The goal of modern cloud and on-premises systems is to prevent compromise, but the reality is that detection and response are critical. Keeping your organization out of the breach headlines depends on how well incidents are handled to minimize loss to the company.
In SEC504, you will learn how to apply a dynamic approach to incident response. Using indicators of compromise, you will practice the steps to effectively respond to breaches affecting Windows, Linux, and cloud platforms. You will be able to take the skills and hands-on experience gained in the course back to the office and apply them immediately.
A big focus in SEC504 is applying what you learn with hands-on exercises: 50% of the course is hands-on, and in those exercises you will attack, defend, and assess the damage done by threat actors. You will work with complex network environments, real-world host platforms and applications, and complex data sets that mirror the kind of work you may be asked to do. You never lose access to the lab exercises, and they can be repeated as often as you like. All lab exercises come with detailed walkthrough video content to help reinforce the learning concepts in the course.
Understanding the steps to effectively conduct incident response is only one part of the equation. To fully grasp the actions attackers take against an organization, from initial compromise to internal network pivoting, you also need to understand their tools and techniques. In the hands-on environment provided by SEC504, you will use the tools of the attackers themselves in order to understand how they are applied and the artifacts the attackers leave behind. By getting into the mindset of attackers, you will learn how they apply their trade against your organization, and you will be able to use that insight to anticipate their moves and build better defenses.
In SEC504, you will learn:
- How to apply a dynamic approach to incident response
- How to identify threats using host, network, and log analysis
- Best practices for effective cloud incident response
- How to leverage PowerShell for data collection and cyber threat analysis
- Cyber investigation processes using live analysis, network insight, and memory forensics
- Defense spotlight strategies to protect critical assets
- How attackers leverage cloud systems against organizations
- Attacker techniques to evade endpoint detection tools
- How attackers exploit complex cloud vulnerabilities
- Attacker steps for internal discovery and lateral movement after an initial compromise
- How attackers exploit publicly accessible systems, including Microsoft 365
What you will receive:
- Unlimited access to all hands-on exercises that never expires
- Printed and electronic course books and a hands-on workbook
- MP3 audio files of the entire course
- Perpetual access to all hands-on lab exercises
- Detailed video walkthroughs for all lab exercises
- Visual association maps to break down complex material
- A digital index for quick-reference to all material
- Bonus content and hands-on exercises to develop your skills beyond the course
- Essential cheat sheets for tools and complex analysis tasks
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
64-bit Intel i5/i7 2.0+ GHz processor
- CRITICAL NOTE: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot be used for this course.
- Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be listed near the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Enabled "Intel-VT"
- Intel's VT (VT-x) hardware virtualization technology must be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS to enable this setting in order to complete lab exercises. If your BIOS is password-protected, you must have the password. This is absolutely required.
RAM
- 16 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Hard Drive Free Space
- 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
Operating System
- Your system must be running the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that can install and run the VMware virtualization products described below.
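The requirements above give click-paths for Windows and macOS only. The script below is an added example, not part of the course page or SANS material, that checks the same four requirements on a Linux host: a 64-bit CPU, the Intel VT-x (`vmx`) CPU flag, 16 GB of RAM, and 100 GB of free disk. The function names, the thresholds and the `--run` switch are this example's own choices; it reads `/proc/cpuinfo`, `/proc/meminfo`, `uname -m` and `df -Pk`, so it is only meaningful on Linux.

```shell
#!/bin/sh
# Added example (not from the SANS course page): pre-class check of a Linux
# laptop against the listed hardware requirements. Function names, thresholds
# and the --run switch are this example's own.

# Does a /proc/cpuinfo "flags" line advertise Intel VT-x (the "vmx" flag)?
# Surround with spaces so "vmx" is matched as a whole word, not as part of
# another flag name.
has_vtx() {
    case " $1 " in
        *" vmx "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Is the machine type reported by `uname -m` a 64-bit x86 one?
is_64bit() {
    case "$1" in
        x86_64|amd64) return 0 ;;
        *)            return 1 ;;
    esac
}

# MemTotal in /proc/meminfo is in kB and excludes memory reserved by firmware,
# so a 16 GB laptop reports a little under 16 GiB. Require 15 GiB to avoid a
# false failure on a machine that actually meets the requirement.
ram_ok() {
    [ "${1:-0}" -ge $((15 * 1024 * 1024)) ]
}

# `df -Pk` reports 1 kB blocks; require 100 GB (decimal, 100 * 10^6 kB).
disk_ok() {
    [ "${1:-0}" -ge $((100 * 1000 * 1000)) ]
}

# Print a PASS/FAIL line per requirement using live values from this host.
# $1 is the directory that will hold the VMs (defaults to $HOME).
# Returns 1 if any requirement fails.
check_host() {
    rc=0
    vmdir="${1:-$HOME}"
    arch=$(uname -m)
    flags=$(awk -F: '/^flags/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
    free_kb=$(df -Pk "$vmdir" | awk 'NR==2 {print $4}')

    if is_64bit "$arch"; then echo "PASS 64-bit CPU ($arch)"
    else echo "FAIL 64-bit CPU ($arch)"; rc=1; fi

    if has_vtx "$flags"; then echo "PASS VT-x (vmx flag present)"
    else echo "FAIL VT-x (vmx flag missing)"; rc=1; fi

    if ram_ok "$mem_kb"; then echo "PASS RAM (${mem_kb:-0} kB)"
    else echo "FAIL RAM (${mem_kb:-0} kB, want 16 GB)"; rc=1; fi

    if disk_ok "$free_kb"; then echo "PASS free disk on $vmdir (${free_kb:-0} kB)"
    else echo "FAIL free disk on $vmdir (${free_kb:-0} kB, want 100 GB)"; rc=1; fi

    return $rc
}

# Run the live check only when asked, e.g.:  sh hostcheck.sh --run /vms
if [ "${1:-}" = "--run" ]; then
    check_host "${2:-$HOME}"
fi
```

One caveat a practitioner should know: the `vmx` flag only shows that the CPU supports VT-x. If firmware has VT-x disabled (the BIOS/UEFI setting the requirement above insists on), the flag is still listed, and the disablement instead shows up when VMware, or a `modprobe kvm_intel`, refuses to start virtualization. Treat a PASS on the flag as necessary but not sufficient, and confirm the BIOS setting directly.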
Additional Software Requirements
VMware Player Install
- Install VMware Player 16, VMware Fusion 12, or VMware Workstation 16. Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on their website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation.
- Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"Attacker tools and techniques have changed, and we need to change our incident response techniques to match. Since I took over as author of SEC504 in 2019, I have rewritten the entire course to give you the skills you need to succeed at incident response. Whether the attacks are Windows-focused or involve attacking critical database platforms or exploiting cloud vulnerabilities, you'll be prepared to effectively identify the attack, minimize the impact, and respond efficiently. With your knowledge of hacker tools and techniques, and by using defense skills that dramatically improve security, you will be ready to become the subject-matter expert your organization needs to meet today's cyber threats."
"Our instructor Josh was incredible! Engaging, enthusiastic, extremely knowledgeable (especially vim, WOW). His enthusiasm is contagious and really motivating to the material. Keep up the great work Josh!" - Jen F., US Federal Agency