Two Days Left to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or vLive Training!

Crystal City 2018

Arlington, VA | Mon, Jun 18 - Sat, Jun 23, 2018
This event is over,
but there are more training opportunities.

SEC599: Defeating Advanced Adversaries - Implementing Kill Chain Defenses New

Mon, June 18 - Sat, June 23, 2018

This course is well balanced and a great means to educate blue teamers of offensive capabilities.

Mohammed Hleihel, Mary Kay Inc.

Course content and labs were fantastic! Very good in identifying malicious actions taken and what to look out for -- great blue team related material.

Jason Thurott, Hyatt

You just got hired to help our virtual organization "SyncTechLabs" build out a cyber security capability. On your first day, your manager tells you: "We really don't know where to start! We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service...We're not even sure where to start!"

Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Implementing Kill Chain Defenses will arm you with the knowledge and expertise you need to detect and respond to today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls designed to stop advanced adversaries

Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked "But how do I prevent this type of attack?" With more than 20 labs plus a full-day "Defend-The-Flag" exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real world examples of how to prevent attacks.

Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" in our Day 1 exercises.

Throughout days two through five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:

  • Building your own mail sandbox solution to detect spear phishing
  • Developing effective group policies to stop malicious code execution
  • Stopping 0-day exploits using exploit mitigation techniques and application whitelisting
  • Detecting and avoiding malware persistence
  • Detecting and preventing lateral movement through sysmon, Windows event monitoring, and group policies
  • Blocking and detecting command and control through network traffic analysis
  • Leveraging threat intelligence to improve your security posture

In designing the course and its exercises, the authors went the extra mile to ensure that attendees "build" something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.

SEC599 will finish with a bang. During the "Defend-the-Flag" challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?


This Course Will Prepare You To:

  • Understand how recent high-profile attacks were delivered and how they could have been stopped
  • Implement security controls throughout the different phases in the APT Attack Cycle to prevent, detect, and respond to attacks. We will define the following stages in the APT Attack Cycle:
    • Reconnaissance
    • Weaponization
    • Delivery
    • Exploitation
    • Installation
    • Command and control
    • Action on objectives
  • Carry out a series of practical exercises:
    • Compromise a virtual organization to understand how attackers operate
    • Build your own mail sandbox solution to detect spear phishing
    • Develop effective group policies to stop malicious code execution
    • Stop 0-day exploits using exploit mitigation techniques and application whitelisting
    • Detect and avoid malware persistence using host-based IDS techniques
    • Detect and prevent lateral movement through sysmon, Windows event monitoring, and group policies
    • Block and detect command and control through network analysis
    • Leverage threat intelligence in the APT Attack cycle


Course Syllabus

James Shewmaker
Mon Jun 18th, 2018
9:00 AM - 5:00 PM


Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what's happening out there and introduce the APT Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" during the day's exercises.

  • One click is all it takes...You will compromise our virtual organization through a series of offensive tasks to mimic that of an adversary or red team, including gaining an initial foothold, performing lateral movement, maintaining persistence, all while remaining stealthy.

CPE/CMU Credits: 6

  • Course outline and lab set-up
  • Current threat and attack landscape
  • Introducing the APT Attack Cycle
  • Recent attacks - case studies
  • Knowing yourself - Understanding your own environment
  • Understanding and limiting your organization's footprint

James Shewmaker
Tue Jun 19th, 2018
9:00 AM - 5:00 PM


Day 2 will cover how attackers take their first steps. How do they perform reconnaissance and what can we do to hinder it? The courseware will cover technical controls, but will also touch upon "soft topics" such as security awareness.

After reconnaissance is performed and vulnerabilities are spotted, the adversary will weaponize the payload and deliver it to the target. We will analyze how delivery of the payload can be detected and blocked. We will cover a variety of techniques, including mail-based controls (e.g., SMTP file and URL carving, sandboxing, etc.) and web-based controls (access controls using web proxies).

  • Building our a sandbox using Suricata and Cuckoo
  • Finding the needle in the haystack using YARA
  • Deploying PfSense firewall with Squid and ClamAV
  • Developing eye-candy using Kibana
  • Controlling scripting with GPOs

CPE/CMU Credits: 6

  • Strategies for preventing/detecting payload delivery
  • End-user security awareness
  • Leveraging Suricata IDS / IPS
  • Mail security controls (AV, SMTP file, and URL carving)
  • Mail attachment sandboxing
  • Zooming in on YARA rules
  • Controlling scripts in the enterprise
  • Web proxy configuration to defeat drive-by downloads

James Shewmaker
Wed Jun 20th, 2018
9:00 AM - 5:00 PM


Day 3 will explain how exploitation can be prevented. Attendees will gain an in-depth understanding of current exploitation tactics. We will introduce effective security controls to stop exploitation attempts dead in their tracks. We will assess tools and techniques aimed at protecting both your network and your hosts and applications. Typical items that will be discussed include network authentication, OS hardening, application threat modeling, client and OS patch management, and exploit mitigation techniques.

