The most trusted source for information security training,

certification, and research

Cybersecurity Training
and Certifications
2019 Catalog

100+
extraordinary
SANS-certified instructors

300+
training events,
plus multiple online options

Curricula
Cyber Defense Ethical Hacking SANS is the best information security training
Detection and Monitoring Management, Audit, Legal you’ll find anywhere. World-class instructors,
Penetration Testing DevSecOps hands-on instruction, actionable information
Incident Response Cyber Threat Intelligence you can really use, and...NetWars!
Digital Forensics ICS/SCADA Security
–Jeff Stebelton, Netjets, Inc.

www.sans.org Summer/Fall
SANS
Institute The most trusted source for information security
training, certification, and research

At the SANS Institute, our mission is to deliver the cutting- GIAC CERTIFICATION
edge information security knowledge and skills that
GIAC certifications are designed to ensure that students can apply their
companies, military organizations, and governments need
knowledge and skills in a real-world setting. More than 30 certifications align
to protect their people and assets.
with SANS training courses, validating student mastery for professional use in
critical, specialized InfoSec domains and job-specific roles. See www.giac.org
for more information.
TRAINING ON THE CUTTING EDGE
SANS offers more than 65 unique courses, all designed
A TRAINING FORMAT FOR EVERY STUDENT
to align with dominant security team roles, duties, and
disciplines. Our courses prepare students to face today’s SANS holds more than 300 live training events around the world each year,
threats and tomorrow’s challenges. so you can find a convenient time and place to take your course. These events
provide an engaging learning environment and multiple opportunities to
The SANS curriculum spans the full range of cybersecurity
network with other security professionals and with SANS instructors and staff.
fields including Cyber Defense, Penetration Testing &
Ethical Hacking, Digital Forensics & Incident Response, SANS training is also offered online, with several convenient options to suit
Threat Hunting, Audit, Management, Critical Infrastructure your learning style. All of our online courses include at least four months
and Control Systems Security, Secure Software of access to the course material, so students can revisit and rewind content
Development, and more. anytime, anywhere.
In SANS courses, students are immersed in hands-on
lab exercises designed to help them practice, hone, RECOGNIZED AS A SUPERIOR INVESTMENT
and perfect what they’ve learned. And we constantly
Information security professionals from every member of the Fortune 100,
update and rewrite our courses to be sure the tools and
and from small and mid-sized firms alike, say they return to SANS training
techniques we’re teaching are always current, and on the
again and again because they trust their training will result in practical and
cutting edge.
high-quality capabilities. SANS training is also embedded in government
and military programs in the United States and allies around the world for
the same reason.
LEARN FROM THE BEST
Customer feedback drives our continuous effort to maintain the quality
The SANS faculty is simply unmatched. All of our instructors and impact of SANS training, so that we continue to deserve your trust.
are active security practitioners, bringing their extensive
knowledge and real-world experiences directly to the
classroom. THE SANS PROMISE

SANS instructors work for high-profile organizations as At the heart of everything we do is the SANS Promise: Students will be able
red team leaders, CISOs, technical directors, and research to use their new skills as soon as they return to work.
fellows. In addition to their respected technical credentials,
they’re also expert teachers. Their passion for the topics REGISTER FOR SANS TRAINING
they teach shines through, making the SANS classroom—
both live and online—dynamic and effective. Learn more about SANS courses, and register online, at www.sans.org

The SANS suite of education resources for information security professionals includes:

Training
Live & Online

EXPERIENCE
Table of Contents
2 The SANS Faculty 60 FOR508 Advanced Incident Response, Threat Hunting, and
Digital Forensics | NEW
3 Build a High-Performing Security Organization
62 FOR572 Advanced Network Forensics: Threat Hunting, Analysis,
4 SANS Training Roadmap
and Incident Response | NEW
6 SANS Training Formats
64 FOR500 Windows Forensic Analysis
7 Securing Approval and Budget for Training
66 FOR518 Mac and iOS Forensic Analysis and Incident Response
8 GIAC Certifications
68 FOR526 Advanced Memory Forensics & Threat Detection
9 SANS Flagship Programs and Free Resources
70 FOR578 Cyber Threat Intelligence
10 SANS Security Awareness
72 FOR585 Smartphone Forensic Analysis In-Depth
11 SANS Technology Institute
74 FOR610 Reverse-Engineering Malware: Malware Analysis Tools
12 SEC401 Security Essentials Bootcamp Style and Techniques

14 SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling 76 MGT414 SANS Training Program for CISSP® Certification
16 MGT512 Security Leadership Essentials for Managers | NEW 78 MGT514 Security Strategic Planning, Policy, and Leadership
18 SEC566 Implementing and Auditing the Critical Security Controls – 80 MGT525 IT Project Management, Effective Communication,
In-Depth and PMP® Exam Prep

20 SEC503 Intrusion Detection In-Depth 82 AUD507 Auditing & Monitoring Networks, Perimeters,
and Systems
22 SEC511 Continuous Monitoring and Security Operations
84 LEG523 Law of Data Security and Investigations
24 SEC301 Introduction to Cyber Security
86 DEV522 Defending Web Applications Security Essentials
26 SEC487 Open-Source Intelligence (OSINT) Gathering
and Analysis | NEW 88 SEC540 Cloud Security and DevOps Automation
28 SEC501 Advanced Security Essentials – Enterprise Defender 90 DEV541 Secure Coding in Java/JEE: Developing Defensible
Applications
30 SEC505 Securing Windows and PowerShell Automation
91 DEV544 Secure Coding in .NET: Developing Defensible
32 SEC506 Securing Linux/Unix Applications
34 SEC530 Defensible Security Architecture and Engineering | NEW 92 ICS410 ICS/SCADA Security Essentials
36 SEC545 Cloud Security Architecture and Operations 94 ICS456 Essentials for NERC Critical Infrastructure Protection
38 SEC555 SIEM with Tactical Analytics 96 ICS515 ICS Active Defense and Incident Response
40 SEC599 Defeating Advanced Adversaries – Purple Team Tactics 98 Cyber Defense 2-Day & Beta Courses
and Kill Chain Defenses
99 Penetration Testing 2-Day Courses
42 SEC560 Network Penetration Testing and Ethical Hacking
100 IR & Forensics Beta Course
44 SEC542 Web App Penetration Testing and Ethical Hacking
100 DevSecOps 2-Day Course
46 SEC460 Enterprise Threat and Vulnerability Assessment | NEW
101 Management 2-Day & Beta Courses
48 SEC573 Automating Information Security with Python
102 Hosted Courses
50 SEC575 Mobile Device Security and Ethical Hacking
103 SANS Voucher Program
52 SEC617 Wireless Penetration Testing and Ethical Hacking
104 SANS NetWars Experience
54 SEC642 Advanced Web App Penetration Testing,
Ethical Hacking, and Exploitation Techniques 105 Upcoming Summit & Training Events

56 SEC660 Advanced Penetration Testing, Exploit Writing,

and Ethical Hacking
58 SEC760 Advanced Exploit Development for Penetration Testers

“SANS courses give you real-world skills that have

an immediate value on the security environment.”
– Eric Kaithula, Symetra

1
 SANS
Faculty

“ SANS instructors are

the best in the game.
Their technical knowledge
combined with presentation
skills and real-world examples
make for an unparalleled training
experience. SANS rocks!
-Chris Gergen, Bank of North Dakota
”

At SANS, our course authors and instructors In addition to their impressive résumés, every member of
are renowned cybersecurity experts who share their the SANS faculty is fully committed to providing the most
knowledge by drawing on their own their own real- comprehensive training possible. Our instructors do more
world examples and top-shelf curriculum. Industry than just stand in front of a classroom—they’re present
professionals choose SANS training again and again, year for their students every step of the way, with follow-ups,
after year, for access to these highly regarded experts. webcasts, mentoring, and more. Their goal is your success,
There are only about 100 individuals in the world and that dedication is what truly sets SANS training apart
currently qualified as SANS Certified Instructors. Each from all the rest.
is selected after proving his or her technical and Whether you train with SANS online or at one of our live
teaching expertise through years of work and success. events, we promise you’ll be able to apply what you learn
The instructors are the founders of international from these top-tier instructors as soon as you return to work.
cybersecurity organizations, authors of best-selling
books, and developers of the world’s most advanced
cyber ranges and Capture-the-Flag challenges. Many
are regularly called upon to share their expertise with
government and commercial organizations around Meet the SANS faculty:
the world. www.sans.org/instructors
2
Build a High-Performing
Security Organization

Based on our global research, SANS has identified effective strategies for building an
information security group:
Use practical organizing principles to Prioritize your efforts within these areas, Determine the number and types of
design your plan. Nearly all of the more using the Center for Internet Security professionals you need to perform the
complex frameworks may be reduced to Critical Controls, as you mature your own hands-on work, then launch an ongoing
a few simpler constructs, such as “Build organization. campaign to develop a team with the
and Maintain Defenses – Monitor and appropriate skills in mind. Cybersecurity is
Detect Intrusion – Proactively Self-Assess – a specialized practice area within IT, and
Respond to Incidents.” demands specialized training.

The job roles and skills required in information People & Skills = Size of Organization, Value at Risk
security grow and change as the organization
scales. While every professional needs a Advanced Skills & Specialized Roles, including:
baseline of knowledge and capabilities in cyber Blue Team Operations | Threat Hunting | ICS-SCADA | Secure Development
defense and incident response, over time you Active Defense | Mobile | Malware Reverse Engineering | Legal & Audit
will develop specialized members of your team
to work together in particular areas.
Value at Risk

Vulnerability Analysis Incident Response & Forensic

Four critical job roles typically emerge: & Pen Testing Investigations
• Security Monitoring & Detection
Professionals – Identifying security anomalies
within your environment requires an Monitoring & Detection Security Managers
increasingly sophisticated set of skills. All
too often, vendor training teaches to the tool,
without explaining how the tool works or how Professionals with Baseline Defensive Security Capabilities
it can be best used. To deploy detection and
monitoring tools and interpret their output, Size of Organization
you need a more robust understanding of
tools, techniques, and analysis.
• Pen Testers & Vulnerability Analysts – A professional who can find weaknesses is often a different breed than one focused exclusively on
building defenses. A basic tenet of red team/blue team deployments is that finding vulnerabilities requires a different set of tools and a
different way of thinking, but it’s still essential in improving defenses.
• Forensic Investigators & Incident Responders – Larger organizations need specialized professionals who can move beyond first-level
incident response. Whether you’re maintaining a trail of evidence or hunting for threats, you need the skills to analyze attacks and
develop appropriate remediation and recovery plans.
• Security Managers – As their staffs of talented technologists grow, organizations require effective leaders to manage them. These
managers won’t necessarily perform hands-on work, but they must understand enough about underlying technologies and frameworks to
help set security strategy, develop appropriate policies, interact with their skilled practitioners, and measure outcomes.
Within (or beyond) these four areas, a high-performing security organization will develop individuals further, with some individual
professionals able to cover more areas, while others go deeper into just one specialty. Along the entire spectrum from active defense
to cloud defense, and from Python for InfoSec professionals to malware reengineering, SANS offers more than 30 courses to train for
specialized roles or learn about more advanced topics, meeting the needs of security professionals at every level.

3
 Training Roadmap | Development Paths
Topic Course Code GIAC Certification
Key: Essentials ICS410 ICS/SCADA Security Essentials | GICSP
Course Title

Baseline Skills Focus Job Roles Crucial Skills, Specialized Roles

SANS's comprehensive course offerings enable professionals to deepen their technical skills in key practice areas. The courses also address other topics and audiences, such as
security training for software developers, industrial control engineers, and non-technical personnel in management, legal, and audit roles.

3 You are a candidate for specialized or advanced training

Cyber Defense Operations Harden Specific Defenses Industrial Control Systems

2 You are experienced in security, preparing for a specialized

job role or focus
Specialized Defensive Area
Advanced Generalist SEC501 Advanced Security Essentials – Enterprise Defender | GCED
ICS Security Professionals Need
Essentials ICS410 ICS/SCADA Security Essentials | GICSP
Monitoring & Detection Intrusion Detection, Monitoring Over Time Cloud Security SEC545 Cloud Security Architecture and Operations ICS Defense & Response ICS515 ICS Active Defense and Incident Response | GRID
Scan Packets & Networks Windows/Powershell SEC505 Securing Windows and PowerShell Automation | GCWN NERC Protection

Intrusion Detection SEC503 Intrusion Detection In-Depth | GCIA Linux/Unix Defense SEC506 Securing Linux/Unix | GCUX NERC Security Essentials ICS456 Essentials for NERC Critical Infrastructure Protection | GCIP

Monitoring & SIEM SEC555 SIEM with Tactical Analytics | GCDA

SEC511 Continuous Monitoring and Security Operations | GMON
Operations
Other Advanced Defense Courses
New to Cyber Security Concepts, Terms, and Skills The detection of what is happening in your environment requires an increasingly sophisticated
set of skills and capabilities. Identifying security anomalies requires increased depth of Security Architecture SEC530 Defensible Security Architecture and Engineering | GDSA
understanding to deploy detection and monitoring tools and to interpret their output.
Security Fundamentals SEC301 Introduction to Cyber Security | GISF Threat Defense
SEC599 Defeating Advanced Adversaries – Purple Team Tactics Development and Secure Coding
and Kill Chain Defenses | GDAT
Every Developer Should Know
Secure Web Apps DEV522 Defending Web Applications Security Essentials | GWEB

Secure DevOps SEC540 Cloud Security and DevOps Automation

Specialized Penetration Testing
1 You are experienced in technology, but need to learn Focused Techniques and Areas
hands-on, essential security skills and techniques Language-Specific Courses
In-Depth Coverage
DEV541 Secure Coding in Java/JEE:
Vulnerability Assessment SEC460 Enterprise Threat and Vulnerability Assessment JAVA/JEE
Developing Defensible Applications
Core Techniques Prevent, Defend, Maintain Penetration Testing Vulnerability Analysis, Ethical Hacking
SEC660 Advanced Penetration Testing, Exploit Writing, DEV544 Secure Coding in .NET:
Every Security Professional Should Know Every Pen Tester Should Know and Ethical Hacking | GXPN .NET
Networks Developing Defensible Applications

Security Essentials SEC401 Security Essentials Bootcamp Style | GSEC Networks SEC560 Network Penetration Testing and Ethical Hacking | GPEN SEC760 Advanced Exploit Development for Penetration Testers
SEC642 Advanced Web App Penetration Testing, Ethical Hacking,
SEC504 Hacker Tools, Techniques, Exploits, Web Apps
Hacker Techniques Web Apps SEC542 Web App Penetration Testing and Ethical Hacking | GWAPT and Exploitation Techniques
and Incident Handling | GCIH
Mobile SEC575 Mobile Device Security and Ethical Hacking | GMOB
All professionals entrusted with hands-on cybersecurity work should be trained to possess The professional who can find weakness is often a different breed than one focused exclusively on
a common set of capabilities enabling them to secure systems, practice defense-in-depth, building defenses. A basic tenet of red team/blue team deployments is that finding vulnerabilities Wireless SEC617 Wireless Penetration Testing and Ethical Hacking | GAWN
understand how attacks work, and manage incidents when they occur. To be secure, you should requires a different way of thinking, and different tools, but is essential for defense specialists to
set a high bar for the baseline set of skills in your security organization. improve their defenses. Python Coding SEC573 Automating Information Security with Python | GPYC

Specialized
Digital Forensics, Malware Analysis, & Threat Intel Investigative Skills
Incident Response & Threat Hunting Host and Network Forensics
Malware Analysis
Every Forensics and IR Professional Should Know FOR610 Reverse-Engineering Malware: Malware Analysis Tools
Malware Analysis
FOR500 Windows Forensic FOR508 Advanced Incident Response, Threat and Techniques | GREM
Endpoint Forensics
Analysis | GCFE Hunting, and Digital Forensics | GCFA Threat Intelligence
FOR572 Advanced Network Forensics: Threat Hunting, Analysis,
Network Forensics Cyber Threat Intelligence FOR578 Cyber Threat Intelligence | GCTI
and Incident Response | GNFA

Whether you’re seeking to maintain a trail of evidence on host or network systems, or hunting Digital Forensics & Media Exploitation
for threats using similar techniques, larger organizations need specialized professionals who
Smartphones FOR585 Smartphone Forensic Analysis In-Depth | GASF
can move beyond first-response incident handling in order to analyze an attack and develop an
appropriate remediation and recovery plan.
Memory Forensics FOR526 Advanced Memory Forensics & Threat Detection

Mac Forensics FOR518 Mac and iOS Forensic Analysis and Incident Response

Security Management Managing Technical Security Operations Advanced Management Advanced Leadership, Audit, Legal
Every Security Manager Should Know Management Skills
Planning, Policy, See in-depth course descriptions
Leadership Essentials MGT512 Security Leadership Essentials for Managers | GSLC MGT514 Security Strategic Planning, Policy, and Leadership | GSTRT and the digital version of this
Leadership
roadmap at:
SEC566 Implementing and Auditing the Critical Security Controls – MGT525 IT Project Management, Effective Communication,
Critical Controls
In-Depth | GCCC
Project Management
and PMP® Exam Prep | GCPM www.sans.org/roadmap
CISSP® Training MGT414 SANS Training Program for CISSP® Certification | GISP Audit & Legal
With an increasing number of talented technologists, organizations require effective leaders to
manage their teams and processes. While managers will not necessarily perform hands-on work, AUD507 Auditing & Monitoring Networks, To learn more about additional SANS
they must know enough about the underlying technologies and frameworks to help set strategy, Audit & Monitoring
Perimeters, and Systems | GSNA courses, go to:
develop appropriate policies, interact with skilled practitioners, and measure outcomes.
Law & Investigations LEG523 Law of Data Security and Investigations | GLEG www.sans.org/courses

4 5
 SANS Training Formats
You can take SANS courses when, where, and how you want—regardless of your training path.
Whether you opt for a live event or one of our many online options, your SANS training experience
will always exceed expectations.

Live Classroom Instruction Online Training

Training Events Summits SANS Online Training features course authors
and top instructors teaching our most popular
Our live events feature SANS SANS Summits take place over one or two days, and courses, delivered via four flexible online
instructors teaching multiple focus on a single topic of particular interest to the platforms:
courses at a single location. community. We curate our presentations and speakers
You’ll get: to ensure that participants get the most relevant and • OnDemand: Learn anytime, anywhere with our
applicable information. custom OnDemand platform
• Focused, immersive learning
without distractions Before or after each Summit we offer SANS courses • vLive: Attend virtual evening sessions with
that are closely aligned with the topic, so you can SANS instructors
• Direct access to SANS Certified
enhance your Summit experience with in-depth • Simulcast: Livestream a daytime SANS course
Instructors
training while you’re there. from a live event
• Opportunities to network
• SelfStudy: Self-paced learning with books
with and learn from other Community SANS Courses and MP3s
cybersecurity professionals
Our Community events offer SANS courses, Our online training platforms include either
• The chance to attend courseware, and labs taught by up-and-coming four or six months of access to your course, as
SANS@Night events, NetWars, instructors in more local, regional areas. well as support from a team of SANS subject-
vendor presentations, industry matter experts. Access to all course labs and
receptions, and many other With smaller classes, you get more direct interaction
the ability to revisit content without limits
activities with your instructor, and the regional location means
ensures that you can master the content at
an easier, less expensive commute.
Our live events in North your own pace.
America serve thousands of
students annually in Orlando, Private Classes Because you can rewind, revisit, and reinforce
the course material, retention is easier and
Washington DC, Las Vegas, New A SANS Certified Instructor can train your staff privately your learning outcome will be the same as
Orleans, and San Diego. Smaller, at your location, incorporating insights, stories, and if you attended live SANS training. Try out
regional events are scheduled questions specific to your business objectives. the OnDemand platform by viewing a course
in most major metropolitan preview at www.sans.org/demo.
areas throughout the year. Private training allows your team to freely discuss
sensitive issues, and spend more time focusing on the
topics most relevant to your organization.

“The decision to take five days away from the office is “I love the material, I love the
never easy, but so rarely have I come to the end of a SANS Online delivery, and I want the
course and had no regret whatsoever. This was one of entire industry to take these courses.”
the most useful weeks of my professional life.” -Nick Sewell, IIT
-Dan Trueman, Novae PLC

6
Securing Approval and
Budget for Training

As a cybersecurity professional, you already know that SANS is the most trusted resource for the training you need. But
getting buy-in from your manager or the C-Suite can be a challenge—especially if they don’t already understand the
benefits that SANS training can bring. By following some simple guidelines, you can show them what they need to see,
and get them to support your training.

Packaging matters
Submit a formal request
• Most successful training requests are made via written document—a short memo or a few Powerpoint slides—justifying the need for
training. Training request templates are available for popular SANS courses. They can be found in the “Justify Your Training” section
of the course page. Most managers will respect and value the effort you put in to provide written justification.
• A formal request is a chance for you to provide all the necessary information in one place. If you include additional SANS resources,
you can give your manager context and present your request as a complete package. Some helpful additions include the Why SANS?
web page, the Training Roadmap, an instructor bio, and a course description.

Clearly state the benefits

Be specific
• How does the course relate to your job? Will it help you establish baseline skills? Transition to a more focused role? Decision-makers
need to understand the plan.
• Highlight specific tasks you’ll be able to do as a result of the training. Each SANS course description includes a section titled “You Will
Be Able To;” include this section in your request to make the benefits clear. Match the training to your job tasks and goals.

Set the context

Establish long-term expectations
• Cybersecurity is a specialized career path within IT. Its practices evolve as attacks change. Because of this, organizations should expect
to spend 6%-10% of team salaries to keep skills current. Training for such a dynamic field is an annual, per-person expense—not a
once-and-done item.
• Sign up for the related GIAC certification, in order to validate that you learned the skills taught in the class. Your employer can be
confident you learned what they paid for, since GIAC exams are psychometrically designed to confirm competency in job-related tasks.
• Consider offering trade-offs for the investment. Many professionals build annual training expenses into their employment
agreements when they’re hired; some offer to stay for a year after they complete the training.
7
 GIAC
The Highest Standard in
Cybersecurity Certification
“Earning 3 GIAC certifications
Job-Specific, Specialized Focus
after I graduated from college
Today’s cyber attacks are highly sophisticated and exploit specific has enabled me to enter the
vulnerabilities. Broad and general InfoSec certifications are no longer
InfoSec field. Not only did
enough. Professionals need the specific skills and specialized knowledge
required to meet multiple and varied threats. That’s why GIAC has more they set me apart from my
than 30 certifications, each focused on specific job skills and each peers, GIAC certs also made
requiring unmatched and distinct knowledge. my resume more appealing
Deep, Real-World Knowledge to recruiters.”
- Kim Ngoc, GuardSight, Inc.
Theoretical knowledge is the ultimate security risk. Deep, real-world
knowledge and hands-on skills are the only reliable means to reduce
security risk. Nothing comes close to a GIAC certification to ensure that
this level of real-world knowledge and skill has been mastered.

Most Trusted Certification Design

The design of a certification exam impacts the quality and integrity of a
certification. GIAC exam content and question design are developed
through a rigorous process led by GIAC’s on-staff psychometrician and
reviewed by experts in each area. More than 78,000 certifications have
been issued since 1999. GIAC certifications meet ANSI standards.
GIAC.ORG

“Attackers are always evolving, and having a GIAC cert prepares you to evolve
with them. It allows you to implement the appropriate methods and best
practices in your company while understanding it’s a continuous fight.”
8 – Jason Sevilla, Cyber Intelligence Analyst
SANS Flagship Programs and
Free Resources

GIAC Certifications SANS Technology Institute

SANS courses are the ideal preparation for a GIAC Certification, Advanced Degrees in Cybersecurity
the highest standard in cybersecurity certification. More More than 500 students are currently earning a Master of Science
than 30 GIAC Certifications allow you to demonstrate your degree in Information Security Engineering, or a graduate
unique expertise in specialized areas of cybersecurity. No certificate in Cybersecurity Engineering (Core), Cyber Defense
other certification program in the world comes close to GIAC Operations, Penetration Testing & Ethical Hacking, Incident
in validating real-world knowledge and skill, due largely to Response, or Industrial Control Systems Security. Corporate
the extensive exam preparation process and team of expert tuition reimbursement or VA education benefits often apply.
contributors. www.sans.edu
www.giac.org

SANS CyberTalent SANS Security Awareness

SANS CyberTalent provides innovative workforce SANS Security Awareness offers a robust suite of computer-based
development and talent management solutions for the security awareness training modules, support materials, and
cybersecurity industry. Our web-based assessment tools online phishing training that is engaging and effective. You can
and Immersion Academies help organizations build, retain, host our training on any learning management system, in many
and motivate a high-performance cybersecurity team as languages, to create a secure culture within your organization.
well as grow the cybersecurity workforce. www.sans.org/awareness
www.sans.org/cybertalent

Join the SANS.org Community

to Gain Access to the Following Free Resources and Much More | www.sans.org/join
Newsletters SANS Webcasts Internet Storm Center
Three SANS e-newsletters, available Live, topical presentations from SANS The Internet’s early warning system
for free experts, instructors, and trusted
20 Critical Controls
vendors
SANS Posters Find supporting courses and case
Tools, tips, and techniques to hang in SANS Reading Room studies related to the Critical Security
your office Constantly updated library of industry Controls
white papers
Blogs Security Policy Templates
Read what SANS instructors are Tip of the Day Build your own security policy using
thinking about in practice-area-specific Learn a new tip each day from the one of the provided templates
blogs SANS Security Awareness team

9
 Security Awareness Is Critical
in Protecting Your Organization
What’s in your training content?

Expert Led
SANS awareness training content is built by
the world’s leading cybersecurity practitioners.
Cognitive experts, design theory animators,
and leading security awareness experts deliver
training content that protects your organization,
and changes human behaviors.

Relevant
Our content is constantly updated to match
current threats. Training is available in multiple
formats, with a variety of supplemental materials,
to reach every audience in any language.

Easy
Modules are created to match important threats,
designed in core and specialized training
module-sets to cover all aspects of training.

World-class training offered from top experts, all available in a variety of

formats, and prepared for a global audience. Let SANS Security Awareness
training help you manage human risk.

Learn more at:

sans.org/security-awareness

Whether for our developers, administrators, or executives,

the SANS Security Awareness training curriculum hits the nail
on the head! I can’t begin to count how many conversations
have been sparked, relevant questions have been asked, light
bulbs of understanding have lit up, and less secure behaviors
have changed as a result of this content.

Jim Raub, CISO and Vice President, EagleDream Technologies

10
“ I was having a hard time getting
a job in information security
due to my lack of hands-on
experience. SANS gave me
extraordinary training and the
opportunity to rise to the top of
the résumé pile.”
– AJ Langlois
Cyber Analyst II, BB&T
 GSEC
SEC401: Security Essentials Bootcamp Style Security Essentials
www.giac.org/gsec

6 46 Laptop Learn the most effective steps to prevent attacks and detect adversaries with actionable
Day Program CPEs Required techniques that you can directly apply when you get back to work. Learn tips and
tricks from the experts so that you can win the battle against the wide range of cyber
adversaries that want to harm your environment.
You Will Be Able To
Is SEC401: Security Essentials Bootcamp Style the right course for you?
▐ Apply what you learned directly to your job
when you go back to work STOP and ask yourself the following questions:
▐ Design and build a network architecture ▐ Do you fully understand why some organizations get compromised and others do not?
using VLANs, NAC, and 802.1x based on
advanced persistent threat indicators of ▐ If there were compromised systems on your network, are you confident that you
compromise would be able to find them?
▐ Run Windows command line tools to analyze ▐ Do you know the effectiveness of each security device and are you certain that they
the system looking for high-risk items are all configured correctly?
▐ Run Linux command line tools (ps, ls,
netstat, etc.) and basic scripting to automate
▐ Are proper security metrics set up and communicated to your executives to drive
the running of programs to perform security decisions?
continuous monitoring of various tools
If you do not know the answers to these questions, then SEC401 will provide the
▐ Install VMWare and create virtual machines information security training you need in a bootcamp-style format that is reinforced with
to create a virtual lab to test and evaluate
the tools/security of systems
hands-on labs.
▐ Create an effective policy that can be Learn to build a security roadmap that can scale today and into the future.
enforced within an organization and design
SEC401: Security Essentials Bootcamp Style is focused on teaching you the essential
a checklist to validate security and create
metrics to tie into training and awareness information security skills and techniques you need to protect and secure your
organization’s critical information assets and business systems. Our course will show
▐ Identify visible weaknesses of a
system using various tools and, once you how to prevent your organization’s security problems from being headline news in
vulnerabilities are discovered, cover ways the Wall Street Journal!
to configure the system to be more secure
Prevention is ideal but detection is a must.
▐ Build a network visibility map that can
be used for hardening of a network – With the rise in advanced persistent threats, it is almost inevitable that organizations will
validating the attack surface and covering be targeted. Whether the attacker is successful in penetrating an organization’s network
ways to reduce that surface by hardening depends on the effectiveness of the organization’s defense. Defending against attacks
and patching
is an ongoing challenge, with new threats emerging all of the time, including the next
▐ Sniff open protocols like telnet and ftp and generation of threats. Organizations need to understand what really works in cybersecurity.
determine the content, passwords, and
vulnerabilities using WireShark
What has worked, and will always work, is taking a risk-based approach to cyber defense.
Before your organization spends a dollar of its IT budget or allocates any resources or
time to anything in the name of cybersecurity, three questions must be answered:
▐ What is the risk?
“SEC401 is a great intro and
▐ Is it the highest priority risk?
overview of network security. It
▐ What is the most cost-effective way to reduce the risk?
covered just enough information
Security is all about making sure you focus on the right areas of defense. In SEC401 you
to get a baseline level of
will learn the language and underlying theory of computer and information security. You
knowledge without going too will gain the essential and effective security knowledge you will need if you are given the
in-depth on any one topic.” responsibility for securing systems and/or organizations. This course meets both of the
key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you
-Josh Winter, Washington County, MN
can put into practice immediately upon returning to work; and (2) You will be taught by
the best security instructors in the industry.

SEC401 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-15 Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19
Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-13 Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30 Santa Monica . . . . . . . . . Santa Monica, CA . . . . . Oct 21-26
Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . Oct 28 - Nov 2
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Houston . . . . . . . . . . . . . . Houston, TX . . . . . Oct 28 - Nov 2
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21 Atlanta Fall . . . . . . . . . . . Atlanta, GA . . . . . . . . . . Nov 18-23
San Francisco . . . . . . . . . San Francisco, CA . . . . . .Jul 22-27 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . Sep 23-28 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23
Boston . . . . . . . . . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 San Francisco Fall . . . . . San Francisco, CA . . . . Sep 23-28 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . .Dec 2-7
Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7
Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
12 San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-17 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12
Course Day
Descriptions

DAY 1: Network Security Essentials DAY 2: Defense-In-Depth and Attacks Who Should Attend
A key way that attackers gain access to a company’s To secure an enterprise network, you must understand ▐ Security professionals who
resources is through a network connected to the Internet. the general principles of network security. On Day 2, we want to fill the gaps in their
A company wants to try to prevent as many attacks look at threats to our systems and take a “big picture” understanding of technical
as possible, but in cases where it cannot prevent an look at how to defend against them. You will learn that information security
attack, it must detect it in a timely manner. Therefore, an protections need to be layered – a principle called ▐ Managers who want to
understanding of and ability to create and identify the defense-in-depth. We explain some principles that will
understand information
goals of building a defensible network architecture are serve you well in protecting your systems. You will also
security beyond simple
critical. It is just as important to know and understand the learn about key areas of network security.
terminology and concepts
architecture of the system, types of designs, communication Topics: Defense-in-Depth; Access Control and Password
flow and how to protect against attacks using devices Management; Security Policies; Critical Controls;
▐ Operations personnel who
such as routers and firewalls. These essentials, and more, Malicious Code and Exploit Mitigations; Advanced do not have security as their
will be covered on this first day in order to provide a firm Persistent Threat (APT) primary job function but need
foundation for the consecutive days of training. an understanding of security
to be effective
Topics: Defensible Network Architecture; Virtualization
and Cloud Security; Network Device Security; Networking ▐ IT engineers and supervisors
and Protocols; Securing Wireless Networks; Securing Web who need to know how to
Communications build a defensible network
against attacks
DAY 3: Threat Management DAY 4: Cryptography, Risk Management, ▐ Administrators responsible
for building and maintaining
Whether targeting a specific system or just searching the and Response
Internet for an easy target, an attacker uses an arsenal systems that are being
There is no silver bullet when it comes to security. targeted by attackers
of tools to automate finding new systems, mapping
However, there is one technology that would help solve
out networks, and probing for specific, exploitable ▐ Forensic specialists,
a lot of security issues, though few companies deploy it
vulnerabilities. This phase of an attack is called penetration testers, and
correctly. This technology is cryptography. Concealing the
reconnaissance, and it can be launched by an attacker auditors who need a solid
meaning of a message can prevent unauthorized parties
any amount of time before exploiting vulnerabilities and foundation of security
from reading sensitive information. This course section
gaining access to systems and networks. In fact, evidence principles to be as effective as
looks at various aspects of encryption and how it can be
of reconnaissance activity can be a clue that a targeted possible at their jobs
used to secure a company’s assets. A related area called
attack is on the horizon.
steganography, or information hiding, is also covered. ▐ Anyone new to information
Topics: Vulnerability Scanning and Penetration Testing; security with some background
Topics: Cryptography; Cryptography Algorithms and
Network Security Devices; Endpoint Security; SIEM/Log in information systems and
Deployment; Applying Cryptography; Incident Handling
Management; Active Defense networking
and Response; Contingency Planning – BCP/DRP; IT Risk
Management

DAY 5: Windows Security DAY 6: Linux Security

Remember when Windows was simple? Windows XP desktops in a little While organizations do not have as many Unix/Linux systems, those that
workgroup…what could be easier? A lot has changed over time. Now, we have they do have are often some of the most critical systems that need to
Windows tablets, Azure, Active Directory, PowerShell, Office 365, Hyper-V, be protected. This final course day provides step-by-step guidance to
Virtual Desktop Infrastructure (VDI), and so on. Microsoft is battling Google, improve the security of any Linux system. The course combines practical
Apple, Amazon.com, and other cloud giants for supremacy. The trick is to do it “how to” instructions with background information for Linux beginners,
securely, of course. Windows is the most widely-used and targeted operating as well as security advice and best practices for administrators of all
system on the planet. At the same time, the complexities of Active Directory, PKI, levels of expertise. This module discusses the foundational items that are
BitLocker, AppLocker, and User Account Control represent both challenges and needed to understand how to configure and secure a Linux system. It also
opportunities. This section will help you quickly master the world of Windows provides an overview of the operating system and mobile markets. To lay
security while showing you the tools that can simplify and automate your work. a foundation, it provides an overview of the different operating systems
You will complete the day with a solid grounding in Windows security by looking that are based on Linux.
at automation, auditing and forensics. Topics: Linux Security: Structure, Permissions and Access; Hardening and
Topics: Windows Security Infrastructure; Service Packs, Hot Fixes, and Backups; Securing Linux Services; Monitoring and Attack Detection; Security Utilities
Windows Access Controls; Enforcing Security Policy; Securing Windows Network
Services; Automation, Auditing, and Forensics

Online Training
Community Events OnDemand Simulcast
Tampa, FL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 10-15 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
Ottawa, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13 own pace, with four months of online access in the Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13
Raleigh, NC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17 OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17
Vancouver, BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sep 23-28 Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
vLive
Mentor Events Online Training . . . . . . . . . . . . . . . . . . . . . . . . .Sep 3 - Oct 10
Austin, TX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 1-29
Private Training
This course is also available through Private Training. 13
 SEC504: Hacker Tools, Techniques, Exploits, GCIH
and Incident Handling
Incident Handler
www.giac.org/gcih

6 37 Laptop The Internet is full of powerful hacking tools and bad guys using them extensively. If your
Day Program CPEs Required organization has an Internet connection and one or two disgruntled employees (and
whose does not!), your computer systems will get attacked. From the five, ten, or even one
hundred daily probes against your Internet infrastructure to the malicious insider slowly
You Will Be Able To creeping through your most vital information assets, attackers are targeting your systems
▐ Apply incident handling processes with increasing viciousness and stealth. As defenders, it is essential we understand these
in-depth, including preparation,
identification, containment, eradication, hacking tools and techniques.
and recovery, to protect enterprise
This course enables you to turn the tables on computer attackers by helping you
environments
understand their tactics and strategies in detail, giving you hands-on experience
▐ Analyze the structure of common attack
techniques in order to evaluate an in finding vulnerabilities and discovering intrusions, and equipping you with a
attacker’s spread through a system and comprehensive incident handling plan. It addresses the latest cutting-edge insidious
network, anticipating and thwarting attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything
further attacker activity
in between. Instead of merely teaching a few hack attack tricks, this course provides a
▐ Utilize tools and evidence to determine time-tested, step-by-step process for responding to computer incidents, and a detailed
the kind of malware used in an attack,
including rootkits, backdoors, and trojan description of how attackers undermine systems so you can prepare for, detect, and
horses, choosing appropriate defenses respond to them. In addition, the course explores the legal issues associated with
and response tactics for each responding to computer attacks, including employee monitoring, working with law
▐ Use built-in command-line tools such as enforcement, and handling evidence. Finally, students will participate in a hands-on
Windows tasklist, wmic, and reg as well
workshop that focuses on scanning, exploiting, and defending systems. This course will
as Linux netstat, ps, and lsof to detect an
attacker’s presence on a machine enable you to discover the holes in your system before the bad guys do!
▐ Analyze router and system ARP tables The course is particularly well-suited to individuals who lead or are a part of an incident
along with switch CAM tables to track an
handling team. General security practitioners, system administrators, and security
attacker’s activity through a network and
identify a suspect architects will benefit by understanding how to design, build, and operate their systems to
▐ Use memory dumps and the Volatility prevent, detect, and respond to attacks.
tool to determine an attacker’s activities
on a machine, the malware installed,
and other machines the attacker used as
pivot points across the network
▐ Gain access to a target machine using
Metasploit, and then detect the artifacts
and impacts of exploitation through “I will almost always recommend SEC504 as a baseline so that
process, file, memory, and log analysis
▐ Analyze a system to see how attackers
everyone is speaking the same language. I want my sys-admins
use the Netcat tool to move files, create to take it, my network admins to take it, even my devs to take
backdoors, and build relays through a
target environment it, regardless of whether they’re going to eventually move into
▐ Run the Nmap port scanner and Nessus an incident handling role. In my opinion it is the most critical,
vulnerability scanner to find openings
on target systems, and apply tools such
foundational class that SANS offers.”
as tcpdump and netstat to detect and -Kevin Wilcox, Information Security Specialist
analyze the impacts of the scanning
activity

SEC504 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-15 Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30 Atlanta Fall . . . . . . . . . . . Atlanta, GA . . . . . . . . . . Nov 18-23
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23
Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-13 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . .Dec 2-7
Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12
San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12 Summit Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19 Security Operations . . . New Orleans, LA . . . Jun 26 - Jul 1
Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7
Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 Santa Monica . . . . . . . . . Santa Monica, CA . . . . . Oct 21-26 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25
Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 Houston . . . . . . . . . . . . . . Houston, TX . . . . . Oct 28 - Nov 2
Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9
14
Course Day
Descriptions

DAY 1: Incident Handling Step-by-Step DAY 2: Computer and Network Hacker Who Should Attend
and Computer Crime Investigation Exploits – Part 1 ▐ Incident handlers
The first part of this section looks at the invaluable Seemingly innocuous data leaking from your network ▐ Leaders of incident handling
Incident Handling Step-by-Step Model, which was created could provide the clue needed by an attacker to blow teams
through a consensus process involving experienced your systems wide open. This day-long course covers the ▐ System administrators who are
incident handlers from corporations, government agencies, details associated with reconnaissance and scanning,
on the front lines defending
and educational institutes, and has been proven effective the first two phases of many computer attacks.
their systems and responding
in hundreds of organizations. This section is designed to Topics: Reconnaissance; Scanning; Intrusion Detection to attacks
provide students a complete introduction to the incident System (IDS) Evasion
handling process, using the six steps (preparation, ▐ Other security personnel who
identification, containment, eradication, recovery, and are first responders when
lessons learned) necessary to prepare for and deal with systems come under attack
a computer incident. The second part of this section
examines from-the-trenches case studies to understand
what does and does not work in identifying computer
attackers. This section provides valuable information on
the steps a systems administrator can take to improve the
chances of catching and prosecuting attackers.
Topics: Preparation; Identification; Containment;
Eradication; Recovery; Special Actions for Responding to
Different Types of Incidents; Incident Record-Keeping;
Incident Follow-Up

DAY 3: Computer and Network Hacker Exploits – Part 2 DAY 4: Computer and Network Hacker Exploits – Part 3
Computer attackers are ripping our networks and systems apart in novel ways This course day starts out by covering one of attackers’ favorite techniques
while constantly improving their techniques. This course day covers the third for compromising systems: worms. We will analyze worm developments over
phase of many hacker attacks – gaining access. Attackers employ a variety of the last two years and project these trends into the future to get a feel for
strategies to take over systems from the network level up to the application the coming Super Worms we will face. Then the course turns to another
level. This section covers the attacks in depth, from the details of buffer vital area often exploited by attackers: web applications. Because most
overflow and format string attack techniques to the latest in session hijacking organizations’ homegrown web applications do not get the security scrutiny
of supposedly secure protocols. of commercial software, attackers exploit these targets using SQL injection,
Topics: Network-Level Attacks; Gathering and Parsing Packets; Operating cross-site scripting, session cloning, and a variety of other mechanisms
System and Application-Level Attacks; Netcat: The Attacker’s Best Friend discussed in detail.
Topics: Password Cracking; Web Application Attacks; Denial of Service Attacks

DAY 5: Computer and Network Hacker Exploits – Part 4 DAY 6: Hacker Tools Workshop
This course day covers the fourth and fifth phases of many hacker attacks: Over the years, the security industry has become smarter and more effective
maintaining access and covering their tracks. Computer attackers install in stopping hackers. Unfortunately, hacker tools are becoming smarter and
backdoors, apply Rootkits, and sometimes even manipulate the underlying more complex. One of the most effective methods to stop the enemy is to
kernel itself to hide their nefarious deeds. Each of these categories of tools actually test the environment with the same tools and tactics an attacker
requires specialized defenses to protect the underlying system. In this course, might use against you. This workshop lets you put what you have learned
we will analyze the most commonly used malicious code specimens, as well over the past week into practice.
as explore future trends in malware, including BIOS-level and combo malware Topics: Hands-on Analysis
possibilities.
Topics: Maintaining Access; Covering the Tracks; Putting It All Together

Online Training
Community Events OnDemand Simulcast
Santa Monica, CA . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 24-29 Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
Complete this course anywhere, anytime, at your
Madison, WI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13 own pace, with four months of online access in the Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13
Colorado Springs, CO . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13 OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
Phoenix, AZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sep 23-28

Mentor Events vLive

Online Training . . . . . . . . . . . . . . . . . . . . . . . .Aug 13 - Sep 19
Santa Monica, CA . . . . . . . . . . . . . . . . . . . . . . . . Jun 5 - Jul 17
Online Training . . . . . . . . . . . . . . . . . . . . . . . . Nov 5 - Dec 19
Austin, TX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 13 - Aug 8

Private Training
This course is also available through Private Training. 15
 MGT512: Security Leadership Essentials GSLC
for Managers NEW
Security Leadership
www.giac.org/gslc

5 30 Laptop Security managers need both technical knowledge and management skills to gain the
Day Program CPEs Required respect of technical team members, understand what technical staff are actually doing,
and appropriately plan and manage security projects and initiatives. This is a big and
important job that requires an understanding of a wide array of security topics.
You Will Be Able To
▐ Become an effective information security This course empowers you to become an effective security manager and get up to speed
manager quickly on information security issues and terminology. You won’t just learn about
▐ Get up to speed quickly on information security, you will learn how to manage security.
security issues and terminology
To accomplish this goal, MGT512 covers a wide range of security topics across the
▐ Establish a minimum standard of security
entire security stack. Data, network, host, application, and user controls are covered in
knowledge, skills, and abilities
conjunction with key management topics that address the overall security lifecycle. This
▐ Speak the same language as technical
security professionals also includes governance and technical controls focused on protecting, detecting, and
responding to security issues.
Who Should Attend This approach prepares you to:
▐ Security Managers ▐ Make sense of different cybersecurity frameworks
• Newly appointed information security
officers ▐ Understand and analyze risk
• Recently promoted security leaders ▐ Understand the pros and cons of different reporting relationships
who want to build a security
foundation for leading and building ▐ Manage technical personnel
teams
▐ Build a vulnerability management program
▐ Security Professionals
• Technically skilled security
▐ Inject security into modern DevOps workflows
administrators who have recently been ▐ Strategically leverage a SIEM
given leadership responsibilities
▐ Managers
▐ Change behavior and build a security-aware culture
• Managers who want to understand ▐ Effectively manage security projects
what technical people are telling them
▐ Enable modern security architectures and the cloud
• Managers who need an understanding
of security from a management MGT512 uses case studies, group discussions, team-based exercises, and in-class games
perspective
to help students absorb both technical and management topics.

Course Author Statement

“I have found that technical professionals
who are taking on management responsibility
need to learn how to convey security
concepts in ways that non-technical people
can understand. At the same time, managers
who are new to security need to learn more “SANS prepared me for the [GSLC] certification and provided
about the different domains of cybersecurity.
In both cases, there is a need to learn about
valuable information that I can use on the job immediately.
the work of managing security. That is why Networking with peers and SANS@NIght provided extra value
this course focuses on the big picture of
securing the enterprise, from governance that’s not normally available at other training sessions.”
all the way to the technical security topics
-Rick Derks, FCS Financial
that serve as the foundation for any security
manager. Ultimately, the goal of the course is
to ensure that you, the advancing manager,
can make informed choices to improve
security at your organization.”
-Frank Kim

MGT512 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 San Francisco Fall . . . . . San Francisco, CA . . . . .Sep 23-27 Summit Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 2 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 4 Security Operations . . . New Orleans, LA . . . . . .Jun 26-30

Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-29 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-18 Security Awareness . . . . San Diego, CA . . . . . . . . .Aug 9-13

New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-29 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . .Oct 28 - Nov 1

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-18
16
Course Day
Descriptions

DAY 1: Building Your Program DAY 2: Protecting Data and Networks

The course starts with a tour of the information and topics that effective Day 2 provides foundational knowledge to protect data and networks. This
security managers and leaders must know to function in the modern includes building an understanding of cryptography concepts, encryption
security environment. This includes an understanding of the different types algorithms, and applications of cryptography. Since encrypting data alone
of cybersecurity frameworks available to structure your security team and is not sufficient, the distinction between privacy and security is discussed
program. Risk is central to effective information security management, and key to give managers a primer on key privacy concepts. Finally, a thorough
risk concepts are discussed to lay the foundation for effective risk assessment discussion of network security is modeled around the various layers of the
and management. Security policy is a key tool that security managers use to network stack. This allows managers to gain a deeper understanding of what
manage risk. We’ll cover approaches to policy to help you plan and manage their teams are talking about, what vendors are selling, and where various
your policy process. Finally, security functions, reporting relationships, and issues and protections lay within the seven layers of the network model.
roles and responsibilities are discussed to give the advancing manager a view Topics: Data Protection; Privacy Primer; Network Security
into effective security team and program structure.
Topics: Security Frameworks; Understanding Risk; Security Policy; Program
Structure

DAY 3: Protecting and Patching Systems DAY 4: Leading Modern Security Initiatives
Day 3 is focused on protecting and patching systems. This includes coverage Day 4 covers what managers need to know about leading modern security
of host security that encompasses endpoint and server security along with initiatives. Security awareness is a huge component of any security
malware and attack examples. Modern infrastructure as code approaches program that is focused on driving activities that lead to changes in human
and tools are also discussed as ways to automate consistent deployment of behavior and creating a more risk-aware and security-aware culture. For
standard configurations. Managers must also be knowledgeable about software any project or initiative, security leaders must also be able to drive effective
development processes, issues, and application vulnerabilities. Coverage project execution. Having a well-grounded understanding of the project
includes an overview of the secure SDLC, OWASP Top Ten, and leading-edge management process makes it easier to move these projects forward. The
development processes built on DevOps. Managers must also understand cloud is a major initiative that many organizations are either tackling now
physical security controls that, when not implemented appropriately, can or planning to undertake. To get ready for these initiatives, an overview
cause technical security controls to fail or be bypassed. All of these issues and of Amazon Web Services (AWS) is provided to serve as a reference, along
corresponding vulnerabilities must be appropriately managed. This leads to a with a discussion of key cloud security issues based on the Cloud Security
discussion on building a vulnerability management program and the associated Alliance guidance. The cloud, the rise of mobile devices, and other factors
process for successfully finding and fixing vulnerabilities. are highlighting weaknesses in traditional, perimeter-oriented security
Topics: Host Security; Application Security; Physical Security; Vulnerability architectures. This leads to a discussion of the Zero Trust Model. To execute
Management such new initiatives security leaders must also develop negotiation skills
and the ability to manage highly technical team members.
Topics: Security Awareness; Project Management; Cloud Security; Modern
DAY 5: Detecting and Responding to Attacks Security Architecture; Management Methods
Day 5 is focused on detection and response capabilities. This includes gaining
appropriate visibility via logging, monitoring, and thinking strategically about
a Security Information and Event Management (SIEM) system. These logs are
a core component of any Security Operations Center (SOC). The key functions
of a SOC are discussed along with how to design, build, operate, and mature
security operations for your organization. The incident response process is
discussed in relation to identifying, containing, eradicating, and recovering from
security incidents. This leads into a discussion of longer-term disaster recovery
and business continuity planning. Finally, the course ends with a war game that
simulates an actual incident. This tabletop simulation contains a number of
injects or points at which students are presented with additional information “MGT512 is valuable because it is relevant/current
to which they can respond. After dealing with the incident itself, the simulation
concludes with a game focused on choosing appropriate security controls to to the security landscape from my management
mitigate future incidents.
vantage point.”
Topics: Logging and Monitoring; Security Operations Center; Incident Response;
Contingency Planning; War Game -Michael Bradley, Prudential Financial

Online Training
Community Events OnDemand
Albany, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-21 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Private Training OnDemand platform.

