SEC503 is the most important course that you will take in your information security career. Past students describe it as the most difficult but most rewarding course they've ever taken. If you want to be able to perform effective threat hunting to find zero-day activities on your network before public disclosure, this is definitely the course for you. SEC503 is not for people looking to understand alerts generated by an out-of-the-box network monitoring tool; rather, it is for those who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about.
What sets SEC503 apart from any other course in this space is that we take a bottom-up approach to teaching network monitoring and network forensics, which leads naturally to effective threat hunting. Rather than starting with a tool and teaching you how to use it in different situations, this course teaches you how and why TCP/IP protocols work the way they do. The first two sections present what we call "Packets as a Second Language", then we move to presenting common application protocols and a general approach to researching and understanding new protocols. Throughout the discussion, direct application of this knowledge is made to identify both zero-day and known threats.
With this deep understanding of how network protocols work, we turn our attention to the most important and widely used automated threat detection and mitigation tools in the industry. You will learn how to develop efficient detection capabilities with these tools, and you'll come to understand what existing rules are doing and identify whether they are useful. The result is that you will leave this course with a clear understanding of how to instrument your network and perform detailed threat hunting, incident analysis, network forensics, and reconstruction.
What makes SEC503 as important as we believe it is (and students tell us it is) is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today. Preserving the security of your network in today's threat environment is more challenging than ever, especially as you migrate more and more services into the cloud. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable.
Some of the specific technical knowledge and hands-on training in SEC503 covers the underlying theory of TCP/IP and the most commonly used application protocols, such as DNS and HTTP, enabling you to intelligently examine network traffic for signs of compromise or zero-day threat. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution, and evening Bootcamp sessions force you to apply the theory learned during the day to real-world problems immediately. Basic exercises include assistive hints, while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.
SEC503 is most appropriate for students who monitor, defend, and conduct threat hunting on their network, including security analysts and those who work in Security Operations Centers, although red team members often tell us that the course also ups their game, especially when it comes to avoiding detection.
This course will help your organization:
- Avoid your organization becoming another front page headline
- Augment detection in traditional, hybrid, and cloud network environments
- Increase efficiency in threat modeling for network activities
- Decrease attacker dwell time
You Will Learn:
- How to analyze traffic traversing your site to avoid becoming another headline
- How to identify zero-day threats for which no network monitoring tool has published signatures
- How to place, customize, and tune your network monitoring for maximum detection
- How to triage network alerts, especially during an incident
- How to reconstruct events to determine what happened, when, and who did it
- Hands-on detection, analysis, and network forensic investigation with a variety of tools
- TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
- The benefits and problems inherent in using signature-based network monitoring tools
- The power of behavioral network monitoring tools for enterprise-wide automated correlation, and how to use them effectively
- How to perform effective threat modeling for network activities
- How to translate threat modeling into detection capabilities for zero-day threats
- How to use flow and hybrid traffic analysis frameworks to augment detection in traditional, hybrid, and cloud network environments
You Will Be Able To:
- Configure and run Snort and Suricata
- Create and write effective and efficient Snort, Suricata and FirePOWER rules
- Configure and run open-source Zeek to provide a hybrid traffic analysis framework
- Create automated threat hunting correlation scripts in Zeek
- Understand TCP/IP component layers to identify normal and abnormal traffic for threat identification
- Use traffic analysis tools to identify signs of a compromise or active threat
- Perform network forensics to investigate traffic to identify TTPs and find active threats
- Carve out files and other types of content from network traffic to reconstruct events
- Create BPF filters to selectively examine a particular traffic trait at scale
- Craft packets with Scapy
- Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
- Use your knowledge of network architecture and hardware to customize placement of network monitoring sensors and sniff traffic off the wire
The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra credit question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:
- Section 1: Hands-On: Introduction to Wireshark
- Section 2: Hands-On: Writing tcpdump Filters
- Section 3: Hands-On: Snort Rules
- Section 4: Hands-On: IDS/IPS Evasion Theory
- Section 5: Hands-On: Analysis of Three Separate Incident Scenarios
You Will Receive:
- Electronic courseware with each course section's material
- Electronic workbook with hands-on exercises and questions
- TCP/IP electronic cheat sheet
- MP3 audio files of the complete course lecture
IMPORTANT - BRING YOUR OWN LAPTOP
You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises. The VMware image used in the course is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a Linux environment that uses the command line for entry, along with learning some of the core UNIX commands, before coming to class.
You can use any version of Windows, Mac OSX, or Linux as your core operating system, provided it can install and run current VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 60 gigabytes of free hard disk space.
Please download and install one of the following on your system prior to the start of the class: VMware Workstation 14, VMware Player 14, or VMware Fusion 10 or higher. If you do not own a licensed copy of VMware Workstation, VMware Player, or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Mandatory Laptop Hardware Requirements
- x86- or x64-compatible Core i7 or higher (or equivalent)
- USB Port
- 8GB RAM or higher
- 60 GB free hard drive space
- Windows 10, Windows 11, Intel based MacOS, or Intel based Linux (any type)
- VMware Workstation, Fusion, or Player, as stated above
- For live events, WiFi is required
Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.
By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.
If you have additional questions about the laptop specifications, please contact email@example.com.