  • Hardening your Windows environment using GPOs
  • Hands-on exploitation mitigation with EMET
  • Configuring AppLocker to stop malicious payload execution
  • End-point monitoring using sysmon and YARA rules

CPE/CMU Credits: 6

  • Protecting the network
    • Network access control and 802.1X
  • Protecting your hosts
    • OS hardening and best practices and policies
    • Client and OS patch management
    • End-point protection solutions
    • Exploit mitigation techniques
  • Protecting your own software
    • Security in the Software Development Lifecycle (SDL)
    • Security assessments and bug bounties
    • Application threat modeling
  • Protecting other software

James Shewmaker
Thu Jun 21st, 2018
9:00 AM - 5:00 PM


Day 4 will continue with discussion about exploit prevention techniques, but we'll also zoom in on persistence techniques typically employed by advanced adversaries and how command and control is established. If adversaries successfully exploit a vulnerability, their next step is to attempt to maintain their access, escalate privileges, and set up a command and control channel.

  • Implementing OSSEC to detect persistence
  • Implementing VLANs using PfSense
  • Detecting AD attacks (pass-the-hash, Mimikatz, etc.) using sysmon and Windows event logs
  • Limiting outbound network traffic using PfSense
  • Using Suricata to detect network anomalies

CPE/CMU Credits: 6

  • Network architecture and segmentation recommendations
  • Monitoring the Active Directory environment for suspicious behavior
  • Typical persistence strategies and approaches
  • Detecting and avoiding persistence in the enterprise
  • Full packet capture and IDS strategies
  • Traffic profiling
  • NetFlow analysis and recommendations
  • Identifying command and control

James Shewmaker
Fri Jun 22nd, 2018
9:00 AM - 5:00 PM


Day 5 focuses on stopping the adversary during the final stages of the attack:

  • How can data exfiltration be detected and stopped?
  • How can cyber deception be used to slow down and stop advanced adversaries?
  • How can threat intelligence aid defenders in the APT Attack Cycle?
  • How can defenders perform effective incident response?

As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.

  • Preparing and planting canaries with CanaryTokens
  • Detecting data exfiltration using Suricata
  • Making your honeypot irresistibly sweet
  • Installing MISP and obtaining threat intelligence
  • Incident response using GRR
  • Querying your hosts using OSQuery

CPE/CMU Credits: 6

  • Data exfiltration
    • Planting canaries with Canarytokens
    • Detecting exfiltration on the network
  • Vector-oriented defenses
    • Ransomware
    • Hacktivists
    • Cyber espionage
  • Cyber deception strategies
    • Honeypots
  • Leveraging threat intelligence
  • Patrolling the neighborhood
    • Monitoring your endpoints using OSQuery
  • Incident response
    • Leveraging GRR to respond to incidents in your environment

James Shewmaker
Sat Jun 23rd, 2018
9:00 AM - 5:00 PM


The course culminates in a team-based Defend the Flag competition. Day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls taught all week long. This challenging exercise will reinforce key principles in a fun challenge that will put your new skills to the test in an environment just like the ones you'll be working in when you return to your jobs.

CPE/CMU Credits: 6

  • Applying previously covered security controls in-depth
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and control
  • Action on objectives

Additional Information

As the course leverages the SANS OnDemand platform, the labs will be browser-based. The following are key requirements for optimal lab experience:

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Windows 7, 8.1 or 10
  • MacOS Mavericks, Yosemite, El Capitan or Sierra:
  • Linux-based distributions could work, but this will depend on your exact distribution
  • For troubleshooting reasons, please ensure you have local administrator privileges to your laptop


An up to date version of the following browser families is supported:

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox


  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 10 GB available hard-drive space

During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Security Architects
  • Security Engineers
  • Technical Security Managers
  • Security Operations Center Analysts, Engineers, and Managers
  • IT Administrators
  • Individuals looking to better understand how advanced persistent cyber adversaries operate and how the IT environment can be improved to better prevent, detect, and respond to incidents
  • Experience with Linux and Windows from the command line
  • Familiarity with Windows Active Directory concepts
  • A solid understanding of TCP/IP and networking concepts
  • MP3 audio files of the complete course lecture
  • 32GB USB 3.0 stick that includes the key solutions built through the course
    • A mail sandbox solution
    • An open-source IDS/IPS system
    • An ELK stack for data visualization and dashboarding
    • An open-source firewall with built-in web proxy capabilities

SEC599 leverages the SANS OnDemand platform, where attendees will be able to complete more than 20 labs in the course using a full-fledged browser environment. This eliminates possible issues with hardware and software compatibility by spooling up a "per-instance" virtual environment for each exercise mimicking that of a real-world production environment. Each student will be sandboxed into a unique instance providing domain isolation and preventing other students from impacting their environment.

Author Statement

"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in each class were not actually penetration testers or those who would be writing 0-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."

- Stephen Sims

"During my InfoSec career, I first focused on penetration testing for more than five years, then I shifted my focus more and more to the world of incident response. That's when I started observing the need for a structured approach to Cyber Defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense in-depth approach where we can implement security controls that counter each and every one of their attacking moves. SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT Attack Cycle will provide in-depth technical insight into how attacks work from start to finish. Both Stephen Sims and I have extensive experience in penetration testing and incident response, which makes us ideally positioned to develop this course. I personally am VERY excited about this course, as I believe it fills a gap in the Cyber Defense curriculum. The course is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course is designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-The-Flag' exercise on Day 6."

- Erik Van Buggenhout