SEC598: Security Automation for Offense, Defense, and Cloud

  • In Person (6 days)
  • Online
  • 36 CPEs

SEC598: Security Automation for Offense, Defense, and Cloud will equip you with the expertise to apply automated solutions to prevent, detect, and respond to security incidents. Students first train to understand the concept of automation, then learn how existing technologies can be best leveraged to build automation stories that translate repeatable problems to automated scripts.

What You Will Learn

The machines aren't taking over. You are!

Mastering automation workflows is a force multiplier for security teams. As the scope of work increases in both volume and complexity across today's modern enterprise, security teams find themselves in an uphill battle to prevent, detect, emulate, and respond to threats against their organization.

To combat this ongoing issue, world-class security teams have learned to unleash the power of automation. Highly skilled security and automation engineers are able to implement solutions that allow their teams to shift their daily focus away from high-volume, low-priority tasks to business-critical, high-priority initiatives.

Over the span of this course, you will work with a fictitious but realistic organization, GLOBEX, through more than 15 lab exercises and a capstone centered on security automation use cases that you can take back and implement within your own organization.

You Will Be Able To

  • Translate repeatable activities into automated tasks
  • Automate prevention, detection, and response capabilities for specific attack techniques used by real-world adversaries and red teamers
  • Improve the effectiveness of your SOC by uncovering opportunities for efficiencies across tier 1 and tier 2 responsibilities
  • Learn how to use Terraform for advanced capabilities, IaC modules, and setting up dynamic Red Team and Pentest infrastructure
  • Set up a Cloud Adversary Emulation capability and leverage cloud native tools to measure detection capabilities and automated response implementation
  • Leverage Infrastructure as Code tools to set up automated threat hunting, containment, acquisition, quarantine, and Incident Response workflows
  • Leverage Infrastructure as Code to deploy automated Cyber Range capabilities for on-premises, cloud-native, and hybrid environments, enhancing security programs and their understanding of attack tools and defensive controls
  • Deploy and maintain Adversary Emulation as Code and Detection Engineering using CI/CD workflows, helping to advance Red Team Operator and penetration testing capabilities
  • Leverage technologies such as Terraform, Ansible, Chef, Puppet, and SOAR tools to automate secure configurations, set a desired-state configuration, deploy infrastructure as code in different environments, and detect and respond to security incidents
  • Implement cloud security automation in AWS and Azure
  • Create a continuous, automation-enhanced approach to purple teaming

Skills Learned

  • Understand the security issues that most organizations are facing today.
  • Translate security issues into smaller problems, define automated solutions for those specific problems, and then fully chain features that can be used to tackle multiple issues in an automated manner.
  • Use tools like Terraform, Ansible, Chef, Puppet, and many more to locally automate secure configurations, set a desired-state configuration, deploy infrastructure as code in different environments, and detect and respond to security incidents in an automated manner.
  • Evaluate real-world scenarios within a combination of on-premise and cloud environments using a reference framework that can be immediately used and implemented in your organization.

What You Will Receive

  • Access to the in-class Virtual Training Lab for over 23 in-depth labs.
  • Virtual machine including automation tools, example Infrastructure as Code (IaC) templates for automation, Cyber Range tools, and offensive security testing tools.
  • Virtual machine including fourteen (14) perpetual use labs
  • Access to recorded course audio to help hammer home important automation techniques with offensive and defensive lessons.

Syllabus (36 CPEs)

  • Section 1: Overview

    Section one lays the foundation for the remainder of the course by explaining overall security automation concepts and how they can be used within different environments and technology stacks. Concepts to be discussed include automation triggers, desired state configuration, and security automation.

    Exercises
    • Lab 1.1: Red Team Exercise
    • Lab 1.2: OS Hardening baselines with Ansible
    • Lab 1.3: Linking Triggers to Automation Scripting
    • Lab 1.4: Define Your First Automation Playbook
    Topics
    • Course Outline & Lab Setup
      • Course Objective & Lab Environment
      • Why Security Automation Matters
      • Introducing GLOBEX Automation
    • Security Architecture & Configuration
      • Current state of Enterprise Architecture
      • Security Engineering CI/CD Approach
      • Infrastructure as Code
      • Desired State Configuration
    • Security Automation Fundamentals
      • Triggers for Automation
      • Automation Playbooks
      • How to apply SOAR and SOEL
  • Section 2: Overview

    Section two focuses on security task automation in your infrastructure and explains how security automation can be engineered with built-in scripting and configuration management tooling. We will analyze how PowerShell can be used for desired state configuration to detect and respond to system misconfigurations. We will also look at what you can achieve with infrastructure as code tooling and a variety of SOAR tools. Finally, we will discuss playbook design and development for automated incident handling and mitigation techniques.

    Exercises
    • PowerShell OS hardening
    • Cloud Management with Terraform
    • Deploying a Firing Range with Terraform
    • Create a Tines Story
    • Create an IOC malware analysis playbook
    Topics
    • Automate Security Hardening
      • PowerShell for Automation
      • PowerShell OS hardening
      • Configuration management tooling
      • Hardening with Ansible
      • Building firing ranges
      • Cloud Management with Terraform
    • Security Orchestration and Automation
      • Security Automation with Python
      • Security Orchestration tools
      • SOAR playbook development
  • Section 3: Overview

    Sections one and two covered security automation based largely on on-premise technology stacks, so in section three we will move towards cloud native automation tooling. Attendees will gain an in-depth understanding of cloud native technologies used for security automation. We will zoom into blueprinting, compliance validation, and automated remediation by using real-world examples of cloud misconfigurations.

