ICS Active Defense Training | ICS Incident Response Course

What You Will Learn

ICS515: ICS Active Defense and Incident Response will help you deconstruct industrial control system (ICS) cyber attacks, leverage an active defense to identify and counter threats to your ICS, and use incident response procedures to maintain the safety and reliability of operations.

The course will empower students to understand their networked ICS environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats internal to the network is known as active defense, which is needed to counter advanced adversaries targeting ICS, as has been seen with malware such as STUXNET, HAVEX, CRASHOVERRIDE, and TRISIS. Students can expect to come out of this course with the ability to deconstruct targeted ICS attacks and fight these adversaries and others.

The course uses a hands-on approach and real-world malware to break down cyber attacks on ICS from start to finish. Students will gain a practical and technical understanding of leveraging active defense concepts such as using threat intelligence, performing network security monitoring, and utilizing threat analysis and incident response to ensure the safety and reliability of operations. The strategic and technical skills presented in this course serve as a basis for ICS organizations looking to show that defense is do-able.

You Will Learn:

How to perform ICS incident response focusing on security operations and prioritizing the safety and reliability of operations.
How ICS threat intelligence is generated and how to use what is available in the community to support ICS environments. The analysis skills you learn will enable you to critically analyze and apply information from ICS threat intelligence reports on a regular basis.
How to identify ICS assets and their network topologies and how to monitor ICS hotspots for abnormalities and threats. The course will introduce and reinforce methodologies such as ICS network security monitoring and approaches to reducing the control system threat landscape.
How to analyze ICS threats and extract the most important information needed to quickly scope the environment and understand the nature of the threat.
How to operate through an attack and gain the information necessary to instruct teams and decision-makers on whether operations must shut down or it is safe to respond to the threat and continue operations.
How to use multiple security disciplines in tandem to leverage an active defense and safeguard an ICS, all reinforced with hands-on labs and technical concepts.

You Will Be Able To

Analyze ICS-specific threats and take proper courses of action to defend the industrial control systems
Establish collection, detection, and response strategies for your ICS networks
Use proper procedures during ICS incident response

This Course Will Prepare You To

Examine ICS networks and identify the assets and their data flows in order to understand the network baseline information needed to identify advanced threats
Use active defense concepts such as threat intelligence consumption, network security monitoring, malware analysis, and incident response to safeguard the ICS
Build your own Programmable Logic Controller using a CYBATIworks Kit, which you can keep after the class ends
Gain hands-on experience with samples of Havex, BlackEnergy2, and Stuxnet by engaging in labs and de-constructing these threats and others
Leverage technical tools such as Shodan, Security Onion, TCPDump, Wireshark, Snort, Bro, SGUIL, ELSA, Volatility, Redline, FTK Imager, PDF analyzers, malware sandboxes, and more
Create indicators of compromise (IOCs) in OpenIOC and YARA and gain an understanding of sharing standards such as STIX and TAXII
Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber Defense Cycle, and the ICS Cyber Kill Chain to extract information from threats and use it to encourage the long-term success of ICS network security

Hands-On Training

Build a Programmable Logic Controller (PLC) using a CYBATIworks Kit
Identify information available about assets online through Shodan
Complete an analysis of competing hypotheses
Ingest threat intelligence reports
Identify and leverage new active defense skills to guide incident responders to the Human Machine Interface (HMI) affected by an advanced persistent threat (APT) on the lab network
Identify which system is affected by APT malware identified in the network and assemble a sample of the threat that can be analyzed
From the infected HMI and samples of the APT malware identified, analyze the malware, extract information, and develop YARA rules to complete the active defense
Address two different hands-on, real-world scenarios, one involving data collected from an intrusion into SANS Cyber City, and the other involving data collected from a Distributed Control System (DCS) infected with malware

What You Will Receive

Electronic Download package contining ICS lab data such as packet captures and memory images

Protocol samples of OPC, ModbusTCP, DNP3, BACnet, ISO-TSAP, and more
System files from infected DCS and HMI systems

A fully functioning CYBATIworks Mini-kit that students will keep following the class

A Raspberry PI that functions as a PLC
Physical components and attachments for I/O
Commercial control system demonstration software from Rex Controls
Commercial control system demonstration software from PeakHMI
Commercial control system demonstration software from CyberLens

Samples of Stuxnet, Havex, and BlackEnergy2 in a safe Virtual Machine environment
A CYBATI Virtual Machine tailored for continued ICS education
A REMnux Virtual Machine for malware analysis
A Security Onion Virtual Machine for monitoring the network and detecting threats

