TBT570: Team-Based Training - Blue Team and Red Team Dynamic Workshop

    36 CPEs

    TBT570: Team-Based Training - Blue Team / Red Team Dynamic Workshop is a unique course during which student teams of three to five participants work together as a Blue Team to battle an adversary in real time. The technical terrain, the SANS Cyber Range, is a realistic enterprise environment.

    What You Will Learn

    This interactive exercise is designed for people who learn by actually doing. You will not be spoon-fed through lectures or follow-along labs in this session. Instead, you will participate in a dynamic highly interactive exercise defending an environment under attack in real time as you build your skills working alongside your team. The course is designed to help students build team skills, leadership abilities, communication techniques, and technical expertise, all while under fire in a series of increasingly complex scenarios.

    Student Blue Teams use a variety of enterprise tools to analyze and respond to Advanced Persistent Threats deeply embedded in the environment, defending against a series of offensive campaigns. In addition to learning from the instructors throughout the exercise, students are encouraged to share their own skills and techniques to cross-pollinate good ideas between the different Blue Teams represented in the room.

    The various groups participating in the cyber range exercise include:

    • The Blue Teams, made up of student attendees and led by a SANS instructor
    • The SANS Red Team, consisting of SANS offensive experts who will engage the Blue Team
    • The White Cell, the overall organizer and authority in the exercise
    • The SANS Cyber Range Ops team, who run the Cyber Range to ensure its operation and stability

    A SANS instructor will direct the Blue Teams as they uncover the attacker's command-and-control channels and work to eradicate the adversary from compromised systems. SANS will provide skilled Red Team operators who will utilize the Tactics, Techniques, and Procedures to present various Indicators of Compromise from real-world APT cases throughout the workshop in order to challenge students to build their Blue Team skills.

    The SANS White Cell oversees the exercise and ensures that it runs smoothly, while the SANS Ops team runs the underlying cyber range infrastructure. Each day finishes with a live hot-wash discussion during which the Red and Blue Teams review the activities from the day with the White Cell and each other to level-set and ensure that specific learning objectives have been met. These afternoon discussions will also allow Blue Team members from different organizations (including commercial companies, government agencies, military agencies, and more) to share their insights for dealing with such attacks.

    The live, interactive battle will occur over five days, with a sixth and final day focused on the Blue Teams and the Red Team presenting their After Action Reviews describing lessons learned. These reports make up a deliverable that students can bring back to their organization to improve its security stance.

    Syllabus (36 CPEs)

    • Day 1 Overview

      On the first day we discuss the Tactics, Techniques, and Procedures (TTPs) of today's most dangerous adversaries. We then cover how organizations can utilize a team-based approach to effectively detect and eradicate such actors in their networks. We'll cover effective small team dynamics, along with inter-team communication techniques that are essential to handling attacks on a larger-scale environment. With a series of team-based exercises, students learn how to work together more effectively as members and leaders of a team, while mastering incredibly useful tips, tricks, and skills that they can utilize right away to better defend their environments.

    • Day 2 Overview

      On day 2, students get direct access to the TBT570 cyber range, along with a guided hands-on tour to orient them to the environment they'll be working in to engage adversaries through the rest of the course. The range represents the IT infrastructure of a realistic town, with several enclaves that host different components of that town, including computer servers, clients, network equipment, and Industrial Control System (ICS) devices. Using credentials and a network map, students explore the Windows Domain and its associated initial Group Policy, the SIM/SEM solution included in the range, the vulnerability scanning service, the trouble ticketing systems, and the management infrastructure.

    • Day 3 Overview

      On day 3, we up the ante by introducing a more advanced adversary into the environment, played by the Red Team instructor. The session starts with an intel in-briefing, describing the situation and what is currently known about the new Advanced Persistent Threat (APT) adversary and its goals. Students apply the tools and techniques learned in Days 1 and 2, along with any additional optional tools that they brought with them, to find and battle the adversary in real time. The Blue Team instructor and TA act as coaches and advisors, as students build their skills in a realistic scenario.

