SANS Secure Canberra 2019
This event has concluded. Please see below for upcoming training events.
Security Courses on offer
SEC401: Security Essentials Bootcamp Style
Course Details
Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.
Is SEC401: Security Essentials Bootcamp Style the right course for you?
STOP and ask yourself the following questions:
- Do you fully understand why some organizations get compromised and others do not?
- If there were compromised systems on your network, are you confident that you would be able to find them?
- Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
- Are proper security metrics set up and communicated to your executives to drive security decisions?
If you do not know the answers to these questions, SEC401 course will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.
You Will Learn:
- To develop effective security metrics that provide a focused playbook that IT can implement, auditors can validate, and executives can understand
- To analyze and assess the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security
- Practical tips and tricks to focus in on high-priority security problems within your organization and on doing the right things that will lead to security solutions that work
- Why some organizations are winning and some are losing when it comes to security and, most importantly, how to be on the winning side
- The core areas of security and how to create a security program that is anchored on PREVENT-DETECT-RESPOND.
Learn to build a security roadmap that can scale today and into the future.
Price: $6,970 USD
Duration: 6 Days
Instructor: Bryan Simon
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
Course Details
The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.
You Will Learn:
- How best to prepare for an eventual breach
- The step-by-step approach used by many computer attackers
- Proactive and reactive defenses for each stage of a computer attack
- How to identify active attacks and compromises
- The latest computer attack vectors and how you can stop them
- How to properly contain attacks
- How to ensure that attackers do not return
- How to recover from computer attacks and restore systems for business
- How to understand and use hacking tools and techniques
- Strategies and tools for detecting each type of attack
- Attacks and defenses for Windows, Unix, switches, routers, and other systems
- Application-level vulnerabilities, attacks, and defenses
- How to develop an incident handling process and prepare a team for battle
- Legal issues in incident handling
Price: $6,970 USD
Duration: 6 Days
Instructor: Steve Anson
SEC555: SIEM with Tactical Analytics
Course Details
This course is designed to demystify the Security Information and Event Management (SIEM) architecture and process, by navigating the student through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration. The material will cover many bases in the “appropriate” use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once collected, the student will be shown how to present the gathered input into useable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but how to automate many of the processes mentioned so students may employ these tasks the day they return to the office.
The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real world results and visualizations.
This Course Will Prepare You To:
- Deploy the SANS SOF-ELK VM in production environments
- Demonstrate ways most SIEMs commonly lag current open source solutions (e.g. SOF-ELK)
- Bring students up to speed on SIEM use, architecture, and best practices
- Know what type of data sources to collect logs from
- Deploy a scalable logs solution with multiple ways to retrieve logs
- Operationalize ordinary logs into tactical data
- Develop methods to handle billions of logs from many disparate data sources
- Understand best practice methods for collecting logs
- Dig into log manipulation techniques challenging many SIEM solutions
- Build out graphs and tables that can be used to detect adversary activities and abnormalities
- Combine data into active dashboards that make analyst review more tactical
- Utilize adversary techniques against them by using frequency analysis in large data sets
- Develop baselines of network activity based on users and devices
- Develop baselines of Windows systems with the ability to detect changes from the baseline
- Apply multiple forms of analysis such as long tail analysis to find abnormalities
- Correlate and combine multiple data sources to achieve more complete understanding
- Provide context to standard alerts to help understand and prioritize them
- Use log data to establish security control effectiveness
- Implement log alerts that create virtual tripwires for early breach detection
Price: $6,970 USD
Duration: 6 Days
Instructor: Tim Garcia
SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses
Course Details
SEC599 aims to leverage the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.
Course authors Erik Van Buggenhout & Stephen Sims (both certified as GIAC Security Experts) are hands-on practitioners who have achieved a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked “But how do I prevent this type of attack?” With more than 20 labs plus a full-day “Defend-The-Flag” exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment, SEC599 gives students real world examples of how to prevent attacks.
