
SANSFIRE 2020

Washington, DC | Sat, Jun 13 - Sat, Jun 20, 2020

SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

Mon, June 15 - Sat, June 20, 2020

The methodologies in this course are imperative for industry success!

Jayce Hill, Oracle

Good, grounded definitions of the meaning and value of purple teaming.

Alex Holding, Leonardo MW

You just got hired to help our virtual organization "SYNCTECHLABS" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service... We're not even sure where to start!"

Cyber threats are on the rise: ransomware tactics are affecting small, medium, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.

Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: "How do I prevent or detect this type of attack?" Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.

Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization "SYNCTECHLABS" in section one exercises.

In sections two, three, four and five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:

  • Leveraging MITRE ATT&CK as a "common language" in the organization
  • Building your own Cuckoo sandbox solution to analyze payloads
  • Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
  • Stopping 0-day exploits using ExploitGuard and application whitelisting
  • Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
  • Detecting and preventing malware persistence
  • Leveraging the Elastic stack as a central log analysis solution
  • Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
  • Blocking and detecting command and control through network traffic analysis
  • Leveraging threat intelligence to improve your security posture

SEC599 will finish with a bang. During the Defend-the-Flag challenge in the final course section, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?

Course Syllabus


Erik Van Buggenhout
Mon Jun 15th, 2020
9:00 AM - 5:00 PM

Overview

Our six-part journey starts with an analysis of recent attacks through in-depth case studies. We will explain what's happening in real situations and introduce the Cyber Kill Chain and MITRE ATT&CK framework as a structured approach to describing adversary tactics and techniques. We will also explain what purple teaming is, typical tools associated with it, and how it can be best organized in your organization. In order to understand how attacks work, students will also compromise our virtual organization "SYNCTECHLABS" during section one exercises.

Exercises
  • One click is all it takes...
  • Hardening our domain using SCT and STIG
  • Kibana, ATT&CK Navigator, and FlightSim
  • Automated reconnaissance using SpiderFoot

CPE/CMU Credits: 6

Topics
  • Course Outline and Lab Setup
    • Course objectives and lab environment
    • What's happening out there?
    • Introducing SYNCTECHLABS
    • Exercise: One click is all it takes...
  • Adversary Emulation and the Purple Team
    • Introducing the extended Kill Chain
    • What is the purple team?
    • MITRE ATT&CK framework and "purple tools"
    • Key controls for prevention and detection
    • Exercise: Hardening our domain using SCT and STIG
    • Building a detection stack
    • Exercise: Kibana, ATT&CK Navigator, and FlightSim
  • Reconnaissance
    • Reconnaissance - Getting to know the target
    • Exercise: Automated reconnaissance using SpiderFoot

Erik Van Buggenhout
Tue Jun 16th, 2020
9:00 AM - 5:00 PM

Overview

Section 2 will cover how the attacker attempts to deliver and execute payloads in the organization. We will first cover adversary techniques (e.g., creation of malicious executables and scripts), then focus on how both payload delivery (e.g., phishing mails) and execution (e.g., double-clicking of the attachment) can be hindered. We will also introduce YARA as a common payload description language and SIGMA as a vendor-agnostic use-case description language.

Exercises
  • Stopping NTLMv2 sniffing and relay attacks in Windows
  • Building a Sandbox using Cuckoo and YARA
  • Configuring AppLocker
  • Controlling script execution in the enterprise
  • Detection with Script Block Logging, Sysmon, and SIGMA
  • Preventing payload execution using ProcFilter

CPE/CMU Credits: 6

Topics
  • Common Delivery Mechanisms
  • Hindering Payload Delivery
    • Removable media and network (NAC, MDM, etc.) controls
    • Exercise: Stopping NTLMv2 sniffing and relay attacks in Windows
    • Mail controls, web proxies, and malware sandboxing
    • YARA - A common payload description language
    • Exercise: Building a Sandbox using Cuckoo and YARA
  • Preventing Payload Execution
    • Initial execution - Application whitelisting
    • Exercise: Configuring AppLocker
    • Initial execution - Visual Basic, JS, HTA, and PowerShell
    • Exercise: Controlling script execution in the enterprise
    • Initial execution - How to detect?
    • Exercise: Detection with Script Block Logging, Sysmon, and SIGMA
    • Operationalizing YARA rules - Introducing ProcFilter
    • Exercise: Preventing payload execution using ProcFilter

Erik Van Buggenhout
Wed Jun 17th, 2020
9:00 AM - 5:00 PM

Overview

Section 3 will first explain how exploitation can be prevented or detected. We will show how security should be an integral part of the software development lifecycle and how this can help prevent the creation of vulnerable software. We will also explain how patch management fits in the overall picture.

