What You Will Learn
Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.
It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.
Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.
Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more preventive and detective measures, completing the security lifecycle.
Syllabus (38 CPEs)Download PDF
Section 1 will focus on security in the design and configuration of various enterprise infrastructures. From a security perspective, proper design and configuration protects both the components being configured, as well as the rest of the organization that depends on that gear to defend other components from attacks. In other words, a good house needs a good foundation!
We'll discuss published security benchmarks, vendor guidance for securing various products, and regulatory requirements and how they impact defending infrastructure against specific attacks. To illustrate these points, we'll be looking in detail at securing and defending a router infrastructure against a number of device- and network-based attacks.
In addition, we'll cover securing Windows and Active Directory against specific attacks. Securing Private and Public Cloud Infrastructure against common attacks will also be discussed, and Active Defense approaches will be covered in some detail.
- Attack and Defense of Router Architectures
- Secure Configuration and Audit of Network Architectures
- Defenses against Attacks Mounted on Authentication Interfaces
- Defending and Attacking Critical Protocols
- Logging as a Critical Component of Defense
- Man-in-the-Middle Attacks and Defenses
- Active Defense:
- Honey Documents from Both the Attacker and Defender Perspective
- Security Benchmarks, Standards, and the Role of Audit in Defending Infrastructure
- Defense Using Authentication and Authorization, and Defending Those Services
- The Use of Logging and Security Information and Event Management (SIEM) in Defending an Organization from Attack
- Attacking and Defending Critical Protocols
- Several Man-in-the-Middle Attack Methods, and Defenses against Each
- Infrastructure Defense Using IPS, Next-Generation Firewalls, and Web Application Firewalls
- Defense of Critical Servers and Services
- Active Defense
- Defense of Private and Public Cloud Architectures
Security is all about understanding, mitigating, and controlling the risk to an organization's critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise the environment. On day two, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration tests to better understand the security posture for network services, operating systems, and applications. In addition, we'll talk about social engineering and reconnaissance activities to better emulate increasingly prevalent threats to users.
Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about scoping and planning their test projects, performing external and internal network penetration testing, web application testing, and pivoting through the environment like real-world attackers.
Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the organization's overall security.
- Scanning and Enumeration Fundamentals
- More Scanning and Enumeration Options
- Vulnerability Scanning with OpenVAS
- Exploitation + Metasploit Basics
- Basic Web App Scans and Attacks
- Metasploit and Pivoting
- Introduction to Penetration Testing Concepts
- Penetration Testing Scoping and Rules of Engagement
- Online Reconnaissance and Offensive Counterintelligence
- Social Engineering
- Network Mapping and Scanning Techniques
- Enterprise Vulnerability Scanning
- Network Exploitation Tools and Techniques
- Web Application Exploitation Tools and Techniques
- Post-Exploitation and Pivoting
- OS and Application Exploit Mitigations
- Reporting and Debriefing
"Prevention is ideal, but detection is a must" is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack is not successfully prevented, network security professionals need to analyze network traffic to discover attacks in progress, ideally stopping them before significant damage is done. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.
Because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are more stealthy and difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst capable of differentiating between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write intrusion detection rules that detect the latest attacks before they compromise a network environment.
Traffic analysis and intrusion detection used to be treated as a separate discipline within many organizations. Today, prevention, detection, and response must be closely knit, so that once an attack is detected, defensive measures can be adapted and proactive forensics implemented, and the organization can to continue to operate. This course section will start with a brief introduction to network security monitoring, followed by a refresher on network protocols with an emphasis on fields to look for as security professionals. We'll use tools like TCPdump and Wireshark to analyze packet traces and look for indicators of attacks. We'll use a variety of detection and analysis tools, craft packets with Scapy to test detection, and touch on network forensics and the Security Onion monitoring distribution. Students will also explore Snort as a network Intrusion Detection System, and examine rule signatures in-depth.
- Analyzing PCAPs with TCPdump
- Attack Analysis with Wireshark
- Crafting Packets to Test Network Monitoring
- Network Forensics with Security Onion: Detecting Malicious Activity
- Extracting PCAP Content for Forensics
- Snort Basics
- Wireshark Network Compromise Analysis
- Network Security Monitoring
- IP, TCP, and UDP Refresher
- Advanced Packet Analysis
- Introduction to Network Forensics with Security Onion
- Identifying Malicious Content and Streams
- Extracting and Repairing Content from PCAP files
- Traffic Visualization Tools
- Intrusion Detection and Intrusion Prevention
- Snort In-Depth
- Writing Snort Signatures
- Handling Encrypted Network Traffic
"Bad guy elimination" is the core mission for Digital Forensics and Incident Response (DFIR) professionals. Incidents happen, and organizations rely on these professional responders to find, scope, contain, and remediate evil from their networks. Investigators employ DFIR practices to determine what happened. DFIR teams conduct investigations to find evidence of compromise, remediate the environment, and provide data to generate local threat intelligence for operations teams in order to continuously improve detection. While traditionally seen as a finite process, incident response is now viewed as ongoing, with DFIR professionals searching for evidence of an attacker that has existed in the environment without detection by applying new threat intelligence to existing evidence - the crux of the concept of "threat hunting."
In this section, you will learn the core concepts of both "Digital Forensics" and "Incident Response." We'll explore some of the hundreds of artifacts that can give forensic investigators specific insight about what occurred during an incident. You will also learn how incident response currently operates, after years of evolving, in order to address the dynamic procedures used by attackers to conduct their operations. We'll look at how to integrate DFIR practices into a continuous security operations program.
