About the course
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
Mon, May 13 - Sat, May 18, 2019
Instructor: Erik Van Buggenhout
"Course content and labs were fantastic! Very good in identifying malicious actions taken and what to look out for -- great blue team related material."
- Jason Thurott, Hyatt
"The course content has been carefully crafted to provide students with the best advantages to defeat the advanced adversary."
- Dan Parry, Adeptio Solutions
You just got hired to help our virtual organization "SyncTechLabs" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service... We're not even sure where to start!"
Cyber threats are on the rise: ransomware is affecting small, medium and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will provide an in-depth understanding of how current adversaries operate and arm you with the knowledge and expertise you need to detect and respond to today's threats.
SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.
Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked "But how do I prevent this type of attack?" With more than 20 labs plus a full-day "Defend-the-Flag" exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real-world examples of how to prevent attacks.
Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization "SyncTechLabs" in our Day 1 exercises.
Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:
- How red and blue teams can improve collaboration, forming a true purple team;
- How current advanced adversaries are breaching our defenses;
- Security controls structured around the Kill Chain, including:
  - Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
  - Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
  - Leveraging YARA rules to detect malicious payloads on disk and in memory
  - Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, script hardening, etc.)
  - Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and Exploit Guard)
  - Preventing malware persistence using least privilege (UAC, Just Enough Administration, privileged account management, etc.)
  - Detecting malware persistence using OSQuery
  - Preventing lateral movement by hardening Windows Active Directory environments (e.g., Credential Guard, Privileged Access Workstations, Protected Processes, etc.)
  - Detecting lateral movement through Sysmon and Windows event monitoring
  - Blocking and detecting command and control through network traffic analysis
  - Managing, sharing, and operationalizing threat intelligence using MISP
  - Hunting for compromise in the network by leveraging Loki
In designing the course and its exercises, the authors went the extra mile to ensure that attendees "build" something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.
SEC599 will finish with a bang. During the "Defend-the-Flag" challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren't slowing down, so what are you waiting for?
SEC599.1: Knowing the Adversary, Knowing Yourself
SEC599.2: Averting Payload Delivery
SEC599.3: Preventing Exploitation
SEC599.4: Avoiding Installation, Foiling Command and Control, and Thwarting Lateral Movement
SEC599.5: Thwarting Exfiltration, Cyber Deception, and Incident Response
SEC599.6: Advanced Persistent Threat Defender Capstone
"After writing and teaching many advanced penetration testing and exploit development courses over the past 10 years, I started to see a trend developing. Often, over half of the students in each class were not actually penetration testers or those who would be writing 0-days. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks. This led to our idea to write a course that focused on teaching just enough of the offense to demonstrate the impact, and then focus the majority of the time on implementing controls to break the techniques used by adversaries and red team testers."
- Stephen Sims
"During my InfoSec career, I first focused on penetration testing for five years, then shifted my focus more and more to the world of incident response. It is during my incident response activities that I started observing the need for a structured approach to cyber defense. Single, stand-alone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have a defense-in-depth approach that enables us to implement security controls that counter each and every one of adversaries' attacking moves."
"SEC599 arms defenders with an in-depth understanding of how advanced adversaries are attempting to penetrate organizations. The APT attack cycle will provide in-depth technical insight into how attacks work from start to finish."
"Both Stephen Sims and I have extensive experience in penetration testing and incident response, which ideally positioned us to develop this course. I'm very excited about the course because I believe it fills a gap in the cyber defense curriculum. It is ideal for IT professionals who want to understand how adversaries are currently compromising IT environments and how every one of their moves can be prevented, detected, and even responded to. I strongly believe in learning by applying, so the course was designed to be highly hands-on. Throughout the week, students will complete 20+ labs and exercises, culminating in a full-day 'Defend-the-Flag' exercise on Day 6."
- Erik Van Buggenhout