Next, we will zoom in on exploit mitigation techniques, both at compile-time (e.g., ControlFlowGuard) and at run-time (ExploitGuard). We will provide an in-depth explanation of what the different exploit mitigation techniques (attempt to) cover and how effective they are. We'll then turn to a discussion of typical persistence strategies and how they can be detected using Autoruns and OSQuery. Finally, we will illustrate how command and control channels are being set up and what controls are available to the defender for detection and prevention.

Exercises
  • Exploit mitigation using Compile-Time Controls
  • Exploit mitigation using ExploitGuard
  • Catching persistence using Autoruns and OSQuery
  • Detecting command and control channels using Suricata, JA3 and RITA

CPE/CMU Credits: 6

Topics
  • Protecting Applications from Exploitation
    • Software development lifecycle (SDL) and threat modeling
    • Patch management
    • Exploit mitigation techniques
    • Exercise: Exploit mitigation using Compile-Time Controls
    • Exploit mitigation techniques - ExploitGuard, EMET, and others
    • Exercise: Exploit mitigation using ExploitGuard
  • Avoiding Installation
    • Typical persistence strategies
    • How do adversaries achieve persistence?
    • Exercise: Catching persistence using Autoruns and OSQuery
  • Foiling Command and Control
    • Detecting command and control channels
    • Exercise: Detecting command and control channels using Suricata, JA3, and RITA

Erik Van Buggenhout
Thu Jun 18th, 2020
9:00 AM - 5:00 PM

Overview

Section 4 will focus on how adversaries move laterally throughout an environment. A key focus will be on Active Directory (AD) structures and protocols (local credential stealing, NTLMv2, Kerberos, etc.). We will discuss common attack strategies, including Windows privilege escalation, UAC bypasses, (Over-) Pass-the-Hash, Kerberoasting, Silver Tickets, and others. We'll also cover how BloodHound can be used to develop attack paths through the AD environment. Finally, we will discuss how lateral movement can be identified in the environment and how cyber deception can be used to catch intruders red-handed!

Exercises
  • Implementing LAPS
  • Local Windows privilege escalation techniques
  • Hardening Windows against credential compromise
  • Mapping attack paths using BloodHound
  • Kerberos attack strategies
  • Detecting lateral movement in AD

CPE/CMU Credits: 6

Topics
  • Protecting Administrative Access
    • Active Directory security concepts
    • Principle of least privilege and UAC
    • Exercise: Implementing LAPS
    • Privilege escalation techniques in Windows
    • Exercise: Local Windows privilege escalation techniques
  • Key Attack Strategies against AD
    • Abusing local admin privileges to steal more credentials
    • Exercise: Hardening Windows against credential compromise
    • BloodHound - Mapping out AD attack paths
    • Exercise: Mapping attack paths using BloodHound
    • Kerberos attacks: Kerberoasting, Silver tickets, Over-PtH
    • Exercise: Kerberos attack strategies
  • How Can We Detect Lateral Movement?
    • Key logs to detect lateral movement in AD
    • Deception - Tricking the adversary
    • Exercise: Detecting lateral movement in AD

Erik Van Buggenhout
Fri Jun 19th, 2020
9:00 AM - 5:00 PM

Overview

Section five focuses on stopping the adversary during the final stages of the attack:

  • How does the adversary obtain "domain dominance" status? This includes the use of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync and DCShadow.
  • How can data exfiltration be detected and stopped?
  • How can threat intelligence aid defenders in the Cyber Kill Chain?
  • How can defenders perform effective incident response?

As always, theoretical concepts will be illustrated during the different exercises performed throughout the day.

