Associated Certification: GIAC Certified Incident Handler (GCIH)
The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the hundreds to thousands of daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential that we understand these hacking tools and techniques.
This course will enable you to turn the tables on computer attackers by helping you understand their tactics and strategies, providing you with hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process to respond to computer incidents and a detailed description of how attackers undermine systems so you can prevent, detect, and respond to them. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. Applying these skills in your own organization will enable you to discover the flaws in your system before the bad guys do!
The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to thwart attacks.
If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.
We are often asked the differences between SEC504 and SEC560, and what is covered in each course. Please see our FAQ to further clarify the course details.
Responding to an incident of any size is a complex task. Effective response requires careful consideration and input from several stakeholders, including business and information security concerns. With new vulnerabilities being discovered on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents such as fires, floods, and crime all require a solid incident handling approach to getting systems and services back online as quickly and securely as possible.
The course starts by examining the key components of both incident response and digital investigations. Informed by several incidents, we consider the goals and outcomes that are important to both business operations and security. The dynamic approach put forth can be applied to the specific needs of an individual business and incident. We then shift to more practical matters, examining issues surrounding live systems and identifying abnormal activity. Continuing the practical focus, we look at investigative techniques for examining evidence from the network and memory. We also cover techniques to determine if an unknown program is malicious, and if so, what footprints are left behind.
CPE/CMU Credits: 8
Incident Response
Digital Investigations
Live Examination
Digital Evidence
Network Investigations
Memory Investigations
Malware Investigations
Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage and open-source intelligence, attackers conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and turnkey platforms, or vulnerable Wi-Fi and proprietary wireless systems. Attackers will also leverage detailed scanning and interrogation of complex Windows Active Directory domains, identifying and manipulating configuration policies to their significant advantage.
This course section covers the details associated with the beginning phases of many cyber attacks. We will introduce important frameworks for understanding the tools, techniques, and practices of modern attackers through the MITRE ATT&CK Framework, using it as a starting point to investigate the pre-attack steps attackers employ. We will leverage local and cloud-based tools to conduct effective reconnaissance of a target organization, identifying the information disclosure that will reveal weaknesses for initial compromise. We'll then take a deep dive into scanning techniques, both from a network perspective and with a focus on the complexities of modern Windows Active Directory forests to map out an attack plan that will grant an attacker privileged access. We will also spotlight defensive techniques using free and open-source tools that provide you with a competitive advantage to detect attacks on your organization.
CPE/CMU Credits: 6
Introducing the MITRE ATT&CK Framework
Reconnaissance
Scanning
Enumerating Windows Active Directory Targets
Defense Spotlight: DeepBlueCLI
Any attacker will tell you the same thing: Password compromise is better than exploit compromise. Not only is system access through a valid username and password more reliable than exploits, but using authenticated credentials also blends into normal system use, creating fewer logs and system anomalies that could lead to detection. Because these attacks are so prevalent, we dig into password-based attacks in significant detail, equipping you with the tools to test your systems with the same skill and technique as the sophisticated adversaries you must defend against.
This course day starts with straightforward password guessing attacks, quickly investigating the techniques attackers employ to make this an effective process that bypasses defense systems such as account lockout. We will investigate the critical topics of creating effective password guessing lists from other network compromises, and how attackers leverage user password reuse against your organization. We'll dig into the algorithms behind password hashing, using several tools to recover plaintext passwords while optimizing the cracking process to complete in days, not years. We will also get a jump-start on understanding essential network attack topics through the use of easy backdoors, forward and reverse shells, and discreet data transfer within the organization, all through an unassuming system binary. We will also investigate defensive measures that you can immediately apply when you get back to work, including the use of the Domain Password Audit Tool (DPAT) and Elastic Stack (formerly ELK) tools for monitoring authentication logs in your organization.
CPE/CMU Credits: 6
Password Attacks
Defense Spotlight: Log Analysis with Elastic Stack (formerly ELK)
Understanding Password Hashes
Password Cracking Attacks
Defense Spotlight: Domain Password Auditing
Netcat: The Attacker's Best Friend
Public-facing and drive-by attacks represent significant risk areas for organizations, and they are a popular attack vector for adversaries targeting your organization. Public-facing targets such as web applications, VPN servers, email systems, and other supporting protocols are quickly identified by an adversary and assessed for vulnerabilities. In drive-by attacks, adversaries compromise and leverage the trust inherent to third-party websites to trick users into taking actions that render their systems vulnerable.
