Brussels February 2020

Brussels, Belgium | Mon, Feb 17 - Sat, Feb 22, 2020
This course is sold out. Join the waitlist below or view other class locations and virtual options.

SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection Waitlist

Mon, February 17 - Sat, February 22, 2020

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

SEC699 is SANS's advanced purple team offering, with a key focus on adversary emulation for data breach prevention and detection. Throughout this course, students will learn how real-life threat actors can be emulated in a realistic enterprise environment. In true purple fashion, the goal of the course is to educate students on how adversarial techniques can be both emulated and detected.

A natural follow-up to SEC599, this is an advanced SANS course offering, with 60 percent of class time spent on labs. Highlights of class activities include:

  • An in-depth course section on how to develop Ansible playbooks that deploy a full multi-domain enterprise environment for adversary emulation at the press of a button.
  • Development of custom MITRE Caldera modules for automated adversary emulation. If you truly want to build an emulation pipeline, automation is key!
  • Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla.
  • Building a proper process, tooling, and planning for purple teaming.
  • Cross-forest attacks where students attempt to escalate privileges from their own isolated forest to the common course forest.
  • Bypass methods for some common defense techniques (e.g., application whitelisting, Attack Surface Reduction).
  • SIGMA rule-building to detect advanced adversary techniques.
  • A spectacular capstone that pits red and blue against one another. While red attempts to infiltrate the organization, blue builds a detection capability to detect adversary techniques.

Course authors Erik Van Buggenhout (the lead author of SEC599) and James Shewmaker (the co-author of SEC660) are both certified GIAC Security Experts (GSEs) and are hands-on practitioners who have built a deep understanding of how cyber attacks work through both red team (penetration testing) and blue team (incident response, security monitoring, threat hunting) activities. In this course, they combine these skill sets to educate students on adversary emulation methods for data breach prevention and detection.

The six-part SEC699 journey is structured as follows:

  • On day 1, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we'll be using and learn how to further extend existing tools.
  • Days 2 to 5 will be heavily hands-on:
    • Every morning, we will lecture on an "advanced" technique (e.g., domain delegation attacks).
    • After the morning lecture, we will perform a purple team exercise (both emulation and detection) for a specific threat actor. The advanced technique will be included in the emulation plan.
  • On day 6, students will participate in an all-day lab that pits red and blue teams against one another. While red attempts to infiltrate the organization, blue builds a detection capability to detect adversary techniques.

Course Syllabus

Erik Van Buggenhout
Mon Feb 17th, 2020
9:00 AM - 5:00 PM

Overview

On day 1 we will lay the foundations for the rest of the week by:

  • Learning how to build a purple team in-house, covering process, approach, and tooling.
  • Leveraging the power of Ansible automation to deploy our lab infrastructure.
  • Building an emulation and detection pipeline using a variety of available technology (SIGMA for detection rule development, and various adversary emulation tools, with a focus on Caldera).

Even though it is only the first day, this is a heavily hands-on day, as students will complete five different exercises.

Exercises
  • Exercise: Building adversary emulation plans
  • Exercise: Deploying our lab environment using Ansible
  • Exercise: Developing SIGMA and Velociraptor EDR for detection
  • Exercise: Leveraging adversary emulation tools
  • Exercise: Building a custom Caldera module

CPE/CMU Credits: 6

Topics
  • Introduction
  • Course objectives
  • Purple teaming using MITRE ATT&CK
  • Purple team planning and follow-up
  • Automation
  • Ansible automation
  • Building an emulation and detection pipeline
  • Building a stack for detection
  • Rule-based versus anomaly-based detection
  • Building a stack for adversary emulation
  • Automated emulation using MITRE Caldera

Erik Van Buggenhout
Tue Feb 18th, 2020
9:00 AM - 5:00 PM

Overview

As indicated in the overall course description, days 2 to 5 follow a common structure:

  • We will first perform a lecture and stand-alone lab on an advanced adversary technique and how it can be emulated.
  • Afterwards, we will build an emulation plan for a specific threat actor. The emulation plan will include the advanced technique covered in the lecture.
  • All techniques in the emulation will first be executed manually.
  • Upon manual completion of the emulation plan, we will review which steps of the plan could have been detected, and how. We will implement community SIGMA rules, but also develop our own rules to detect the steps of the emulation plan.
  • We will proceed by emulating the same plan in Caldera, where we will develop our own ATT&CK techniques as required.
  • We will test our implemented SIGMA rules by executing the automated adversary plan.