Our six-day journey will start with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce the Advanced Persistent Threat (APT) Attack Cycle as a structured approach to describing attacks. In order to understand how attacks work, you will also compromise our virtual organization “SyncTechLabs” in our Day 1 exercises.
Throughout days 2 through 5 we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. Some of the topics we will address include:
- How red and blue teams can improve collaboration, forming a true purple team;
- How current advanced adversaries are breaching our defenses;
- Security controls structured around the Kill Chain, including:
- Setting up a fundamental detection capability using ELK, OSQuery, and Suricata
- Building your own mail sandbox solution to stop spear phishing using Suricata and Cuckoo
- Leveraging YARA rules to detect malicious payloads on disk and in memory
- Developing effective group policies to stop malicious code execution and implement script control (AppLocker, Software Restriction Policies, Script hardening, etc.)
- Stopping 0-day exploits using exploit mitigation techniques (leveraging EMET and ExploitGuard)
- Preventing malware persistence using least-privilege (UAC, Just-Enough-Admin, privileged account management, etc.)
- Detecting malware persistence using OSQuery
- Preventing lateral movement by hardening Windows Active Directory environments (e.g. CredentialGuard, Privileged Access Workstations, Protected Processes, etc.)
- Detecting lateral movement through Sysmon and Windows event monitoring
- Blocking and detecting command and control through network traffic analysis
- Managing, sharing and operationalizing threat intelligence using MISP
- Hunting for compromise in the network by leveraging Loki
In designing the course and its exercises, the authors went the extra mile to ensure that attendees “build” something that can be used later on. For this reason, the different technologies illustrated throughout the course (e.g., IDS systems, web proxies, sandboxes, visualization dashboards, etc.) will be provided as usable virtual machines on the course USB.
SEC599 will finish with a bang. During the “Defend-the-Flag” challenge on the final course day you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren’t slowing down, so what are you waiting for?
Price: $6,970 USD
Duration: 6 Days
Instructor: James Shewmaker
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
Course Details
SEC660 starts off by introducing advanced penetration concepts and providing an overview to prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts with a technical module on performing penetration testing against various cryptographic implementations, then turns to PowerShell and post exploitation, escaping Linux restricted environments and Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits as well as client-side exploitation techniques are covered. The final course day is devoted to numerous penetration testing challenges that require students to solve complex problems and capture flags.
Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.
You Will Learn:
- How to perform penetration testing safely against network devices such as routers, switches, and NAC implementations.
- How to test cryptographic implementations.
- How to leverage an unprivileged foothold for post exploitation and escalation.
- How to fuzz network and stand-alone applications.
- How to write exploits against applications running on Linux and Windows systems.
- How to bypass exploit mitigations such as ASLR, DEP, and stack canaries.
Price: $6,970 USD
Duration: 6 Days
Instructor: Tim Medin
FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
Course Details
This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hactivism. Constantly updated, FOR508: Advanced Incident Response and Threat Hunting addresses today’s incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.
The course uses a hands-on enterprise intrusion lab – modeled after a real-world targeted APT attack on an enterprise network and based on APT group tactics to target a network – to lead you to challenges and solutions via extensive use of the SIFT Workstation collection of tools.
During the intrusion and threat hunting lab exercises, you will identify where the initial targeted attack occurred and how the adversary is moving laterally through multiple compromised systems. You will also extract and create crucial cyber threat intelligence that can help you properly scope the compromise and detect future breaches.
During a targeted attack, an organization needs the best incident response team in the field. FOR508: Advanced Incident Response and Threat Hunting will train you and your team to respond, detect, scope, and stop intrusions and data breaches.
GATHER YOUR INCIDENT RESPONSE TEAM –
IT’S TIME TO GO HUNTING
FOR508 Incident Response and Threat Hunting Course Topics
- Advanced use of a wide range of best-of-breed open-source tools in the SIFT Workstation to perform incident response and digital forensics.
- Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and hacktivists.
- Threat hunting techniques that will aid in quicker identification of breaches.
- Rapid incident response analysis and breach assessment.
- Incident response and intrusion forensics methodology.
