files of the complete course lecture

  • Configure and run open-source Snort and write Snort signatures
  • Configure and run open-source Bro to provide a hybrid traffic analysis framework
  • Understand TCP/IP component layers to identify normal and abnormal traffic
  • Use open-source traffic analysis tools to identify signs of an intrusion
  • Comprehend the need to employ network forensics to investigate traffic to identify a possible intrusion
  • Use Wireshark to carve out suspicious file attachments
  • Write tcpdump filters to selectively examine a particular traffic trait
  • Craft packets with Scapy
  • Use the open-source network flow tool SiLK to find network behavior anomalies
  • Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire

The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra credit question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:

  • Day 1: Hands-On: Introduction to Wireshark
  • Day 2: Hands-On: Writing tcpdump filters
  • Day 3: Hands-On: IDS/IPS evasion theory
  • Day 4: Hands-On: Snort rules
  • Day 5: Hands-On: Analysis of three separate incident scenarios
  • Day 6: Hands-On: The entire day is spent engaged in the NetWars: IDS Version challenge

"This course is outstanding! It has changed my view on my network defense tools and the need to correlate data through multiple tools." Ben Clark, EY LLP

"I feel like I have been working with my eyes closed before this course." S. Ainscow, Barrett Steel

"As a cyber security analyst looking to work my way up to senior analyst, this course content seems incredibly relevant." Karishma Malde, e2e-assure

"I got a deeper understanding of key topics from SEC503. This training will help me get more data out of my investigations." Alphonse Wichrowski, Allegiant Air

Author Statement

When I began developing network monitoring and intrusion detection tools in the mid-1990s, I quickly realized that there were effectively no commercial solutions and no meaningful training. I had the pleasure of attending the initial version of this very course in late 1998 and knew immediately that I had found my home. Since that time, I've come to realize that network monitoring, intrusion detection, and packet analysis represent some of the very best data sources within our enterprise. These can be used to very rapidly confirm whether or not an incident has occurred, and allow an experienced analyst to determine, often in seconds or minutes, what the extent of a compromise might be. In a very real sense, I have found this to be the most important course that SANS has to offer. Not only will it cause you to think about your network in a very different way as a defender, but it is incredibly relevant for penetration testers who are looking to "fly under the radar." The concepts that you will learn in this course apply to every single role in an information security organization!

- David Hoelzer


24 Training Results (type, topic, course / location / instructor, date)

  • Training Event, Security: Jul 29, 2019 - Aug 3, 2019
  • Training Event, Security: Aug 19, 2019 - Aug 24, 2019
  • Training Event, Security: SANS Canberra Spring 2019, Canberra, Australia: Sep 16, 2019 - Sep 21, 2019
  • Training Event, Security: Sep 9, 2019 - Sep 14, 2019
  • Training Event, Security: Sep 9, 2019 - Sep 14, 2019
  • Training Event, Security: Sep 23, 2019 - Sep 28, 2019
  • Training Event, Security: SANS London September 2019, London, United Kingdom: Sep 23, 2019 - Sep 28, 2019
  • Training Event, Security: Oct 7, 2019 - Oct 12, 2019
  • Training Event, Security: SANS October Singapore 2019, Singapore, Singapore: Oct 14, 2019 - Oct 19, 2019
  • Training Event, Security: SANS San Diego 2019, San Diego, CA: Oct 7, 2019 - Oct 12, 2019
  • Summit, Security: Oct 9, 2019 - Oct 14, 2019
  • Training Event, Security (Waitlist): Oct 19, 2019 - Oct 24, 2019
  • Training Event, Security: SANS Santa Monica 2019, Santa Monica, CA: Oct 21, 2019 - Oct 26, 2019
  • Training Event, Security: Dec 2, 2019 - Dec 7, 2019
  • Training Event, Security: Dec 9, 2019 - Dec 14, 2019
  • Training Event, Security: Dec 12, 2019 - Dec 17, 2019
  • Training Event, Security: Feb 3, 2020 - Feb 8, 2020
  • Community SANS, Security, Staff: Sep 23, 2019 - Sep 28, 2019
  • Community SANS, Security: Nov 4, 2019 - Nov 9, 2019
  • vLive, Security, Online: Oct 28, 2019 - Dec 11, 2019
  • OnDemand, Security, Online: Anytime
  • Simulcast, Security, Online: Oct 7, 2019 - Oct 12, 2019
  • SelfStudy, Security, Online, Staff: Anytime
  • Private Training, All: Private Training Course of Your Choice, Your Choice

*Course contents may vary depending upon location, see specific event description for details.