Secure Asia Pacific 2021

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at www.vmware.com.

Windows

You are required to bring the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

We will give you a USB full of tools to use during the class (which is yours to keep). We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

• x86- or x64-compatible 2.0 GHz CPU minimum or higher
• An available USB port with the ability to read an ExFat format.
• 8 GB or higher recommended
• Ethernet adapter: Students attending a live class will require a wired connection. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you
• 60 GB available hard drive space

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Security professionals who benefit from automating routine tasks so they can focus on what's most important
• Forensic analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
• Network defenders who sift through mountains of logs and packets to find evil-doers in their networks
• Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
• Security professionals who want to evolve from security tool consumer to security solution provider

A basic understanding of any programming or scripting language is highly recommended but not required for this course. SEC573 starts with the most basic fundamentals of Python programming. There is no aspect of programming or Python that must be understood before attending this course. The lab environment is self-paced and this allows students who have had some experience coding advance more quickly than those who have not. You are provided a Virtual Machine that gives you the ability to complete the labs that are in your course book after the live course or your OnDemand access has finished.

Other Courses People Have Taken

Courses that lead in to SEC573:

• SEC504
• SEC560
• SEC660
• SEC542
• SEC642
• SEC503
• SEC401

Courses that are good follow-ups to SEC573:

• SEC560
• SEC660
• SEC542
• SEC642
• SEC555
• SEC511

• A USB containing a virtual machine filled with sample code and working examples
• MP3 audio files of the complete course lecture

• Modify existing open-source tools to customize them to meet the needs of your organization.
• Manipulate log file formats to make them compatible with various log collectors.
• Write new tools to analyze log files and network packets to identify attackers in your environment.
• Develop tools that extract otherwise inaccessible forensic artifacts from computer systems of all types.
• Automate the collection of intelligence information to augment your security from online resources.
• Automate the extraction of signs of compromise and other forensics data from the Windows Registry and other databases.
• Write a backdoor that uses exception handling, sockets, process execution, and encryption to provide you with your initial foothold in a target environment. The backdoor will include features such as a port scanner to find an open outbound port, techniques for evading antivirus software and network monitoring, and the ability to embed a payload from tools such as Metasploit.

• The Python Essentials Workshop labs include work on variables, functions, modules, if/elif/else, for, while, list, dictionaries, sets, and more.
• The pyWars labs constitute a self-paced lab environment that allows students to work through labs and exercise at their own pace. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications, and more.
• Practical application labs: The application of coding concept is applied to build tools for defenders, forensicators, and penetration testers. The labs cover parsing log files to identify hackers, long-tail/short-tail analysis of logs, capturing and parsing network packets, carving forensics artifacts from binary data, retrieving SQL data, interacting with websites, process execution, exception handling, synchronous and asynchronous network communications, and more. The Python modules and concepts covered in these labs include File Operations, Python Sets, Regular Expressions, gzip, collections module, freq.py, Geolite, scapy, reassembler.py, struct, sockets, select, Python Objects, argument packing and unpacking, sqlite3, urllib, urllib2, cookielib, requests, StringIO, and more.
• Capture-the-Flag Challenge: Test your ability to apply your new tools and coding skills.