This course is also available through Private Training.

17
 SEC566: Implementing and Auditing the Critical GCCC
Security Controls – In-Depth
Critical Controls
www.giac.org/gccc

5 30 Laptop Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult
Day Program CPEs Required than ever to prevent and defend against them. Does your organization have an effective
method in place to detect, thwart, and monitor external and internal threats to prevent
security breaches? This course helps you master specific, proven techniques and tools
You Will Be Able To needed to implement and audit the Critical Security Controls as documented by the
▐ Apply a security framework based Center for Internet Security (CIS).
on actual threats that is measurable,
scalable, and reliable in stopping known As threats evolve, an organization’s security should too. To enable your organization to
attacks and protecting organizations’
stay on top of this ever-changing threat scenario, SANS has designed a comprehensive
important information and systems
course that teaches students the Critical Security Controls, a prioritized, risk-based
▐ Understand the importance of each
control, how it is compromised if ignored, approach to security. Designed by private and public sector experts from around the
and explain the defensive goals that world, the Controls are the best way to block known attacks and mitigate damage from
result in quick wins and increased successful attacks. They have been adopted by the U.S. Department of Homeland Security,
visibility of networks and systems
state governments, universities, and numerous private firms.
▐ Identify and utilize tools that implement
controls through automation The Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and
▐ Learn how to create a scoring tool for information security personnel can use to manage and measure the effectiveness of
measuring the effectiveness of each their defenses. They are designed to complement existing standards, frameworks, and
control compliance schemes by prioritizing the most critical threat and highest payoff defenses,
▐ Employ specific metrics to establish a while providing a common baseline for action against risks that we all face.
baseline and measure the effectiveness
of security controls The Controls are an effective security framework because they are based on actual attacks
▐ Understand how the Critical Controls launched regularly against networks. Priority is given to Controls that (1) mitigate known
map to standards such as NIST 800-53, attacks (2) address a wide variety of attacks, and (3) identify and stop attackers early in
ISO 27002, the Australian Top 35, and
more
the compromise cycle. The British government’s Center for the Protection of National
Infrastructure describes the Controls as the “baseline of high-priority information security
▐ Audit each of the Critical Security
Controls, with specific, proven templates, measures and controls that can be applied across an organisation in order to improve its
checklists, and scripts provided to cyber defense.”
facilitate the audit process
SANS’s in-depth, hands-on training will teach you how to master the specific techniques
and tools needed to implement and audit the Critical Controls. It will help security
practitioners understand not only how to stop a threat, but why the threat exists, and
how to ensure that security measures deployed today will be effective against the next
generation of threats.
The course shows security professionals how to implement the Controls in an existing
network through cost-effective automation. For auditors, CIOs, and risk officers, the course
is the best way to understand how you will measure whether the Controls are effectively
implemented.

“SEC566 provides great tools, explanation, and insight!”

-Ryan LeVan, Trex Company, Inc.

SEC566 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-14 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 Community Events
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-18 Ottawa, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nov 4-8

Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-12 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-22 Private Training
Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-16 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-18 This course is also available through Private Training.
Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-29
18
Course Day
Descriptions

DAY 1: Introduction and Overview of the DAY 2: Critical Controls 3, 4, 5, and 6 Who Should Attend
20 Critical Controls Topics: Critical Control 3: Secure Configurations for ▐ Information assurance
Hardware and Software on Laptops, Workstations, and auditors
Day 1 will introduce you to all of the Critical Controls,
Servers; Critical Control 4: Continuous Vulnerability
laying the foundation for the rest of the class. For each ▐ System implementers or
Assessment and Remediation; Critical Control 5:
Control, we will follow the same outline covering the administrators
Controlled Use of Administrative Privileges; Critical
following information:
Control 6: Maintenance, Monitoring, and Analysis of ▐ Network security engineers
• Overview of the Control Audit Logs ▐ IT administrators
• How It Is Compromised
▐ Department of Defense
• Defensive Goals personnel and contractors
• Quick Wins ▐ Staff and clients of federal
• Visibility & Attribution agencies
• Configuration & Hygiene ▐ Private sector organizations
• Advanced Controls looking to improve information
• Overview of Evaluating the Control DAY 3: Critical Controls 7, 8, 9, 10, assurance processes and
secure their systems
• Core Evaluation Test(s) and 11
▐ Security vendors and
• Testing/Reporting Metrics Topics: Critical Control 7: Email and Web Browser consulting groups looking to
Protections; Critical Control 8: Malware Defenses; Critical stay current with frameworks
• Steps for Root Cause Analysis of Failures
Control 9: Limitation and Control of Network Ports, for information assurance
• Audit/Evaluation Methodologies Protocols, and Services; Critical Control 10: Data Recovery
Capability (validated manually); Critical Control 11: Secure ▐ Alumni of SEC/AUD440, SEC401,
• Evaluation Tools
Configurations for Network Devices such as Firewalls, SEC501, SANS Audit classes,
• Exercise to Illustrate Implementation or Steps for Routers, and Switches and MGT512
Auditing a Control
In addition, Critical Controls 1 and 2 will be covered in
depth.
Topics: Critical Control 1: Inventory of Authorized and
Unauthorized Devices; Critical Control 2: Inventory of
Authorized and Unauthorized Software

DAY 4: Critical Controls 12, 13, 14, DAY 5: Critical Controls 16, 17, 18, 19,
and 15 and 20
Topics: Critical Control 12: Boundary Defense; Critical Topics: Critical Control 16: Account Monitoring and
Control 13: Data Protection; Critical Control 14: Controlled Control; Critical Control 17: Security Skills Assessment and
Access Based on the Need to Know; Critical Control 15: Appropriate Training to Fill Gaps (validated manually); “The training helps me
Wireless Device Control Critical Control 18: Application Software Security;
Critical Control 19: Incident Response and Management
understand why the
(validated manually); Critical Control 20: Penetration Tests Controls are necessary
and Red Team Exercises (validated manually)
for securing systems
at my organization.”
-Brandon McWilliams, SRP

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-21
own pace, with four months of online access in the
OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-16

19
 GCIA
SEC503: Intrusion Detection In-Depth Intrusion Analyst
www.giac.org/gcia

6 46 Laptop Reports of prominent organizations being hacked and suffering irreparable reputational
Day Program CPEs Required damage have become all too common. How can you prevent your company from
becoming the next victim of a major cyber attack?

You Will Be Able To Preserving the security of your site in today’s threat environment is more challenging
▐ Configure and run open-source Snort and than ever before. The security landscape is continually changing from what was once only
write Snort signatures perimeter protection to protecting exposed and mobile systems that are almost always
▐ Configure and run open-source Bro connected and sometimes vulnerable. Security-savvy employees who can help detect and
to provide a hybrid traffic analysis prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection
framework In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your
▐ Understand TCP/IP component layers to networks with insight and awareness. The training will prepare you to put your new skills
identify normal and abnormal traffic
and knowledge to work immediately upon returning to a live environment.
▐ Use open-source traffic analysis tools to
identify signs of an intrusion Mark Twain said, “It is easier to fool people than to convince them that they’ve been
▐ Comprehend the need to employ network fooled.” Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment
forensics to investigate traffic to identify of traffic and too many untrained analysts accept that feedback as the absolute truth.
and investigate a possible intrusion This course emphasizes the theory that a properly trained analyst uses an IDS alert as
▐ Use Wireshark to carve out suspicious file a starting point for examination of traffic, not as a final assessment. SEC503 imparts the
attachments
philosophy that the analyst must have access and the ability to examine the alerts to give
▐ Write tcpdump filters to selectively
them meaning and context. You will learn to investigate and reconstruct activity to deem
examine a particular traffic trait
if it is noteworthy or a false indication.
▐ Craft packets with Scapy
▐ Use the open-source network flow tool This course delivers the technical knowledge, insight, and hands-on training you need
SiLK to find network behavior anomalies to defend your network with confidence. You will learn about the underlying theory of
▐ Use your knowledge of network TCP/IP and the most used application protocols, such as DNS and HTTP, so that you
architecture and hardware to customize can intelligently examine network traffic for signs of an intrusion. You will get plenty of
placement of IDS sensors and sniff traffic
practice learning to master different open-source tools like tcpdump, Wireshark, Snort,
off the wire
Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce
the course book material so that you can transfer knowledge to execution. Basic exercises
include assistive hints while advanced options provide a more challenging experience for
students who may already know the material or who have quickly mastered new material.
A VM is provided with tools of the trade. It is supplemented with demonstration “pcaps,”
which are files that contain network traffic. This allows you to follow along on your laptop
“SEC503 completely changed with the class material and demonstrations. The pcaps also provide a good library of
how I look at networking, how network traffic to use when reviewing the material, especially for certification.
I approach problems, and SEC503 is most appropriate for persons who monitor and defend their network, such as
significantly increased my security analysts, although others may benefit from the course as well. Students range
understanding of intrusion from seasoned analysts to novices with some TCP/IP background. Please note that the
VMware image used in class is a Linux distribution, so we strongly recommend that you
detection.” spend some time getting familiar with a Linux environment that uses the command line
-Arnold Klein, for entry, along with learning some of the core UNIX commands, before coming to class.
Topel Forman Information Services, LLC

SEC503 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . Sep 23-28 Security Operations . . . New Orleans, LA . . . Jun 26 - Jul 1

Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12

Community Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12 Seattle, WA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Aug 19-24
Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 New York, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sep 23-28
20
Course Day
Descriptions

DAY 1: Fundamentals of Traffic Analysis – DAY 2: Fundamentals of Traffic Analysis – Who Should Attend
Part 1 Part 2 ▐ Intrusion detection (all
levels), system, and security
Day 1 provides a refresher or introduction, depending Day 2 continues where the previous day ended in
analysts
on your background, to TCP/IP. It describes the need to understanding the TCP/IP model. Two essential tools,
understand packet structure and content. It covers the Wireshark and tcpdump, are further explored, using their ▐ Network engineers/
essential foundations such as the TCP/IP communication advanced features to give you the skills to analyze your administrators
model, and the theory of bits, bytes, binary and own traffic. The focus of these tools on Day 2 is on filtering ▐ Hands-on security managers
hexadecimal. We introduce the use of open-source traffic of interest in Wireshark using display filters and in
Wireshark and tcpdump for analysis. We begin our tcpdump using Berkeley Packet Filters. We proceed with
exploration of the TCP/IP communication model with the our exploration of the TCP/IP layers covering TCP, UDP,
study of the link layer, the IP layer, both IPv4 and IPv6 and and ICMP. Once again, we describe the layers and analyze
packet fragmentation in both. We describe the layers and traffic not just in theory and function, but from the
analyze traffic not just in theory and function, but from perspective of an attacker and defender.
the perspective of an attacker and defender. All traffic is Topics: Wireshark Display Filters; Writing tcpdump Filters;
discussed and displayed using the two open-source tools, TCP; UDP; ICMP
Wireshark and tcpdump.
Topics: Concepts of TCP/IP; Introduction to Wireshark;
Network Access/Link Layer: Layer 2; IP Layer: Layer 3

DAY 3: Application Protocols and DAY 4: Network Monitoring:

Traffic Analysis Snort and Bro
Day 3 introduces the versatile packet crafting tool Scapy. The fundamental knowledge gained from the first
It is a very powerful Python-based tool that allows for the three days provides a fluid progression into one of the
manipulation, creation, reading, and writing of packets. most popular days of SEC503. Snort and Bro are widely
Scapy can be used to craft packets to test the detection deployed open-source IDS/IPS solutions that have been
capability of an IDS/IPS, especially important when a industry standards for many years. The day begins with a
new user-created IDS rule is added, for instance for a discussion on network architecture, including the features
“I got a deeper
recently announced vulnerability. The examination of of intrusion detection and prevention devices, along with understanding of the
TCP/IP culminates with an exploration of the application a look at options and requirements of devices that can
protocol layer. The concentration is on some of the sniff and capture the traffic for inspection. Next, the topic topics from my class.
most widely used, and sometimes vulnerable, crucial of the analyst’s role in the detection process is examined.
application protocols: DNS, HTTP(S), SMTP, and Microsoft Before Snort and Bro are discussed, the capabilities and
This will help me get
communications. Our focus is on protocol analysis, a key limitations are considered. Snort detection flow, running more data out of my
skill in intrusion detection. IDS/IPS evasions are the bane Snort, and rules are explored with an emphasis on writing
of the analyst, so the theory and possible implications of efficient rules. It is likely that false positives and negatives investigations.”
evasions at different protocol layers are examined. will occur and tips for dealing with them are presented.
-Alphonse Wichrowski,
Topics: Scapy; Advanced Wireshark; Detection Methods for Bro’s unique capability to use its own scripting language
to write code to analyze patterns of event-driven behavior Allegiant Air
Application Protocols; DNS; Microsoft Protocols; HTTP(2)/
TLS; SMTP; IDS/IPS Evasion Theory is one of the most powerful detection tools available to
the analyst. We discuss how this enables monitoring and
correlating activity and demonstrate with examples.
DAY 5: Network Traffic Forensics Topics: Network Architecture; Introduction to IDS/IPS
The penultimate day continues the format of less Analysis; Snort; Bro
instruction and more hands-on training using three
separate incidents that must be analyzed. The three
incident scenarios are introduced with some new material DAY 6: NetWars: IDS Version
to be used in the related hands-on analysis. This material The week culminates with a fun hands-on NetWars:
includes an introduction to network forensics analysis IDS Version challenge. Students compete on teams to
for the first scenario. It continues with using network flow answer many questions that require using tools and
records to assist in analysis of the traffic from the second theory covered in the first five days. This is a great way
scenario. It concludes by examining the third scenario, to end the week because it reinforces what was learned
including Command and Control channels and managing by challenging the student to think analytically and
analysis when very large packet capture files are involved. strengthens confidence to employ what was learned in a
Topics: Introduction to Network Forensics Analysis; Using real-world environment.
Network Flow Records; Examining Command and Control
Traffic; Analysis of Large pcaps

Online Training
Private Training OnDemand Simulcast
All courses are available through Private Training Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 10-15
own pace, with four months of online access in the
OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 15-20

21
 SEC511: Continuous Monitoring and GMON
Security Operations
Continuous Monitoring
www.giac.org/gmon

6 46 Laptop We continue to underestimate the tenacity of our adversaries! Organizations are investing
Day Program CPEs Required a significant amount of time and financial and human resources trying to combat cyber
threats and prevent cyber attacks, but despite this tremendous effort organizations
are still getting compromised. The traditional perimeter-focused, prevention-dominant
You Will Be Able To approach to security architecture has failed to prevent intrusions. No network is
▐ Analyze a security architecture for impenetrable, a reality that business executives and security professionals alike have to
deficiencies
accept. Prevention is crucial, and we can’t lose sight of it as the primary goal. However, a
▐ Apply the principles learned in the new proactive approach to security is needed to enhance the capabilities of organizations
course to design a defensible security
architecture to detect threats that will inevitably slip through their defenses. SEC511 will teach you how
to strengthen your skills to undertake that proactive approach.
▐ Understand the importance of a
detection-dominant security architecture The underlying challenge for organizations victimized by an attack is timely incident
and a Security Operations Center (SOC)
detection. Industry data suggest that most security breaches typically go undiscovered
▐ Identify the key components of Network
for an average of seven months. Attackers simply have to find one way into most
Security Monitoring (NSM)/Continuous
Diagnostics and Mitigation (CDM)/ organizations, because they know that the lack of visibility and internal security controls
Continuous Monitoring (CM) will then allow them to methodically carry out their mission and achieve their goals.
▐ Determine appropriate security The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous
monitoring needs for organizations of
all sizes Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this
course will best position your organization or Security Operations Center (SOC) to analyze
▐ Implement robust Network Security
Monitoring/Continuous Security threats and detect anomalies that could indicate cybercriminal behavior. The payoff for
Monitoring (NSM/CSM) this new proactive approach would be early detection of an intrusion, or successfully
▐ Utilize tools to support implementation thwarting the efforts of attackers altogether. The National Institute of Standards and
of Continuous Monitoring per NIST Technology (NIST) developed guidelines described in NIST SP 800-137 for Continuous
SP 800-137 guidelines Monitoring (CM), and day five of this course will greatly increase your understanding and
▐ Determine requisite monitoring enhance your skills in implementing CM using the NIST framework.
capabilities for a SOC environment
▐ Determine capabilities required to SANS is uniquely qualified to offer this course. Course authors Eric Conrad (GSE #13) and
support continuous monitoring of key Seth Misenar (GSE #28) hold the distinguished GIAC Security Expert Certification, and both
Critical Security Controls are experienced, real-world, practitioners who apply the concepts and techniques they
teach in this course on a daily basis. SEC511 will take you on quite a journey. We start
by exploring traditional security architecture to assess its current state and the attacks
against it. Next, we discuss and discover modern security design that represents a new
proactive approach to such architecture that can be easily understood and defended.
We then transition to how to actually build the network and endpoint security, and then
“SEC511 was a wonderful look carefully navigate our way through automation, NSM/CDM/CSM. For timely detection
into the world of the ‘Blue of potential intrusions, the network and systems must be proactively and continuously
Team.’ The authors really put monitored for any changes in the security posture that might increase the likelihood that
attackers will succeed.
together a robust course full
of great ideas and tactics to Your SEC511 journey will conclude with one last hill to climb! The final day features a
capture-the-flag competition that challenges you to apply the skills and techniques
take on intrusion detection learned in the course to detect and defend the modern security architecture that has
and continuous monitoring.” been designed. The competition has been designed to be fun, engaging, comprehensive,
-Cameron Johns, Tyson Foods, Inc. and challenging. You will not be disappointed!
With your training journey now complete and your skills enhanced and honed, it is time to
go back to work and deliver on the SANS promise that you will be able to apply what you
learn in this course the day you return to the office.

SEC511 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21 Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12 Security Operations . . . New Orleans, LA . . . Jun 26 - Jul 1

Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . Oct 28 - Nov 2

Community Events
Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23
New York, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Aug 5-10
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
22
Course Day
Descriptions

DAY 1: Current State Assessment, SOCs, DAY 2: Network Security Architecture Who Should Attend
and Security Architecture Understanding the problems with the current ▐ Security architects
environment and realizing where we need to get to
We begin with the end in mind by defining the key ▐ Senior security engineers
is far from sufficient; we need a detailed roadmap to
techniques and principles that will allow us to get there.
bridge the gap between the current and desired state. ▐ Technical security managers
An effective modern Security Operations Center (SOC)
Day 2 introduces and details the components of our ▐ Security Operations Center
or security architecture must enable an organization’s
infrastructure that become part of a defensible network (SOC) analysts, engineers, and
ability to rapidly find intrusions to facilitate containment
security architecture and SOC. We are long past the managers
and response. Both significant knowledge and a
days when a perimeter firewall and ubiquitous antivirus
commitment to continuous monitoring are required to ▐ CND analysts
were sufficient security. There are many pieces and
achieve this goal.
moving parts that make up a modern defensible security ▐ Individuals working to
Topics: Current State Assessment, SOCs, and Security architecture. implement Continuous
Architecture; Modern Security Architecture Principles; Diagnostics and Mitigation
Topics: SOCs/Security Architecture – Key Infrastructure
Frameworks and Enterprise Security Architecture; Security (CDM), Continuous Security
Devices; Segmented Internal Networks; Defensible
Architecture – Key Techniques/Practices Monitoring (CSM), or Network
Network Security Architecture Principles Applied
Security Monitoring (NSM)
DAY 3: Network Security Monitoring DAY 4: Endpoint Security Architecture
Designing a SOC or security architecture that enhances One of the hallmarks of modern attacks is an emphasis
visibility and detective capabilities represents a paradigm on client-side exploitation. The days of breaking into
shift for most organizations. However, the design is simply networks via direct frontal assaults on unpatched mail,
the beginning. The most important element of a modern web, or DNS servers are largely behind us. We must
security architecture is the emphasis on detection. The focus on mitigating the risk of compromise of clients.
network security architecture presented in days one Day four details ways in which endpoint systems can be
and two emphasized baking visibility and detective both more resilient to attack and also enhance detective
capabilities into the design. Now we must figure out capabilities.
how to look at the data and continuously monitor the
Topics: Security Architecture – Endpoint Protection;
enterprise for evidence of compromise or changes that
Dangerous Endpoint Applications; Patching
increase the likelihood of compromise.
Topics: Continuous Monitoring Overview; Network Security
Monitoring (NSM); Practical NSM Issues; Cornerstone NSM

DAY 5: Automation and Continuous DAY 6: Capstone: Design, Detect, Defend “SEC511 is a VERY
Security Monitoring The course culminates in a team-based Design, Detect, worthwhile addition
and Defend-the-Flag competition that is a full day
Network Security Monitoring (NSM) is the beginning;
of hands-on work applying the principles taught to the Cyber Defense
we need to not only detect active intrusions and
unauthorized actions, but also to know when our systems,
throughout the week. curriculum for Blue
networks, and applications are at an increased likelihood Topics: Security Architecture; Assessing Provided
for compromise. A strong way to achieve this is through Architecture; Continuous Security Monitoring; Using Teamers.”
Continuous Security Monitoring (CSM) or Continuous Tools/Scripts Assessing the Initial State; Quickly/ -Robert Peden,
Diagnostics and Mitigation (CDM). Rather than waiting for Thoroughly Finding All Changes Made
NextGear Capital
the results of a quarterly scan or an annual penetration
test to determine what needs to be addressed,
continuous monitoring proactively and repeatedly
assesses and reassesses the current security posture for
potential weaknesses that need to be addressed.
Topics: CSM Overview; Industry Best Practices; Winning
CSM Techniques; Maintaining Situational Awareness;
Host, Port and Service Discovery; Vulnerability
Scanning; Monitoring Patching; Monitoring Applications;
Monitoring Service Logs; Monitoring Change to Devices
and Appliances; Leveraging Proxy and Firewall Data;
Configuring Centralized Windows Event Log Collection;
Monitoring Critical Windows Events; Scripting and
Automation

Online Training
Mentor Events OnDemand vLive
Milwaukee, WI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 1-29 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . Sep 4 - Oct 17
own pace, with four months of online access in the
Private Training OnDemand platform. Simulcast
This course is also available through Private Training. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22

23
 GISF
SEC301: Introduction to Cyber Security Information Security
Fundamentals
www.giac.org/gisf

5 30 Laptop To determine if SANS SEC301: Introduction to Cyber Security is right for you, ask yourself
Day Program CPEs Required five simple questions:
▐ Do you have basic computer knowledge, but are new to cybersecurity and in need of
You Will Be Able To an introduction to the fundamentals?
▐ Communicate with confidence regarding ▐ Are you bombarded with complex technical security terms that you don’t understand?
information security topics, terms, and
concepts
▐ Are you a non-IT security manager who lays awake at night worrying that your
company will be the next mega-breach headline story on the 6 o’clock news?
▐ Understand and apply the Principles of
Least Privilege ▐ Do you need to be conversant in basic security concepts, principles, and terms, even if
▐ Understand and apply the you don’t need “deep in the weeds” detail?
Confidentiality, Integrity, and Availability
(CIA) Triad ▐ Have you decided to make a career change to take advantage of the job opportunities
▐ Build better passwords that are more in cybersecurity and need formal training and certification?
secure while also being easier to
If you answer yes to any of these questions, then the SEC301: Introduction to Cyber
remember and type
Security training course is for you. Students with a basic knowledge of computers and
▐ Grasp basic cryptographic principles,
processes, procedures, and applications technology but no prior cybersecurity experience can jump-start their security education
▐ Understand computer network basics
with insight and instruction from real-world security experts in SEC301.
▐ Have a fundamental grasp of any This completely revised and comprehensive five-day course covers a wide range of
number of critical technical networking baseline topics, including terminology, the basics of computer networks, security policies,
acronyms, including TCP/IP, IP, TCP, UDP,
MAC, ARP, NAT, ICMP, and DNS
incident response, passwords, and even an introduction to cryptographic principles.
The hands-on, step-by-step learning format will enable you to grasp all the information
▐ Utilize built-in Windows tools to see
your network settings presented even if some of the topics are new to you. You’ll learn fundamentals of
▐ Recognize and be able to discuss
cybersecurity that will serve as the foundation of your security skills and knowledge for
various security technologies, including years to come.
anti-malware, firewalls, intrusion
detection systems, content filters, Written by a security professional with over 30 years of experience in both the public
sniffers, etc. and private sectors, SEC301 provides uncompromising real-world insight from start to
▐ Build a simple but fully functional finish. The course prepares you for the Global Information Security Fundamentals (GISF)
firewall configuration certification test, as well as for the next SANS course in this progression, SEC401: Security
▐ Secure your browser using a variety of Essentials Bootcamp Style. It also delivers on the SANS promise: You will be able to use
security plug-ins the knowledge and skills you learn in SEC301 as soon as you return to work.
▐ Secure a wireless access point (also
known as a wireless router)
▐ Scan for malware, clean malware from
a system, and whitelist legitimate
software identified by an anti-malware
scanner as “potentially unwanted”
▐ Access a number of websites to better
understand password security, encryption, “SEC301 provided a great foundation for the topic of
phishing, browser security, etc.
security, since I deal with it on a daily basis on a high level.”
-Richard Pollich, Broadridge Financial Solutions Inc.

SEC301 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-14 Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-23 Houston . . . . . . . . . . . . . . Houston, TX . . . . . .Oct 28 - Nov 1
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 San Francisco Winter . . . San Francisco, CA . . . . . . Dec 2-6
Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-12 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 4 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-18
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . . Jul 15-19 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-11
Summit Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 2 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-18
Security Awareness . . . . San Diego, CA . . . . . . . . .Aug 9-13
24 Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-23 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . .Oct 28 - Nov 1
Course Day
Descriptions

DAY 1: Security’s Foundation DAY 2: Computer Functions and Who Should Attend
Every good security practitioner and every good security Networking ▐ Anyone new to cybersecurity
program begins with the same mantra: learn the and in need of an introduction
This course day begins with an explanation of how
fundamentals. SEC301 starts by instilling familiarity with to the fundamentals of
computers handle numbers using decimal, binary, and
core security terms and principles. By the time you leave security
hexadecimal numbering systems. It also provides an
the classroom after the first day, you will fully understand
understanding of how computers encode letters using ▐ Those who feel bombarded
the Principle of Least Privilege and Confidentiality,
the American Standard Code for Information Interchange with complex technical
Integrity, Availability (CIA), and you’ll see why those
(ASCII). We then spend the remainder of the day on security terms they don’t
principles drive all security discussions. You will be
networking. All attacks or exploits have one thing in understand, but want to
conversant in the fundamentals of risk management,
common: they take something that exists for perfectly understand
security policy, and authentication/authorization/
valid reasons and misuse it in malicious ways. Always!
accountability. ▐ Non-IT security managers who
So as security practitioners, to grasp what is invalid
deal with technical issues
we must first understand what is valid – that is, how
and understand them and
things like networks are supposed to work. Only once
who worry their company
we have that understanding can we hope to understand
will be the next mega-breach
the mechanics of malicious misuse of those networks
headline story on the 6 o’clock
– and only with that knowledge can we understand
news
how security devices such as firewalls seek to thwart
DAY 3: An Introduction to Cryptography those attacks. The networking discussion begins ▐ Professionals with basic
with a non-technical explanation of how data move computer and technical
Cryptography is one of the most complex issues faced
across a network. From there we move to fundamental knowledge in all disciplines
by security practitioners. It is not a topic you can
terminology dealing with network types and standards. who need to be conversant
explain in passing, so we will spend some time on
You’ll learn about common network hardware such as in basic security concepts,
it. Not to worry, we won’t take you through the math
switches and routers, and terms like “protocol” and principles, and terms, but
behind cryptography. Instead, we learn basic crypto
“encapsulation.” We’ll give a very basic introduction to who don’t need “deep in the
terminology and processes. What is steganography? What
network addressing and port numbers and then work our weeds” detail
is substitution and transposition? What is a “work factor”
in cryptography and why does it matter? What do we way up the Open Systems Interconnection (OSI) protocol ▐ Those who have decided
mean by symmetric and asymmetric key cryptography stack, introducing more detail only as we proceed to to make a career change to
and “cryptographic hash,” and why do you need to know? the next layer. In other words, we explain networking take advantage of the job
How are those concepts used together in the real world starting in non-technical terms and gradually progress opportunities in cybersecurity
to create cryptographic systems? to more technical detail as students are ready to take and need formal training and
the next step. By the end of our discussions, you’ll have certification
a fundamental grasp of any number of critical technical
networking acronyms that you’ve often heard but never
quite understood, including TCP/IP, IP, TCP, UDP, MAC, ARP,
NAT, ICMP, and DNS.

DAY 4: Cybersecurity Technologies – DAY 5: Cybersecurity Technologies –

Part 1 Part 2
Our fourth day in the classroom begins our exploration The final day of our SEC301 journey continues the “SEC301 is a great
of cybersecurity technologies. We begin with wireless discussion of cybersecurity technologies. The day begins
network security (WiFi and Bluetooth), and mobile device by looking at several security technologies, including class for the individual
security (i.e., cell phones). We follow that with a brief look compartmentalization, firewalls, Intrusion Detection
at some common attacks. We then move into a discussion Systems and Intrusion Prevention Systems (IDS/IPS), who wants to learn an
of malware and anti-malware technologies. We end sniffers, content filters, etc. We then take a good look extensive amount of
the day with an examination of several data protection at browser and web security, and the difficulties of
protocols used for email encryption, secure remote securing the web environment. For example, students material in one week.”
access, secure web access, secure file transfer, and Virtual will understand why and how their browser connects to
Private Network (VPN) technologies. anywhere from 5 to 100 different Internet locations each -Steven Chovanec,
time they load a single web page. We end the day with a Discover Financial Services
look at system security to include hardening operating
systems, patching, virtual machines, cloud computing,
and backup.

Online Training
Community Events Mentor Events OnDemand
Cincinnati, OH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jun 24-28 Daytona Beach, FL . . . . . . . . . . . . . . . . . . . . . .Jun 20 - Aug 8 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Tulsa, OK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-16
Private Training OnDemand platform.
Miami, FL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-16
This course is also available through Private Training. Simulcast
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jul 15-19
25
 SEC487: Open-Source Intelligence (OSINT) Gathering
and Analysis NEW

6 36 Laptop Immeasurable amounts of personal and potentially incriminating data are currently
Day Program CPEs Required stored in the websites, apps, and social media platforms that people access and update
daily via their devices. Those data can become evidence for citizens, governments, and
You Will Be Able To businesses to use in solving real financial, employment, and criminal issues with the help
of a professional information gatherer.
▐ Create an OSINT process
▐ Conduct OSINT investigations in Many people think using their favorite Internet search engine is sufficient to find the data
support of a wide range of customers they need and do not realize that most of the Internet is not indexed by search engines.
▐ Understand the data collection life SEC487 teaches students legitimate and effective ways to find, gather, and analyze these
cycle data from the Internet. You’ll learn about reliable places to harvest data using manual
▐ Create a secure platform for data and automated methods and tools. Once you have the information, we’ll show you how to
collection
ensure that it is sound, how to analyze what you’ve gathered, and how to make sure it is
▐ Analyze customer collection useful to your investigations.
requirements
▐ Capture and record data This is a foundational course in open-source intelligence (OSINT) gathering and, as such,
▐ Create sock puppet accounts will move quickly through many areas of the field. You will learn current, real-world skills,
techniques, and tools that law enforcement, private investigators, cyber attackers, and
▐ Create your own OSINT process
defenders use to scour the massive amount of information across the Internet, analyze
▐ Harvest web data
the results, and pivot on interesting pieces of data to find other areas for investigation.
▐ Perform searches for people
Our goal is to provide the OSINT knowledge base for students to be successful in their
▐ Access social media data fields whether they are cyber defenders, threat intelligence analysts, private investigators,
▐ Assess a remote location using online insurance claims investigators, intelligence analysts, law enforcement personnel, or just
cameras and maps
someone curious about OSINT.
▐ Examine geolocated social media
▐ Research businesses
Throughout the course week, students will participate in numerous hands-on labs using
the tools and techniques that are the basis for gathering free data from the Internet. More
▐ Use government-provided data
than 20 labs in this course use the live Internet and dark web to help students gain real-
▐ Collect data from the dark web
world confidence. You’ll leave the course knowing not just how to use search features on
▐ Leverage international sites and tools
a website, but all of the scenario-based requirements and OSINT techniques needed to
gather truly important OSINT data.

Author Statement
“I recognized that the barrier to performing excellent OSINT was not that there was
no free data on the Internet. It was that there was too much data on the Internet. The
challenge transitioned from ‘how do I find something’ to ‘how do I find only what I need?’
This course was born from this need to help others learn the tools and techniques to
effectively gather and analyze OSINT data from the Internet.”
-Micah Hoffman, SEC487 Author

“Fantastic introduction to a wide spectrum of OSINT techniques

and practices, with great interactive labs and lots of deep dives!”
-Dave Huffman, Rockwell Automation

SEC487 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Atlanta Fall . . . . . . . . . . . Atlanta, GA . . . . . . . . . . Nov 18-23

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . Sep 23-28 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19

Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12
Summit Events
Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19
Security Awareness . . . . San Diego, CA . . . . . . . . .Aug 9-14
Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30 Houston . . . . . . . . . . . . . . Houston, TX . . . . . Oct 28 - Nov 2
26
Course Day
Descriptions

DAY 1: Foundations of OSINT DAY 2: Gathering, Searching, and Who Should Attend
We begin with the basics and answer the questions “what Analyzing OSINT ▐ Cyber incident responders
is OSINT” and “how do people use it.” This first day is about OSINT data collection begins on day two after we get a ▐ Digital Forensics and
level-setting and ensuring that all students understand glimpse of some of the fallacies that could influence our Incident Response (DFIR)
the background behind what we do in the OSINT field. We conclusions and recommendations. From this point in analysts
also establish the foundation for the rest of the week by the class forward, we examine distinct categories of data
learning how to document findings and set up an OSINT ▐ Penetration testers
and think about what it could mean for our investigations.
platform, and we discuss effective research habits for OSINT Retrieving data from the Internet could mean using ▐ Social engineers
analysts. This day is a key component for the success of a web browser to view a page or, as we learn in this
an OSINT analyst because without these concepts and
▐ Law enforcement personnel
section, using command line tools, scripts, and helper
processes in place, researchers can get themselves into applications.
▐ Intelligence personnel
serious trouble during assessments by inadvertently
Topics: Data Analysis Challenges; Creating Your OSINT ▐ Recruiters
alerting their targets or improperly collecting data, making
them less useful when delivered to the customer. Process; Harvesting Web Data; OSINT Frameworks; Basic ▐ Private investigators
Data: Street Addresses; Basic Data: Phone Numbers; Basic
Topics: Understanding OSINT; Goals of OSINT Collection; Data: Email Addresses; User Names; Avatars and Reverse
▐ Insurance investigators
Diving into Collecting; Taking Excellent Notes; Determining Image Searches; Leveraging Search Engines ▐ Human resources personnel
Your Threat Profile; Setting Up an OSINT Platform; Effective
Research Habits; Creating Sock Puppets ▐ Researchers

DAY 3: Social Media and Geolocation DAY 4: Imagery, Networks, Government,

Finding data on people, especially basic content such as and Business
email addresses, home addresses, and phone numbers, can
Day four focuses on many different but related OSINT
be made easier using online people search engines. This is
issues. We begin by looking at how various mapping sites
how day three kicks off, examining free and paid choices in
can assist our assessments with aerial data, distance-
this data aggregator area and understanding how to use the
measuring, and “street view” imagery. Moving beyond
data we receive from them. Some of these engines provide
using just one vendor’s mapping system, students will
social media content in their results. This makes a terrific
work with a variety of free, online mapping resources.
transition for us to move into social media data.
Topics: Remote Location Recon; IP Address and Whois;
Topics: People Searching; Facebook Analysis; LinkedIn Data; IP Address Geolocation; Domain Name System (DNS);
Instagram; Twitter Data; Geolocation; Dating and Adult Wireless Networks; Recon Tool Suites and Frameworks; U.S.
Websites; Web and Traffic Cameras; File Metadata Analysis Government Data; Researching Companies

DAY 5: The Dark Web and International DAY 6: Capstone: Capture (and Present)
Issues the Flag
The entire morning of day five focuses on understanding The capstone for the course is a group event that brings
and using three of the most popular dark web networks together everything that students learned throughout the
for OSINT purposes. Students will learn why people use week. This is not a “canned” Capture the Flag (CTF) event
Freenet, I2P, and Tor. Each network is discussed at length where specific flags are planted and your team must find
so that students don’t just know how and why to use it, but them. It is a competition where each team will collect
also gain an understanding of how those networks work. specific OSINT data about a certain group of people. The
With the Tor network being such a big player in the dark output from this work will be turned in as a “deliverable”
web, the course spends extra time diving into its resources. to the “client” (the instructor), and then the three teams
The first module in the afternoon examines how blue with the most-complete work will present their research
teamers (cyber defenders) can use monitoring to receive to the class for voting. This multi-hour, hands-on event
alerts when data of interest appear on the Internet. We will reinforce what the students practiced in the Solo CTF
then shift our focus to data found on “paste” sites. These the day before and add the complexity of performing
websites sometimes contain content such as user names OSINT assessments under pressure and in a group.
and passwords of compromised user accounts, detailed
network information about our target’s systems, or just
data that our customers need to know.
Topics: The Surface, Deep, and Dark Webs; The Dark Web;
Freenet; I2P – Invisible Internet Project; Tor; Monitoring and
Alerting; International Issues; Vehicle Searches

Online Training
Community Events OnDemand vLive
Ottawa, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 16-21 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . Jun 11 - Jul 18
own pace, with four months of online access in the
OnDemand platform.

27
 SEC501: Advanced Security Essentials – GCED
Enterprise Defender
Enterprise Defender
www.giac.org/gced

6 38 Laptop Effective cybersecurity is more important than ever as attacks become stealthier, have
Day Program CPEs Required a greater financial impact, and cause broad reputational damage. SEC501: Advanced
Security Essentials – Enterprise Defender builds on a solid foundation of core policies and
practices to enable security teams to defend their enterprise.
You Will Be Able To
▐ Identify the threats against network It has been said of security that “prevention is ideal, but detection is a must.” However,
infrastructures and build defensible detection without response has little value. Network security needs to be constantly
networks that minimize the impact of improved to prevent as many attacks as possible and to swiftly detect and respond
attacks
appropriately to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy
▐ Access tools that can be used to analyze must be in place both externally and internally. As data become more portable and
a network to prevent attacks and detect
the adversary networks continue to be porous, there needs to be an increased focus on data protection.
▐ Decode and analyze packets using
Critical information must be secured regardless of whether it resides on a server, in a
various tools to identify anomalies and robust network architecture, or on a portable device.
improve network defenses
Despite an organization’s best efforts to prevent network attacks and protect its critical
▐ Understand how the adversary
compromises networks and how to
data, some attacks will still be successful. Therefore, organizations need to be able to
respond to attacks detect attacks in a timely fashion. This is accomplished by understanding the traffic
▐ Perform penetration testing against an that is flowing on your networks, looking for indications of an attack, and performing
organization to determine vulnerabilities penetration testing and vulnerability analysis against your organization to identify
and points of compromise problems and issues before a compromise occurs.
▐ Apply the six-step incident handling
process Finally, once an attack is detected we must react quickly and effectively and perform the
▐ Use various tools to identify and
forensics required. Knowledge gained by understanding how the attacker broke in can be
remediate malware across your fed back into more effective and robust preventive and detective measures, completing
organization the security lifecycle.
▐ Create a data classification program and
deploy data loss prevention solutions at
both a host and network level Author Statement
“I started off working as a network engineer and architect building enterprise networks.
Who Should Attend This role organically transitioned into secure design and engineering. My interest at the
▐ Incident response and penetration time in penetration testing and exploitation allowed me to verify that our designs being
testers put into production were truly hardened. This interest eventually drove me into a career
▐ Security Operations Center engineers and in full-blown reverse engineering and 0-day bug discovery/exploit development. After a
analysts
long history of writing and teaching courses for SANS on advanced penetration testing
▐ Network security professionals and exploit writing, I am excited to take that experience and apply it back into defense. We
▐ Anyone who seeks technical in-depth selected a group of rock star authors to build the SEC501 syllabus and content, including
knowledge about implementing
comprehensive security solutions
Dave Shackleford, Phil Hagen, Matt Bromiley, and Rob Vandenbrink.”
-Stephen Sims

“SEC501 is a very valuable course to a Network/Security

Administrator. The first chapter of Defensible Network
Architecture is worth the price of admission in of itself.”
-Ryan Bast, Subzero Group, Inc.

SEC501 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events Community Events
Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24 Supply Chain New York, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . Jul 29 - Aug 3
Cybersecurity . . . . . . . . . Arlington, VA . . . . . . . . .Aug 14-19
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Private Training
Purple Team . . . . . . . . . . Las Colinas, TX . . . . . . .Oct 23-28
San Francisco Fall . . . . . San Francisco, CA . . . . Sep 23-28 This course is also available through Private Training.
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
28
Course Day
Descriptions

DAY 1: Defensive Network Architecture DAY 2: Penetration Testing

This course day will focus on security in the design and configuration of Security is all about understanding, mitigating, and controlling the risk
various enterprise infrastructures. From a security perspective, proper to an organization’s critical assets. An organization must understand the
design and configuration protects both the components being configured, changing threat landscape and have the capacity to compare it against its
as well as the rest of the organization that depends on that gear to defend own vulnerabilities that could be exploited to compromise the environment.
other components from attacks. In other words, a good house needs a good On day two, students will learn about the variety of tests that can be run
foundation! against an organization and how to perform effective penetration tests
Topics: Security Benchmarks, Standards, and the Role of Audit in Defending to better understand the security posture for network services, operating
Infrastructure; Defense Using Authentication and Authorization, and systems, and applications. In addition, we’ll talk about social engineering
Defending Those Services; The Use of Logging and Security Information and reconnaissance activities to better emulate increasingly prevalent
and Event Management (SIEM) in Defending an Organization from Attack; threats to users.
Attacking and Defending Critical Protocols; Several Man-in-the-Middle Attack Topics: Introduction to Penetration Testing Concepts; Penetration Testing
Methods, and Defenses against Each; Infrastructure Defense Using IPS, Scoping and Rules of Engagement; Online Reconnaissance and Offensive
Next-Generation Firewalls, and Web Application Firewalls; Defense of Critical Counterintelligence; Social Engineering; Network Mapping and Scanning
Servers and Services; Active Defense; Defense of Private and Public Cloud Techniques; Enterprise Vulnerability Scanning; Network Exploitation Tools
Architectures and Techniques; Web Application Exploitation Tools and Techniques; Post-
Exploitation and Pivoting; OS and Application Exploit Mitigations; Reporting
and Debriefing

DAY 3: Network Detection and Packet Analysis DAY 4: Digital Forensics and Incident Response
“Prevention is ideal, but detection is a must” is a critical motto for network In this section, you will learn the core concepts of both “Digital Forensics”
security professionals. While organizations always want to prevent as many and “Incident Response.” We’ll explore some of the hundreds of artifacts
attacks as possible, some adversaries will still sneak into the network. that can give forensic investigators specific insight into what occurred during
In cases where an attack is not successfully prevented, network security an incident. You will also learn how incident response currently operates,
professionals need to analyze network traffic to discover attacks in after years of evolving, in order to address the dynamic procedures used
progress, ideally stopping them before significant damage is done. Packet by attackers to conduct their operations. We’ll look at how to integrate DFIR
analysis and intrusion detection are at the core of such timely detection. practices into a continuous security operations program.
Organizations need to not only detect attacks but also to react in a way that Topics: DFIR Core Concepts: Digital Forensics; DFIR Core Concepts: Incident
ensures those attacks can be prevented in the future. Response; Modern DFIR: A Live and Continuous Process; Widening the Net:
Topics: Network Security Monitoring; IP, TCP, and UDP Refresher; Advanced Scaling the DFIR Process and Scoping a Compromise
Packet Analysis; Introduction to Network Forensics with Security Onion;
Identifying Malicious Content and Streams; Extracting and Repairing Content
from PCAP files; Traffic Visualization Tools; Intrusion Detection and Intrusion
Prevention; Handling Encrypted Network Traffic

DAY 5: Malware Analysis DAY 6: Enterprise Defender Capstone

Malicious software is responsible for many incidents in almost every type The concluding section of the course will serve as a real-world challenge for
of organization. Types of malware vary widely, from Ransomware and students by requiring them to work in teams, use the skills they have learned
Rootkits to Crypto Currency Miners and worms. We will define each of the throughout the course, think outside the box, and solve a range of problems
most popular types of malware and walk through multiple examples. The from simple to complex. A web server scoring system and Capture-the-Flag
four primary phases of malware analysis will be covered: Fully Automated engine will be provided to score students as they submit flags to score points.
Analysis, Static Properties Analysis, Interactive Behavior Analysis, and More difficult challenges will be worth more points. In this defensive exercise,
Manual Code Reversing. You will complete various in-depth labs requiring challenges include packet analysis, routing protocols, scanning, malware
you to fully dissect a live Ransomware specimen from static analysis analysis, and other challenges related to the course material.
through code analysis. You will get hands-on experience with tricking the
malware through behavioral analysis techniques, as well as decrypting
files encrypted by Ransomware by extracting the keys through reverse
engineering. All steps are well defined and tested to ensure that the process
to achieve these goals is actionable and digestible.
Topics: Introduction to Malware Analysis; The Many Types of Malware; ATM/
Cash Machine Malware; Building a Lab Environment for Malware Analysis;
Malware Locations and Footprints; Fully Automated Malware; Cuckoo
Sandbox; Static Properties Analysis; Interactive Behavior Analysis; Manual
Code Reversing; Tools such as IDA, PeStudio, ILSpy, Process Hacker, Process
Monitor, NoFuserEx, etc.

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
own pace, with four months of online access in the
OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 22-27

29
 SEC505: Securing Windows and GCWN
Windows Security

PowerShell Automation Administrator

www.giac.org/gcwn

6 36 Laptop Hackers know how to use PowerShell for evil. Do you know how to use it for good? In
Day Program CPEs Required SEC505 you will learn how to use PowerShell to automate Windows security management
across an Active Directory enterprise. You won’t just learn PowerShell syntax, you’ll learn
how to leverage PowerShell as a platform for security.
You Will Be Able To
▐ Configure mitigations against attacks You’ve run a vulnerability scanner and applied patches – now what? A major theme of
such as pass-the-hash, Kerberos golden this course is defensible architecture: we have to assume that there will be a breach, so
tickets, Remote Desktop Protocol (RDP) we need to build in damage control from the beginning. Whack-a-mole incident response
man-in-the-middle, Security Access
cannot be our only defensive strategy – we’ll never win, and we’ll never get ahead of the
Token abuse, and other attacks discussed
in SEC504 and other SANS hacking game. By the time your monitoring system tells you a Domain Admin account has been
courses compromised, IT’S TOO LATE. We need to prevent pass-the-hash attacks and Kerberos
▐ Execute PowerShell commands on Golden Ticket attacks as much as possible, not just detect them.
remote systems and begin to write your
own PowerShell scripts Perhaps you’ve taken a hacking course at SANS and now you want to learn more Windows
▐ Harden PowerShell itself against abuse, and Active Directory attack mitigations: SEC505 is that course.
and enable transcription logging for your
Learning PowerShell is also useful for another kind of security: job security. Employers are
SIEM
looking for people with these skills. You don’t have to know any PowerShell to attend the
▐ Use Group Policy and PowerShell to grant
administrative privileges in a way that course, we will learn it together. About half the labs during the week are PowerShell, while
reduces the harm if an attack succeeds the rest use graphical security tools. Many of the PowerShell scripts written by the course
(assume breach) author are free in GitHub (go to http://SEC505.com).
▐ Block hacker lateral movement and
malware Command & Control channels If you are an IT manager or CIO, the aim for this course is to have it pay for itself 10
using Windows Defender Firewall, times over within two years, because automation isn’t just good for security, it can save
IPsec, DNS sinkholes, admin credential money too.
protections, and more
▐ Prevent exploitation using AppLocker and SEC505 is designed for the blue team to block the attacks of the red team.
other Windows OS hardening techniques
The focus of this course is on how to automate the NSA Top 10 Mitigations, the CIS Critical
in a scalable way with PowerShell
Security Controls related to Windows, and the MITRE ATT&CK mitigations for Windows,
▐ Configure PowerShell remoting to use
Just Enough Admin (JEA) policies to especially the ones that are the most difficult to implement in large environments.
create a Windows version of Linux sudo
SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN)
and setuid root
certification exam to prove your Windows security expertise. The GCWN certification
▐ Install and manage a full Windows Public
Key Infrastructure (PKI), including smart
counts towards a Master’s Degree in Information Security from the SANS Technology
cards, certificate auto-enrollment, Online Institute (www.sans.edu) and satisfies the Department of Defense 8140 computing
Certificate Status Protocol (OCSP) web environment requirement. The GCWN is also a foundational certification for soldiers in the
responders, and detection of spoofed
U.S. Army’s 255-S Information Protection Program. For DoD students, we will see how to
root Certification Authorities (CAs)
apply the NSA/DISA Secure Host Baseline.
▐ Harden must-have protocols against
exploitation, such as SSL/TLS, RDP, DNS, This is a fun course and a real eye-opener, even for Windows administrators with years of
DNSSEC, PowerShell Remoting, and SMB
experience. We don’t cover patch management, share permissions, or other such basics
▐ Use PowerShell to access the WMI – the aim is to go far beyond that. Come have fun learning PowerShell and Windows
service for remote command execution,
searching event logs, reconnaissance, security at the same time!
and more

SEC505 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Private Training
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 This course is also available through Private Training.

