SEC599 Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

SGD$11,369.82

  • SANS October Exam Bundle: SGD$1,272.23
  • SANS October NetWars Bundle: SGD$2,247.00
  • SANS October OnDemand Bundle: SGD$1,272.23

GIAC Defending Advanced Threats (GDAT)

What You Will Learn

You just got hired to help our virtual organization “SYNCTECHLABS” build out a cyber security capability. On your first day, your manager tells you: “We looked at some recent cyber security trend reports and we feel like we’ve lost the plot. Advanced persistent threats, ransomware, denial of service… We’re not even sure where to start!”

Cyber threats are on the rise: ransomware tactics are affecting small, medium, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.

Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: “How do I prevent or detect this type of attack?” Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.

Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization “SYNCTECHLABS” in section one exercises.

In sections two, three, four and five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:

  • Leveraging MITRE ATT&CK as a “common language” in the organization
  • Building your own Cuckoo sandbox solution to analyze payloads
  • Developing effective group policies to control script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
  • Stopping 0-day exploits using ExploitGuard and application whitelisting
  • Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
  • Detecting and preventing malware persistence
  • Leveraging the Elastic stack as a central log analysis solution
  • Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
  • Blocking and detecting command and control through network traffic analysis
  • Leveraging threat intelligence to improve your security posture

SEC599 will finish with a bang. During the Defend-the-Flag challenge in the final course section, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren’t slowing down, so what are you waiting for?

Purple Team Course FAQ

This Course Will Prepare You To

  • Understand how recent high-profile attacks were delivered and how they could have been stopped
  • Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

Hands-On Training

SEC599 leverages SANS OnDemand systems, where attendees will be able to complete the 20+ labs in the course in a full-fledged browser environment. This eliminates possible issues with student laptops and increases time spent on actually learning security topics, not configuring virtual machines. The student VMs are provided to allow students to continue learning at home!

The practical labs and exercises you will complete in this course will enable you to:

  • Use MITRE ATT&CK Navigator to assess different techniques
  • Leverage MITRE ATT&CK as a “common language” in the organization
  • Build your own Cuckoo sandbox solution to analyze payloads
  • Develop effective group policies to control script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
  • Highlight key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
  • Stop 0-day exploits using ExploitGuard and application whitelisting
  • Highlight key bypass strategies in application whitelisting (focus on AppLocker)
  • Detect and avoid malware persistence using Autoruns and OSQuery
  • Leverage the Elastic stack as a central log analysis solution
  • Detect and prevent lateral movement through Sysmon, Windows event monitoring, and group policies
  • Block and detect command and control through network traffic analysis using Suricata, Zeek, and RITA
  • Leverage threat intelligence to improve your security posture using MISP, Loki, and Volatility

What You Will Receive

  • MP3 audio files of the complete course lecture
  • Digital Download Package that includes:
    • Virtual machines for training
    • Electronic Courseware
    • Download link to the target VMs

GIAC Defending Advanced Threats

“The GDAT certification is unique in how it covers both offensive and defensive security topics in-depth. Holders of the GDAT certification have demonstrated advanced knowledge of how adversaries are penetrating networks, but also what security controls are effective to stop them. Next to knowing what controls are instrumental to prevent recent attacks, certified GDAT professionals know that prevent-only is not feasible and thus know how to detect and respond to attacks. Combining all these skills, they have the ability to prevent, detect, and respond to both traditional and APT-style attacks!” – Erik Van Buggenhout, Course Author, SANS SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

  • Advanced persistent threat models and methods
  • Detecting and preventing payload deliveries, exploitation, and post-exploitation activities
  • Using cyber deception to gain intelligence for threat hunting and incident response

Prerequisites

  • Experience with Linux and Windows from the command line (including PowerShell)
  • Familiarity with Windows Active Directory concepts
  • A baseline understanding of cyber security topics
  • A solid understanding of TCP/IP and networking concepts

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

As the course leverages the SANS OnDemand platform, the labs will be browser-based. The sections below outline the key requirements for optimal lab experiences.

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
  • For troubleshooting reasons, please ensure you have local administrator privileges on your laptop.

Browser

An up-to-date version of the following browser families is supported:

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

Hardware

  • x86-compatible or x64-compatible CPU, 2.0 GHz or faster
  • 4 GB RAM minimum with 8 GB or higher recommended
  • A wireless network adapter
  • 10 GB available hard-drive space

During the course, you will be connecting to a network filled with security experts! As a best practice, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it during the course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

“After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in my classes were not actually penetration testers or those who would be writing zero-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers.”

— Stephen Sims

“During my InfoSec career, I focused on penetration testing for the first five years, then shifted my focus more and more to the world of incident response. That’s when I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries’ attacking moves.

“SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish.

“Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I’m very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day ‘Defend-the-Flag’ exercise on Day 6.”

— Erik Van Buggenhout

“SEC599 gave me interesting insight into Exploit Guard that will certainly drive great conversation at work. Best labs of any class I’ve taken.” – Jeremiah Hainly, The Hershey Company