Train at Home with Top Cybersecurity Experts - SANS OnDemand

Cyber Defense Initiative® 2013

Washington, DC | Thu, Dec 12 - Thu, Dec 19, 2013
This event is over,
but there are more training opportunities.

SEC501: Advanced Security Essentials - Enterprise Defender

Thu, December 12 - Tue, December 17, 2013

A must for cyber security professionals!

Gary Oakley, BMPC

By far, this is the most interesting, informative, and immediately applicable course I've taken.

Ken Ortiz, NOAA Fisheries

Cyber security continues to be a critical area for organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage. While Security Essentials lays a solid foundation for the security to engage the battle.

A key theme is that prevention is ideal, but detection is a must. We need to be able to ensure that we constantly improve our security to prevent as many attacks as possible. This prevention/protection occurs on two fronts - externally and internally. Attacks will continue to pose a threat to an organization as data becomes more portable and networks continue to be porous. Therefore a key focus needs to be on data protection, securing our critical information no matter whether it resides on a server, in a robust network architecture, or on a portable device.

Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore we need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks and looking for indication of an attack. It also includes performing penetration testing and vulnerability analysis against an organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react to it in a timely fashion and perform forensics. By understanding how the attacker broke in, this can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

Course Syllabus

Dr. Eric Cole
Thu Dec 12th, 2013
9:00 AM - 5:00 PM


Protecting a network from attack starts with designing, building, and implementing a robust network infrastructure. There are many aspects to implementing a defense-in-depth network that are often overlooked since companies focus too often only on functionality. Achieving the proper balance between business drivers and core protection of information is very difficult, and an organization must build a network that is mission resilient to a variety of attacks that might occur.

On the first day students will learn not only how to design and build a network that can both prevent attacks and recover after compromise, but also how to retrofit an existing network to achieve the level of protection that is required. Building a network is easy, but integrating all of the components so the network can withstand a variety of attacks and support the mission of the organization takes a special skill. Students will learn how to design and implement a functionality-rich, secure network and also how to maintain and update it as the threat landscape evolves.

CPE/CMU Credits: 6

  • Introducing Network Infrastructure as Targets for Attack
  • Impact of compromised routers and switches
  • Escalating privileges at layers 2 and 3
  • Weaknesses in Cisco router and switch architecture
  • Integrating and understanding existing and network devices to defend against attacks
  • Implementing the Cisco Gold Standard to Improve Security
  • CISecurity Level 1 and 2 Benchmarks for Routers
  • SANS Gold Standard switch configuration
  • Implementing security on an existing network and rolling out new devices
  • Advanced Layer 2 and 3 Controls
  • Routing protocol authentication
  • Filtering with access control lists
  • DHCP, ARP snooping, and Port Security
  • Introduction to Network Admission Control and 802.1x

Dr. Eric Cole
Fri Dec 13th, 2013
9:00 AM - 5:00 PM


Prevention is ideal, but detection is a must - this is a critical motto of security professionals. While organizations always like to prevent as many attacks as possible, some will still sneak into the network. In cases where an attack can not be prevented, security professionals must understand the indications and warnings that are indicative of attack and detect them before they cause significant harm. Packet analysis and intrusion detection is at the core of timely detection. Not only should attacks be detected, but organizations should react to make sure that these attacks can be prevented in the future.

Based on the changing landscape of attacks, detecting attacks is becoming more difficult because attacks are now more stealthy and difficult to find. Only by understanding the core principles of traffic analysis can one become a skilled analyst and be able to differ between normal traffic and attack traffic. In addition, new attacks are coming out all the time. So security professionals must be able to write rules that detect new, advanced zero-day attacks before they compromise a network.

In the past, traffic analysis and intrusion detection was treated as a separate discipline within many organizations. Today, prevention, detection, and reaction must all be closely knit so that once an attack is detected, defensive measures can be adapted, proactive forensics can be implemented, and the organization can to continue to operate.

CPE/CMU Credits: 6

  • Architecture Design and Preparing Filters
  • Building intrusion detection capability into a network
  • Understanding the components currently in place
  • Detection Techniques and Measures
  • Understanding various types of traffic occurring on a network
  • Knowing how normal traffic works
  • Differentiating between attacks and normal users on a network
  • Advanced IP Packet Analysis
  • Performing deep packet inspection and understanding usage of key fields
  • Event correlation and analysis
  • Analyzing an entire network instead of a single device
  • Building advanced snort rules
  • Intrusion Detection Tools
  • Installing and using analysis software
  • Wireshark
  • Building custom filters

Dr. Eric Cole
Sat Dec 14th, 2013
9:00 AM - 5:00 PM


Security is all about understanding, mitigating, and controlling risk to an organization's critical assets. Therefore an organization must understand what the changing threat landscape is and compare that against its own vulnerabilities that could be used to compromise a network. While this was never an easy task, it is becoming much more difficult since the threats are evolving very rapidly and organizations are so complex. On day three students will understand the variety of tests that can be run against an organization and how to perform penetration testing in an effective manner.

