San Antonio 2015

San Antonio, TX | Mon, Aug 17 - Sat, Aug 22, 2015
 

ICS515: ICS Active Defense and Incident Response

ICS515 raised my awareness of incidents affecting ICS today and broadened my knowledge of techniques and tools to manage them effectively.
Steven Romero, WGMI (Wood Group Engineering)

This course is the missing piece to get companies to take threats seriously, pursue the truth, and share their findings.
Rob Cantu, DOE

ICS Active Defense and Incident Response training from SANS. This course will empower students with the ability to understand their networked industrial control system (ICS) environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats is known as "active defense". It is the approach needed to appropriately counter advanced adversaries targeting ICS, as has been seen with malware such as Stuxnet, HAVEX, and BlackEnergy2. Students can expect to come out of this course fully understanding and able to deconstruct targeted ICS attacks, with a focus on delivery methods and observable attributes. This knowledge demystifies adversary capabilities and gives actionable recommendations to defenders. The course uses a hands-on approach that shows real-world malware and breaks down cyber attacks on ICS from start to finish. Students will gain a practical and technical understanding of concepts such as generating and using threat intelligence, performing network security monitoring, and executing threat triage and incident response to ensure the safety and reliability of operations. The strategy presented in the course serves as a basis for ICS organizations looking to show that defense is do-able.

You Will Learn

  • How threat intelligence is generated and how to use what is available in the community to support ICS environments. The analysis skills you learn will enable you to critically analyze and apply information from threat intelligence reports on a daily basis.
  • How to identify ICS assets and their network topologies and how to monitor ICS hotspots for abnormalities and threats. Methodologies such as network security monitoring and approaches to reducing the control system threat landscape will be introduced and reinforced through hands-on labs.
  • How to safely and properly respond to an incident internally. You will learn how to identify device malfunctions from cyber threats and prepare and use sources of forensic data that can benefit incident response. You will also break down ICS malware to understand various delivery techniques and observable behaviors.
  • How to operate through an attack and gain the information necessary to instruct teams and decision-makers on when operations must shut down, or if it is safe to respond to the threat and continue operations. We will use threat and malware analysis techniques that are effective even for undermanned operational technology (OT) security teams.
  • Through a full-day of hands-on labs, you will reinforce the concepts and skills of active defense: threat intelligence, asset identification and network security monitoring, incident response, and threat and environment manipulation. We will stress the ongoing and dynamic nature of the process and how teams can work together to ensure the safety and reliability of control system networks.

Course Syllabus
ICS515.1: Threat Intelligence
Instructor: Robert M. Lee | Mon, Aug 17, 2015 | 9:00 AM - 5:00 PM
Overview

Takeaway: Today you will learn how threat intelligence is generated and how to critically analyze reports to determine what is and is not useful for ICS security. These analytical skills are useful in day-to-day operations and will enable you to approach problems in new and unique ways. We will set up the CYBATI Kit, review threat intelligence reports, and discover information available to adversaries about your ICS so that you can better prioritize network defenses.

CPE/CMU Credits: 6

Topics
  • Case Study: HAVEX
  • Introduction to Active Defense and Incident Response
  • Lab: CYBATI Kit Setup
  • Intelligence Life Cycle and Threat Intelligence
  • ICS Information Attack Surface
  • Lab: Pattern and Information Mapping
  • External Threat Intelligence
  • Internal Threat Intelligence
  • Lab: ICS Honeypot and Analysis of Competing Hypotheses
  • Sharing and Consuming Threat Intelligence
  • Lab: Consuming Threat Intelligence
 
ICS515.2: Asset Identification and Network Security Monitoring
Instructor: Robert M. Lee | Tue, Aug 18, 2015 | 9:00 AM - 5:00 PM
Overview

Takeaway: Understanding the networked environment is the only way to fully defend it: you cannot defend what you do not know. This course section will teach you to use network tools to discover assets and visualize the network. This will then enable you to perform network security monitoring to identify threats to the ICS through the recognition of abnormalities and adversary tactics.

CPE/CMU Credits: 6

Topics
  • ICS Asset and Network Visibility
  • Lab: Asset Discovery and Network Visualization
  • Identifying and Reducing the Threat Landscape
  • ICS Network Security Monitoring - Collection
  • Lab: Collecting the Right Data
  • ICS Network Security Monitoring - Detection
  • Lab: Detecting the Bad Data
  • ICS Network Security Monitoring - Analysis
  • Lab: Analyzing and Responding
 
ICS515.3: Incident Response
Instructor: Robert M. Lee | Wed, Aug 19, 2015 | 9:00 AM - 5:00 PM
Overview

Takeaway: The ability to prepare for and perform incident response is vital to the safety and reliability of control systems. Incident response in the ICS environment is a young field with many challenges, but today you will learn effective tactics to collect and preserve quality forensic data. You will use this data to perform timely forensic analysis to verify that threats exist in the environment and make actionable recommendations to decision-makers.

CPE/CMU Credits: 6

Topics
  • Incident Response and Digital Forensics Overview
  • Incident Response Fundamentals
  • Building an ICS Incident Response Team
  • Preparing Ahead of Time
  • Lab: Acquisition and Verification Part 1
  • Sources of Forensic Data in ICS Networks
  • Remote and Local Systems
  • Lab: Acquisition and Verification Part 2
  • Time-Critical Incident Response
  • Lab: Indicators in Action
  • Maintaining and Restoring Operations
  • Lab: Capturing the Malware
 
ICS515.4: Threat and Environment Manipulation
Instructor: Robert M. Lee | Thu, Aug 20, 2015 | 9:00 AM - 5:00 PM
Overview

Takeaway: Understanding the threat is key to discovering its capabilities and its potential impact on the ICS. This information is also critical to making network changes for the purpose of security and to sharing threat data both inside and outside the organization. Today you will learn how to analyze initial attack vectors such as spearphishing emails, perform malware analysis using memory forensics and dynamic malware analysis, and share threat data.