Exercises
  • Exercise: Advanced initial execution
  • Exercise: Manual execution of APT-28 emulation plan
  • Exercise: Develop and implement SIGMA and Velociraptor rules for detection
  • Exercise: Develop Caldera ATT&CK techniques
  • Exercise: Automated execution of APT-28 emulation plan

CPE/CMU Credits: 6

Topics
  • Topic for the day - Advanced initial execution
    • Bypassing application whitelisting and ASR
  • Threat actor for the day - APT-28
    • APT-28 - Introduction and common techniques
    • Definition of the APT-28 emulation plan
  • Implement detection use cases
    • Review opportunities for detection
  • Execute adversary emulation plan - automated
  • Conclusion
    • Debrief - Emulation plan conclusions and lessons learned

Erik Van Buggenhout
Wed Feb 19th, 2020
9:00 AM - 5:00 PM

Overview

As indicated in the overall course description, days 2 to 5 follow a common structure:

  • We will first perform a lecture and stand-alone lab on an advanced adversary technique and how it can be emulated.
  • Afterwards, we will build an emulation plan for a specific threat actor. The emulation plan will include the advanced technique covered in the lecture.
  • All techniques in the emulation will first be executed manually.
  • Upon manual completion of the emulation plan, we will review what steps of the plan could have been detected, and how. We will implement community SIGMA rules, but also develop our own rules to detect the steps of the emulation plan.
  • We will proceed by emulating the same plan in Caldera, where we will develop our own ATT&CK techniques as required.
  • We will test our implemented SIGMA rules by executing the automated adversary plan.

Exercises
  • Exercise: Advanced Active Directory attacks (cross-forest and delegation attacks)
  • Exercise: Manual execution of the APT-34 emulation plan
  • Exercise: Develop and implement SIGMA and Velociraptor rules for detection
  • Exercise: Develop Caldera ATT&CK techniques
  • Exercise: Automated execution of the APT-34 emulation plan

CPE/CMU Credits: 6

Topics
  • Topic for the day - Advanced AD attacks
    • Advanced Active Directory attacks
  • Threat actor for the day - APT-34
    • APT-34 - Introduction and common techniques
    • Definition of the APT-34 emulation plan
  • Implement detection use cases
    • Review opportunities for detection
  • Execute adversary emulation plan - automated
  • Conclusion
    • Debrief - Emulation plan conclusions and lessons learned

Erik Van Buggenhout
Thu Feb 20th, 2020
9:00 AM - 5:00 PM

Overview

As indicated in the overall course description, days 2 to 5 follow a common structure:

  • We will first perform a lecture and stand-alone lab on an advanced adversary technique and how it can be emulated.
  • Afterwards, we will build an emulation plan for a specific threat actor. The emulation plan will include the advanced technique covered in the lecture.
  • All techniques in the emulation will first be executed manually.
  • Upon manual completion of the emulation plan, we will review what steps of the plan could have been detected, and how. We will implement community SIGMA rules, but also develop our own rules to detect the steps of the emulation plan.
  • We will proceed by emulating the same plan in Caldera, where we will develop our own ATT&CK techniques as required.
  • We will test our implemented SIGMA rules by executing the automated adversary plan.

Exercises
  • Exercise: Stealth persistence strategies
  • Exercise: Manual execution of Turla emulation plan
  • Exercise: Develop and implement SIGMA and Velociraptor rules for detection
  • Exercise: Develop Caldera ATT&CK techniques
  • Exercise: Automated execution of Turla emulation plan

CPE/CMU Credits: 6

Topics
  • Topic for the day - Stealth persistence
    • Obtaining stealth persistence
  • Threat actor for the day - Turla
    • Turla - Introduction and common techniques
    • Definition of the Turla emulation plan
  • Implement detection use cases
    • Review opportunities for detection
  • Execute adversary emulation plan - automated
  • Conclusion
    • Debrief - Emulation plan conclusions and lessons learned