    Exercises
    • Lab 3.1: Detecting an Exposed Server with Azure Policy
    • Lab 3.2: Creating Automated Actions in Azure with Sentinel and Logic Apps
    • Lab 3.3: Cloud-Native IR for Compromised Systems
    • Lab 3.4: Integrating AWS/Azure with Third-Party API
    Topics
    • Introduction to Cloud
      • Azure Basics
      • AWS Basics
    • Microsoft Azure Automation
      • Azure Policy and Blueprinting
      • Detect exposed server with Azure Policy
      • Security monitoring and automation triggers
      • Create automated actions in Azure
      • How to automate within MS cloud environments
      • Logic App and Azure Function
      • Locking down an Azure Storage Account
    • Amazon Web Services Automation
      • AWS Configuration
      • AWS Configuration Rule
      • Security monitoring via CloudWatch and CloudTrail
      • How to automate within AWS
      • Integrate AWS/Azure with third-party API
  • Section 4: Overview

    In section four, we will use the automation techniques we learned in previous sections for offensive security automation activities. This section presents examples of how to automate offensive techniques used by real-world adversaries and goes on to explain how chaining attack techniques can be used to emulate these adversaries.

    Exercises
    • Lab 4.1: Configuring Atomic Red Team
    • Lab 4.2: Fully Automating Adversary Techniques
    • Lab 4.3: Using Caldera to Run a Breach Exercise
    • Lab 4.4: Cloud Adversary Simulation with Automated Detections
    • Lab 4.4: Adversary Emulation as Code using API, Tines, and Github
    Topics
    • Introduction
      • The history of Offensive Security
      • Introduction to Adversary Emulation & Purple Teaming
      • The MITRE ATT&CK Framework
    • Emulating Adversary Tactics & Techniques
      • Adversary emulation tooling
      • Zooming in on Atomic Red Team
      • Configuring Atomic Red Team
      • Breach and Attack Simulation tools
      • Fully automate adversary technique
      • Chaining techniques and automate adversaries
      • Cloud Adversary Emulation
      • Using Caldera to run a breach exercise
      • AI-Powered Cyberattacks
    • Chaos Engineering
      • Create your automated chaos
      • Adversary Emulation as Code using API, Tines, and Github
  • Section 5: Overview

    Section five focuses on defensive security controls and how we use automation to prevent, detect, and respond to security incidents. Students will gain an in-depth understanding of how attacks can be detected and how to enrich incidents to minimize false positives and automatically trigger responses.

    Exercises
    • Lab 5.1: Automated Triage and Analysis with Velociraptor and Timesketch
    • Lab 5.2: Creating an Incident Response Playbook in PowerShell
    • Lab 5.3: Creating an Incident Response Playbook using Tines
    • Lab 5.4: Detecting a Specific APT with Known Techniques and Automating Security Controls to Detect and Respond to This Attack
    Topics
    • Introduction
      • History of defensive security
      • Focus of automation within defensive security
    • Detection and Incident Response
      • Automating Defense in Depth
      • Incident Response phases and where to automate
      • Incident Response Playbooks
      • Create an IR Playbook in PowerShell
    • Automate Incident Response using Tines
      • Create an IR playbook using Tines
    • Bringing it all together: Adversary emulation vs incident response
      • Detect a specific APT with known techniques and automate security controls
      • Create an Adversary Emulation & Detection Playbook
  • Section 6: Overview

    The final course section is a capstone event where students can apply and reinforce all the skills they've learned in a friendly, competitive environment. The capstone is a full day of challenging hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure the presence of detection and defensive capabilities.

    Topics
    • Applying Previously Covered Security Controls In-depth
    • Applying and fine-tuning detection capabilities and using automation to reduce the false-positive ratio
    • Configuration management tools
    • Infrastructure as code templates
    • Tines playbook development
    • AWS Configuration rules & ARM templates

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

As the course leverages the SANS OnDemand platform, the labs will be browser-based. The sections below outline the key requirements for optimal lab experiences.

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
  • Note: Apple Silicon devices cannot perform the necessary virtualization and cannot be used for this course.
  • For troubleshooting reasons, please ensure you have local administrator privileges on your laptop.

Browser

An up-to-date version of the following browser families is supported:

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

Hardware

  • x86- or x64-compatible CPU, 2.0 GHz or faster
  • 4 GB RAM minimum, 8 GB or more recommended
  • A wireless network adapter
  • 10 GB of available hard-drive space

During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

I started my career as a security engineer and was always interested in learning more about offensive security and how to implement certain defense mechanisms in response, especially from the perspective of the technology used. I quickly became aware that a structured solution was required to reduce the overall security risk exposure for the organizations I was working with.

Over the past few years I have seen that automation and orchestration can maximize the value of current security operations centers. Many of these organizations have the same challenges: hunting for talent, supporting an ever-increasing technology landscape, and reducing the time to handle and respond to incidents.

I am very excited to release SEC598, which is purely focused on automation, and I am convinced that SEC598 gives you an in-depth understanding of automation concepts, technologies and how to apply them for offense and defense. This course was created together with SANS ISC handlers, providing a unique mix of offensive and defensive skills.
