Welcome to SEC401 - Security Essentials - Network, Endpoint, and Cloud
Instructor: Bryan Simon | 46 CPEs
Associated Certification: GIAC Security Essentials (GSEC)
SEC401: Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concepts learned into a winning defensive strategy, all in terms of the modern adversary. This is how we fight; this is how we win! 20 Hands-On Labs.
What You Will Learn
Organizations are continually targeted and as such they must be prepared for eventual compromise. Today, more than ever before, TIMELY detection and TIMELY response are critical. The longer an adversary is present in your environment, the more devastating and damaging the impact becomes. It could well be that the most important question in information security is: "How quickly can we detect, respond, and REMEDIATE an adversary?"
Information security is all about making sure you focus on the right areas of defense, especially as applied to the uniqueness of YOUR organization. In SEC401, you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems or organizations.
SEC401 will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You will learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.
New and Enhanced Labs Overview
Unlock the essential skills for defending systems and networks with our revamped SEC401 course, now featuring a comprehensive suite of 20 cutting-edge labs. These labs have been meticulously designed to provide hands-on experience and practical skills crucial for modern cybersecurity challenges.
New Lab Highlights:
Network Analysis: Dive deep into network traffic with labs on Tcpdump and Wireshark, and explore AWS VPC Flow Logs to understand cloud-based network operations.
Advanced Threat Detection: Develop skills in SIEM Log Analysis, and employ tools like Snort3 and Zeek for robust Intrusion Detection and Network Security Monitoring.
System Security: Sharpen your skills in Linux Logging and Auditing, Windows Process Exploration, and Windows Filesystem Permissions, ensuring comprehensive system oversight.
Audit and Compliance: Master Password Auditing, Binary File Analysis, and Data Loss Prevention to safeguard sensitive data against emerging threats.
Cryptography and Recovery: Get hands-on with Hashing and Cryptographic Validation, Encryption and Decryption, and Mobile Device Backup Recovery to secure and recover data.
Windows and Linux Security: Apply Windows System Security Policies, manage Linux Permissions, and explore Linux Containers for enhanced security posture.
Automation and Discovery: Utilize PowerShell for Speed and Scale and conduct Network Discovery to efficiently manage security tasks.
Exploitation and Protection: Learn to identify and exploit vulnerabilities in Web App Exploitation, and apply security best practices.
Each lab is crafted to build proficiency in using real-world tools and techniques, preparing you to effectively respond to a variety of security incidents. Whether you are new to cybersecurity or seeking to update your skills, these labs offer a practical, immersive learning experience in the critical aspects of security fundamentals.
Business Takeaways
How to address high-priority security concerns
Leverage security strengths and differences among the top cloud providers
Build a network visibility map to help validate attack surface
Reduce an organization's attack surface through hardening and configuration management
Skills Learned
How to create a security program that is built on a foundation of Detection, Response, and Prevention
Practical tips and tricks that focus on addressing high-priority security concerns within one's organization and doing the right things that lead to effective security solutions
How adversaries adapt their tactics, techniques, and procedures and how to adapt your defense accordingly
What ransomware is and how to better defend against it
How to leverage a defensible network architecture (VLANs, NAC, 802.1x, Zero Trust) based on indicators of compromise
Identity and Access Management (IAM) methodology and related aspects of strong authentication (MFA)
How to leverage the security strengths and differences among various cloud providers (including multi-cloud)
Realistic and practical applications of a capable vulnerability management program
How to sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
How to build a network visibility map that can be used to validate attack surfaces and determine the best methodology to effectively reduce risk through hardening and configuration management
Why some organizations win and why some lose when it comes to cybersecurity
PREVENTION IS IDEAL BUT DETECTION AND RESPONSE IS A MUST
With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge, with new threats emerging all the time, including the next generation of threats. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:
- What is the risk?
- Is it the highest priority risk?
- What is the most cost-effective way to reduce the risk?
All in all, however, organizations are going to be targeted AND broken into. Today, more than ever before, TIMELY detection and TIMELY response are critical. Once an adversary is inside the environment, damage will occur. In the near future, the key question in information security will become, "How quickly can we detect, respond, and remediate an adversary?" As counterintuitive as it may seem, it needs to be stated that you CANNOT secure what you don't know you have. Security is all about making sure you focus on the right areas of defense (especially as applied to the uniqueness of YOUR organization). In SEC401 you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills that you can put into practice immediately upon returning to work; and (2) You will be taught by the best security professionals in the industry.
