About the course
Cyber Security Training in Zurich 2019
SANS is recognised around the world as the best place to develop the deep, hands-on cyber security skills most needed right now. Join us for SANS Zurich (February 18-23) for immersion training that will provide you with the skills to defend your organisation against security breaches and prevent future attacks.
All SANS courses are world-class cyber security courses, but every event we like to choose a course and ask the instructors to give a bit more insight into the course.
Take advantage of these opportunities to get the most of your training:
Distinguish yourself as an information security leader by preparing for your GIAC Certification.
Network with like-minded security professionals facing similar challenges.
Attend evening bonus sessions led by SANS instructors and gain insight into the latest cyber security topics.
Extend your SANS course by four months with an OnDemand Bundle.
Our mission at SANS is to deliver cutting-edge information security knowledge and skills to all students in order to protect people and assets. At the heart of everything we do is the SANS Promise: Students will be able to use the new skills they have learned as soon as they return to work. See that promise in action at SANS Zurich 2019.
Instructor: Erik Van Buggenhout
You just got hired to help our virtual organization "SyncTechLabs" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service...We're not even sure where to start!"
Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will provide an in-depth understanding of how current adversaries operate and arm you with the knowledge and expertise you need to detect and respond to today's threats.
SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.
Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked "But how do I prevent this type of attack?" With more than 20 labs plus a full-day "Defend-The-Flag" exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real world examples of how to prevent attacks.
Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" in our Day 1 exercises.
Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:
How red and blue teams can improve collaboration, forming a true purple team;
How current advanced adversaries are breaching our defenses;
Security controls structured around the Kill Chain, including:
Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
Leveraging YARA rules to detect malicious payloads on disk and in memory
Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, Script hardening, etc.)
Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and ExploitGuard)
Preventing malware persistence using least-privilege (UAC, Just-Enough-Admin, privileged account management, etc.)
Detecting malware persistence using OSQuery
Preventing lateral movement by hardening Windows Active Directory environments (e.g. CredentialGuard, Privileged Access Workstations, Protected Processes, etc.)
Detecting lateral movement through Sysmon and Windows event monitoring
Blocking and detecting command and control through network traffic analysis
Managing, sharing and operationalizing threat intelligence using MISP
Hunting for compromise in the network by leveraging Loki
In designing the course and its exercises, the authors went the extra mile to ensure that attendees "build" something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.
SEC599 will finish with a bang. During the "Defend-the-Flag" challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?
SEC599.1: Knowing the Adversary, Knowing Yourself
SEC599.2: Averting Payload Delivery
SEC599.3: Preventing Exploitation
SEC599.4: Avoiding Installation, Foiling Command and Control, and Thwarting Lateral Movement
SEC599.5: Thwarting Exfiltration, Cyber Deception, and Incident Response
SEC599.6: Advanced Persistent Threat Defender Capstone