We'll cover the general guidelines for a cyclical, six-step incident response process. Each step will be examined in detail, including practical examples of how to apply it. Lastly, you'll learn the artifacts that can best be used to determine the extent of suspicious activity within a given environment and how to migrate techniques to a large data set for enterprise-level analysis.
- Data Recovery with FTK Imager and Photorec
- Ransomware Timeline Analysis
- Ransomware Network Analysis
- DFIR Core Concepts: Digital Forensics
- Definitions and Use Cases/Mission Areas
- Performing Forensically Sound Analysis
- Forensic Artifacts in the Windows Environment
- Digital Forensics Tools
- DFIR Core Concepts: Incident Response
- Definitions and Use Cases
- Generating and Using Threat Intelligence for Incident Response
- DFIR Sub-disciplines: Endpoint, Network, Threat Intelligence, Reverse Engineering
- Incident Response Tools
- Modern DFIR: A Live and Continuous Process
- Definitions and Use Cases
- Six-Step Process Guidelines: Preparation, Identification/Scoping, Containment/Intelligence Development, Eradication/Remediation, Recovery, Follow-up/Lessons Learned
- Widening the Net: Scaling the DFIR Process and Scoping a Compromise
- Definitions and Use Cases
- Generation and Consumption of Threat Intelligence
- Examples of Artifacts to Support Scoping
- Scoping as a Continuous Component of Modern Incidence Response
- Scoping and Scaling Tools
Malicious software is responsible for many incidents in almost every type of organization. Types of Malware vary widely, from Ransomware and Rootkits to Crypto Currency Miners and Worms. We will define each of the most popular types of malware and walk through multiple examples. The four primary phases of malware analysis will be covered: Fully Automated Analysis, Static Properties Analysis, Interactive Behavior Analysis, and Manual Code Reversing. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis. You will get hands-on experience with tricking the malware through behavioral analysis techniques, as well as decrypting files encrypted by Ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.
- Static Properties Analysis of Ransomware
- Using Linux Tools such as File, Strings, clamscan, pescan, and VirusTotal
- Using Windows Tools such as PeStudio and strings2
- Interactive Behavior Analysis of Ransomware - Part I
- Use Process Monitor to Monitor File System, Network, Process Activity, and Registry Access
- Use Process Hacker to Examine Process Behavior and Memory
- Interactive Behavior Analysis of Ransomware - Part II
- Perform Advanced Behavioral Analysis against the Ransomware Specimen
- Trick the Ransomware into Thinking It Is Able to Reach Online Resources
- Utilize the Burp Proxy Tool to Modify Data to and from the Ransomware
- Convince the Ransomware that Payment Was Made to Recover All Files
- Manual Code Reversing of Ransomware
- Perform Code Analysis of the Ransomware
- Perform Deobfuscation for Further Analysis and Crypto Key Recovery
- Utilize PowerShell to Interact with the .NET Framework and Decrypt Files
- Introduction to Malware Analysis
- The Many Types of Malware
- ATM/Cash Machine Malware
- Building a Lab Environment for Malware Analysis
- Malware Locations and Footprints
- Fully Automated Malware
- Cuckoo Sandbox
- Static Properties Analysis
- Interactive Behavior Analysis
- Manual Code Reversing
- Tools such as IDA, PeStudio, ILSpy, Process Hacker, Process Monitor, NoFuserEx, etc.
The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they submit flags to score points. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, routing protocols, scanning, malware analysis, and other challenges related to the course material.
GIAC Certified Enterprise Defender
The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.
Incident handling and computer crime investigation
Computer and network hacker exploits
Hacker tools (Nmap, Nessus, Metasploit and Netcat)
While not required, it is recommended that students take SANS's SEC401: Security Essentials course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.
A properly configured laptop is required to participate in SEC501: Advanced Security Essentials - Enterprise Defender. Students must have Administrator privileges . Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.
For this course, SANS will provide you with the following virtual machines:
- Custom 64-bit Kali Linux
- Custom Windows 10 64-bit
- Security Onion
- Cisco CSR 1000V
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:
- CPU: 64-bit Intel i5 x 64 2.0+ GHz processor or higher-based system is mandatory for this class
- 16 GB RAM (32GB of memory is strongly recommended)
- 80 GB of available disk space (more space is recommended)
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
- VMware Workstation Pro 15.5.X+ or Fusion 11.5+
Please note: VMware Workstation or Fusion are mandatory. You must have the ability to take virtual machine snapshots, and you cannot do this with VMware Player.
You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website (see above). If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course. Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
While the labs will run fine for Mac/Fusion students, the lab workbook was written from a Windows host and VMware Workstation perspective. Students opting to bring Mac OS or Linux as their host OS are expected to manage any OS or virtualization software issues that might arise.
We suggest going over the following checklist to make sure that your laptop is prepared for SEC501: Advanced Security Essentials - Enterprise Defender:
- The laptop meets hardware requirements outlined in this section.
- If you use a trial copy of VMware Workstation, make sure that the VMware license will not expire before the class ends.
- The Windows VMware machine runs using host-only networking mode.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"I started off working as a network engineer and architect building enterprise networks. This role organically transitioned into secure design and engineering. My interest at the time in penetration testing and exploitation allowed me to verify that our designs being put into production were truly hardened. This interest eventually drove me into a career in full-blown reverse engineering and 0-day bug discovery/exploit development. After a long history of writing and teaching courses for SANS on advanced penetration testing and exploit writing, I am excited to take that experience and apply it back into defense. We selected a group of rock star authors to build the SEC501 syllabus and content, including Dave Shackleford, Phil Hagen, Matt Bromiley, and Rob Vandenbrink."
- Stephen Sims