Exercises
  • Domain dominance
  • Detecting data exfiltration
  • Leveraging threat intelligence with MISP and Loki
  • Hunting your environment using OSQuery
  • Finding malware using Volatility and YarGen

CPE/CMU Credits: 6

Topics
  • Domain Dominance
    • Dominating the AD - Basic strategies
    • Golden Ticket, Skeleton Key, DCSync, and DCShadow
    • Detecting domain dominance
    • Exercise: Domain dominance
  • Data Exfiltration
    • Common exfiltration strategies
    • Exercise: Detecting data exfiltration
  • Leveraging Threat Intelligence
    • Defining threat intelligence
    • Exercise: Leveraging threat intelligence with MISP and Loki
  • Threat Hunting and Incident Response
    • Proactive threat hunting strategies
    • Exercise: Hunting your environment using OSQuery
    • Incident response process
    • Exercise: Finding malware using Volatility and YarGen

Erik Van Buggenhout
Sat Jun 20th, 2020
9:00 AM - 5:00 PM

Overview

The course culminates in a team-based Defend-the-Flag competition. Section six is a full chapter of hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber security controls promoted all week long. This challenging exercise will reinforce key principles in a fun, hands-on, team-based challenge.

Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SMEs are available to support every OnDemand student's experience.

CPE/CMU Credits: 6

Topics
  • Applying Previously Covered Security Controls In-depth
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Action on Objectives

Additional Information

As the course leverages the SANS OnDemand platform, the labs will be browser-based. The sections below outline the key requirements for optimal lab experiences.

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Windows 7, 8.1, or 10
  • MacOS Mavericks, Yosemite, El Capitan, or Sierra
  • Linux-based distributions could work, but this will depend on your exact distribution
  • For troubleshooting reasons, please ensure you have local administrator privileges on your laptop

Browser

An up-to-date version of the following browser families is supported:

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

Hardware

  • x86- or x64-compatible CPU, 2.0 GHz or faster
  • 4 GB RAM minimum with 8 GB or higher recommended
  • A wireless network adapter
  • 10 GB available hard-drive space

During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security architects and security engineers who want to better understand how the defenses they put in place make an impact on adversary operations
  • Red teamers and penetration testers who want to better understand how blue team techniques could stop their attacks
  • Technical security managers who want to understand what security controls should be prioritized
  • Security Operations Center analysts and engineers who want to better understand how they can detect adversary techniques
  • Individuals looking to better understand how persistent cyber adversaries operate and how the IT environment can be improved to better prevent, detect, and respond to incidents

  • Experience with Linux and Windows from the command line (including PowerShell)
  • Familiarity with Windows Active Directory concepts
  • A baseline understanding of cyber security topics
  • A solid understanding of TCP/IP and networking concepts

  • MP3 audio files of the complete course lecture
  • 32GB USB 3.0 stick that includes:
    • Virtual machines for training
    • Course workbook
    • Download link to the target VMs

  • Understand how recent high-profile attacks were delivered and how they could have been stopped
  • Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

SEC599 leverages SANS OnDemand systems, where attendees will be able to complete the 20+ labs in the course in a full-fledged browser environment. This eliminates possible issues with student laptops and increases time spent on actually learning security topics, not configuring virtual machines. The student VMs are provided to allow students to continue learning at home!

Examples of the practical labs and exercises you will complete in this course will enable you to:

  • Use MITRE ATT&CK Navigator to assess different techniques
  • Leverage MITRE ATT&CK as a "common language" in the organization
  • Build your own Cuckoo sandbox solution to analyze payloads
  • Develop effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlight key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
  • Stop 0-day exploits using ExploitGuard and application whitelisting
  • Highlight key bypass strategies in application whitelisting (focus on AppLocker)
  • Detect and avoid malware persistence using Autoruns and OSQuery
  • Leverage the Elastic stack as a central log analysis solution
  • Detect and prevent lateral movement through Sysmon, Windows event monitoring, and group policies
  • Block and detect command and control through network traffic analysis using Suricata, Zeek, and RITA
  • Leverage threat intelligence to improve your security posture using MISP, Loki, and Volatility

Author Statement

"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in my classes were not actually penetration testers or those who would be writing zero-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."

-- Stephen Sims

"During my InfoSec career, I focused on penetration testing for the first five years, then shifted my focus more and more to the world of incident response. That's when I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries' attacking moves.

"SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish.

"Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I'm very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-the-Flag' exercise on Day 6."

-- Erik Van Buggenhout