What You Will Learn
Computers, networks, and programmable logic controllers operate most of the physical infrastructure of our modern world, ranging from electrical power grids, water systems, and traffic systems all the way down to HVAC systems and industrial automation. Increasingly, security professionals need the skills to assess and defend these important infrastructures. In this innovative and cutting-edge course based on the SANS CyberCity kinetic range, you will learn how to analyze and assess the security of control systems and related infrastructures, finding vulnerabilities that could result in significant kinetic impact.
Syllabus (36 CPEs)Download PDF
- Mission 1: Camera mission: Visualizing the battlespace.
- Mission 2: Team-building mission: Recon, social networking, intel gathering, and controlling billboards.
- Mission 3: Water Reservoir mission: Ensure the water reservoir Human Machine Interface and data historian properly reflect water records to prevent contamination.
- Mission 4: Train Derailment mission: Interact with SCADA-controlled train switching junctions to prevent a disaster.
- Mission 5: Street light mission: Restore streetlights through manipulating an Operator Interface Terminal.
- Mission 6: Bank alarm mission: Control a bank alarm system using intel gained from assets across the city.
- Mission 7: Traffic light mission: Manipulating and injecting Modbus for system control.
- Mission 8: Radar tower mission: Malware analysis and escaping restricting environments.
- Mission 9: City-wide power grid mission: Gain control of SCADA systems to restore power on a city-wide basis.
- Mission 10: Landing strip mission: Neutralize a cyber attack to restore lighting to an airfield landing strip.
- Mission 11: Rocket launcher mission: Retake control of a rocket launcher and discharge its weapons safely.
- Mission 12: Gas pipeline mission: Crack crypto weaknesses to restore pressure in the gas pipeline to prevent catastrophe.
- Mission 13: Residential power grid mission: Regain control of power grid systems to restore the residential infrastructure after a blackout.
- Mission 14: Retailer HVAC mission: Prevent attackers from destroying a retailer who hacked via a contractor and left a time bomb.
- Mission 15: ISP Infiltration: Perform a pen test on the ISP.
During the final day of SEC562, you'll apply the knowledge and skills you've built all week in SANS first ever course with a red-team/blue-team face off, all inside of CyberCity. Your team will defend your CyberCity turf against attackers while vying to expand your control over various portions of the city. The CyberCity power grid will light up to indicate your level of control over city assets and your progress through a variety of bonus missions as you adapt your skills to achieve even more.
IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS
To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.
IMPORTANT NOTE:You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to install and run VMware virtualization products described above.
Mandatory Laptop Hardware Requirements
- x86- or x64-compatible 1.5 GHz CPU Minimum or higher
- DVD Drive (not a CD drive)
- 8 GigaByte RAM minimum
- Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
- 60 GigaByte available hard drive space
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described above.
During the workshop, you will be connecting to one of the most hostile networks on planet Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
The world faces a critical shortage of individuals with the skills needed to defend the computer systems and network infrastructures that control our physical world. We built this course to help fill that gap, teaching cyber warriors how to analyze, control, and defend countless control systems, protocols, and other kinetic infrastructures they will increasingly face in the future. The course is chock full of practical skills that security professionals can use in their own practice. The coolest part of the course is the fact that students can actually see the impact on the city of their hands-on lab work through real-time streaming video to the classroom. For example, when you restore the power grid, you will actually see the lights in the city turn back on (and a newspaper article get published in real-time about the end of the blackout). Nearly every mission in the course provides visual impacts, which inspire and excite students and instructors alike.
-- Ed Skoudis, Josh Wright, and Tim Medin