    • Day 4 Overview

      By day 4, TBT570 students are working together very effectively as a team of teams. And that's a very good thing, because we up the capabilities of the adversary in Campaign B. For this campaign, students will face a nation-state-level adversary, presenting Indicators of Compromise (IOCs) and TTPs of a specific APT. After an initial intel in-briefing, students hunt for this adversary, supported with the coaching and encouragement of the Blue Team instructor and TA. By analyzing the IOCs presented by the attacker, students will do research to attempt to attribute these actions to a specific adversary. They can then use this intelligence to anticipate the adversary's next moves and to identify other IOCs left by this actor. With this information, students can disrupt various components of the attacker's multiple Command and Control channels to thwart the adversary in the environment.

    • Day 5 Overview

      On day 5, we really throw everything we've got at the now much more experienced student Blue Team. Our most skilled and powerful adversary utilizes custom malware created just for this course to engage in Campaign C. Using a whole host of nation-state techniques to pillage, pilfer, and plunder, this subtle attacker undermines systems stealthily and uses numerous techniques to pivot through the environment to achieve a series of goals. All along the way, students use the hands-on skills and knowledge they've gained throughout the course to find and dispel this attacker. It's a fearsome battle, but armed with their skills and some tips, hints, and encouragement from the Blue Team instructor and TA, students will further build out their abilities as they defeat this adversary and then conduct the daily shot validation meeting.

    • Day 6 Overview

      Throughout the previous five days of the course, instructors and TAs encouraged students to maintain a daily log of useful lessons they learned in class and will be able to apply when they get back to the office. On day 6, student teams work to create an After-Action Review/Post Mortem presentation. Using a presentation template we provide, students write up the lessons they learned in each campaign and reflect on how they'll apply those lessons when they get back to the office. The Blue Team instructor and TA provide useful tips in developing and presenting the review information. Students then present their results to the rest of the class, so everyone benefits from the lessons learned by each student.

    Prerequisites

    Students are expected to have moderate to deep cyber security skills in cyber defense, digital forensics, and incident response. Such expertise can be gained from three or more years in a technical role as a security analyst, incident responder, or cyber defender, or through taking three or more 500-level SANS courses in those topics.

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

    Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.

    Windows

    Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

    The course includes a VMware image file of a guest Linux system that is larger than 20 GB. Therefore, you need at least 60 GB free in your file system.

    IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some labs, so make sure you have the anti-virus administrator privileges to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

    Enterprise VPN clients may interfere with the network configuration required to participate in the course. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in the course.

    VMware

    Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

    Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.

    VMware Workstation Pro and VMware Player on Windows 10 are not compatible with the Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following the instructions in this document.

    We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware.

    Linux

    You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware as described above. The course does not support VirtualBox, Hyper-V, or other non-VMware virtualization products.

    Mandatory Laptop Hardware Requirements:

    • x64-compatible CPU, 2.0 GHz or faster
    • 8 GB RAM minimum
    • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
    • 60 GB available hard-drive space
    • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described herein.

    During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.

    By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

    Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

    SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

    Author Statement

    The SANS Blue Team / Red Team Dynamic Workshop course can really take an organization's skills to the next level. Whenever we've run this session, the take-aways have been INCREDIBLE - participants' skills and capabilities grow massively as they learn to function as an efficient team. And, the level-setting that we do at the end of each day helps ensure that the operations tempo remains vivid and exciting while learning occurs. This course is really an incredible opportunity for people who already have three or more years' experience and are looking to really ramp up their skills to be game changers in their organizations.

    - Ed Skoudis, SANS Fellow

    No scheduled events for this course.

    Who Should Attend TBT570?

    • SOC Analysts
    • Hunt Team members
    • Blue Team members
    • Incident responders
    • Red Teamers looking to better understand Blue Team operations
    © 2022 SANS™ Institute