About the course
SEC562 will prepare you to analyse and assess the security of control systems and related infrastructure and find vulnerabilities that could result in significant kinetic impact. In this innovative, cutting-edge course based on the SANS CyberCity kinetic range, you will learn how to analyse, control, and defend countless control systems, protocols, and other kinetic infrastructure you will face in the future. The course is chock full of practical skills you will be able to use in your own practice, including how to conduct penetration tests and assessments associated with kinetic infrastructure, how to rapidly prototype computer attack tools against specific vulnerabilities, and many more.
What You Will Learn
Computers, networks, and programmable logic controllers operate most of the physical infrastructure of our modern world, ranging from electrical power grids, water systems, and traffic systems all the way down to HVAC systems and industrial automation. Increasingly, security professionals need the skills to assess and defend these important infrastructures. In this innovative and cutting-edge course based on the SANS CyberCity kinetic range, you will learn how to analyze and assess the security of control systems and related infrastructures, finding vulnerabilities that could result in significant kinetic impact.
Syllabus (36 CPEs)
SEC562.1: Team Building, Visualizing the Battlespace, Recon, and HMIs
SEC562.2: Protocol Manipulation, Data Integrity, and Operator Interface Terminals
SEC562.3: Malware Analysis, Privilege Escalation, Incident Response, Passwords Guessing, and Networking Equipment
SEC562.4: Cryptography and ICS Protocols
SEC562.5: Power Grid, Weapons Systems, and Network Manipulation
SEC562.6: Force-On-Force Attack and Defend
At least one of the following courses: 560, 561, 542, or 575
IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS
To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.
IMPORTANT NOTE:You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to install and run VMware virtualization products described above.
Mandatory Laptop Hardware Requirements
x86- or x64-compatible 1.5 GHz CPU Minimum or higher
DVD Drive (not a CD drive)
8 GigaByte RAM minimum
Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
60 GigaByte available hard drive space
Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described above.
During the workshop, you will be connecting to one of the most hostile networks on planet Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
The world faces a critical shortage of individuals with the skills needed to defend the computer systems and network infrastructures that control our physical world. We built this course to help fill that gap, teaching cyber warriors how to analyze, control, and defend countless control systems, protocols, and other kinetic infrastructures they will increasingly face in the future. The course is chock full of practical skills that security professionals can use in their own practice. The coolest part of the course is the fact that students can actually see the impact on the city of their hands-on lab work through real-time streaming video to the classroom. For example, when you restore the power grid, you will actually see the lights in the city turn back on (and a newspaper article get published in real-time about the end of the blackout). Nearly every mission in the course provides visual impacts, which inspire and excite students and instructors alike.
-- Ed Skoudis, Josh Wright, and Tim Medin
Who Should Attend SEC562?
- Red & Blue team members
- Cyber warriors
- Incident handlers
- Penetration testers
- Ethical hackers
- Other security personnel who are first responders when systems come under attack.