SEC503: Cyber Security Training at SANS Cyber Security East: Jan 2025

Provided by

Enquire about this course

What You Will Learn
Detect, Analyze, Protect: Master Proactive Network Threat Detection

SEC503 is the most important course that you will take in your information security career. Past students describe it as the most difficult but most rewarding course they've ever taken. If you want to be able to perform effective threat hunting to find zero-day activities on your network before public disclosure, this is definitely the course for you. SEC503 is not for people looking to understand alerts generated by an out-of-the-box network monitoring tool; rather, it is for those who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about. Check out the extensive course description below for a detailed run down of course content and don't miss the free demo available by clicking the "Course Demo" button above!

What sets SEC503 apart from any other course in this space is that we take a bottom-up approach to teaching network monitoring and network forensics, which leads naturally to effective threat hunting. Rather than starting with a tool and teaching you how to use it in different situations, this course teaches you how and why TCP/IP protocols work the way they do. The first two sections present what we call "Packets as a Second Language", then we move to presenting common application protocols and a general approach to researching and understanding new protocols. Throughout the discussion, direct application of this knowledge is made to identify both zero-day and known threats.

With this deep understanding of how network protocols work, we turn our attention to the most important and widely used automated threat detection and mitigation tools in the industry. You will you learn how to develop efficient detection capabilities with these tools, and you'll come to understand what existing rules are doing and identify whether they are useful. The result is that you will leave this course with a clear understanding of how to instrument your network and perform detailed threat hunting, incident analysis, network forensics, and reconstruction.

What makes SEC503 as important as we believe it is (and students tell us it is) is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today. Preserving the security of your network in today's threat environment is more challenging than ever, especially as you migrate more and more services into the cloud. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable.

Some of the specific technical knowledge and hands-on training in SEC503 covers the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, enabling you to intelligently examine network traffic for signs of compromise or zero-day threat. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution, and evening Bootcamp sessions force you to apply the theory learned during the day to real-world problems immediately. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

SEC503 is most appropriate for students who monitor, defend, and conduct threat hunting on their network, including security analysts and those who work in Security Operations Centers, although red team members often tell us that the course also ups their game, especially when it comes to avoiding detection.
Business Takeaways

This course will help your organization:
  • Avoid your organization becoming another front page headline
  • Augment detection in traditional, hybrid, and cloud network environments
  • Increase efficiency in threat modeling for network activities
  • Decrease attacker dwell time
You Will Learn
  • How to analyze traffic traversing your site to avoid becoming another headline
  • How to identify zero-day threats for which no network monitoring tool has published signatures
  • How to place, customize, and tune your network monitoring for maximum detection
  • How to triage network alerts, especially during an incident
  • How to reconstruct events to determine what happened, when, and who did it
  • Hands-on detection, analysis, and network forensic investigation with a variety of tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits and problems inherent in using signature-based network monitoring tools
  • The power of behavioral network monitoring tools for enterprise-wide automated correlation, and how to use them effectively
  • How to perform effective threat modeling for network activities
  • How to translate threat modeling into detection capabilities for zero-day threats
  • How to use flow and hybrid traffic analysis frameworks to augment detection in traditional, hybrid, and cloud network environments
You Will Be Able To
  • Configure and run Snort and Suricata
  • Create and write effective and efficient Snort, Suricata and FirePOWER rules
  • Configure and run open-source Zeek to provide a hybrid traffic analysis framework
  • Create automated threat hunting correlation scripts in Zeek
  • Understand TCP/IP component layers to identify normal and abnormal traffic for threat identification
  • Use traffic analysis tools to identify signs of a compromise or active threat
  • Perform network forensics to investigate traffic to identify TTPs and find active threats
  • Carve out files and other types of content from network traffic to reconstruct events
  • Create BPF filters to selectively examine a particular traffic trait at scale
  • Craft packets with Scapy
  • Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
  • Use your knowledge of network architecture and hardware to customize placement of network monitoring sensors and sniff traffic off the wire
The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra credit question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:
  • Section 1: Hands-On: Introduction to Wireshark
  • Section 2: Hands-On: Writing tcpdump Filters
  • Section 3: Hands-On: Snort Rules
  • Section 4: Hands-On: IDS/IPS Evasion Theory
  • Section 5: Hands-On: Analysis of Three Separate Incident Scenarios
You Will Receive
  • Electronic courseware with each course section's material
  • Electronic workbook with hands-on exercises and questions
  • TCP/IP electronic cheat sheet
  • MP3 audio files of the complete course lecture
What Comes Next?

Depending on your current role or future plans, one of these courses is a great next step in your cybersecurity journey:
  • Security Engineer
    • SEC505: Securing Windows and PowerShell Automation
    • SEC511: Continuous Monitoring and Security Operations
    • SEC573: Automating Information Security with Python
    • SEC586: Security Automation with PowerShell
  • Security Architect
    • SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
  • Security Lead or Manager
    • SEC547: Defending Product Supply Chains
    • LDR551: Building and Leading Security Operations Centers


Start date Location / delivery
27 Jan 2025 Virtual Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...