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14

CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19

30
Course Day
Descriptions

DAY 1: Learn PowerShell Scripting DAY 2: Host Hardening and Active Who Should Attend
This course section covers what you need to know to Directory Scripting ▐ Security Operations
get started using PowerShell. You don’t need to have personnel
Running a vulnerability scanner is easy, but remediating
any prior scripting or programming experience. We have
vulnerabilities in a large enterprise is hard. Most ▐ Blue Team players who were
PowerShell labs throughout the week, so today is not the
vulnerabilities are fixed by applying patches, but terrified by SEC504
only PowerShell material. We start with the essentials, then
this course does not talk about patch management,
go more in depth as the week progresses. Don’t worry, you ▐ Windows endpoint and
you’re doing that already. What about the other
won’t be left behind, the PowerShell labs walk you through server administrators
vulnerabilities, the ones not fixed by applying patches?
every step. ▐ Anyone who wants to learn
These vulnerabilities are, by definition, remediated by
Topics: Why Is PowerShell So Important and Dangerous?; configuration changes. That’s the hard part. We need a PowerShell automation
Writing Your Own Scripts, Functions, and Modules; secure architecture designed for SecOps/DevOps. ▐ Anyone implementing the
PowerShell Remoting; Getting Up and Running Quickly with NSA Top 10 Mitigations
Topics: Continuous Secure Configuration Enforcement;
PowerShell
Remote PowerShell Script Execution with Group Policy; ▐ Anyone implementing the
Server Hardening Automation; PowerShell for Active CIS Critical Security Controls
Directory
▐ DoD admins applying the
NSA/DISA Secure Host
DAY 3: Smart Tokens and Public Key DAY 4: Protecting Admin Credentials and
Baseline
Infrastructure (PKI) PowerShell JEA ▐ Individuals deploying or
Running a Public Key Infrastructure (PKI) is pretty much Why do submarines have pressure doors to seal off managing a PKI or smart
mandatory for Microsoft security and cloud computing compartments? Because they are designed to assume a cards
today. The best form of multi-factor authentication (MFA) is breach will occur. In a Windows environment, a security
a USB smart token integrated into Active Directory. We need breach will occur, so we must design the architecture
▐ Anyone wanting a more
digital certificates for SSL/TLS, wireless authentication, VPN with an “assume breach” mindset as well. If we assume rugged Windows architecture
gateways, code signing, and much more. This day of the that some day the computers and credentials of our
course is basically one long hands-on lab to install and administrators will be compromised, then how do we build
configure a full Windows Server PKI. This includes a root damage control into the network from the beginning?
Certification Authority (CA), Group Policy certificate auto- This is not about detection and incident response. The
enrollment on endpoints, Online Certificate Status Protocol challenge here is how to design for damage control
(OCSP) revocation checking, private key roaming for users, when we delegate administrative privileges. We need to
smart card/token certificate deployment, and, of course, proactively design damage control into the architecture,
lots of PowerShell examples. not wait until after there is a breach (when it’s too late).
Topics: Why Is a PKI Necessary?; How to Install the Windows Topics: Restricting Unnecessary Admin Privileges;
PKI; How to Manage Your PKI; Deploying Smart Cards Compromise of Administrative Powers; PowerShell Just
Enough Admin (JEA); Active Directory Permissions and
Delegation “This class provided
real-world examples
DAY 5: Thwarting Hackers Inside the DAY 6: Blue Team PowerShell: WMI, DNS,
and sample scripts
Network RDP, and SMB
You are already applying patches and updating anti-virus Hackers love the Windows Management Instrumentation
to make a Windows-
signatures. But endpoint protection is much more than (WMI) service, and so should we. We are the linebackers centric environment
that. Because most advanced malware infections start with on the Blue Team and the WMI service was made to
a compromised endpoint, we want to proactively build benefit us, not hackers. The WMI service is enabled by fundamentally more
defensibility and damage control into our systems using default and accessible over the network. Through WMI we secure.”
a “zero trust” or “assume breach” model. How? AppLocker can do remote command execution (without PowerShell
is an application whitelisting tool built into Windows to being installed at the target), forcibly log off the user, -Nick Boardman, HRSD
control which executables, scripts, DLLs and installer reboot the machine, stop services, search for processes
packages users may run. If hackers or malware attempt to running as Administrator, kill any process, and much more.
launch an unauthorized process post-exploitation, the aim The WMI service is nearly all-powerful and it’s built for
is to block it and log it. In the lab, we’ll use PowerShell and remote administration. PowerShell is tightly integrated
Group Policy to manage AppLocker. Application whitelisting into WMI, and we’ll look at several PowerShell examples.
can be hard to manage if used too aggressively, so we’ll Topics: PowerShell and WMI; Hardening DNS; Dangerous
also talk about how to get started without making the help Protocols We Can’t Live Without
desk phone ring off the hook.
Topics: Anti-Exploitation; TCP/UDP Port Permissions for
Role-Based Access Control; Windows Defender Firewall

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
own pace, with four months of online access in the
OnDemand platform.

31
 GCUX
SEC506: Securing Linux/Unix Unix Security
Administrator
www.giac.org/gcux

6 36 Laptop This course provides in-depth coverage of Linux and Unix security issues that includes
Day Program CPEs Required specific configuration guidance and practical, real-world examples, tips, and tricks.
We examine how to mitigate or eliminate general problems that apply to all Unix-like
operating systems, including vulnerabilities in the password authentication system, file
You Will Be Able To system, virtual memory system, and applications that commonly run on Linux and Unix.
▐ Significantly reduce the number of
vulnerabilities in the average Linux/ The course will teach you the skills to use freely available tools to handle security issues,
Unix system by disabling unnecessary including SSH, AIDE, sudo, lsof, and many others. SANS’s practical approach uses hands-
services
on exercises every day to ensure that you will be able to use these tools as soon as you
▐ Protect your systems from buffer return to work. We will also put these tools to work in a special section that covers simple
overflows, denial-of-service, and
physical access attacks by leveraging OS forensic techniques for investigating compromised systems.
configuration settings
▐ Configure host-based firewalls to block
attacks from outside Topics
▐ Deploy SSH to protect administrative ▐ Memory Attacks, Buffer Overflows ▐ Server Lockdown for Linux and Unix
sessions, and leverage SSH functionality
to securely automate routine
▐ File System Attacks, Race Conditions ▐ Controlling Root Access with sudo
administrative tasks ▐ Trojan Horse Programs and Rootkits ▐ SELinux and chroot() for Application
▐ Use sudo to control and monitor ▐ Monitoring and Alerting Tools Security
administrative access
▐ Unix Logging and Kernel-Level Auditing
▐ DNSSEC Deployment and Automation
▐ Create a centralized logging
infrastructure with Syslog-NG, and ▐ Building a Centralized Logging
▐ mod_security and Web Application
deploy log monitoring tools to scan for Firewalls
significant events Infrastructure
▐ Use SELinux to effectively isolate ▐ Network Security Tools
▐ Secure Configuration of BIND, Sendmail,
compromised applications from and Apache
harming other system services ▐ SSH for Secure Administration
▐ Forensic Investigation of Linux Systems
▐ Securely configure common Internet-
facing applications such as Apache and
BIND Author Statement
▐ Investigate compromised Unix/Linux
“A wise man once said, ‘How are you going to learn anything if you know everything
systems with the Sleuthkit, lsof, and
other open-source tools already?’ And yet there seems to be a quiet arrogance in the Unix community that we
▐ Understand attacker rootkits and how
have figured out all of our security problems, as if to say, ‘Been there, done that.’ All I can
to detect them with AIDE and rkhunter/ say is that what keeps me going in the Unix field, and the security industry in particular,
chkrootkit is that there is always something new to learn, discover, or invent. In 20 plus years on the
job, what I have learned is how much more there is that I can learn. I think this is also
true for the students in my courses. I regularly get comments back from students who say
things like, ‘I have been using Unix for 20 years, and I still learned a lot in this class.’ That
is really rewarding.”
-Hal Pomeranz

“Linux security courses are a rare commodity and a valuable resource

to the security professional.”
-Trevor Sellers, IDA Center for Communications Research

SEC506 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Private Training OnDemand
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Community Events OnDemand platform.

New York, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 15-20

32
Course Day
Descriptions

DAY 1: Hardening Linux/Unix Systems – DAY 2: Hardening Linux/Unix Systems – Who Should Attend
Part 1 Part 2 ▐ Security professionals looking
to learn the basics of securing
This course day tackles some of the most important Continuing our exploration of Linux/Unix security
Unix operating systems
techniques for protecting your Linux/Unix systems from issues, this course day focuses on local exploits and
external attacks, and it also covers what those attacks access control issues. What do attackers do once they ▐ Experienced administrators
are so that you know what you’re defending against. gain access to your systems? How can you detect their looking for in-depth
This is a full-disclosure course with in-class demos of presence? How do you protect against attackers with descriptions of attacks on Unix
actual exploits and hands-on exercises to experiment physical access to your systems? What can you do to systems and how they can be
with various examples of malicious software, as well as protect against mistakes (or malicious activity) by your prevented
different techniques for protecting Linux/Unix systems. own users? ▐ Administrators needing
Topics: Memory Attacks and Overflows; Vulnerability Topics: Rootkits and Malicious Software; File Integrity information on how to secure
Minimization; Boot-Time Configuration; Encrypted Access; Assessment; Physical Attacks and Defenses; User Access common Internet applications
Host-Based Firewalls Controls; Root Access Control with sudo; Warning on the Unix platform
Banners; Kernel Tuning for Security ▐ Auditors, incident responders,
and InfoSec analysts who
DAY 3: Hardening Linux/Unix Systems – DAY 4: Application Security – Part 1 need greater insight into
Part 3 This course day examines common application security Linux and Unix security tools,
tools and techniques. The SCP-Only Shell will be procedures, and best practices
Monitoring your systems is critical for maintaining
presented as an example of using an application under
a secure environment. This course day digs into the
chroot() restriction, and as a more secure alternative to
different logging and monitoring tools available in
file-sharing protocols like anonymous FTP. The SELinux
Linux/Unix, and looks at additional tools for creating a
application whitelisting mechanism will be examined
centralized monitoring infrastructure such as Syslog-NG.
in-depth. Tips for troubleshooting common SELinux
Along the way, the course introduces a number of useful
problems will be covered and students will learn how
SSH tips and tricks for automating tasks and tunneling
to craft new SELinux policies from scratch for new and
different network protocols in a secure fashion.
locally developed applications. Significant hands-on time
Topics: Automating Tasks With SSH; AIDE via SSH; Linux/ will be provided for students to practice these concepts. “This course gave me a
Unix Logging Overview; SSH Tunneling; Centralized Logging
with Syslog-NG
Topics: chroot() for Application Security; The SCP-Only better understanding
Shell; SELinux Basics; SELinux and the Reference Policy
of Linux internals and
DAY 5: Application Security – Part 2 DAY 6: Digital Forensics for
specific threat hunting
This course section is a full day of in-depth analysis on Linux/Unix ideas that I will use in
how to manage some of the most popular application- my environment.”
This hands-on course day is designed to be an
level services securely on a Linux/Unix platform. We will
information-rich introduction to basic forensic
tackle the practical issues involved with securing three of -Shelby Peterson, Adobe
principles and techniques for investigating
the most commonly used Internet servers on Linux and
compromised Linux and Unix systems. At a high level, it
Unix: BIND, Sendmail, and Apache. Beyond basic security
introduces the critical forensic concepts and tools that
configuration information, we will take an in-depth look
every administrator should know and provides a real-
at topics like DNSSec and Web Application Firewalls with
world compromise for students to investigate using the
mod_security and the Core Rules.
tools and strategies discussed in class.
Topics: BIND; DNSSec; Apache; Web Application Firewalls
Topics: Tools Throughout; Forensic Preparation and Best
with mod_security
Practices; Incident Response and Evidence Acquisition;
Media Analysis; Incident Reporting

33
 SEC530: Defensible Security Architecture GDSA
Defensible Security

and Engineering NEW Architecture

www.giac.org/gdsa

6 36 Laptop SEC530: Defensible Security Architecture and Engineering is designed to help students
Day Program CPEs Required establish and maintain a holistic and layered approach to security. Effective security
requires a balance between detection, prevention, and response capabilities, but such a
You Will Be Able To balance demands that controls be implemented on the network, directly on endpoints, and
within cloud environments. The strengths and weaknesses of one solution complement
▐ Analyze a security architecture for
deficiencies another solution through strategic placement, implementation, and fine-tuning.
▐ Implement technologies for enhanced The changing threat landscape requires a change in mindset, as well as a repurposing of
prevention, detection, and response
many devices. Where does this leave our classic perimeter devices such as firewalls? What
capabilities
are the ramifications of the “encrypt everything” mindset for devices such as Network
▐ Comprehend deficiencies in security
solutions and understand how to tune Intrusion Detection Systems?
and operate them
In this course, students will learn the fundamentals of up-to-date defensible security
▐ Apply the principles learned in the architecture and how to engineer it. There will be a heavy focus on leveraging current
course to design a defensible security
architecture
infrastructure (and investment), including switches, routers, and firewalls. Students
will learn how to reconfigure these devices to significantly improve their organizations’
▐ Determine appropriate security
monitoring needs for organizations of prevention capabilities in the face of today’s dynamic threat landscape. The course will
all sizes also delve into the latest technologies and their capabilities, strengths, and weaknesses.
▐ Maximize existing investment in
While this is not a monitoring course, it will dovetail nicely with continuous security
security architecture by reconfiguring
existing assets monitoring, ensuring that security architecture not only supports prevention, but
▐ Determine capabilities required to also provides the critical logs that can be fed into a Security Information and Event
support continuous monitoring of key Management (SIEM) system in a Security Operations Center.
Critical Security Controls
Hands-on labs will reinforce key points in the course and provide actionable skills that
▐ Configure appropriate logging and
monitoring to support a Security students will be able to leverage as soon as they return to work.
Operations Center and continuous
monitoring program
You Will Learn To
▐ Layer security solutions ranging from network to endpoint and cloud-based
technologies
▐ Understand the implications of proper placement of technical controls
▐ Tune, adjust, and implement security techniques, technologies, and capabilities
▐ Think outside the box on using common security solutions in innovative ways
“There are no other courses ▐ Balance detection with prevention while allowing for better response times and
out there that cover capabilities

practical hands-on security ▐ Understand where prevention technologies are likely to fail and how to supplement
them with specific detection technologies
architecture.”
▐ Understand how security infrastructure and solutions work at a technical level and
-Chris Kuhl, Premier Health
how to better implement them

SEC530 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-15 New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 Summit Events
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Security Operations . . . New Orleans, LA . . . Jun 26 - Jul 1

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . Oct 28 - Nov 2
Community Events
Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 Ottawa, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . Oct 28 - Nov 2
Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24
34 11
Course Day
Descriptions

DAY 1: Defensible Security Architecture DAY 2: Network Security Architecture and Who Should Attend
and Engineering Engineering ▐ Security architects
This first section of the course describes hardening Day 2 continues hardening the infrastructure and moves on ▐ Network engineers
systems and networks at every layer, from layer one to layer three: routing. Actionable examples are provided ▐ Network architects
(physical) to layer seven (applications and data). To quote for hardening routers, with specific Cisco IOS commands to
Richard Bejtlich’s The Tao of Network Security Monitoring, perform each step. The section then continues with a deep ▐ Security analysts
defensible networks “encourage, rather than frustrate, dive on IPv6, which currently accounts for 23% of Internet ▐ Senior security engineers
digital self-defense.” backbone traffic, according to Google, while simultaneously
being used and ignored by most organizations. This section
▐ System administrators
Topics: Traditional Security Architecture Deficiencies;
Defensible Security Architecture; Threat, Vulnerability, and will provide deep background on IPv6, discuss common ▐ Technical security managers
Data Flow Analysis; Layer 1 Best Practices; Layer 2 Best mistakes (such as applying an IPv4 mindset to IPv6), and
▐ CND analysts
Practices; NetFlow provide actionable solutions for securing the protocol. The
section wraps up with a discussion of VPN and stateful ▐ Security monitoring
layer three/four firewalls. specialists
Topics: Layer 3: Router Best Practices; Layer 3 Attacks and ▐ Cyber threat investigators
Mitigation; Layer 2 and 3 Benchmarks and Auditing Tools;
Securing SNMP; Securing NTP; Bogon Filtering, Blackholes,
and Darknets; IPv6; Securing IPv6; VPN; Layer 3/4 Stateful
Firewalls; Proxy

DAY 3: Network-Centric Security DAY 4: Data-Centric Security

Organizations own or have access to many network-based Organizations cannot protect something they do not know
security technologies ranging from Next-Generation exists. The problem is that critical and sensitive data exist
Firewalls to web proxies and malware sandboxes. Yet the all over. Complicating this even more is that data are often
effectiveness of these technologies is directly affected controlled by a full application stack involving multiple
by their implementation. Too much reliance on built-in services that may be hosted on-premise or in the cloud.
capabilities like application control, antivirus, intrusion Topics: Application (Reverse) Proxies; Full Stack Security “Every day of SEC530
prevention, data loss prevention, or other automatic evil- Design; Web Application Firewalls; Database Firewalls/
finding deep packet inspection engines leads to a highly Database Activity Monitoring; File Classification; Data has provided
preventative-focused implementation, with huge gaps in
both prevention and detection.
Loss Prevention (DLP); Data Governance; Mobile Device new insight and
Management (MDM) and Mobile Application Management
Topics: NGFW; NIDS/NIPS; Network Security Monitoring; (MAM); Private Cloud Security; Public Cloud Security; information. The
Sandboxing; Encryption; Secure Remote Access; Distributed Container Security
Denial-of-Service (DDOS) labs are great, and I
can’t wait to put it all
DAY 5: Zero Trust Architecture: Addressing DAY 6: Hands-On Secure-the-Flag together. No matter
the Adversaries Already in Our Networks Challenge how experienced a
Today, a common security mantra is “trust but verify.” The course culminates in a team-based Design-and-
But this is a broken concept. Computers are capable of Secure-the-Flag competition. Powered by NetWars, day professional you are,
calculating trust on the fly, so rather than thinking in terms six provides a full day of hands-on work applying the
of “trust but verify” organizations should be implementing principles taught throughout the week. Your team will
SANS always teaches
“verify then trust.” By doing so, access can be constrained progress through multiple levels and missions designed to you something new.”
to appropriate levels at the same time that access can ensure mastery of the modern cyber defense techniques
become more fluid. promoted throughout this course. Teams will assess, -Ron Foupht,
Topics: Zero Trust Architecture; Credential Rotation; design, and secure a variety of computer systems and Sirius Computer Solutions
Compromised Internal Assets; Securing the Network; devices, leveraging all seven layers of the OSI model.
Tripwire and Red Herring Defenses; Patching; Deputizing Topics: Capstone – Design/Detect/Defend
Endpoints as Hardened Security Sensors; Scaling Endpoint
Log Collection/Storage/Analysis

Online Training
Private Training Simulcast
This course is also available through Private Training. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14

35
 SEC545: Cloud Security Architecture and Operations

5 30 Laptop As more organizations move data and infrastructure to the cloud, security is
Day Program CPEs Required becoming a major priority. Operations and development teams are finding
new uses for cloud services, and executives are eager to save money and gain
new capabilities and operational efficiency by using these services. But will
You Will Be Able To information security prove to be an Achilles’ heel? Many cloud providers do not
▐ Revise and build internal policies to ensure cloud provide detailed control information about their internal environments, and quite
security is properly addressed
a few common security controls used internally may not translate directly to the
▐ Understand all major facets of cloud risk, including
threats, vulnerabilities, and impact
public cloud.
▐ Articulate the key security topics and risks SEC545: Cloud Security Architecture and Operations will tackle these issues one
associated with SaaS, PaaS, and IaaS cloud by one. We’ll start with a brief introduction to cloud security fundamentals,
deployment models
then cover the critical concepts of cloud policy and governance for security
▐ Evaluate Cloud Access Security Brokers to better professionals. For the rest of day one and all of day two, we’ll move into technical
protect and monitor SaaS deployments
security principles and controls for all major cloud types (SaaS, PaaS, and IaaS).
▐ Build security for all layers of a hybrid cloud
environment, starting with hypervisors and working
We’ll learn about the Cloud Security Alliance framework for cloud control areas,
to application layer controls then delve into assessing risk for cloud services, looking specifically at technical
▐ Evaluate basic virtualization hypervisor security areas that need to be addressed.
controls
The course then moves into cloud architecture and security design, both for
▐ Design and implement network security access
building new architectures and for adapting tried-and-true security tools
controls and monitoring capabilities in a public
cloud environment and processes to the cloud. This will be a comprehensive discussion that
▐ Design a hybrid cloud network architecture that
encompasses network security (firewalls and network access controls, intrusion
includes IPSec tunnels detection, and more), as well as all the other layers of the cloud security stack.
▐ Integrate cloud identity and access management We’ll visit each layer and the components therein, including building secure
into security architecture instances, data security, identity and account security, and much more. We’ll
▐ Evaluate and implement various cloud encryption devote an entire day to adapting our offense and defense focal areas to the
types and formats cloud. This will involve looking at vulnerability management and pen testing, as
▐ Develop multi-tier cloud architectures in a Virtual well as covering the latest and greatest cloud security research. On the defense
Private Cloud, using subnets, availability zones, side, we’ll delve into incident handling, forensics, event management, and
gateways, and NAT
application security.
▐ Integrate security into DevOps teams, effectively
creating a DevSecOps team structure We wrap up the course by taking a deep dive into SecDevOps and automation,
▐ Build automated deployment workflows using investigating methods of embedding security into orchestration and every facet
Amazon Web Services and native tools of the cloud life cycle. We’ll explore tools and tactics that work, and even walk
▐ Incorporate vulnerability management, scanning, through several cutting-edge use cases where security can be automated entirely
and penetration testing into cloud environments in both deployment and incident detection-and-response scenarios using APIs
and scripting.
Who Should Attend
▐ Security analysts
▐ Security architects
▐ Senior security engineers “SEC545 helped to better align our policies to include
▐ Technical security managers
cloud systems, and it gave me more insight into cloud
▐ Security monitoring analysts
systems and their configurations.”
▐ Cloud security architects
▐ DevOps and DevSecOps engineers -Craig Lunde, Discovery Benefits Inc.
▐ System administrators
▐ Cloud administrators

SEC545 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . . Jul 15-19 San Francisco Fall . . . . . San Francisco, CA . . . . .Sep 23-27 Cloud & DevOps
Security . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Nov 6-10
Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-23 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-11

Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-23 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . .Oct 28 - Nov 1

New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-29 Houston . . . . . . . . . . . . . . Houston, TX . . . . . .Oct 28 - Nov 1
36
Course Day
Descriptions

DAY 1: Cloud Security DAY 2: Core Security Controls for DAY 3: Cloud Security Architecture
Foundations Cloud Computing and Design
The first day of the course starts out with The second day of SEC545 compares traditional in- Instead of focusing on individual layers of our cloud
an introduction to the cloud, including house controls with those in the cloud today. Some stack, we start day three by building the core security
terminology, taxonomy, and basic technical controls are similar and mostly compatible, but components. We’ll break down cloud security
premises. We also examine what is not all of them. Since most cloud environments are architecture best practices and principles that most
happening in the cloud today, and cover the built on virtualization technology, we walk through high-performing teams prioritize when building or
spectrum of guidance available from the a short virtualization security primer, which can adding cloud security controls and processes to
Cloud Security Alliance, including the Cloud help teams building hybrid clouds that integrate their environments. We start with infrastructure and
Controls Matrix, the 14 major themes of cloud with internal virtualized assets, and also help teams core component security – in other words, we need
security, and other research available. Next properly evaluate the controls cloud providers offer to look at properly locking down all the pieces and
we spend time on cloud policy and planning, in this area. We’ll then break down cloud network parts we covered on day two! This then leads to a
delving into the changes an organization security controls and tradeoffs, since this is an area focus on major areas of architecture and security
needs to make for security and IT policy to that is very different from what we’ve traditionally design. The first is building various models of access
properly embrace the cloud. After all the run in-house. For PaaS and IaaS environments, it’s control and compartmentalization. This involves
legwork is done, we’ll start talking about critical to secure virtual machines (instances) and breaking things down into two categories: identity
some of the main technical considerations the images we deploy them from, so we cover this and access management (IAM) and network security.
for the different cloud models. We’ll start by next. At a high level, we’ll also touch on identity We delve into these in significant depth, as they
breaking down Software-as-a-Service (SaaS) and access management for cloud environments can form the backbone of a sound cloud security
and some of the main types of security to help control and monitor who is accessing the strategy. We then look at architecture and design for
controls available. A specialized type of cloud infrastructure, as well as what they’re doing data security, touching on encryption technologies,
Security-as-a-Service (SecaaS) known as there. We also cover data security controls and key management, and what the different options are
Cloud Access Security Brokers (CASBs) will types, including encryption, tokenization, and more. today. We wrap up our third day with another crucial
also be explained, with examples of what to Specific things to look for in application security are topic: availability. Redundant and available design
look for in such a service. We’ll wrap up with laid out as the final category of overall controls. We is as important as ever, but we need to use cloud
an introduction to Platform-as-a-Service then pull it all together to demonstrate how you can provider tools and geography to our advantage. At
(PaaS) and Infrastructure-as-a-Service (IaaS) properly evaluate a cloud provider’s controls and the same time, we need to make sure we evaluate
controls, which will set the stage for the rest security posture. the cloud provider’s disaster recovery and continuity,
of the course. Topics: Cloud Security: In-House versus Cloud; and so this is covered as well.
Topics: Introduction to the Cloud and Cloud A Virtualization Security Primer; Cloud Network Topics: Cloud Security Architecture Overview; Cloud
Security Basics; Cloud Security Alliance Security; Instance and Image Security; Identity and Architecture and Security Principles; Infrastructure
Guidance; Cloud Policy and Planning; SaaS Access Management; Data Security for the Cloud; and Core Component Security; Access Controls and
Security; Cloud Access Security Brokers; Intro Application Security for the Cloud; Provider Security: Compartmentalization; Confidentiality and Data
to PaaS and IaaS Security Controls Cloud Risk Assessment Protection; Availability

DAY 4: Cloud Security – Offense and Defense DAY 5: Cloud Security Automation and Orchestration
There are many threats to our cloud assets, so the fourth day of the course begins On our final day, we’ll focus explicitly on how to automate security in the
with an in-depth breakdown of the types of threats out there. We’ll look at numerous cloud, both with and without scripting techniques. We will use tools like
examples. The class also shows students how to design a proper threat model the AWS CLI and AWS Lambda to illustrate the premises of automation,
focused on the cloud by using several well-known methods such as STRIDE and then turn our attention toward SecDevOps principles. We begin by
attack trees and libraries. Scanning and pen testing the cloud used to be challenging explaining what that really means, and how security teams can best
due to restrictions put in place by the cloud providers themselves. But today it is integrate into DevOps and cloud development and deployment practices.
easier than ever. There are some important points to consider when planning a We’ll cover automation and orchestration tools like Ansible and Chef,
vulnerability management strategy in the cloud, and this class touches on how to as well as how we can develop better and more efficient workflows with
best scan your cloud assets and which tools are available to get the job done. Pen AWS CloudFormation and other tools. Continuing some of the topics from
testing naturally follows this discussion, and we talk about how to work with the day four, we will look at event-driven detection and event management,
cloud providers to coordinate tests, as well as how to perform testing yourself. On the as well as response and defense strategies that work. While we won’t
defensive side, we start with network-based and host-based intrusion detection, and automate everything, some actions and scenarios really lend themselves
how to monitor and automate our processes to better carry out this detection. This to monitoring tools like CloudWatch, tagging assets for identification in
is an area that has definitely changed from what we’re used to in-house, so security security processes, and initiating automated response and remediation
professionals need to know what their best options are and how to get this done. to varying degrees. We wrap up the class with a few more tools and
Our final topics on day four include incident response and forensics (also topics tactics, followed by a sampling of real-world use cases.
that have changed significantly in the cloud). The tools and processes are different, Topics: Scripting and Automation in the Cloud; SecDevOps Principles;
so we need to focus on automation and event-driven defenses more than ever. Creating Secure Cloud Workflows; Building Automated Event Management;
Topics: Threats to Cloud Computing; Vulnerability Management in the Cloud; Cloud Building Automated Defensive Strategies; Tools and Tactics; Real-World
Pen Testing; Intrusion Detection in the Cloud; Cloud IR and Event Management; Use Cases; Class Wrap-Up
Cloud Forensics

Online Training
Community Events OnDemand
Raleigh, NC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 3-7 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Toronto, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 10-14
OnDemand platform.
Sterling, VA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-12
Anaheim, CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jul 22-26
Kansas City, KS . . . . . . . . . . . . . . . . . . . . . . . . . Jul 29 - Aug 2 37
 GCDA
SEC555: SIEM with Tactical Analytics Detection Analyst
www.giac.org/gcda

6 46 Laptop Many organizations have logging capabilities but lack the people and processes to
Day Program CPEs Required analyze them. In addition, logging systems collect vast amounts of data from a variety
of data sources that require an understanding of those sources for proper analysis.
This class is designed to provide students with the training, methods, and processes to
You Will Be Able To enhance existing logging solutions. This class will also help you understand the when,
▐ Deploy the SANS SOF-ELK VM in
what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-
production environments
sponsored free Security Information and Event Management (SIEM) solution, to provide
▐ Demonstrate ways most SIEMs commonly
lag current open-source solutions (e.g., hands-on experience and the mindset for large-scale data analysis.
SOF-ELK)
Today, security operations do not suffer from a “Big Data” problem but rather a “Data
▐ Get up to speed on SIEM use,
Analysis” problem. Let’s face it, there are multiple ways to store and process large
architecture, and best practices
amounts of data without any real emphasis on gaining insight into the information
▐ Know what type of data sources to collect
logs from collected. Added to that is the daunting idea of an infinite list of systems from which one
▐ Deploy a scalable logs solution with could collect logs. It is easy to get lost in the perils of data saturation. This class moves
multiple ways to retrieve logs away from the typical churn-and-burn log systems and moves instead towards achieving
▐ Operationalize ordinary logs into tactical actionable intelligence and developing a tactical Security Operations Center (SOC).
data
This course is designed to demystify the SIEM architecture and process by navigating
▐ Develop methods to handle billions of
logs from many disparate data sources the student through the steps of tailoring and deploying a SIEM to full SOC integration.
▐ Understand best practice methods for The material will cover many bases in the “appropriate” use of a SIEM platform to
collecting logs enrich readily available log data in enterprise environments and extract actionable
▐ Dig into log manipulation techniques intelligence. Once the information is collected, the student will be shown how to present
challenging many SIEM solutions the gathered input into usable formats to aid in eventual correlation. Students will then
▐ Build out graphs and tables that can be iterate through the log data and events to analyze key components that will allow them
used to detect adversary activities and
to learn how rich this information is, how to correlate the data, how to start investigating
abnormalities
based on the aggregate data, and finally, how to go hunting with this newly gained
▐ Combine data into active dashboards
that make analyst review more tactical knowledge. They will also learn how to deploy internal post-exploitation tripwires and
▐ Utilize adversary techniques against breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the
them by using frequency analysis in large text and labs will not only show how to manually perform these actions, but also how to
data sets automate many of the processes mentioned so students can employ these tasks the day
▐ Develop baselines of network activity they return to the office.
based on users and devices
▐ Develop baselines of Windows systems The underlying theme is to actively apply Continuous Monitoring and analysis techniques
with the ability to detect changes from by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data
the baseline to provide real-world results and visualizations.
▐ Apply multiple forms of analysis such as
long tail analysis to find abnormalities
▐ Correlate and combine multiple data
sources to achieve more complete
understanding
“This course uses real-world events and hands-on training to allow
▐ Provide context to standard alerts to help
understand and prioritize them me to immediately improve my organization’s security stance.
Day 1 back in the office, I was implementing what I learned.”
-Frank Giachino, Bechtel Corp.

SEC555 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23

Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21
Summit Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5
Security Operations . . . New Orleans, LA . . . Jun 26 - Jul 1
Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12
38
Course Day
Descriptions

DAY 1: SIEM Architecture and SOF-ELK DAY 2: Service Profiling with SIEM Who Should Attend
This section will introduce free logging and analysis tools This section covers how to collect and handle this ▐ Security analysts
and focus on techniques to make sense of and augment massive amount of data. Methods for collecting these
logs through service logs such as from DNS servers
▐ Security architects
traditional logs. It also covers how to handle the big data
problem of handling billions of logs and how advances will be covered, as will be passive ways of pulling the ▐ Senior security engineers
in free tools are starting to give commercial solutions a same data from the network itself. Techniques will be
demonstrated to augment and add valuable context
▐ Technical security managers
run for their money. Day one is designed to get them up
to speed on SIEM concepts and to bring all students to a to the data as they are collected. Finally, analytical ▐ Security Operations Center
principles will be covered for finding the needles analysts, engineers, and managers
base level to carry them through the rest of the class. It
in the stack of needles. We will cover how, even if
is designed to also cover SIEM best practices. During day ▐ CND analysts
we have the problem of searching through billions
one we will be introducing Elasticsearch, Logstash, and of logs, we can surface only meaningful items of ▐ Security monitoring specialists
Kibana within SOF-ELK and immediately go into labs to interest. Active dashboards will be designed to quickly
get students comfortable with ingesting, manipulating, find the logs of interest and to provide analysts with ▐ System administrators
and reporting on log data. additional context for what to do next. ▐ Cyber threat investigators
Topics: State of the SOC/SIEM; Log Monitoring; Logging Topics: Detection Methods and Relevance to Log ▐ Individuals working to implement
Architecture; SIEM Platforms; Planning a SIEM; SIEM Analysis; Analyzing Common Application Logs that Continuous Security Monitoring
Architecture; Ingestion Techniques and Nodes; Data Generate Tremendous Amounts of Data; Applying
Queuing and Resiliency; Storage and Speed; Analytical Threat Intelligence to Generic Network Logs; Active ▐ Individuals working in a hunt team
Reporting Dashboards and Visualizations capacity

DAY 3: Advanced Endpoint Analytics DAY 4: Baselining and User Behavior Monitoring
The value in endpoint logs provides tremendous visibility in detecting attacks. This section focuses on applying techniques to automatically maintain a list
In particular, with regard to finding post-compromise activity, endpoint logs of assets and their configurations as well as methods to distinguish if they
can quickly become second to none. However, logs even on a single desktop are authorized or unauthorized. Key locations to provide high-fidelity data
can range in the tens if not hundreds of thousands of events per day. Multiply will be covered and techniques to correlate and combine multiple sources
this by the number of systems in your environment and it is no surprise of data together will be demonstrated to build a master inventory list.
that organizations get overwhelmed. This section will cover the how and Other forms of knowing thyself will be introduced such as gaining hands-on
more importantly the why behind collecting system logs. Various collection experience in applying network and system baselining techniques. We will
strategies and tools will be used to gain hands-on experience and to provide
monitor network flows and identify abnormal activity such as C2 beaconing
simplification with handling and filtering the seemingly infinite amount of data
as well as look for unusual user activity. Finally, we will apply large data
generated by both servers and workstations. Workstation log strategies will be
covered in depth due to their value in today’s modern attack vectors. After all, analysis techniques to sift through massive amounts of endpoint data. This
modern-day attacks typically start and then spread from workstations. will be used to find things such as unwanted persistence mechanisms, dual-
homed devices, and more.
Topics: Endpoint Logs
Topics: Identifying Authorized and Unauthorized Assets; Identifying
Authorized and Unauthorized Software; Baseline Data

DAY 5: Tactical SIEM Detection and DAY 6: Capstone: Design, Detect, Defend
Post-Mortem Analysis The course culminates in a team-based Design, Detect, and Defend-the-Flag
competition. Powered by NetWars, day six provides a full day of hands-on
This section focuses on combining multiple security logs for central analysis.
work applying the principles taught throughout the week. Your team will
More importantly, we will cover methods for combining multiple sources to progress through multiple levels and missions designed to ensure mastery
provide improved context to analysts. We will also show how providing context of the modern cyber defense techniques promoted all week long. From
with asset data can help prioritize analyst time, saving money and addressing building a logging architecture to augmenting logs, analyzing network logs,
risks that matter. After covering ways to optimize traditional security alerts, we analyzing system logs, and developing dashboards to find attacks, this
will jump into new methods to utilize logging technology to implement virtual challenging exercise will reinforce key principles in a fun, hands-on, team-
tripwires. While it would be ideal to prevent attackers from gaining access to your based challenge.
network, it is a given that at some point you will be compromised. However, Topics: Defend-the-Flag Challenge – Hands-on Experience
preventing compromise is the beginning, not the end goal. Adversaries will
crawl your systems and network to achieve their own ends. Knowing this, we
will implement logging-based tripwires—and if a single one is tripped, we can
quickly detect it and respond to the adversary.
Topics: Centralizing NIDS and HIDS Alerts; Analyzing Endpoint Security Logs;
Augmenting Intrusion Detection Alerts; Analyzing Vulnerability Information;
Correlating Malware Sandbox Logs with Other Systems to Identify Victims Across
the Enterprise; Monitoring Firewall Activity; SIEM Tripwires; Post-Mortem Analysis

Online Training
Mentor Events OnDemand Simulcast
Lessburg, VA . . . . . . . . . . . . . . . . . . . . . . . . . . . Jul 16 - Sep 3 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
own pace, with four months of online access in the
Private Training OnDemand platform. Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17

This course is also available through Private Training.

39
 SEC599: Defeating Advanced Adversaries – GDAT
Purple Team Tactics and Defending Advanced
Threats

Kill Chain Defenses www.giac.org/gdat

6 36 Laptop You just got hired to help our virtual organization “SYNCTECHLABS” build out a cybersecurity
Day Program CPEs Required capability. On your first day, your manager tells you: “We looked at some recent cybersecurity
trend reports and we feel like we’ve lost the plot. Advanced persistent threats, ransomware,
denial of service… We’re not even sure where to start!”
You Will Be Able To
▐ Understand how recent high-
Cyber threats are on the rise: ransomware tactics are affecting small, mid-size, and large
profile attacks were delivered and enterprises alike, while state-sponsored adversaries are attempting to obtain access to your
how they could have been stopped most precious crown jewels. SEC599: Defeating Advanced Adversaries – Purple Team Tactics
▐ Implement security controls & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome
throughout the different phases of today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce
the Cyber Kill Chain and the MITRE
ATT&CK framework to prevent, security controls aimed at stopping, detecting, and responding to your adversaries.
detect, and respond to attacks Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts)
are hands-on practitioners who have built a deep understanding of how cyber attacks work
through penetration testing and incident response. While teaching penetration testing courses,
they were often asked the question: “How do I prevent or detect this type of attack?” Well, this
is it! SEC599 gives students real-world examples of how to prevent attacks. The course features
more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to
defend our virtual organization from different waves of attacks against its environment.
Our six-part journey will start off with an analysis of recent attacks through in-depth case
studies. We will explain what types of attacks are occurring and introduce formal descriptions
of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In
order to understand how attacks work, you will also compromise our virtual organization
“SYNCTECHLABS” in section one exercises.
In sections two, three, four and five we will discuss how effective security controls can be
implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed
“SEC599 gives really
include:
good background ▐ Leveraging MITRE ATT&CK as a “common language” in the organization

about adversary ▐ Building your own Cuckoo sandbox solution to analyze payloads

behavior and the steps ▐ Developing effective group policies to improve script execution (including PowerShell,

needed to detect it.” Windows Script Host, VBA, HTA, etc.)

▐ Highlighting key bypass strategies for script controls (Unmanaged Powershell, AMSI
-Tarot Wake,
bypasses, etc.)
Halkyn Consulting Ltd
▐ Stopping 0-day exploits using ExploitGuard and application whitelisting

▐ Highlighting key bypass strategies in application whitelisting (focus on AppLocker)

▐ Detecting and preventing malware persistence

▐ Leveraging the Elastic stack as a central log analysis solution

▐ Detecting and preventing lateral movement through Sysmon, Windows event monitoring,

and group policies

▐ Blocking and detecting command and control through network traffic analysis

▐ Leveraging threat intelligence to improve your security posture

SEC599 will finish with a bang. During the Defend-the-Flag challenge in the final course
section, you will be pitted against advanced adversaries in an attempt to keep your network
secure. Can you protect the environment against the different waves of attacks? The
adversaries aren’t slowing down, so what are you waiting for?

SEC599 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 Summit Events
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Enterprise Defense . . . . Redondo Beach, CA . . . . Jun 5-10

Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7

San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-17 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23 Purple Team . . . . . . . . . . Las Colinas, TX . . . . . . .Oct 23-28

Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7
40
Course Day
Descriptions

DAY 1: Introduction and Reconnaissance DAY 2: Payload Delivery and Execution Who Should Attend
Our six-part journey starts with an analysis of recent Section 2 will cover how the attacker attempts to deliver ▐ Security architects and
attacks through in-depth case studies. We will explain and execute payloads in the organization. We will first security engineers
what’s happening in real situations and introduce the cover adversary techniques (e.g., creation of malicious ▐ Red teamers and penetration
Cyber Kill Chain and MITRE ATT&CK framework as a executables and scripts), then focus on how both payload
testers
structured approach to describing adversary tactics and delivery (e.g., phishing mails) and execution (e.g., double-
techniques. We will also explain what purple teaming is, clicking of the attachment) can be hindered. We will ▐ Technical security managers
typical tools associated with it, and how it can be best also introduce YARA as a common payload description ▐ Security Operations Center
organized in your organization. In order to understand language and SIGMA as a vendor-agnostic use-case analysts, engineers, and
how attacks work, students will also compromise our description language. managers
virtual organization “SYNCTECHLABS” during section one Topics: Common Delivery Mechanisms; Hindering Payload
exercises.
▐ Security Operations Center
Delivery; Preventing Payload Execution analysts and engineers
Topics: Course Outline and Lab Setup; Adversary
Emulation and the Purple Team; Reconnaissance ▐ Individuals looking to better
understand how persistent
cyber adversaries operate
DAY 3: Exploitation, Persistence, and DAY 4: Lateral Movement and how the IT environment
Command and Control Section 4 will focus on how adversaries move laterally can be improved to better
throughout an environment. A key focus will be on prevent, detect, and respond
Section 3 will first explain how exploitation can be
Active Directory (AD) structures and protocols (local to incidents.
prevented or detected. We will show how security
credential stealing, NTLMv2, Kerberosm, etc.). We will
should be an integral part of the software development
discuss common attack strategies, including Windows
lifecycle and how this can help prevent the creation
privilege escalation, UAC bypasses, (Over-) Pass-the-Hash,
of vulnerable software. We will also explain how patch
Kerberoasting, Silver Tickets, and others. We’ll also cover
management fits in the overall picture.
how BloodHound can be used to develop attack paths
Next, we will zoom in on exploit mitigation techniques, through the AD environment. Finally, we will discuss how
both at compile-time (e.g., ControlFlowGuard) and at lateral movement can be identified in the environment
run-time (ExploitGuard). We will provide an in-depth and how cyber deception can be used to catch intruders
explanation of what the different exploit mitigation red-handed!
techniques (attempt to) cover and how effective
Topics: Protecting Administrative Access; Key Attack
they are. We’ll then turn to a discussion of typical
Strategies against AD; How Can We Detect Lateral
persistence strategies and how they can be detected
Movement?
using Autoruns and OSQuery. Finally, we will illustrate
how command and control channels are being set up
and what controls are available to the defender for
detection and prevention.
Topics: Protecting Applications from Exploitation;
Avoiding Installation; Foiling Command and Control

DAY 5: Action on Objectives, Threat Hunting, DAY 6: APT Defender Capstone

and Incident Response The course culminates in a team-based Defend-the-Flag competition.
Section six is a full chapter of hands-on work applying the principles
Section five focuses on stopping the adversary during the final stages of the attack:
taught throughout the course. Your team will progress through multiple
• How does the adversary obtain “domain dominance” status? This includes the use levels and missions designed to ensure mastery of the modern cyber
of Golden Tickets, Skeleton Keys, and directory replication attacks such as DCSync security controls promoted all week long. This challenging exercise will
and DCShadow. reinforce key principles in a fun, hands-on, team-based challenge.
• How can data exfiltration be detected and stopped? Note that OnDemand students will enjoy this exercise on an individual
• How can threat intelligence aid defenders in the Cyber Kill Chain? basis. As always, SANS SME’s are available to support every OnDemand
student’s experience.
• How can defenders perform effective incident response?
Topics: Applying Previously Covered Security Controls In-depth;
As always, theoretical concepts will be illustrated during the different exercises
Reconnaissance; Weaponization; Delivery; Exploitation; Installation;
performed throughout the day.
Command and Control; Action on Objectives
Topics: Domain Dominance; Data Exfiltration; Leveraging Threat Intelligence; Threat
Hunting and Incident Response

Online Training
Community Events OnDemand Simulcast
Ottawa, ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Dec 2-7 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17
own pace, with four months of online access in the
OnDemand platform.

vLive
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . Jul 8 - Aug 16
41
 SEC560: Network Penetration Testing and GPEN
Ethical Hacking
Penetration Tester
www.giac.org/gpen

6 37 Laptop As a cybersecurity professional, you have a unique responsibility to find and

Day Program CPEs Required understand your organization’s vulnerabilities, and to work diligently to mitigate
them before the bad guys pounce. Are you ready? SANS SEC560, our flagship
course for penetration testing, fully arms you to address this task head-on.
You Will Be Able To
▐ Develop tailored scoping and rules of engagement SEC560 IS THE MUST-HAVE COURSE FOR EVERY WELL-ROUNDED SECURITY
for penetration testing projects to ensure the work PROFESSIONAL
is focused, well defined, and conducted in a safe
manner With comprehensive coverage of tools, techniques, and methodologies for
▐ Conduct detailed reconnaissance using document network penetration testing, SEC560 truly prepares you to conduct high-value
metadata, search engines, and other publicly penetration testing projects step by step and end to end. Every organization
available information sources to build a technical needs skilled information security personnel who can find vulnerabilities and
and organizational understanding of the target
mitigate their effects, and this entire course is specially designed to get you ready
environment
for that role. The course starts with proper planning, scoping and recon, then
▐ Utilize a scanning tool such as Nmap to conduct
comprehensive network sweeps, port scans, OS dives deep into scanning, target exploitation, password attacks, and web app
fingerprinting, and version scanning to develop a manipulation, with over 30 detailed hands-on labs throughout. The course is chock
map of target environments full of practical, real-world tips from some of the world’s best penetration testers
▐ Choose and properly execute Nmap Scripting to help you do your job safely, efficiently, and with great skill.
Engine scripts to extract detailed information from
target systems LEARN THE BEST WAYS TO TEST YOUR OWN SYSTEMS BEFORE THE BAD GUYS ATTACK
▐ Configure and launch a vulnerability scanner such You’ll learn how to perform detailed reconnaissance, studying a target’s
as Nessus so that it safely discovers vulnerabilities
through both authenticated and unauthenticated infrastructure by mining blogs, search engines, social networking sites, and other
scans, and customize the output from such tools to Internet and intranet infrastructures. Our hands-on labs will equip you to scan
represent the business risk to the organization target networks using best-of-breed tools. We won’t just cover run-of-the-mill
▐ Analyze the output of scanning tools to eliminate options and configurations, we’ll also go over the lesser-known but super-useful
false positive reduction with tools including Netcat capabilities of the best pen test toolsets available today. After scanning, you’ll
and Scapy
learn dozens of methods for exploiting target systems to gain access and measure
▐ Utilize the Windows PowerShell and Linux bash
command lines during post-exploitation to plunder
real business risk. You’ll dive deep into post-exploitation, password attacks, and
target systems for vital information that can web apps, pivoting through the target environment to model the attacks of real-
further overall penetration test progress, establish world bad guys to emphasize the importance of defense in depth.
pivots for deeper compromise, and help determine
business risks EQUIPPING SECURITY ORGANIZATIONS WITH COMPREHENSIVE PENETRATION TESTING
▐ Configure an exploitation tool such as Metasploit AND ETHICAL HACKING KNOW-HOW
to scan, exploit, and then pivot through a target
environment SEC560 is designed to get you ready to conduct a full-scale, high-value
penetration test and at the end of the course you’ll do just that. After building
Who Should Attend your skills in comprehensive and challenging labs, the course culminates with
▐ Security personnel whose job involves assessing
a final real-world penetration test scenario. You’ll conduct an end-to-end pen
networks and systems to find and remediate test, applying knowledge, tools, and principles from throughout the course as
vulnerabilities you discover and exploit vulnerabilities in a realistic sample target organization,
▐ Penetration testers demonstrating the skills you’ve gained in this course.
▐ Ethical hackers
▐ Defenders who want to better understand offensive
methodologies, tools, and techniques
“SEC560 provides practical, how-to material that I can
▐ Auditors who need to build deeper technical skills use daily in my penetration testing activities – not only
▐ Red and blue team members technically, but also from a business perspective.”
▐ Forensics specialists who want to better -Steve Nolan, General Dynamics
understand offensive tactics

SEC560 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-15 Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-24 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19
Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-13 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21
Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 San Francisco Fall . . . . . San Francisco, CA . . . . Sep 23-28
Enterprise Defense . . . . Redondo Beach, CA . . . . Jun 5-10
Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . .Aug 5-10 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5
Oil & Gas Cybersecurity . Houston, TX . . . . . . . . . . Sep 17-22
42 Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12
Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25
Course Day
Descriptions