You Will Be Able To
- Apply what you learn directly to your job when you go back to work
- Design and build a network architecture using VLANs, NAC, and 802.1x based on advanced persistent threat indicators of compromise
- Run Windows command line tools to analyze a system looking for high-risk items
- Utilize Linux command line tools and basic scripting to automate the running of programs to perform continuous monitoring of systems
- Create an effective policy that can be enforced within an organization and design a checklist to validate security and create metrics to tie into training and awareness
- Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure
- Build a network visibility map that can be used for hardening of a network - validating the attack surface and determining the best methodology to reduce the attack surface through hardening and patching
- Sniff network communication protocols to determine the content of network communication (including unprotected access credentials), using tools such as tcpdump and Wireshark.
Hands-On Training
SEC401 is an interactive hands-on training course. The following are only a few of the lab activities that students will carry out:
- Set up a virtual lab environment
- Carry out tcpdump network analysis
- Use Wireshark to decode network traffic
- Crack passwords
- Use hashing to preserve digital evidence
- Analyze networks with hping3 and Nmap
- Use steganography tools
- Secure and audit a Windows system against a template
What You Will Receive
- Course books, lab workbook (more than 500 pages of hands-on exercises), virtual machines with tools pre-installed
- TCP/IP reference guides
- MP3 audio files of the complete course lecture
GIAC Security Essentials
The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information security beyond simple terminology and concepts. GSEC certification holders have demonstrated that they are qualified for hands-on IT systems roles with respect to security tasks.
Defense in depth, access control and password management
Cryptography: basic concepts, algorithms and deployment, and application
Cloud: AWS and Azure operations
Defensible network architecture, networking and protocols, and network security
Incident handling and response, data loss prevention, mobile device security, vulnerability scanning and penetration testing
Linux: Fundamentals, hardening and securing
SIEM, critical controls, and exploit mitigation
Web communication security, virtualization and cloud security, and endpoint security
Windows: access controls, automation, auditing, forensics, security infrastructure, and services
Course Syllabus
SEC401.1: Network Security and Cloud Essentials
Overview
In this first section we learn that while organizations try to prevent as many attacks as possible, not all attacks will ultimately be prevented, and those that are not must therefore be detected in a timely manner. As such it is critical to understand how to build a defensible network architecture, including the types of network designs and the relational communication flows.
We then move on to the fact that in any organization, large or small, not all data is created equal. Some data is routine and incidental, while other data can be vastly sensitive and critical, and its loss can cause irreparable harm to an organization. It becomes essential to understand how network-based attacks bring risk to critical data and how an organization is vulnerable to such attacks. To achieve this, we need to become familiar with the communication protocols of modern networks.
Cloud computing becomes an obvious topic of discussion in relation to our modern public and private networks. A conversation on defensible networking would not be complete without an in-depth discussion of what the cloud is, and most importantly, its security capabilities and related concerns.
Perhaps best stated, adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system on our network until they achieve their long-term goals. Because adversaries need to use OUR network to achieve THEIR goals, by understanding how our networks function (relative to our unique needs), we can more easily uncover the activities of adversaries.
By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Virtualization and Cloud Essentials, and Wireless Network Security.
Exercises
Sniffing and analysis of network traffic including tcpdump
Sniffing, protocol decoding, and extraction of network traffic using Wireshark
Examination and interpretation of Amazon Web Services (AWS) VPC Flow Logs
Topics
Module: Defensible Network Architecture
To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.
Network Architecture
Attacks Against Network Devices
Network Topologies
Network Design
Module: Protocols and Packet Analysis
A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core concepts of computer networks and protocols.
Network Protocols Overview
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Tcpdump
Module: Virtualization and Cloud Essentials
The module begins with an examination of what virtualization is, the security benefits and the risks of a virtualized environment, and the differences found in different types of virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts.
Virtualization Overview
Virtualization Security
Cloud Overview
Cloud Security
Module: Securing Wireless Networks
This module helps the student to understand the differences among the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.
The Pervasiveness of Wireless Communications
Traditional Wireless: IEEE 802.11 and its Continual Evolution
Personal Area Networks
5G Cellular (Mobile) Communications
The Internet of Things
SEC401.2: Defense in Depth
Overview
Exercises
Password Auditing
Investigative techniques using Data Loss Prevention capabilities
Investigation of artifacts found in mobile device backups
Topics
Module: Defense in Depth
This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense in depth. We will also evaluate related principles (such as Zero Trust) that will further serve you well in protecting your systems.
