Sharpen your Skills at SANS San Francisco Winter 2017. Save $200 thru 10/25.

Mentor SEC464 Session

Minneapolis, MN | Sun May 11 - Mon May 12, 2014
This event is over
but there are more training opportunities.

LOCAL Attendees only, please email for more details.

Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education

There are not enough well trained IT administrators and operations staff to meet the daily onslaught of cyber criminal and cyber terrorist activities. Sandia National Labs, NASA, and the State of Texas recently demonstrated that we can address this issue by leveraging the large number of IT admins within an organization to act as a hacker guard to help thwart many of these attacks. The goal is to have IT administrators in an organization serve as the first line of defense as human intrusion detectors.

This is an important challenge for organizations because perimeters are routinely being breached, and attackers often roam through networks for weeks or months on end, often without discovery. This new approach, pioneered by organizations such as Sandia Labs, NASA and the State of Texas, is a unique training program for IT operations and admins that teaches them how to:

  • Discover evidence of intruder activity
  • Demonstrate how to work effectively with their organization's security professionals and
  • Provide tools that they can put to work immediately

It's the first security program that is tuned directly to the interests of IT administrators and establishes a clear entry career path from a system admin to security professional.


  • Why bad things happen to good IT admins: 5 common mis-configurations and mistakes that lead to a system being compromised
  • Security methodology and thought process in daily systems administration activities
  • An IT administrator's view of what matters in systems architectures
  • Security monitoring: Not knowing makes the auditors and hackers happy
  • The hard part - knowing what is normal for Windows and Unix systems
  • The harder part - knowing what is abnormal for Windows and Unix systems
  • Hardening Windows and Unix systems is easier than you thought
  • Command line kung fu for Unix and Windows
  • Understanding network traffic for systems administrators
  • Malware: Why it is still effective in your environment

Here is what other IT administrators and operations staff have to say about the Hacker Guard Training:

I've been waiting for this type of course to come from SANS so I could get task-specific security training for sysadmins. - Tom Siu, Case Western Reserve University

This course fills the gap that all other server administrative courses lack; not only how to set it up securely, but the anomalies related to the insecurities. - Richard Spanfelner, CA Franchise Tax Board

This is an excellent course and should be a requirement for all our IT admins - not to mention at least some of our business partners and higher members of the IT food chain to influence the importance of this work. - Bob Timberlake, University of Kansas

This educational program gives IT admins the tools and techniques to illuminate evidence of potentially malicious activity on their systems and to look deeper to determine whether the problems they see are real. It allows them to become the hacker guards for malicious activity in their organization. It uses hands-on exercises to ensure they are comfortable using the tools.

Attack vectors are constantly changing and, therefore, the program does not stop with the first class. It continues with quarterly Combating Current Threats online training briefings. These show the newest attacks and how the information from the quarterly training, together with the tools and techniques learned in class and in previous quarterly briefings, might be adjusted to target these newest attacks. The introductory two-day class will be updated to reflect the changes highlighted in these quarterly briefings, so systems administrators who enter the Hacker Guard Program later will get the most up-to-date material.

Also, because attackers are increasingly focusing on database and application software, the program will include a growing library of up-to-date modules on Detecting the Wiley Hacker in specific software applications and websites.

Hacker Guard: Security Baseline Training for IT Administrators and Operations - Introductory Two-Day Class

IT operations and administrators are at the front line of any security architecture. They also know the systems that they manage on a daily basis better than anyone else. However, most systems administrators are NOT security professionals. Making the assumption that they are often leads to many of the security related issues organizations face today.

This course is not designed to turn an admin into a security geek. But rather, it will help administrators better understand what security teams and auditors require and turn them into the hacker guards for malicious activity.

The course also focuses strongly on developing the tools and techniques that an IT administrator would need to meet audit and security requirements in as efficient a manner as possible. In summary, this class provides the tools and techniques to bridge the gap and help systems administrator teams meet the needs of security and audit teams - and still do their day jobs.


Course Syllabus

CPE/CMU Credits: 6


Day 1.1 Class Goal:

  • Know our systems better by baselining
  • Know when we have deviations from the baselines
  • Understand how to communicate your findings with the Security team
  • Prepare you to survive an audit/pen test
  • Teach some cool tricks that will help you in your regular job
  • Scare you

Day 1.2 Security Architecture

  • Security Team and Operations Team

Day 1.3 Risk and the 20 Critical Controls

  • #1 Attack vector is your browser

Day 1.4 Know Your Network

Day 1.5 Malware

  • Day 1.5.1 Malware Exploits to By-Pass traditional Defenses
  • Day 1, Lab 1 Malware Lab: mspfayload

Day 1.6 Incident Response

  • Policies and Procedures prior to incidents occuring
  • Knowing What is Normal - Baselining
  • Secure Configurations
  • Open Source Resources
  • Windows Cheat Sheet for securing the Browser
  • Checking Tasks
  • Day 1, Lab 2 Building a Baseline Script

Day 1.7 Windows Management with SMS and SCCM

  • Discussion of powerful functionality from Microsoft

Day 1.8 The 20 Critical Controls: Inventory of Authorized and Unauthorized Software