DAY 1: Comprehensive Pen Test Planning, Scoping, DAY 2: In-Depth Scanning

and Recon We next focus on the vital task of mapping the target environment’s attack
surface by creating a comprehensive inventory of machines, accounts, and
In this section of the course, you will develop the skills needed to conduct a
potential vulnerabilities. We will look at some of the most useful scanning
best-of-breed, high-value penetration test. We will go in-depth on how to build
tools freely available today and run them in numerous hands-on labs to help
penetration testing infrastructure that includes all the hardware, software,
hammer home the most effective way to use each tool. We will also conduct
network infrastructure, and tools you will need to conduct great penetration
a deep dive into some of the most useful tools available to pen testers
tests, with specific low-cost recommendations for your arsenal. We will then
today for formulating packets: Scapy and Netcat. We finish the day covering
cover formulating a pen test scope and rules of engagement that will set you
vital techniques for false-positive reduction so you can focus your findings
up for success, including a role-play exercise. We’ll also dig deep into the
on meaningful results and avoid the sting of a false positive. And we will
reconnaissance portion of a penetration test, covering the latest tools and
examine the best ways to conduct your scans safely and efficiently.
techniques, including hands-on document metadata analysis to pull sensitive
information about a target environment, as well as a lab using Recon-ng to Topics: Tips for Awesome Scanning; Tcpdump for the Pen Tester; Nmap
plunder a target’s DNS infrastructure for information such as the anti-virus In-Depth; Version Scanning with Nmap; Vulnerability Scanning with Nessus;
tools the organization relies on. False-Positive Reduction; Packet Manipulation with Scapy; Enumerating Users;
Netcat for the Pen Tester; Monitoring Services During a Scan
Topics: The Mindset of the Professional Pen Tester; Building a World-Class
Pen Test Infrastructure; Creating Effective Pen Test Scopes and Rules of
Engagement; Detailed Recon Using the Latest Tools; Effective Pen Test DAY 4: Post-Exploitation and Merciless Pivoting
Reporting to Maximize Impact; Mining Search Engine Results; Document
This section of the course zooms in on pillaging target environments and
Metadata Extraction and Analysis
building formidable hands-on command line skills. We’ll cover Windows
command line skills in-depth, including PowerShell’s awesome abilities for
DAY 3: Exploitation post-exploitation. We’ll see how we can leverage malicious services and the
In this section, we look at the many kinds of exploits that penetration testers incredible WMIC toolset to access and pivot through a target organization.
use to compromise target machines, including client-side exploits, service- We’ll then turn our attention to password guessing attacks, discussing
side exploits, and local privilege escalation. We’ll see how these exploits are how to avoid account lockout, as well as numerous options for plundering
packaged in frameworks like Metasploit and its mighty Meterpreter. You’ll learn password hashes from target machines including the great Mimikatz Kiwi tool.
in-depth how to leverage Metasploit and the Meterpreter to compromise target Finally, we’ll look at Metasploit’s fantastic features for pivoting, including the
environments. We’ll also analyze the topic of anti-virus evasion to bypass msfconsole route command.
the target organization’s security measures, as well as methods for pivoting Topics: Windows Command Line Kung Fu for Penetration Testers; PowerShell’s
through target environments, all with a focus on determining the true business Amazing Post-Exploitation Capabilities; Password Attack Tips; Account Lockout
risk of the target organization. and Strategies for Avoiding It; Automated Password Guessing with THC-Hydra;
Topics: Comprehensive Metasploit Coverage with Exploits/Stagers/Stages; Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems;
Strategies and Tactics for Anti-Virus Evasion; In-Depth Meterpreter Analysis, Pivoting through Target Environments; Extracting Hashes and Passwords from
Hands-On; Implementing Port Forwarding Relays for Merciless Pivots; How to Memory with Mimikatz Kiwi
Leverage PowerShell Empire to Plunder a Target Environment

DAY 5: In-Depth Password Attacks and DAY 6: Penetration Test and

Web App Pen Testing Capture-the-Flag Workshop
In this section of the course, we’ll go even deeper in exploiting one of the This lively session represents the culmination of the network penetration
weakest aspects of most computing environments: passwords. You’ll custom- testing and ethical hacking course. You’ll apply all of the skills mastered
compile John the Ripper to optimize its performance in cracking passwords. in the course so far in a full-day, hands-on workshop during which you’ll
You’ll look at the amazingly full-featured Cain tool, running it to crack sniffed conduct an actual penetration test of a sample target environment. We’ll
Windows authentication messages. We’ll see how Rainbow Tables really work provide the scope and rules of engagement, and you’ll work with a team to
to make password cracking much more efficient, all hands-on. And we’ll cover achieve your goal of finding out whether the target organization’s Personally
powerful “pass-the-hash” attacks, leveraging Metasploit, the Meterpreter, and Identifiable Information (PII) is at risk. As a final step in preparing you
more. We then turn our attention to web application pen testing, covering the for conducting penetration tests, you’ll make recommendations about
most powerful and common web app attack techniques with hands-on labs for remediating the risks you identify.
every topic we address. We’ll cover finding and exploiting cross-site scripting Topics: Applying Penetration Testing and Ethical Hacking Practices End-to-End;
(XSS), cross-site request forgery (XSRF), command injection, and SQL injection Detailed Scanning to Find Vulnerabilities and Avenues to Entry; Exploitation to
flaws in applications such as online banking, blog sites, and more. Gain Control of Target Systems; Post-Exploitation to Determine Business Risks;
Topics: Password Cracking with John the Ripper; Sniffing and Cracking Windows Merciless Pivoting; Analyzing Results
Authentication Exchanges Using Cain; Using Rainbow Tables to Maximum
Effectiveness; Pass-the-Hash Attacks with Metasploit and More; Finding and
Exploiting Cross-Site Scripting; Utilizing Cross-Site Request Forgery Flaws; Data
Plundering with SQL Injection; Leveraging SQL Injection to Perform Command
Injection; Maximizing Effectiveness of Command Injection Testing

Online Training
Community Events OnDemand Simulcast
Falls Church, VA . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 24-29 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13
own pace, with four months of online access in the
Mentor Events OnDemand platform.
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
San Antonio, TX . . . . . . . . . . . . . . . . . . . . . . . . Oct 1 - Nov 19

Private Training
This course is also available through Private Training. 43
 SEC542: Web App Penetration Testing and GWAPT
Web Application

Ethical Hacking Penetration Tester

www.giac.org/gwapt

6 36 Laptop Web applications play a vital role in every modern organization. However, if your
Day Program CPEs Required organization doesn’t properly test and secure its web apps, adversaries can compromise
these applications, damage business functionality, and steal data. Unfortunately, many
organizations operate under the mistaken impression that a web application security
You Will Be Able To scanner will reliably discover flaws in their systems.
▐ Apply a detailed, four-step methodology
to your web application penetration tests: SEC542 helps students move beyond push-button scanning to professional, thorough, and
reconnaissance, mapping, discovery, and high-value web application penetration testing.
exploitation
▐ Analyze the results from automated Customers expect web applications to provide significant functionality and data
web testing tools to validate findings, access. Even beyond the importance of customer-facing web applications, internal web
determine their business impact, and applications increasingly represent the most commonly used business tools within any
eliminate false positives
organization. Unfortunately, there is no “patch Tuesday” for custom web applications,
▐ Manually discover key web application and major industry studies find that web application flaws play a major role in significant
flaws
breaches and intrusions. Adversaries increasingly focus on these high-value targets either
▐ Use Python to create testing and
exploitation scripts during a penetration
by directly abusing public-facing applications or by focusing on web apps as targets after
test an initial break-in.
▐ Discover and exploit SQL Injection flaws Modern cyber defense requires a realistic and thorough understanding of web application
to determine true risk to the victim
security issues. Anyone can learn to sling a few web hacks, but effective web application
organization
penetration testing requires something deeper.
▐ Create configurations and test payloads
within other web attacks SEC542 enables students to assess a web application’s security posture and convincingly
▐ Fuzz potential inputs for injection attacks demonstrate the impact of inadequate security that plagues most organizations.
▐ Explain the impact of exploitation of web
In this course, students will come to understand major web application flaws and their
application flaws
exploitation. Most importantly, they’ll learn a field-tested and repeatable process to
▐ Analyze traffic between the client and
the server application using tools such consistently find these flaws and convey what they have learned to their organizations.
as the Zed Attack Proxy and Burp Suite to Even technically gifted security geeks often struggle with helping organizations
find security issues within the client-side understand risk in terms relatable to business. Much of the art of penetration testing has
application code
less to do with learning how adversaries are breaking in than it does with convincing an
▐ Manually discover and exploit Cross-Site organization to take the risk seriously and employ appropriate countermeasures. The goal
Request Forgery (CSRF) attacks
of SEC542 is to better secure organizations through penetration testing, and not just show
▐ Use the Browser Exploitation Framework
(BeEF) to hook victim browsers, attack
off hacking skills. This course will help you demonstrate the true impact of web application
client software and the network, and flaws through exploitation.
evaluate the potential impact that XSS
flaws have within an application In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on
▐ Perform a complete web penetration test
labs to ensure that students can immediately apply all they learn.
during the Capture-the-Flag exercise to In addition to having more than 30 formal hands-on labs, the course culminates in a
bring techniques and tools together into
a comprehensive test web application pen test tournament, powered by the SANS NetWars Cyber Range. This
Capture-the-Flag event on the final day brings students into teams to apply their newly
acquired command of web application penetration testing techniques in a fun way that
hammers home lessons learned.

“SEC542 shows a hands-on way of doing web app penetration testing –

not just how to use this tool, or that tool.”
-Christopher J. Stover, Infogressive Inc.

SEC542 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21 Supply Chain
Cybersecurity . . . . . . . . . Arlington, VA . . . . . . . . .Aug 14-19
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25
Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24
Community Events
New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 Nashville, TN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-22
44
Course Day
Descriptions

DAY 1: Introduction and Information DAY 2: Configuration, Identity, and Who Should Attend
Gathering Authentication Testing ▐ General security
Practitioners
Understanding the attacker’s perspective is key to successful The second day starts the actual penetration testing
web application penetration testing. The course begins by process, beginning with the reconnaissance and mapping ▐ Penetration testers
thoroughly examining web technology, including protocols, phases. Reconnaissance includes gathering publicly ▐ Ethical hackers
languages, clients and server architectures, from the available information regarding the target application
attacker’s perspective. We will also examine different and organization, identifying the machines that support ▐ Web application
authentication systems, including Basic, Digest, Forms and our target application, and building a profile of each developers
Windows Integrated authentication, and discuss how servers server, including the operating system, specific software ▐ Website developers and
use them and attackers abuse them. and configuration. The discussion is underscored through architects
Topics: Overview of the Web from a Penetration Tester’s several practical, hands-on labs in which we conduct
Perspective; Exploring the Various Servers and Clients; reconnaissance against in-class targets.
Discussion of the Various Web Architectures; Discovering Topics: Scanning with Nmap; Discovering the Infrastructure
How Session State Works; Discussion of the Different Types Within the Application; Identifying the Machines and
of Vulnerabilities; WHOIS and DNS Reconnaissance; The Operating Systems; Exploring Virtual Hosting and its Impact
HTTP Protocol; WebSocket; Secure Sockets Layer (SSL) on Testing; Learning Methods to Identify Load Balancers;
Configurations and Weaknesses; Heartbleed Exploitation; Software Configuration Discovery; Learning Tools to Spider
Utilizing the Burp Suite in Web App Penetration Testing a Website; Brute Forcing Un linked Files and Directories;
Discovering and Exploiting Shellshock; Web Authentication;
Username Harvesting and Password Guessing; Fuzzing; Burp
Intruder

DAY 3: Injection DAY 4: XXE and XSS

This section continues to explore our methodology with On day four, students continue exploring the discovery
the discovery phase. We will build on the information phase of the methodology. We cover methods to discover
started the previous day, exploring methods to find and key vulnerabilities within web applications, such as Cross-
verify vulnerabilities within the application. Students will Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/
also begin to explore the interactions between the various XSRF). Manual discovery methods are employed during
vulnerabilities. hands-on labs.
Topics: Session Tracking; Authentication Bypass Flaws; Topics: XML External Entity (XXE); Cross-Site Scripting (XSS);
Mutillidae; Command Injection; Directory Traversal; Local File Browser Exploitation Framework (BeEF); AJAX; XML and JSON;
Inclusion (LFI); Remote File Inclusion (RFI); SQL Injection; Document Object Model (DOM); Logic Attacks; API Attacks;
Blind SQL Injection; Error-Based SQL Injection; Exploiting SQL Data Attacks
Injection; SQL Injection Tools; sqlmap

DAY 5: CSRF, Logic Flaws, and DAY 6: Capture the Flag

Advanced Tools On day six, students form teams and compete in a web
application penetration testing tournament. This NetWars-
On the fifth day, we launch actual exploits against real-world
powered Capture-the-Flag exercise provides students an
applications, building on the previous three steps, expanding
opportunity to wield their newly developed or further-
our foothold within the application, and extending it to
honed skills to answer questions, complete missions,
the network on which it resides. As penetration testers, we
and exfiltrate data, applying skills gained throughout the
specifically focus on ways to leverage previously discovered
course. The style of challenge and integrated-hint system
vulnerabilities to gain further access, highlighting the
allows students of various skill levels to both enjoy a game
cyclical nature of the four-step attack methodology.
environment and solidify the skills learned in class.
Topics: Cross-Site Request Forgery (CSRF); Python for Web
App Penetration Testing; WPScan; w3af; Metasploit for Web
Penetration Testers; Leveraging Attacks to Gain Access to the
System; How to Pivot Our Attacks Through a Web Application;
Exploiting Applications to Steal Cookies; Executing
Commands Through Web Application Vulnerabilities; When
Tools Fail

Online Training
Private Training OnDemand vLive
This course is also available through Private Training. Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . Jul 9 - Aug 15
own pace, with four months of online access in the
OnDemand platform. Simulcast
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 15-20
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14

45
 SEC460: Enterprise Threat and
Vulnerability Assessment NEW

6 36 Laptop Computer exploitation is on the rise. As advanced adversaries become more numerous,
Day Program CPEs Required more capable, and much more destructive, organizations must become more effective at
mitigating their information security risks at the enterprise scale. SEC460 is the premier
course focused on building technical vulnerability assessment skills and techniques, while
You Will Be Able To highlighting time-tested practical approaches to ensure true value across the enterprise.
▐ Perform end-to-end vulnerability The course covers threat management, introduces the core components of comprehensive
assessments
vulnerability assessment, and provides the hands-on instruction necessary to produce a
▐ Develop customized vulnerability discovery,
management, and remediation plans
vigorous defensive strategy from day one. The course is focused on equipping information
security personnel from mid-sized to large organizations charged with effectively and
▐ Conduct threat intelligence gathering and
analysis to create a tailored cybersecurity efficiently securing 10,000 or more systems.
plan that integrates various attack and
vulnerability modeling frameworks
SEC460 begins with an introduction to information security vulnerability assessment
fundamentals, followed by in-depth coverage of the Vulnerability Assessment
▐ Implement a proven testing methodology
using industry-leading tactics and Framework. It then moves into the structural components of a dynamic and iterative
techniques information security program. Through a detailed, practical analysis of threat
▐ Adapt information security approaches to intelligence, modeling, and automation, students will learn the skills necessary to
target real-world enterprise challenges not only use the tools of the trade, but also to implement a transformational security
▐ Configure and manage vulnerability vulnerability assessment program.
assessment tools to limit risk added to
the environment by the tester SEC460 will teach you how to use real industry-standard security tools for vulnerability
▐ Operate enumeration tools like Nmap, assessment, management, and mitigation. It is the only course that teaches a holistic
Masscan, Recon-ng, and WMI to identify vulnerability assessment methodology while focusing on challenges faced in a large
network nodes, services, configurations, enterprise. You will learn on a full-scale enterprise range chock full of target machines
and vulnerabilities that an attacker could
use as an opportunity for exploitation representative of an enterprise environment, leveraging production-ready tools and a
proven testing methodology.
▐ Conduct infrastructure vulnerability
enumeration at scale across numerous SEC460 takes you beyond the checklist, giving you a tour of the attackers’ perspective that
network segments, in spite of divergent
network infrastructure and nonstandard
is crucial to discovering where they will strike. Operators are more than the scanner they
configurations employ. SEC460 emphasizes this personnel-centric approach by examining the shortfalls
▐ Conduct web application vulnerability of many vulnerability assessment programs in order to provide you with the tactics and
enumeration in enterprise environments techniques required to secure networks against even the most advanced intrusions.
while solving complex challenges
resulting from scale We wrap up the first five days of instruction with a discussion of triage, remediation, and
▐ Perform manual discovery and validation reporting before putting your skills to the test on the final day against an enterprise-
of cybersecurity vulnerabilities that grade cyber range with numerous target systems for you to analyze and explore. The cyber
can be extended to custom and unique range is a large environment of servers, end-users, and networking gear that represents
applications and systems
many of the systems and topologies used by enterprises. By adopting an end-to-end
▐ Manage large vulnerability datasets and
approach to vulnerability assessment, you can be confident that your skills will provide
perform risk calculation and scoring
against organization-specific risks much-needed value in securing your organization.
▐ Implement vulnerability triage and
prioritize mitigation
▐ Use high-end commercial software “SEC460 has provided me the knowledge to build a great
including Acunetix WVS and Rapid7
Nexpose (InsightVM) in the classroom range vulnerability management/vulnerability assessment
program that vendor courses couldn’t provide.”
-Eric Osmus, ConocoPhillips Company

SEC460 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Summit Events
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19 Enterprise Defense . . . . Redondo Beach, CA . . . . Jun 5-10

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25

Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30

46
Course Day
Descriptions

DAY 1: Methodology, Planning, and DAY 2: Discovery Who Should Attend

Threat Modeling Having mastered the structural foundations of ▐ Vulnerability assessors
vulnerability management, we pivot to the realm
In this section of the course, students will develop ▐ IT System administrators
of direct, tactical application. Comprehensive
the skills needed to conduct high-value vulnerability
reconnaissance, enumeration, and discovery techniques ▐ Security auditors
assessments with measurable impact. We will explore
are the prime elements of successful vulnerability ▐ Compliance professionals
the elemental components of successful vulnerability
assessment. While gaining additional familiarity with
assessment programs, deconstruct the logistical ▐ Penetration testers
hands-on enterprise operations, you will systematically
precursors to value-added operations, and integrate
probe the environment in order to discover the relevant ▐ Vulnerability program managers
adversarial threat modeling and intelligence.
host, service, version, and configuration details that will
Topics: Maximizing Value from Vulnerability ▐ Security analysts
drive the remainder of the assessment system.
Assessments and Programs; Setting Up for Success ▐ Security architects
Topics: Active and Passive Reconnaissance; Identification
at Scale: Enterprise Architecture and Strategy;
and Enumeration with DNS; DNS Zone Speculation ▐ Senior security engineers
Developing Transformational Vulnerability
and Dictionary-Enabled Discovery; Port Scanning with
Assessment Strategies; Performing Enterprise ▐ Technical security managers
Nmap and Zenmap; Scanning Large-Scale Environments;
Threat Modeling; Generating Compounding Interest
Commonplace Services; Scanning the Network Perimeter
from Threat Intelligence and Avoiding Information
and Engaging the DMZ; Trade-offs: Speed, Efficiency,
Overload; The Vulnerability Assessment Framework;
Accuracy, and Thoroughness; Introduction to PowerShell
Overview of Comprehensive Network Scanning;
Compliance Standards and Information Security;
Team Operations and Collaboration

DAY 3: Enhanced Vulnerability Scanning and Automation DAY 4: Vulnerability Validation, Triage, and
We begin day three by delving into the next phase of the Vulnerability Assessment Data Management
Framework and charging into the most exciting topic in security testing: automation to
Over the course of this day we will tackle vulnerability validation,
handle scale. We start by breaking vulnerability scanning into its elemental components
which is the next phase of our overarching testing methodology.
and gaining an understanding of vulnerability measurement that can be applied to task
Simultaneously, we will confront and address the biggest
automation. This focus will direct us to the quantitative facets underlying cybersecurity
headaches common to a vulnerability assessment at scale. At
vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed
large scale, vulnerability data can be overwhelming and possibly
will focus on identifying, observing, inciting, or assessing the entry points that threats
even contradictory. We will cover the specific techniques needed
leverage during network attacks.
to wade through and better focus those data. Next, we will
Topics: Assigning a Confidence Value and Validating Exploitative Potential of examine techniques for collaboration and data management
Vulnerabilities: Enhanced Vulnerability Scanning: Risk Assessment Matrices and Rating with the Acheron tool for analyzing vulnerability data across an
Systems: Quantitative Analysis Techniques Applied to Vulnerability Scoring: Performing organization. Later in the day, we will apply our understanding of
Tailored Risk Calculation to Drive Triage: General Purpose vs. Application-Specific the vulnerability concept to evolve our PowerShell skills and take
Vulnerability Scanning: Tuning the Scanner to the Task, the Enterprise, and Tremendous action on an enterprise scale.
Scale: Scan Policies and Compliance Auditing: Performing Vulnerability Discovery with
Topics: Recruiting Disparate Data Sources: Patches, Hotfixes,
Open-Source and Commercial Appliances: Scanning with the Nmap Scripting Engine,
and Configurations; Manual Vulnerability Validation Targeting
Nexpose/InsightVM, and Acunetix: The Windows Domain: Exchange, SharePoint, and
Enterprise Infrastructure; Converting Disparate Datasets into a
Active Directory: Testing for Insecure Cryptographic Implementations Including SSL:
Central, Normalized, and Relational Knowledge Base; Managing
Assessing VOIP Environments: Discovering Vulnerabilities in the Enterprise Backbone:
Large Repositories of Vulnerability Data; Querying the Vulnerability
Active Directory, Exchange, and SharePoint: Minimizing Supplemental Risk while
Knowledge Base; Evaluating Vulnerability Risk in Custom and
Conducting Authenticated Scanning through Purposeful Application of Least Privilege:
Unique Systems, including Web Applications; Triage: Assessing the
Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches,
Relative Importance of Vulnerabilities Against Strategic Risk
and VLANs: Manual Vulnerability Discovery Automated to Attain Maximal Efficacy

DAY 5: Remediation and Reporting DAY 6: Vulnerability Assessment Foundry Hands-On

Many well-intentioned vulnerability assessment programs begin with Challenge
zeal and vitality, but after the discovery of vulnerabilities there is often a
In celebration of your diligence, curiosity, and new vulnerability skills,
tendency to ignore the risk reality and shift back to the status quo. Over the
we welcome you to your final hands-on challenge to hammer home your
previous course modules we focused on knowing the target environment and
capabilities. The guided scenario in this final module is designed to test
uncovering its weak points. Now it’s time for decision and action based on an
your mettle through trial and detailed work in a fun capture-the-flag-style
understanding of the risks the organization faces. Developing an actionable
environment. The challenge is the canvas upon which you can hone your
vulnerability remediation plan with time-based success targets sets the stage
skills and measure your maturing talents. Armed for the fight, you will
for continuous improvement, and that’s exactly what we cover in this section
doubtless rise to the challenge...and triumph! The scenario: The Ellingson
of the course. Developing this plan in conjunction with the Vulnerability
Mineral Company (EMC) has engaged you to perform a vulnerability
Assessment Report is an opportunity to galvanize the team, while enhancing
assessment of its environment. The organization is very aware of your
the vulnerability assessment value proposition.
particular set of vulnerability assessment skills, and treasures the insights
Topics: Domain Password Auditing: Creating and Navigating Vulnerability it is certain you will provide to help secure the organization against its
Prioritization Schemes in Acheron: Developing a Web of Network and Host formidable adversaries, including nefarious cybercrime cartels and jealous
Affiliations: Modeling Account Relationships on Active Directory Forests: nation-state actors. Teams will work together to help squash issues that
Creating Effective Vulnerability Assessment Reports: Transforming Triage would lead to a compromise of EMC’s precious assets.
Listing into the Vulnerability Remediation Plan: Closure: Be a Positive
Topics: Tactical Employment of the Vulnerability Assessment Framework;
Influence in the Context of the Global Information Security Crisis
Threat Modeling; Discovery; Vulnerability Scanning; Validation; Data
Management and Triage

47
 SEC573: Automating Information Security GPYC
with Python
Python Coder
www.giac.org/gpyc

6 36 Laptop All security professionals, including penetration testers, forensic analysts, network
Day Program CPEs Required defenders, security administrators, and incident responders, have one experience in
common: CHANGE. Tools, technologies, and threats change constantly, but Python is a
simple, user-friendly language that can help you keep pace with change, allowing you
You Will Be Able To to write custom tools and automate tasks to effectively manage and respond to your
▐ Modify existing open-source tools to unique threats.
customize them to meet the needs of
your organization Whether you are new to coding or have been coding for years, SEC573: Automating
▐ Manipulate log file formats to make Information Security with Python will have you creating programs that make your job
them compatible with various log easier and your work more efficient. This self-paced course starts from the very beginning,
collectors
assuming you have no prior experience with or knowledge of programming. We cover all
▐ Write new tools to analyze log files
and network packets to identify
of the essentials of the language up front. If you already know the essentials, you will find
attackers in your environment that the pyWars lab environment allows advanced developers to quickly accelerate to more
▐ Develop tools that extract otherwise advanced material in the course.
inaccessible forensics artifacts from
computer systems of all types
Technology, threats, and tools are constantly evolving. If we don’t evolve with them, we’ll
become ineffective and irrelevant, unable to provide the vital defenses our organizations
▐ Automate the collection of
intelligence information to augment increasingly require. Maybe your chosen Operating System has a new feature that creates
your security from online resources interesting forensic artifacts that would be invaluable for your investigation, if only you
▐ Automate the extraction of signs of had a tool to access it. Often for new features and forensic artifacts, no such tool has yet
compromise and other forensics data been released. You could try moving your case forward without that evidence or hope that
from the Windows Registry and other
someone creates a tool before the case goes cold...or you can write a tool yourself.
databases
▐ Write a backdoor that uses exception Or perhaps an attacker bypassed your defenses and owned your network months ago. If
handling, sockets, process execution, existing tools were able to find the attack, you wouldn’t be in this situation. You are bleeding
and encryption to provide you with
sensitive data and the time-consuming manual process of finding and eradicating the
your initial foothold in a target
environment attacker is costing you money and hurting your organization. The answer is simple if you
have the skills: Write tools to automate various aspects of your defenses.
Or, as a penetration tester, you need to evolve as quickly as the threats you are paid to
emulate. What do you do when “off-the-shelf” tools and exploits fall short? If you’re good,
you write your own tool or modify existing capabilities to make them perform as you need
them to.
SEC573 is designed to give you the skills you need for tweaking, customizing, or
outright developing your own tools. We put you on the path of creating your own tools,
empowering you to better automate the daily routine of today’s information security
professional and to achieve more value in less time. Again and again, organizations
serious about security emphasize their need for skilled tool builders. There is a huge
demand for people who can understand a problem and then rapidly develop prototype
code to attack or defend against it. Learn Python in-depth with us to become fully
weaponized.

SEC573 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events Private Training
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1 This course is also available through Private Training.

Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25

48
Course Day
Descriptions

DAY 1: Essentials Workshop DAY 2: Essentials Workshop with MORE Who Should Attend
with pyWars pyWars ▐ Security professionals
who benefit from
The course begins with a brief introduction to Python and You will never learn to program by staring at PowerPoint
automating routine tasks
the pyWars Capture-the-Flag game. We set the stage for slides. The second day continues the hands-on, lab-centric
so they can focus on
students to learn at their own pace in the 100% hands-on approach established on day one. This section covers data
what’s most important
pyWars lab environment. As more advanced students take structures and more detailed programming concepts. Next,
on Python-based Capture-the-Flag challenges, students we focus on invaluable tips and tricks to make you a better ▐ Forensic analysts who
who are new to programming will start from the very Python programmer and on how to debug your code. can no longer wait on
beginning with Python essentials. Topics: Lists; Loops; Tuples; Dictionaries; The Python someone else to develop
Topics: Syntax; Variables; Math Operators; Strings; Debugger; Coding Tips, Tricks, and Shortcuts; System a commercial tool to
Functions; Modules; Control Statements; Introspection Arguments; ArgParser Module analyze artifacts
▐ Network defenders who
sift through mountains
DAY 3: Defensive Python DAY 4: Forensics Python
of logs and packets to
In this section we take on the role of a network defender On day four we will play the role of a forensics analyst who find evil-doers in their
with more logs to examine than there is time in the day. has to carve evidence from artifacts when no tool exists networks
Attackers have penetrated the network and you will have to do so. Even if you don’t do forensics you will find that
to analyze the logs and packet captures to find them. these skills covered on day four are foundational to every
▐ Penetration testers who
We will discuss how to analyze network logs and packets security role. We will discuss the process required to carve are ready to advance
to discover where the attackers are coming from and binary images, find appropriate data of interest in them, from script kiddie to
what they are doing. We will build scripts to empower and extract those data. Once you have the artifact isolated, professional offensive
continuous monitoring and disrupt the attackers before there is more analysis to be done. You will learn how to computer operations
they exfiltrate your data. Forensicators and offensive extract metadata from image files. Then we will discuss operator
security professional won’t be left out because reading techniques for finding artifacts in other locations such as ▐ Security professionals
and writing files and parsing data are also essential skills SQL databases and interacting with web pages. who want to evolve from
they will apply to their craft. Topics: Acquiring Images from Disk, Memory, and the security tool consumer to
Topics: File Operations; Python Sets; Regular Expressions; Network; File Carving; The STRUCT Module; Raw Network security solution provider
Log Parsing; Data Analysis Tools and Techniques; Long Tail/ Sockets and Protocols; Image Forensics and PIL; SQL
Short Tail Analysis; Geolocation Acquisition; Blacklists and Queries; HTTP Communications with Python Built-In
Whitelists; Packet Analysis; Packet Reassembly; Payload Libraries; Web Communications with the Requests Module You Will Receive
Extraction ▐ A USB containing a virtual
machine filled with
sample code and working
DAY 5: Offensive Python DAY 6: Capture the Flag
examples
On day five we play the role of penetration testers whose In this final section, you will be placed on a team with
normal tricks have failed. Their attempts to establish other students. You will apply the skills you have mastered
▐ A copy of The Python
a foothold have been stopped by modern defenses. To in a series of programming challenges. Participants will Pocket Reference
bypass these defenses, you will build an agent to give you exercise the new skills and the code they have developed published by O’Reilly
access to a remote system. Similar agents can be used for throughout the course in a series of challenges. You will Press
incident response or systems administration, but our focus solve programming challenges, exploit vulnerable systems, ▐ MP3 audio files of the
will be on offensive operations. analyze packets, parse logs, and automate code execution complete course lecture
Topics: Network Socket Operations; Exception Handling; on remote systems. Test your skills! Prove your might!
Process Execution; Blocking and Non-blocking Sockets;
Using the Select Module for Asynchronous Operations
Python Objects; Argument Packing and Unpacking

“SEC573 is excellent. I went from having almost no Python coding

ability to being able to write functional and useful programs.”
-Caleb Jaren, Microsoft

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
own pace, with four months of online access in the
OnDemand platform.

49
 SEC575: Mobile Device Security and GMOB
Mobile Device

Ethical Hacking Security Analyst

www.giac.org/gmob

6 36 Laptop Imagine an attack surface that is spread across your organization and in the hands of
Day Program CPEs Required every user. It moves from place to place regularly, stores highly sensitive and critical data,
and sports numerous different wireless technologies all ripe for attack. Such a surface
already exists today: mobile devices. These devices are the biggest attack surface in most
You Will Be Able To organizations, yet these same organizations often don’t have the skills needed to assess them.
▐ Use jailbreak tools for Apple iOS and
Android systems SEC575 is designed to give you the skills you need to understand the security strengths and
▐ Conduct an analysis of iOS and weaknesses in Apple iOS and Android devices. Mobile devices are no longer a convenience
Android filesystem data to plunder technology: they are an essential tool carried or worn by users worldwide, often displacing
compromised devices and extract conventional computers for everyday enterprise data needs. You can see this trend in
sensitive mobile device use
information corporations, hospitals, banks, schools, and retail stores throughout the world. Users rely
▐ Analyze Apple iOS and Android
on mobile devices more today than ever before – we know it, and the bad guys do too. The
applications with reverse-engineering SEC575 course examines the full gamut of these devices.
tools
With the skills you learn in SEC575, you will be able to evaluate the security weaknesses
▐ Change the functionality of Android
and iOS apps to defeat anti-
of built-in and third-party applications. You’ll learn how to bypass platform encryption
jailbreaking or circumvent in-app and how to manipulate apps to circumvent client-side security techniques. You’ll leverage
purchase requirements automated and manual mobile application analysis tools to identify deficiencies in mobile
▐ Conduct an automated security app network traffic, file system storage, and inter-app communication channels. You’ll safely
assessment of mobile applications work with mobile malware samples to understand the data exposure and access threats
▐ Use wireless network analysis tools to affecting Android and iOS, and you’ll bypass lock screen to exploit lost or stolen devices.
identify and exploit wireless networks
used by mobile devices Understanding and identifying vulnerabilities and threats to mobile devices is a valuable
▐ Intercept and manipulate mobile skill, but it must be paired with the ability to communicate the associated risks. Throughout
device network activity the course, you’ll review ways to effectively communicate threats to key stakeholders. You’ll
▐ Leverage mobile-device-specific leverage tools, including Mobile App Report Cards, to characterize threats for managers and
exploit frameworks to gain decision-makers, while also identifying sample code and libraries that developers can use to
unauthorized access to target devices
address risks for in-house applications.
▐ Manipulate the behavior of mobile
applications to bypass security In employing your newly learned skills, you’ll apply a step-by-step mobile device
restrictions deployment penetration test. Starting with gaining access to wireless networks to implement
man-in-the-middle attacks and finishing with mobile device exploits and data harvesting,
Who Should Attend you’ll examine each step of the test with hands-on exercises, detailed instructions, and tips
▐ Penetration testers and tricks learned from hundreds of successful penetration tests. By building these skills,
▐ Ethical hackers
you’ll return to work prepared to conduct your own test, or better informed on what to look
for and how to review an outsourced penetration test.
▐ Auditors who need to build deeper
technical skills Mobile device deployments introduce new threats to organizations, including advanced
▐ Security personnel whose job involves malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual
assessing, deploying or securing property, and personally identifiable information assets. Further complicating matters,
mobile phones and tablets
there simply are not enough people with the security skills needed to identify and manage
▐ Network and system administrators
supporting mobile phones and tablets
secure mobile phone and tablet deployments. By completing this course, you’ll be able
to differentiate yourself as having prepared to evaluate the security of mobile devices,
effectively assess and identify flaws in mobile applications, and conduct a mobile device
penetration test – all critical skills to protect and defend mobile device deployments.

SEC575 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events OnDemand
San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-17 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14
Private Training OnDemand platform.
Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19 This course is also available through Private Training.
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
50
Course Day
Descriptions

DAY 1: Device Architecture and Common Mobile Threats DAY 2: Mobile Platform Access and Application Analysis
The first module of SEC575 quickly looks at the significant threats affecting With an understanding of the threats, architectural components and desired
mobile device deployments, highlighted by a hands-on exercise evaluating security methods, we dig deeper into iOS and Android mobile platforms
network traffic from a vulnerable mobile banking application. As a critical focusing on sandboxing and data isolation models, and on the evaluation of
component of a secure deployment, we will examine the architectural and mobile applications. This module is designed to help build skills in analyzing
implementation differences and similarities between Android (including mobile device data and applications through rooting and jailbreaking Android
Android Pie), Apple iOS 12, and the Apple Watch and Google Wear platforms. and iOS devices and using that access to evaluate file system artifacts. We
We will also look at the specific implementation details of popular platform will also start to evaluate the security of mobile applications, using network
features such as iBeacon, AirDrop, App Verification, and more. Hands-on capture analysis tools to identify weak network protocol use and sensitive
exercises will be used to interact with mobile devices running in a virtualized data disclosure over the network. Finally, we’ll wrap up the module with an
environment, including low-level access to installed application services and introduction to reverse engineering of iOS and Android applications using
application data. We’ll examine the tools used to evaluate mobile devices decompilers, disassemblers, and by manual analysis techniques.
as part of establishing a lab environment for mobile device assessments,
Topics: Unlocking, Rooting, and Jailbreaking Mobile Devices; Mobile Phone
including the analysis of mobile malware affecting Android and non-jailbroken
Data Storage and File System Architecture; Network Activity Monitoring; Static
iOS devices. Finally, we will address the threats of lost and stolen devices (and
Application Analysis
opportunities for a pen tester), including techniques to bypass mobile device
lock screens.
Topics: Mobile Problems and Opportunities; Mobile Device Platform
Analysis; Wearable Platforms; Mobile Device Lab Analysis Tools; Mobile
Device Malware Threats

DAY 3: Mobile Application Reverse Engineering DAY 4: Penetration Testing Mobile Devices – Part 1
One of the core skills you need as a mobile security analyst is the ability to An essential component of developing a secure mobile device deployment
evaluate the risks and threats a mobile app introduces to your organization. is to perform or outsource a penetration test. Through ethical hacking and
Through lecture and hands-on exercises in this module, with some analysis penetration testing, we examine the mobile devices and infrastructure from
skills, you will be able to evaluate critical mobile applications to determine the perspective of an attacker, identifying and exploiting flaws that deliver
the type of access threats and information disclosure threats they represent. unauthorized access to data or supporting networks. By identifying these
In this module we will use automated and manual application assessment flaws we can evaluate the mobile phone deployment risk to the organization
tools to evaluate iOS and Android apps. We’ll build upon the static with practical and useful risk metrics. Whether your role is to implement the
application analysis skills covered in Module 2 to manipulate application penetration test, or to source and evaluate the penetration tests of others,
components, including Android Intents and iOS URL extensions. We’ll also understanding these techniques will help your organization identify and
learn and practice techniques for manipulating iOS and Android applications, resolve vulnerabilities before they become incidents.
such as method swizzling on iOS, and disassembly, modification, and Topics: Manipulating Application Behavior; Using Mobile Device Remote
reassembly of Android apps. The module ends with a look at a consistent Access Trojans; Wireless Network Probe Mapping; Weak Wireless Attacks;
system for evaluating and grading the security of mobile applications using Enterprise Wireless Security Attacks
the Application Report Card Project.
Topics: Automated Application Analysis Systems; Reverse Engineering
Obfuscated Applications; Application Report Cards

DAY 5: Penetration Testing Mobile Devices – Part 2 DAY 6: Capture-the-Flag Event

Continuing our look at ethical hacking and penetration testing, we turn our In the final module of SEC575 we will pull together all the concepts and
focus to exploiting weaknesses on iOS and Android devices. We will also technology covered during the week in a comprehensive Capture-the-Flag event.
examine platform-specific application weaknesses and look at the growing In this hands-on exercise, you will have the option to participate in multiple
use of web framework attacks in mobile application exploitation. Hands-on roles, including designing a secure infrastructure for the deployment of mobile
exercises are used throughout the module to practice these attacks, exploiting phones, monitoring network activity to identify attacks against mobile devices,
both vulnerable mobile applications and the supporting back-end servers. extracting sensitive data from a compromised iPad, and attacking a variety of
Topics: Network Manipulation Attacks; Sidejacking Attacks; SSL/TLS Attacks; mobile phones and related network infrastructure components. During this
Client-Side Injection Attacks; Web Framework Attacks; Back-end Application mobile security event you will put into practice the skills you have learned in
Support Attacks order to evaluate systems and defend against attackers, simulating the realistic
environment you will be prepared to protect when you get back to the office.

“SEC575 provides an incredible amount of information,

Simulcast and the hands-on labs are awesome. It is a must-have
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17
for mobile penetration testers.”
vLive -Richard Takacs, Integrity360
Online Training . . . . . . . . . . . . . . . . . . . . . . . . .Oct 22 - Dec 5

51
 SEC617: Wireless Penetration Testing and GAWN
Assessing & Auditing

Ethical Hacking Wireless Networks

www.giac.org/gawn

6 36 Laptop This course is designed for professionals seeking a comprehensive technical ability to
Day Program CPEs Required understand, analyze, and defend the various wireless technologies that have become
ubiquitous in our environments and, increasingly, key entrance points for attackers.
The authors of SEC617, as penetration testers themselves, know that many organizations
You Will Be Able To overlook wireless security as an attack surface, and therefore fail to establish required
▐ Identify and locate malicious rogue defenses and monitoring, even though wireless technologies are now commonplace in
access points using free and low-cost executive suites, financial departments, government offices, manufacturing production lines,
tools
retail networks, medical devices, and air traffic control systems. Given the known risks of
▐ Conduct a penetration test against insecure wireless technologies and the attacks used against them, SEC617 was designed to
low-power wireless devices to identify
help people build the vital skills needed to identify, evaluate, assess, and defend against these
control system and related wireless
vulnerabilities threats. These skills are “must-haves” for any high-performing security organization.
▐ Identify vulnerabilities and bypass For many analysts, “wireless” was once synonymous with “WiFi,” the ever-present networking
authentication mechanisms in technology, and many organizations deployed complex security systems to protect these networks.
Bluetooth networks Today, wireless takes on a much broader meaning – not only encompassing the security of WiFi
▐ Utilize wireless capture tools to extract systems, but also the security of Bluetooth, ZigBee, Z-Wave, DECT, RFID, NFC, contactless smart
audio conversations and network cards, and even proprietary wireless systems. To effectively evaluate the security of wireless
traffic from DECT wireless phones systems, your skill set needs to expand to include many different types of wireless technologies.
▐ Implement a WPA2 Enterprise
SEC617 will give you the skills you need to understand the security strengths and weaknesses of
penetration test to exploit vulnerable
wireless client systems for credential wireless systems. You will learn how to evaluate the ever-present cacophony of WiFi networks
harvesting and identify the WiFi access points (APs) and client devices that threaten your organization.
▐ Utilize Scapy to force custom packets
You will learn how to assess, attack, and exploit deficiencies in modern WiFi deployments using
to manipulate wireless networks WPA2 technology, including sophisticated WPA2 Enterprise networks. You will gain a strong,
in new ways, quickly building practical understanding of the many weaknesses in WiFi protocols and how to apply that
custom attack tools to meet specific understanding to modern wireless systems. Along with identifying and attacking WiFi access
penetration test requirements points, you will learn to identify and exploit the behavioral differences in how client devices
▐ Identify WiFi attacks using network scan for, identify, and select APs, with deep insight into the behavior of the Windows 10, macOS,
packet captures traces and freely Apple iOS, and Android WiFi stacks.
available analysis tools
A significant portion of the course focuses on Bluetooth and Bluetooth Low Energy (BLE)
▐ Identify and exploit shortcomings
in the security of proximity key card
attacks, targeting a variety of devices, including wireless keyboards, smart light bulbs, mobile
systems devices, audio streaming devices, and more. You will learn to assess a target Bluetooth device,
identify the present (or absent) security controls, and apply a solid checklist to certify a
▐ Decode proprietary radio signals using
Software-Defined Radio device’s security for use within your organization.
▐ Mount a penetration test against Beyond analyzing WiFi and Bluetooth security threats, analysts must also understand many
numerous standards-based or other wireless technologies that are widely utilized in complex systems. SEC617 provides insight
proprietary wireless technologies and hands-on training to help analysts identify and assess the use of ZigBee and Z-Wave
wireless systems used for automation, control, and smart home systems. The course also
investigates the security of cordless telephony systems in the worldwide Digital Enhanced
Cordless Telephony (DECT) standard, including audio eavesdropping and recording attacks.
Radio frequency identification (RFID), near field communication (NFC), and contactless smart
card systems are more popular than ever in countless applications such as point of sale
systems and data center access control systems. You will learn how to assess and evaluate
these deployments using hands-on exercises to exploit the same kinds of flaws discovered in
mass transit smart card systems, hotel guest room access systems, and more.
In addition to standards-based wireless systems, we also dig deeper into the radio spectrum
using software-defined radio (SDR) systems to scour for signals. Using SDR, you will gain
new insight into how widely pervasive wireless systems are deployed. With your skills in
identifying, decoding, and evaluating the data these systems transmit, you will be able to spot
vulnerabilities even in custom wireless infrastructures.

SEC617 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events OnDemand
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19
Private Training OnDemand platform.
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 This course is also available through Private Training.

52
Course Day
Descriptions

DAY 1: WiFi Data Collection and Analysis DAY 2: WiFi Attack and Exploitation Who Should Attend
The first section of the course quickly looks at wireless Techniques ▐ Ethical hackers and
threats and attack surfaces and analyzes where you will penetration testers
After developing skills needed to capture and evaluate WiFi
likely see non-WiFi systems deployed in modern networks.
activity, we start our look at exploiting WiFi, targeting AP ▐ Network security staff
We start off with a look at fundamental analysis techniques
and client devices. We cover techniques that apply to any
for evaluating WiFi networks, including the identification ▐ Network and system
WiFi products, from consumer to enterprise-class devices,
and analysis of rogue devices, and finish with a dive into administrators
focusing on understanding protocol-level deficiencies that
remote penetration testing techniques using compromised ▐ Incident response teams
will continue to be applied throughout the course on non-
Windows 10 and macOS devices to pivot.
WiFi wireless systems as well. ▐ Information security
Topics: Characterize the Wireless Threat; Sniffing WiFi; Rogue policy decision-makers
Topics: Exploiting WiFi Hotspots; WiFi Client Attacks;
Access Point (AP) Analysis
Exploiting WEP; Denial of Service (DoS) Attacks; WiFi Fuzzing ▐ Technical auditors
for Bug Discovery
▐ Information security
consultants
DAY 3: Enterprise WiFi, DECT, and ZigBee DAY 4: Bluetooth and Software-Defined
▐ Wireless system engineers
Attacks Radio Attacks ▐ Embedded wireless
We finish our look at WiFi attack techniques with a Bluetooth technology is nearly as pervasive as WiFi, with system developers
detailed look at assessing and exploiting WPA2 networks. widespread adoption in smart phones, fitness trackers,
Starting with WPA2 consumer networks, we investigate the wireless keyboard, smart watches, and more. In this module,
flaws associated with pre-shared key networks and WiFi we dig into the Bluetooth Classic, Enhanced Data Rate,
Protected Setup (WPS) deployments, continuing with a and Low Energy protocols, including tools and techniques
look at exploiting WPA2 Enterprise networks using various to evaluate target devices for vulnerabilities. Immediately
Extensible Authentication Protocol (EAP) methods. We following our look at Bluetooth technology, we jump into
continue to investigate the security of wireless networks the practical application of Software-Defined Radio (SDR)
on day 3, switching to non-WiFi analysis with a look technology to identify, decode, and assess proprietary
at exploiting the worldwide Digital Enhanced Cordless wireless systems. We investigate the hardware and software
Telephony (DECT) standard to capture and export audio available for SDR systems, and look at the tools and
conversations from cordless headsets and phones. We techniques to start exploring this exciting area of wireless
also investigate the security of ZigBee and IEEE 802.15.4 security assessment.
networks, looking at cryptographic flaws, key management Topics: Bluetooth Introduction and Attack Techniques;
failures, and hardware attacks. Bluetooth Low Energy Introduction and Attack Techniques;
Topics: Attacking WPA2 Pre-Shared Key Networks; Attacking Practical Application of Software-Defined Radio (SDR)
WPA2 Enterprise Networks; Attacking Digital Enhanced
Cordless Telephony Deployments; Attacking ZigBee
Deployments

DAY 5: RFID, Smart Cards, and NFC Hacking DAY 6: Capture-the-Flag Event
On day 5, we evaluate RFID technology in its multiple On the last day of class, we will pull together all the
forms to identify the risks associated with privacy loss concepts and technology we have covered during the
and tracking, while also building an understanding of both week in a comprehensive Capture-the-Flag event. In this
low-frequency and high-frequency RFID systems and NFC. hands-on exercise, you will have the option to participate
We examine the security associated with contactless Point in multiple roles: identifying unauthorized/rogue WiFi
of Sale (PoS) terminals, including Apple Pay and Google access points, attacking live and recorded WiFi networks,
Wallet, and proximity lock access systems from HID and decoding proprietary wireless signals, exploiting smart
other vendors. We also examine generalized techniques for card deficiencies, and more. During this wireless security
attacking smart card systems, including critical data analysis event you will put into practice the skills you have learned
skills needed to bypass the intended security of smart card in order to evaluate systems and defend against attackers,
systems used for mass transit systems, concert venues, bike simulating the realistic environment you will be prepared to
rentals, and more. protect when you get back to the office.
Topics: RFID Overview; RFID Tracking and Privacy Attacks;
Low-Frequency RFID Attacks; Exploiting Contactless RFID
Smart Cards; Attacking NFC

“SEC617 is great for someone looking for a

top-to-bottom rundown in wireless attacks.”
-Garret Picchioni, Salesforce

53
 SEC642: Advanced Web App Penetration Testing,
Ethical Hacking, and Exploitation Techniques

6 36 Laptop Can your web apps withstand the onslaught of modern advanced attack techniques?
Day Program CPEs Required
Modern web applications are growing more sophisticated and complex as they utilize
exciting new technologies and support ever more critical operations. Long gone are
You Will Be Able To the days of basic HTML requests and responses. Even in the age of Web 2.0 and AJAX,
▐ Perform advanced Local File Include the complexity of HTTP and modern web applications is progressing at breathtaking
(LFI)/Remote File Include (RFI), Blind SQL speed. With the demands of highly available web clusters and cloud deployments,
injection (SQLi), and Cross-Site Scripting web applications are looking to deliver more functionality in smaller packets, with a
(XSS) combined with Cross-Site Request
decreased strain on backend infrastructure. Welcome to an era that includes tricked-
Forger (XSRF) discovery and exploitation
out cryptography, WebSockets, HTTP/2, and a whole lot more. Are your web application
▐ Exploit advanced vulnerabilities common
to most backend language like Mass assessment and penetration testing skills ready to evaluate these impressive new
Assignments, Type Juggling, and Object technologies and make them more secure?
Serialization
Are you ready to put your web apps to the test with cutting-edge skills?
▐ Perform JavaScript-based injection
against ExpressJS, Node.js, and NoSQL This pen testing course is designed to teach you the advanced skills and techniques
▐ Understand the special testing methods required to test modern web applications and next-generation technologies. The
for content management systems such as course uses a combination of lecture, real-world experiences, and hands-on exercises
SharePoint and WordPress
to teach you the techniques to test the security of tried-and-true internal enterprise
▐ Identify and exploit encryption
web technologies, as well as cutting-edge Internet-facing applications. The final course
implementations within web applications
and frameworks day culminates in a Capture-the-Flag competition, where you will apply the knowledge
▐ Discover XML Entity and XPath you acquired during the previous five days in a fun environment based on real-world
vulnerabilities in SOAP or REST web technologies.
services and other datastores
This course offers hands-on learning of advanced web app exploitation skills.
▐ Use tools and techniques to work with
and exploit HTTP/2 and Web Sockets We begin by exploring advanced techniques and attacks to which all modern-day
▐ Identify and bypass Web Application complex applications may be vulnerable. We’ll learn about new web frameworks and
Firewalls and application filtering web backends, then explore encryption as it relates to web applications, digging deep
techniques to exploit the system
into practical cryptography used by the web, including techniques to identify the type
of encryption in use within the application and methods for exploiting or abusing it.
Who Should Attend We’ll look at alternative front ends to web applications and web services such as mobile
▐ Web and network penetration testers applications, and examine new protocols such as HTTP/2 and WebSockets. The final
▐ Red team members portion of the class will focus on how to identify and bypass web application firewalls,
▐ Vulnerability assessment personnel filtering, and other protection techniques.
▐ Security consultants
▐ Developers, QA testers
▐ System administrators and IT managers
▐ System architects

“SEC642 is quality content for senior penetration testers –

a nice extension of standard WAPT courses!”
-Caleb Jaren, Microsoft

SEC642 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events OnDemand
San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-17 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14
Private Training OnDemand platform.