Defense in Depth Overview
Constituents of Risk: Confidentiality, Integrity and Availability
Strategies for Defense in Depth
Core Security Strategies
Defense in Depth in the Cloud
Zero Trust Methodology
Variable Trust
Module: IAM, Authentication, and Password Security
This module discusses the principles of identity management and access control. As access control models vary in their approaches to security, we will explore their underlying principles, strengths, and weaknesses. The module also includes a brief discussion on authentication and authorization protocols and control. A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various factors of authentication: something you know, something you have, and something you are. We conclude the module by focusing specifically on the most common (and problematic) example of something you know: the password.
IAAA: Identification, Authentication, Authorization, Accountability
Single Sign On (SSO): Traditional On-Premise and Cloud (SAML and OAuth)
Password Management
Password Techniques
Password (Passphrase) Policies
Password Storage
Key Derivation Functions
How Password Assessment Works
Password Attack Tools (Hashcat and Mimikatz)
Multi-Factor Authentication
Adaptive Authentication
Privileged Access Management: On-Premise and Cloud
Module: Security Frameworks
In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: The Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will help put us on solid footing in defending against the modern adversary.
Introduction to the CIS Controls
CIS Controls Guiding Principles
Case Study: Sample CIS Control
NIST Cybersecurity Framework
MITRE ATT&CK (TTP and Mapping to Known Adversaries)
Module: Data Loss Prevention
Loss or leakage?
In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way. A data breach is an incident that can lead to, among other things, unintentional information disclosure and data leakage. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.
Loss or Leakage
Data Loss
Data Leakage
Ransomware
Preventative Strategies
Redundancy (On-Premise and Cloud)
Data Recovery
Related Regulatory Requirements (GDPR and CCPA)
Data Loss Prevention Tools
Defending Against Data Exfiltration
User Activity Monitoring
Module: Mobile Device Security
The first part of the module gives a comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both mobile operating systems, along with the potential of damaging attacks from malware.
Android versus iOS
Android Security
Android Security Features
What You Need to Know About Android
Android Fragmentation
Android Security Fix Process
Apple iOS Security
Apple iOS Security Features
What to Know About iOS
iOS Updates
Mobile Problems and Opportunities
Mobile Device Management
Unlocking, Rooting, and Jailbreaking
Mitigating Mobile Malware
Android Malware
iOS Malware
SEC401.3: Vulnerability Management and Response
Overview
In this section the focus shifts to the various areas of our environment where vulnerabilities arise. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program.
Because vulnerabilities represent weaknesses that adversaries exploit, a discussion of vulnerabilities would not be complete without a serious discussion of modern attack methodologies based on real-world examples of compromise. Of all the potential areas for vulnerabilities in our environment, web applications represent one of the most substantial, with the most consequential risk. The extensive nature of vulnerabilities that can arise from web applications dictates that we focus the attention of an entire module on web application security concepts.
While it is true that vulnerabilities allow adversaries to penetrate our systems, sometimes with great ease, it is impossible for those adversaries to remain entirely hidden post-compromise. By leveraging the logging capabilities of our hardware and software, we can detect the adversary in a more timely manner. How we achieve such a capability is the subject of our penultimate module: Security Operations and Log Management.
Last, but not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology for an appropriate incident response is the subject of the final module of this section.
Exercises
System, Port, and Vulnerability Discovery with Nmap
Malware Analysis
Abusing Web Application Vulnerabilities for Exploitation
Leveraging SIEM Logs for Incident Response and Investigation
Topics
Module: Vulnerability Assessments
This module covers the tools, technology, and techniques used for the mapping of networks and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.
Introduction to Vulnerability Assessments
Steps to Perform a Vulnerability Assessment
Criticality and Risks
Module: Penetration Testing
The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation functions come into play. Furthermore, a methodical and meticulous approach to penetration testing is needed to provide value to your organization.
The What and Why of Penetration Testing
Red Team
Adversary Emulation
Purple Team
External and Internal Penetration Testing
Web Application Penetration Testing
Social Engineering
Mobile Device Testing
Internet of Things Testing
Penetration Testing Process
Penetration Testing Tools (Nmap, Metasploit, Meterpreter)
Password Compromise, Reuse, Stuffing, and Spraying
Module: Attacks and Malicious Software
This module will examine commonalities of well-known breaches as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also strategies that can be used to help manage the risks associated with such attacks.
