What You Will Learn
You just got hired to help our virtual organization "SYNCTECHLABS" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service... We're not even sure where to start!"
Cyber threats are on the rise: ransomware tactics are affecting small, medium, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.
Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: "How do I prevent or detect this type of attack?" Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.
Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization "SYNCTECHLABS" in section one exercises.
In sections two, three, four and five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:
- Leveraging MITRE ATT&CK as a "common language" in the organization
- Building your own Cuckoo sandbox solution to analyze payloads
- Developing effective group policies to control script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
- Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
- Stopping 0-day exploits using ExploitGuard and application whitelisting
- Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
- Detecting and preventing malware persistence
- Leveraging the Elastic stack as a central log analysis solution
- Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
- Blocking and detecting command and control through network traffic analysis
- Leveraging threat intelligence to improve your security posture
SEC599 will finish with a bang. During the Defend-the-Flag challenge in the final course section, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?
Syllabus (36 CPEs)
Our six-part journey starts with an analysis of recent attacks through in-depth case studies. We will explain what's happening in real situations and introduce the Cyber Kill Chain and MITRE ATT&CK framework as a structured approach to describing adversary tactics and techniques. We will also explain what purple teaming is, typical tools associated with it, and how it can be best organized in your organization. In order to understand how attacks work, students will also compromise our virtual organization "SYNCTECHLABS" during section one exercises.
- One click is all it takes...
- Hardening our domain using SCT and STIG
- Kibana, ATT&CK Navigator, and FlightSim
- Automated reconnaissance using SpiderFoot
- Course Outline and Lab Setup
- Course objectives and lab environment
- What's happening out there?
- Introducing SYNCTECHLABS
- Exercise: One click is all it takes...
- Adversary Emulation and the Purple Team
- Introducing the extended Kill Chain
- What is the purple team?
- MITRE ATT&CK framework and "purple tools"
- Key controls for prevention and detection
- Exercise: Hardening our domain using SCT and STIG
- Building a detection stack
- Exercise: Kibana, ATT&CK Navigator, and FlightSim
- Reconnaissance - Getting to know the target
- Exercise: Automated reconnaissance using SpiderFoot
Section 2 will cover how the attacker attempts to deliver and execute payloads in the organization. We will first cover adversary techniques (e.g., creation of malicious executables and scripts), then focus on how both payload delivery (e.g., phishing mails) and execution (e.g., double-clicking of the attachment) can be hindered. We will also introduce YARA as a common payload description language and SIGMA as a vendor-agnostic use-case description language.
- Stopping NTLMv2 sniffing and relay attacks in Windows
- Building a Sandbox using Cuckoo and YARA
- Configuring AppLocker
- Controlling script execution in the enterprise
- Detection with Script Block Logging, Sysmon, and SIGMA
- Preventing payload execution using ProcFilter
- Common Delivery Mechanisms
- Hindering Payload Delivery
- Removable media and network (NAC, MDM, etc.) controls
- Exercise: Stopping NTLMv2 sniffing and relay attacks in Windows
- Mail controls, web proxies, and malware sandboxing
- YARA - A common payload description language
- Exercise: Building a Sandbox using Cuckoo and YARA
- Preventing Payload Execution
- Initial execution - Application whitelisting
- Exercise: Configuring AppLocker
- Initial execution - Visual Basic, JS, HTA, and PowerShell
- Exercise: Controlling script execution in the enterprise
- Initial execution - How to detect?
- Exercise: Detection with Script Block Logging, Sysmon, and SIGMA
- Operationalizing YARA rules - Introducing ProcFilter
- Exercise: Preventing payload execution using ProcFilter
Section 3 will first explain how exploitation can be prevented or detected. We will show how security should be an integral part of the software development lifecycle and how this can help prevent the creation of vulnerable software. We will also explain how patch management fits in the overall picture.
Next, we will zoom in on exploit mitigation techniques, both at compile-time (e.g., ControlFlowGuard) and at run-time (ExploitGuard). We will provide an in-depth explanation of what the different exploit mitigation techniques (attempt to) cover and how effective they are. We'll then turn to a discussion of typical persistence strategies and how they can be detected using Autoruns and OSQuery. Finally, we will illustrate how command and control channels are being set up and what controls are available to the defender for detection and prevention.
- Exploit mitigation using Compile-Time Controls
- Exploit mitigation using ExploitGuard
- Catching persistence using Autoruns and OSQuery
- Detecting command and control channels using Suricata, JA3, and RITA
- Protecting Applications from Exploitation
- Software development lifecycle (SDL) and threat modeling
- Patch management
- Exploit mitigation techniques
- Exercise: Exploit mitigation using Compile-Time Controls
- Exploit mitigation techniques - ExploitGuard, EMET, and others
- Exercise: Exploit mitigation using ExploitGuard
- Avoiding Installation
- Typical persistence strategies
- How do adversaries achieve persistence?
