What You Will Learn
Our virtual organization, GLOBEX, is struggling with typical cybersecurity challenges. The organization is growing, moving towards multiple cloud environments, and supporting continuous deployment. You just got hired as a security expert and your manager tells you that our environment is increasingly complex and we are facing more and more cyber threats. We need you to focus on and improve our core security services with a limited security team.
SEC598: Security Automation for Offense, Defense, and Cloud will equip you with the expertise to apply automated solutions to prevent, detect, and respond to security incidents. The cybersecurity skill gap continues to push organizations to adopt automation to deal with security operations, yet most automation training focuses exclusively on DevSecOps and automation tools/scripting. SEC598 takes another approach: students first train to understand the concept of automation, then learn how existing technologies can be best leveraged to build automation stories that translate repeatable problems into automated scripts.
SEC598 gives students real-world examples of how to automate tasks within complex environments. The course features more than 15 labs plus a capstone exercise where students develop automation stories to attack and defend a simulated organization. The six-part course starts with an introduction to security automation, describing concepts such as infrastructure as code, configuration management tooling, emulations, and playbook development. Students will then apply these concepts, starting with the engineering process within hybrid environments. You will learn how to use different technologies to assess, deploy, and monitor environments, combining configuration management tools, infrastructure as code, security orchestration, automation and response (SOAR) engines, and cloud native services for automation. You will then learn how to use this automation specifically for offense and defense by examining techniques used to emulate adversaries and automate security testing.
You will see how infrastructure as code enables red teamers to become more efficient and stealthier before we turn to a discussion of how certain defense techniques can be automated. There is no other training that offers such a comprehensive understanding and application of security automation across the spectrum of cybersecurity teams.
You Will Learn:
- Prevention, detection, and response for specific attack techniques used by real-world adversaries and penetration testers
- Offensive and defensive perspectives of these attack techniques through hands-on exercises
- How to translate repeatable activities into automated tasks
- How to improve the efficiency and effectiveness of a security operations team
- Cloud security automation in AWS and Azure
- Where to apply security automation and how to properly engineer your environment for automation
- The power of leveraging automation in purple team exercises
You Will Be Able To:
- Understand the security issues that most organizations are facing today.
- Translate security issues into smaller problems, define automated solutions for those specific problems, and then fully chain features that can be used to tackle multiple issues in an automated manner.
- Use tools like Terraform, Ansible, Chef, Puppet, and many more to locally automate secure configurations, set a desired-state configuration, deploy infrastructure as code in different environments, and detect and respond to security incidents in an automated manner.
- Evaluate real-world scenarios within a combination of on-premises and cloud environments using a reference framework that can be immediately used and implemented in your organization.
Syllabus (36 CPEs)
Section one lays the foundation for the remainder of the course by explaining overall security automation concepts and how they can be used within different environments and technology stacks. Concepts to be discussed include automation triggers, desired state configuration and security automation, and SOAR.
- Lab 1.1: Red Team Exercise
- Lab 1.2: Desired State Configuration
- Lab 1.3: Linking Triggers to Automation Scripting
- Lab 1.4: Defining Your First Automation Playbook
Course Outline and Lab Setup
- Course Objective and Lab Environment
- Why Security Automation Matters
- Introducing GLOBEX Automation
Security Architecture and Configuration
- Current State of Enterprise Architecture
- Infrastructure as Code
- Desired State Configuration
Security Automation Fundamentals
- Triggers for Automation
- Automation Playbooks
- Automated Incident Response
- How to Apply SOAR and SOEL
Section two focuses on security task automation in your infrastructure and explains how security automation can be engineered with built-in scripting and configuration management tooling. We will analyze how PowerShell can be used for desired state configuration to detect and respond to system misconfigurations. We will also look at what you can achieve with infrastructure as code tooling and a variety of SOAR tools. Finally, we will discuss playbook design and development for automated incident handling and mitigation techniques.
- LAB 2.1: PowerShell OS Hardening
- LAB 2.2: Hardening with Ansible
- LAB 2.3: Creating a Cortex Analyzers Responder
- LAB 2.4: XSOAR Playbook Development
- Automating Security Hardening
- PowerShell Basics
- Configuration Management Tooling
- Security Orchestration and Automation
- Security Automation with Python
- Security Orchestration Tools
- SOAR Playbooks
- Automated Security Controls
- Automating Security Compliance
- Automating Security Hardening
- Introduction to Cloud Environments
- Cloud 101
Sections one and two cover security automation based largely on on-premises technology stacks, so in section three we will move towards cloud native automation tooling. Attendees will gain an in-depth understanding of cloud native technologies used for security automation. We will focus on blueprinting, compliance validation, and automated remediation by using real-world examples of cloud misconfigurations.