Syllabus (30 CPEs)

Download PDF

Overview
Industrial control system (ICS) security professionals must be able to leverage internal and external threat intelligence to critically analyze threats, extract indicators of compromise (IOCs), document tactics, techniques, and procedures (TTPs), and guide security teams to find threats in the environment. On this first course day students will learn how threat intelligence is generated, how to critically analyze reports, and the basic tenets of active defense functions. Students will become better analysts and critical thinkers by learning skills useful in day-to-day operations, regardless of their jobs and roles. This day features five hands-on labs that include building a Programmable Logic Controller (PLC), identifying information available about assets online through Shodan, completing an analysis of competing hypotheses, visualizing the attack space, and ingesting threat intelligence reports to guide their practices over the rest of the labs in the course.
Exercises
- Building a Programmable Logic Controller
- Analyzing Competing Hypotheses
- ICS Information Attack Space
- Visualizing the ICS Information Attack Space
- Conducting a Critical Evaluation of Threat Intel Reports
Topics
- Case Study: STUXNET
- Introduction to ICS Active Defense and Incident Response
- Intelligence Life-Cycle and Threat Intelligence
- ICS Cyber Kill Chain
- Identifying and Reducing the Threat Landscape
- Sharing and Consuming ICS Threat Intelligence
Overview
Understanding the networked environment is the only way to fully defend it: you cannot defend what you do not know. This course section will teach students to use tools such as Wireshark, TCPdump, CyberLens, ELSA, Bro, and Snort to map their ICS network, collect data, detect threats, and analyze threats to drive incident response procedures. During this section, students will be introduced to the lab network and an advanced persistent threat (APT) that is present on it. Drawing on threat intelligence from the previous course section, students will have to discover, identify, and analyze the threat using their new active defense skills to guide incident responders to the affected Human Machine Interface (HMI).
Exercises
- ICS Asset Discovery
- ICS Network Visualization
- Collecting the Right Data
- Detecting Potentially Malicious Activity
- Analyzing Abnormalities
Topics
- Case Study: HAVEX
- ICS Asset and Network Visibility
- ICS Network Security Monitoring - Collection
- ICS Network Security Monitoring - Detection
- ICS Network Security Monitoring - Analysis
Overview
The ability to prepare for and perform ICS incident response is vital to the safety and reliability of control systems. ICS incident response is a core concept of ICS active defense and requires that analysts safely acquire digital evidence while scoping the environment for threats and their impact on operations. ICS incident response is a young field with many challenges, but during this section students will learn effective tactics and tools to collect and preserve forensic-quality data. Students will then use these data to perform timely forensic analysis and create IOCs. In the previous section's labs, APT malware was identified in the network. In this section, the labs will focus on identifying which system is impacted and gathering a sample of the threat that can be analyzed.
Exercises
- Acquisition in an Operational Environment
- Network Analysis During Incident Response
- Memory Forensics
- Incident Response Digging Deeper
- IOCs in Action
Topics
- Case Study: German Steelworks Attack
- Incident Response and Digital Forensics Overview
- Evidence Acquisition
- Sources of Forensic Data in ICS Networks
- Memory Forensics and Identifying Capabilities
- Integrated Timely Analysis
Overview
Understanding the threat is key to discovering its capabilities and its potential to affect the ICS. The information extracted from threats through processes such as malware analysis is also critical to being able to make the necessary changes to the environment to reduce the effectiveness of the threat. The information obtained is vital to an ICS active defense, which requires internal data collection to create and share threat intelligence. In this section, students will learn how to analyze initial attack vectors such as spearphishing emails, perform timely malware analysis techniques, analyze memory images, and create Indicators of Compromise in YARA. The previous section's labs identified the infected HMI and gathered a sample of the APT malware. In this section's labs, students will analyze the malware, extract information, and develop YARA rules to complete the active defense model introduced in the class and maintain operations.
Exercises
- Analyzing Initial Attack Vectors and Spearphishing Emails
- Timely Malware Analysis
- YARA Development
Topics
- Case Study: BlackEnergy2
- ICS Threat and Environment Manipulation Goals and Considerations
- Analyzing Acquired Evidence
- Case Study: Ukraine Power Grid Attack, 2015
- Malware Analysis Methodologies
- Case Study: CRASHOVERRIDE
- Documenting Knowledge
- Case Study: TRISIS
Overview
This section focuses on reinforcing the strategy, methodologies, skillsets, and tools introduced in the first four sections of the course. This entirely hands-on section will present students with two different scenarios. The first involves data collected from an intrusion into SANS Cyber City. The second involves data collected from a Distributed Control System (DCS) infected with malware. This section will truly challenge students to utilize their ICS active defense and incident response skills and test themselves.
Exercises
- Scenario One
  The first half of the day will introduce packet captures and system images from an intrusion into SANS Cyber City. Students will leverage their active defense skills to identify and respond.
- Scenario Two
  The second half of the day will introduce packet captures and system images from an intrusion into a DCS environment. Students will again leverage their active defense skills to identify and respond to real-world malware and understand the impact on the environment.
Topics
- Scenario One
- Scenario Two

