by Mike Poor
Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This challenging track methodically progresses from understanding the theory of TCP/IP, examining packets, using Snort to analyze traffic, and becoming familiar with the tools and techniques for traffic and intrusion analysis, to reinforcing what you've learned with a hands-on challenge of investigating an incident. Students should be able to "hit the ground running" once they return to a live environment where traffic analysis is required.
This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection/prevention analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with tcpdump before coming to class.
by Jess Garcia
Updated Course / Content Notice: Brand New! Relaunched in 2012 - the entire course materials, exercises, and challenges have been fully updated to give students experience in investigating real-world advanced attacks and APT-like scenarios in a Windows Enterprise Environment. Don't miss the NEW FOR508!
Over the past two years, we have seen a dramatic increase in sophisticated attacks against nearly every type of organization. Economic espionage in the form of cyber-attacks, also known as the Advanced Persistent Threat (APT), has proven difficult to suppress. Attackers from Eastern Europe and Russia continue to steal credit card and financial data, resulting in millions of dollars of losses. Hacktivist groups attacking government and Fortune 500 companies are becoming bolder and more frequent.
Sophisticated hackers can advance rapidly through your network using advances in spear phishing, web application attacks, and custom malware. Incident Responders and Digital Forensic Investigators must master a variety of operating systems, investigative techniques, incident response tactics, and even legal issues in order to combat challenging intrusion cases across the enterprise.
Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight and avoid detection by standard host-based security measures. Every action an adversary takes leaves a trace; you merely need to know where to look.
Our adversaries are good and getting better. Are we learning how to counter them? Yes we are. Learn how.
FOR508: Advanced Computer Forensic Analysis and Incident Response will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.
This course uses the popular SIFT Workstation to teach investigators how to investigate sophisticated crimes. SIFT contains hundreds of free and open source tools, easily matching any modern forensic tool suite. It demonstrates that advanced investigations and incident response can be accomplished using frequently updated, cutting-edge open source tools.
FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.
by Seth Misenar
It seems that wherever you turn, organizations are being broken into, and the fundamental question everyone wants answered is: Why? Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep an organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is that they are doing good things, but not the right things. Good things will lay a solid foundation, but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore, we will teach you how to build a security roadmap that can scale today and into the future. When you leave our training, we promise that you will have techniques you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.
by Bryce Galbraith
As cyber attacks increase, so does the demand for information security professionals who possess true network penetration testing and ethical hacking skills. There are several ethical hacking courses that claim to teach these skills, but few actually do. SANS SEC560: Network Penetration Testing and Ethical Hacking truly prepares you to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively. You will finish up with an intensive, hands-on Capture the Flag exercise in which you'll conduct a penetration test against a sample target organization, demonstrating the knowledge you mastered in this course.
by Paul A. Henry
One of today's most rapidly evolving and widely deployed technologies is server virtualization. Many organizations are already realizing the cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management for virtualized systems. There are even security benefits of virtualization - easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.
Server virtualization vulnerabilities
With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks and require careful planning with regard to access controls, user permissions, and traditional security controls.
In addition, many organizations are evolving virtualized infrastructure into private clouds - internal shared services running on virtualized infrastructure. Security architecture, policies, and processes will need to adapt to work within a cloud infrastructure, as well, and there are many changes that security and operations teams will need to accommodate to ensure assets are protected.
by Nick Klein
Sooner or later, most organisations will require some form of investigation, whether it's looking into misuse of email or the internet, a breach of company policies, a compromised computer system, or a rogue employee stealing company secrets. While IT staff will often have the technical skills and interest to help, they can easily get caught in the minefield of technical, legal, and procedural traps that computer forensic investigations entail.
This presentation will help you understand the proper methodology behind a computer forensic investigation, enabling you to achieve the best results while staying well clear of trouble. Based on the philosophy that it's always good to learn from mistakes - especially someone else's - this presentation will be full of real world examples and practical advice to enable you to deal with these situations clearly and confidently.
by Mark Goudie
Data breaches continue to plague organizations worldwide. In 2011, 58% of the data stolen was attributed to hacktivism, according to the annual 2012 Data Breach Investigations Report (DBIR) by Verizon. The new trend contrasts sharply with the data breach pattern of the past several years, during which the majority of attacks were carried out by cybercriminals whose primary motivation was financial gain. This shift requires a significant change in the approach taken by defenders, as there are now three key groups we need to be prepared for.
Key findings included:
79% of the attacks represented in the report were opportunistic;
96% were not highly difficult, meaning they did not require advanced skills or extensive resources; and
97% of the attacks were avoidable, without the need for organisations to resort to difficult or expensive countermeasures.
The presentation will be a combination of statistics coloured by real world war stories from APAC and overseas to illustrate key points.
8th–20th October 2012