What You Will Learn
Computer exploitation is on the rise. As advanced adversaries become more numerous, more capable, and much more destructive, organizations must become more effective at mitigating their information security risks at the enterprise scale. SEC460 is the premier course on building technical vulnerability assessment skills and techniques, while highlighting time-tested practical approaches to ensure true value across the enterprise. The course covers threat management, introduces the core components of comprehensive vulnerability assessment, and provides the hands-on instruction necessary to produce a vigorous defensive strategy from day one. The course focuses on equipping information security personnel from mid-sized to large organizations who are charged with effectively and efficiently securing 10,000 or more systems.
SEC460 begins with an introduction to information security vulnerability assessment fundamentals, followed by in-depth coverage of the Vulnerability Assessment Framework. It then moves into the structural components of a dynamic and iterative information security program. Through detailed practical analysis of threat intelligence, modeling, and automation, students will learn the skills necessary to not only use the tools of the trade, but also to implement a transformational security vulnerability assessment program.
You will learn how to use real industry-standard security tools for vulnerability assessment, management, and mitigation. It is the only course that teaches a holistic vulnerability assessment methodology while focusing on the unique challenges faced in a large enterprise. You will learn on a full-scale enterprise range chock full of target machines representative of an enterprise environment, leveraging production-ready tools and a proven testing methodology.
SEC460 takes you beyond the checklist, giving you a tour of the attackers' perspective that is crucial to discovering where they will strike. Operators are more than the scanner they employ. SEC460 emphasizes this personnel-centric approach by examining the shortfalls of many vulnerability assessment programs in order to provide you with the tactics and techniques required to secure enterprise networks and cloud infrastructure against even the most advanced intrusions.
We wrap up the first five days of instruction with a discussion of triage, remediation, and reporting before putting your skills to the test on the final course day on an enterprise-grade cyber range with numerous target systems for you to analyze and explore. The cyber range is a large environment of servers, end-users, and networking gear that represents many of the systems and topologies used by enterprises. By adopting an end-to-end approach to vulnerability assessment, you can be confident that your skills will provide much-needed value to securing your organization.
Syllabus (36 CPEs)Download PDF
On the first day of SEC460, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.
Scale and architecture are major challenges for an enterprise. We will discuss techniques and strategies to overcome these obstacles, and perform a table-top exercise to connect theory with reality. We will also dive into fundamental information security topics, explore the nuanced differences between major categories of services, and examine the industry's foremost methodologies for vulnerability assessment. We will examine the strategic influences that impact a typical enterprise and its vulnerability management program.
The goal of SEC460 is to arm the vulnerability assessor with the knowledge and understanding required to capture and deconstruct vulnerabilities that affect the enterprise both on-premise and in the cloud. This first course section establishes a foundational basis to attain this goal using real-world case studies and hands-on exercises.
- Case Study: Equifax
- Exploring PowerShell and Win10
- Case Study: Failed Vulnerability Management Programs
- Vulnerability Management with Brinqa
- Case Study: Major Enterprise Compromise through the Cloud
- Case Study: To Patch or Not to Patch
- Threat Modeling
- Maximizing Value from Vulnerability Assessments and Programs
- Setting Up for Success at Scale: Enterprise Architecture and Strategy
- Developing Transformational Vulnerability Assessment Strategies
- Performing Enterprise Threat Modelling
- PowerShell Fundamentals
- Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload
- The Vulnerability Assessment Framework
- Vulnerability Data Management Tools and Techniques
- Overview of Comprehensive Network Scanning
- Compliance Standards and Information Security
- Team Operations and Collaboration
- Discovering Open-Source Disclosure and Understanding these Risks
As the structural foundations of vulnerability management are covered on day one, this course section will pivot to the realm of direct tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment system.
The enterprise and cloud are becoming ever more intertwined as time goes on. Often, it can be difficult to recommend moving toward this transformation within your enterprise, but the transformation is happening, it is constantly evolving, and it is vulnerable. In this course section we will take a hands-on approach to the discussion of the cloud by examining technologies and dissecting the attack surface that is rapidly becoming a core component of our enterprise vulnerability space. We'll look into assessment tools for the cloud and observe real attacks in action. Together, we can identify the potential for vulnerability and strike first.
As we begin active scrutiny of the enterprise, you will learn how to interpret tool output and form a detailed network map. We will explore proven methods to ensure the integrity of our dataset as we identify IP addresses, operating systems, platforms, and services. The day culminates with an introduction to the PowerShell scripting language focusing on large-scale system management, vulnerability discovery, and mitigation.