  • The 20 Cricial Controls: Inventory of Authorized and Unauthroized Devices
  • Day 1, Lab 3 Evil - Not Evil

Day 1.9 Windows Logging

  • The 20 Critical Controls: Maintenance, Monitoring and Analysis of Audit Logs
  • Critical Logs

Day 1.10 Controlled Access Based on "Need to Know"

Day 1.11 The 20 Critical Controls: Data Loss Prevention

  • Day 1.11.1 Unauthorized Changes to User Groups and Services

Day 1.12 Windows Log Management

Day 1.13 Command Line in Depth - WMIC

Day 1.3.1 Importance of the Windows Command Line Interface (CLI)

Day 1, Lab 4 WMIC and netsh Lab

Summary of Day 1 Your Turn to Think Like a Hacker

Day 1, Lab 5

  • Conclusions for Day 1

CPE/CMU Credits: 6


Day 2.1System Monitoring

  • Nagios
  • Why are these tools valuable to System Administrators
  • Day 2, Lab 1 Monitoring Lab

Day 2.2Linux

  • Day 2.2.1 Establish what is Normal, Just like Day 1 Windows
  • Day 2.2.2 DISA Security Readiness Review
  • Day 2.2.3 Linux Cheat Sheet
  • Day 2.2.4 Looking for the unusual

Day 2.3The 20 Critical Controls: Unauthorized Changes to Users, Groups and Services

  • Day 2.3.1 Splunk

Day 2, Lab 2: Linux Cheat Sheet and Logs

Day 2.4What is a Honeypot

  • Day 2.4.1 Why do we use Honeypots?
  • Day 2.4.2 Open Source Tools for setting up Honeypots
  • Day 2, Lab 3 LAB: HoneyPorts

Day 2.5Network Traffic

  • Day 2.5.1 Special Note re: Permission to use these tools on your network
  • Day 2.5.2 Network Monitoring tools: Snort, Ntop, Wireshark
  • Day 2, Lab 4: LAB: Network Baseline

Day 2.6 Understanding what is normal network traffic behavior

  • Day 2.5.1 Knowing what is Abnormal
  • Day 2: Lab 5 The Not_Normal Lab

Day 2. 7Communicate with the Incident Response Team

Day 2.8Scenario: Kobayashi Maru -- A starfleet exercise

Day 2: Lab 6 Kobayashi Maru Team Lab

Day 2 Conclusions

Date Time Instructor
Sun May 11th, 20149:00 AM - 5:00 PM
Matthew J. Harmon
Mon May 12th, 20149:00 AM - 5:00 PM
Matthew J. Harmon

Additional Information

Very useful for me as a systems administrator. Some of the information I have seen in another SANS class (SEC504), but this is more focused on what I encounter day-to-day - Dustin Odya, Indiana University



To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 7 (Professional or Ultimate), Windows Vista (Business or Ultimate), Windows XP Pro, or Windows 2003 or 2008 Server, either a real system or a virtual machine. Windows 7 Home, Windows Vista Home, Windows XP Home, and Windows 2000 (all versions) will NOT work for the class as they do not include all of the built-in capabilities we need for comprehensive analysis of the system.

The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free at

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from VMware will send you a time- limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 Ghz CPU Minimum or higher
  • DVD Drive (not a CD drive)
  • 2 GigaByte RAM minimum with 4 GB or higher recommended
  • Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • 10 GigaByte available hard drive space
  • Any Service Pack level is acceptable for Windows XP Pro, 2003, Vista, or Win7 .

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • IT administrators who interact on a regular basis with their security team or with an auditor.
  • Any IT operations staff or administrators who are curious about the things security teams require.

Our contributing customers have told us that good training needs to be continuous and current. This is the core-learning objective of the introductory two-day class. Students will be able to leverage and apply what they have learned to real-life situations as they arise. Therefore, the introductory two-day class will be followed by a minimum of four Quarterly Combating Current Threats webinars, which are included in the initial training fee.

SANS has always promised that what you learn in class today can be applied in your job tomorrow. With this continuous education approach, our instructors will actually show students how to apply the key learning objectives at a minimum of once every three months. This is hands-on training that is fresh and relevant. These updates will be delivered via live Webcast by course author John Strand. It is highly recommended that students utilize this continuing education option to ensure their knowledge is constantly updated to the latest threat vectors.

Students who have entered the Hacker Guard Program will have the option to continue the Quarterly Threat briefings through payment of an annual fee once they have completed their first four quarterly briefings.

Author Statement

Throughout the course of my career I have worked with many organizations where systems administrators feel that they are forced to take action on behalf of security or a compliance requirement. They have expressed concerns to me that they don't understand why they have to do certain security hardening activities. Worse, they feel like their own security team doesn't have a full understanding of why they do what they do on behalf of security.

This class is designed to help the systems and network administrators of an environment understand what it is that they need to do to meet security and audit requirements so they can get back to doing their job of keeping the environment running.

- John Strand

Venue Information