SEC550: SANS Tokyo January 2023

What You Will Learn

Traditional defensive controls are failing us. The time it takes for an attacker to go from initial compromise to lateral movement is rapidly decreasing while the time it takes to detect and effectively respond to breaches is measured in weeks or even months. Making the situation worse, studies such as the 2020 Cost of a Data Breach Report by the Ponemon Institute show a direct correlation between the time it takes to detect and respond to a breach and the cost of that breach to an organization; the longer it takes, the more a breach costs. To reduce risk, defenders need better ways to quickly detect adversary activity while also collecting information to facilitate faster and more effective response.

Cyber deception is the solution for reducing this response time and minimizing cost. SEC550: Cyber Deception, Active Defense, and Offensive Countermeasures will give you an understanding of the core principles of cyber deception, allowing you to plan and implement cyber deception campaigns to fit virtually any environment.

The majority of detective controls in use today focus on looking for "evil", but attackers do a great job of appearing harmless or even invisible. Technologies such as anti-virus, application whitelisting, DLP, and firewalls can be circumvented with relative ease. A common solution is to change the detective strategy from looking for "evil" to looking for "abnormal." However, attempting to "normalize" even fairly small computing environments can be both challenging and time-consuming.

Fortunately, there are alternatives. Instead of attempting to normalize a production environment, what if we placed resources in that environment that have no production value or use? These resources could be user accounts, credentials, services, open ports, computers, or even complete networks. Because these resources are not part of normal production operations, "normal" can be defined as no interaction or no use. In other words, since there is no reason for legitimate interaction with these deceptive resources, any interaction is abnormal and there are very few "false positive" alerts. This creates a high-fidelity, low-noise detection solution. Furthermore, because the deceptive resources can be monitored and/or configured to generate logs, defenders can collect significant amounts of actionable threat intelligence and attack attribution information, facilitating faster and more effective response. Better yet, this all occurs while attackers are busy attempting to hack deceptive systems, distracting them from actual production resources.
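The detection logic this paragraph describes, as an added example that is not course material or SANS code: decoy accounts and a decoy host are defined, every log line that touches one of them becomes an alert (failed attempts included), and alerts are grouped by source address as attribution data. The decoy identifiers, the log lines and the key=value log format are all constructed assumptions.

```python
from dataclasses import dataclass

# Deceptive resources with no production use (constructed sample values); nobody has a
# legitimate reason to touch them, so any interaction is abnormal by definition.
DECOY_ACCOUNTS = {"svc_backup_admin", "jsmith_old"}
DECOY_HOSTS = {"10.0.5.250"}  # a decoy server that serves no production role

# Constructed sample log lines in a simple key=value format (not real telemetry)
SAMPLE_LOGS = """\
2023-01-23T09:12:01Z host=fs01 src=10.0.2.14 user=alice action=logon result=success
2023-01-23T09:15:07Z host=dc01 src=10.0.7.33 user=svc_backup_admin action=logon result=failure
2023-01-23T09:15:09Z host=dc01 src=10.0.7.33 user=svc_backup_admin action=logon result=failure
2023-01-23T09:16:30Z host=decoy-web src=10.0.7.33 dst=10.0.5.250 user=- action=tcp_connect result=success
2023-01-23T09:20:00Z host=fs01 src=10.0.2.20 user=bob action=logon result=success
"""

@dataclass
class Alert:
    timestamp: str
    source_ip: str   # attribution data: who touched the decoy
    decoy: str       # which deceptive resource was touched
    action: str
    result: str      # failures count too: the attempt itself is the signal

def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields

def detect_decoy_interactions(log_text, accounts=DECOY_ACCOUNTS, hosts=DECOY_HOSTS):
    """Every line that touches a decoy account or decoy host becomes an alert."""
    alerts = []
    for f in filter(None, map(parse_line, log_text.splitlines())):
        if f.get("user") in accounts:
            alerts.append(Alert(f["ts"], f.get("src", "?"), f["user"], f.get("action", "?"), f.get("result", "?")))
        elif f.get("dst") in hosts:
            alerts.append(Alert(f["ts"], f.get("src", "?"), f["dst"], f.get("action", "?"), f.get("result", "?")))
    return alerts

def attribution_summary(alerts):
    """Group the decoys touched by source IP: a starting point for attack attribution."""
    summary = {}
    for a in alerts:
        summary.setdefault(a.source_ip, []).append(a.decoy)
    return summary
```

Legitimate users (alice, bob) never appear in the alert list, which is the low-noise property the text describes; the only source that does appear is the one that probed the decoys.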

In this hands-on course, you will not only learn cyber deception theory and concepts but also play an active role working with deception technology during more than 15 hours of guided exercises. By the end of the course, you will understand the value of cyber deception and have practical experience you can immediately draw on to protect your own computing environment.

  • Why cyber deception completely changes the information security game
  • How to use cyber deception to detect attackers on your network as much as 90% faster than through the use of traditional detection technologies
  • How to collect actionable threat intelligence and attack attribution information through the use of deception technologies
  • How to create an environment where attackers need to be perfect to avoid detection, while you need to be right only once to catch them
  • How to actively engage attackers in real time
  • How to thwart attacks before attackers send a single packet towards your network
  • How to take back the advantage from attackers
  • Design, implement, evaluate, and manage a comprehensive cyber deception program
  • Detect attacker activity on your network more quickly
  • Reduce false positive alerts
  • Respond to attacks more effectively
  • Deter or thwart attacks before they occur

Start date: 23 Jan 2023
Location / delivery: Tokyo
