Security West 2018

San Diego, CA | Fri, May 11 - Fri, May 18, 2018

Due to high demand for Security training at SANS Security West 2018, the following courses will take place at the Marriott Marquis San Diego Marina: SEC503, SEC505, SEC542, MGT414, MGT512, and MGT517. The hotel neighbors the Manchester Grand Hyatt and is accessible from both Harbor Drive and the Bayfront. Courseware Distribution and Event Check-In for these six courses will take place at the Marriott Marquis San Diego on: Thursday, May 10 from 5:00 p.m. to 7:00 p.m. and Friday, May 11 from 7:00 a.m. to 9:00 a.m. Badge and Courseware Distribution for these classes will only be available at the Marriott Marquis San Diego Marina. We are hosting the "Welcome to SANS Talk" on the morning of Friday, May 11 at each venue but all additional SANS@Night presentations will take place at the Manchester Grand Hyatt. Please check the schedule tab for the bonus sessions. We thank you in advance for your understanding.

SEC564: Red Team Operations and Threat Emulation

Thu, May 17 - Fri, May 18, 2018

Formalizing the process of red teaming and of automating the testing of defensive security capabilities is an accelerator to any security program.

Michael Machado, Ring Central, Inc.

For a lot of companies, red teaming is a new approach, and therefore training in that field is really necessary.

Andreas Hinosaar, Estonian MOD

Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world threats to train and measure the effectiveness of the people, processes, and technology used to defend environments. Built on the fundamentals of penetration testing, Red Teaming uses a comprehensive approach to gain insight into an organization's overall security to test its ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities significantly improve an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.

The Red Team concept requires a different approach from a typical security test and relies heavily on well-defined TTPs, which are critical to successfully emulating a realistic threat or adversary. Red Team results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against an actual threat, and identify where security strengths and weaknesses exist.

Whether you support a defensive or offensive role in security, understanding how Red Teams can be used to improve security is extremely valuable. Organizations spend a great deal of time and money on the security of their systems, and it is critical to have professionals who can effectively and efficiently operate them. SEC564 will provide you with the skills to manage and operate a Red Team, conduct Red Team engagements, and understand the role of a Red Team and its importance in security testing. This two-day course will explore Red Team concepts in-depth, provide the fundamentals of threat emulation, and help you reinforce your organization's security posture.

Course Syllabus

Joe Vest
Thu May 17th, 2018
9:00 AM - 5:00 PM

Day 1 begins by introducing Red Team topics, concepts, and ideas. You will learn what Red Teaming is, how it is used, and how it compares to other security testing types, such as vulnerability assessments and penetration tests. Several topics, concepts, and ideas that are specific to Red Teams, and which constitute the critical foundation of Red Teaming, are examined in order to provide a solid base of understanding.

Exercises

  • Adversarial Mindset Challenge
  • Setting up an Attack Platform
  • Analyzing, Understanding, and Controlling User-Agent IOCs
  • Decomposing a Threat

CPE/CMU Credits: 6

Topics

  • Red Teaming Definitions, Assumptions, and Expectations
  • Common Red Teaming Terms
  • Security Misconceptions and Assumptions
  • History and Origin
  • Red Teaming Introductions
  • How Red Teaming Compares to Other Security Tests
  • Red Team's Role in Blue Team Training
  • Live Assessment Example
  • Red Teaming Concepts
  • Red Team Roles and Responsibilities
  • Standard Attack Platform
  • Engagement Planning
  • Understanding and Controlling Tool Indicators
  • Threat Planning
  • Threat Perspective
  • Threat Emulation Scenarios
  • Red Team Goals
  • Social Engineering
  • Other Red Team Engagement Concepts
  • Handling Client Data
  • Engagement Frequency
  • How to Succeed

Joe Vest
Fri May 18th, 2018
9:00 AM - 5:00 PM

Day 2 continues with engagement execution and a focus on Red Team tools and techniques. The day is filled with exercises that walk students through a mock Red Team engagement. Multiple Red Teaming phases are explored that use realistic TTPs to ultimately impact the target organization's supply chain. During the exercises, you manage and control indicators of compromise (IOCs), design custom command and control channels, and use unique command and control tools. You will also learn Red Teaming concepts needed to control and manage a Red Team. These concepts include how to interface with clients, collect and log engagement artifacts, successfully execute an engagement, manage deconfliction, properly end an engagement, and deliver a professional report.

Exercises

  • Using Web Shells to Support C2
  • C2 Design and Customization - PowerShell Empire
  • Performing an Operational Impact Against an ICS System

CPE/CMU Credits: 6

Topics

  • Red Team Engagement Execution
  • Data Collection
  • Tradecraft and TTPs
  • Execution Concepts
  • Tools and Techniques
  • Engagement Background
  • Engagement Culmination
  • Red Team Engagement Reporting

Additional Information

To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

The class does not support VirtualBox, Virtual PC, or other non-VMware virtualization products.

You will use VMware to run a Linux guest operating system to perform exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. VMware Player is a free download from VMware's website.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you plan to use a Macintosh, please make sure you bring VMware Fusion.

Mandatory Laptop Hardware Requirements:

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum, with 16 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 40 GB available hard-drive space
  • An available USB port

During the course exercises, you will be connecting to a hostile network. Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during course exercises.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

Who Should Attend

  • Security professionals interested in expanding their knowledge of Red Teaming
  • Penetration testers
  • Ethical hackers
  • Defenders who want to better understand offensive methodologies, tools, and techniques
  • Auditors who need to build deeper technical skills
  • Red Team members
  • Blue Team members
  • CND/CNE Teams
  • Forensics specialists who want to better understand offensive tactics
  • Information security managers who need to incorporate red team activities into their operations

Prerequisites

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Teaming concepts.

Many of the Red Teaming concepts taught in this course are suitable for anyone in the security community, and both technical staff as well as management personnel will be able to gain a deeper understanding of Red Teaming.

What You Will Receive

  • A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all exercises
  • Details on Red Team use of common tools and their usage
  • A variety of sample documents used in planning, executing, and reporting Red Team engagements

You Will Be Able To

  • Make the best use of a Red Team and apply it to measure and understand an organization's security defenses
  • Learn what Red Teaming is and how it differs from other security testing engagements
  • Understand the unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to its success
  • Design and create threat-specific goals to measure and train organizational defenders (CND/Blue Teams)
  • Learn to use the "Get In, Stay In, and Act" methodology to achieve operational impacts

Authors' Statement

"A great deal of time and money are spent on protecting critical digital assets. Many organizations focus their security testing on compliance or limited scope reviews of a system. These limited tests often leave an organization with a false sense of security. Organizations that open themselves to assessment not only of their technology, but also of their people and processes, can significantly improve their security posture and adjust a limited security budget to protect their most critical assets. Scenario-based testing and Red Team techniques can be used to determine how an organization really stands up to a realistic and determined threat."

- Joe Vest and James Tubberville