Last Day to Get a Free GIAC Certification Attempt or Take $350 Off Online Training!


Washington, DC | Sat, Jun 11 - Sat, Jun 18, 2016
This event is over,
but there are more training opportunities.

SEC550: Active Defense, Offensive Countermeasures and Cyber Deception

Mon, June 13 - Fri, June 17, 2016

Lots of information and content to take in from SEC550, which is great. I wrote lots of notes to read, watch, learn, and investigate further.

Edwin Kwan, Tyro Payments

SEC550 is an invaluable course. It teaches you how to identify hackers, their methods, and how to boot them from your company.

DaWyone Haynes, TransAmerica

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. You may be able to immediately implement some of the measures we discuss in this course, while others may take a while. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, determine who is attacking you, and, finally, attack the attackers.

SEC550: Active Defense, Offensive Countermeasures and Cyber Deception is based on the Active Defense Harbinger Distribution live Linux environment funded by the Defense Advanced Research Projects Agency (DARPA). This virtual machine is built from the ground up for defenders to quickly implement Active Defenses in their environments. The course is very heavy with hands-on activities - we won't just talk about Active Defenses, we will work through labs that will enable you to quickly and easily implement what you learn in your own working environment.


You Will Learn:

  • How to force an attacker to take more moves to attack your network - moves that in turn may increase your ability to detect that attacker
  • How to gain better attribution as to who is attacking you and why
  • How to gain access to a bad guy's system
  • Most importantly, you will find out how to do the above legally


Course Syllabus

Bryce Galbraith
Mon Jun 13th, 2016
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Setup
  • Mourning Our Destiny, Leaving Youth and Childhood Behind
  • Bad Guy Defenses
  • Basics and Fundamentals (Or, Don't Get Owned Doing This)
  • Playing With Advanced Backdoors
  • Software Restriction Policies
  • Legal Issues
  • Venom and Poison

Bryce Galbraith
Tue Jun 14th, 2016
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • How to Connect to Evil Servers (Without Getting Shot)
  • Recon on Bad Servers and Bad People
  • Honeypots
  • Honeyports
  • Kippo
  • Deny Hosts
  • Artillery
  • More Evil Web Servers
  • Cryptolocked

Bryce Galbraith
Wed Jun 15th, 2016
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Dealing with TOR
  • Decloak
  • Word Web Bugs (Or Honeydocs)
  • More Evil Web Servers
  • Cryptolocked

Bryce Galbraith
Thu Jun 16th, 2016
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Nova
  • Infinitely Recursive Windows Directories
  • Web Application Street Fighting with BeEF!
  • Wireless and Brotherly Love
  • Evil Java Applications with SET
  • AV Bypass (for the Good Guys!)
  • Arming Word Documents
  • Python Injection
  • Ghostwriting
  • HoneyBadger
  • Let's Try to Trojan Some Java Applications

Bryce Galbraith
Fri Jun 17th, 2016
9:00 AM - 5:00 PM


Capture the Flag challenge that draws on what you have learned over the previous four days of the course.

CPE/CMU Credits: 6

Additional Information


To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network. It is the students' responsibility to make sure that the system is properly configured with all the drivers necessary to connect to an Ethernet network.

John Strand has created a video to help you walk through the setup requirements for the course. This short 10 minute video will help ensure your system is properly configured and ready for class.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 8 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), either a real system or a virtual machine. Professional versions only, Home versions will not work.

The course includes a VMware image file of a guest Linux system that is larger than 12 GB. Therefore, you need a file system with the ability to read and write files that are larger than 3 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

We also require that no enterprise group policies be applied to the system. These policies can and will interfere with our labs.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you are using a Macbook or Macbook Pro with OS X 10.8 or later, you will need VMWare Fusion 5.0 or later.

VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class.

We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • USB drive (not a CD drive)
  • 4 GB RAM or higher required
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • Wireless adapter
  • 40 GB available hard drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects
  • Basic understanding of Windows and Linux Command line
  • Basic TCP/IP understanding.
Other Courses People Have Taken

  • Courses that lead in to SEC550:
  • Courses that are good follow-ups to SEC550:

  • A fully functioning Active Defense Harbinger Distribution ready to deploy
  • Class books and a DVD with the necessary tools and the OCM virtual machine, which is a fully functional Linux system with the OCM tools installed and ready to go for the class and for the students' work environments.
  • Track bad guys with callback Word documents
  • Use Honeybadger to track web attackers
  • Block attackers from successfully attacking servers with honeyports
  • Block web attackers from automatically discovering pages and input fields
  • Understand the legal limits and restrictions of Active Defense
  • Obfuscate DNS entries
  • Create non-attributable Active Defense Servers
  • Combine geolocation with existing Java applications
  • Create online social media profiles for cyber deception
  • Easily create and deploy honeypots
  • Layers of defense for the bad guys
  • Software restrictions policies
  • Testing DLP systems
  • Testing command and control systems
  • OSFuscate
  • Fuzzing attacker tools for attacker-side DoS
  • Spidertrap to gunk up web crawlers
  • Thug for attack site research
  • for attack site research
  • Recon against bad people
  • Dionea
  • Honeyports from the command line
  • Kippo
  • Deny Hosts
  • Artillery
  • Weblabyrinth
  • Cryptolocked
  • Conpot for SCADA emulation
  • Decloking TOR actors
  • Word Web Bugs
  • Infinitely Recursive Directories for crashing malware
  • BeEF for the bad guys
  • Evil Java applications
  • AV bypass for the bad guys
  • Powercat
  • Ghostwriting
  • Honeybadger
  • Backdooring existing Java applications to track bad guys
  • Full-day Capture the Flag challenge

"Invaluable class for learning how to identify hackers and their methods and how to boot them from your company." - DaWyone Haynes, TransAmerica

"Real world, and blue teams need these types of tools and processes, not only will this help them defend but good for alerting-metrics." - Bryon Mangler, Mandiant

"Powerful tools were introduced. This class is a must for any IT professional let alone security teams." - William Yang, USPowergen

"This course is really what is missing right now, from the content perspective." - Bryon Mangler, Mandiant

Author Statement

I wrote this course to finally make defense fun, to finally add some confusion to the attackers, and to change the way we all look at defense. One of the most frequent questions I get is why offensive countermeasures are so important. Many people tell me that we cannot ignore patching, firewalls, policies, and other security management techniques. I cannot agree more. The techniques presented in this course are intended for organizations that have gone through the process of doing things correctly and want to go further. Get your house in order, and then play. Of course, there will be challenges for anyone trying to implement offensive countermeasures in their organization. However, they can all be faced and overcome.

- John Strand