- Lab 3.1: Detecting an Exposed Server with Azure Policy
- Lab 3.2: Creating Automated Actions in Azure
- Lab 3.3: Locking Down an Azure Storage Account
- Lab 3.4: Using the Amazon Web Services (AWS) Configuration Rule
- Lab 3.5: Integrating AWS/Azure with Third-Party API
- Lab 3.6: Deploying a Reference Architecture with ARM Templates and AWS CloudFormation Templates
Introduction to the Cloud
- Azure Basics
- AWS Basics
Microsoft Azure Automation
- Azure Policy and Blueprinting
- Security Monitoring and Automation Triggers
- How to Automate within Microsoft Cloud Environments
- Logic Apps and Azure Functions
- AWS Configuration
- Security Monitoring via CloudWatch and CloudTrail
- How to Automate within AWS
Bringing It All Together
- Reference Architectures and Blueprints
In section four, we will use the automation techniques we learned in previous sections for offensive security automation activities. This section presents examples on how to automate offensive techniques used by real-world adversaries and goes on to explain how chaining attack techniques can be used to emulate these adversaries.
- Lab 4.1: Configuring the Atomic Red Team
- Lab 4.2: Fully Automating Adversary Techniques
- Lab 4.3: Using Caldera to Run a Breach Exercise
- History of Offensive Security
- Introduction to Purple Teaming
- The MITRE ATT&CK Framework
Automating Offensive Security Testing
- Focus of Automation within Offensive Security
- Automated ATT&CK Testing with SOAR and the Atomic Red Team
Emulating Real-World Cyber Attacks
- Adversary Emulation
- Autonomous Breach-and-Simulation Exercise
Chaining Techniques and Automating Adversaries
- Creating Your Automated Chaos (Netflix Use Case)
Offensive Security in the Cloud
- Automated Testing for Cloud
Section five focuses on defensive security controls and how we use automation to prevent, detect, and respond to security incidents. Students will gain an in-depth understanding of how attacks can be detected and how to enrich incidents to minimize false positives and automatically trigger responses.
- Lab 5.1: Creating an Incident Response Playbook in PowerShell
- Lab 5.2: Creating an Incident Response Playbook using XSOAR
- Lab 5.3: Terraform in Action: Secured Infrastructure
- Lab 5.4: Detecting a Specific APT with Known Techniques and Automating Security Controls to Detect and Respond to This Attack
The final course section is a capstone event where students can apply and reinforce all the skills they've learned in a friendly, competitive environment. The capstone is a full day of challenging hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure the presence of detection and defensive capabilities.
- Applying Previously Covered Security Controls In-Depth
- Applying and Fine-Tuning Detection Capabilities and Using Automation to Reduce the False Positive Ratio
- Configuration Management Tools
- Infrastructure as Code Templates
- XSOAR Playbook Development
- AWS Configuration Rules and ARM Templates
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
As the course leverages the SANS OnDemand platform, the labs will be browser-based. The sections below outline the key requirements for optimal lab experiences.
Students must bring a laptop to class running any of the following OS families:
- Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
- For troubleshooting reasons, please ensure you have local administrator privileges on your laptop.
An up-to-date version of the following browser families is supported:
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
Hardware Requirements:
- x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
- 4 GB RAM minimum with 8 GB or higher recommended
- A wireless network adapter
- 10 GB available hard-drive space
During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
I started my career as a security engineer and was always interested in learning more about offensive security and how to implement certain defense mechanisms in response, especially from the perspective of the technology used. I quickly became aware that a structured solution was required to reduce the overall security risk exposure for the organizations I was working with.
Over the past few years I have seen that automation and orchestration can maximize the value of current security operations centers. Many of these organizations have the same challenges: hunting for talent, supporting an ever-increasing technology landscape, and reducing the time to handle and respond to incidents.
I am very excited to release SEC598, which is purely focused on automation, and I am convinced that SEC598 gives you an in-depth understanding of automation concepts and technologies, and of how to apply them for offense and defense. This course was created together with SANS ISC handlers, providing a unique mix of offensive and defensive skills.