What You Will Learn
All security professionals, including penetration testers, forensic analysts, network defenders, security administrators, and incident responders, have one experience in common: CHANGE. Tools, technologies, and threats change constantly, but Python is a simple, user-friendly language that can help you keep pace with change, allowing you to write custom tools and automate tasks to effectively manage and respond to your unique threats.
Whether you are new to coding or have been coding for years, SEC573: Automating Information Security with Python will have you creating programs that make your job easier and your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience with or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the course.
Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require. Maybe your chosen Operating System has a new feature that creates interesting forensic artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensic artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.
Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization. The answer is simple if you have the skills: Write tools to automate various aspects of your defenses.
Or, as a penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool or modify existing capabilities to make them perform as you need.
SEC573 is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you to better automate the daily routine of today's information security professional and to achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Learn Python in-depth with us to become fully weaponized.
You Will Learn How To:
- Leverage Python to perform routine tasks quickly and efficiently
- Automate log analysis and packet analysis with file operations, regular expressions, and analysis modules to find evil
- Develop forensics tools to carve binary data and extract new artifacts
- Read data from databases and the Windows Registry
- Interact with websites to collect intelligence
- Develop UDP and TCP client and server applications
- Automate system processes and process their output
Syllabus (36 CPEs)
Download PDF-
Overview
The course begins with a brief introduction to Python and the pyWars Capture-the-Flag challenge. We set the stage for students to learn at their own pace in the pyWars lab environment, which is 100 percent hands-on. As more advanced students take on Python-based Capture-the-Flag challenges, students who are new to programming will start from the very beginning with Python essentials.
Topics
- Syntax
- Variables
- Math Operators
- Strings
- Functions
- Modules
- Control Statements
- Introspection
-
Overview
You will never learn to program by staring at PowerPoint slides. This section continues the hands-on, lab-centric approach established at the beginning of the course. It covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and tricks to make you a better Python programmer and to show you how to debug your code.
Topics
- Lists
- Loops
- Tuples
- Dictionaries
- The Python Debugger
- Coding Tips
- Tricks and Shortcuts
- System Arguments
- ArgParser Module
-
Overview
In this section, we take on the role of a network defender with more logs to examine than there is time in the day. Attackers have penetrated the network and you will have to analyze the logs and packet captures to find them. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltrate your data. Forensicators and offensive security professional won't be left out because reading and writing files and parsing data is also an essential skill they will apply to their craft.
Topics
- File Operations
- Python Sets
- Regular Expressions
- Log Parsing
- Data Analysis Tools and Techniques
- Long-Tail/Short-Tail Analysis
- Geolocation Acquisition
- Blacklists and Whitelists
- Packet Analysis
- Packet Reassembly
- Payload Extraction
-
Overview
In our forensics-themed section, we will assume the role of a forensic analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills covered in this section are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract those data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then, we will discuss techniques for finding artifacts in other locations, such as SQL databases, and interacting with web pages.
Topics
- Acquiring Images from Disk
- Memory and the Network
- File Carving
- The STRUCT module
- Raw Network Sockets and Protocols
- Image Forensics and PIL
- SQL Queries
- HTTP Communications with Python Built in Libraries
- Web Communications with the Requests Module
-
Overview
During our offensive-themed section, we play the role of penetration testers whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for Incident response or systems administration, but our focus will be on offensive operations.
Topics
- Network Socket Operations
- Exception Handling
- Process Execution
- Blocking and Non-blocking Sockets
- Using the Select Module for Asynchronous Operations
- Python Objects
- Argument Packing and Unpacking
-
Overview
In this final section you will be placed on a team with other students to apply the skills you have mastered in a series of programming challenges. Participants will exercise the new skills and the code they have developed throughout the course in a series of challenges. You will solve programming challenges, exploit vulnerable systems, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!
Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SME's are available to support every OnDemand student's experience.
GIAC Python Coder
The GIAC Python Coder (GPYC) certification validates a practitioner’s understanding of core programming concepts, and the ability to write and analyze working code using the Python programming language. GPYC certification holders have demonstrated knowledge of common python libraries, creating custom tools, collecting information about a system or network, interacting with websites and databases, and automating testing.
Python essentials: variable and math operations, strings and functions, and compound statements
Data structures and programming concepts, debugging, system arguments, and argparser
Python application development for pen testing: backdoors and SQL injection
Prerequisites
A basic understanding of any programming or scripting language is highly recommended but not required for this course. SEC573 starts with the most basic fundamentals of Python programming. There is no aspect of programming or Python that must be understood before attending this course. The lab environment is self-paced and this allows students who have had some experience coding advance more quickly than those who have not. You are provided a Virtual Machine that gives you the ability to complete the labs that are in your course book after the live course or your OnDemand access has finished.
Laptop Requirements
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at www.vmware.com.
Windows
You are required to bring the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.
The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
VMware
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
We will give you a USB full of tools to use during the class (which is yours to keep). We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.
Linux
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.
Mandatory Laptop Hardware Requirements
- x86- or x64-compatible 2.0 GHz CPU minimum or higher
- An available USB port with the ability to read an ExFat format.
- 8 GB or higher recommended
- Ethernet adapter: Students attending a live class will require a wired connection. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you
- 60 GB available hard drive space
During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
Author Statement
"Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. SEC573 is designed for network defenders, forensics examiners, penetration testers, and other security professionals who want to learn how to apply basic coding skills to do their job more efficiently. This course will help take your career to the next level by teaching you these highly sought-after skills. We will focus on the most important skills for security professionals, such as interacting with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your place of work."
-- Mark Baggett
Ways to Learn
- OnDemand
Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.
- Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.
- In Person (6 days)
Training events and topical summits feature presentations and courses in classrooms around the world.
Who Should Attend SEC573?
- Security professionals who benefit from automating routine tasks so they can focus on what's most important
- Forensic analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
- Network defenders who sift through mountains of logs and packets to find evil-doers in their networks
- Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
- Security professionals who want to evolve from security tool consumer to security solution provider
