About the course
Cert: GCIH GIAC Certified Incident Handler
SEC504 will prepare you to turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still so prevalent, and everything in between. You will learn the most modern, step-by-step processes for incident response; how attackers undermine systems so you can prepare, detect, and respond to them; and how to discover holes in your system before the bad guys do. Instead of merely teaching you a few hack attack tricks, this course will give you hands-on experience, equip you with a comprehensive incident handling plan, and help you understand the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.
What You Will Learn
The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the hundreds to thousands of daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.
This course will enable you to turn the tables on computer attackers by helping you understand their tactics and strategies, providing you with hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process to respond to computer incidents and a detailed description of how attackers undermine systems so you can prevent, detect, and respond to them. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. Applying these skills in your own organization will enable you to discover the flaws in your system before the bad guys do!
The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to thwart attacks.
You will learn:
- How to best prepare for an eventual breach
- The step-by-step approach used by many computer attackers
- Proactive and reactive defenses for each stage of a computer attack
- How to identify active attacks and compromises
- The latest computer attack vectors and how you can stop them
- How to properly contain attacks
- How to ensure that attackers do not return
- How to recover from computer attacks and restore systems for business
- How to understand and use hacking tools and techniques
- Strategies and tools to detect each type of attack
- Application-level vulnerabilities, attacks, and defenses
- How to develop an incident handling process and prepare a team for battle
- Legal issues in incident handling
If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.
We are often asked the differences between SEC504 and SEC560, and what is covered in each course. Please see our FAQ to further clarify the course details.
SEC504 vs. SEC560 FAQ
Syllabus (38 CPEs)
SEC504.1: Incident Response and Computer Crime Investigations
SEC504.2: Recon, Scanning, and Enumeration Attacks
SEC504.3: Password and Access Attacks
SEC504.4: Public-Facing and Drive-By Attacks
SEC504.5: Evasion and Post-Exploitation Attacks
SEC504.6: Capture the Flag Event
GIAC Certified Incident Handler
The GIAC Incident Handler certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.
- Incident Handling and Computer Crime Investigation
- Computer and Network Hacker Exploits
- Hacker Tools (Nmap, Nessus, Metasploit and Netcat)
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
64-bit Intel i5/i7 2.0+ GHz processor
Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.
8 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Hard Drive Free Space
100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
Additional Software Requirements
VMware Player Install
VMware Workstation Player 15, VMware Fusion 11, or VMware Workstation 15
Install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.
In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We'll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you'll be better prepared to identify attacks and protect your network from sophisticated adversaries."
"Our instructor Josh was incredible! Engaging, enthusiastic, extremely knowledgeable (especially vim, WOW). His enthusiasm is contagious and really motivating to the material. Keep up the great work Josh!" - Jen F., US Federal Agency
Ways to Learn
Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.
In Person (6 days)
Training events and topical summits feature presentations and courses in classrooms around the world.
Who Should Attend SEC504?
Leaders of incident response teams
System administrators who are on the front lines defending their systems and responding to attacks
Other security personnel who are first responders when systems come under attack
General security practitioners and security architects who want to design, build, and operate their systems to prevent, detect, and respond to attacks
"SEC504 is a great class overall that is perfect for pen testers and defenders alike. It has greatly helped me understand how attackers think, how they gather information, and how they maintain and gain control of systems." - Evan Brunk, Acuity Insurance
There are currently no new dates advertised for this course