- PowerShell Primer
- Whois, DNS, and Advanced Reconnaissance
- Reconnaissance Automation
- Scanning with Nmap
- Enterprise and Cloud Scanning
- PowerShell as an Operations Platform
- PowerShell Operations for Discovery
- Automating Vulnerability Assessment Tasks with PowerShell
- Active and Passive Reconnaissance
- Reconnaissance Frameworks
- Identification and Enumeration with DNS
- DNS Zone Speculation and Dictionary-Enabled Discovery
- Port Scanning with Nmap and Zenmap
- Scanning Large-Scale Environments
- Commonplace Services
- Scanning the Network Perimeter and Engaging the DMZ
- Trade-offs: Speed, Efficiency, Accuracy, and Thoroughness
- The Fundamentals of the Enterprise Cloud
- Scanning the Enterprise Cloud
The third course section begins by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components to gain an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks.
This day is dedicated to learning the hierarchy of vulnerability discovery and translates easily to frontline operations. We'll use premier industry tools like Rapid7's Nexpose/InsightVM and Acunetix MVS, while simultaneously exploring manual testing procedures. We'll also cover application-specific testing tools and techniques to provide you with a broad perspective and actionable experience.
- Vulnerability Discovery
- Estimating and Assigning Risk
- General-Purpose Vulnerability Scanning with Nexpose/InsightVM
- Application-Specific Scanning with Nikto, Acunetix, and WPScan
- Scanning Enterprise and Cloud Infrastructure
- Assigning a Confidence Value and Validating Exploitative Potential of Vulnerabilities
- Enhanced Vulnerability Scanning
- Risk Assessment Matrices and Rating Systems
- Quantitative Analysis Techniques Applied to Vulnerability Scoring
- Performing Tailored Risk Calculation to Drive Triage
- General Purpose vs. Application-Specific Vulnerability Scanning
- Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale
- Scan Policies and Compliance Auditing
- Performing Vulnerability Discovery with Open-Source and Commercial Appliances
- Scanning with the Nmap Scripting Engine, Nexpose/InsightVM, and Acunetix
- The Windows Domain: Exchange, SharePoint, and Active Directory
- Testing for Insecure Cryptographic Implementations Including SSL
- Assessing VOIP Environments
- Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint
- Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege
- Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs
- Manual Vulnerability Discovery Automated to Attain Maximal Efficacy
- Enterprise Cloud Vulnerability Discovery
Throughout the fourth day of SEC460 we will tackle vulnerability validation, which is the next phase of our overarching testing methodology. Simultaneously, we will confront and address the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool to analyze vulnerability data across an organization. Later in the day, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.
- Manual Validation Using Inherent Tools and Systems
- Authenticated Scanning with Nexpose and Acunetix
- Vulnerability Validation with PowerShell and WinRM
- Windows Domain Vulnerability Discovery
- Configuration Auditing
- Data Integration and Synergy to Reduce the Vulnerability Lifecycle
- Testing Egress Controls
- Maximizing Remediation Efforts through Triage
- Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations
- Manual Vulnerability Validation Targeting Enterprise Infrastructure
- Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base
- Managing Large Repositories of Vulnerability Data
- Querying the Vulnerability Knowledge Base
- Evaluating Vulnerability Risk in Custom and Unique Systems, including Web Applications
- Triage: Assessing the Relative Importance of Vulnerabilities Against Strategic Risk
Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. During the previous course sections we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this course section. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.
- Domain Password Auditing with DPAT
- Password Cracking and Trend Analysis with CryptBreaker
- Auditing Domain Trust Relationships
- SEC460 Enterprise NetWars
- Analyzing User Password Selection and Addressing Underlying Vulnerabilities
- Creating and Navigating Vulnerability Prioritization
- Domain Password Auditing
- Discovering Negative Security Policy Implementation
- Developing a Web of Network and Host Affiliations
- Modeling Account Relationships on Active Directory Forests
- Designing Vulnerability Mitigations and Compensating Controls
- Azure AD Password Protection
- Creating Effective Vulnerability Assessment Reports
- Transforming Triage Listing into the Vulnerability Remediation Plan
- Kerberos and Domain Authentication
- Closure: Be a Positive Influence in the Context of the Global Information Security Crisis
In celebration of your diligence, curiosity, and new vulnerability skills, we welcome you to your final hands-on challenge to hammer home the capabilities you have learned. The guided scenario in this final course section is designed to test your mettle by trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge...and triumph!
