SANS Secure Canberra 2019

18-23 March 2019

Information security training in Australia from SANS Institute, the global leader in security training. At SANS Secure Canberra 2019, SANS offers hands-on, immersion-style security training courses taught by real-world practitioners.

Pay in Australian Dollars when you register through Shearwater. Make sure to ask about group discounts.

Security Courses on offer

SEC401: Security Essentials Bootcamp Style

Course Details

Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.

Is SEC401: Security Essentials Bootcamp Style the right course for you?

STOP and ask yourself the following questions:

Do you fully understand why some organizations get compromised and others do not?
If there were compromised systems on your network, are you confident that you would be able to find them?
Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, SEC401 course will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.

You Will Learn:

To develop effective security metrics that provide a focused playbook that IT can implement, auditors can validate, and executives can understand
To analyze and assess the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security
Practical tips and tricks to focus in on high-priority security problems within your organization and on doing the right things that will lead to security solutions that work
Why some organizations are winning and some are losing when it comes to security and, most importantly, how to be on the winning side
The core areas of security and how to create a security program that is anchored on PREVENT-DETECT-RESPOND.

Learn to build a security roadmap that can scale today and into the future.

Price: $6,970 USD
Duration: 6 Days
Instructor: Bryan Simon

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Course Details

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You Will Learn:

How best to prepare for an eventual breach
The step-by-step approach used by many computer attackers
Proactive and reactive defenses for each stage of a computer attack
How to identify active attacks and compromises
The latest computer attack vectors and how you can stop them
How to properly contain attacks
How to ensure that attackers do not return
How to recover from computer attacks and restore systems for business
How to understand and use hacking tools and techniques
Strategies and tools for detecting each type of attack
Attacks and defenses for Windows, Unix, switches, routers, and other systems
Application-level vulnerabilities, attacks, and defenses
How to develop an incident handling process and prepare a team for battle
Legal issues in incident handling

Price: $6,970 USD
Duration: 6 Days
Instructor: Steve Anson

SEC555: SIEM with Tactical Analytics

Course Details

This course is designed to demystify the Security Information and Event Management (SIEM) architecture and process, by navigating the student through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration. The material will cover many bases in the “appropriate” use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once collected, the student will be shown how to present the gathered input into useable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but how to automate many of the processes mentioned so students may employ these tasks the day they return to the office.

The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real world results and visualizations.

This Course Will Prepare You To:

Deploy the SANS SOF-ELK VM in production environments
Demonstrate ways most SIEMs commonly lag current open source solutions (e.g. SOF-ELK)
Bring students up to speed on SIEM use, architecture, and best practices
Know what type of data sources to collect logs from
Deploy a scalable logs solution with multiple ways to retrieve logs
Operationalize ordinary logs into tactical data
Develop methods to handle billions of logs from many disparate data sources
Understand best practice methods for collecting logs
Dig into log manipulation techniques challenging many SIEM solutions
Build out graphs and tables that can be used to detect adversary activities and abnormalities
Combine data into active dashboards that make analyst review more tactical
Utilize adversary techniques against them by using frequency analysis in large data sets
Develop baselines of network activity based on users and devices
Develop baselines of Windows systems with the ability to detect changes from the baseline
Apply multiple forms of analysis such as long tail analysis to find abnormalities
Correlate and combine multiple data sources to achieve more complete understanding
Provide context to standard alerts to help understand and prioritize them
Use log data to establish security control effectiveness
Implement log alerts that create virtual tripwires for early breach detection

Price: $6,970 USD
Duration: 6 Days
Instructor: Tim Garcia

SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

Course Details

SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.

Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked “But how do I prevent this type of attack?” With more than 20 labs plus a full-day “Defend-The-Flag” exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real world examples of how to prevent attacks.

Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization “SyncTechLabs” in our Day 1 exercises.

Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:

How red and blue teams can improve collaboration, forming a true purple team;
How current advanced adversaries are breaching our defenses;
Security controls structured around the Kill Chain, including:
- Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
- Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
- Leveraging YARA rules to detect malicious payloads on disk and in memory
- Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, Script hardening, etc.)
- Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and ExploitGuard)
- Preventing malware persistence using least-privilege (UAC, Just-Enough-Admin, privileged account management, etc.)
- Detecting malware persistence using OSQuery
- Preventing lateral movement by hardening Windows Active Directory environments (e.g. CredentialGuard, Privileged Access Workstations, Protected Processes, etc.)
- Detecting lateral movement through Sysmon and Windows event monitoring
- Blocking and detecting command and control through network traffic analysis
- Managing, sharing and operationalizing threat intelligence using MISP
- Hunting for compromise in the network by leveraging Loki

In designing the course and its exercises, the authors went the extra mile to ensure that attendees “build” something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.

SEC599 will finish with a bang. During the “Defend-the-Flag” challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren’t slowing down, so what are you waiting for?

Price: $6,970 USD
Duration: 6 Days
Instructor: James Shewmaker

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

Course Details

SEC660 starts off by introducing advanced penetration concepts and providing an overview to prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts with a technical module on performing penetration testing against various cryptographic implementations, then turns to PowerShell and post exploitation, escaping Linux restricted environments and Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits as well as client-side exploitation techniques are covered. The final course day is devoted to numerous penetration testing challenges that require students to solve complex problems and capture flags.

Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.

You Will Learn:

How to perform penetration testing safely against network devices such as routers, switches, and NAC implementations.
How to test cryptographic implementations.
How to leverage an unprivileged foothold for post exploitation and escalation.
How to fuzz network and stand-alone applications.
How to write exploits against applications running on Linux and Windows systems.
How to bypass exploit mitigations such as ASLR, DEP, and stack canaries.