- Remote and enterprise incident response system analysis.
- Windows live incident response.
- Memory analysis during incident response and threat hunting.
- Detailed instruction on Windows enterprise credentials and how they are compromised.
- Internal lateral movement analysis and detection.
- Rapid and deep-dive timeline creation and analysis.
- Volume shadow copy exploitation for hunting threats and incident response.
- Detection of anti-forensics and adversary hiding techniques.
- Discovery of unknown malware on a system.
- Adversary threat intelligence development, indicators of compromise, and usage.
- Cyber-kill chain strategies.
- Step-by-step tactics and procedures to respond to and investigate intrusion cases
Price: $6,970 USD
Duration: 6 Days
Instructor: Joshua Lemon
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Course Details
This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.
Whether you are a consultant responding to a client’s site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of “threat hunters”, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensic alumni from 408 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.
The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the SOF-ELK platform – a VMware appliance pre-configured with the ELK stack. This “big data” platform includes the Elasticsearch storage and search database, the Logstash ingest and parse utility, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the Moloch platform is also used. Through all of the in-class labs, your shell scripting abilities will also be used to make easy work of ripping through hundreds and thousands of data records.
FOR572 is truly an advanced course – we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS…ONE BYTE (OR PACKET) AT A TIME.
Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:
- Foundational network forensics tools: tcpdump and Wireshark refresher
- Packet capture applications and data
- Unique considerations for network-focused forensic processes
- Network evidence types and sources
- Network architectural challenges and opportunities for investigators
- Investigation OPSEC and footprint considerations
- Network protocol analysis
- Domain Name Service
- Hypertext Transfer Protocol
- File Transfer Protocol
- Microsoft protocols
- Simple Mail Transfer Protocol
- Commercial network forensic tools
- Automated tools and libraries
- NetFlow
- Introduction
- Collection approaches
- Open-source NetFlow tools
- Wireless networking
- Capturing wireless traffic
- Modes of wireless operation
- Useful forensic artifacts from wireless traffic
- Common attack methods and detection
- Log data to supplement network examinations
- Syslog
- Microsoft Windows Eventing
- HTTP server logs
- Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
- Log collection, aggregation, and analysis
- Web proxy server examination
- Encryption
- Introduction
- Man-in-the-middle
- Secure HTTP/Secure Sockets Layer
- Deep packet work
- Network protocol reverse engineering
- Payload reconstruction
Price: $6,970 USD
Duration: 6 Days
Instructor: Ryan Johnson
CORE NetWars Tournament
Course Details
Laptop Requirements: A laptop capable of running a VMware virtual machine, with a DVD drive and connecting to an Ethernet network is required.
CORE NetWars Tournament participants receive 6 CPEs
CORE NetWars Tournament is a computer and network security challenge designed to test a participant’s experience and skills in a safe environment. It is accessible to a broad level of player skill ranges and is split into separate levels so that advanced players may quickly move through earlier levels to the level of their expertise.
NetWars Levels:
- Level 1 – Played on local Linux image without root
- Level 2 – Played on local Linux image with root
- Level 3 – Attack a DMZ
- Level 4 – Pivot to intranet
- Level 5 – Master of your domain… castle versus castle
Topics Include:
- Vulnerability Assessment
- Packet Analysis
- Penetration Testing
- System Hardening
- Malware Analysis
Digital Forensics and Incident Response
Who Should Attend:
- Security Professionals
- System Administrators
- Network Administrators
- Ethical Hackers
- Penetration Testers
- Incident Handlers
- Forensic Analysts
- Security auditors
- Vulnerability assessment personnel
- Security Operations Center (SOC) staff members
Price: $1,610 USD (FREE with any 4-6 day course )
Duration: 2 Evenings
Instructor: Tim Medin
After you complete the form, a SANS training advisor will contact you to answer any questions you might have on registrations, courses, and group discounts.
Ask us a question
Get answers! Our SANS training advisors are ready to take your call and provide all the information you need on upcoming courses.
1300 228 872
Mon – Fri, 9am – 6pm