About the course
SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.
What You Will Learn
SEC503 is one of the most important courses that you will take in your information security career. While past students describe it as the most difficult class they have ever taken, they also tell us it was the most rewarding. This course isn't for people who are simply looking to understand alerts generated by an out-of-the-box Intrusion Detection System (IDS). It's for people who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about. If you want to be able to find zero-day activities on your network before disclosure, this is definitely the class for you.
What sets this course apart from any other training is that we take a bottom-up approach to teaching network intrusion detection and network forensics. Rather than starting with a tool and teaching you how to use that tool in different situations, this course teaches you how and why TCP/IP protocols work the way they do. After spending the first two days examining what we call "Packets as a Second Language," we add in common application protocols and a general approach to researching and understanding new protocols. With this deep understanding of how network protocols work, we turn our attention to the most widely used tools in the industry to apply this deep knowledge. The result is that you will leave this class with a clear understanding of how to instrument your network and the ability to perform detailed incident analysis and reconstruction.
These benefits alone make this training completely worthwhile. What makes the course as important as we believe it is (and students tell us it is), is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today.
Preserving the security of your site in today's threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.
Mark Twain said, "It is easier to fool people than to convince them that they've been fooled." Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic, and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access and the ability to examine the alerts to give them meaning and context. You will learn to investigate and reconstruct activity to deem if it is noteworthy or a false indication.
This course delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Zeek, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Evening Bootcamp sessions and exercises force you to take the theory taught during the day and apply it to real-world problems immediately. Basic exercises include assistive hints, while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.
A Virtual machine (VM) is provided with tools of the trade. It is supplemented with demonstration PCAPs containing network traffic. This allows you to follow along on your laptop with the course material and demonstrations. The PCAPs also provide a good library of network traffic to use when reviewing the material, especially for the GCIA certification associated with this course.
SEC503 is most appropriate for students who monitor and defend their network, such as security analysts, although others may benefit from the course as well. Students range from seasoned analysts to novices with some TCP/IP background. Please note that the VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a Linux environment that uses the command line for entry, along with learning some of the core UNIX commands, before coming to class.
You Will Learn
How to analyze traffic traversing your site to avoid becoming another "Hacked!" headline
How to identify potentially malicious activities for which no IDS has published signatures
How to place, customize, and tune your IDS/IPS for maximum detection
Hands-on detection, analysis, and network forensic investigation with a variety of open-source tools
TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection
You Will Be Able To
Configure and run open-source Snort and write Snort signatures
Configure and run open-source Bro to provide a hybrid traffic analysis framework
Understand TCP/IP component layers to identify normal and abnormal traffic
Use open-source traffic analysis tools to identify signs of an intrusion
Comprehend the need to employ network forensics to investigate traffic to identify a possible intrusion
Use Wireshark to carve out suspicious file attachments
Write tcpdump filters to selectively examine a particular traffic trait
Craft packets with Scapy
Use the open-source network flow tool SiLK to find network behavior anomalies
Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire
The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra credit question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:
Day 1: Hands-On: Introduction to Wireshark
Day 2: Hands-On: Writing tcpdump filters
Day 3: Hands-On: IDS/IPS evasion theory
Day 4: Hands-On: Snort rules
Day 5: Hands-On: Analysis of three separate incident scenarios
Day 6: Hands-On: The entire day is spent engaged in the NetWars: IDS Version challenge
What You Will Receive
Electronic Courseware with each section's material
Electronic Workbook with hands-on exercises and questions
TCP/IP electronic cheat sheet
MP3 audio files of the complete course lecture
Syllabus (46 CPEs)
SEC503.1: Fundamentals of Traffic Analysis: Part I
SEC503.2: Fundamentals of Traffic Analysis: Part II
SEC503.3: Signature Based Detection
SEC503.4: Anomalies and Behaviors
SEC503.5: Modern and Future Monitoring: Forensics, Analytics, and Machine Learning
SEC503.6: IDS Capstone Challenge
GIAC Certified Intrusion Analyst
The GIAC Intrusion Analyst certification validates a practitioner’s knowledge of network and host monitoring, traffic analysis, and intrusion detection. GCIA certification holders have the skills needed to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files.
Fundamentals of Traffic Analysis and Application Protocols
Open-Source IDS: Snort and Bro
Network Traffic Forensics and Monitoring
Students must have at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP and Hex Quizzes.
Familiarity and comfort with the use of Linux commands such as cd, sudo, pwd, ls, more, less
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 60 gigabytes of free hard disk space.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
Mandatory Laptop Hardware Requirements
x86- or x64-compatible 2.4 GHz CPU minimum or higher
8GB RAM or higher
60 GB free hard drive space
Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
VMWare Workstation, Fusion, or Player, as stated above
Wireless Ethernet 802.11 B/G/N/AC
Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.