GIAC Certified Enterprise Defender (GCED)
What You Will Learn
Have you ever wanted to…
…execute malware (Ransomware) for the sheer thrill of watching it pop up a scary-looking interface demanding you send Bitcoin to decrypt your data before it is deleted? Or even better, delve into the secrets of how Ransomware does what it does and what it needs to function, then find the data needed to defeat it by deceiving it into believing you have met its demands?
…administer actual network devices and learn about the mysterious world of network engineers and the device configuration settings available to them to maintain a secure network? Or even better, launch real-time attacks against network devices by compromising authentication, redundancy, routing protocols, and encrypted credentials, then hardening devices against these same attacks and validating that they fail?
…explore penetration testing by learning about the tools and techniques to scope tests, conduct reconnaissance of target environments, exploit systems, gather credentials, move laterally, and report your findings? Or even better, discover and compromise systems, enumerate accounts, steal credentials, and discover, identify, attack, compromise, and pivot to other systems on the target network using exploitation tools and frameworks exactly as your adversary would do?
…understand how your adversary discovers the vulnerabilities in enterprise and web applications to breach yet another enterprise? Or better yet, detect these vulnerabilities with sniffers, scanners, and proxies, giving you the opportunity to remediate the weaknesses in your systems before the attack begins?
…monitor your network proactively, analyzing log data in real-time, looking for indicators of compromise to identify a new attack? Or better yet, directly consume threat intelligence, identifying signatures of nascent attacks in packets captured from your network and creating and testing new rules for your Network Intrusion Detection System?
If you want to learn the dynamic skills listed above to defend your enterprise, SEC501: Advanced Security Essentialsâ€”Enterprise Defender is the course for you. Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. This course provides a solid foundation of core policies and practices to enable individuals and security teams to defend their enterprise.
It has been said of security that “prevention is ideal, but detection is a must.” However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT – DETECT – RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of where it resides or what paths it travels.
The primary way to PREVENT attacks begins with assuring that your network devices are optimally configured to thwart your adversary. This is done by auditing against established security benchmarks, hardening devices to reduce their attack surface, and validating their increased resilience against attack. Prevention continues with securing hostname resolution (an obvious adversary target for establishing a Machine-in-the-Middle position) and goes even further with securing and defending cloud infrastructure (both public and private) against compromise.
Enterprises need to be able to DETECT attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, monitoring for indications of compromise, and employing active defense techniques to provide early warning of an attack. Of course, despite an enterprise’s best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Performing penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs is an excellent way to reduce overall organizational risk.
Once an attack is identified, you must quickly and effectively RESPOND, activating your incident response team to collect the forensic artifacts needed to identify the tools, tactics, and procedures being used by your adversaries. With this information you can contain their activities, ensure that you have scoped out all systems where they have had an impact, and eventually eradicate them from the network. This can be followed by recovery and remediation to PREVENT their return. Lessons learned through understanding how the network was compromised can then be fed back into more preventive and detective measures, completing the security lifecycle.
It costs enterprises worldwide billions of dollars annually to respond to malware, and particularly Ransomware, attacks. So it is increasingly necessary to understand how such software behaves. Ransomware spreads very quickly and is not stealthy; as soon as your data become inaccessible and your systems unstable, it is clear something is amiss. Beyond detection and response, when prevention has failed, understanding the nature of malware, its functional requirements, and how it achieves its goals is critical to being able to rapidly reduce the damage it can cause and the costs of eradicating it.
You Will Learn
- Core components of building a defensible network infrastructure and properly securing your routers, switches, and other network infrastructure
- Formal methods to perform vulnerability assessment and penetration testing to find weaknesses on your enterprise network
- Methods to detect advanced attacks against your network and indicators of compromise on deployed systems, including the forensically sound collection of artifacts and what you can learn from them
- How to respond to an incident using the six-step process of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
- Approaches to analyzing malware, ranging from fully automated techniques to the manual analysis of static properties, interactive behavior, and code reversing
You Will Be Able To:
- Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks
- Utilize tools to analyze a network to prevent attacks and detect the adversary
- Decode and analyze packets using various tools to identify anomalies and improve network defenses
- Understand how the adversary compromises systems and how to respond to attacks using the six-step incident handling process
- Perform penetration testing against an enterprise to determine vulnerabilities and points of compromise
- Use various tools to identify and remediate malware across your enterprise
SEC501 Features 25 Lab Exercises That Will Show You How To:
- Build a defensible network architecture by auditing router configurations, launching successful attacks against them, hardening devices to withstand those same attacks, and using active defense tools to detect an attack and generate an alert
- Perform detailed analysis of traffic using various sniffers and protocol analyzers, and automate attack detection by creating and testing new rules for detection systems
- Identify and track attacks and anomalies in network packets
- Use various tools to assess systems and web applications for known vulnerabilities, and exploit those vulnerabilities using penetration testing frameworks and toolsets
- Analyze Windows systems during an incident to identify signs of a compromise
- Find, identify, analyze, and clean up malware such as Ransomware using a variety of techniques, including monitoring the malware as it executes and manually reversing its code to discover its secret
GIAC Certified Enterprise Defender
The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.