Erik Van Buggenhout
Fri Feb 21st, 2020
9:00 AM - 5:00 PM

Overview

As indicated in the overall course description, days 2 to 5 follow a common structure:

  • We will first perform a lecture and stand-alone lab on an advanced adversary technique and how it can be emulated.
  • Afterwards, we will build an emulation plan for a specific threat actor. The emulation plan will include the advanced technique covered in the lecture.
  • All techniques in the emulation will first be executed manually.
  • Upon manual completion of the emulation plan, we will review what steps of the plan could have been detected, and how. We will implement community SIGMA rules, but also develop our own rules to detect the steps of the emulation plan.
  • We will proceed by emulating the same plan in Caldera, where we will develop our own ATT&CK techniques as required.
  • We will test our implemented SIGMA rules by executing the automated adversary plan.

Exercises
  • Exercise: Azure AD attacks
  • Exercise: Manual execution of the APT-30 emulation plan
  • Exercise: Develop and implement SIGMA and Velociraptor rules for detection
  • Exercise: Develop Caldera ATT&CK techniques
  • Exercise: Automated execution of the APT-30 emulation plan

CPE/CMU Credits: 6

Topics
  • Topic for the day - Azure AD attacks
    • Azure AD attacks
  • Threat actor for the day - APT-30
    • APT-30 - Introduction and common techniques
    • Definition of the APT-30 emulation plan
  • Implement detection use cases
    • Review opportunities for detection
  • Execute adversary emulation plan - automated
  • Conclusion
    • Debrief - Emulation plan conclusions and lessons learned

Erik Van Buggenhout
Sat Feb 22nd, 2020
9:00 AM - 5:00 PM

Overview

On this final day of the SEC699 course, participants can choose whether to join the red or blue team in an epic capstone battle to infiltrate or defend the corporate environment. Students will leverage all of the tools and techniques they've learned throughout the course!

Exercises
  • Hands-on red and blue team capstone

CPE/CMU Credits: 6

Additional Information

Baseline Hardware Requirements

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Intel VT-x enabled
  • USB 3.0 Type-A port
  • 16 GB RAM
  • 100 GB Free space
  • Windows 10 Pro or macOS 10.12+

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

  • Penetration testers
  • Ethical hackers
  • Defenders who want to better understand offensive methodologies, tools, and techniques
  • Red team members
  • Blue team members
  • Purple Team members
  • Forensics specialists who want to better understand offensive tactics

Prerequisites

This is a fast-paced, advanced course that requires a strong desire to learn advanced red and blue team techniques. The following SANS courses are recommended either prior to or as a companion to taking this course:

Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts.

You should also be well versed with the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required. Please contact the author at evanbuggenhout@nviso.be if you have any questions or concerns about the prerequisites.

What You Will Receive

  • A course USB that includes a VM for adversary emulation
  • Ansible playbooks to deploy a full-blown test environment
  • Custom CALDERA plugins (which you build in class) to improve automated emulation work
  • Custom SIGMA rules (which you build in class) to improve security monitoring & detection
You Will Be Able To

  • Build a purple team in your organization
  • Build realistic adversary emulation plans to better protect your organization
  • Develop custom tools and plugins for existing tools to fine-tune your red and purple teaming activities
  • Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
  • Build SIGMA rules to detect advanced adversary techniques

Author Statement

"After the success of SEC599, I'm very excited to unleash this course offering upon the SANS audience! SEC699 is an amazing course that came about because we listened to student requests for a hands-on adversary emulation class leveraging an enterprise lab environment. This is it!

"SEC699 attendees will learn advanced red and blue team techniques for proper purple teaming in an enterprise environment. Throughout the week we do not just focus on explaining 'tips and tricks,' but also empower students to build and adapt their own tooling for proper adversary emulation. This includes, for example, custom Caldera, SIGMA and Velociraptor development.

"The SEC699 lab environment is fully built using Ansible playbooks and covers multiple domains and forests that can be attacked! As promised, students will receive the Ansible playbooks AND will acquire the necessary skills to further extend and tailor them for their own custom needs."

- Erik Van Buggenhout