This course is also available through Private Training. Simulcast

Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
54
Course Day
Descriptions

DAY 1: Advanced Attacks DAY 2: Web Frameworks DAY 3: Web Cryptography

As applications and their vulnerabilities become We’ll continue exploring advanced discovery Cryptographic weaknesses are common, yet few
more complex, penetration testers have to be able and exploitation techniques for today’s complex penetration testers have the skill to investigate,
to handle advanced targets. We’ll start the course web applications. We’ll look at vulnerabilities attack and exploit these flaws. When we
with a warm-up pen test of a small application. that could affect web applications written in investigate web application crypto attacks, we
After our review of this exercise, we will explore any backend language, then examine how logic typically target the implementation and use
some of the more advanced techniques for LFI/ flaws in applications, especially in Mass Object of cryptography in modern web applications.
RFI and SQLi server-based flaws. We will then take Assignments, can have devastating effects on Many popular web programming languages
a stab at combined XSS and XSRF attacks, where security. We’ll also dig into assumptions made by or development frameworks make encryption
we leverage the two vulnerabilities together for core development teams of backend programming services available to the developer, but do
even greater effect. After discovering the flaws, languages and learn how even something as not inherently protect encrypted data from
we will then work through various ways to exploit simple as handling the data types in variables can being attacked, or only permit the developer
these flaws beyond the typical means exhibited be leveraged through the web with Type Juggling to use cryptography in a weak manner. These
today. These advanced techniques will help and Object Serialization. Next we’ll explore implementation mistakes are going to be
penetration testers find ways to demonstrate various popular applications and frameworks and our focus in this section, as opposed to the
these vulnerabilities to their organization through how they change the discovery techniques within exploitation of deficiencies in the cryptographic
advanced and custom exploitation. a web penetration test. Part of this discussion algorithms themselves. We will also explore the
Topics: Review of the Testing Methodology; will lead us to cutting-edge technologies like the various ways applications use encryption and
Using Burp Suite in a Web Penetration Test; MEAN stack, where JavaScript is leveraged from hashing insecurely. Students will learn techniques
Exploiting Local and Remote File Inclusions; the browser, web server, and backend NoSQL ranging from identifying what the encryption
Exploring Advanced Discovery Techniques for storage. The final section of the class examines technique is to exploiting various flaws within the
SQL Injection and Other Server-Based Flaws; applications in content management systems encryption or hashing.
Exploring Advanced Exploitation of XSS and such as SharePoint and WordPress, which have Topics: Identifying the Cryptography Used in
XSRF in a Combined Attack; Learning Advanced unique needs and features that make testing the Web Application; Analyzing and Attacking
Exploitation Techniques them both more complex and more fruitful for the Encryption Keys; Exploiting Stream Cipher IV
the tester. Sollisions; Exploiting Electronic Codebook (ECB)
Topics: Web Architectures; Web Design Patterns; Mode Ciphers with Block Shuffling; Exploiting
Languages and Frameworks; Java and Struts; Cipher Block Chaining (CBC) Mode with Bit
PHP-Type Juggling; Logic Flaws; Attacking Flipping; Vulnerabilities in PKCS#7 Padding
Object Serialization; The MEAN Stack; Content Implementations
Management Systems; SharePoint; WordPress

DAY 4: Alternative Web Interfaces DAY 5: Web Application Firewall and DAY 6: Capture the Flag
Web applications are no longer limited to Filter Bypass On this final course day you will be placed on a
the traditional HTML-based interfaces. Web network and given the opportunity to complete an
Applications today are using more security
services and mobile applications have become entire penetration test. The goal of this exercise
controls to help prevent attacks. These
more common and are regularly being used is for you to explore the techniques, tools, and
controls, such as Web Application Firewalls and
to attack clients and organizations. As such, it methodology you will have learned over the
filtering techniques, make it more difficult for
has become very important that penetration last five days. You’ll be able to use these skills
penetration testers during their testing. The
testers understand how to evaluate the security against a realistic extranet and intranet. At the
controls block many of the automated tools and
of these systems. We will examine Flash, Java, end of the day, you will provide a verbal report
simple techniques used to discover flaws. On
Active X, and Silverlight flaws. We will explore of the findings and methodology you followed to
this day we’ll explore techniques used to map
various techniques to discover flaws within complete the test. Students will be provided with
the control and how that control is configured
the applications and backend systems. These a virtual machine that contains the Samurai Web
to block attacks. You’ll be able to map out the
techniques will make use of tools such as Burp Testing Framework (SamuraiWTF). You will be able
rule sets and determine the specifics of how the
Suite and other automated toolsets. We’ll use to use this both in the class and after leaving and
Web Application Firewall detects attacks. This
lab exercises to explore the newer protocols of returning to your job.
mapping will then be used to determine attacks
HTTP/2 and WebSockets, exploiting flaws exposed
that will bypass the control. You’ll use HTML5,
within each of them.
UNICODE, and other encodings that will enable
Topics: Intercepting Traffic to Web Services and your discovery techniques to work within the
from Mobile Applications; Flash, Java, ActiveX, protected application.
and Silverlight Vulnerabilities; SOAP and REST
Topics: Understanding Web Application
Web Services; Penetration Testing Web Services;
Firewalling and Filtering Techniques;
WebSocket Protocol Issues and Vulnerabilities;
Determining the Rule Sets Protecting the
New HTTP/2 Protocol Issues and Penetration
Application; Fingerprinting the Defense
Testing
Techniques Used; Learning How HTML5 Injections
Work; Using UNICODE, CTYPEs, and Data URIs to
Bypass Restrictions; Bypassing a Web Application
Firewall’s Best-Defended Vulnerabilities, XSS
and SQLi

55
 SEC660: Advanced Penetration Testing, GXPN
Exploit Researcher &

Exploit Writing, and Ethical Hacking Advanced Pen Tester

www.giac.org/gxpn

6 46 Laptop This course is designed as a logical progression point for those who have completed
Day Program CPEs Required SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing
penetration testing experience. Students with the prerequisite knowledge to take this
course will walk through dozens of real-world attacks used by the most seasoned
You Will Be Able To penetration testers. The methodology of a given attack is discussed, followed by
▐ Perform fuzz testing to enhance your exercises in a real-world lab environment to solidify advanced concepts and allow for
company’s SDL process
the immediate application of techniques in the workplace. Each day includes a two-
▐ Exploit network devices and assess
network application protocols
hour evening bootcamp to allow for additional mastery of the techniques discussed
and even more hands-on exercises. A sample of topics covered includes weaponizing
▐ Escape from restricted environments on
Linux and Windows Python for penetration testers, attacks against network access control (NAC) and VLAN
▐ Test cryptographic implementations
manipulation, network device exploitation, breaking out of Linux and Windows restricted
environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic
▐ Model the techniques used by attackers
to perform 0-day vulnerability discovery implementations, fuzzing, defeating modern OS controls such as ASLR and DEP, return-
and exploit development oriented programming (ROP), Windows exploit-writing, and much more!
▐ Develop more accurate quantitative and
Attackers are becoming more clever and their attacks more complex. In order to keep up
qualitative risk assessments through
validation with the latest attack methods, you need a strong desire to learn, the support of others,
▐ Demonstrate the needs and effects of and the opportunity to practice and build experience. SEC660 provides attendees with in-
leveraging modern exploit mitigation depth knowledge of the most prominent and powerful attack vectors and an environment
controls to perform these attacks in numerous hands-on scenarios. This course goes far beyond
▐ Reverse-engineer vulnerable code to simple scanning for low-hanging fruit, and shows penetration testers how to model the
write custom exploits abilities of an advanced attacker to find significant flaws in a target environment and
demonstrate the business risk associated with these flaws.
Who Should Attend SEC660 starts off by introducing the advanced penetration concept, and provides an
▐ Network and systems penetration testers overview to help prepare students for what lies ahead. The focus of day one is on network
▐ Incident handlers attacks, an area often left untouched by testers. Topics include accessing, manipulating,
▐ Application developers and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP,
▐ IDS engineers IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts off with a technical module on
performing penetration testing against various cryptographic implementations. The rest
of the day is spent on network booting attacks, escaping Linux restricted environments
such as chroot, and escaping Windows restricted desktop environments. Day three jumps
into an introduction of Python for penetration testing, Scapy for packet crafting, product
security testing, network and application fuzzing, and code coverage techniques. Days four
and five are spent exploiting programs on the Linux and Windows operating systems. You
will learn to identify privileged programs, redirect the execution of code, reverse-engineer
programs to locate vulnerable code, obtain code execution for administrative shell access,
and defeat modern operating system controls such as ASLR, canaries, and DEP using
ROP and other techniques. Local and remote exploits, as well as client-side exploitation
techniques, are covered. The final course day is dedicated to numerous penetration
testing challenges requiring you to solve complex problems and capture flags.
Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided
through the labs and the additional time allotted each evening to reinforce daytime
material and master the exercises.

SEC660 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events OnDemand
Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Purple Team . . . . . . . . . . Las Colinas, TX . . . . . . .Oct 23-28 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25 OnDemand platform.
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14
Private Training
Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 This course is also available through Private Training.
56
Course Day
Descriptions

DAY 1: Network Attacks for DAY 2: Crypto and Post-Exploitation DAY 3: Python, Scapy, and Fuzzing
Penetration Testers Day two starts by taking a tactical look at Day three starts with a focus on how to leverage
techniques penetration testers can use to Python as a penetration tester. It is designed
Day one serves as an advanced network attack
investigate and exploit common cryptography to help people unfamiliar with Python start
module, building on knowledge gained from
mistakes. We finish the module with lab exercises modifying scripts to add to their own functionality
SEC560. The focus will be on obtaining access to
that allow you to practice your new-found crypto while helping seasoned Python scripters improve
the network; manipulating the network to gain
attack skill set against reproduced real-world their skills. Once we leverage the Python skills in
an attack position for eavesdropping and attacks,
application vulnerabilities. creative lab exercises, we move on to leveraging
and for exploiting network devices; leveraging
Topics: Pen Testing Cryptographic Scapy for custom network targeting and
weaknesses in network infrastructure; and taking
Implementations; Exploiting CBC Bit Flipping protocol manipulation. Using Scapy, we examine
advantage of client frailty.
Vulnerabilities; Exploiting Hash Length Extension techniques for transmitting and receiving network
Topics: Bypassing Network Admission Control; traffic beyond what canned tools can accomplish,
Vulnerabilities; PowerShell Essentials; Enterprise
Impersonating Devices with Admission including IPv6.
PowerShell; Post-Exploitation with PowerShell and
Control Policy Exceptions; Exploiting EAP-MD5
Metasploit; Escaping Software Restrictions; Two- Topics: Becoming Familiar with Python Types;
Authentication; Custom Network Protocol
hour Evening Capture-the-Flag Exercise Using PXE, Leveraging Python Modules for Real-World Pen
Manipulation with Ettercap and Custom
Network Attacks, and Local Privilege Escalation Tester Tasks; Manipulating Stateful Protocols with
Filters; Multiple Techniques for Gaining Man-
Scapy; Using Scapy to Create a Custom Wireless
in-the-Middle Network Access; Exploiting
Data Leakage Tool; Product Security Testing;
OSPF Authentication to Inject Malicious
Using Taof for Quick Protocol Mutation Fuzzing;
Routing Updates; Using Evilgrade to Attack
Optimizing Your Fuzzing Time with Smart Target
Software Updates; Overcoming SSL Transport
Selection; Automating Target Monitoring While
Encryption Security with Sslstrip; Remote Cisco
Fuzzing with Sulley; Leveraging Microsoft Word
Router Configuration File Retrieval; IPv6 for
Macros for Fuzzing .docx files; Block-Based Code
Penetration Testers
Coverage Techniques Using Paimei

DAY 4: Exploiting Linux for DAY 5: Exploiting Windows for DAY 6: Capture-the-Flag Challenge
Penetration Testers Penetration Testers This day will serve as a real-world challenge for
students by requiring them to utilize skills they
Day four begins by walking through memory from On day five we start with covering the OS security
have learned throughout the course, think outside
an exploitation perspective as well as introducing features (ALSR, DEP, etc.) added to the Windows
the box, and solve a range of problems from
x86 assembler and linking and loading. Processor OS over the years, as well as Windows-specific
simple to complex. A web server scoring system
registers are directly manipulated by testers and constructs, such as the process environment
and Capture-the-Flag engine will be provided
must be intimately understood. Disassembly block (PEB), structured exception handling (SEH),
to score students as they capture flags. More
is a critical piece of testing and will be used thread information block (TIB), and the Windows
difficult challenges will be worth more points.
throughout the remainder of the course. We will API. Differences between Linux and Windows will
In this offensive exercise, challenges range from
take a look at the Linux OS from an exploitation be covered. These topics are critical in assessing
local privilege escalation to remote exploitation
perspective and discuss the topic of privilege Windows-based applications. We then focus on
on both Linux and Windows systems, as well as
escalation. stack-based attacks against programs running on
networking attacks and other challenges related
Topics: Stack and Dynamic Memory Management the Windows OS.
to the course material.
and Allocation on the Linux OS; Disassembling Topics: The State of Windows OS Protections
a Binary and Analyzing x86 Assembly Code; on Windows 7, 8, 10, Server 2008 and 2012;
Performing Symbol Resolution on the Linux OS; Understanding Common Windows Constructs;
Identifying Vulnerable Programs; Code Execution Stack Exploitation on Windows; Defeating OS
Redirection and Memory Leaks; Return-Oriented Protections Added to Windows; Creating a
Programming (ROP); Identifying and Analyzing Metasploit Module; Advanced Stack-Smashing
Stack-Based Overflows on the Linux OS; on Windows; Using ROP; Building ROP Chains
Performing Return-to-libc (ret2libc) Attacks on the to Defeat DEP and Bypass ASLR; Windows 7
Stack; Defeating Stack Protection on the Linux OS; and 8; Porting Metasploit Modules; Client-side
Defeating ASLR on the Linux OS Exploitation; Windows Shellcode

“SEC660 is the right balance between theory and practice;

it’s hands-on, not too hard, but also not too easy.”
-Anton Ebertzeder, Siemens AG

57
 SEC760: Advanced Exploit Development for
Penetration Testers

6 46 Laptop Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server
Day Program CPEs Required 2012, and the latest Linux distributions are often very complex and subtle. Yet these
vulnerabilities could expose organizations to significant attacks, undermining their
defenses when attacked by very skilled adversaries. Few security professionals have
You Will Be Able To the skill set to discover let alone even understand at a fundamental level why the
▐ Discover zero-day vulnerabilities in vulnerability exists and how to write an exploit to compromise it. Conversely, attackers
programs running on fully-patched
modern operating systems must maintain this skill set regardless of the increased complexity. SEC760: Advanced
▐ Create exploits to take advantage of
Exploit Development for Penetration Testers, the SANS Institute’s only 700-level course,
vulnerabilities through a detailed teaches the skills required to reverse-engineer 32- and 64-bit applications, perform
penetration testing process remote user application and kernel debugging, analyze patches for one-day exploits,
▐ Use the advanced features of IDA Pro and write complex exploits, such as use-after-free attacks, against modern software and
and write your own IDC and IDA Python operating systems.
scripts
▐ Perform remote debugging of Linux and Some of the skills you will learn in SEC760 include:
Windows applications ▐ How to write modern exploits against the Windows 7/8/10 operating systems
▐ Understand and exploit Linux heap
overflows ▐ How to perform complex attacks such as use-after-free, Kernel exploit techniques,
▐ Write Return-Oriented Shellcode
one-day exploitation through patch analysis, and other advanced topics
▐ Perform patch diffing against programs, ▐ How to utilize a Security Development Lifecycle (SDL) or Secure SDLC, along with
libraries, and drivers to find patched Threat Modeling
vulnerabilities
▐ How to effectively utilize various debuggers and plug-ins to improve vulnerability
▐ Perform Windows heap overflows and
use-after-free attacks research and speed
▐ Use precision heap sprays to improve ▐ How to deal with modern exploit mitigation controls aimed at thwarting success and
exploitability defeating determination
▐ Perform Windows Kernel debugging up
through Windows 8 64-bit
▐ Jump into Windows kernel exploitation
Course Author Statement
“As a perpetual student of information security, I am excited to offer SEC760: Advanced
Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and
will continue to increase in importance moving forward. With all of the modern exploit
mitigation controls offered by operating systems such as Windows 7 and 8, the number
of experts with the skills to produce working exploits is highly limited. More and more
companies are looking to hire professionals with the ability to conduct a Secure-SDLC
process, perform threat modeling, determine if vulnerabilities are exploitable, and carry
out security research. This course was written to help you get into these highly sought-
after positions and to teach you cutting-edge tricks to thoroughly evaluate a target,
providing you with the skills to improve your exploit development.”
-Stephen Sims

SEC760 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Purple Team . . . . . . . . . . Las Colinas, TX . . . . . . .Oct 23-28

Pen Test HackFest . . . . . Bethesda, MD . . . . . . . Nov 20-25

Private Training
This course is also available through Private Training.
58
Course Day
Descriptions

DAY 1: Threat Modeling, Reversing and DAY 2: Advanced Linux Exploitation Who Should Attend
Debugging with IDA The ability to progress into more advanced reversing and ▐ Senior network and
exploitation requires an expert-level understanding of basic system penetration
Many penetration testers, incident handlers, developers,
software vulnerabilities, such as those covered in SEC660. testers
and other related professionals lack reverse-engineering
Heap overflows serve as a rite of passage into modern
and debugging skills. These are different skills than ▐ Secure application
exploitation techniques. This day is aimed at bridging this
reverse-engineering malicious software. As part of the developers (C and C++)
gap of knowledge in order to inspire thinking in a more
Security Development Lifecycle (SDL) and Secure-SDLC,
abstract manner, necessary for continuing further with the ▐ Reverse-engineering
developers and exploit writers should have experience
course. Linux can sometimes be an easier operating system professionals
using IDA Pro to debug and reverse their code when
to learn these techniques, serving as a productive gateway ▐ Senior incident handlers
finding bugs or when identifying potential risks after static
into Windows.
code analysis or fuzzing. ▐ Senior threat analysts
Topics: Linux Heap Management, Constructs, and
Topics: Security Development Lifecycle; Threat Modeling; ▐ Vulnerability researchers
Environment; Navigating the Heap; Abusing Macros such as
Why IDA Is the #1 Tool for Reverse Engineering; IDA
unlink() and frontlink(); Function Pointer Overwrites; Format ▐ Security researchers
Navigation; IDA Python and the IDA IDC; IDA Plug-ins and
String Exploitation; Abusing Custom Doubly-Linked Lists;
Extensibility; Local Application Debugging with IDA; Remote
Defeating Linux Exploit Mitigation Controls; Using IDA for
Application Debugging with IDA
Linux Application Exploitation; Using Format String Bugs for
ASLR Bypass

DAY 3: Patch Diffing, One-Day Exploits, and Return-Oriented Shellcode

Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly
patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to
more silently patch the vulnerability. This also allows the vendor to release limited or even no details at all about a patched
vulnerability. Attackers are well aware of this and quickly work to find the patched vulnerability in order to take control of
unpatched systems. This technique is also used by incident handlers, IDS administrators and vendors, vulnerability and
penetration testing framework companies, government entities, and others. You will use the material covered in this day to
identify bugs patched by vendors and take them through to exploitation.
Topics: The Microsoft Patch Management Process and Patch Tuesday; Obtaining Patches and Patch Extraction; Binary Diffing
with BinDiff, patchdiff2, turbodiff, and DarunGrim4; Visualizing Code Changes and Identifying Fixes; Reversing 32-bit and
64-bit Applications and Modules; Triggering Patched Vulnerabilities; Writing One-Day Exploits; Handling Modern Exploit
Mitigation Controls; Using ROP to Compiled Shellcode on the Fly (Return-Oriented Shellcode)
“SEC760 is the
DAY 4: Windows Kernel Debugging and DAY 5: Windows Heap Overflows and challenge I am
Exploitation Client-Side Exploitation looking for. It will be
The Windows Kernel is very complex and intimidating. The focus of this section is primarily on Windows browser
This course day aims to help you understand the Windows and client-side exploitation. You will learn to analyze C++
overwhelming, but
Kernel and the various exploit mitigations added into vftable overflows, one of the most common mechanisms well worth it.”
recent versions. You will perform Kernel debugging on used to compromise a modern Windows system. Many
various versions of the Windows OS, such as Windows 7 of these vulnerabilities are discovered in the browser, so -William Stott, Raytheon
and 8, and learn to deal with its inherent complexities. browser techniques will also be taught, including modern
Exercises will be performed to analyze vulnerabilities, look heap spraying to deal with Internet Explorer 8/9/10 and
at exploitation techniques, and get a working exploit. other browsers such as FireFox and Chrome. You will work
Topics: Understanding the Windows Kernel; Navigating the towards writing exploits in the Use-After-Free/Dangling
Windows Kernel; Modern Kernel Protections; Debugging Pointer vulnerability class.
the Windows 7/8 Kernels and Drivers; WinDbg; Analyzing Topics: Windows Heap Management, Constructs, and
Kernel Vulnerabilities and Kernel Vulnerability Types; Kernel Environment; Understanding the Low Fragmentation Heap
Exploitation Techniques; Token Stealing and HAL Dispatch (LFH); Browser-based and Client-side Exploitation; Remedial
Table Overwrites Heap Spraying; Understanding C++ vftable/vtable Behavior;
Modern Heap Spraying to Determine Address Predictability;
Use-after-free Attacks and Dangling Pointers; Using Custom
DAY 6: Capture-the-Flag Challenge Flash Objects to Bypass ASLR; Defeating ASLR, DEP, and
Day 6 will feature a Capture-the-Flag event with different Other Common Exploit Mitigation Controls
types of challenges taken from material taught throughout
the week.

“SEC760 is a kind of training we could not get

anywhere else. It is not a theory, we got to
implement and to exploit everything we learned.”
-Jenny Kitaichit, Intel

59
 FOR508: Advanced Incident Response, Threat GCFA
Hunting, and Digital Forensics NEW
Forensic Analyst
www.giac.org/gcfa

6 36 Laptop ADVANCED THREATS ARE IN YOUR NETWORK – IT’S TIME TO GO HUNTING!

Day Program CPEs Required
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
will help you to:
You Will Be Able To ▐ Detect how and when a breach occurred
▐ Learn and master the tools, techniques, ▐ Identify compromised and affected systems
and procedures necessary to effectively
hunt, detect, and contain a variety of ▐ Determine what attackers took or changed
adversaries and to remediate incidents
▐ Contain and remediate incidents
▐ Detect and hunt unknown live, dormant,
and custom malware in memory ▐ Develop key sources of threat intelligence
across multiple Windows systems in an
enterprise environment ▐ Hunt down additional breaches using knowledge of the adversary
▐ Hunt through and perform incident DAY 0: A 3-letter government agency contacts you to say an advanced threat group is
response across hundreds of unique
systems simultaneously using targeting organizations like yours, and that your organization is likely a target. They won’t
F-Response Enterprise and the SIFT tell how they know, but they suspect that there are already several breached systems
Workstation within your enterprise. An advanced persistent threat, aka an APT, is likely involved. This
▐ Identify and track malware beaconing is the most sophisticated threat that you are likely to face in your efforts to defend your
outbound to its command and control systems and data, and these adversaries may have been actively rummaging through your
(C2) channel via memory forensics,
registry analysis, and network connection network undetected for months or even years.
residue
This is a hypothetical situation, but the chances are very high that hidden threats already
▐ Determine how the breach occurred by exist inside your organization’s networks. Organizations can’t afford to believe that their
identifying the beachhead and spear
phishing attack mechanisms security measures are perfect and impenetrable, no matter how thorough their security
precautions might be. Prevention systems alone are insufficient to counter focused
▐ Target advanced adversary anti-forensics
techniques like hidden and time- human adversaries who know how to get around most security and monitoring tools.
stomped malware, along with utility-
ware used to move in the network and The key is to constantly look for attacks that get past security systems, and to catch
maintain an attacker’s presence intrusions in progress, rather than after attackers have completed their objectives and
▐ Use memory analysis, incident response, done significant damage to the organization. For the incident responder, this process is
and threat hunting tools in the SIFT known as “threat hunting,” which uses known adversary behaviors to proactively examine
Workstation to detect hidden processes, the network and endpoints in order to identify new data breaches.
malware, attacker command lines,
rootkits, network connections, and more Threat hunting and Incident response tactics and procedures have evolved rapidly
▐ Track user and attacker activity second- over the past several years. Your team can no longer afford to use antiquated incident
by-second on the system you are response and threat hunting techniques that fail to properly identify compromised
analyzing through in-depth timeline and
super-timeline analysis systems, provide ineffective containment of the breach, and ultimately fail to rapidly
▐ Recover data cleared using anti-forensics
remediate the incident. Incident response and threat hunting teams are the keys to
techniques via Volume Shadow Copy and identifying and observing malware indicators and patterns of activity in order to generate
Restore Point analysis accurate threat intelligence that can be used to detect current and future intrusions.
▐ Identify lateral movement and pivots GATHER YOUR INCIDENT RESPONSE TEAM – IT’S TIME TO GO HUNTING!
within your enterprise, showing how
attackers transition from system to
system without detection
“FOR508 analyzes Advanced Persistent Threat samples that are
affecting our industry today. This training can’t get any better!”
-Neel Mehta, Chevron

FOR508 is available via (subject to change):

Live Training
Kansas City . . . . . . . . . . . Kansas City, MO . . . . . . Jun 10-15 New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 Atlanta Fall . . . . . . . . . . . Atlanta, GA . . . . . . . . . . Nov 18-23

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23

Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7

Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-19 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19

Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9
60
Course Day
Descriptions
DAY 1: Advanced Incident Response DAY 2: Intrusion Analysis Who Should Attend
and Threat Hunting Cyber defenders have a wide variety of tools and artifacts ▐ Incident response team
available to identify, hunt, and track adversary activity in a members
Incident responders and threat hunters should
network. Each attacker action leaves a corresponding artifact, and
be armed with the latest tools, memory analysis ▐ Threat hunters
understanding what is left behind as footprints can be critical to
techniques, and enterprise methodologies to identify,
both red and blue team members. Attacks follow a predictable ▐ Security Operations
track, and contain advanced adversaries and to
pattern, and we focus our detective efforts on immutable Center analysts
remediate incidents. Incident response and threat
portions of that pattern. As an example, at some point attackers ▐ Experienced digital
hunting analysts must be able to scale their analysis
will need to run code to accomplish their objectives. We can forensic analysts
across thousands of systems in their enterprise. This
identify this activity via application execution artifacts. Attackers
section examines the six-step incident response ▐ Information security
will also need one or more accounts to run code. Consequently,
methodology as it applies to incident response for professionals
account auditing is a powerful means of identifying malicious
advanced threat groups. We will show the importance
actions. Attackers also need a means to move throughout the ▐ Federal agents and law
of developing cyber threat intelligence to impact the
network, so we look for artifacts left by the relatively small enforcement personnel
adversaries’ “kill chain” and demonstrate live response
number of ways there are to accomplish this part of their
techniques and tactics that can be applied to a single ▐ Red team members,
mission. In this section, we cover common attacker tradecraft and
system and across the entire enterprise. penetration testers, and
discuss the various data sources and forensic tools you can use
Topics: Real Incident Response Tactics; Threat Hunting; exploit developers
to identify malicious activity in the enterprise.
Threat Hunting in the Enterprise; Incident Response ▐ SANS FOR500 and
Topics: Stealing and Utilization of Legitimate Credentials;
and Hunting across Endpoints; Malware Defense SEC504 graduates
Advanced Evidence of Execution Detection; Lateral Movement
Evasion and Identification; Malware Persistence
Adversary Tactics, Techniques, and Procedures (TTPs); Log Analysis
Identification; Investigating WMI-Based Attacks
for Incident Responders and Hunters

DAY 3: Memory Forensics in Incident Response DAY 4: Timeline Analysis

and Threat Hunting Learn advanced incident response and hunting techniques uncovered
via timeline analysis directly from the authors who pioneered
Now a critical component of many incident response and threat hunting teams
timeline analysis tradecraft. Temporal data are located everywhere
that regularly detect advanced adversaries in their organization, memory forensics
on a computer system. Filesystem modified/access/creation/change
has come a long way in just a few years. Memory forensics can be extraordinarily
times, log files, network data, registry data, and Internet history files
effective at finding evidence of worms, rootkits, PowerShell, and advanced malware
all contain time data that can be correlated into critical analysis
used by APT attackers. In fact, some attacks may be nearly impossible to unravel
to successfully solve cases. Pioneered by Rob Lee in 2001, timeline
without memory analysis. Memory analysis was traditionally the domain of Windows
analysis has become a critical incident response, hunting, and
internals experts, but the recent development of new tools and techniques makes it
forensics technique. New timeline analysis frameworks provide the
accessible today to all investigators, incident responders, and threat hunters. Better
means to conduct simultaneous examinations of a multitude of time-
tools, interfaces and detection heuristics have greatly leveled the playing field.
based artifacts. The analysis that once took days now takes minutes.
Understanding attack patterns in memory is a core analyst skill applicable across
This section will step you through the two primary methods of building
a wide range of endpoint detection and response products. This extremely popular
and analyzing timelines created during advanced incident response,
section will cover many of the most powerful memory analysis capabilities available
threat hunting, and forensic cases. Exercises will show analysts how to
and give you a solid foundation of advanced memory forensic skills to super-charge
create a timeline and also how to introduce the key methods to help
investigations, regardless of the toolset employed.
you use those timelines effectively in your cases.
Topics: Remote and Enterprise Incident Response; Triage and Enpoint Detection and
Topics: Timeline Analysis Overview; Memory Analysis Timeline Creation;
Reponse; Memory Acquisition; Memory Forensics Analysis Process for Response and
Filesystem Timeline Creation and Analysis; Super Timeline Creation
Hunting; Memory Forensics Examinations; Memory Analysis Tools
and Analysis

DAY 5: Incident Response & Hunting Across DAY 6: The APT Threat Group Incident Response Challenge
the Enterprise – Advanced Adversary and This incredibly rich and realistic enterprise intrusion exercise is based on a
real-world advanced persistent threat (APT) group. It brings together techniques
Anti-Forensics Detection learned earlier in the week and tests your newly acquired skills in a case that
Over the years, we have observed that many incident responders and threat simulates an attack by an advanced adversary. The challenge brings it all together
hunters have a challenging time finding threats without pre-built indicators of using a real intrusion into a complete Windows enterprise environment. You will
compromise or threat intelligence gathered before a breach. This is especially be asked to uncover how the systems were compromised in the initial intrusion,
true in APT adversary intrusions. This advanced session will demonstrate find other systems the adversary moved to laterally, and identify intellectual
techniques used by first responders to identify malware or forensic artifacts property stolen via data exfiltration. You will walk out of the course with hands-
when very little information exists about their capabilities or hidden on experience investigating realistic attacks, curated by a cadre of instructors
locations. We will discuss techniques to help funnel possibilities down to with decades of experience fighting advanced threats from attackers ranging from
the candidates most likely to be evil malware trying to hide on the system. nation-states to financial crime syndicates and hactivist groups.
Topics: Cyber Threat Intelligence; Malware and Anti-Forensic Detection; Anti- Topics: Identification and Scoping; Containment and Threat Intelligence
Forensic Detection Methodologies; Identifying Compromised Hosts without Gathering; Remediation and Recovery
Active Malware

Online Training
Summit Events Private Training OnDemand
Enterprise Defense . . . . Redondo Beach, CA . . . . Jun 5-10 This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1 OnDemand platform.
THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7 Simulcast
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
61
 FOR572: Advanced Network Forensics: GNFA
Threat Hunting, Analysis, and Network Forensic
Analyst

Incident Response NEW www.giac.org/gnfa

6 36 Laptop Take your system-based forensic knowledge onto the wire. Incorporate network evidence
Day Program CPEs Required into your investigations, provide better findings, and get the job done faster.
It is exceedingly rare to work any forensic investigation that doesn’t have a network
You Will Be Able To component. Endpoint forensics will always be a critical and foundational skill for this career,
▐ Extract files from network packet but overlooking a perpetrator’s network communications is akin to ignoring security camera
captures and proxy cache files, footage of a crime as it was committed. Whether you handle an intrusion incident, data
allowing for follow-on malware theft case, or employee misuse scenario, or are engaged in proactive adversary discovery,
analysis or definitive data loss
the network often provides an unparalleled view of the incident. Its evidence can provide
determination
the proof necessary to show intent, uncover attackers that have been active for months or
▐ Use historical NetFlow data to identify
relevant past network occurrences, longer, or even prove useful in definitively proving a crime actually occurred.
allowing for accurate incident scoping
FOR572 was designed to cover the most critical skills needed for the increased focus on
▐ Reverse-engineer custom network network communications and artifacts in today’s investigative work, including numerous
protocols to identify an attacker’s
command-and-control abilities and use cases. Many investigative teams are incorporating proactive threat hunting into their
actions skills. This involves using existing evidence along with newly-acquired threat intelligence to
▐ Decrypt captured SSL traffic to identify uncover evidence of previously-unidentified incidents. Other teams focus on post-incident
attackers’ actions and what data they investigations and reporting. Still others engage with an adversary in real time, seeking to
extracted from the victim contain and eradicate the attacker from the victim’s environment. In these situations and
▐ Use data from typical network more, the artifacts left behind from attackers’ communications can provide an invaluable
protocols to increase the fidelity of the
investigation’s findings
view into their intent, capabilities, successes, and failures.
▐ Identify opportunities to collect In FOR572, we focus on the knowledge necessary to examine and characterize
additional evidence based on the communications that have occurred in the past or continue to occur. Even if the most skilled
existing systems and platforms within
a network architecture
remote attacker compromised a system with an undetectable exploit, the system still has
to communicate over the network. Without command-and-control and data extraction
▐ Examine traffic using common network
protocols to identify patterns of activity channels, the value of a compromised computer system drops to almost zero. Put another
or specific actions that warrant further way: Bad guys are talking – we’ll teach you to listen.
investigation
This course covers the tools, technology, and processes required to integrate network
▐ Incorporate log data into a
comprehensive analytic process, filling evidence sources into your investigations, with a focus on efficiency and effectiveness. You
knowledge gaps that may be far in the will leave this week with a well-stocked toolbox and the knowledge to use it on your first day
past back on the job. We will cover the full spectrum of network evidence, including high-level
▐ Learn how attackers leverage man-in- NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and
the-middle tools to intercept seemingly
more. We cover how to leverage existing infrastructure devices that may contain months
secure communications
or years of valuable evidence as well as how to place new collection platforms while an
▐ Examine proprietary network protocols
to determine what actions occurred on incident is under way.
the endpoint systems
FOR572 is truly an advanced course – we hit the ground running on day one. Bring your
▐ Analyze wireless network traffic to find entire bag of skills: forensic techniques and methodologies, full-stake networking knowledge
evidence of malicious activity
(from the wire all the way up to user-facing services), Linux shell utilities, and everything in
▐ Learn how to modify configuration
between. They will all benefit you throughout the course material as you fight crime.
on typical network devices such as
firewalls and intrusion detection UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.
systems to increase the intelligence
value of their logs and alerts during an
investigation

FOR572 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Raleigh . . . . . . . . . . . . . . . Raleigh, NC . . . . . . . . . .Sep 16-21 Summit Events
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5 DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7

Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7
Private Training
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 This course is also available through Private Training.
62
Course Day
Descriptions

DAY 1: Off the Disk and Onto the Wire DAY 2: Core Protocols & Log Aggregation/ Who Should Attend
Although many fundamental network forensic Analysis ▐ Incident response
concepts align with those of any other digital team members and
There are countless network protocols that may be in use in a
forensic investigation, the network presents many forensicators
production network environment. We will cover those that are
nuances that require special attention. Today you
most likely to benefit the forensicator in typical casework, as well ▐ Hunt team members
will learn how to apply what you already know
as several that help demonstrate analysis methods useful when
about digital forensics and incident response to ▐ Law enforcement officers,
facing new, undocumented, or proprietary protocols. By learning
network-based evidence. You will also become federal agents, and
the “typical” behaviors of these protocols, we can more readily
acclimated to the basic tools of the trade. detectives
identify anomalies that may suggest misuse of the protocol for
Topics: Web Proxy Server Examination; Foundational nefarious purposes. These protocol artifacts and anomalies can ▐ Information security
Network Forensics Tools: tcpdump and Wireshark; be profiled through direct traffic analysis as well as through the managers
Network Evidence Acquisition; Network Architectural log evidence created by systems that have control or visibility ▐ Network defenders
Challenges and Opportunities of that traffic. While this affords the investigator with vast
opportunities to analyze the network traffic, efficient analysis
▐ IT professionals
of large quantities of source data generally requires tools and ▐ Network engineers
methods designed to scale.
▐ Anyone interested in
Topics: Hypertext Transfer Protocol (HTTP): Protocol and Logs; computer network
Domain Name Service (DNS): Protocol and Logs; Firewall, Intrusion intrusions and
Detection System, and Network Security Monitoring Logs; Logging investigations
Protocol and Aggregation; Elastic Stack and the SOF-ELK Platform
▐ Security Operations
Center personnel and
DAY 3: NetFlow and File Access Protocols DAY 4: Commercial Tools, Wireless, information security
Network connection logging, commonly called NetFlow, may and Full-Packet Hunting practitioners
be the single most valuable source of evidence in network
Commercial tools are a mainstay in the network
investigations. Many organizations have extensive archives
forensicator’s toolkit. We’ll explore the various roles that
of flow data due to its minimal storage requirements. Since
commercial tools generally fill, as well as how they can be
NetFlow does not capture any content of the transmission,
best integrated into an investigative workflow. With the
many legal issues with long-term retention are mitigated.
runaway adoption of wireless networking, investigators
Even without content, NetFlow provides an excellent means
must also be prepared to address the unique challenges
of guiding an investigation and characterizing an adversary’s
this technology brings to the table. However, regardless of
activities from pre-attack through operations. Whether
the protocol being examined or the budget used to perform
within a victim’s environment or for data exfiltration,
the analysis, having a means of exploring full-packet
“I love how this
adversaries must move their quarry around through the
use of various file access protocols. By knowing some of
capture is a necessity, and having a toolkit to perform this course is very well
at scale is critical.
the more common file access and transfer protocols, a
Topics: Simple Mail Transfer Protocol (SMTP); Commercial
organized, and how
forensicator can quickly identify an attacker’s theft actions.
Topics: NetFlow Collection and Analysis; Open-Source Flow
Network Forensics; Wireless Network Forensics; Automated the step-by-step
Tools and Libraries; Full-Packet Hunting with Moloch
Tools; File Transfer Protocol (FTP); Microsoft Protocols walk-through of
the lab allows even
DAY 5: Encryption, Protocol Reversing, DAY 6: Network Forensics Capstone
OPSEC, and Intel Challenge someone new to
Advancements in common technology have made it This section will combine all of what you have learned network forensics
easier to be a bad guy and harder for us to track them. prior to and during this week. In groups, you will examine
Strong encryption methods are readily available and network evidence from a real-world compromise by an
to get started
custom protocols are easy to develop and employ. advanced attacker. Each group will independently analyze right away.”
Despite this, there are still weaknesses even in the most data, form and develop hypotheses, and present findings.
advanced adversaries’ methods. As we learn what the No evidence from endpoint systems is available – only the -Paul Kim, PWC
attackers have deliberately hidden from us, we must network and its infrastructure.
operate carefully to avoid tipping our hats regarding Topics: Network Forensic Case
the investigative progress – otherwise the attacker can
quickly pivot, nullifying our progress.
Topics: Encoding, Encryption, and SSL/TLS; Meddler-
in-the-Middle; Network Protocol Reverse Engineering;
Investigation OPSEC and Threat Intel

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
own pace, with four months of online access in the
OnDemand platform.

63
 GCFE
FOR500: Windows Forensic Analysis Forensic Examiner
www.giac.org/gcfe

6 36 Laptop MASTER WINDOWS FORENSICS – YOU CAN’T PROTECT WHAT YOU DON’T KNOW ABOUT
Day Program CPEs Required
FOR500: Windows Forensic Analysis will teach you to:
▐ Conduct in-depth forensic analysis of Windows operating systems and media
You Will Be Able To exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server
▐ Perform proper Windows forensic 2008/2012/2016
analysis by applying key techniques ▐ Identify artifact and evidence locations to answer critical questions, including
focusing on Windows 7/8/10
application execution, file access, data theft, external device usage, cloud services,
▐ Use full-scale forensic tools and analysis geolocation, file download, anti-forensics, and detailed system usage
methods to detail nearly every action
a suspect accomplished on a Windows ▐ Focus your capabilities on analysis instead of on how to use a particular tool
system, including who placed an artifact ▐ Extract critical answers and build an in-house forensic capability via a variety of
on the system and how, program
execution, file/folder opening, geo- free, open-source, and commercial tools provided within the SANS Windows SIFT
location, browser history, profile USB Workstation
device usage, and more
All organizations must prepare for cyber-crime occurring on their computer systems
▐ Uncover the exact time a specific user
and within their networks. Demand has never been greater for analysts who can
last executed a program through Registry
and Windows artifact analysis, and investigate crimes such as fraud, insider threats, industrial espionage, employee misuse,
understand how this information can and computer intrusions. Government agencies increasingly require trained media
be used to prove intent in cases such exploitation specialists to recover vital intelligence from Windows systems. To help solve
as intellectual property theft, hacker-
breached systems, and traditional crimes these cases, SANS is training a new cadre of the world’s best digital forensic professionals,
incident responders, and media exploitation experts capable of piecing together what
▐ Determine the number of times files
have been opened by a suspect through happened on computer systems second by second.
browser forensics, shortcut file analysis
(LNK), e-mail analysis, and Windows FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics
Registry parsing knowledge of Microsoft Windows operating systems. You can’t protect what you don’t
▐ Identify keywords searched by a specific know about, and understanding forensic capabilities and artifacts is a core component
user on a Windows system in order of information security. You will learn how to recover, analyze, and authenticate forensic
to pinpoint the files and information data on Windows systems, track particular user activity on your network, and organize
the suspect was interested in finding
and accomplish detailed damage findings for use in incident response, internal investigations, and civil/criminal litigation.
assessments You will be able to use your new skills to validate security tools, enhance vulnerability
▐ Use Windows shellbags analysis tools to assessments, identify insider threats, track hackers, and improve security policies.
articulate every folder and directory that Whether you know it or not, Windows is silently recording an unbelievable amount of data
a user opened up while browsing local,
about you and your users. FOR500 teaches you how to mine this mountain of data.
removable, and network drives
▐ Determine each time a unique and Proper analysis requires real data for students to examine. The completely updated
specific USB device was attached to the FOR500 course trains digital forensic analysts through a series of new hands-on
Windows system, the files and folders laboratory exercises that incorporate evidence found on the latest Microsoft technologies
that were accessed on it, and who
plugged it in by parsing key Windows (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint,
artifacts such as the Registry and log files Exchange, Outlook). Students leave the course armed with the latest tools and techniques
▐ Use event log analysis techniques to and prepared to investigate even the most complicated systems they might encounter.
determine when and how users logged Nothing is left out – attendees learn to analyze everything from legacy Windows 7 systems
into a Windows system, whether via
to just-discovered Windows 10 artifacts.
a remote session, at the keyboard, or
simply by unlocking a screensaver
“I have gained so much insight taking this course
and can’t wait to apply these skills!”
-Dylan Ong, Stroz Friedberg

FOR500 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 Santa Monica . . . . . . . . . Santa Monica, CA . . . . . Oct 21-26

Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . Oct 28 - Nov 2

San Francisco Summer . San Francisco, CA . . . . . .Jul 22-27 San Francisco Fall . . . . . San Francisco, CA . . . . Sep 23-28 Houston . . . . . . . . . . . . . . Houston, TX . . . . . Oct 28 - Nov 2

Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-24 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9

Tampa-Clearwater . . . . . Clearwater, FL . . . . . . . Aug 25-30 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
64
Course Day
Descriptions

DAY 1: Windows Digital Forensics and DAY 2: Core Windows Forensics Who Should Attend
Advanced Data Triage Part 1 – Windows Registry Forensics and ▐ Information security
professionals
The Windows forensics course starts with an examination of Analysis
digital forensics in today’s interconnected environments and ▐ Incident response team
Our journey continues with the Windows Registry, where
discusses challenges associated with mobile devices, tablets, members
the digital forensic investigator will learn how to discover
cloud storage, and modern Windows operating systems. We
critical user and system information pertinent to almost any ▐ Law enforcement officers,
will discuss how modern hard drives, such as Solid State
investigation. Each examiner will learn how to navigate and federal agents, and
Devices (SSD), can affect the digital forensics acquisition
examine the Registry to obtain user-profile data and system detectives
process and how analysts need to adapt to overcome the
data. The course teaches forensic investigators how to
introduction of these new technologies. ▐ Media exploitation
prove that a specific user performed key word searches, ran
analysts
Topics: Windows Operating System Components; Core specific programs, opened and saved files, perused folders,
Forensic Principles; Live Response and Triage-Based and used removable devices. Throughout the section, ▐ Anyone interested in a
Acquisition Techniques; Acquisition Review with Write Blocker; investigators will use their skills in a real hands-on case, deep understanding of
Advanced Acquisition Challenges; Windows Image Mounting exploring and analyzing the evidence. Windows forensics
and Examination; NTFS File System Overview; Document Topics: Registry Basics; Profile Users and Groups; Core
and File Metadata; File Carving; Custom Carving Signatures; System Information; User Forensic Data; Tools Utilized
Memory, Pagefile, and Unallocated Space Analysis

DAY 3: Core Windows Forensics DAY 4: Core Windows Forensics

Part 2 – USB Devices and Shell Items Part 3 – Email, Key Additional Artifacts,
Being able to show the first and last time a file or folder and Event Logs
was opened is a critical analysis skill. Utilizing shortcut
Depending on the type of investigation and authorization,
(LNK), jump list, and Shellbag databases through the
a wealth of evidence can be unearthed through the
examination of Shell Items, we can quickly pinpoint which
analysis of email files. Recovered email can bring excellent
file or folder was opened and when. The knowledge obtained
corroborating information to an investigation, and its
by examining Shell Items, is crucial in tracking user activity
informality often provides very incriminating evidence. It
in intellectual property theft cases internally or in tracking “Anyone involved in
is common for users to have an email that exists locally
hackers. Removable storage device investigations are often
on their workstation, on their company email server, in a
an essential part of performing digital forensics. We will
private cloud, and in multiple webmail accounts. Windows digital investigations
show you how to perform in-depth USB device examinations
on Windows 7, 8/8.1, and 10. You will learn how to determine
event log analysis has solved more cases than possibly needs to take this
any other type of analysis. Understanding the locations
when a storage device was first and last plugged in, its
and content of these files is crucial to the success of any class! It covers or
vendor/make/model, and even the unique serial number of
investigator. Many researchers overlook these records
the device used.
because they do not have adequate knowledge or tools
touches upon almost
Topics: Shell Item Forensics; USB and Bring Your Own Device to get the job done efficiently. This section arms each every aspect of
(BYOD) Forensic Examinations investigator with the core knowledge and capability to
maintain this crucial skill for many years to come. Windows forensic
Topics: Email Forensics; Forensicating Additional Windows investigations in a
OS Artifacts; Windows Event Log Analysis
very short period of
DAY 5: Core Windows Forensics Part 4 – Web Browser DAY 6: Windows Forensic time.”
Forensics: Firefox, Internet Explorer, and Chrome Challenge -Cy Bleistine, NJSP
With the increasing use of the web and the shift toward web-based This complex case will involve an
applications and cloud computing, browser forensic analysis has become investigation into one of the most recent
a critical skill. During this section, the investigator will comprehensively versions of the Windows Operating
explore web browser evidence created during the use of Internet Explorer, System. The evidence is real and
Edge, Firefox, and Google Chrome. The analyst will learn how to examine provides the most realistic training
every significant artifact stored by the browser and how to analyze some of opportunity currently available. Solving
the more obscure (and powerful) browser artifacts, such as session restore, the case will require that students use
tracking cookies, zoom levels, predictive site prefetching, and private all of the skills gained from each of the
browsing remnants. previous sections.
Topics: Browser Forensics: History, Cache, Searches, Downloads, Topics: Digital Forensic Case; Windows 10
Understanding Browser Timestamps, Internet Explorer; Edge; Firefox; Forensic Challenge
Chrome; Examining of Browser Artifacts; Tools Used

Online Training
Summit Events Mentor Events OnDemand
Complete this course anywhere, anytime, at your
DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1 Seattle, WA . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jun 18 - Aug 6
own pace, with four months of online access in the
OnDemand platform.
Community Events Private Training
This course is also available through Private Training.
Simulcast
Minneapolis, MN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jun 3-8
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
Tempe, AZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 22-27 65
 FOR518: Mac and iOS Forensic Analysis
and Incident Response