The scenario: The Ellingson Mineral Company (EMC) has engaged you to perform a vulnerability assessment of its environment. EMC is very aware of your particular set of vulnerability assessment skills, and it treasures the insights it is certain you will provide to help secure the company against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to resolve issues that would lead to a compromise of EMC's precious assets.
- A Full-Day Campaign Powered by the NetWars Scoring Engine, a Simulation Environment Used by Cutting-Edge Commercial Organizations, Government Agencies, and Military Groups
- Use the Tactics, Techniques, and Procedures Learned Throughout the Course
- Accomplish an Enterprise Vulnerability Assessment Against a Target Environment
- Tactical Employment of the Vulnerability Assessment Framework
- Threat Modeling
- Vulnerability Scanning
- Data Management and Triage
GIAC Enterprise Vulnerability Assessor
As advanced adversaries become more numerous, more capable, and much more destructive, organizations must become more effective at mitigating their information security risks at the enterprise scale. GIAC Enterprise Vulnerability Assessor is the premier certification focused on validating technical vulnerability assessment skills and time-tested practical approaches to ensure security across the enterprise. The GEVA-certified practitioner will be capable of handling threat management, comprehensively assessing vulnerabilities, and producing a vigorous defensive strategy from day one.
Vulnerability assessment framework planning and methodology in an enterprise environment
Discovery and validation of vulnerabilities using tactics like network scanning and PowerShell scripting
Remediation and reporting techniques utilizing proper data management
As this is a lab-oriented, specialized, and technical course, functional knowledge of information security concepts, technology, and networking is highly recommended.
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the enterprise laboratory environment.
Course exercises are based around a virtual Windows operations platform. The tailored operations platform designed for this course will provide the optimal learning experience. VMware Player or VMware Workstation is required for the class. If you plan to use a Mac, please make sure you bring VMware Fusion.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
You also must have a minimum of 8 GB of RAM for the Virtual Machine to function properly in the class. A VMware product must also be installed prior to coming to class. Verify that under BIOS, Virtual Support is ENABLED.
The course includes a VMware image file of a guest Windows system that is larger than 12 GB. Therefore, you need a file system with the ability to read and write files that are larger than 3 GB, such as NTFS on a Windows machine.
IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
We will also provide a licensed Enterprise Edition Windows 10 image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.
Mandatory System Requirements
- System running Windows, Linux, or Mac OS X 64-bit version
- At least 8 GB of RAM
- 40 GB of available disk space (more space is recommended)
- Administrator access to the operating system
- Anti-virus software will need to be disabled to ensure an ideal learning environment
- An available USB type-A port
- Wireless NIC for network connectivity
- Workstation must be OPSEC SAFE and should NOT contain any personal or company data; you will connect to a high-risk, live-fire environment
- Verify that under BIOS, Virtual Support is ENABLED
Mandatory Downloads Prior to Coming to Class:
- Installed 64-bit host operating systems (Windows is recommended)
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
I have confirmed that:
- I have administrator access to the operating system
- I have at least 8 GB of RAM and 40 GB of available disk space
- Anti-virus is disabled
- The system includes a working USB port
- I have downloaded and installed the VMWare Workstation, Fusion, or Player
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"Having worked with many different environments in my career, being able to manage threats and vulnerabilities at enterprise scale has always struck me as critically important. This course is the result of decades of experience performing vulnerability assessments. We walk the walk going through theory and exercises that are practical techniques for managing modern threats and vulnerabilities. We use tools, methodologies, and automation that will give you a manageable strategy applicable to any environment."
- Adrien de Beaupre
"Assuming the role of standard-bearer for a community comprised of many of today's foremost thought leaders may seem like a daunting proposition at first. However, the opportunity to introduce aspiring new hackers to a tribe of like minds is a singular and enduring pleasure. Because SEC460 is a foundational course in the SANS Penetration Testing Curriculum, it is itself a herald and a promise. For some newcomers, the first adventure with SANS is the spark of awakening for their inner hacker. It acts as a catalyst, facilitating personal evolution and even genesis of a lifelong passion. Adrien de Beaupre and I have meticulously crafted the SEC460 challenge to be a formative experience, attainable by all yet elementary to none. Few things are more gratifying than watching an assiduous mind, armed for the fight, rising to meet the challenge with a flourish and a coup de grace, and ending in triumph!"
- Matthew Toussain