SEC599: SANS Paris Republique September 2025
Provided by SANS
What You Will Learn
You just got hired to help our virtual organization "SYNCTECHLABS" build out a cyber security capability. On your first day, your manager tells you: "We looked at some recent cyber security trend reports and we feel like we've lost the plot. Advanced persistent threats, ransomware, denial of service... We're not even sure where to start!"
Cyber threats are on the rise: ransomware tactics are affecting small, medium, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.
Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: "How do I prevent or detect this type of attack?" Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.
Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization "SYNCTECHLABS" in section one exercises.
In sections two, three, four and five we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:
- Leveraging MITRE ATT&CK as a "common language" in the organization
- Building your own Cuckoo sandbox solution to analyze payloads
- Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
- Highlighting key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
- Stopping 0-day exploits using ExploitGuard and application whitelisting
- Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
- Detecting and preventing malware persistence
- Leveraging the Elastic stack as a central log analysis solution
- Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
- Blocking and detecting command and control through network traffic analysis
- Leveraging threat intelligence to improve your security posture
Purple Team Course FAQ
Business Takeaways
- Understand how recent high-profile attacks were delivered and how they could have been stopped
- Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks
SEC599 leverages SANS OnDemand systems, where attendees will be able to complete the 20+ labs in the course in a full-fledged browser environment. This eliminates possible issues with student laptops and increases time spent on actually learning security topics, not configuring virtual machines. The student VMs are provided to allow students to continue learning at home!
Examples of the practical labs and exercises you will complete in this course will enable you to:
- Use MITRE ATT&CK Navigator to assess different techniques
- Leverage MITRE ATT&CK as a "common language" in the organization
- Build your own Cuckoo sandbox solution to analyze payloads
- Develop effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
- Highlight key bypass strategies for script controls (Unmanaged PowerShell, AMSI bypasses, etc.)
- Stop 0-day exploits using ExploitGuard and application whitelisting
- Highlight key bypass strategies in application whitelisting (focus on AppLocker), including:
- Detect and avoid malware persistence using Autoruns and OSQuery
- Leverage the Elastic stack as a central log analysis solution
- Detect and prevent lateral movement through Sysmon, Windows event monitoring, and group policies
- Block and detect command and control through network traffic analysis using Suricata, Zeek, and RITA
- Leverage threat intelligence to improve your security posture using MISP, Loki, and Volatility
- MP3 audio files of the complete course lecture
- Digital Download Package that includes:
- Virtual machines for training
- Electronic Courseware
- Download link to the target VMs
Start date | Location / delivery |
---|---|
29 Sep 2025 | Paris |