6 36 Laptop Digital forensic and incident response investigators have traditionally dealt with Windows
Day Program CPEs Required machines, but what if they find themselves in front of a new Apple Mac or iDevice? The
increasing popularity of Apple devices can be seen everywhere, from coffee shops to
corporate boardrooms. Dealing with these devices as an investigator is no longer a niche
You Will Be Able To skill – every analyst must have the core skills necessary to investigate the Apple devices
▐ Parse the HFS+ file system by hand, they encounter.
using only a cheat sheet and a hex
editor Times and trends change and forensic investigators and analysts need to change with
▐ Determine the importance of each file them. The new FOR518: Mac Forensic Analysis course provides the tools and techniques
system domain necessary to take on any Mac case without hesitation. The intense, hands-on forensic
▐ Conduct temporal analysis of a system analysis skills taught in the course will enable Windows-based investigators to broaden
by correlating data files and log analysis
their analysis capabilities and have the confidence and knowledge to comfortably
▐ Profile individuals’ usage of the system, analyze any Mac or iOS system.
including how often they used it, what
applications they frequented, and their This course will teach you:
personal system preferences
▐ Determine remote or local data
▐ Mac and iOS Fundamentals: How to analyze and parse the Hierarchical File System
backups, disk images, or other attached (HFS+) and Apple File System (APFS) by hand and recognize the specific domains of
devices the logical file system and Mac-specific file types.
▐ Find encrypted containers and FileVault ▐ User Activity: How to understand and profile users through their data files and
volumes, understand keychain data, and
crack Mac passwords preference configurations.
▐ Analyze and understand Mac metadata ▐ Advanced Intrusion Analysis and Correlation: How to determine how a system has
and their importance in the Spotlight been used or compromised by using the system and user data files in correlation
database, Time Machine, and Extended
Attributes
with system log files.
▐ Develop a thorough knowledge of the ▐ Apple Technologies: How to understand and analyze many Mac and iOS-specific
Safari Web Browser and Apple Mail technologies, including Time Machine, Spotlight, iCloud, Document Versions,
applications
FileVault, Continuity, and FaceTime.
▐ Identify communication with other users
and systems through iChat, Messages, FOR518: Mac and iOS Forensic Analysis and Incident Response aims to train a well-
FaceTime, Remote Login, Screen Sharing, rounded investigator by diving deep into forensic and intrusion analysis of Mac and
and AirDrop
iOS. The course focuses on topics such as the HFS+ and APFS file systems, Mac-specific
▐ Conduct an intrusion analysis of a Mac data files, tracking of user activity, system configuration, analysis and correlation of Mac
for signs of compromise or malware
infection logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who
completes this course will have the skills needed to take on a Mac or iOS forensics case.
▐ Acquire and analyze memory from Mac
systems FORENSICATE DIFFERENTLY!
▐ Acquire iOS and analyze devices in-
depth

SEC518 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Summit Events OnDemand
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.
Private Training
This course is also available through Private Training.
66
Course Day
Descriptions

DAY 1: Mac and iOS Essentials DAY 2: File Systems & System Triage Who Should Attend
This section introduces the student to Mac and iOS The building blocks of Mac and iOS forensics start with a ▐ Experienced digital
essentials such as acquisition, timestamps, logical file thorough understanding of the HFS+. Utilizing a hex editor, forensic analysts
system, and disk structure. Acquisition fundamentals students will learn the basic principles of the primary file who want to solidify
are the same with Mac and iOS devices, but there are a system implemented on MacOS systems. The students and expand their
few tips and tricks that can be used to successfully and will then use that information to look at a variety of great understanding of file
easily collect Mac and iOS systems for analysis. Students artifacts that use the file system and that are different from system forensics and
comfortable with Windows forensic analysis can easily other operating systems students have seen in the past. advanced Mac analysis
learn the slight differences on a Mac system – the data are Rounding out the day, students will review Mac and iOS ▐ Law enforcement officers,
the same, only the format differs. triage data.
federal agents, and
Topics: Apple Essentials; Mac Essentials and Acquisition; Topics: File System; Extended Attributes; File System Events detectives who want
Disks & Partitions; iOS Essentials and iOS Acquisition Store Database; Spotlight; Mac and iOS Triage; Most Recently to master advanced
Used (MRU) computer forensics and
expand their investigative
skill set
DAY 3: User Data, System Configuration, DAY 4: Application Data Analysis
Media exploitation
and Log Analysis In addition to all the configuration and preference
▐
analysts who need to
information found in the User Domain, the user can interact
This section contains a wide array of information that can know where to find the
with a variety of native Apple applications, including the
be used to profile and understand how individuals use critical data they need
Internet, email, communication, photos, locational data, etc.
their computers. The logical Mac file system is made up from a Mac system
These data can provide analysts with the who, what, where,
of four domains: User, Local, System, and Network. The
why, and how for any investigation. This section will explore ▐ Incident response team
User Domain contains most of the user-related items of
the various databases and other files where data are being members who are
forensic interest. This domain consists of user preferences
stored. The student will be able to parse this information by responding to complex
and configurations. The System and Local Domains
hand without the help of a commercial tool parser. security incidents and/
contain system-specific information such as application
installation, system settings and preferences, and system Topics: Application Permissions; Native Application or intrusions from
logs. This section details basic system information, GUI Fundamentals; Safari Browser; Apple Mail; Communication; sophisticated adversaries
preferences, and system application data. A basic analysis Calendar and Reminders; Contacts; Notes; Photos; Maps; and need to know what
of system logs can give a good understanding of how a Location Data; Apple Watch; Third-Party Apps; Apple Pay, to do when examining a
system was used or abused. Timeline analysis tells the Wallet, Passes compromised system
story of how the system was used. Each entry in a log file ▐ Information security
has a specific meaning and may be able to tell how the professionals who want
user interacted with the computer. The log entries can be to become knowledgeable
correlated with other data found on the system to create with Mac OS X and iOS
an in-depth timeline that can be used to solve cases system internals
quickly and efficiently. Analysis tools and techniques will ▐ SANS FOR500, FOR508,
be used to correlate the data and help the student put the
FOR526, FOR585, and
story back together in a coherent and meaningful way.
FOR610 alumni looking to
Topics: User Data and System Configuration; Log Parsing round out their forensic
and Analysis; Timeline Analysis and Data Correlation skills

DAY 5: Advanced Analysis Topics DAY 6: Mac Forensics & Incident Response
Mac systems implement some technologies that are Challenge
available only to those with Mac and iOS devices. These
Students will put their new Mac forensics skills to the test
include data backup with Time Machine, Document
by running through a real-life scenario with team members.
Versions, and iCloud; and disk encryption with FileVault.
Other advanced topics include data hidden in encrypted Topics: In-Depth File System Examination; File System
containers, live response, Mac intrusion and malware Timeline Analysis; Advanced Computer Forensics
analysis, and Mac memory analysis. Methodology; Mac Memory Analysis; File System Data
Analysis; Metadata Analysis; Recovering Key Mac Files;
Topics: Live Response; Time Machine; OS X Malware and
Volume and Disk Image Analysis; Analysis of Mac
Intrusion Analysis; iCloud; Versions; Memory Acquisitions
Technologies including Time Machine, Spotlight, and
and Analysis; Password Cracking and Encrypted Containers
FileVault; Advanced Log Analysis and Correlation; iDevice
Analysis and iOS Artifacts

“We have a primarily Mac OS environment and I don’t think I could

find a tenth of this information through my own research.”
-Kevin Neely, Pure Storage

67
 FOR526: Advanced Memory Forensics & Threat Detection

6 45 Laptop Digital Forensics and Incident Response (DFIR) professionals need Windows memory
Day Program CPEs Required forensics training to be at the top of their game. Investigators who do not look at volatile
memory are leaving evidence at the crime scene. RAM content holds evidence of user
actions, as well as evil processes and furtive behaviors implemented by malicious code.
What You Will Receive It is this evidence that often proves to be the smoking gun that unravels the story of what
▐ SIFT Workstation 3 happened on a system.
This course extensively uses the
SIFT Workstation 3 to teach incident FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital
responders and forensic analysts how to
forensics examiners and incident responders to successfully perform live system memory
respond to and investigate sophisticated
attacks. SIFT contains hundreds of free triage and analyze captured memory images. The course uses the most effective freeware
and open-source tools, easily matching and open-source tools in the industry today and provides an in-depth understanding of
any modern forensic and incident how these tools work. FOR526 is a critical course for any serious DFIR investigator who
response commercial tool suite.
wants to tackle advanced forensics, trusted insider, and incident response cases.
- Ubuntu LTS base
- 64 bit-based system In today’s forensics cases, it is just as critical to understand memory structures as it is to
- Better memory utilization understand disk and registry structures. Having in-depth knowledge of Windows memory
- Auto-DFIR package update and internals allows the examiner to access target data specific to the needs of the case at
customizations hand. For those investigating platforms other than Windows, this course also introduces
- Latest forensic tools and techniques OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.
- VMware Appliance ready to tackle
forensics There is an arms race between analysts and attackers. Modern malware and post-
- Cross-compatibility between Linux exploitation modules increasingly employ self-defense techniques that include more
and Windows sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert
- Expanded filesystem support (NTFS, volatile data. Examiners must have a deeper understanding of memory internals in order
HFS, EXFAT, and more)
to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best
▐ Windows 8.1 Workstation with license
practices and recommendations from experts in the field to guide DFIR professionals
- 64 bit-based system
through acquisition, validation, and memory analysis with real-world and malware-laden
- A licensed virtual machine loaded
with the latest forensic tools
memory images.
- VMware Appliance ready to tackle FOR526:Memory Forensics In-Depth will teach you:
forensics
▐ Proper Memory Acquisition: Demonstrate targeted memory capture ensuring data
▐ 32 GB Course USB 3.0
integrity and overcoming obstacles to acquisition/anti-acquisition behaviors
- USB loaded with memory captures,
SIFT Workstation 3, tools, and ▐ How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level
documentation rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated
▐ SANS Memory Forensics Exercise persistence mechanisms
Workbook ▐ Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-
- Exercise book is over 200 pages low level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot
long with detailed step-by-step
anomalous behavior
instructions and examples to help
you become a master incident ▐ Best Practice Techniques: Learn when to implement triage, live system analysis, and
responder alternative acquisition techniques and how to devise custom parsing scripts for
▐ SANS DFIR cheat sheets to help use the targeted memory analysis
tools
MALWARE CAN HIDE, BUT IT MUST RUN
▐ MP3 audio files of the complete course
lecture

FOR526 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Private Training OnDemand
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Summit Events OnDemand platform.

DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1 Simulcast

Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
68 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7
Course Day
Descriptions

DAY 1: Foundations in Memory Analysis DAY 2: Unstructured Analysis and Process Who Should Attend
and Acquisition Exploration ▐ Incident response team
members
Simply put, memory analysis has become a required skill Structured memory analysis using tools that identify and
for all incident responders and digital forensics examiners. interpret operating system structures is certainly powerful. ▐ Experienced digital
Regardless of the type of investigation, system memory and However, many remnants of previously allocated memory forensic analysts
its contents often expose the first piece of the evidential remain available for analysis, and they cannot be parsed ▐ Red team members,
thread that, when pulled, unravels the whole picture through structure identification. What tools are best
penetration testers, and
of what happened on the target system. Where is the for processing fragmented data? Unstructured analysis
exploit developers
malware? How did the machine get infected? Where did tools! They neither know nor care about operating system
the attacker move laterally? Or what did the disgruntled structures. Instead, they examine data, extracting findings ▐ Law enforcement officers,
employee do on the system? What lies in physical memory using pattern matching. You will learn how to use Bulk federal agents, and
can provide answers to all of these questions and more. Extractor to parse memory images and extract investigative detectives
Topics: Why Memory Forensics?; Investigative leads such as email addresses, network packets, and more. ▐ SANS FOR508 and SEC504
Methodologies; The Ubuntu SIFT and Windows 10 Topics: Unstructured Memory Analysis; Page File Analysis; graduates
Workstations; The Volatility Framework; System Exploring Process Structures; List Walking and Scanning; ▐ Forensics investigators
Architectures; Triage versus Full Memory Acquisition; Pool Memory; Exploring Process Relationships; Exploring
Physical Memory Acquisition DLLs; Kernel Objects

DAY 3: Investigating the User via Memory DAY 4: Internal Memory Structures
Artifacts Day 4 focuses on introducing some internal memory
structures (such as drivers), Windows memory table
An incident responder (IR) is often asked to triage a system
structures, and extraction techniques for portable
because of a network intrusion detection system alert. The
executables. As we come to the final steps in our
Security Operations Center makes the call and requires
investigative methodology, “Spotting Rootkit Behaviors”
more information due to outbound network traffic from
and “Extracting Suspicious Binaries,” it is important to
an endpoint and the IR team is asked to respond. In this
emphasize again the rootkit paradox. The more malicious
section, we cover how to enumerate active and terminated
code attempts to hide itself, the more abnormal and
TCP connections – selecting the right plugin for the job
seemingly suspicious it appears. We will use this concept to
based on the OS version.
evaluate some of the most common structures in Windows
Topics: Network Connections; Virtual Address Descriptors;
Detecting Injected Code; Analyzing the Registry via Memory
memory for hooking, the IDTs and SSDTs. “FOR526 is the best
Topics: Interrupt Descriptor Tables; System Service
Analysis; User Artifacts in Memory
Descriptor Tables; Drivers; Direct Kernel Object
training I’ve had in
Manipulation; Module Extraction; Hibernation Files; Crash years. I’m learning
Dump Files
many new tools and
DAY 5: Memory Analysis on Platforms DAY 6: Memory Analysis Challenges methodologies and
Other than Windows This final course section provides students with a direct using them in labs
memory forensics challenge that makes use of the DFIR
Windows systems may be the most prevalent platform
encountered by forensic examiners today, but most
NetWars Tournament platform. Your memory analysis skills immediately.”
are put to the test with a variety of hands-on scenarios
enterprises are not homogeneous. Forensic examiners and -Josh Burbank,
involving hibernation files, Crash Dump files, and raw
incident responders are best served by having the skills to Northrop Grumman
memory images, reinforcing techniques covered in the first
analyze the memory of multiple platforms, including Linux
five sections of the course. These challenges strengthen
and Mac—that is, platforms other than Windows.
students’ ability to respond to typical and atypical
Topics: Linux Memory Acquisition and Analysis; Mac memory forensics challenges from all types of cases, from
Memory Acquisition and Analysis investigating the user to isolating the malware. By applying
the techniques learned earlier in the course, students
consolidate their knowledge and can shore up skill areas
where they feel they need additional practice.
Topics: Malware and Rootkit Behavior Detection; Persistence
Mechanism Identification; Code Injection Analysis; User
Activity Reconstruction; Linux Memory Image Parsing; Mac
OSX Memory Image Parsing; Windows Hibernation File
Conversion and Analysis; Windows Crash Dump Analysis
(Using Windows Debugger)

“This training is a must for learning the foundations of memory

forensics and becoming efficient at it. Highly recommended.”
-Hugo Gabignon, Amazon

69
 GCTI
FOR578: Cyber Threat Intelligence Cyber Threat
Intelligence
www.giac.org/gcti

5 30 Laptop Every security practitioner should attend FOR578: Cyber Threat Intelligence course. This course
Day Program CPEs Required is unlike any other technical training you have experienced. It focuses on structured analysis in
order to establish a solid foundation for any security skillset and to amplify existing skills. The
course will help practitioners from across the security spectrum to:
Who Should Attend ▐ Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
▐ Security practitioners
▐ Identify and create intelligence requirements through practices such as threat modeling
▐ Incident response team members
▐ Threat hunters
▐ Understand and develop skills in tactical, operational, and strategic-level threat intelligence
▐ Security Operations Center personnel ▐ Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
and information security practitioners ▐ Learn the different sources to collect adversary data and how to exploit and pivot off of it
▐ Digital forensic analysts and malware
analysts
▐ Validate information received externally to minimize the costs of bad intelligence
▐ Federal agents and law enforcement ▐ Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
officials ▐ Move security maturity past IOCs into understanding and countering the behavioral
▐ Technical managers tradecraft of threats
▐ SANS alumni looking to take their ▐ Establish structured analytical techniques to be successful in any security role
analytical skills to the next level
It is common for security practitioners to call themselves analysts. But how many of us have
taken structured analysis training instead of simply attending technical training? Both are
important, but very rarely do analysts focus on training on analytical ways of thinking. This
course exposes analysts to new mindsets, methodologies, and techniques that will complement
their existing knowledge as well as establish new best practices for their security teams. Proper
analysis skills are key to the complex world that defenders are exposed to on a daily basis.
The analysis of an adversary’s intent, opportunity, and capability to do harm is known as
cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from
a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or
requirement of an organization. This collection, classification, and exploitation of knowledge
about adversaries gives defenders an upper hand against adversaries and forces defenders to
“This course provides learn and evolve with each subsequent intrusion they face.

great value as it focuses Cyber threat intelligence thus represents a force multiplier for organizations looking to
establish or update their response and detection programs to deal with increasingly
on collection of data and sophisticated threats. Malware is an adversary’s tool, but the real threat is the human one, and
modeling and how to use cyber threat intelligence focuses on countering those flexible and persistent human threats
frameworks to build out with empowered and trained human defenders.

capabilities.” Knowledge about the adversary is core to all security teams. The red team needs to understand
adversaries’ methods in order to emulate their tradecraft. The Security Operations Center
-Aaron Bostwick, General Atomics
needs to know how to prioritize intrusions and quickly deal with those that need immediate
attention. The incident response team needs actionable information on how to quickly scope
and respond to targeted intrusions. The vulnerability management group needs to understand
which vulnerabilities matter most for prioritization and the risk that each one presents. The
threat hunting team needs to understand adversary behaviors to search out new threats.
In other words, cyber threat intelligence informs all security practices that deal with
adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your
organization with the tactical, operational, and strategic-level cyber threat intelligence skills
and tradecraft required to better understand the evolving threat landscape and to accurately
and effectively counter those threats.

FOR578 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . .Sep 23-27 Summit Events
Chicago . . . . . . . . . . . . . . Chicago, IL . . . . . . . . . . .Aug 19-23 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-8 DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . . . Jul 27-31

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 San Francisco Winter . . San Francisco, CA . . . . . . Dec 2-6 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . .Oct 2-6

Private Training
This course is also available through Private Training.
70
Course Day
Descriptions

DAY 1: Cyber Threat Intelligence and DAY 2: The Fundamental Skill Set: DAY 3: Collection Sources
Requirements Intrusion Analysis Cyber Threat Intelligence analysts must be
able to interrogate and fully understand their
Cyber threat intelligence is a rapidly growing Intrusion analysis is at the heart of threat
collection sources. Analysts do not have to be
field. However, intelligence was a profession intelligence. It is a fundamental skill set for any
malware reverse engineers, as an example, but
long before the word “cyber” entered the security practitioner who wants to use a more
they must at least understand that work and
lexicon. Understanding the key points regarding complete approach to addressing security. Two of
know what data can be sought. This section
intelligence terminology, tradecraft, and impact the most commonly used models for assessing
continues from the previous one in identifying
is vital to understanding and using cyber adversary intrusions are the “kill chain” and
key collection sources for analysts. There is also a
threat intelligence. This section introduces the “Diamond Model.” These models serve as a
lot of available information on what is commonly
students to the most important concepts of framework and structured scheme for analyzing
referred to as open-source intelligence (OSINT).
intelligence, analysis tradecraft, and levels of intrusions and extracting patterns such as
In this course section students will learn to seek
threat intelligence, and the value they can add adversary behaviors and malicious indicators.
and exploit information from Domains, External
to organizations. It also focuses on getting In this section students will participate in and
Datasets, Transport Layer Security/Secure Sockets
your intelligence program off to the right start be walked through multi-phase intrusions from
Layer (TLS/SSL) Certificates, and more while also
with planning, direction, and the generation of initial notification of adversary activity to the
structuring the data to be exploited for purposes
intelligence requirements. As with all sections, the completion of analysis of the event. The section
of sharing internally and externally.
day includes immersive hands-on labs to ensure also highlights the importance of this process
that students have the ability to turn theory into in terms of structuring and defining adversary Topics: Case Study: Axiom; Collection Source:
practice. campaigns. Domains; Case Study: GlassRAT; Collection
Source: External Datasets; Collection Source: TLS
Topics: Case Study: Carbanak, The Great Topics: Primary Collection Source: Intrusion
Certificates; Case Study: Trickbots; Exploitation:
Bank Robbery; Understanding Intelligence; Analysis; Kill Chain Courses of Action; Kill
Storing and Structuring Data
Understanding Cyber Threat Intelligence; Threat Chain Deep Dive; Handling Multiple Kill Chains;
Intelligence Consumption; Positioning the Team Collection Source: Malware
to Generate Intelligence; Planning and Direction
(Developing Requirements)

DAY 4: Analysis and Dissemination DAY 5: Higher-Order Analysis and

of Intelligence Attribution
Many organizations seek to share intelligence A core component of intelligence analysis at any
but often fail to understand its value, its level is the ability to defeat biases and analyze
limitations, and the right formats to choose information. The skills required to think critically
for each audience. Additionally, indicators and are exceptionally important and can have an
information shared without analysis are not organization-wide or national-level impact. In
intelligence. Structured analytical techniques this course section, students will learn about “This course gives a very
such as the Analysis of Competing Hypotheses logical fallacies and cognitive biases as well as
can help add considerable value to intelligence how to defeat them. They will also learn about smart and structured
before it is disseminated. This section will focus nation-state attribution, including when it can
on identifying both open-source and professional be of value and when it is merely a distraction.
approach to Cyber Threat
tools that are available for students as well as Students will also learn about nation-state-level Intelligence, something that
on sharing standards for each level of cyber attribution from previously identified campaigns
threat intelligence both internally and externally. and take away a more holistic view of the cyber the global community has
Students will learn about YARA and generate threat intelligence industry to date. The class been lacking to date.”
YARA rules to help incident responders, security will finish with a discussion on consuming
operations personnel, and malware analysts. threat intelligence and actionable takeaways for -John Geary, Citigroup
Students will gain hands-on experience with STIX students to make significant changes in their
and understand the CybOX and TAXII frameworks organizations once they complete the course.
for sharing information between organizations. Topics: Logical Fallacies and Cognitive Biases;
Finally, the section will focus on building the Dissemination: Strategic Case Study: Stuxnet; Fine-
singular intrusions into campaigns and being able Tuning Analysis; Case Study: Sofacy; Attribution
to communicate about those campaigns.
Topics: Analysis: Exploring Hypotheses; Analysis:
Building Campaigns; Dissemination: Tactical; Case
Study: Sony Attack; Dissemination: Operational

Online Training
OnDemand vLive
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . .Jul 16 - Aug 15
own pace, with four months of online access in the
OnDemand platform.

71
 FOR585: Smartphone Forensic Analysis GASF
Advanced Smartphone

In-Depth Forensics
www.giac.org/gasf

6 36 Laptop FOR585: Smartphone Forensic Analysis In-Depth will help you understand:
Day Program CPEs Required ▐ Where key evidence is located on a smartphone

▐ How the data got onto the smartphone

▐ How to recover deleted mobile device data that forensic tools miss
You Will Be Able To ▐ How to decode evidence stored in third-party applications
▐ Select the most effective forensic tools, ▐ How to detect, decompile, and analyze mobile malware and spyware
techniques, and procedures for critical
▐ Advanced acquisition terminology and free techniques to gain access to data on smartphones
analysis of smartphone data
▐ How to handle locked or encrypted devices, applications, and containers
▐ Reconstruct events surrounding a crime
using information from smartphones, SMARTPHONES HAVE MINDS OF THEIR OWN. DON’T MAKE THE MISTAKE OF REPORTING
including timeline development and link
analysis (e.g., who communicated with SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY.
whom, where, and when) IT’S TIME TO GET SMARTER!
▐ Understand how smartphone file systems A smartphone lands on your desk and you are tasked with determining if the user was
store data, how they differ, and how the at a specific location at a specific date and time. You rely on your forensic tools to dump
evidence will be stored on each device
and parse the data. The tools show location information tying the device to the place of
▐ Interpret file systems on smartphones interest. Are you ready to prove the user was at that location? Do you know how to take
and locate information that is not
generally accessible to users this further to place the subject at the location of interest at that specific date and time?
Tread carefully, because the user may not have done what the tools are showing!
▐ Identify how the evidence got onto the
mobile device – we’ll teach you how to Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security
know if the user created the data, which threats, accident reconstruction, and more. Understanding how to leverage the data from
will help you avoid the critical mistake of
reporting false evidence obtained from the device in a correct manner can make or break your case and your future as an expert.
tools FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.
▐ Incorporate manual decoding techniques Every time the smartphone thinks or makes a suggestion, the data are saved. It’s easy to
to recover deleted data stored on get mixed up in what the forensic tools are reporting. Smartphone forensics is more than
smartphones and mobile devices
pressing the find evidence button and getting answers. Your team cannot afford to rely
▐ Tie a user to a smartphone at a specific
solely on the tools in your lab. You have to understand how to use them correctly to guide
date/time and at various locations
your investigation, instead of just letting the tool report what it believes happened on the
▐ Recover hidden or obfuscated
communication from applications on
device. It is impossible for commercial tools to parse everything from smartphones and
smartphones understand how the data were put on the device. Examination and interpretation of the
▐ Decrypt or decode application data that data is your job and this course will provide you and your organization with the capability
are not parsed by your forensic tools to find and extract the correct evidence from smartphones with confidence.
▐ Detect smartphones compromised by This in-depth smartphone forensic course provides examiners and investigators with
malware and spyware using forensic advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered
methods
from mobile devices. The course features 27 hands-on labs, a forensic challenge, and
▐ Decompile and analyze mobile malware a bonus take-home case that allow students to analyze different datasets from smart
using open-source tools
devices and leverage the best forensic tools, methods, and custom scripts to learn how
▐ Handle encryption on smartphones and
smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is
bypass, crack, and/or decode lock codes
manually recovered from smartphones, designed to teach you a lesson that can be applied to other smartphones. You will gain
including cracking iOS backup files that experience with the different data formats on multiple platforms and learn how the data
were encrypted with iTunes are stored and encoded on each type of smart device. The labs will open your eyes to
what you are missing by relying 100% on your forensic tools.
Smartphone technologies are constantly changing, and most forensic professionals are
unfamiliar with the data formats for each technology. Take your skills to the next level: it’s
time for the good guys to get smarter and for the bad guys to know that their smartphone
activity can and will be used against them!
SMARTPHONE DATA CAN’T HIDE FOREVER – IT’S TIME TO OUTSMART THE MOBILE DEVICE!

FOR585 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9 Mentor Events
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . .Jul 15-20 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 Mexico City, Mexico . . . . . . . . . . . . . . . . . . . . . Jun 15 - Jul 20

Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30

Summit Events Private Training
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 This course is also available through Private Training.
DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1
Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . Sep 23-28
72
Course Day
Descriptions

DAY 1: Smartphone Overview, Misfit Devices, DAY 2: Android Forensics Who Should Attend
SQLite Introduction, and Android Forensics Android devices are among the most ▐ Experienced digital forensic analysts
widely used smartphones in the world,
Overview which means they will surely be part of
▐ Media exploitation analysts
Although smartphone forensic concepts are similar to those of an investigation that will come across ▐ Information security professionals
digital forensics, smartphone file system structures differ and your desk. Unfortunately, gaining access ▐ Incident response teams
require specialized decoding skills to correctly interpret the data to these devices isn’t as easy as it used to
acquired from the device. On this first course day, students will be. Android devices contain substantial
▐ Law enforcement officers, federal
apply what they know to smartphone forensic handling, device amounts of data that can be decoded agents, and detectives
capabilities, acquisition methods, misfit devices, SQLite database and interpreted into useful information. ▐ Accident reconstruction investigators
examination, and query development. They’ll also gain an However, without honing the appropriate
overview of Android devices and manually crack locked Androids. ▐ IT auditors
skills to bypass locked Androids and
Students will become familiar with the forensic tools required correctly interpret the data stored on them, ▐ Graduates of SANS SEC575, SEC563,
to complete comprehensive examinations of smartphone data you will be unprepared for the rapidly FOR500, FOR508, FOR572, FOR526,
structures. We realize that not everyone examines BlackBerry evolving world of smartphone forensics. FOR610, or FOR518 who want to take
and knock-off devices, which is why we offer “choose your own Android backups can be created for their skills to the next level
adventure” labs, meaning that students can select the labs most forensic analysis or by a user. Smartphone
relevant to them. BlackBerry 10 smartphones are designed to examiners need to understand the file
protect user privacy, but techniques taught on this course day will
enable the investigator to go beyond what the tools decode and
structures and how to parse these data. “Really useful to know the
Additionally, Android and Google cloud data
manually recover data residing in database files of BlackBerry 10 store tons of valuable information. You will differences in the tools
device file systems. Knock-off devices are another outlier than can find Google artifacts from iOS users as well.
be parsed and decoded once you become familiar with the file used and how to explore
Topics: Android Acquisition Considerations;
system structures. and analyze the data in a
Android File System Structures; Android
Topics: The SIFT Workstation; Introduction to Smartphones; Evidentiary Locations; Traces of User
Smartphone Handling; Forensic Acquisition Concepts of Activity on Android Devices; Android Backup
safe environment.”
Smartphones; Smartphone Components; Smartphone Forensic Files; Google Cloud Data and Extractions -Nageen Mirza, Deloitte
Tool Overview; Blackberry 10 Forensics, Introduction to SQLite;
Android Forensic Overview; Handling Locked Android Devices

DAY 3: iOS Device Forensics DAY 4: iOS Backups, Malware and Spyware Forensics, and
Apple iOS devices contain substantial amounts of data (including deleted Detecting Evidence Destruction
records) that can be decoded and interpreted into useful information.
iOS backups are extremely common and are found in the cloud and on hard
Proper handling and parsing skills are needed for bypassing locked iOS
drives. Users create backups, and we often find that our best data can be derived
devices and correctly interpreting the data. Without iOS instruction, you
from creating an iOS backup for forensic investigation. This section will cover
will be unprepared to deal with the iOS device that will likely be a major
methodologies to extract backups and cloud data and analyze the artifacts for
component in a forensic investigation.
each. Malware affects a plethora of smartphone devices. We will examine various
Topics: iOS Forensic Overview and Acquisition; iOS File System Structures; types of malware, how it exists on smartphones, and how to identify and analyze
iOS Evidentiary Locations; Handling Locked iOS Devices; Traces of User it. Most commercial smartphone tools help you identify malware, but none of
Activity on iOS Devices them will allow you to tear down the malware to the level we cover in class. Up
to five labs will be conducted on this day alone! The day ends with the students
challenging themselves using tools and methods learned throughout the week to
DAY 5: Third-Party Application Analysis
recover user data from a wiped smartphone.
This day starts with third-party applications across all smartphones and
Topics: iOS Backup File Forensics; Locked iOS Backup Files; iCloud Data Extraction
is designed to teach students how to leverage third-party application
and Analysis; Malware and Spyware Forensics; Detecting Evidence Destruction
data and preference files to support an investigation. The rest of the
day focuses heavily on secure chat applications, recovery of deleted
application data and attachments, mobile browser artifacts, and knock-off DAY 6: Smartphone Forensics Capstone Exercise
phone forensics. The skills learned in this section will provide you with This final course day will test all that you have learned during the course.
advanced methods for decoding data stored in third-party applications Working in small groups, students will examine three smartphone devices and
across all smartphones. We will show you what the commercial tools miss solve a scenario relating to a real-world smartphone forensic investigation. Each
and teach you how to recover these artifacts yourself. group will independently analyze the three smartphones, manually decode data,
Topics: Third-Party Applications Overview; Third-Party Application Artifacts; answer specific questions, form an investigation hypothesis, develop a report,
Messaging Applications and Recovering Attachments; Mobile Browsers; and present findings.
Secure Chat Applications Topics: Identification and Scoping; Forensic Examination; Forensic Reconstruction

Online Training
OnDemand Simulcast
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
own pace, with four months of online access in the
OnDemand platform.

73
 FOR610: Reverse-Engineering Malware: GREM
Reverse Engineering

Malware Analysis Tools and Techniques Malware

www.giac.org/grem

6 36 Laptop Learn to turn malware inside out! This popular course explores malware analysis
Day Program CPEs Required tools and techniques in depth. FOR610 training has helped forensic investigators,
incident responders, security engineers, and IT administrators acquire the practical
skills to examine malicious programs that target and infect Windows systems.
You Will Be Able To
Understanding the capabilities of malware is critical to an organization’s ability
▐ Build an isolated, controlled laboratory to derive threat intelligence, respond to information security incidents, and fortify
environment for analyzing code and
behavior of malicious programs
defenses. This course builds a strong foundation for reverse-engineering malicious
software using a variety of system and network monitoring utilities, a disassembler, a
▐ Employ network and system-monitoring
tools to examine how malware interacts with
debugger, and many other freely available tools.
the file system, registry, network, and other The course begins by establishing the foundation for analyzing malware in a way
processes in a Windows environment
that dramatically expands upon the findings of automated analysis tools. You will
▐ Uncover and analyze malicious JavaScript learn how to set up a flexible laboratory to examine the inner workings of malicious
and other components of web pages, which software, and how to use the lab to uncover characteristics of real-world malware
are often used by exploit kits for drive-by
attacks
samples. You will also learn how to redirect and intercept network traffic in the lab to
explore the specimen’s capabilities by interacting with the malicious program.
▐ Control relevant aspects of the malicious
program’s behavior through network traffic The course continues by discussing essential assembly language concepts relevant
interception and code patching to perform to reverse engineering. You will learn to examine malicious code with the help of
effective malware analysis
a disassembler and a debugger in order to understand its key components and
▐ Use a disassembler and a debugger to execution flow. In addition, you will learn to identify common malware characteristics
examine the inner workings of malicious by looking at suspicious Windows API patterns employed by malicious programs.
Windows executables
▐ Bypass a variety of packers and other Next, you will dive into the world of malware that thrives in the web ecosystem,
defensive mechanisms designed by malware exploring methods for assessing suspicious websites and de-obfuscating malicious
authors to misdirect, confuse and otherwise JavaScript to understand the nature of the attack. You will also learn how to analyze
slow down the analyst malicious Microsoft Office, RTF, and PDF files. Such documents act as a common
▐ Recognize and understand common infection vector as a part of mainstream and targeted attacks. You will also learn how
assembly-level patterns in malicious code, to examine “file-less” malware and malicious PowerShell scripts.
such as DLL injection and anti-analysis
measures Malware is often obfuscated to hinder analysis efforts, so the course will equip you
▐ Assess the threat associated with malicious with the skills to unpack executable files. You will learn how to dump such programs
documents, such as PDF and Microsoft Office from memory with the help of a debugger and additional specialized tools, and how
files to rebuild the files’ structure to bypass the packer’s protection. You will also learn
▐ Derive Indicators of Compromise (IOCs) from how to examine malware that exhibits rootkit functionality to conceal its presence on
malicious executables to strengthen incident the system, employing code analysis and memory forensics approaches to examining
response and threat intelligence efforts these characteristics.
FOR610 malware analysis training also teaches how to handle malicious software that
Who Should Attend attempts to safeguard itself from analysis. You will learn how to recognize and bypass
▐ Individuals who have dealt with incidents common self-defensive measures, including code injection, sandbox evasion, flow
involving malware and want to learn how misdirection, and other measures.
to understand key aspects of malicious
programs The course culminates with a series of Capture-the-Flag challenges designed to
reinforce the techniques learned in class and provide additional opportunities to
▐ Technologists who have informally
experimented with aspects of malware learn practical, hands-on malware analysis skills in a fun setting.
analysis and are looking to formalize and Hands-on workshop exercises are a critical aspect of this course. They enable you to
expand their expertise in this area
apply malware analysis techniques by examining malicious software in a controlled
▐ Forensic investigators and IT practitioners and systemic manner. When performing the exercises, you will study the supplied
looking to expand their skill sets and learn
specimens’ behavioral patterns and examine key portions of their code. To support
how to play a pivotal role in the incident
response process these activities, you will receive pre-built Windows and Linux virtual machines that
include tools for examining and interacting with malware.

FOR610 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 Summit Events
New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-30 DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9 DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19 THIR . . . . . . . . . . . . . . . . . New Orleans, LA . . . . . . . . Oct 2-7

N. VA Fall – Reston . . . . . Reston, VA . . . . . . Sep 30 - Oct 5

Private Training
This course is also available through Private Training.
74
Course Day
Descriptions

DAY 1: Malware Analysis DAY 2: Reversing Malicious Code DAY 3: Malicious Web and
Fundamentals Section two focuses on examining malicious Document Files
Windows executables at the assembly level.
Section one lays the groundwork for malware Section three focuses on examining malicious
You will discover approaches for studying inner
analysis by presenting the key tools and techniques web pages and documents, which adversaries
workings of a specimen by looking at it through
useful for examining malicious programs. You can use to directly perform malicious actions on
a disassembler and, at times, with the help of a
will learn how to save time by exploring Windows the infected system and launch attacks that lead
debugger. The section begins with an overview
malware in two phases. Behavioral analysis to the installation of malicious executable files.
of key code-reversing concepts and presents a
focuses on the program’s interactions with its The section begins by discussing how to examine
primer on essential x86 Intel assembly concepts,
environment, such as the registry, the network, suspicious websites that might host client-side
such as instructions, function calls, variables,
and the file system. Code analysis focuses exploits. Next, you will learn how to de-obfuscate
and jumps. You will also learn how to examine
on the specimen’s code and makes use of a malicious scripts with the help of script debuggers
common assembly constructs, such as functions,
disassembler and debugger tools such as IDA and interpreters, examine Microsoft Office macros,
loops, and conditional statements. The material
Pro and OllyDbg. You will learn how to set up a and assess the threats associated with PDF and
will then build on this foundation and expand
flexible laboratory to perform such analysis in a RTF files using several techniques.
your understanding to incorporate 64-bit
controlled manner, and set up such a lab on your Topics: Interacting with Malicious Websites to
malware, given its growing popularity. Throughout
laptop using the supplied Windows and Linux Assess the Nature of Their Threats; De-obfuscating
the discussion, you will learn to recognize
(REMnux) virtual machines. You will then learn Malicious JavaScript Using Debuggers and
common characteristics at a code level, including
how to use the key analysis tools by examining a Interpreters; Analyzing Suspicious PDF Files;
HTTP command and control, keylogging, and
malware sample in your lab—with guidance and Examining Malicious Microsoft Office Documents,
command execution.
explanations from the instructor—to reinforce the Including Files with Macros; Analyzing Malicious
concepts discussed throughout the day. Topics: Understanding Core x86 Assembly Concepts RTF Document Files
Topics: Assembling a Toolkit for Effective to Perform Malicious Code Analysis; Identifying Key
Malware Analysis; Examining Static Properties Assembly Logic Structures with a Disassembler;
of Suspicious Programs; Performing Behavioral Following Program Control Flow to Understand
Analysis of Malicious Windows Executables; Decision Points During Execution; Recognizing
Performing Static and Dynamic Code Analysis of Common Malware Characteristics at the Windows
Malicious Windows Executables; Interacting with API Level (Registry Manipulation, Keylogging, HTTP
Malware in a Lab to Derive Additional Behavioral Communications, Droppers); Extending Assembly
Characteristics Knowledge to Include x64 Code Analysis

DAY 4: In-Depth Malware Analysis DAY 5: Examining Self-Defending DAY 6: Malware Analysis Tournament
Section four builds on the approaches to Malware Section six assigns students to the role of a
behavioral and code analysis introduced malware analyst working as a member of an
Section five takes a close look at the techniques
earlier in the course, exploring techniques for incident response or forensics team. Students are
malware authors commonly employ to protect
uncovering additional aspects of the functionality presented with a variety of hands-on challenges
malicious software from being examined. You
of malicious programs. The section begins by involving real-world malware in the context of a fun
will learn how to recognize and bypass anti-
discussing how to handle packed malware. We tournament. These challenges further a student’s
analysis measures designed to slow you down
will examine ways to identify packers and strip ability to respond to typical malware-reversing
or misdirect you. In the process, you will gain
away their protection with the help of a debugger tasks in an instructor-led lab environment and offer
more experience performing static and dynamic
and other utilities. We will also walk through additional learning opportunities. Moreover, the
analysis of malware that is able to unpack or
the analysis of malware that employs multiple challenges are designed to reinforce skills covered
inject itself into other processes. You will also
technologies to conceal its true nature, including in the first five sections of the course, making use
expand your understanding of how malware
the use of registry, obfuscated JavaScript and of the hugely popular DFIR NetWars tournament
authors safeguard the data that they embed
PowerShell scripts, and shellcode. Finally, we will platform. By applying the techniques learned earlier
inside malicious executables. As with the other
learn how malware implements Usermode rootkit in the course, students solidify their knowledge and
topics covered throughout the course, you will be
functionality to perform code injection and API can shore up skill areas where they feel they need
able to experiment with such techniques during
hooking, examining this functionality from both additional practice. Students who score the highest
hands-on exercises.
code and memory forensics perspectives. in the malware analysis challenge will be awarded
Topics: How Malware Detects Debuggers and the coveted SANS Lethal Forensicator coin.
Topics: Recognizing Packed Malware; Getting
Protects Embedded Data; Unpacking Malicious
Started with Unpacking; Using Debuggers Topics: Behavioral Malware Analysis; Dynamic
Software that Employs Process Hollowing;
for Dumping Packed Malware from Memory; Malware Analysis (Using a Debugger); Static
Bypassing the Attempts by Malware to Detect
Analyzing Multi-Technology and Fileless Malware; Malware Analysis (Using a Disassembler);
and Evade the Analysis Toolkit; Handling Code
Code Injection and API Hooking; Using Memory JavaScript De-obfuscation; PDF Document Analysis;
Misdirection Techniques, including SEH and TLS
Forensics for Malware Analysis Office Document Analysis; Memory Analysis
Callbacks; Unpacking Malicious Executable by
Anticipating the Packer’s Actions

“The theory of this course in

Online Training
combination with the labs is
OnDemand Simulcast
a great introduction to the
Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 27 - Aug 1
own pace, with four months of online access in the possibilities and approaches one
OnDemand platform.
can take when fighting malware.”
-Max de Bruijn, Fox-IT
75
 MGT414: SANS Training Program for GISP
Information Security

CISSP® Certification Professional

www.giac.org/gisp

6 46 Laptop SANS MGT414: SANS Training Program for CISSP® Certification is an accelerated
Day Program CPEs Not Needed review course that is specifically designed to prepare students to successfully pass
the CISSP® exam.

You Will Be Able To MGT414 focuses solely on the eight domains of knowledge as determined by (ISC)2 that
form a critical part of the CISSP® exam. Each domain of knowledge is dissected into
▐ Understand the eight domains of
knowledge that are covered on the its critical components, and those components are then discussed in terms of their
CISSP® exam relationship with one another and with other areas of information security.
▐ Analyze questions on the exam and be
able to select the correct answer
After completing the course students will have:
▐ Apply the knowledge and testing skills
learned in class to pass the CISSP® exam ▐ Detailed coverage of the eight domains of knowledge
▐ Understand and explain all of the ▐ The analytical skills required to pass the CISSP® exam
concepts covered in the eight domains of
knowledge
▐ The technical skills required to understand each question
▐ Apply the skills learned across the eight ▐ The foundational information needed to become a Certified Information Systems
domains to solve security problems when Security Professional (CISSP®)
you return to work

External Product Notice:

The CISSP® exam itself is not hosted by SANS. You will need to make separate
arrangements to take the CISSP® exam. Please note as well that the GISP exam offered by
GIAC is NOT the same as the CISSP® exam offered by (ISC)2.

Author Statement
“The CISSP® certification has been around for nearly 25 years. The exam is designed to
“This training was a
test your understanding of the Common Body of Knowledge, which may be thought of as
comprehensive overview the universal language of information security professionals. It is often said to be a mile
of all topics covered in wide and two inches deep. The CISSP® exam covers a lot of theoretical information that
the CISSP® exam. All in is critical for a security professional to understand. However, this material can be dry, and
since most students do not see the direct applicability to their jobs, they find it boring.
attendance were there for
The goal of this course is to bring the 8 domains of knowledge of the CISSP® to life. The
a common goal, including practical workings of this information can be discovered by explaining important topics
the instructor. It was easy with stories, examples, and case studies. We challenge you to attend the SANS CISSP®
to follow, and the real- training course and find the exciting aspect of the 8 domains of knowledge!”
-Eric Conrad and Seth Misenar
world examples given
were priceless.”
-Ron Pinnock,
Navy Exchange Service Command

MGT414 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-22 Virginia Beach . . . . . . . . Virginia Beach, VA . . . Aug 25-30 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-19

Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . .Jul 15-20 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-23

Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 3 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . Sep 23-28 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . .Dec 2-7

San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-17 San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-12 San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7

Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-17 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
76
Course Day
Descriptions

DAY 1: Introduction; Security and Risk DAY 2: Asset Security and Security Who Should Attend
Management Engineering – Part 1 ▐ Security professionals
who are interested
On the first day of training for the CISSP® exam, MGT414 Understanding asset security is critical to building a solid
in understanding the
introduces the specific requirements needed to obtain information security program. The Asset Security domain,
concepts covered on
certification. The exam update will be discussed in detail. the initial focus of today’s course section, describes data
the CISSP® exam as
We will cover the general security principles needed to classification programs, including those used by both
determined by (ISC)2
understand the eight domains of knowledge, with specific governments and the military as well as the private sector.
examples for each domain. The first of the eight domains, We will also discuss ownership ranging from business/ ▐ Managers who want to
Security and Risk Management, is discussed using real- mission owners to data and system owners. We will examine understand the critical
world scenarios to illustrate the critical points. data retention and destruction in detail, including secure areas of information
Topics: Overview of CISSP® Certification; Introductory methods for purging data from electronic media. We then security
Material; Overview of the Eight Domains; Domain 1: Security turn to the first part of the Security Engineering domain, ▐ System, security, and
and Risk Management including new topics for the 2019 exam such as the Internet
network administrators
of Things, Trusted Platform Modules, Cloud Security, and
who want to understand
much more.
the pragmatic
Topics: Domain 2: Asset Security; Domain 3: Security applications of the CISSP®
Engineering (Part 1) eight domains
▐ Security professionals
DAY 3: Security Engineering – Part 2; DAY 4: Identity and Access Management and managers looking for
practical ways the eight
Communication and Network Security Controlling access to data and systems is one of the primary
domains of knowledge
objectives of information security. Domain 5, Identity
This course section continues the discussion of the can be applied to their
and Access Management, strikes at the heart of access
Security Engineering domain, including a deep dive into current job
control by focusing on identification, authentication, and
cryptography. The focus is on real-world implementation
authorization of accounts. Password-based authentication
of core cryptographic concepts, including the three types
represents a continued weakness, so Domain 5 stresses
of cryptography: symmetric, asymmetric, and hashing.
multi-factor authentication, biometrics, and secure
Salts are discussed, as well as rainbow tables. We will
credential management. The CISSP® exam underscores
round out Domain 3 with a look at physical security
the increased role of external users and service providers,
before turning to Domain 4, Communication and Network
and mastery of Domain 5 requires an understanding of
Security. The discussion will cover a range of protocols and
federated identity, SSO, SAML, and third-party identity and
technologies, from the Open Systems Interconnection (OSI)
authorization services like Oauth and OpenID.
model to storage area networks.
Topics: Domain 5: Identity and Access Management
Topics: Domain 3: Security Engineering (Part 2); Domain 4:
Communication and Network Security

“Great discussions
DAY 5: Security Assessment and Testing; DAY 6: Software Development Security
Security Operations Domain 8 (Software Development Security) describes and examples that
This course section covers Domain 6 (Security Assessment)
the requirements for secure software. Security should provide a clear
be “baked in” as part of network design from day one,
and Domain 7 (Security Operations). Security Assessment
covers types of security tests, testing strategies,
since it is always less effective when it is added later to a understanding and
poor design. We will discuss classic development models,
and security processes. Security Operations covers
including waterfall and spiral methodologies. We will then relate material to
investigatory issues, including eDiscovery, logging and
monitoring, and provisioning. We will discuss cutting-edge
turn to more modern models, including agile software examples.”
development methodologies. New content for the CISSP®
technologies such as the cloud, and we’ll wrap up day five
with a deep dive into disaster recovery.
exam update will be discussed, including DevOps. We -Kelley ONeil, Wells Fargo
will wrap up this course section by discussing security
Topics: Domain 6: Security Assessment; Domain 7: vulnerabilities, secure coding strategies, and testing
Security Operations methodologies.
Topics: Domain 8: Software Development Security

Online Training
Community Events Private Training OnDemand
Austin, TX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13 This course is also available through Private Training. Complete this course anywhere, anytime, at your
Atlanta, GA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 22-27 own pace, with four months of online access in the
OnDemand platform.
Chicago, IL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-17
St. Louis, MO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Aug 19-24 Simulcast
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 15-20
77
 MGT514: Security Strategic Planning, Policy, GSTRT
Strategic Planning,

and Leadership Policy & Leadership

www.giac.org/gstrt

5 30 Laptop As security professionals we have seen the landscape change. Cybersecurity is now
Day Program CPEs Not Needed more vital and relevant to the growth of your organization than ever before. As a result,
information security teams have more visibility, more budget, and more opportunity.
However, with this increased responsibility comes more scrutiny.
You Will Be Able To
▐ Develop security strategic plans This course gives you tools to become a security business leader who can build and
that incorporate business and execute strategic plans that resonate with other business executives, create effective
organizational drivers information security policy, and develop management and leadership skills to better lead,
▐ Develop and assess information inspire, and motivate your teams.
security policy
▐ Develop Strategic Plans
▐ Use management and leadership
techniques to motivate and inspire Strategic planning is hard for IT and IT security professionals because we spend so
your teams much time responding and reacting. We almost never do strategic planning until we
get promoted to a senior position and then we are not equipped with the skills we
need to run with the pack. MGT514 will teach you how to develop strategic plans that
resonate with other IT and business leaders.
▐ Create Effective Information Security Policy
Policy is a manager’s opportunity to express expectations for the workforce, set the
boundaries of acceptable behavior, and empower people to do what they ought to be
doing. It is easy to get wrong. Have you ever seen a policy and your response was, “No
way, I am not going to do that!” Policy must be aligned with an organization’s culture.
We will break down the steps to policy development so that you have the ability to
design and assess policy to successfully guide your organization.
▐ Develop Management and Leadership Skills
Leadership is a skill that must be learned, exercised and developed to better ensure
organizational success. Strong leadership is brought about primarily through selfless
devotion to the organization and staff, tireless effort in setting the example, and the
“This course provided a full
vision to see and effectively use available resources toward the end goal.
scope of leadership and
Effective leadership entails persuading team members to accomplish their objectives,
security that can immediately removing the obstacles preventing them from doing it, and maintaining the well-being
be applied to your job.” of the team in support of the organization’s mission. MGT514 will teach you to use
-Jerry Butler, NAVSEA OOI management tools and frameworks to better lead, inspire, and motivate your teams.

