10th Annual ICS Security Summit

Orlando, FL | Sun, Feb 22, 2015 - Mon, Mar 2, 2015

ICS515: ICS Active Defense and Incident Response

ICS515 raised my awareness of incidents affecting ICS today and broadened my knowledge of techniques and tools to manage them effectively.
Steven Romero, WGMI (Wood Group Engineering)

This course is the missing piece to get companies to take threats seriously, pursue the truth, and share their findings.
Rob Cantu, DOE

Course Author: Robert M. Lee

This course is designed to empower students with the ability to understand and utilize active defense mechanisms in concert with incident response for industrial control system networks to respond to and deny cyber threats. This class uses a hands-on approach to give students a technical understanding of concepts such as generating and using threat intelligence, communicating control system needs to information technology personnel to deploy appropriate defenses, detecting malicious actors or threats on control system networks, and performing threat triage and incident response to ensure the safety and reliability of operations technology.

You Will Learn:

  • Day 1: Students will gain an understanding of threat intelligence and learn how to generate their own as well as utilize what is available in the community. Additionally, they will be able to write a technical report that can be used internally with IT defense teams to ensure control system defense needs are met.
  • Day 2: Students will be introduced to the idea of active defense as well as cyber counterintelligence to limit their control system threat landscape and deploy effective detection and defense measures against known and unknown threats.
  • Day 3: Students will learn how to safely and properly respond to an incident internally. They will be able to distinguish device malfunctions from cyber threats as well as prepare and utilize sources of forensic data that can benefit incident response. The outcome will be to determine if a shutdown of the facility is necessary or if they have the time and the ability to triage and learn more.
  • Day 4: Students will learn how to operate through an attack and gain the information necessary to instruct teams and management on when operations must shut down or when it is safe to respond to the threat and continue operations. The outcome will be identifying ways forward as well as additional information which can feed back to incident response teams and threat intelligence teams.
  • Day 5: Students will go through a single scenario that combines the concepts and skills from the categories of threat intelligence, active defense, incident response, and threat triage. It will stress the circular nature of the process and how teams can work together to ensure safety and reliability on control networks.

Course Syllabus

ICS515.1: ICS Threat Intelligence
Instructor: Robert M. Lee | Wed Feb 25th, 2015, 9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Case Study: HAVEX
  • Introduction to Active Defense and Response
  • Lab: CYBATI Kit Setup
  • Intelligence Life Cycle and Threat Intelligence
  • ICS Information Attack Surface
  • Lab: Pattern and Information Mapping
  • External Threat Intelligence
  • Internal Threat Intelligence
  • Lab: ICS Honeypot
  • Sharing and Consuming Threat Intelligence
  • Lab: Consuming Threat Intelligence
ICS515.2: Asset Identification and Network Security Monitoring
Instructor: Robert M. Lee | Thu Feb 26th, 2015, 9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • ICS Asset and Network Visibility
  • Lab: Asset Discovery and Network Visualization
  • Identifying and Reducing the Threat Landscape
  • ICS Network Security Monitoring - Collection
  • Lab: Collecting the Right Data
  • ICS Network Security Monitoring - Detection
  • Lab: Detecting the Bad Data
  • ICS Network Security Monitoring - Analysis
  • Lab: Analyzing and Responding
ICS515.3: Incident Response
Instructor: Robert M. Lee | Fri Feb 27th, 2015, 9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Incident Response and Digital Forensics Overview
  • Incident Response Fundamentals
  • Building an ICS Incident Response Team
  • Preparing Ahead of Time
  • Sources of Forensic Data in ICS Networks
  • Remote and Local Systems
  • Lab: Acquisition and Verification
  • Time Critical Incident Response
  • Lab: Indicators in Action
  • Maintaining and Restoring Operations
  • Lab: Capturing the Malware
ICS515.4: Threat and Environment Manipulation
Instructor: Robert M. Lee | Sat Feb 28th, 2015, 9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • ICS Threat and Environment Manipulation Goals and Considerations
  • Establishing a Safe Working Environment
  • Malware Analysis Methodologies
  • ICS Malware Analysis Essentials
  • Lab: Dynamic Malware Analysis
  • Malware Manipulation
  • Lab: Neutralizing Malware Callbacks
  • Indicators of Compromise
  • Lab: IoC Development
  • Uncovering Ongoing Campaigns
  • Lab: Targeted Attack Identification
  • Environment Manipulation and Lessons Learned
ICS515.5: Active Defense and Incident Response Challenge
Instructor: Robert M. Lee | Sun Mar 1st, 2015, 9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Phase One:
    • Divide class into teams and establish roles and responsibilities
    • Introduction brief to the scenario
    • Identification of current situation, defenses, and intelligence sources
    • Introduction of Threat Intel that must be made into IoCs
  • Phase Two:
    • Give the students data from the CYBATIWorks Lab Network
    • Instruct the students to analyze the large dataset to identify the infrastructure and begin searching for threats
    • Students should leverage IoCs while creating new ones against observed threats
    • The students will also develop IDS signatures and/or firewall rules
  • Phase Three:
    • An active threat has infiltrated their ICS facility
    • The threat triggered on one of the IDS rules but different TTPs are being used internally
    • Students will pull information from critical nodes
    • Students will identify a second and apparently unrelated threat
  • Phase Four:
    • Students need to focus on the most significant threat and triage the network
    • Logs will be given to determine what might be an active threat vs. automated activity
    • Students will be given a sample of the malware to perform analysis on
    • Students should develop new IDS/Firewall rules
    • Students will prepare a recommendation to management on shutting down or continuing operations and why
    • This phase will demonstrate the circular nature of the entire process