Finding basic vulnerabilities is easy, but it is not very effective if these are not the vulnerabilities that attackers will use to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about both external and internal penetration testing and the methods of black, gray, and white box testing.

Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the overall security of an organization.

CPE/CMU Credits: 6

  • Variety of Penetration Testing Methods
  • Frequency and use of vulnerability analysis, penetration testing, and security assessment
  • Vulnerability Analysis
  • How to perform vulnerability analysis
  • Key areas to identify and ways to fix potential problems
  • Key Tools and Techniques
  • Tools, techniques, and methods used in testing
  • Basic Pen Testing
  • Methods and means of performing a pen test
  • Focus, requirements, and outputs of a successful test
  • Prioritizing and remediation of issues
  • Advanced Pen Testing
  • Understanding and mapping to an organization infrastructure
  • Application testing and system analysis

Dr. Eric Cole
Sun Dec 15th, 2013
9:00 AM - 5:00 PM


Any organizations that are connected to the Internet or that have employees are going to have attacks launched against them. Even with a keen focus on robust network design, preventive security, and finding vulnerabilities through penetration testing, some attacks will still occur. In these cases identifying, analyzing, and responding is critical.

Security professionals need to understand how to perform incident response, analyze what is occurring, and restore their organization back to a normal state as soon as possible. Day four will equip students with a proven six-step process to follow in response to an attack - prepare, identify, contain, eradicate, recover and learn from previous incidents. Cyber incidents are a lot like a fire. The sooner you detect them, the easier they are to deal with and the less damage they cause. Therefore prompt incident response is a key follow-on to intrusion analysis.

Another key aspect of incident response is forensic analysis and discovery. Students will learn how to perform forensic investigation and find indication of an attack. This information will be fed into the incident response process and ensure the attack is prevented from occurring again in the future.

CPE/CMU Credits: 6

  • Incident Handling Process and Analysis
  • Preparing for an incident
  • Identifying and responding
  • Containing a problem to preserve mission resilience
  • Identify and eradicate the problem
  • Recovery system data, including restoring to normal operation
  • Lesson learned and follow-up reporting
  • Forensics and Incident Response
  • Windows response skills
  • Windows forensics tool chest
  • Linux/Unix response and analysis
  • Linux/Unix tools and system analysis

Dr. Eric Cole
Mon Dec 16th, 2013
9:00 AM - 5:00 PM


As security professionals continue to build more proactive security measures, attackers methods will continue to evolve. A common way for attackers to target, control, and break into as many systems as possible is through the use of malware. Therefore, it is critical that students understand what type of malware is currently available to attackers and future trends and methods of exploiting systems. With this knowledge students can then learn how to analyze, defend, and detect malware on systems and minimize the impact to the organization.

CPE/CMU Credits: 6

  • Malware
  • Type of malware and corresponding behavior
  • Dealing with malware
  • Tying malware into intrusion analysis and incident response
  • Microsoft Malware
  • Using Microsoft Windows basic built-in CLI tools
  • Using Microsoft Windows Advanced built-in CLI tools
  • Using Microsoft Windows built-in GUI tools
  • External Tools and Analysis
  • Using external tools to fight BHO
  • Fighting Rootkits with Basic and Advanced tools
  • Inspecting Active Processes
  • Using online resources to get help

Dr. Eric Cole
Tue Dec 17th, 2013
9:00 AM - 5:00 PM


Cyber security is all about managing, controlling, and mitigating risk to your critical assets. In almost every organization, your critical assets are composed of data or information. Whether it is a customer list, research plans, intellectual property, classified information, or a marketing plan, this data represents the life line of your organization and must be properly protected. Perimeters are still important and critical, but we are moving away from a fortress model and moving towards a focus on data. This is based primarily on the fact that our networks are becoming more porous, and our data is more portable.

Information no longer solely resides on your servers where properly configured access controls list can limit access and protect our information. The same intellectual property that is protected on a server behind a strong perimeter can now be copied to laptops (i.e. portable servers) and be plugged into networks (i.e. hotels, airports and coffee shops) that have no firewalls or security devices in place. This means the data must be able to be protected no matter where it resides, since a compromise of sensitive data will have an impact to the company, no matter how it was stolen.

Building a strong perimeter defense is a critical first step, but focusing in on protecting and controlling critical data from loss is another key step in building a strong preventive measure. Proactive security must be put in place to make sure critical information is properly protected and exposure is minimized.