High-Profile Breaches and Ransomware
Ransomware as a Service
Common Attack Techniques
Malware and Analysis
Module: Web Application Security
This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.
Web Communication Fundamentals
Cookies
HTTPS
Developing Secure Web Apps
OWASP Top Ten
Basics of Secure Coding
Web Application Vulnerabilities
Web Application Monitoring
Web Application Firewall (WAF)
Module: Security Operations and Log Management
This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential during incident response.
Logging Overview
Log Collection Architecture
Log Filtering
Problems with Logging Standards
Setting Up and Configuring Logging
Log Analysis Tools
Log Aggregation and SIEM
Key Logging Activities
Module: Digital Forensics and Incident Response
This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.
Introduction to Digital Forensics
What is Digital Forensics?
Digital Forensics in Practice
The Investigative Process
Remaining Forensically Sound
Examples of Examining Forensics Artifacts
DFIR (Digital Forensics and Incident Response) Subdisciplines
Digital Forensics Tools
Incident Handling Fundamentals
Multi-Step Process for Handling an Incident
Threat Hunting
SEC401.4: Data Security Technologies
Overview
There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. During the first half of this section, we will look at various aspects of cryptographic concepts and how they can be used to help secure an organization's assets. During the second half of the section, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls and intrusion prevention systems). We will also look at the different detection technologies that can detect the presence of an adversary (intrusion detection systems). These prevention and detection techniques can be deployed from a network and/or endpoint perspective, and we will explore the similarities and differences of each.
Exercises
Hashing and Cryptographic Validation
Encryption, Decryption, and Digital Signature Techniques
Incident Detection Leveraging the Snort and Zeek Intrusion Detection Systems
Topics
Module: Cryptography
Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function.
Cryptosystem Fundamentals
Cryptography
Cryptanalysis
General Types of Cryptosystems (Symmetric, Asymmetric, Hashing)
Digital Signatures
Module: Cryptography Algorithms and Deployment
The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.
Mathematical Features of Strong Cryptography
AES
RSA
ECC
Cryptography Attacks (Cryptanalysis)
Module: Applying Cryptography
This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.
Data in Transit
Virtual Private Networks (VPN), IPsec and SSL-based
Data at Rest
File/Folder Level Encryption
Full Disk Encryption
GNU Privacy Guard (GPG)
Key Management
Public Key Infrastructure (PKI)
Digital Certificates
Certificate Authorities
Module: Network Security Devices
Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.
Overview of Firewalls
Types of Firewalls
Firewall Configuration and Deployment Considerations
NIDS
Types of NIDS
Snort as a NIDS
NIPS
Methods for NIPS Deployment
NIPS Security and Productivity Risk Considerations
Module: Endpoint Security
In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).
Endpoint Security Overview
Core Components of Endpoint Security
Enhancing Endpoint Security
Endpoint Security Solutions
Anti-malware
Endpoint Firewalls
Integrity Checking
HIDS, HIPS, and EDR
SEC401.5: Windows and Azure Security
Overview
Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure and so on. Microsoft is battling Google, Amazon, and other cloud giants for cloud supremacy. The trick, of course, is to do cloud securely.
Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, endpoint security, and User Account Control represent both challenges and opportunities. This course section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work, both on-premise and in the cloud (Microsoft Azure). You will complete the section with a good solid grounding in Windows security by looking at automation and auditing capabilities for the Windows ecosystem.
Exercises
Process Observation and Analysis
NTFS File System Permissions Analysis as Part of Incident Response
Auditing and Enforcement of System Baseline Configurations with Security Templates
PowerShell Scripting and Automation Techniques for Speed and Scale
Topics
Module: Windows Security Infrastructure
This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.
Windows Family of Products
Windows Workgroups and Accounts
Windows Active Directory and Group Policy
Module: Windows as a Service
This module discusses techniques for managing Windows systems as they apply to updates (patches) as well as the newer cloud-based deployment methodology (Windows Autopilot and Windows Virtual Desktop).
End of Support
Servicing Channels
Windows Update
Windows Server Update Services
Windows Autopilot
Windows Virtual Desktop
Module: Windows Access Controls
This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Active Directory, and Privileges. BitLocker is discussed as another form of access control (encryption), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module (TPM).