Price: $6,970 USD
Duration: 6 Days
Instructor: Tim Medin

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting

Course Details

This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hactivism. Constantly updated, FOR508: Advanced Incident Response and Threat Hunting addresses today’s incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

The course uses a hands-on enterprise intrusion lab – modeled after a real-world targeted APT attack on an enterprise network and based on APT group tactics to target a network – to lead you to challenges and solutions via extensive use of the SIFT Workstation collection of tools.

During the intrusion and threat hunting lab exercises, you will identify where the initial targeted attack occurred and how the adversary is moving laterally through multiple compromised systems. You will also extract and create crucial cyber threat intelligence that can help you properly scope the compromise and detect future breaches.

During a targeted attack, an organization needs the best incident response team in the field. FOR508: Advanced Incident Response and Threat Hunting will train you and your team to respond, detect, scope, and stop intrusions and data breaches.

GATHER YOUR INCIDENT RESPONSE TEAM –

IT’S TIME TO GO HUNTING

FOR508 Incident Response and Threat Hunting Course Topics

Advanced use of a wide range of best-of-breed open-source tools in the SIFT Workstation to perform incident response and digital forensics.
Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and hacktivists.
Threat hunting techniques that will aid in quicker identification of breaches.
Rapid incident response analysis and breach assessment.
Incident response and intrusion forensics methodology.
Remote and enterprise incident response system analysis.
Windows live incident response.
Memory analysis during incident response and threat hunting.
Detailed instruction on Windows enterprise credentials and how they are compromised.
Internal lateral movement analysis and detection.
Rapid and deep-dive timeline creation and analysis.
Volume shadow copy exploitation for hunting threats and incident response.
Detection of anti-forensics and adversary hiding techniques.
Discovery of unknown malware on a system.
Adversary threat intelligence development, indicators of compromise, and usage.
Cyber-kill chain strategies.
Step-by-step tactics and procedures to respond to and investigate intrusion cases

Price: $6,970 USD
Duration: 6 Days
Instructor: Joshua Lemon

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Course Details

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.

Whether you are a consultant responding to a client’s site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of “threat hunters”, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensic alumni from 408 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the SOF-ELK platform – a VMware appliance pre-configured with the ELK stack. This “big data” platform includes the Elasticsearch storage and search database, the Logstash ingest and parse utility, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the Moloch platform is also used. Through all of the in-class labs, your shell scripting abilities will also be used to make easy work of ripping through hundreds and thousands of data records.

FOR572 is truly an advanced course – we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS…ONE BYTE (OR PACKET) AT A TIME.

Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:

Foundational network forensics tools: tcpdump and Wireshark refresher
Packet capture applications and data
Unique considerations for network-focused forensic processes
- Network evidence types and sources
- Network architectural challenges and opportunities for investigators
- Investigation OPSEC and footprint considerations
Network protocol analysis
- Domain Name Service
- Hypertext Transfer Protocol
- File Transfer Protocol
- Microsoft protocols
- Simple Mail Transfer Protocol
Commercial network forensic tools
Automated tools and libraries
NetFlow
- Introduction
- Collection approaches
- Open-source NetFlow tools
Wireless networking
- Capturing wireless traffic
- Modes of wireless operation
- Useful forensic artifacts from wireless traffic
- Common attack methods and detection
Log data to supplement network examinations
- Syslog
- Microsoft Windows Eventing
- HTTP server logs
- Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
- Log collection, aggregation, and analysis
- Web proxy server examination
Encryption
- Introduction
- Man-in-the-middle
- Secure HTTP/Secure Sockets Layer
Deep packet work
- Network protocol reverse engineering
- Payload reconstruction

Price: $6,970 USD
Duration: 6 Days
Instructor: Ryan Johnson

CORE NetWars Tournament

Course Details

Laptop Requirements: A laptop capable of running a VMware virtual machine, with a DVD drive and connecting to an Ethernet network is required.

CORE NetWars Tournament participants receive 6 CPEs

CORE NetWars Tournament is a computer and network security challenge designed to test a participant’s experience and skills in a safe environment. It is accessible to a broad level of player skill ranges and is split into separate levels so that advanced players may quickly move through earlier levels to the level of their expertise.

NetWars Levels:

Level 1 – Played on local Linux image without root
Level 2 – Played on local Linux image with root
Level 3 – Attack a DMZ
Level 4 – Pivot to intranet
Level 5 – Master of your domain… castle versus castle

Topics Include:

Vulnerability Assessment
Packet Analysis
Penetration Testing
System Hardening
Malware Analysis

Digital Forensics and Incident Response

Who Should Attend:

Security Professionals
System Administrators
Network Administrators
Ethical Hackers
Penetration Testers
Incident Handlers
Forensic Analysts
Security auditors
Vulnerability assessment personnel
Security Operations Center (SOC) staff members

Price: $1,610 USD (FREE with any 4-6 day course )
Duration: 2 Evenings
Instructor: Tim Medin

Need help? Talk to a training Advisor

Ask us a question

Get answers! Our SANS training advisors are ready to take your call and provide all the information you need on upcoming courses.

1300 228 872
Mon – Fri, 9am – 6pm

SANS Secure Canberra 2019

Security Courses on offer

1300 228 872

Request a Callback

2019 Course Catalogue

Request a Callback

Ask us a question

Compliance

Penetration Testing

Managed Services

Phishing Prevention

Company

Subscribe to Our Security Updates

Search for products or services