How the Course Works

MGT514 uses case studies from Harvard Business School, case scenarios, team-based
exercises, and discussions that put students in real-world situations. You will be able to
use these same activities with your own team members at work.
The next generation of security leadership must bridge the gap between security staff
and senior leadership by strategically planning how to build and run effective security
programs. After taking this course you will have the fundamental skills to create strategic
plans that protect your company, enable key innovations, and facilitate working effectively
with your business partners.

MGT514 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-18

Charlotte . . . . . . . . . . . . . Charlotte, NC . . . . . . . . . . .Jul 8-12 Dallas Fall . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . .Sep 23-27 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-22

Rocky Mountain . . . . . . . Denver, CO . . . . . . . . . . . . Jul 15-19 San Francisco Fall . . . . . San Francisco, CA . . . . .Sep 23-27 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . Dec 2-6

Minneapolis . . . . . . . . . . Minneapolis, MN . . . . . Aug 12-16 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-11 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19

Virginia Beach . . . . . . . . Virginia Beach, VA . . . .Aug 19-23 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-18
78
Course Day
Descriptions

DAY 1: Strategic Planning Foundations DAY 2: Strategic Roadmap Development Who Should Attend
Creating security-strategic plans requires a fundamental With a firm understanding of business drivers as well as the ▐ CISOs
understanding of the business, and a deep understanding threats facing the organization, you will develop a plan to ▐ Information security
of the threat landscape. analyze the current situation, identify the target situation,
officers
Topics: Vision and Mission Statements; Stakeholder perform gap analysis, and develop a prioritized roadmap. In
other words, you will be able to determine (1) what you do ▐ Security directors
Management; PEST Analysis; Porter’s Five Forces; Threat
Actors; Asset Analysis; Threat Analysis today, (2) what you should be doing in the future, (3) what ▐ Security managers
you don’t do, and (4) what you should do first. With this
plan in place you will learn how to build and execute your
▐ Aspiring security leaders
plan by developing a business case, defining metrics for ▐ Other security personnel
success, and effectively marketing your security program. who have team lead
Topics: Historical Analysis; Values and Culture; SWOT or management
Analysis; Vision and Innovation; Security Framework; responsibilities
Gap Analysis; Roadmap Development; Business Case
Development; Metrics and Dashboards; Marketing and
Executive Communications

DAY 3: Security Policy Development and DAY 4: Leadership and Management

Assessment Competencies
Policy is one of the key tools that security leaders have to This course section will teach the critical skills you need
influence and guide the organization. Security managers to lead, motivate, and inspire your teams to achieve your
must understand how to review, write, assess, and support organization’s goals. By establishing a minimum standard
security policy and procedures. Using an instructional for the knowledge, skills, and abilities required to develop
delivery methodology that balances lecture, exercises, leadership, you will understand how to motivate employees,
and in-class discussion, this course section will teach the and how to develop from a manager into a leader.
techniques to create successful policy that employees will Topics: Leadership Building Blocks; Creating and Developing
read and follow, and that will be accepted by business Teams; Coaching and Mentoring; Customer Service Focus;
units. Students will learn key elements of policy, including Conflict Resolution; Effective Communication; Leading
“This course
positive and negative tone, consistency of policy bullets,
how to balance the level of specificity to the problem at
Through Change; Relationship Building; Motivation and Self- provides invaluable
Direction; Teamwork; Leadership Development
hand, the role of policy, awareness and training, and the info with specific
SMART approach to policy development and assessment.
Topics: Purpose of Policy; Policy Gap Analysis; Policy
guidance on how to
Development; Policy Review; Awareness and Training perform leadership
tasks, and it also
DAY 5: Strategic Planning Workshop
Using case studies, students will work through real-world
provides links
scenarios by applying the skills and knowledge learned to useful info...
throughout the course. The case studies are taken directly
from Harvard Business School, which pioneered the Outstanding.”
case study method. The case studies focus specifically
-Jeff Haynes, NELO
on information security management and leadership
competencies. The Strategic Planning Workshop serves as
a capstone exercise for the course, enabling students to
synthesize and apply concepts, management tools, and
methodologies learned in class.
Topics: Creating a Security Plan for the CEO; Understanding
Business Priorities; Enabling Business Innovation;
Working with BYOD; Effective Communication; Stakeholder
Management

Online Training
Private Training OnDemand
This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

79
 MGT525: IT Project Management, Effective GCPM
Communication, and PMP® Exam Prep
Project Manager
www.giac.org/gcpm

6 36 Laptop This course is offered by the SANS Institute as a PMI® Registered Education Provider
Day Program CPEs Not Needed (R.E.P.). R.E.P.s provide the training necessary to earn and maintain the Project
Management Professional (PMP)® and other professional credentials. PMP® is a
registered trademark of Project Management Institute, Inc.
You Will Be Able To
▐ Recognize the top failure mechanisms This course has recently been updated to fully prepare you for changes in the 2019 PMP®
related to IT and InfoSec projects, so exam. During this class you will learn how to improve your project planning methodology
that your projects can avoid common and project task scheduling to get the most out of your critical IT resources. We will
pitfalls
utilize project case studies that highlight information technology services as deliverables.
▐ Create a project charter that defines MGT525 follows the basic project management structure from the PMBOK® Guide – Sixth
the project sponsor and stakeholder
involvement Edition and also provides specific techniques for success with information assurance
▐ Document project requirements and
initiatives. Throughout the week, we will cover all aspects of IT project management from
create a requirements traceability initiating and planning projects through managing cost, time, and quality while your
matrix to track changes throughout the project is active, and to completing, closing, and documenting as your project finishes.
project life cycle A copy of the PMBOK® Guide – Sixth Edition is provided to all participants. You can
▐ Clearly define the scope of a project in reference the PMBOK® Guide and use your course material along with the knowledge you
terms of cost, schedule and technical
deliverables
gain in class to prepare for the updated 2019 Project Management Professional (PMP)®
Exam and the GIAC Certified Project Manager Exam.
▐ Create a work breakdown structure
defining work packages, project The project management process is broken down into core process groups that can be
deliverables and acceptance criteria
applied across multiple areas of any project, in any industry. Although our primary focus
▐ Develop a detailed project schedule,
is the application to the InfoSec industry, our approach is transferable to any projects
including critical path tasks and
milestones that create and maintain services as well as general product development. We cover in-
▐ Develop a detailed project budget, depth how cost, time, quality, and risks affect the services we provide to others. We will
including cost baselines and tracking also address practical human resource management as well as effective communication
mechanisms and conflict resolution. You will learn specific tools to bridge the communications gap
▐ Develop planned and earned value between managers and technical staff.
metrics for your project deliverables
and automate reporting functions PMP®, PMBOK®, and the PMI Registered Education Provider® logo are registered trademarks of the
▐ Effectively manage conflict situations Project Management Institute, Inc.
and build communication skills with
your project team
Author Statement
▐ Document project risks in terms
of probability and impact, and “Managing projects to completion, with an alert eye on quality, cost, and time, is
assign triggers and risk response
responsibilities
something most of us need to do on an ongoing basis. In this course, we break down
project management into its fundamental components and galvanize your understanding
▐ Create project earned value baselines
and project schedule and cost of the key concepts with an emphasis on practical application and execution of service-
forecasts based IT and InfoSec projects. Since project managers spend the vast majority of their
time communicating with others, throughout the week we focus on traits and techniques
that enable effective technical communication. As people are the most critical asset in
the project management process, effective and thorough communication is essential.”
-Jeff Frisk

MGT525 is available via (subject to change):

Live Training
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Private Training
Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-12 This course is also available through Private Training.

80
Course Day
Descriptions

DAY 1: Project Management Structure DAY 2: Project Charter and Scope Management Who Should Attend
and Framework During day two, we will go over techniques used to develop the ▐ Individuals interested
project charter and formally initiate a project. The scope portion in preparing for the
This course day offers insight and specific techniques
defines the important input parameters of project management Project Management
that both beginner and experienced project managers
and gives you the tools to ensure that your project is well defined Professional (PMP)®
can utilize. The structure and framework section lays
from the outset. We cover tools and techniques that will help Exam
out the basic architecture and organization of project
you define your project’s deliverables and develop milestones to
management. We will cover the common project ▐ Security professionals
gauge performance and manage change requests.
management group processes, the difference between who are interested
projects and operations, project life cycles, and managing Topics: Formally Initiating Projects; Project Charters; Project in understanding the
project stakeholders. Scope Development; Work Breakdown Structures; Scope concepts of IT project
Verification and Control management
Topics: Definition of Terms and Process Concepts;
Group Processes; Project Life Cycle; Types of ▐ Managers who want
Organizations; PDCA Cycle to understand the
critical areas of
making projects
DAY 3: Schedule and Cost Management DAY 4: Communications and Project Resources
successful
Our third day details the schedule and cost aspects During day four, we move into project and human resource
of managing a project. We will cover the importance management and building effective communications skills.
▐ Individuals working
of correctly defining project activities, project People are the most valuable asset of any project and we cover with time, cost,
activity sequence, and resource constraints. We will methods for identifying, acquiring, developing and managing quality, and risk-
use milestones to set project timelines and task your project team. Performance appraisal tools are offered sensitive projects and
dependencies along with learning methods of resource as well as conflict management techniques. You will learn applications
allocation and scheduling. We introduce the difference management methods to help keep people motivated and ▐ Anyone who would
between resource and product-related costs and go into provide great leadership. The effective communication portion like to utilize effective
detail on estimating, budgeting, and controlling costs. of the day covers identifying and developing key interpersonal communication
You will learn techniques for estimating project cost and skills. We cover organizational communication and the different techniques and
rates as well as budgeting and the process for developing levels of communication as well as common communication proven methods
a project cost baseline. barriers and tools to overcome these barriers. to relate better to
Topics: Process Flow; Task Lead and Lag Dependencies; Topics: Acquiring and Developing Your Project Team; Organizational people
Resource Breakdown Structures; Task Duration Dependencies and Charts; Roles and Responsibilities; Team ▐ Anyone in a key or
Estimating; Critical Path Scheduling; Cost Estimating Building; Conflict Management; Interpersonal Communication lead engineering/
Tools; Cost vs. Quality; Cost Baselining; Earned Value Skills; Communication Models and Effective Listening design position who
Analysis and Forecasting works regularly with
project management
staff
DAY 5: Quality and Risk Management DAY 6: Procurement, Stakeholder
On day five you will become familiar with quality Management, and Project Integration
planning, assurance, and control methodologies, as well
We close out the week with the procurement aspects of project
as learn the cost-of-quality concept and its parameters.
and stakeholder management, and then integrate all of the
We define quality metrics and cover tools for establishing
concepts presented into a solid, broad-reaching approach. We
and benchmarking quality control programs. We go
cover different types of contracts and then the make-versus-buy
into quality assurance and auditing as well as how to
decision process. We go over ways to initiate strong requests for
understand and use quality control charts. The risk
quotations (RFQ) and develop evaluation criteria, then qualify
section goes over known versus unknown risks and
and select the best partners for your project. Stakeholder
how to identify, assess, and categorize risk. We use
communication and management strategies are reinforced. The
quantitative risk analysis and modeling techniques so
final session integrates everything we have learned by bringing
that you can fully understand how specific risks affect
all the topics together with the common process groups. Using
your project. You will learn ways to plan for and mitigate
a detailed project management methodology, we learn how to
risk by reducing your exposure as well as how to take
finalize the project management plan and then execute and
advantage of risks that could have a positive effect on
monitor the progress of your project to ensure success.
your project.
Topics: Contract Types; Make vs. Buy Analysis; Vendor Weighting
Topics: Cost of Quality; Quality Metrics; Continual Process
Systems; Contract Negotiations; Stakeholder Communication and
Improvement; Quality Baselines; Quality Control; Change
Stakeholder Management Strategies; Project Execution; Monitoring
Control; Risk Identification; Risk Assessment; Time and
Your Project’s Progress; Finalizing Deliverables; Forecasting and
Cost Risks; Risk Probability and Impact Matrices; Risk
Integrated Change Control
Modeling and Response

“MGT525 offers tools and techniques that will directly improve

the planning, execution, and closing of your projects.”
-Michael Long, ARCYBER

81
 AUD507: Auditing & Monitoring Networks, GSNA
Systems and

Perimeters, and Systems Networking Auditor

www.giac.org/gsna

6 36 Laptop One of the most significant obstacles facing many auditors today is how exactly to go
Day Program CPEs Required about auditing the security of an enterprise. What systems really matter? How should
the firewall and routers be configured? What settings should be checked on the various
You Will Be Able To systems under scrutiny? Is there a set of processes that can be put into place to allow an
auditor to focus on the business processes rather than the security settings? How do we
▐ Understand the different types of
controls (e.g., technical vs. non- turn this into a continuous monitoring process? All of these questions and more will be
technical) essential to perform a answered by the material covered in this course.
successful audit
This course is specifically organized to provide a risk-driven method for tackling the
▐ Conduct a proper risk assessment of a
network to identify vulnerabilities and enormous task of designing an enterprise security validation program. After covering a
prioritize what will be audited variety of high-level audit issues and general audit best practices, the students will have
▐ Establish a well-secured baseline for the opportunity to dive deep into the technical how-to for determining the key controls
computers and networks, constituting that can be used to provide a level of assurance to an organization. Tips on how to
a standard against which one can
repeatedly verify these controls and techniques for automatic compliance validation are
conduct audits
taken from real-world examples.
▐ Perform a network and perimeter audit
using a seven-step process One of the struggles that IT auditors face today is helping management understand the
▐ Audit firewalls to validate that rules/ relationship between the technical controls and the risks to the business that these
settings are working as designed, controls address. In this course these threats and vulnerabilities are explained based
blocking traffic as required
on validated information from real-world situations. The instructor will take the time to
▐ Utilize vulnerability assessment tools
explain how this can be used to raise the awareness of management and others within
effectively to provide management
with the continuous remediation the organization to build an understanding of why these controls specifically and auditing
information necessary to make in general are important. From these threats and vulnerabilities, we will explain how to
informed decisions about risk and build the ongoing compliance monitoring systems and automatically validate defenses
resources
through instrumentation and automation of audit checklists.
▐ Audit web application configuration,
authentication, and session You’ll be able to use what you learn immediately. Five of the six days in the course will
management to identify vulnerabilities help you produce your own checklist, or provide you with a general checklist that can be
attackers can exploit
customized for your audit practice. Each of these days includes hands-on exercises with
▐ Utilize scripting to build a system to
baseline and automatically audit Active
a variety of tools discussed during the lecture sections so that you will leave knowing
Directory and all systems in a Windows how to verify each and every control described in the class. Each of the six hands-on
domain days gives you the chance to perform a thorough technical audit of the technology being
considered by applying the checklists provided in class to sample audit problems in a
virtualized environment.
A great audit is more than marks on a checklist; it is the understanding of what the
underlying controls are, what the best practices are, and why. Sign up for this course and
gain the mix of theoretical, hands-on, and practical knowledge to conduct a great audit.

“AUD507 provides insight on different aspects related

to system configurations and associated risks.”
-Yosra Al-Basha, Yemen LNG Co.

AUD507 is available via (subject to change):

Live Training Online Training

Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-13 Summit Events OnDemand
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Supply Chain Complete this course anywhere, anytime, at your
Cybersecurity . . . . . . . . . Arlington, VA . . . . . . . . .Aug 14-19 own pace, with four months of online access in the
San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7 OnDemand platform.
Private Training
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-19
Simulcast
This course is also available through Private Training.
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-13
82
Course Day
Descriptions

DAY 1: Effective Auditing, Risk DAY 2: Effective Network & Perimeter Who Should Attend
Assessment & Reporting Auditing/Monitoring ▐ Auditors seeking to identify key controls in
IT systems
After laying the foundation for the role and Enterprise networks are under constant assault. A
function of an auditor in the information key foundation in the security of our enterprise is ▐ Audit professionals looking for technical
security field, this day’s material will give created by ensuring that we have a validated secure details on auditing
you two extremely useful risk assessment perimeter. As easy as this is to say, organizations ▐ Managers responsible for overseeing the
methods that are particularly effective for struggle with this constantly. Forces such as wireless
work of an audit or security team
measuring the security of enterprise systems, technologies, enterprise VPNs, business partner
identifying control gaps and risks, and help connections, BYOD policies and more can all erode ▐ Security professionals newly tasked with
you to recommend additional compensating the security of our perimeter networks. On this audit responsibilities
controls to address the risk. Nearly a third day we will build from the ground up, dealing with ▐ System and network administrators looking
of the day is spent covering important audit security controls, proper deployment, effective to better understand what an auditor is
considerations and questions when dealing auditing continuous monitoring of configuration from trying to achieve, how auditors think, and
with virtualization and cloud computing. Layer 2 all the way up the stack. Students will learn how to better prepare for an audit
Topics: Auditor’s Role; Basic Auditing and how to identify insecurely configured VLANs, how to
determine perimeter firewall requirements, how to
▐ System and network administrators seeking
Assessing Strategies; Risk Assessment; to create strong change control management
The Six-Step Audit Process; Virtualization examine enterprise routers and much more.
and detection systems for the enterprise
& Cloud Computing Topics: Secure Layer 2 Configurations; Router &
Switch Configuration Security; Firewall Auditing, ▐ Anyone looking to implement effective
Validation & Monitoring; Wireless; Network continuous monitoring processes within the
Population Monitoring; Vulnerability Scanning enterprise

DAY 3: Web Application Auditing DAY 4: Advanced Windows Auditing & Monitoring
A portion of the morning will cover all of the underlying principles of web During the course of this day, attendees will have the opportunity to perform
technology and introduce a set of tools that can be used to validate the a thorough hands on audit of Active Directory servers in class, in addition to
security of these applications. Throughout the day, all of the OWASP Top the laptop that they bring to class. In addition to covering all of the major
Ten issues will be addressed, abstracted into five practical principles of audit points in a stand-alone Windows system, the course will scale these
web application design and deployment. The majority of the day will be methods for use within a domain. One of the primary goals of the material
spent building and working through a checklist for validating the existence presented is to allow the auditor to get away from checking registry settings,
and proper implementation of controls to mitigate the primary threats helping administrators to create a comprehensive management process
found in web applications through the use of cutting-edge techniques and that automatically verifies settings. With this type of system in place, the
advanced testing methods. Throughout the day, time is spent identifying key auditor can step back and begin auditing the management processes which
development requirements, allowing you to provide meaningful feedback into generally helps us to be far more effective.
your organization’s coding standards. Topics: Progressive Construction of a Comprehensive Audit Program;
Topics: Identifying Controls Against Information Gathering Attacks; Processing Automating the Audit Process; Windows Security Tips and Tricks; Maintaining a
Controls to Prevent Hidden Information Disclosures; Controlling Validation of Secure Enterprise
the User Sign-on Process; Examining Controls Against User Name Harvesting;
Validating Protections Against Password Harvesting; Best Practices for OS and
Web Server Configuration; How to Verify Session Tracking and Management
Controls; Identifying of Controls to Handle Unexpected User Input; Server-side
Techniques for Protecting Your Customers and Their Sensitive Data

DAY 5: Advanced UNIX Auditing & Monitoring DAY 6: Audit the Flag: A NetWars Experience
Students will gain a deeper understanding of the inner workings and This final day of the course presents a capstone experience with additional
fundamentals of the Unix operating system as applied to the major Unix learning opportunities. Leveraging the NetWars engine, students have the
environments in use in business today. Students will have the opportunity opportunity to connect to a simulated enterprise network environment. Building
to explore, assess and audit Unix systems hands-on. Lectures describe the on the tools and techniques learned throughout the week, each student is
different audit controls that are available on standard Unix systems, as well challenged to answer a series of questions about the enterprise network,
as access controls and security models. Most of the day will be spent working working through various technologies explored during the course. This allows
hands-on with the instructor to create a comprehensive set of auditing students to immediately put the knowledge gained into practice with these
scripts that can be used on virtually any Unix system. This set of scripts can guided challenges. At the conclusion of the day, students are asked to identify
be used to either check the security of a system, report on the compliance of the most serious findings within the enterprise environment and to suggest
the system to a baseline or be used in a change control process to validate a possible root causes and potential mitigations.
system before patching and subsequently re-generate the system baseline. Topics: Network Devices; Servers; Applications; Workstations
Topics: Auditing to Create a Secure Configuration; Auditing to Maintain a
Secure Configuration; Auditing to Determine What Went Wrong

83
 GLEG
LEG523: Law of Data Security and Investigations Law of Data Security
& Investigation
www.giac.org/gleg

5 30 Laptop LEG523 is constantly updated to address changing trends and current events. Here’s a
Day Program CPEs Not Needed sampling of what’s new:
▐ The global imperative for organizations to demonstrate a culture of data privacy
You Will Be Able To ▐ Invoking attorney-client privilege to maintain confidentiality of security assessments such
▐ Work better with other professionals at as pen tests
your organization who make decisions
about the law of data security and
▐ Court decision shows how to improve an official investigation using artificial intelligence
investigations ▐ Unique and indispensable training for General Data Protection Regulation (GDPR) Data
▐ Exercise better judgment on how to Protection Officers
comply with technology regulations, ▐ Form contract for inviting outside incident responders - including police, contractors,
both in the United States and in other
countries National Guard, or civil defense agency anywhere in the world - to help with a cyber crisis
▐ Evaluate the role and meaning of ▐ The EU’s new GDPR and its impact around the world
contracts for technology, including
services, software and outsourcing New law on privacy, e-discovery and data security is creating an urgent need for
▐ Help your organization better explain
professionals who can bridge the gap between the legal department and the IT department.
its conduct to the public and to legal SANS LEG523 provides this unique professional training, including skills in the analysis and
authorities use of contracts, policies, and records management procedures.
▐ Anticipate technology law risks before
they get out of control
This course covers the law of fraud, crime, policy, contracts, liability, IT security and active
defense—all with a focus on electronically stored and transmitted records. It also teaches
▐ Implement practical steps to cope with
technology law risk investigators how to prepare credible, defensible reports, whether for cyber crimes,
▐ Better explain to executives what your
forensics, incident response, human resource issues or other investigations.
organization should do to comply with Each successive day of this five-day course builds upon lessons from the earlier days in order
information security and privacy law
to comprehensively strengthen your ability to help your enterprise (public or private sector)
▐ Better evaluate technologies, such as
digital signatures, to comply with the
cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial
law and serve as evidence spies, rogue or uncooperative employees, or bad publicity connected with IT security.
▐ Make better use of electronic Recent updates to the course address hot topics such as legal tips on confiscating and
contracting techniques to get the best
terms and conditions
interrogating mobile devices, the retention of business records connected with cloud
computing and social networks like Facebook and Twitter, and analysis and response to the
▐ Exercise critical thinking to understand
the practical implications of technology risks and opportunities surrounding open-source intelligence gathering.
laws and industry standards (such
as the Payment Card Industry Data
Over the years this course has adopted an increasingly global perspective. Non-U.S.
Security Standard) professionals attend LEG523 because there is no training like it anywhere else in the world.
For example, a lawyer from the national tax authority in an African country took the course
because electronic filings, evidence and investigations have become so important to her
work. International students help the instructor, U.S. attorney Benjamin Wright, constantly
revise the course and include more content that crosses borders.
“I wish I’d taken LEG523 four
Who Should Attend
years ago, so that our policy ▐ Investigators ▐ Technology managers ▐ Cyber incident and emergency
and governance could have ▐ Security and IT professionals ▐ Vendors responders from around the
world (including the private
been enhanced sooner.” ▐ Lawyers ▐ Compliance officers sector, law enforcement,
▐ Paralegals ▐ Law enforcement personnel national guard, civil defense
-Tom Siu,
▐ Auditors ▐ Privacy officers and the like)
Case Western Reserve University
▐ Accountants ▐ Penetration testers

LEG523 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 OnDemand vLive
Crystal City . . . . . . . . . . . Arlington, VA . . . . . . . . . . Aug 5-9 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . Jun 25 - Aug 1
own pace, with four months of online access in the
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 OnDemand platform. Simulcast
Private Training Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-13

This course is also available through Private Training.

84
Course Day
Descriptions

DAY 1: Fundamentals of Data DAY 2: E-Records, E-Discovery and DAY 3: Contracting for Data
Security Law and Policy Business Law Security and Other Technology
The first day is an introduction to law IT professionals can advance their careers by upgrading Day three focuses on the essentials of
and IT that serves as the foundation their expertise in the hot fields of e-discovery and cyber contract law sensitive to the current legislative
for discussions during the rest of the investigations. Critical facets of those fields come forward requirements for security. Compliance with
course. We survey the general legal in course day two. We will focus on the use of computer many of the new data security laws requires
issues that must be addressed in records in disputes and litigation, with a view to teaching contracts. Because IT pulls together the
establishing best information security students how to manage requests to turn over e-records to products and services of many vendors,
practices, then canvass the many new adversaries (i.e., e-discovery), manage implementation of a consultants, and outsourcers, enterprises need
laws on data security and evaluate “legal hold” over some records to prevent their destruction, appropriate contracts to comply with Gramm-
information security as a field of growing and coordinate with legal counsel to develop workable Leach-Bliley, HIPAA, GDPR, PCI-DSS, data breach
legal controversy. We will cover computer strategies to legal challenges. Transactions that used to notice laws and other regulations. The section
crime and intellectual property laws be conducted on paper are now done electronically, so provides practical steps and tools that students
when a network is compromised, as well commercial law now applies to computer security. The IT can apply to their enterprises and includes a lab
as emerging topics such as honeypots. function within an enterprise has become the custodian on writing contract-related documents relevant
We will look at the impact of future of an enterprise’s business records. You will learn how to the students’ professional responsibilities.
technologies on law and investigations to craft sound policy for the retention and destruction of (The lab is an optional, informal “office hours”
in order to help students factor in legal electronic records like email, text messages, and social discussion with the instructor at the end of
concerns when they draft enterprise networking interactions. We will provide methods for the day when the course is delivered live.) You
IT security policies. For example, balancing the competing interests in electronic records will learn the language of common technology
students will debate what the words management, including costs, risks, security, regulations and contract clauses and the issues surrounding
of an enterprise policy would mean user cooperation. Law and technology are changing quickly, those clauses, and become familiar with specific
in a courtroom. The course also dives and it is impossible for professionals to comprehend all legal cases that show how different disputes
deep into the legal question of what the laws that apply to their work. But they can comprehend have been resolved in litigation. Recognizing
constitutes a “breach of data security” overarching trends in law, and they can possess a mindset that enterprises today operate increasingly
for purposes of notifying others about for finding solutions to legal problems. A key goal of this on a global basis, the course teaches cases
it or for other purposes. The course course day is to equip students with the analytical skills and contract drafting styles applicable to
includes a case study on the drafting and tools to address technology law issues as they arise, a multinational setting. Contracts covered
of policy to comply with the Payment both in the United States and around the world. Special include agreements for software, consulting,
Card Industry Data Security Standard attention is devoted to European data protection laws (see nondisclosure, outsourced services, penetration
(PCI). Students learn how to choose the white paper by Mr. Wright on the European Union’s new testing, and private investigation services (such
words more carefully and accurately General Data Protection Regulation). The course is chock full as cyber incident response). Special emphasis is
when responding to cybersecurity of actual court case studies dealing with privacy, computer applied to cloud computing issues. Students will
questionnaires from regulators, cyber records, digital evidence, electronic contracts, regulatory also learn how to exploit the surprising power of
insurers and corporate customers. investigations, and liability for shortfalls in security. The informal contract records and communications,
purpose of the case studies is to draw practical lessons that including cybersecurity questionnaires and
students can take back to their jobs. requests for InfoSec assurances.

DAY 4: The Law of Data Compliance: DAY 5: Applying Law to Emerging Dangers:
How to Conduct Investigations Cyber Defense
Information security professionals and cyber investigators operate in a world of Knowing some rules of law is not the same as knowing how to
ambiguity, rapid change, and legal uncertainty. To address these challenges, this deal strategically with real-world legal problems. This day is
course day presents methods to analyze a situation and then act in a way that is organized around extended case studies in security law: break-
ethical and defensible and reduces risk. Lessons will be invaluable to the effective and ins, investigations, piracy, extortion, rootkits, phishing, botnets,
credible execution of any kind of investigation, be it internal, government, consultant, espionage and defamation. The studies lay out the chronology
security incident, or any other. The lessons also include methods and justifications for of events and critique what the good guys did right and what
maintaining the confidentiality of an investigation. The course surveys white-collar fraud they did wrong. The goal is to learn to apply principles and
and other misbehaviors with an emphasis on the role of technology in the commission skills to address incidents in your day-to-day work. The course
and prevention of that fraud. It teaches IT managers practical and case-study-driven includes an in-depth review of legal responses to the major
lessons about the monitoring of employees and employee privacy. IT is often expected to security breaches at TJX, Target, and Home Depot, and looks at
“comply” with many mandates, whether stated in regulations, contracts, internal policies how to develop a Bring Your Own Device (BYOD) policy for an
or industry standards (such as PCI-DSS). This course teaches many broadly applicable enterprise and its employees. The skills learned are a form of
techniques to help technical professionals establish that they and their organizations are crisis management, with a focus on how your enterprise will be
in fact in compliance, or to reduce risk if they are not in perfect compliance. The course judged in a courtroom, by a regulatory agency, or in a contract
draws lessons from models such as the Sarbanes-Oxley Act. As IT security professionals relationship. Emphasis will be on how to present your side of a
take on more responsibility for controls throughout an enterprise, it is natural that they story to others, such as law enforcement, Internet gatekeepers, or
worry about fraud, which becomes a new part of their domain. This day covers what fraud the public at large, so that a security incident does not turn into
is, where it occurs, what the law says about it and how it can be avoided and remedied. a legal fiasco. In addition to case studies, the core material will
Indeed, the primary objective of Sarbanes-Oxley is not to keep hackers out; it is to snuff include tutorials on relevant legislation and judicial decisions
out fraud inside the enterprise. Scattered through the course are numerous descriptions in such areas as privacy, negligence, contracts, e-investigations,
of actual fraud cases involving technology. The purpose is to acquaint the student with computer crime and offensive countermeasures. LEG523 is
the range of modern business crimes, whether committed by executives, employees, increasingly global in its coverage, so although this course day
suppliers or whole companies. More importantly, the course draws on the law of fraud centers around U.S. law, non-U.S. law and the roles of government
and corporate misconduct to teach larger and broader lessons about legal compliance, authorities outside the United States will be examined, as well.
ethical hacking and proper professional conduct in difficult case scenarios. Further, the At the end of this course section, the instructor will discuss a few
course teaches how to conduct forensics investigations involving social, mobile and other sample questions to help students prepare for the GIAC exam
electronic media. Students learn how to improve the assessment and interpretation of associated with this course (GLEG).
digital evidence, such as evidence of a breach or other cyber event.

85
 DEV522: Defending Web Applications GWEB
Web Application

Security Essentials Defender

www.giac.org/gweb

6 36 Laptop This is the course to take if you have to defend web applications!
Day Program CPEs Required
The quantity and importance of data entrusted to web applications is growing, and
defenders need to learn how to secure them. Traditional network defenses, such as
You Will Be Able To firewalls, fail to secure web applications. DEV522 covers the OWASP Top 10 Risks and will
▐ Understand the major risks and help you better understand web application vulnerabilities, thus enabling you to properly
common vulnerabilities related to defend your organization’s web assets.
web applications through real-world
examples Mitigation strategies from an infrastructure, architecture, and coding perspective will be
▐ Mitigate common security discussed alongside real-world applications that have been proven to work. The testing
vulnerabilities in web applications aspect of vulnerabilities will also be covered so that you can ensure your application is
using proper coding techniques, tested for the vulnerabilities discussed in class.
software components, configurations,
and defensive architecture To maximize the benefit for a wider range of audiences, the discussions in this course will
▐ Understand the best practices in be programming language agnostic. Focus will be maintained on security strategies rather
various domains of web application than coding-level implementation.
security such as authentication, access
control, and input validation DEV522: Defending Web Applications Security Essentials is intended for anyone tasked
▐ Fulfill the training requirement as with implementing, managing, or protecting web applications. It is particularly well
stated in PCI DSS 6.5 suited to application security analysts, developers, application architects, pen testers,
▐ Deploy and consume web services auditors who are interested in recommending proper mitigations for web security issues,
(SOAP and REST) in a more secure and infrastructure security professionals who have an interest in better defending their
fashion
web applications.
▐ Proactively deploy cutting-edge
defensive mechanisms such as the The course will also cover additional issues the authors have found to be important
defensive HTTP response headers and in their day-to-day web application development practices. The topics that will be
Content Security Policy to improve the
security of web applications covered include:
▐ Strategically roll out a web application ▐ Infrastructure security
security program in a large
environment
▐ Server configuration
▐ Incorporate advanced web technologies ▐ Authentication mechanisms
such as HTML5 and AJAX cross-domain
requests into applications in a safe and
▐ Application language configuration
secure manner ▐ Application coding errors like SQL injection and cross-site scripting
▐ Develop strategies to assess the
security posture of multiple web
▐ Cross-site request forging
applications ▐ Authentication bypass
▐ Web services and related flaws
▐ Web 2.0 and its use of web services
▐ XPATH and XQUERY languages and injection
▐ Business logic flaws
▐ Protective HTTP headers
The course will make heavy use of hands-on exercises and conclude with a large
defensive exercise that reinforces the lessons learned throughout the week.

DEV522 is available via (subject to change):

Live Training
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-14 Community Events Private Training
San Francisco Winter . . San Francisco, CA . . . . . . .Dec 2-7 New York, NY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 10-15 This course is also available through Private Training.

Summit Events Mentor Events

Supply Chain Novi, MI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sep 16 - Nov 18
Cybersecurity . . . . . . . . . Arlington, VA . . . . . . . . .Aug 14-19
86
Course Day
Descriptions

DAY 1: Web Basics and Authentication DAY 2: Web Application Common Who Should Attend
Security Vulnerabilities & Mitigations ▐ Application
developers
We begin day one with an overview of recent web Since the Internet does not guarantee the secrecy of
application attack and security trends, then follow up by information being transferred, encryption is commonly used ▐ Application security
examining the essential technologies that are at play in to protect the integrity and secrecy of information on the web. analysts or managers
web applications. You cannot win the battle if you do not This course day covers the security of data in transit or on disk ▐ Application architects
understand what you are trying to defend. We arm you and how encryption can help with securing that information in
with the right information so you can understand how the context of web application security. ▐ Penetration testers
web applications work and the security concepts related who are interested
Topics: SSL Vulnerabilities and Testing; Proper Encryption
to them. in learning about
Use in Web Application; Session Vulnerabilities and Testing;
defensive strategies
Topics: HTTP Basics; Overview of Web Technologies; Cross-site Request Forgery; Business Logic Flaws; Concurrency;
Web Application Architecture; Recent Attack Trends; Input-related Flaws and Related Defenses; SQL Injection ▐ Security professionals
Authentication Vulnerabilities and Defense; Authorization Vulnerabilities, Testing, and Defense who are interested in
Vulnerabilities and Defense learning about web
application security
DAY 3: Proactive Defense and Operation DAY 4: AJAX and Web Services Security ▐ Auditors who need to
understand defensive
Security Day four is dedicated to the security of asynchronous JavaScript
mechanisms in web
and XML (AJAX) and web services, which are currently the
Day three begins with a detailed discussion on cross-site applications
most active areas in web application development. Security
scripting and related mitigation and testing strategies, as
issues continue to arise as organizations dive head first into ▐ Employees of
well as HTTP response splitting. The code in an application
insecurely implementing new web technologies without first PCI-compliant
may be totally locked down, but if the server setting is
understanding them. We will cover security issues, mitigation organizations who
insecure, the server running the application can be easily
strategies, and general best practices for implementing AJAX need to be trained
compromised. Locking down the web environment is
and web services. We will also examine real-world attacks and to comply with those
essential, so we cover this basic concept of defending the
trends to give you a better understanding of exactly what you requirements
platform and host. To enable any detection of intrusion,
are protecting against. Discussion focuses on the web services
logging and error handling must be done correctly. We will
in the morning and AJAX technologies in the afternoon.
discuss the correct approach to handling incidents and
logs, then dive even further to cover the intrusion detection Topics: Web Services Overview; Security in Parsing of XML; XML
aspect of web application security. In the afternoon we turn Security; AJAX Technologies Overview; AJAX Attack Trends and
our focus to the proactive defense mechanism so that we Common Attacks; AJAX Defense
are ahead of the bad guys in the game of hack and defend.
Topics: Cross-site Scripting Vulnerability and Defenses; Web DAY 6: Capture-and-Defend-the-Flag Exercise
Environment Configuration Security; Intrusion Detection in
Day six starts with an introduction to the secure software
Web Applications; Incident Handling; Honeytoken
development life cycle and how to apply it to web development.
But the focus is a large lab that will tie together the lessons
DAY 5: Cutting-Edge Web Security learned during the week and reinforce them with hands-on
Day five focuses on cutting-edge web application applications. Students will be provided with a virtual machine
technologies and current research areas. Topics such to implement a complete database-driven dynamic website.
as clickjacking and DNS rebinding are covered. These In addition, they will use a custom tool to enumerate security
vulnerabilities are difficult to defend and multiple defense vulnerabilities and simulate a vulnerability assessment of the
strategies are needed for their defense to be successful. website. Students will then have to decide which vulnerabilities
Another topic of discussion is the new generation of are real and which are false positives, and then mitigate
single-sign-on solutions such as OpenID. We cover the the vulnerabilities. The scanner will score the student as
implications of using these authentication systems and the vulnerabilities are eliminated or checked off as false positives.
common “gotchas” to avoid. With the adoption of Web2.0, Advanced students will be able to extend this exercise and
the use of Java applet, Flash, ActiveX, and Silverlight is on find vulnerabilities not presented by the scanner. Students will
the increase. The security strategies of defending these learn through these hands-on exercises how to secure the web
technologies are discussed so that these client-side application, starting with the operating system, the web server,
technologies can be locked down properly. finding configuration problems in the application language
setup, and finding and fixing coding problems in the site.
Topics: Clickjacking; DNS Rebinding; Flash Security; Java
Applet Security; Single-Sign-On Solution and Security; IPv6 Topics: Mitigation of Server Configuration Errors; Discovering
Impact on Web Security and Mitigating Coding Problems; Testing Business Logic Issues
and Fixing Problems; Web Services Testing and Security Problem
Mitigation

Online Training
OnDemand “Brilliant! The combination of hands-on exercises
Complete this course anywhere, anytime, at your and Q&A streamlines learning like nothing else.”
own pace, with four months of online access in the
OnDemand platform. -McKell Gomm, Henry Schein

Simulcast
Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 9-14
87
 SEC540: Cloud Security and DevOps
Automation

5 30 Laptop SEC540 provides development, operations, and security professionals with a methodology
Day Program CPEs Required to build and deliver secure infrastructure and software using DevOps and cloud services.
Students will explore how the principles, practices, and tools of DevOps can improve the
reliability, integrity, and security of on-premise and cloud-hosted applications.
You Will Be Able To
▐ Understand the core principles and Starting with on-premise deployments, the first two days of the course examine the
patterns behind DevOps Secure DevOps methodology and its implementation using lessons from successful
▐ Map where security controls and DevOps security programs. Students will gain hands-on experience using popular open-
checks can be added in Continuous source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate
Delivery and Continuous Deployment Configuration Management (“infrastructure as Code”), Continuous Integration (CI),
▐ Integrate security into production Continuous Delivery (CD), containerization, micro-segmentation, automated compliance
operations
(“Compliance as Code”), and Continuous Monitoring. The lab environment starts with a CI/
▐ Create a plan for introducing – or CD pipeline that automatically builds, tests, and deploys infrastructure and applications.
improving – security in a DevOps
environment Leveraging the Secure DevOps toolchain, students perform a series of labs injecting
▐ Move your DevOps workflows to the
security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.
cloud After laying the DevSecOps foundation, the final three days move DevOps workloads
▐ Consume cloud services to secure to the cloud, build secure cloud infrastructure, and deliver secure software. DEV540
cloud applications
provides in-depth analysis of the Amazon Web Services (AWS) toolchain, while lightly
▐ Map and implement a Continuous
covering comparable services in Microsoft Azure. Using the CI/CD toolchain, students
Delivery/Deployment pipeline
build a cloud infrastructure that can host containerized applications and microservices.
Hands-on exercises analyze and fix cloud infrastructure and application vulnerabilities
using security services and tools such as API Gateway, Identity and Access Management
(IAM), CloudFront Signing, Security Token Service (STS), Key Management Service (KMS),
managed WAF services, serverless functions, CloudFormation, AWS Security Benchmark,
and much more.

Authors’ Statement
“DevOps and the cloud are radically changing the way that organizations design, build,
deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able
“SEC540 opened my eyes to to deploy hundreds or even thousands of changes every day, continuously learning,
a new way of thinking about improving, and growing—and leaving their competitors far behind. Now DevOps and the
cloud are making their way from Internet ‘Unicorns’ and cloud providers into enterprises.
operations and security
“Traditional approaches to security can’t come close to keeping up with this rate of
unlike anything since SEC401:
accelerated change. Engineering and operations teams that have broken down the ‘walls
Security Essentials.” of confusion’ in their organizations are increasingly leveraging new kinds of automation,
-Todd Anderson, OBE including Infrastructure as Code, Continuous Delivery and Continuous Deployment,
microservices, containers, and cloud service platforms. The question is: can security take
advantage of the tools and automation to better secure its systems?
“Security must be reinvented in a DevOps and cloud world.”
-Ben Allen, Jim Bird, Eric Johnson, and Frank Kim

DEV540 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Baltimore Fall . . . . . . . . . Baltimore, MD . . . . . . . . . Oct 7-11 Summit Events
San Francisco Summer . San Francisco, CA . . . . . Jul 22-26 Seattle Fall . . . . . . . . . . . Seattle, WA . . . . . . . . . . Oct 14-18 Cloud & DevOps
Security . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Nov 6-10
Boston Summer . . . . . . . Boston, MA . . . . . . Jul 29 - Aug 2 Austin . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . Nov 18-22

San Jose . . . . . . . . . . . . . . San Jose, CA . . . . . . . . . Aug 12-16 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . Dec 2-6

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-18
88
Course Day
Descriptions

DAY 1: Introduction to Secure DevOps DAY 2: Moving to Production Who Should Attend
The first day is an introduction to DevOps practices, Building on the ideas and frameworks developed in the first ▐ Anyone working in the
principles and tooling, how DevOps works, and how work course section, you will learn how secure Infrastructure as DevOps environment
is done in DevOps. We’ll look at the importance of culture, code, using modern automated configuration management or transitioning to a
collaboration, and automation in DevOps. Using case tools like Puppet, Chef and Ansible, allows you to quickly DevOps environment
studies of DevOps “Unicorns” – the Internet tech leaders and consistently deploy new infrastructure and manage ▐ Anyone who wants to
who have created the DNA for DevOps – we’ll show you how configurations. Because the automated CD pipeline is so
understand where to
and why they succeeded. This includes the keys to their critically important to DevOps, you’ll also learn to secure
add security checks,
DevOps security programs. Then you’ll learn Continuous the pipeline, including RASP and other run-time defense
testing, and other
Delivery – the automation engine in DevOps – and how to technologies. As the infrastructure and application code
controls to DevOps and
build up a Continuous Delivery or Continuous Deployment moves to production, we’ll spend the second half of the day
Continuous Delivery
pipeline. This includes how security controls can be folded exploring container security issues associated with tools
into or wired into the CD pipeline, and how to automate such as Docker and Kubernetes, as well as how to protect ▐ Anyone interested in
security checks and tests in CD. secrets using Vault and how to build continuous security learning how to migrate
monitoring using Graphana, Graphite, and StatsD. Finally, DevOps workflows to
Topics: Introduction to DevOps; Case Studies on DevOps
we’ll discuss how to build compliance into Continuous the cloud, specifically
Unicorns; Working in DevOps; Security Challenges in
Delivery, using the security controls and guardrails that have Amazon Web Services
DevOps; Building a CD Pipeline; DevOps Deployment Data;
been built in the DevOps toolchain. (AWS)
Secure Continuous Delivery; Security in Pre-Commit;
Security in Commit; Security in Acceptance Topics: Secure Infrastructure as Code; Security with Puppet ▐ Anyone interested
Lab; Securing Your CD Pipeline; Threat Modeling and Locking in learning how
Down Your Build and Deployment Environment; Run- to leverage cloud
Time Defense; Container Security; Security in Monitoring; application security
Red Teaming, Bug Bounties and Blameless Postmortems; services provided by
Managing Secrets; Compliance as Code AWS
▐ Developers
DAY 3: Moving to the Cloud DAY 4: Cloud Application Security ▐ Software architects
Observing DevOps principles, you’ll learn to deploy In this section, you’ll learn to leverage cloud application ▐ Operations engineers
infrastructure, applications, and the CI/CD toolchain into security services to ensure that applications have
the cloud. This section provides an overview of Amazon appropriate encryption, authentication, authorization, and ▐ System administrators
Web Services (AWS) and introduces the foundational access control, while also maintaining functional and high- ▐ Security analysts
tools and practices you’ll need to securely deploy your availability systems.
▐ Security engineers
applications in the cloud. Topics: Data Protection; Secure Content Delivery;
Topics: Introduction to the Cloud; Cloud Architecture Microservice Security; Serverless Security
▐ Auditors
Overview; Secure Cloud Deployment; Security Scanning ▐ Risk managers
in CI/CD ▐ Security consultants

DAY 5: Cloud Security Automation

Expanding on the foundation of the previous sections,
we’ll now focus on leveraging cloud services to automate
security tasks such as deploying application patches to
blue/green environments, deploying and configuring
cloud web application firewalls, enabling cloud security
monitoring, and automating cloud compliance scanning.
Topics: Blue/Green Deployment Options; Security
Automation; Security Monitoring; Cloud Compliance

Online Training
Community Events OnDemand Simulcast
Atlanta, GA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 3-7 Complete this course anywhere, anytime, at your Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-21
own pace, with four months of online access in the
Vancouver, BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 10-14 Online Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aug 12-16
OnDemand platform.
Seattle, WA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 17-21
Chicago, IL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jul 8-12
Portland, OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Sep 23-27 89
 DEV541: Secure Coding in Java/JEE:
Developing Defensible Applications

4 24 Laptop This secure coding course will teach students how to build secure Java applications and
Day Program CPEs Required gain the knowledge and skills to keep a website from getting hacked, counter a wide range
of application attacks, prevent critical security vulnerabilities that can lead to data loss, and
understand the mindset of attackers.
You Will Be Able To
The course teaches you the art of modern web defense for Java applications by focusing on
▐ Use a web application proxy to view and
manipulate HTTP requests and responses
foundational defensive techniques, cutting-edge protection, and Java EE security features you
can use in your applications as soon as you return to work. This includes learning how to:
▐ Review and perform basic exploits of
common web application vulnerabilities, ▐ Identify security defects in your code
such as those found among the SANS/ ▐ Fix security bugs using secure coding techniques
CWE Top 25 Most Dangerous Software
Errors and the OWASP Top 10: ▐ Utilize secure HTTP headers to prevent attacks
• Cross-site scripting (XSS) ▐ Secure your sensitive representational state transfer (REST) services
• Cross-site request forgery (CSRF)
▐ Incorporate security into your development process
• SQL injection
• Parameter manipulation ▐ Use freely available security tools to test your applications
• Open redirect Great developers have traditionally distinguished themselves by the elegance, effectiveness
• Session hijacking and reliability of their code. That is still true, but the security of the code now needs to be
• Clickjacking added to those other qualities. This unique SANS course allows you to hone the skills and
• Authentication and access control knowledge required to prevent your applications from getting hacked.
bypass DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive
▐ Mitigate common web application course covering a wide set of skills and knowledge. It is not a high-level theory course – it
vulnerabilities using secure coding is about real-world, hands-on programming. You will examine actual code, work with real
practices and Java libraries, including: tools, build applications and gain confidence in the resources you need to improve the
• Input validation security of Java applications.
• Blacklist and whitelist validation
Rather than teaching students to use a given set of tools, the course covers concepts of
• Regular expressions secure programming. This involves looking at a specific piece of code, identifying a security
• Output encoding flaw and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25
• Content Security Policy Most Dangerous Programming Errors.
• Client-side security headers
The course culminates in a Secure Development Challenge in which students perform a
▐ Build applications using: security review of a real-world open-source application. You will conduct a code review,
• Java Enterprise Edition authentication perform security testing to actually exploit real vulnerabilities, and implement fixes for
• Basic and form-based authentication these issues using the secure coding techniques that you have learned in course.
• Client certificates
• Secure Sockets Layer/Transport Layer PCI Compliance
Security (SSL/TLS)
Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs
• Java Secure Sockets Extension
auditors to verify processes that require training in secure coding techniques for
• Secure password storage techniques developers. This is the course for you if your application processes cardholder data and you
• Java Cryptography Architecture are required to meet PCI compliance.
• Security Manager
▐ Implement a secure software Who Should Attend
development lifecycle, including code ▐ Developers who want to build more secure ▐ Application security auditors
review, static analysis and dynamic
applications
analysis techniques. ▐ Technical project managers
▐ Java Enterprise Edition programmers ▐ Senior software QA specialists
▐ Software engineers ▐ Penetration testers who want a deeper
▐ Software architects understanding of target applications or who
want to provide more detailed vulnerability
▐ Developers who need to be trained in secure
remediation options
coding techniques to meet PCI compliance

DEV541 is available via (subject to change):

Live Training Online Training

Private Training OnDemand
This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

90
DEV544: Secure Coding in .NET:
Developing Defensible Applications

4 24 Laptop ASP.NET and the .NET framework have provided web developers with tools that allow them
Day Program CPEs Required an unprecedented degree of flexibility and productivity. However, these sophisticated tools
make it easier than ever to miss the little details that allow security vulnerabilities to creep
into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating
You Will Be Able To security into the ASP.NET framework, but the responsibility is still on application developers
▐ Use a web application proxy to view HTTP to understand the limitations of the framework and ensure that their own code is secure.
requests and responses.
▐ Review and perform basic exploits Have you ever wondered if the built-in ASP.NET validation is effective? Have you been
of common .NET web application concerned that Windows Communication Foundation (WCF) services might be introducing
vulnerabilities, such as those found in the unexamined security issues into your application? Should you feel uneasy relying solely on
SANS/CWE Top 25 and the OWASP Top 10: the security controls built into the ASP.NET framework?
• Cross-Site Scripting
This comprehensive course covers a huge set of skills and knowledge. It is not a high-level
• Parameter Manipulation
theory course. It is about real programming. Students examine actual code, work with real
• Open Redirect
• Unvalidated Forwards
tools, build applications, and gain confidence in the resources they need to improve the
• SQL Injection security of .NET applications.
• Session Hijacking Rather than teaching students to use a set of tools, the course teaches students concepts
• Clickjacking of secure programming. This involves looking at a specific piece of code, identifying a
• Cross-Site Request Forgery security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS
• Man-in-the-middle (MITM) Top 25 Most Dangerous Programming Errors.
▐ Mitigate common web application
The class culminates with a security review of a real-world open-source application.
vulnerabilities using industry best practices
in the .NET framework, including the Students will conduct a code review, review a penetration test report, perform security
following: testing to actually exploit real vulnerabilities, and finally, using the secure coding
• Input Validation techniques that they have learned in class, implement fixes for these issues.
• Blacklist & Whitelist Validation
• Regular Expressions
• Command Encoding PCI Compliance
• Output Encoding Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs
• Content Security Policy auditors to verify processes that require training in secure coding techniques for
• Client-side Security Headers developers. This is the course for you if your application processes cardholder data and
▐ Understand built-in ASP .NET security you are required to meet PCI compliance.
mechanisms, including the following:
• AntiForgeryToken
• Data Annotations Who Should Attend
• Event Validation ▐ ASP.NET developers who want to build more secure web applications
• Request Validation
▐ .NET framework developers
• View State
• Entity Framework ▐ Software engineers
• ASP.NET Identity ▐ Software architects
• Forms Authentication ▐ Developers who need to be trained in secure coding techniques to meet PCI compliance
• Membership Provider
• WCF
▐ Application security auditors
• Web API ▐ Technical project managers
• Roslyn Diagnostic Analyzers ▐ Senior software QA specialists
▐ Apply industry best practices (NIST, PCI) ▐ Penetration testers
for cryptography and hashing in the .NET
framework
▐ Implementing a secure software
development lifecycle (SDLC) that includes “Very important course to learn how to avoid hacks!”
threat modeling, static analysis, and
dynamic analysis -Ahmed Zakaria, Thiqah

DEV544 is available via (subject to change):

Live Training Online Training

Private Training OnDemand
This course is also available through Private Training. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

91
 GICSP
ICS410: ICS/SCADA Security Essentials Industrial Cyber
Security Professional
www.giac.org/gicsp

5 30 Laptop SANS has joined forces with industry leaders to equip security professionals and control
Day Program CPEs Required system engineers with the cybersecurity skills they need to defend national critical
infrastructure. ICS410: ICS/SCADA Security Essentials provides a foundational set of
standardized skills and knowledge for industrial cybersecurity professionals. The course
You Will Be Able To is designed to ensure that the workforce involved in supporting and defending industrial
▐ Better understand various industrial control systems (ICS) is trained to keep the operational environment safe, secure, and
control systems and their purpose,
application, function, and dependencies resilient against current and emerging cyber threats.
on network IP and industrial The course will provide you with:
communications
▐ Work with control network infrastructure
▐ An understanding of ICS components, purposes, deployments, significant drivers, and
design (network architecture concepts, constraints
including topology, protocols, and
components) and their relation to IEC
▐ Hands-on lab learning experiences to control system attack surfaces, methods, and tools
62443 and the Purdue Model. ▐ Control system approaches to system and network defense architectures and techniques
▐ Run Windows command line tools to
analyze the system looking for high-risk
▐ Incident-response skills in a control system environment
items ▐ Governance models and resources for industrial cybersecurity professionals
▐ Run Linux command line tools (ps,
ls, netstat, ect) and basic scripting to
When examining the greatest risks and needs in critical infrastructure sectors, the course
automate the running of programs authors looked carefully at the core security principles necessary for the range of tasks
to perform continuous monitoring of involved in supporting control systems on a daily basis. While other courses are available
various tools
for higher-level security practitioners who need to develop specific skills such as ICS
▐ Work with operating systems (system penetration testing, vulnerability analysis, malware analysis, forensics, secure coding,
administration concepts for Unix/Linux
and/or Windows operating systems) and red team training, most of these courses do not focus on the people who operate,
manage, design, implement, monitor, and integrate critical infrastructure production
▐ Better understand the systems’ security
lifecycle control systems.
▐ Better understand information assurance With the dynamic nature of ICS, many engineers do not fully understand the features
principles and tenets (confidentiality, and risks of many devices. For their part, IT support personnel who provide the
integrity, availability, authentication, non-
repudiation)
communications paths and network defenses do not always grasp the systems’ operational
drivers and constraints. This course is designed to help traditional IT personnel fully
▐ Use your skills in computer network
defense (detecting host- and network- understand the design principles underlying control systems and how to support those
based intrusions via intrusion detection systems in a manner that ensures availability and integrity. In parallel, the course
technologies) addresses the need for control system engineers and operators to better understand the
▐ Implement incident response and important role they play in cybersecurity. This starts by ensuring that a control system is
handling methodologies
designed and engineered with cybersecurity built into it, and that cybersecurity has the
▐ Map different ICS technologies, attacks, same level of focus as system reliability throughout the system lifecycle.
and defenses to various cybersecurity
standards including the NIST Cyber When these different groups of professionals complete this course, they will have
Security Framework, ISA/IEC 62443, developed an appreciation, understanding, and common language that will enable them
ISO/IEC 27001, NIST SP 800-53, Center
for Internet Security Critical Security
to work together to secure their ICS environments. The course will help develop cyber-
Controls, and COBIT 5 secure-aware engineering practices and real-time control system IT/OT support carried
out by professionals who understand the physical effects of actions in the cyber world.