CPE/CMU Credits: 6

Topics
  • ICS Threat and Environment Manipulation Goals and Considerations
  • Establishing a Safe Working Environment
  • Initial Attack Vectors
  • Lab: Spearphishing Analysis
  • Memory Forensics
  • Lab: Memory Forensics
  • Malware Analysis Methodologies
  • ICS Malware Analysis Essentials
  • Lab: Dynamic Malware Analysis
  • Indicators of Compromise
  • Lab: Indicators of Compromise Development
  • Uncovering Ongoing Campaigns
  • Environment Manipulation and Lessons Learned
 
ICS515.5: Active Defense and Incident Response Challenge
Instructor: Robert M. Lee | Fri, Aug 21, 2015 | 9:00 AM - 5:00 PM
Overview

Takeaway: Today focuses on reinforcing the strategy, methodologies, and skillsets that were introduced through the first four days of the course. This entirely hands-on session will present you with two scenarios to demonstrate different types of threats that affect ICS operations and will challenge you to respond to them appropriately.

CPE/CMU Credits: 6

Topics
  • Scenario One will present data from a complex ICS environment and require you to:
    • Map the environment
    • Perform network security monitoring to identify abnormalities
    • Identify the adversary's capability in the network data and on the HMI
    • Analyze the malicious capability
  • Scenario Two will present a real-world advanced persistent threat capability and challenge you to:
    • Analyze abnormal data in network captures
    • Perform forensic techniques on incident response captures
    • Identify the malicious capability and its functionality
    • Seek out and utilize threat intelligence to understand the adversary campaign
 
Additional Information
 
  Testimonials

"Awesome!! This course being my 6th SANS course, Robert Lee demonstrated and reiterated the fact that SANS has the world's best instructors!!" - Srinath Kannan, Accenture

"This course covered quite a few topics that showed an attack from start to finish. I liked it because most other classes only show specific steps, not the whole picture." - Anonymous

 
  Laptop Required

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

  • 64-bit system
  • Laptop with Windows 7 or Windows 8.1 installed on the host or in a Virtual Machine
  • Laptop with at least two USB ports
  • Latest VMware Player (7 or higher), VMware Workstation (11 or higher), or VMware Fusion installed
  • Ability to disable all security software on your laptop, including antivirus and/or firewalls
  • At least 100 GB of hard-drive space
  • At least 6 GB of RAM (8 GB recommended)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Information Technology and Operational Technology (IT and OT) Cybersecurity Personnel
  • IT and OT Support Personnel
  • ICS Incident Responders
  • ICS Engineers
  • Security Operations Center Personnel
 
  Prerequisites

Students from various technical backgrounds will do well in this course. Command line experience will be helpful, as well as having taken SANS SEC401 or ICS410, or equivalent essential cybersecurity experience.

 
  Other Courses People Have Taken

  • Courses that lead-in to ICS515:
  • Courses that are prerequisites for ICS515:
    • Essential cybersecurity experience and fundamental control system knowledge (through courses equivalent to ICS410, SEC401, or relevant work experience)
  • Courses that are good follow-ups to ICS515:

 
  What You Will Receive

A fully functioning ICS515 CYBATIWorks Mini-Kit that students keep after the class. The kit includes a Raspberry Pi that functions as a PLC, physical components and attachments for I/O, a virtual machine with commercial control system demonstration software from Rex Controls and PeakHMI, and industrial protocols and software including OPC, Modbus/TCP, DNP3, and more.

 
  You Will Be Able To
  • Use the skills gained from hands-on experience with the following tools:
    • CYBATIWorks Kit and Virtual Machine with PeakHMI
    • Wireshark and TCPDump for network traffic capturing and packet analysis
    • Snort for tailoring and tuning Intrusion Detection System rules
    • Mandiant's Redline and FTK Imager for forensic data acquisition and validation
    • OpenIOC and YARA for developing Indicators of Compromise
    • Xplico and NetworkMiner for network flow and data analysis
    • Volatility and Foremost for fundamental malware analysis skills
    • Command line tools for analyzing spearphishing emails
 
  Hands-on Training
  • Lab: CYBATI Kit Setup
  • Lab: Pattern and Information Mapping
  • Lab: ICS Honeypot and Analysis of Competing Hypotheses
  • Lab: Consuming Threat Intelligence
  • Lab: Asset Discovery and Network Visualization
  • Lab: Collecting the Right Data
  • Lab: Detecting the Bad Data
  • Lab: Analyzing and Responding
  • Lab: Acquisition and Verification Part 1
  • Lab: Acquisition and Verification Part 2
  • Lab: Capturing the Malware
  • Lab: Indicators in Action
  • Lab: Spearphishing Analysis
  • Lab: Memory Forensics
  • Lab: Dynamic Malware Analysis
  • Lab: Indicators of Compromise Development
  • All of day five is spent working through hands-on activities
 

Author Statement

"This class was developed from my experiences in the U.S. intelligence community and within the control system community dealing with advanced adversaries targeting industrial control systems. It is the class I wish I had had available to me while protecting infrastructure against these adversaries. It is exactly what you'll need to maintain secure and reliable operations in the face of determined threats. ICS515 will empower you to prove that defense is do-able."

- Robert M. Lee