Due to high demand for Security training at SANS Security West 2018, the following courses will take place at the Marriott Marquis San Diego Marina: SEC503, SEC505, SEC542, MGT414, MGT512, and MGT517. The hotel neighbors the Manchester Grand Hyatt and is accessible from both Harbor Drive and the Bayfront. Courseware Distribution and Event Check-In for these six courses will take place at the Marriott Marquis San Diego on: Thursday, May 10 from 5:00 p.m. to 7:00 p.m. and Friday, May 11 from 7:00 a.m. to 9:00 a.m. Badge and Courseware Distribution for these classes will only be available at the Marriott Marquis San Diego Marina. We are hosting the "Welcome to SANS Talk" on the morning of Friday, May 11 at each venue but all additional SANS@Night presentations will take place at the Manchester Grand Hyatt. Please check the schedule tab for the bonus sessions. We thank you in advance for your understanding.
Highly recommended. SEC573 truly gives you the power to forensicate at scale - or hunt adversaries.
SEC573 is a course every cyber analyst needs! The instruction and course material are the best I have seen in the 500+ hours of training I have received.
All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common. CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.
Maybe your chosen operating system has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access them. Often, for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence, or hope that someone creates a tool before the case goes cold... or you can write a tool yourself.
Or, perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.
Or, as a penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.
Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language designed to make it quick and easy to automate the tasks security professionals perform. Whether you are new to coding or have been coding for years, SANS SEC573 Automating Information Security with Python will have you creating programs that make your job easier and make you more efficient. This self-paced class starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to accelerate quickly to the more advanced material in the class. The self-paced style of the class meets you where you are so you can get the most out of it. Beyond the essentials, we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object-oriented coding and more.
This course is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you in automating the daily routine of today's information security professional, achieving more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.
You Will Learn:
The course begins with a brief introduction to Python and the pyWars capture the flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture The Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including:
CPE/CMU Credits: 6
You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and tricks to make you a better Python programmer and on how to debug your code. Day two includes topics such as:
CPE/CMU Credits: 6
Day 3-5 Automating Information Security: The next three days are focused on expanding your Python skills, leveraging modules and performing important operations used by all information security professionals. You will learn about file operations, log analysis, database operations, low-level network operations such as raw sockets and packet parsing, high-level network operations such as HTTP and authentication, object-oriented coding, regular expressions, subprocess execution and automation, and much more. We demonstrate that these skills are common to every security profession and useful to everyone, regardless of your discipline, by giving each of the three days its own theme.
Day three includes in-depth coverage of how defenders can use Python automation as we cover Python modules and techniques that everyone can use. Forensicators and offensive security professionals will also learn essential skills they will apply to their craft. We will play the role of a network defender who needs to find the attackers on their network. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltrate your data. Day 3 topics include:
CPE/CMU Credits: 6
On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find the data of interest in them, and extract that data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations, such as SQL databases, and for interacting with web pages. Day 4 subjects include:
CPE/CMU Credits: 6
On day five we play the role of a penetration tester whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for incident response or systems administration, but our focus will be on offensive operations. Today's subjects include:
CPE/CMU Credits: 6
In this final section you will be placed on a team with other students. Working as a team, you will apply the skills you have mastered in a series of programming challenges. Participants will exercise the skills and code they have developed over the previous five days as they exploit vulnerable systems, break encryption ciphers, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!
CPE/CMU Credits: 6
Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMware products are available at www.vmware.com.
Windows
You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.
IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.
The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
VMware
You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free at https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.
Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.
Linux
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.
Mandatory Laptop Hardware Requirements
During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
A basic understanding of any programming or scripting language is highly recommended but not required for this class.
The Python Essentials Workshop labs - Variables, functions, modules, if/elif/else, for, while, list, dictionaries, sets and more
pyWars labs - An online programming competition that runs the first five days of class, with additional hands-on labs for beginners and expert challenges. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications and more.
Practical application labs - Coding concepts are applied to build tools for defenders, forensicators and penetration testers. The labs cover parsing log files to identify hackers, long tail/short tail analysis of logs, capturing and parsing network packets, carving forensics artifacts from binary data, retrieving SQL data, interacting with websites, process execution, exception handling, synchronous and asynchronous network communications and more. The Python modules and concepts covered in these labs include: file operations, Python sets, regular expressions, gzip, the collections module, freq.py, Geolite, scapy, reassembler.py, struct, sockets, select, Python objects, argument packing and unpacking, sqlite3, urllib, urllib2, cookielib, requests, StringIO, and more.
Capture the flag - Test your ability to apply your new tools and coding skills
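The lab list above names "parsing log files to identify hackers" and "long tail/short tail analysis of logs" as defender techniques built with regular expressions and the collections module. The following is an added example written for this page, not one of the course's own labs or tools: it parses a few constructed web-server log lines in combined format, counts a chosen field, and splits the result into the long tail (the frequent, normal values that form a baseline) and the short tail (the rare values an analyst should look at first). The log lines, addresses and user agents are constructed sample data, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample web-server log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2018:09:01:12 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/May/2018:09:01:15 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2018:09:02:01 -0700] "GET /about.html HTTP/1.1" 200 734 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2018:09:02:30 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2018:09:03:44 -0700] "GET /admin.php HTTP/1.1" 404 0 "-" "curl/7.58.0"
10.0.0.8 - - [10/May/2018:09:04:02 -0700] "GET /about.html HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2018:09:04:10 -0700] "POST /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.18"
10.0.0.6 - - [10/May/2018:09:05:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One regular expression with named groups for each field of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def field_counts(records, field):
    """Count how often each distinct value of `field` appears."""
    return Counter(r[field] for r in records)


def long_tail(counter, n=3):
    """The n most common values: the baseline of what 'normal' looks like."""
    return counter.most_common(n)


def short_tail(counter, n=3):
    """The n least common values, rarest first (ties broken by value for determinism)."""
    return sorted(counter.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def rare_values(counter, max_count=1):
    """Every value seen at most `max_count` times."""
    return {value for value, count in counter.items() if count <= max_count}


def suspicious_records(records, field, max_count=1):
    """Pull back the full log records whose `field` value is rare in this data set."""
    rare = rare_values(field_counts(records, field), max_count)
    return [r for r in records if r[field] in rare]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ua = field_counts(recs, "ua")
    print("Long tail (baseline):", long_tail(ua))
    print("Short tail (look here first):", short_tail(ua))
    for r in suspicious_records(recs, "ua"):
        print("rare user agent:", r["ip"], r["method"], r["path"], r["status"], r["ua"])
```

Run the analysis over any field, not only the user agent: counting `path` or `status` the same way surfaces the one-off requests and error codes that a busy server's normal traffic would otherwise bury. The threshold in `rare_values` is a starting point, not a rule; on a large log the short tail is best reviewed as a sorted list rather than a fixed cut-off.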
"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions
"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation
Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.
- Mark Baggett