- Exercise: Catching persistence using Autoruns and OSQuery
- Foiling Command and Control
- Detecting command and control channels
- Exercise: Detecting command and control channels using Suricata, JA3, and RITA
Section 4 will focus on how adversaries move laterally throughout an environment. A key focus will be on Active Directory (AD) structures and protocols (local credential stealing, NTLMv2, Kerberos, etc.). We will discuss common attack strategies, including Windows privilege escalation, UAC bypasses, (Over-) Pass-the-Hash, Kerberoasting, Silver Tickets, and others. We'll also cover how BloodHound can be used to develop attack paths through the AD environment. Finally, we will discuss how lateral movement can be identified in the environment and how cyber deception can be used to catch intruders red-handed!
- Implementing LAPS
- Local Windows privilege escalation techniques
- Hardening Windows against credential compromise
- Mapping attack paths using BloodHound
- Kerberos attack strategies
- Detecting lateral movement in AD
- Protecting Administrative Access
- Active Directory security concepts
- Principle of least privilege and UAC
- Exercise: Implementing LAPS
- Privilege escalation techniques in Windows
- Exercise: Local Windows privilege escalation techniques
- Key Attack Strategies against AD
- Abusing local admin privileges to steal more credentials
- Exercise: Hardening Windows against credential compromise
- BloodHound - Mapping out AD attack paths
- Exercise: Mapping attack paths using BloodHound
- Kerberos attacks: Kerberoasting, Silver tickets, Over-PtH
- Exercise: Kerberos attack strategies
- How Can We Detect Lateral Movement?
- Key logs to detect lateral movement in AD
- Deception - Tricking the adversary
- Exercise: Detecting lateral movement in AD
Section five focuses on stopping the adversary during the final stages of the attack:
- How does the adversary obtain "domain dominance" status? This includes the use of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync and DCShadow.
- How can data exfiltration be detected and stopped?
- How can threat intelligence aid defenders in the Cyber Kill Chain?
- How can defenders perform effective incident response?
As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.
- Domain dominance
- Detecting data exfiltration
- Leveraging threat intelligence with MISP and Loki
- Hunting your environment using OSQuery
- Finding malware using Volatility and YarGen
- Domain Dominance
- Dominating the AD - Basic strategies
- Golden Ticket, Skeleton Key, DCSync, and DCShadow
- Detecting domain dominance
- Exercise: Domain dominance
- Data Exfiltration
- Common exfiltration strategies
- Exercise: Detecting data exfiltration
- Leveraging Threat Intelligence
- Defining threat intelligence
- Exercise: Leveraging threat intelligence with MISP and Loki
- Threat Hunting and Incident Response
- Proactive threat hunting strategies
- Exercise: Hunting your environment using OSQuery
- Incident response process
- Exercise: Finding malware using Volatility and YarGen
The course culminates in a team-based Defend-the-Flag competition. Section six is a full chapter of hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls promoted all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.
Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SMEs are available to support every OnDemand student's experience.
- Applying Previously Covered Security Controls In-depth
- Command and Control
- Action on Objectives
GIAC Defending Advanced Threats
"The GDAT certification is unique in how it covers both offensive and defensive security topics in-depth. Holders of the GDAT certification have demonstrated advanced knowledge of how adversaries are penetrating networks, but also what security controls are effective to stop them. Next to knowing what controls are instrumental to prevent recent attacks, certified GDAT professionals know that prevent-only is not feasible and thus know how to detect and respond to attacks. Combining all these skills, they have the ability to prevent, detect, and respond to both traditional and APT-style attacks!" - Erik Van Buggenhout, Course Author, SANS SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
- Advanced persistent threat models and methods
- Detecting and preventing payload deliveries, exploitation, and post-exploitation activities
- Using cyber deception to gain intelligence for threat hunting and incident response
- Experience with Linux and Windows from the command line (including PowerShell)
- Familiarity with Windows Active Directory concepts
- A baseline understanding of cyber security topics
- A solid understanding of TCP/IP and networking concepts
As the course leverages the SANS OnDemand platform, the labs will be browser-based. The sections below outline the key requirements for optimal lab experiences.
Students must bring a laptop to class running any of the following OS families:
- Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
- For troubleshooting reasons, please ensure you have local administrator privileges on your laptop.
An up-to-date version of the following browser families is supported:
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
- x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
- 4 GB RAM minimum with 8 GB or higher recommended
- A wireless network adapter
- 10 GB available hard-drive space
During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in my classes were not actually penetration testers or those who would be writing zero-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."
-- Stephen Sims
"During my InfoSec career, I focused on penetration testing for the first five years, then shifted my focus more and more to the world of incident response. That's when I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries' attacking moves.
"SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish.
"Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I'm very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-the-Flag' exercise on Day 6."
-- Erik Van Buggenhout