GIAC Response and Industrial Defense

The GRID certification is for professionals who want to demonstrate that they can perform Active Defense strategies specific to and appropriate for an Industrial Control System (ICS) network and systems. Candidates are required to demonstrate an understanding of the Active Defense approach, ICS-specific attacks and how these attacks inform mitigation strategies. Candidates must also show an understanding of the strategies and fundamental techniques specific to core subjects with an ICS-focus such as network security monitoring (NSM), digital forensics and incident response (DFIR).

Active Defense Concepts and Application, Detection and Analysis in an ICS environment
Discovery and Monitoring in an ICS environment, ICS-focused Digital Forensics, and ICS-focused Incident Response
Malware Analysis Techniques, Threat Analysis in an ICS environment, and Threat Intelligence Fundamentals

Prerequisites

Students from either an IT or ICS background will do well in this course. Prior to attending the course, it is recommended that you attend SANS ICS410 or equivalent essential cybersecurity classes such as SEC401, or that you have fundamental cybersecurity experience. Students do not need previous ICS experience, but they should be comfortable with ICS terminology and systems such as SCADA, DCS, PLCs, and RTUs, and have an understanding of distinct risks and mitigation approaches in OT environments.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

64-bit system
Latest version of Windows 10 that can install and run VMware virtualization products described below.
*if you wish to use a macOS 10.15.x or later, or Linux based OS you will need to have access to a Windows 10 based VM to perform the Windows based labs contained in the courseware
Laptop with at least two USB ports
Ability to update BIOS configuration settings to enable virtualization (VT) support
VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
Ability to disable all security software on your laptop, including antivirus and/or firewalls
At least 100 GB of hard-drive space
At least 8 GB of RAM
Local Administrator Access within the host operating system and BIOS settings
Wireless Ethernet 802.11 B/G/N/AC

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"This class was developed from my experiences in the U.S. intelligence community and within the control system community dealing with advanced adversaries targeting industrial control systems. It is the class I wish I would have had available to me while protecting infrastructure against these adversaries. It is exactly what you'll need to maintain secure and reliable operations in the face of determined threats. ICS515 will empower you to prove that defense is do-able."

- Robert M. Lee

"The mixture of real-world stories and hands-on training make SANS my number one source for training." - Ian Trimble, Blue Cross Blue Shield

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (5 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend ICS515?

ICS Incident Response Team Leads and Members who want to learn how to respond to advanced threats safely in an industrial control systems with a focus on combined and continued security
ICS and Operations Technology Security Personnel who want to learn how to leverage an industrial control system active defense, including network security monitoring and threat intelligence
IT Security Professionals who want to expand their knowledge into the industrial control system field with an understanding of ICS protocols, threats, and priorities
Security Operations Center (SOC) Team Leads and Analysts who want to learn how to monitor OT networks and industrial control system assets in an ICS SOC or dual IT/OT SOC
ICS Red Team and Penetration Testers who want to learn the latest in defense tactics to identify how they can better perform, and how they can better highlight areas for improvement in industrial control system networks
Active Defenders who want to challenge themselves to identify and respond to advanced targeted threats

"ICS515 is so relevant to my day to day that I feel like I can't take notes fast enough. This is so critical for the ICS and OT community." - Ali Corl, Exelon

See prerequisites

Reviews

This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.

Srinath Kannan

Accenture

Very good for any ICS program, security-focused or not.

Jeremy Thomas

US Federal Department

Very good focus on the OT/ICS side & integrated into class.

Josh Tanski

Morton Salt

ICS515: ICS Active Defense and Incident Response

GIAC Response and Industrial Defense (GRID)

Course Authors:

Robert M. Lee

What You Will Learn

Syllabus (30 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Response and Industrial Defense

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend ICS515?

Reviews

Find ways to take this course