“The course is informative and relevant to anyone working with

or alongside industrial control systems.”
-Abrael Delgado, Compuquip Technologies

ICS410 is available via (subject to change):

Live Training
SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Denver . . . . . . . . . . . . . . . Denver, CO . . . . . . . . . . . Oct 14-18 Summit Events
Pittsburgh . . . . . . . . . . . . Pittsburgh, PA . . . . . . . . . .Jul 8-12 Orlando . . . . . . . . . . . . . . Orlando, FL . . . . . .Oct 28 - Nov 1 Oil & Gas Cybersecurity . Houston, TX . . . . . . . . . . Sep 17-21

San Francisco Summer . San Francisco, CA . . . . . Jul 22-26 Nashville . . . . . . . . . . . . . Nashville, TN . . . . . . . . . . Dec 2-6

Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13 CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 14-18 Private Training
San Diego . . . . . . . . . . . . San Diego, CA . . . . . . . . . Oct 7-11 This course is also available through Private Training.
92
Course Day
Descriptions

DAY 1: ICS Overview DAY 2: Field Devices and Controllers Who Should Attend
Students will develop and reinforce a common language If you know the adversary’s approaches to attacking The course is designed for
and understanding of industrial control system (ICS) an ICS environment, you will be better prepared to the range of individuals who
cybersecurity as well as the important considerations defend that environment. Numerous attack vectors work in, interact with, or can
that come with cyber-to-physical operations within these exist within an ICS environment. Some are similar to affect industrial control system
environments. Each student will receive programmable logic traditional IT systems, while others are more specific environments, including asset
controller (PLC) hardware to keep. The PLC contains physical to ICS. During day 2, students will develop a better owners, vendors, integrators,
inputs and outputs that will be programmed in class and understanding of where these specific attack vectors and other third parties. These
mapped to an operator interface, or HMI, also created in exist and how to block them, starting at the lowest personnel primarily come from
class. This improved hardware-enabled approach provides levels of the control network. Students will look at four domains:
the necessary cyber-to-physical knowledge that allows different technologies and communications used in ▐ IT (includes operational
students to better understand important ICS operational Purdue Levels 0 and 1, the levels that are the most
technology support)
drivers and constraints that require specific safety different from an IT network. Students will capture
protection, communications needs, system management fieldbus traffic from the PLCs they programmed in day ▐ IT security (includes
approaches, and cybersecurity implementations. Essential 1 and look at what other fieldbus protocols are used operational technology
terms, architectures, methodologies, and devices are all in the industry. Later in the day, students will analyze security)
covered to build a common language for students from a network captures containing other control protocols ▐ Engineering
variety of different roles. that traverse Ethernet-only networks and TCP/IP
networks, set up a simulated controller, and interact
▐ Corporate, industry, and
Topics: Global Industrial Cybersecurity Professional (GICSP) professional standards
Overview; Purdue Levels 0 and 1; Purdue Levels 2 and 3; DCS with it through a control protocol.
and SCADA; IT & ICS Differences; Physical and Cybersecurity; Topics: ICS Attack Surface; Purdue Levels 0 and 1;
Secure ICS Network Architectures Ethernet and TCP/IP

DAY 3: Supervisory Systems DAY 4: Workstations and DAY 5: ICS Security Governance
Day 3 will take students through the middle Servers Students will learn about the various models,
layers of control networks. Students will learn methodologies, and industry-specific regulations that
Students will learn essential ICS-related
about different methods to segment and control are used to govern what must be done to protect
server and workstation operating system
the flow of traffic through the control network. critical ICS systems. Key business processes that
capabilities, implementation approaches,
Students will explore cryptographic concepts consider risk assessments, disaster recovery, business
and system management practices.
and how they can be applied to communications impact analysis, and contingency planning will be
Students will receive and work with both
protocols and on devices that store sensitive data. examined from the perspective of ICS environments. On
Windows- and Linux-based virtual machines
Students will learn about the risks of using wireless this final course day, students will work together on an
in order to understand how to monitor and
communications in control networks, which incident response exercise that places them squarely in
harden these hosts from attack. Students
wireless technologies are commonly used, and an ICS environment that is under attack. This exercise
will examine concepts that benefit ICS
available defenses for each. After a hands-on ties together key aspects of what has been learned
systems such as system hardening, log
network forensics exercise where students follow throughout the course and presents students with a
management, monitoring, alerting, and
an attacker from phishing campaign to HMI scenario to review with their peers. Specific incident-
audit approaches, then look at some of the
breach, students will look at HMI, historian, and response roles and responsibilities are considered, and
more common applications and databases
user interface technologies used in the middle to actions available to defenders throughout the incident
used in ICS environments across multiple
upper levels of the control network, namely Purdue response cycle are explored. Students will leave with a
industries. Finally, students will explore
Levels 2 and 3, while performing attacks on HMI variety of resources for multiple industries and will be
attacks and defenses on remote access for
web technologies and interfaces susceptible to well prepared to pursue the GICSP, an important ICS-
control systems.
password brute force attacks. focused professional certification.
Topics: Patching ICS Systems; Defending
Topics: Enforcement Zone Devices; Understanding Topics: Building an ICS Cybersecurity Program; Creating
Microsoft Windows; Defending Unix and
Basic Cryptography; Wireless Technologies; Wireless ICS Cybersecurity Policy; Disaster Recovery; Measuring
Linux; Endpoint Security Software; Event
Attacks and Defenses; Exercise: Network Forensics Cybersecurity Risk; Incident Response; Exercise:
Logging and Analysis; Remote Access Attacks
of an Attack; Purdue Level 2 and 3 Attacks Incident Response Tabletop Exercise; Final Thoughts
and Next Steps

Online Training
OnDemand
Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

93
 ICS456: Essentials for NERC Critical GCIP
Critical Infrastructure

Infrastructure Protection Protection

www.giac.org/gcip

5 31 Laptop This five-day course empowers students with knowledge of the “what” and the “how”
Day Program CPEs Required of the version 5/6 standards. The course addresses the role of the Federal Energy
Regulatory Commission (FERC), North American Reliability Corporation (NERC), and
the Regional Entities, provides multiple approaches for identifying and categorizing
You Will Be Able To Bulk Electric System (BES) cyber systems, and helps asset owners determine the
▐ Understand the cybersecurity objectives requirements applicable to specific implementations. Additionally, the course
of the NERC Critical Infrastructure
Protection (CIP) standards covers implementation strategies for the version 5/6 requirements with a balanced
▐ Understand the NERC regulatory
practitioner approach to both cybersecurity benefits, as well as regulatory compliance.
framework, its source of authority, and The course features 25 hands-on labs range from securing workstations to digital
the process for developing CIP standards,
as well as their relationship to the other forensics and lock picking.
Bulk Electric System (BES) reliability
The SANS ICS456: NERC Critical Infrastructure Protection Essentials course was
standards
developed by SANS ICS team members with extensive electric industry experience,
▐ Speak fluent NERC CIP and understand
how seemingly similar terms can have including former Registered Entity Primary Contacts, a former NERC officer, and a
significantly different meanings and Co-Chair of the NERC Critical Infrastructure Protection (CIP) Interpretation Drafting
impacts on your compliance program Team. Together the authors bring real-world, practitioner experience gained from
▐ Break down the complexity to more easily developing and maintaining NERC CIP and NERC 693 compliance programs and actively
identify and categorize BES cyber assets participating in the standards development process.
and systems
▐ Develop better security management
controls by understanding what makes You Will Learn:
for effective cybersecurity policies and
procedures ▐ BES cyber system identification and strategies for lowering their impact rating
▐ Understand physical and logical controls ▐ Nuances of NERC-defined terms and the applicability of CIP standards and how subtle
and monitoring requirements changes in definitions can have a big impact on your program
▐ Make sense of the CIP-007 system
management requirements and their
▐ The significance of properly determining cyber system impact ratings and strategies
relationship to CIP-010 configuration for minimizing compliance exposure
management requirements, and
understand the multiple timelines
▐ Strategic implementation approaches for supporting technologies
for assessment and remediation of ▐ How to manage recurring tasks and strategies for CIP program maintenance
vulnerabilities
▐ Determine what makes for a sustainable
▐ Effective implementations for cyber and physical access controls
personnel training and risk assessment ▐ How to break down the complexity of NERC CIP in order to communicate with your
program
leadership
▐ Develop strategies to protect and recover
BES cyber system information ▐ What to expect in your next CIP audit, how to prepare supporting evidence, and how to
▐ Know the keys to developing and avoid common pitfalls
maintaining evidence that demonstrates
compliance and be prepared to be an
▐ How to understand the most recent Standards Development Team’s efforts and how
active member of the audit support team. that may impact your current CIP program
▐ Sharpen your CIP Ninja!

“This is best-in-class NERC CIP training. The courseware

provides valuable compliance approaches and software tools
for peer collaboration to build consent on implementation.”
-Jeff Mantong, WAPA

ICS456 is available via (subject to change):

Live Training
New York City . . . . . . . . . New York, NY . . . . . . . . Aug 25-29 Summit Events
Santa Monica . . . . . . . . . Santa Monica, CA . . . . . Oct 21-25 Oil & Gas Cybersecurity . Houston, TX . . . . . . . . . . Sep 17-21

94
Course Day
Descriptions

DAY 1: Asset Identification and Governance DAY 2: Access Control and Monitoring Who Should Attend
A transition is under way from NERC CIP programs that Strong physical and cyber access controls are ▐ IT and OT (ICS) cybersecurity
are well defined and understood to a new CIP paradigm at the heart of any good cybersecurity program. ▐ Field support personnel
that expands its scope into additional environments and During day 2 we move beyond the “what” of CIP
adds significantly more complexity. On day 1 students compliance to understanding the “why” and the ▐ Security operations personnel
will develop an understanding of the electricity sector “how.” Firewalls, proxies, gateways, IDS and more – ▐ Incident response personnel
regulatory structure and history as well as an appreciation learn where and when they help and learn practical
for how the CIP standards fit into the overall framework of implementations to consider and designs to avoid.
▐ Compliance staff
the reliability standards. Key NERC terms and definitions Physical protections include more than fences and ▐ Team leaders
related to NERC CIP are reviewed using realistic concepts you’ll learn about the strengths and weaknesses of
▐ Persons involved in
and examples that prepare students to better understand common physical controls and monitoring schemes.
governance
their meaning. We will explore multiple approaches to Labs will reinforce the learnings throughout the day
BES cyber asset identification and learn the critical role of and will introduce architecture review and analysis, ▐ Vendors/Integrators
strong management and governance controls. The day will firewall rules, IDS rules, compliance evidence ▐ Auditors
examine a series of architectures, strategies, and difficult demonstration, and physical security control reviews.
compliance questions in a way that highlights the reliability Topics: CIP-005: Electronic Security Perimeter(s);
and cybersecurity strengths of particular approaches. Interactive Remote Access; External Routable
Unique labs will include a scenario-based competition that Communication and Electronic Access Points;
helps bring the concepts to life and highlights the important CIP-006: Physical Security of BES Cyber Systems;
role we play in defending the grid. Physical Security Plan; Visitor Control Programs; PACS
Topics: Regulatory History and Overview; NERC Functional Maintenance and Testing; CIP-014: Physical Security
Model; NERC Reliability Standards; CIP History; Terms and
Definitions; CIP-002: BES Cyber System Categorization; CIP-
003: Security Management Controls

DAY 3: System Management DAY 4: Information Protection and Response

CIP-007 has consistently been one of the most violated standards going back Education is key to every organization’s success with NERC CIP and the
to CIP version 1. With the CIP standards moving to a systematic approach with students in ICS 456 will be knowledgeable advocates for CIP when they
varying requirement applicability based on system impact rating, the industry return to their place of work. Regardless of their role, all students can be a
now has new ways to design and architect system management approaches. valued resource to their organization’s CIP-004 training program, the CIP-011
Throughout day 3, students will dive into CIP-007. We’ll examine various information protection program. Students will be ready with resources for
Systems Security Management requirements with a focus on implementation building and running strong awareness programs that reinforce the need for
examples and the associated compliance challenges. This day will also information protection and cybersecurity training. On day 4 we’ll examine
cover the CIP-010 requirements for configuration change management and CIP-008 and CIP-009 covering identification, classification, communication of
vulnerability assessments that ensure systems are in a known state and under incidents, and the various roles and responsibilities needed in an incident
effective change control. We’ll move through a series of labs that reinforce response or a disaster recovery event. Labs on day 4 will introduce tools for
the topics covered from the perspective of the CIP practitioner responsible for ensuring file integrity and sanitization of files to be distributed, how to best
implementation and testing. utilize and communicate with the E-ISAC, and how to preserve incident data
Topics: CIP-007: System Management; Physical and Logical Ports; Patch for future analysis.
Management; Malicious Code Prevention; Account Management; CIP-010: Topics: CIP-004: Personnel & Training; Security Awareness Program; CIP
Configuration Change Management and Vulnerability Assessments; Change Training Program; PRA Evaluation Process; CIP-011: Information Protection;
Management Program; Baseline Configuration Methodology; Change Information Protection Program; Data Sanitization; CIP-008: Incident
Management Alerting/Prevention Reporting and Response Planning; Incident Response Plan/Testing; Reporting
Requirements; CIP-009: Recovery Plans for BES Cyber Systems; Recovery
Plans; System Backup
DAY 5: CIP Process
On the final day students will learn the key components for running an
effective CIP compliance program. We will review the NERC processes for
standards development, violation penalty determination, Requests For
Interpretation, and recent changes stemming from the Reliability Assurance
Initiative. Additionally we’ll identify recurring and audit-related processes
that keep a CIP compliance program on track: culture of compliance, annual
assessments, gap analysis, TFEs, and self-reporting. We’ll also look at the
challenge of preparing for NERC audits and provide tips to be prepared to
demonstrate the awesome work your team is doing. Finally, we’ll look at some
real-life CIP violations and discuss what happened and the lessons we can
take away. At the end of day 5 students will have a strong call to action to
participate in the ongoing development of CIP within their organization and
in the industry overall as well as a sense that CIP is doable! Labs on day 5 will
cover DOE C2M2, audit tools, and an audit-focused take on a blue team-red
team exercise.
Topics: Scenario One:
CIP Processes for Maintaining Compliance; Preparing for an Audit; Audit
Follow-Up; CIP Industry Activities; Standards Process; CIP of the Future

95
 ICS515: ICS Active Defense and GRID
Response and

Incident Response Industrial Defense

www.giac.org/grid

5 30 Laptop ICS515: ICS Active Defense and Incident Response will help you deconstruct industrial
Day Program CPEs Required control system (ICS) cyber attacks, leverage an active defense to identify and counter
threats in your ICS, and use incident response procedures to maintain the safety and
reliability of operations.
You Will Be Able To
▐ Perform industrial control system (ICS) This course will empower students to understand their networked ICS environment,
incident response focusing on security monitor it for threats, perform incident response against identified threats, and learn
operations and prioritizing the safety from interactions with the adversary to enhance network security. This process of
and reliability of operations
monitoring, responding to, and learning from threats internal to the network is known
▐ Determine how ICS threat intelligence as active defense. An active defense is the approach needed to counter advanced
is generated and how to use what is
available in the community to support adversaries targeting an ICS, as has been seen with malware such as Stuxnet, Havex,
ICS environments. The analysis skills and BlackEnergy2. Students can expect to come out of this course with the ability to
you learn will enable you to critically deconstruct targeted ICS attacks and fight these adversaries and others. The course uses
analyze and apply information from ICS
threat intelligence reports on a regular
a hands-on approach and real-world malware to break down cyber attacks on ICS from
basis. start to finish. Students will gain a practical and technical understanding of leveraging
▐ Identify ICS assets and their network active defense concepts such as using threat intelligence, performing network security
topologies and how to monitor ICS monitoring, and utilizing malware analysis and incident response to ensure the safety
hotspots for abnormalities and threats. and reliability of operations. The strategy and technical skills presented in this course
Methodologies such as ICS network
security monitoring and approaches
serve as a basis for ICS organizations looking to show that defense is do-able.
to reducing the control system threat This course will prepare you to:
landscape will be introduced and
reinforced ▐ Examine ICS networks and identify the assets and their data flows in order to
▐ Analyze ICS malware and extract the understand the network baseline information needed to identify advanced threats
most important information needed
to quickly scope the environment and ▐ Use active defense concepts such as threat intelligence consumption, network
understand the nature of the threat security monitoring, malware analysis, and incident response to safeguard the ICS
▐ Operate through an attack and gain ▐ Build your own Programmable Logic Controller using a CYBATIworks Kit and keep it
the information necessary to instruct
teams and decision-makers on when after the class ends
operations must shut down, or if it ▐ Gain hands-on experience with samples of Havex, BlackEnergy2, and Stuxnet by
is safe to respond to the threat and
continue operations participating in labs and de-constructing these threats and others
▐ Use multiple security disciplines in ▐ Leverage technical tools such as Shodan, Security Onion, TCPDump, NetworkMiner,
conjunction with each other to leverage Foremost, Wireshark, Snort, Bro, SGUIL, ELSA, Volatility, Redline, FTK Imager, PDF
an active defense and safeguard the
analyzers, malware sandboxes, and more
ICS, all reinforced with hands-on labs
and technical concepts ▐ Create indicators of compromise (IOCs) in OpenIOC and YARA while understanding
sharing standards such as STIX and TAXII
▐ Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber
Defense Cycle, and the ICS Cyber Kill Chain to extract information from threats and
use it to encourage the long-term success of ICS network security.

ICS515 is available via (subject to change):

Live Training Online Training

SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 17-21 Summit Events OnDemand
Columbia . . . . . . . . . . . . . Columbia, MD . . . . . . . . . Jul 15-19 Oil & Gas Cybersecurity . Houston, TX . . . . . . . . . . Sep 17-21 Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
Network Security . . . . . Las Vegas, NV . . . . . . . . Sep 9-13
Private Training OnDemand platform.
San Francisco Winter . . San Francisco, CA . . . . . . Dec 2-6 This course is also available through Private Training.

96
Course Day
Descriptions

DAY 1: Threat Intelligence DAY 2: Asset Identification and Network Who Should Attend
Industrial control system (ICS) security professionals Security Monitoring ▐ ICS incident response team
must be able to leverage internal and external threat leads and members
Understanding the networked environment is the only
intelligence to critically analyze threats, extract indicators
way to fully defend it: you cannot defend what you do ▐ ICS and operations technology
of compromise (IOCs), and guide security teams to find
not know. This course section will teach students to security personnel
threats in the environment. Today you will learn how
use tools such as Wireshark, TCPdump, SGUIL, ELSA,
threat intelligence is generated, how to critically analyze ▐ IT security professionals
CyberLens, Bro, NetworkMiner, and Snort to map their ICS
reports, and the basic tenets of active defense functions. ▐ Security Operations Center
network, collect data, detect threats, and analyze threats
Students will become better analysts and critical thinkers team leads and analysts
to drive incident response procedures. During this
by learning skills useful in day-to-day operations,
section, students will be introduced to the lab network ▐ ICS red team and penetration
regardless of their jobs and roles. This day features four
and an advanced persistent threat (APT) that is present testers
hands-on labs that include building a Programmable Logic
on it. Drawing on threat intelligence from the previous
Controller (PLC), identifying information available about ▐ Active defenders
course section, students will have to discover, identify,
assets online through Shodan, completing an analysis of
and analyze the threat using their new active defense
competing hypotheses, and ingesting threat intelligence
skills to guide incident responders to the affected
reports. This will guide the practices of students during
Human Machine Interface (HMI).
the rest of the labs in the course
Topics: Case Study: BlackEnergy2; ICS Asset and Network
Topics: Case Study: Havex; Introduction to ICS Active Visibility; Identifying and Reducing the Threat Landscape;
Defense and Incident Response; Intelligence Life Cycle and ICS Network Security Monitoring – Collection; ICS Network
Threat Intelligence; ICS Information Attack Surface; External Security Monitoring – Detection; ICS Network Security
ICS Threat Intelligence; Internal ICS Threat Intelligence; Monitoring – Analysis
Sharing and Consuming ICS Threat Intelligence

DAY 3: Incident Response DAY 4: Threat and Environment

The ability to prepare for and perform ICS incident Manipulation
response is vital to the safety and reliability of control
Understanding the threat is key to discovering its
systems. ICS incident response is a core concept in an ICS
capabilities and its potential to affect the ICS. The
active defense and requires that analysts safely acquire
information extracted from threats through processes
digital evidence while scoping the environment for threats
such as malware analysis is also critical to being able
and their impact on operations. ICS incident response is
to make the necessary changes to the environment to
a young field with many challenges, but students in this
reduce the effectiveness of the threat. The information
section will learn effective tactics and tools to collect
obtained is vital to an ICS active defense, which requires
and preserve forensic-quality data. Students will then
internal data collection to create and share threat
use these data to perform timely forensic analysis and
create IOCs. In the previous section’s labs, APT malware
intelligence. In this section, students will learn how to “ICS515 integrated the
analyze initial attack vectors such as spearphishing
was identified in the network. In this section, the labs
emails, perform timely malware analysis techniques, OT/ICS side of security
will focus on identifying which system is impacted and
gathering a sample of the threat that can be analyzed.
analyze memory images, and create Indicators of into the course well,
Compromise in YARA. The previous section’s labs
Topics: Case Study: Stuxnet; Incident Response and Digital identified the infected HMI and gathered a sample of the not like other courses
Forensics Overview; Preparing an ICS Incident Response APT malware. In this section’s labs, students will analyze
Team; Evidence Acquisition; Sources of Forensic Data in the malware, extract information, and develop YARA rules I’ve taken that taught
ICS Networks; Time-Critical Analysis; Maintaining and to complete the active defense model introduced in the general IT security
Restoring Operations class and maintain operations.
Topics: Case Study: German Steelworks; ICS Threat and with OT added as an
DAY 5: Active Defense and Incident Environment Manipulation Goals and Considerations; afterthought.”
Establishing a Safe Working Environment; Analyzing
Response Challenge Acquired Evidence; Memory Forensics; Malware Analysis -Josh Tanski, Morton Salt
This section focuses on reinforcing the strategy, Methodologies; Case Study: BlackEnergy2 Automated
methodologies, skillsets, and tools introduced in the first Analysis; Indicators of Compromise; Environment
four sections of the course. This entirely hands-on section Manipulation
will present students with two different scenarios. The first
involves data collected from an intrusion into SANS Cyber
City. The second involves data collected from a Distributed
Control System (DCS) infected with malware. This section
will truly challenge students to utilize their ICS active
defense and incident response skills and test themselves.
Topics:
Scenario One:
Identify the Assets and Map the ICS Networks; Perform ICS
Network Security Monitoring to Identify the Abnormalities;
Execute ICS Incident Response Procedures Into the SANS
Cyber City Data Files; Analyze the Malicious Capability and
Determine if the Threat Is an Insider Threat or a Targeted
External Threat
Scenario Two:
Identify the Software and Information Present on the DCS;
Leverage ICS Active Defense Concepts to Identify the Real-
World Malware; Determine the Impact on Operations and
Remediation Needs
97
 Cyber Defense | 2-Day & Beta Courses
SEC402: The Secrets to Successful Cybersecurity Writing: Hack the Reader BETA 2 12 Laptop
Day Course CPEs Not Needed
Want to write better? Learn to hack the reader! Discover how to find an opening, break down
your readers’ defenses, and capture their attention to deliver your message—even if they’re
too busy or indifferent to others’ writing. This unique course, built exclusively for cybersecurity Live Training
professionals, will strengthen your writing skills and boost your security career. Security Writing NYC:
SEC402 Beta 2 . . . . . . . . . New York, NY . . . . . . . . . . . Jun 1-2
The course builds upon the author’s two decades of cybersecurity experience. You’ll learn
from examples relevant to security professionals, whether they’re experts or beginners,
managers or individual team members. The course focuses on common writing problems
you’ll learn to avoid, instead of presenting tedious grammar rules or theoretical explanations.
You’ll advance your writing by reviewing and improving real-world cybersecurity samples.
Master the writing secrets that’ll make you stand out in the eyes of your peers, colleagues,
managers, and clients. Learn to communicate your insights, requests, and recommendations
persuasively and professionally. Make your cybersecurity writing remarkable.

SEC440: Critical Security Controls: Planning, Implementing, and Auditing 2 12 Laptop

Day Course CPEs Not Needed
This course helps you master specific, proven techniques and tools needed to implement
and audit the Critical Security Controls as documented by the Center for Internet Security
(CIS). These Critical Security Controls are rapidly becoming accepted as the highest priority Live Training*
list of what must be done and proven before anything else at nearly all serious and sensitive SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 15-16
organizations. These controls were selected and defined by the U.S. military and other
Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
government and private organizations (including the NSA, DHS, GAO, and many others) that
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
are the most respected experts on how attacks actually work and what can be done to stop
them. They defined these controls as their consensus for the best way to block known attacks Summit Events
and help find and mitigate damage from the attacks that get through.
Security Awareness . . . . San Diego, CA . . . . . . . . . Aug 5-6

Online Training*
OnDemand
Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

SEC450: Blue Team Fundamentals: Security Operations and Analysis BETA 6 36 Laptop
Day Program CPEs Required
SEC450 is designed to be an accelerated on-ramp for new cyber defense team members.
Developed by an author with years of experience as a lead analyst and Security Operations
Center manager, this course packs in all the essential explanations of tools, process, and data
Live Training
flow that every blue team member needs to know. Given the current shortage of cybersecurity SEC450 Security
professionals and a hiring gap that is only widening, organizations need a quick way to Ops-Analysis Beta 1. . . . Crystal City, VA . . . . . . . . .Jul 8-13
onboard new defenders. By providing a detailed explanation of the mission and mindset of a
modern cyber defense operation, SEC450 squarely addresses that challenge by jumpstarting
and empowering those on their way to becoming the next generation of blue teamers.

SEC455: SIEM Design & Implementation 2 12 Laptop

Day Course CPEs Required
Security Information and Event Management (SIEM) can be an extraordinary benefit to an
organization’s security posture, but understanding and maintaining it can be difficult. Many
solutions require complex infrastructure and software that necessitate professional services Live Training
for installation. The use of professional services can leave security teams feeling as if they do SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 15-16
not truly own or understand how their SIEM operates. Combine this situation of complicated
Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
solutions with a shortage of available skills, a lack of simple documentation, and the high
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
costs of software and labor, and it is not surprising that deployments often fail to meet
expectations. A SIEM can be the most powerful tool a cyber defense team can wield, but only
when it is used to its fullest potential. This course is designed to address this problem by Online Training*
demystifying SIEMs and simplifying the process of implementing a solution that is usable, OnDemand
scalable, and simple to maintain. Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

*Private Training
98 This course is also available through Private Training.
Penetration Testing | 2-Day Courses
SEC564: Red Team Operations and Threat Emulation 2 12 Laptop
Day Course CPEs Required
Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate
real-world threats in order to train and measure the effectiveness of the people, processes,
and technology used to defend environments. Built on the fundamentals of penetration Live Training*
testing, Red Teaming uses a comprehensive approach to gain insight into an organization’s Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
overall security in order to test its ability to detect, respond to, and recover from an attack.
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
When properly conducted, Red Team activities significantly improve an organization’s
security controls, hone its defensive capabilities, and measure the effectiveness of its
security operations. The Red Team concept requires a different approach from a typical
security test and relies heavily on well-defined TTPs, which are critical to successfully
emulate a realistic threat or adversary. Red Team results exceed a typical list of penetration
test vulnerabilities, provide a deeper understanding of how an organization would perform “The content from SEC564
against an actual threat, and identify where security strengths and weaknesses exist. is great and I will be able
Whether you support a defensive or offensive role in security, understanding how Red to implement it in my
Teams can be used to improve security is extremely valuable. Organizations spend a
great deal of time and money on the security of their systems, and it is critical to have organization right away!”
professionals who can effectively and efficiently operate those systems. SEC564 will provide -Kirk Hayes, Rapid 7
you with the skills to manage and operate a Red Team, conduct Red Team engagements,
and understand the role of a Red Team and its importance in security testing. This two-
day course will explore Red Team concepts in-depth, provide the fundamentals of threat
emulation, and help you reinforce your organization’s security posture.

SEC580: Metasploit Kung Fu for Enterprise Pen Testing 2 12 Laptop

Day Course CPEs Required
Many enterprises today face regulatory or compliance requirements that mandate regular
penetration testing and vulnerability assessments. Commercial tools and services for
performing such tests can be expensive. While really solid free tools such as Metasploit are Live Training*
available, many testers do not understand the comprehensive feature sets of such tools and Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
how to apply them in a professional-grade testing methodology. Metasploit was designed
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
to help testers with confirming vulnerabilities using an open-source and easy-to-use
framework. This course will help students get the most out of this free tool.
This class will show students how to apply the incredible capabilities of the Metasploit
Framework in a comprehensive penetration testing and vulnerability assessment regimen,
according to a thorough methodology for performing effective tests. Students who complete the “SEC580 is a great course –
course will have a firm understanding of how Metasploit can fit into their penetration testing right audience size, right
and day-to-day assessment activities. The course will provide an in-depth understanding
pace, good labs, and excellent
of the Metasploit Framework far beyond simply showing attendees how to exploit a
remote system. The class will cover exploitation, post-exploitation reconnaissance, token instruction.”
manipulation, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized -Robert Lockwood, Fusion Cell Consulting
shell environment specially created for exploiting and analyzing security flaws. The course
will also cover many of the pitfalls that a tester may encounter when using the Metasploit
Framework and how to avoid or work around them, making tests more efficient and safe.

*Private Training
This course is also available through Private Training. 99
 IR & Forensics | Beta Course
FOR498: Battlefield Forensics & Data Acquisition BETA 6 36 Laptop
Day Program CPEs Required
THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING.
LET US SHOW YOU HOW.
Live Training
The first step in any investigation is the gathering of evidence. Digital forensic investigations
are no different. The evidence used in this type of investigation is data, and these data can DFIRCON Miami . . . . . . . Coral Gables, FL . . . . . . . Nov 4-9

live in many varied formats and locations. You must be able to first identify the data that you Summit Events
might need, determine where those data reside, and, finally, formulate a plan and procedures
DFIR . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . .Jul 27 - Aug 1
for collecting those data.
With digital forensic acquisitions, you will typically have only one chance to collect data
properly. If you manage the acquisition incorrectly, you run the risk of not only damaging
the investigation, but more importantly, destroying the very data that could have been used
as evidence. With the wide range of storage media in the marketplace today, any kind of
standardized methodology for all media is simply untenable. Many mistakes are being made
in digital evidence collection, and this can cause the guilty to go free and, more importantly,
the innocent to be incarcerated. The disposition of millions and millions of dollars can rest
within the bits and bytes that you are tasked with properly collecting and interpreting.
An examiner can no longer rely on “dead box” imaging of a single hard drive. In today’s cyber
sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of
a normal day. Compounding this issue is the expanding use of cloud storage and providers,
and the proper collection of data from all these domains can become quite overwhelming.
This in-depth digital acquisition and data handling course will provide first responders and
investigators alike with the advanced skills necessary to properly identify, collect, preserve,
and respond to data from a wide range of storage devices and repositories, ensuring that the
integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today’s
need for widespread knowledge and understanding of the challenges and techniques that
investigators require when addressing real-world cases.
Numerous hands-on labs throughout the course will give first responders, investigators, and
digital forensics teams the practical experience needed when performing digital acquisition
from hard drives, memory sticks, cellular phones, network storage areas, and everything in
between. During a digital forensics response and investigation, an organization needs the
most skilled responders possible, lest the investigation end before it has begun. FOR498:
Battlefield Forensics & Acquisition will train you and your team identify, collect, preserve, and
respond to data not matter where those data hide or reside.

DevSecOps | 2-Day Courses

SEC534: Secure DevOps: A Practical Introduction 2 12 Laptop
Day Course CPEs Required
This course explains the fundamentals of DevOps and how DevOps teams can build and
deliver secure software. You will learn DevOps principles, practices, and tools and how
they can be leveraged to improve the reliability, integrity, and security of systems. Students Online Training*
will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, OnDemand
GitlLab, Vault, Grafana, and Docker to automate Configuration Management (“Infrastructure Complete this course anywhere, anytime, at your
as Code”), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro- own pace, with four months of online access in the
segmentation, automated compliance (“Compliance as Code”) and Continuous Monitoring. OnDemand platform.

Leveraging the Secure DevOps toolchain, students perform a series of labs injecting
security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.

*Private Training
100 This course is also available through Private Training.
Management | 2-Day & Beta Courses
MGT415: A Practical Introduction to Cyber Security Risk Management 2 12 Laptop
Day Course CPEs Required
In this course students will learn the practical skills necessary to perform regular risk
assessments for their organizations. The ability to perform risk management is crucial
for organizations hoping to defend their systems. There are simply too many threats, too Live Training
many potential vulnerabilities that could exist, and not enough resources to create an SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 15-16
impregnable security infrastructure. Therefore every organization, whether it does so in an
Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
organized manner or not, will make priority decisions on how best to defend its valuable
data assets. Risk management should be the foundational tool used to facilitate thoughtful CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
and purposeful defense strategies.

MGT433: SANS Security Awareness: How to Build, Maintain, and Measure 2 12 Laptop
a Mature Awareness Program Day Course CPEs Not Needed

Organizations have invested a tremendous amount of money and resources into securing
technology, but little if anything into securing their workforce. As a result, people, not Live Training*
technology, have become the most common target for cyber attackers. The most effective SANSFIRE . . . . . . . . . . . . . Washington, DC . . . . . . Jun 15-16
way to secure the human element is to establish a mature security awareness program that
Network Security . . . . . Las Vegas, NV . . . . . . . Sep 15-16
goes beyond just compliance, changes people’s behaviors and ultimately creates a secure
CDI . . . . . . . . . . . . . . . . . . Washington, DC . . . . . Dec 12-13
culture. This intense two-day course will teach you the key concepts and skills needed to
do just that, and is designed for those establishing a new program or wanting to improve Summit Events
an existing one. The course content is based on lessons learned from hundreds of security
Security Awareness . . . . San Diego, CA . . . Aug 5-6 & 9-10
awareness programs from around the world. In addition, you will learn not only from your
instructor, but from extensive interaction with your peers. Finally, through a series of labs
and exercises, you will develop your own custom security awareness plan that you can Online Training*
implement as soon as you return to your organization. OnDemand
Complete this course anywhere, anytime, at your
own pace, with four months of online access in the
OnDemand platform.

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud BETA 5 30 Laptop

Day Program CPEs Required
Vulnerabilities are everywhere. There are new reports of problems within our systems and
software every time we turn around. Directly related to this is an increase in the quantity and
severity of successful attacks that seem to happen daily. Managing vulnerabilities in any size
organization is challenging. Enterprise environments add scale and diversity that overwhelms
many IT security and operation’s teams. Now add in the cloud and the increasing speed with
which all organizations must deliver systems, applications, and features to both their internal
and external customers, and security may seem unachievable.
The primary goal of this course is to equip those responsible for managing the infrastructure
and application vulnerabilities within their organization with strategies and solutions that
overcome the challenges and stumbling blocks they may encounter. In addition, the course
provides participants a better understanding of how to manage vulnerabilities in the cloud
and leverage new and exciting technologies and development patterns to increase the
effectiveness of their program.
By understanding the problem and potential solutions, participants will be better prepared
to meet this challenge and determine what might work for their organization. Through course
discussions and other exercises participants will also be encouraged to share what is working
and not working in their organizations.
Knowing that our environments are adopting cloud services and becoming more tightly
integrated with them, we look at both cloud and non-cloud environments simultaneously
throughout the course, highlighting the tools, processes, and procedures that can be
leveraged in each environment and presenting new and emerging trends.
A capstone exercise performed on the final course day of MGT516 features a business
scenario that includes both enterprise and cloud-based environments. The exercise allows
students to analyze and discuss how best to implement and maintain a vulnerability
management program and leverage some of the information they have learned throughout
the course. The group solutions are then reviewed in class so participants can learn what
others outside their group have determined would best help this organization succeed.

*Private Training
This course is also available through Private Training. 101
 Hosted Courses
HOSTED: Assessing and Exploiting Control Systems 6 36 Laptop
Day Course CPEs Required
This course teaches hands-on penetration testing techniques used to test individual
components of a control system, including embedded electronic field devices, network
protocols, RF communications, Human Machine Interfaces (HMIs), and various forms Live Training
of master servers and their ICS applications. Skills you will learn in this course will
apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building
Summit Events
management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, Oil & Gas Cybersecurity . Houston, TX . . . . . . . . . . Sep 17-22

substation automation, and synchrophasors.

HOSTED: Physical Security Specialist – Full Comprehensive Edition 6 36 Laptop

Day Course CPEs Required
This course is taught by the CORE Group, a firm with divisions that focus on penetration
testing, physical defense, personal protection details, and law enforcement training.
This training is ideal for anyone tasked with making physical security decisions for
existing or new facilities. Students will be prepared to make educated and fiscally-
responsible security decisions not only for their respective organizations but also for
themselves. Participants will be able to approach any target, site-unseen, and then
either conduct a walk-through assessment highlighting attack vectors, or proceed
directly with an attack, gaining physical access to critical areas and infrastructure.
Additionally, these newly-minted professionals will also be able to provide sound
documentation while making recommendations to management or to their insurance
providers, saving money for their companies.

HOSTED: Critical Infrastructure and Control System Cybersecurity 5 30 Laptop

Day Course CPEs Required
This is an intermediate to advanced course covering control system cybersecurity
vulnerabilities, threats and mitigating controls. This course will provide hands-
on analysis of control system environments allowing students to understand the
environmental, operational and economic impacts of attacks like Stuxnet and
supporting mitigating controls. The course features:
▐ A hands-on environment (PLC, HMI, Network Communications, Backtrack)
▐ Coverage of operational, cyber, and physical protective solutions
▐ Kits provided and used by pods of two attendees (Laptop, Customized I/O Trainer,
PLC, HMI, communications infrastructure, CYBATIFIED Backtrack)

HOSTED: Physical Penetration Testing 2 12 Laptop

Day Course CPEs Not Needed
Those who attend this session will leave with a full awareness of how to best protect
buildings and grounds from unauthorized access, as well as how to compromise most
existing physical security in order to gain access themselves. Attendees will not only Live Training
learn how to distinguish good locks and access control from poor ones, but will also
become well-versed in picking and bypassing many of the most common locks used in Private Training
This course is also available through Private Training.
North America in order to assess their own company’s security posture or to augment
their career as a penetration tester.

HOSTED: Health Care Security Essentials 2 12 Laptop

Day Course CPEs Required
This course is designed to provide attendees with an introduction to current and
emerging issues in health care information security and regulatory compliance. The
class provides a foundational set of skills and knowledge for students through the
integration of case studies, hands-on labs, and defensible control considerations for
securing and monitoring electronic protected health information (ePHI). Students will
learn about actual attacks and incidents that have affected health care organizations
and what can be done to mitigate the damage to prevent your organization from
suffering a similar outcome.

102
Voucher Program
The SANS Voucher Program is a
cybersecurity workforce training
management system that allows you
to easily procure and manage your
organization’s training needs.

As a SANS Voucher Program participant, you will be able to:

• Provide your cybersecurity team with the highest standard of skill training and certification available
• Give employees a simple way to select and procure the training they need, when they need it
• Easily approve and manage student enrollment
• Monitor employee training progress and exam scores to ensure satisfactory completion
• Track investments, debits, and account balance for optimal budgeting

Voucher Funds purchased can be applied to any live and online SANS training courses, SANS Summit events,
GIAC Certifications, or certification renewals.* Voucher Funds must be used within 12 months, but the term can
be extended with additional investments.

Get Started
Visit www.sans.org/vouchers and submit the contact request form to have a SANS representative
in your region call or email you within 24 business hours. Within as little time as one week, your
eligible team members can begin their training.

*Current exceptions from the SANS Voucher Program are the Partnership program, Security Awareness training, and SANS workshops hosted at events run by other organizations.

www.sans.org/vouchers
103
 EXPERIENCE
Hands-On Information Security Challenges

Experience NetWars Choose from:

Core NetWars | DFIR NetWars | Cyber Defense NetWars
ICS NetWars | Grid NetWars
Play solo or on a team of up to five players Develop skills in:
• Cyber Defense
• Penetration Testing
• Digital Forensics & Incident Response
• Industrial Control Systems & SCADA
Participation in NetWars is free for students taking 4-, 5-,
or 6-day courses.
NetWars takes place in the evening, after class, and gives you
“ NetWars takes the concepts in the class and
gives you an opportunity to put them into action.
an immediate opportunity to apply what you’ve learned in a
fun, competitive, hands-on, and educational environment!

– Kyle McDaniel, Lenovo ”

Highly recommended!
Seating is limited, so add NetWars when you register for
your course.

104 www.sans.org/netwars 15
Advancing
Cybersecurity
Through Collaboration
“I was impressed by the expertise of the speakers and more impressed by
the quality of attendees. Both the information presented in the conference
and after-hours discussions were engaging and productive.”
- Doug Short, Trinity River Authority

Upcoming Summit & Training Events

Enterprise Defense Supply Chain Cybersecurity Purple Team
Redondo Beach, CA | June 3-10 Washington, DC | Aug 12-19 Dallas, TX | Oct 21-28

Security Operations Oil & Gas Cybersecurity Cloud & DevOps Security
New Orleans, LA | June 24 – July 1 Houston, TX | Sep 16-22 Denver, CO | Nov 4-11

DFIR Threat Hunting & Pen Test HackFest

Austin, TX | July 25 – Aug 1 Incident Response Washington, DC | Nov 18-25
New Orleans, LA | Sep 30 – Oct 7
Security Awareness
San Diego, CA | Aug 5-14 SIEM
Chicago, IL | Oct 7-14

sans.org/summit19
105
 5705 Salem Run Blvd.
Suite 105
Fredericksburg, VA 22407

Join the SANS.org community today to enjoy

these free resources at www.sans.org/join
Newsletters
NewsBites @RISK: The Consensus Security Alert
Twice-weekly, high-level executive summary of the most A reliable weekly summary of newly discovered attack vectors,
important news relevant to cybersecurity professionals. vulnerabilities with active new exploits, how recent attacks
worked, and other valuable information.
OUCH!
The world’s leading monthly, free security awareness newsletter
designed for the common computer user.

Webcasts
Ask the Experts Webcasts WhatWorks Webcasts
SANS experts bring current and timely information on relevant The SANS WhatWorks webcasts bring powerful customer
topics in IT Security. experiences showing how end users resolved specific IT
Security issues.
Analyst Webcasts
A follow-on to the SANS Analyst Program, Analyst Webcasts Tool Talks
provide key information from our whitepapers and surveys. Tool Talks are designed to give you a solid understanding of
a problem and how a vendor’s commercial tool can be used
to solve or mitigate that problem.

Other Free Resources (SANS.org account is not necessary)

• InfoSec Reading Room • Security Posters
• Top 25 Software Errors • Thought Leaders
• 20 Critical Controls • 20 Coolest Careers
• Security Policies • Security Glossary
• Intrusion Detection FAQs • SCORE (Security Consensus Operational
• Tip of the Day Readiness Evaluation)

Free Course Demos

With your SANS.org account, you can test drive many of our most
popular courses. Simply click on “Free Course Demo” at the top
of your selected course page on the website, and watch up to an
hour of that course via the SANS OnDemand platform.
www.sans.org/demos

As the leading provider of information

defense, security, and intelligence
training to military, government, and
industry groups, the SANS Institute is
proud to be a Corporate Member of the
AFCEA community.

www.sans.org