This course section examines the hacker tools for compromising your exposed systems through exploit frameworks such as Metasploit. We also dig into the concepts and techniques behind drive-by and watering-hole attacks, and how attackers create the exploits and system-compromise tools through malicious installers, browser JavaScript, and malicious Microsoft Office documents. We'll examine the attacks specific to web applications in an organization, both from the perspective of the unauthenticated and the authenticated user, with practical exploit steps for the most popular web application vulnerabilities. In addition to examining the hacker tools, we'll also investigate several freely available and practical defense steps, including the use of the Windows SRUM database for historical system activity reporting, and the use of Elastic Stack (formerly ELK) tools for assessing web server logging data to identify signs of attack.
CPE/CMU Credits: 6
Using Metasploit for System Compromise
Drive-By and Watering Hole Attacks
Defense Spotlight: System Resource Usage Monitor (SRUM)
Web Application Attacks
Defense Spotlight: Effective Web Server Log Analysis
Rarely is it an attacker's goal to simply compromise a system. More often, the attacker's compromise is the initial step, followed by post-exploitation attacks to gain additional network access or to retrieve sensitive data within the organization. Along the way, attackers will also have to deal with defense controls designed to thwart their efforts, including endpoint protection, server lockdown, and restricted privilege environments.
This course section examines the attacker's steps after the initial compromise. We will dig into the techniques attackers use to implant malware after bypassing endpoint detection and response platforms, how they pivot through the network using third-party and built-in tools, and how they leverage the initial foothold on your network for internal network scanning and asset discovery. We will look at how the compromise of a single host grants attackers privileged network insider access that opens up a whole new field of attacks, and how they use that access wisely, covering their tracks on hosts and on the network to evade detection systems. We will also look at how attackers, with their initial access established, then access, collect, and exfiltrate data from compromised networks. We will finish the lecture component of the course with a look at where to go from here in your studies, examining resources and best practices to turn your new skills into permanent, long-term recall.
CPE/CMU Credits: 6
Endpoint Security Bypass
Pivoting and Lateral Movement
Privileged Insider Network Attacks
Covering Tracks
Defense Spotlight: Real Intelligence Threat Analytics (RITA)
Post-Exploitation Data Collection
Where To Go From Here
Over the years, the security industry has become smarter and more effective in stopping attackers. Unfortunately, attackers themselves are also getting smarter and more sophisticated. One of the most effective ways to stop an adversary is to actually test the environment with the same tools and tactics that the attacker will use against you. Our Capture-the-Flag event is a full day of hands-on activity in which you work as a consultant for a fictitious company that has recently been compromised. You will apply all of the skills you've learned in class, using the same techniques attackers use to compromise modern, sophisticated network environments. Working together as teams, small groups will scan, exploit, and complete post-exploitation tasks against a cyber range of target systems including Windows, Linux, Internet of Things, and cloud targets. This hands-on challenge is designed to help players practice their skills and reinforce concepts learned throughout the course while challenging each individual player in an environment that replicates modern networks. Powered by the NetWars engine, the event guides players to successfully compromise target systems, bypass endpoint protection platforms, pivot to internal network high-value hosts, and exfiltrate the data of greatest value to the target organization. The winners receive the coveted SEC504 challenge coin.
CPE/CMU Credits: 6
Hands-on Analysis
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
CPU
BIOS
RAM
Hard Drive Free Space
Operating System
Additional Software Requirements
VMware Player Install
Your course media will now be delivered via download. The media files for class can be large, some in the 40-50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speeds vary greatly and depend on many different factors, so it is not possible to give an estimate of how long it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
"SEC504 is a great class overall that is perfect for pen testers and defenders alike. It has greatly helped me understand how attackers think, how they gather information, and how they maintain and gain control of systems." - Evan Brunk, Acuity Insurance
Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.
"When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.
In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We'll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you'll be better prepared to identify attacks and protect your network from sophisticated adversaries."
-Joshua Wright
"Our instructor Josh was incredible! Engaging, enthusiastic, extremely knowledgeable (especially vim, WOW). His enthusiasm is contagious and really motivating to the material. Keep up the great work Josh!" - Jen F., US Federal Agency