Additional Information

"Awesome!! This course being my 6th SANS course, Robert Lee demonstrated and reiterated the fact that SANS has the world's best instructors!!" - Srinath Kannan, Accenture

"This course covered quite a few topics that showed an attack from start to finish. I liked it because most other classes only show specific steps, not the whole picture." - Anonymous

  Laptop Required

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

  • 64-bit system
  • Laptop with Windows 7 or Windows 8.1 installed
  • Laptop with at least two USB ports
  • Latest VMware Player 7 or higher installed
  • Ability to disable all security software on the laptop, such as antivirus and/or firewalls
  • At least one hundred (100) GB of free hard drive space
  • At least six (6) GB of RAM (8 GB recommended)

If you have additional questions about the laptop specifications, please contact

  Who Should Attend
  • IT and OT Support
  • IT and OT Cybersecurity
  • ICS Engineers

Students from various technical backgrounds will do well in this course. Command line experience will be helpful, as well as SEC401, ICS410, or equivalent essential cybersecurity experience.

  Other Courses People Have Taken

Courses that are Pre-reqs:

  • Essential cybersecurity experience (through courses equivalent to ICS410, SEC401, relevant work experience)

  What You Will Receive
  • This course provides the student with a fully functioning CYBATIWorks Mini-Kit
  • The ICS515 kit includes a Raspberry Pi with PiFace Digital, Snap-Circuit components, wireless and magnetic I/O, USB cables (with volt/amp meter), memory, and a virtual machine with OPC, HMI, PLC, RTU, I/O, industrial protocols, and commercial control system demonstration software from Rex Controls and PeakHMI
  • This course also makes use of numerous virtual machine environments throughout the hands-on labs.
  You Will Be Able To
  • Participants will gain hands-on experience with the following tools:
    • CYBATIWorks Kit and Virtual Machine with PeakHMI
    • Snort and Bro for tailoring and tuning Intrusion Detection System rules
    • Wireshark and TCPDump for network traffic capturing and packet analysis
    • FTK Imager and MD5Deep for forensic data acquisition and validation
    • OpenIOC and YARA for developing Indicators of Compromise
    • Xplico and NetworkMiner for network flow and data analysis
  Hands-on Training
  • Lab: CYBATI Kit Setup
  • Lab: Pattern and Information Mapping
  • Lab: ICS Honeypot
  • Lab: Consuming Threat Intelligence
  • Lab: Asset Discovery and Network Visualization
  • Lab: Collecting the Right Data
  • Lab: Detecting the Bad Data
  • Lab: Analyzing and Responding
  • Lab: Acquisition and Verification
  • Lab: Indicators in Action
  • Lab: Capturing the Malware
  • Lab: Dynamic Malware Analysis
  • Lab: Neutralizing Malware Callbacks
  • Lab: IoC Development
  • Lab: Targeted Attack Identification
  • Day 5 is an entire day working through hands-on activities

Author Statement

In taking this course you will leave with the skills to identify and understand your networked infrastructure, monitor it for advanced threats, quickly respond to identified threats while keeping operations running, and extract lessons learned from interactions with the adversary to incorporate in your team's defense efforts or share with others in the form of threat intelligence. - Robert M. Lee