NTFS Permissions
Shared Folder Permissions
Active Directory
Permissions
Privileges
BitLocker Drive Encryption
Module: Enforcing Security Policy
This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made by this tool, such as password and auditing policies. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.
Applying Security Templates
Employing the Security Configuration and Analysis Snap-in
Understanding Local Group Policy Objects
Understanding Domain Group Policy Objects
Administrative Users
Privileged Account Management
Reduction of Administrative Privileges
AppLocker
User Account Control
Windows Firewall
IPsec Authentication and Encryption
Remote Desktop Services
Recommended GPO Settings
Module: Microsoft Cloud Computing
Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and later versions for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.
Microsoft's All-In Bet on Cloud Computing
Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
Microsoft Azure
Entra ID (Azure Active Directory)
Entra ID Single Sign-On
Multi-Factor Authentication
Administrative Role Reduction
Endpoint Security Enforcement
Microsoft Intune
Azure Conditional Access
Azure Monitor
Azure Sentinel (SIEM and SOAR)
Azure Policy
Azure Security Center
Module: Automation, Logging, and Auditing
Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!
What Is Windows PowerShell?
Windows PowerShell versus PowerShell Core
Windows Subsystem for Linux (WSL)
Automation and Command-Line Capability in Azure (PowerShell Az Module and Azure CLI)
Azure Cloud Shell
Runbooks
Gathering Ongoing Operational Data Employing Change Detection and Analysis
SEC401.6: Linux, AWS, and Mac Security
Overview
While organizations may not have many Linux systems, the Linux systems they do have are often the most critical systems that need to be protected. This course section focuses on the practical guidance necessary to improve the security of any Linux system. The section provides practical how-to instructions with background information for Linux beginners as well as security advice and best practices for administrators with various levels of expertise.
Since Linux is perceived as being a free operating system, it is not a surprise that many advanced security concepts are first developed for Linux. One example is containers, which provide powerful and flexible concepts for cloud computing deployments. While not specifically designed for information security purposes, containers are built on elements of minimization, and that is something we can leverage in an overall information security methodology (as part of defense in depth). We will discuss what containers do and do not represent for information security, as well as best practices for their management.
Last, but not least, we conclude the section with a review of Apple's macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunities for hardware and software security but is often misunderstood in terms of what can and cannot be achieved.
Exercises
Linux Permissions
Containers and Logging Concepts
Linux Logging and Auditing Capabilities
Topics
Module: Linux Fundamentals
This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.
Operating System Comparison
Linux Vulnerabilities
Linux Operating System
Shells
Linux Kernel
Linux Filesystem and Intrinsic Security Capabilities
Encryption at Rest
Permissions
User Accounts
PAM Subsystem
Command-Line Capabilities
Service Hardening
Package Management
Module: Containerized Security
The importance of segmentation and isolation techniques cannot be overstated. Isolation techniques can help mitigate the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including virtualization and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may arise within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.
Virtualization
Containers versus VMs
Containers and Orchestration
LXC
Cgroups and Namespaces
Docker
Docker Images
Kubernetes
Container Security
Docker Best Practices
Vulnerability Management and Secure Configuration Baselines
Module: Linux Security Enhancements and Infrastructure
This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features), which will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern day cyber defense demands. Because of this, we will also explore additional logging enhancements ranging from Syslog-ng to Auditd.
Operating System Enhancements
SELinux
AppArmor
Linux Hardening
Kernel Module Security
SSH Hardening
CIS Hardening Guides and Utilities
Log Files
Syslog
Syslog Security
Log Rotation
Auditd
Firewalls: Network and Endpoint
Module: macOS Security
This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.
What is macOS?
Privacy Controls
Keychain
Strong Passwords
Gatekeeper
Anti-Phishing and Download Protection
XProtect
Firewall Capabilities
FileVault
Sandboxing and Runtime Protection
Security Enclaves
macOS Vulnerabilities and Malware
Prerequisites
SEC401 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide the introductory knowledge to help maximize the experience with SEC401.
Laptop Requirements
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.
Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.
MANDATORY SEC401 SYSTEM HARDWARE REQUIREMENTS
CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
16GB of RAM or more is required.
100GB of free storage space or more is required.
At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY SEC401 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
Download and install 7-Zip (for Windows hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.
Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.
Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.
Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.
If you have additional questions about the laptop specifications, please contact support.