What You Will Learn
TBT570: Team-Based Training - Blue Team / Red Team Dynamic Workshop is a unique course during which student teams of three to five participants work together as a Blue Team to battle an adversary in real time. The technical terrain, the SANS Cyber Range, is a realistic enterprise environment.
This interactive exercise is designed for people who learn by actually doing. You will not be spoon-fed through lectures or follow-along labs in this session. Instead, you will participate in a dynamic highly interactive exercise defending an environment under attack in real time as you build your skills working alongside your team. The course is designed to help students build team skills, leadership abilities, communication techniques, and technical expertise, all while under fire in a series of increasingly complex scenarios.
Student Blue Teams use a variety of enterprise tools to analyze and respond to Advanced Persistent Threats deeply embedded in the environment, defending against a series of offensive campaigns. In addition to learning from the instructors throughout the exercise, students are encouraged to share their own skills and techniques to cross-pollinate good ideas between the different Blue Teams represented in the room.
The various groups participating in the cyber range exercise include:
- The Blue Teams, made up of student attendees and lead by a SANS instructor
- The SANS Red Team, consisting of SANS offensive experts who will engage the Blue Team
- The White Cell, the overall organizer and authority in the exercise
- The SANS Cyber Range Ops team, who run the Cyber Range to ensure its operation and stability
A SANS instructor will direct the Blue Teams as they uncover the attacker's command-and-control channels and work to eradicate the adversary from compromised systems. SANS will provide skilled Red Team operators who will utilize the Tactics, Techniques, and Procedures to present various Indicators of Compromise from real-world APT cases throughout the workshop in order to challenge students to build their Blue Team skills.
The SANS White Cell oversees the exercise and ensures that it runs smoothly, while the SANS Ops team runs the underlying cyber range infrastructure. Each day finishes with a live hot-wash discussion during which the Red and Blue Teams review the activities from the day with the White Cell and each other to level-set and ensure that specific learning objectives have been met. These afternoon discussions will also allow Blue Team members from different organizations (including commercial companies, government agencies, military agencies, and more) to share their insights for dealing with such attacks.
The live, interactive battle will occur over five days, with a sixth and final day focused on the Blue Teams and the Red Team presenting their After Action Reviews describing lessons learned. These reports make up a deliverable that students can bring back to their organization improve its security stance.
Syllabus (36 CPEs)Download PDF
On the first day we discuss the Tactics, Techniques, and Procedures (TTPs) of today's most dangerous adversaries. We then cover how organizations can utilize a team-based approach to effectively detect and eradicate such actors in their networks. We'll cover effective small team dynamics, along with inter-team communication techniques that are essential to handling attacks on a larger-scale environment. With a series of team-based exercises, students learn how to work together more effectively as members and leaders of a team, while mastering incredibly useful tips, tricks, and skills that they can utilize right away to better defend their environments.
On day 2, students get direct access to the TBT570 cyber range, along with a guided hands-on tour to orient them to the environment they'll be working in to engage adversaries through the rest of the course. The range represents the IT infrastructure of a realistic town, with several enclaves that host different components of that town, including computer servers, clients, network equipment, and Industrial Control System (ICS) devices. Using credentials and a network map, students explore the Windows Domain and its associated initial Group Policy, the SIM/SEM solution included in the range, the vulnerability scanning service, the trouble ticketing systems, and the management infrastructure.
On day 3, we up the ante by introducing a more advanced adversary into the environment, played by the Red Team instructor. The session starts with an intel in-briefing, describing the situation and what is currently known about the new Advanced Persistent Threat (APT) adversary and its goals. Students apply the tools and techniques learned in Days 1 and 2, along with any additional optional tools that they brought with them, to find and battle the adversary in real time. The Blue Team instructor and TA act as coaches and advisors, as students build their skills in a realistic scenario.
By day 4, TBT570 students are working together very effectively as a team of teams. And that's a very good thing, because we up the capabilities of the adversary in Campaign B. For this campaign, students will face a nation-state-level adversary, presenting Indicators of Compromise (IOCs) and TTPs of a specific APT. After an initial intel in-briefing, students hunt for this adversary, supported with the coaching and encouragement of the Blue Team instructor and TA. By analyzing the IOCs presented by the attacker, students will do research to attempt to attribute these actions to a specific adversary. They can then use this intelligence to anticipate the adversary's next moves and to identify other IOCs left by this actor. With this information, students can disrupt various components of the attacker's multiple Command and Control channels to thwart the adversary in the environment.
On day 5, we really throw everything we've got at the now much more experienced student Blue Team. Our most skilled and powerful adversary utilizes custom malware created just for this course to engage in Campaign C. Using a whole host of nation-state techniques to pillage, pilfer, and plunder, this subtle attacker undermines systems stealthily and uses numerous techniques to pivot through the environment to achieve a series of goals. All along the way, students use the hands-on skills and knowledge they've gained throughout the course to find and dispel this attacker. It's a fearsome battle, but armed with their skills and some tips, hints, and encouragement from the Blue Team instructor and TA, students will further build out their abilities as they defeat this adversary and then conduct the daily shot validation meeting.
Throughout the previous five days of the course, instructors and TAs encouraged students to maintain a daily log of useful lessons they learned in class and will be able to apply when they get back to the office. On day 6, student teams work to create an After-Action Review/Post Mortem presentation. Using a presentation template we provide, students write up the lessons they learned in each campaign and reflect on how they'll apply those lessons when they get back to the office. The Blue Team instructor and TA provide useful tips in developing and presenting the review information. Students then present their results to the rest of the class, so everyone benefits from the lessons learned by each student.
Students are expected to have moderate to deep cyber security skills in cyber defense, digital forensics, and incident response. Such expertise can be gained from three or more years in a technical role as a security analyst, incident responder, or cyber defender, or through taking three or more 500-level SANS courses in those topics.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.
Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
The course includes a VMware image file of a guest Linux system that is larger than 20 GB. Therefore, you need at least 60 gigs free in your file system.
IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some labs, so make sure you have the anti-virus administrator privileges to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
Enterprise VPN clients may interfere with the network configuration required to participate in the course. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in course.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware.
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware as described above. The course does not support Virtual Box, HyperV, or other non-VMware virtualization products.
Mandatory Laptop Hardware Requirements:
- x64-compatible 2.0 GHz CPU minimum or higher
- 8 GB minimum
- Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
- 60 GB available hard-drive space
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described herein.
During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
The SANS Blue Team / Red Team Dynamic Workshop course can really take an organization's skills to the next level. Whenever we've run this session, the take-aways have been INCREDIBLE - participants' skills and capabilities grow massively as they learn to function as an efficient team. And, the level-setting that we do at the end of each day helps ensure that the operations tempo remains vivid and exciting while learning occurs. This course is really an incredible opportunity for people who already have three or more years' experience and are looking to really ramp up their skills to be game changers in their organizations.
- Ed Skoudis, SANS Fellow