- Incident handling and computer crime investigation
- Computer and network hacker exploits
- Hacker tools (Nmap, Nessus, Metasploit and Netcat)
While not required, it is recommended that students take SANS’ SEC401: Security Essentials: Network, Endpoint, and Cloud course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.
Important! Bring your own laptop configured according to these instructions!
A properly configured laptop is required to participate in SEC501: Advanced Security Essentials-Enterprise Defender. Students must be able to obtain elevated privileges (”Administrator” or “root”). Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.
For simplicity, the following checklists are provided. You must be able to confirm every item on these checklists. If there is any item that you are uncertain about, please show these checklists to your local technology support staff or reach out to SANS Support (email@example.com) before the start of the course.
My laptop meets these ten criteria:
- It has an Intel/AMD processor (a macOS M* will not run the VMs)
- It has at least 16 GB of RAM (more is better, less is insufficient to run all of the lab exercises)
- It has a 64-bit processor (a 32-bit processor will neither run the VMs nor meet RAM requirements)
- It has at least 125 GB of free storage available (more is better; the VMs are a 20 GB download and grow four to five times as large after importing and making snapshotsyou must be able to have all of this installed simultaneously)
- It is running a 64-bit operating system (OS) (32-bit will neither run the VMs nor meet RAM requirements)
- It is running, when booted (i.e., as a host OS), one of the following:
- Windows 10 version 20H1 or later (earlier versions may work, but Hyper-V must be disabled)
- macOS 10.15 (Catalina) or later
- Linux (this is highly discouraged unless you are fully competent to perform your own troubleshooting and provide your own support)
- It is pre-installed with one of the following:
- VMware Workstation Pro v15.5.5 or later [Windows/Linux] (VMware Player is insufficient; you must be able to create and restore VM snapshots, which Player does not support)
- VMware Fusion 11.5 or later [macOS]
- Links for obtaining free trial copies of VMware are below; alternate hypervisors are not supported!
- It is properly licensed to run VMware through the end of the course (a trial copy is fine, but it must not expire prematurely)
- It can access the Internet via Wi-Fi (WLAN) (you cannot fully complete all Lab Exercises, nor easily participate in the Capstone Capture-the-Flags challenge without Internet access)
- Optional: It is pre-installed with Microsoft Excel (this may be helpful with one of the Lab Exercises)
- While not required if Wi-Fi (WLAN) Internet access is available, a trial version of Microsoft Excel can be obtained from https://www.microsoft.com/en-us/microsoft-365/try.
I have all of the credentials necessary to perform these five tasks:
- Power-on my system
- Boot my host OS (i.e., you must have all necessary UEFI/BIOS and drive encryption passwords)
- Login with an account with (access to) elevated privileges (i.e. “Administrator” or “root”)
- Download files from the Internet
- Launch VMware Workstation Pro [Windows/Linux] or VMware Fusion [macOS]
These three items are re-stated to emphasize their importance:
- VMware Workstation or Fusion are mandatory. You must have the ability to take VM snapshots, and you cannot do this with VMware Player.
- You will use the VMware hypervisor to simultaneously run multiple VMs when performing hands-on exercises, therefore you must have VMware installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website:
- If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course
- No other hypervisors are supported (e.g., VirtualBox, Hyper-V, etc.)
- Students opting to bring Linux as their host OS are expected to manage any/all support issues that might arise.
- Apple systems using the M1 processor cannot be used for this course.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
COURSE MEDIA AND BOOKS
Your course media and printed materials (PDFs) will need to be downloaded. The media files for this course are 20 GB in size, so you need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need to install your VMs from course media before the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS now provides printed materials in PDF form. In addition, this course uses an Electronic Workbook, designed to be viewed from within any of the provided VMs, containing step-by-step instructions for all lab exercises. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
“My introduction to cybersecurity began in the early 1990s as a neuroscience Ph.D. student on the day after our lab was attacked, when I discovered that our UNIX workstations had known vulnerabilities for which patches had to be downloaded and installed. Entirely self-taught, I learned to patch and rebuild kernels, compile, deploy, configure and use tools like Tripwire, SATAN, and TCP Wrappers. Later, as a full-time enterprise administrator, I learned about switches, routers, and firewalls; RSA SecurID, IPSec VPN, and proxy gateways; hardening Windows endpoints; automating the auditing of Active Directory and the dynamic population of security groups; administering Nexpose; and wrangling IPTables. My own multifaceted technology background makes me particularly enthusiastic about being the lead author for SEC501, as the course reflects my own experience as a jack of all trades and provides the perfect opportunity to share that excitement with you! In addition, a group of rock star authors built and maintain this syllabus and content, including Stephen Sims, Dave Shackleford, Phil Hagen, Matt Bromiley, and Rob Vandenbrink.”
– Ross Bergman