CPE/CMU Credits: 6

  • Risk Management
  • Calculating and understanding risk across an organization
  • Building proper risk mitigation plans
  • Applying proactive risk management processes
  • Incorporating risk management into all business processes
  • Understanding insider threat
  • Data Classification
  • Building a data classification program
  • Key aspects on deploying and implementing classification of critical information
  • Staged role out of classifying new and existing information
  • Managing and maintaining portable data classification
  • Digital Rights Management
  • Understanding what digital rights are
  • Balancing digital rights with data classification
  • Managing access across the enterprise
  • Balancing functionality and security
  • Data Loss Prevention (DLP)
  • Identifying requirements and goals for preventing data loss
  • Peeling through the hype of DLP
  • Identifying practical DLP solutions that work
  • Managing, evaluating, implementing, and deploying DLP

Additional Information

A properly configured laptop is required to participate in this course. Students must have Administrator privileges and antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed that you cannot lose data on, it is recommended to obtain a clean hard drive, replace it with the new drive.

Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:

  • DVD-RW drive
  • 4 GB RAM (more memory is strongly recommended)
  • 40GB of available disk space (more space is recommended)
  • 4GB USB memory stick
  • Windows 7 32-bit virtual machine

Please note: Windows 7 32-bit is an explicit requirement for Sec501 and later versions of Windows operating systems will not work.


You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website. If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course. It is recommended that you use VMware Workstation.

SIFT (SANS Incident Forensic Toolkit)

In the labs we will utilize the SIFT Workstation to introduce the student to the SIFT Workstation and to teach hands-on response techniques. The SIFT Workstation was created and maintained by Rob Lee. Full instruction using the SIFT Workstation is accomplished in Forensics 508: Computer Forensic Investigations and Incident Response. Forensics 508 teaches how to respond to technically savvy criminals and challenging intrusion cases. You can download SIFT at: the SIFT Kit Download Page.

Since the native Windows compression utility is unable to extract the SIFT main image file, you will need to download a compression utility. You can download WinRAR from the WinRAR website. To begin the installation, double-click the executable file and accept the default settings. Note that WinZip will also work.

You will need to save the download to your local disk and use WinRAR to extract the files to the local disk and into the default path location. Once the Download is complete, launch VMware and find the folder SIFT Workstation v1.3. Within that directory you will find the Forensic Workstation .vmx file needed to launch SIFT. Open up the virtual image and download VMware Tools if prompted to.

Additional Tools You Will Receive

We will provide you with additional tools for completing hands-on exercises. Hardware requirements outlined above are meant to ensure that you have sufficient memory and disk space available to simultaneously run the SIFT Workstation virtual machine. The tools can also be downloaded from the Internet. For simplicity, you may want to create a folder on your desktop (e.g., 501 Day 4 Downloads) to use as a location for additional tools if you are downloading them from the Internet.

Final Checklist

We suggest going over the following checklist to make sure that your laptop is prepared for the course:

  • The laptop meets hardware requirements outlined in this note.
  • VMware Workstation and that the VMware license will not expire before the class (if using a trial copy).
  • You created a Windows 7 virtual machine image (no latest updates from Microsoft needed).
  • The Windows VMware machine runs using host-only networking mode.

If you have additional questions about the laptop specifications, please contact

  • Identify the threats against network infrastructures and build defensible networks that minimize the impact of attacks
  • Learn the tools that can be used to analyze a network to both prevent and detect the adversary
  • Decode and analyze packets using various tools to identify anomalies and improve network defenses
  • Understand how the adversary companies works and how to respond to attacks
  • Perform penetration testing against an organization to determine vulnerabilities and points of compromise
  • Understand the 6 steps in the incident handling process and be able to create and run an incident handling capability
  • Learn how to use various tools to identify and remediate malware across your organization
  • Create a data classification program and be able to deploy data loss prevention solutions at both a host and network level

Author Statement

It is always a thrill after I finish teaching SEC401 to see students leave with a fire in their eyes and an excitement about them. They walked into class feeling overwhelmed that security is a lost cause, but now they leave class understanding what they need to do and have a focus and drive to do the right thing to secure their organizations. However the next question we receive on a constant basis is, what course should I take next? How do I continue my journey? Well, it depends on what your focus area is. Do you want to get more into perimeter protection, IDS, operating system security, etc? The challenge is that many students have positions that do not allow them to focus on one area â they need to understand all of the key areas across security. What students are telling us is that they want a Security Essentials part 2 or a 500-level continuation of Security Essentials covering the next level of technical knowledge. In Security 501, SANS has decided to give students just what they have been asking for, and I am beyond thrilled with the results. We have identified core foundation areas that compliment SEC401 with no overlap and continue to build a solid security foundation for network practitioners.

This is illustrated by one student who after a recent class ran up to me, gave me a big hug (he was a retired football player, so I did not argue), and said, "SANS is awesome. I have been frustrated in my job for over a year and had lost hope that you really could secure an organization and that anything I did made a difference. Just as my light of hope was burning out, I decided to take the Security Essentials course, figuring it was a lost cause. After this class the fire is burning brighter than it ever was. I feel like a kid again and cannot wait to go back to my company and make a difference. However, I think my boss is scared because I called him eight times throughout the week, telling him all of the great information and practical knowledge I learned."

After teaching thousands of students, I am confident you will have similar results and be just as excited. However, just for reference, hugs are optional.

- Eric Cole