SEC501 Review - Chicago 2014

cyberguypr Mod Posts: 6,927
There were some questions a while back about this course so I'll be reviewing it at some point after I finish it this Friday. Reserving this space so I don't forget.

Going through day 3 today.


  • 5ekurity Member Posts: 346
    Good luck and looking forward to the review!
  • WilliamK99 Member Posts: 278
    Just finished it, wasn't a HUGE fan of it, but Day 5 is an absolute winner... Love playing with real malware! Looking forward to your opinion of it.
  • cyberguypr Mod Posts: 6,927
    Day 1 - Defensive Network Infrastructure
    This is basically the Cisco day. In typical SANS fashion they try to keep it vendor neutral. The instructor notes that even though it's Cisco heavy the concepts apply to Juniper, etc. Most of what's covered revolves around the Center for Internet Security, the Cisco IOS Switch Security Configuration Guide and the SANS Gold Standard switch configuration.

    The labs consist of some analysis of config files and attempts to brute-force some passwords. Some of the attack tools used include Yersinia and the Router Audit Tool.

    If you are new to Cisco you will definitely see some value here. If you are a veteran, you can check your email and catch up with work this day. Although I don't do much Cisco this was an overall snooze fest for me since the material is really basic.
  • cyberguypr Mod Posts: 6,927
    Day 2 is Packet Analysis

    There’s an overview of WAF, NGFW, and other devices. It moves on quickly to packet/frame headers. Other topics covered include Wireshark filters, IPS/IDS basics and SNORT rule writing. Labs include analyzing PCAP files with TCPdump, Wireshark, SNORT, Modsecurity, TCPtrace. Definitely a 30,000-foot overview. Just enough to get someone who hasn’t played with this excited.

    The course is definitely a logical step after SEC401. People who have never seen IDS/IPS working or have never been exposed to packet analysis would get a lot out of this. However, at this point it is obvious that having taken SEC504 this course was too basic for me. I'm doing the labs just for giggles but they are extremely basic. It is worth noting that my first choice was SEC503 but it was already taken for the work/study program. Since my company paid for it, it’s fine, but if I paid for this I would be banging my head against the desk.
  • cyberguypr Mod Posts: 6,927
    Day 3 is Pentest

    There’s a nice overview on the pentest process covering rules of engagement, scope, methodologies, etc. It dives into the phases one by one providing good examples. The info gathering phase touches on recon via DNS records, Google searches, Pastebin (and parsing tools), Shodan, dumpster diving, etc. Scanning and enumeration touches on Nmap and traceroute, and touches a lot on fingerprinting and vulnerability assessment. Webapp scanning does a Nikto overview. Vulnerability assessment tools are discussed. There’s a minor mention of wireless attack tools as well as VoIP attacks. Finally, there’s a good intro to Metasploit.

    Labs involve a lot of Nmap with Wireshark running to see the packets go across the wire. Other tools such as Amap, Netcat, Hping, and Xprobe are also there to play with. Another involves OpenVAS so you can see what an awful and slow tool it is. Final lab is some Metasploit action.

    Again, great for those who have not been exposed to this stuff. If you've seen this before, nothing new.
  • cyberguypr Mod Posts: 6,927
    Day 4 is First Responder
    Emphasis here is an overview of forensics and incident handling. There's a bit of talk about forensics including integrity, preservation, timeline creation, etc. Unless I wasn't paying attention I didn't hear anything about the all-important chain of custody. I'll check once I index the books to confirm if this was in fact missing. Lots of discussion on little native and add-on tools you can use to inspect stuff on both Win and Linux. We had a light discussion on Eradication and Recovery. Day closed with a case analysis about a compromised system.

    Tools and labs revolve around SIFT Workstation, SleuthKit, Volatility, LogParse, RegRipper and others. Labs do a nice switcheroo between Linux and Windows so you get exposure to both.
  • cyberguypr Mod Posts: 6,927
    Day 5 is Malware

    The lecture started by discussing places where malware hides: registry RUNONCE, system32, etc. A lot of time is spent showing how to identify malware infections. It started by discussing native tools that can help identify something is wrong: netstat, findstr, tasklist, wmic. Then it moves to other tools such as HijackThis, SysInternals stuff, and others. There was a discussion on anti-rootkit utilities. There was also a section on alternate data streams. There were some slides showing how the Ap0calypse RAT Builder works. The final section talked about cloud-based malware tools (Team Cymru WinHMR, CrowdInspect, Anubis Sandbox, GFI ThreatTrack, Norman, Wepawet).

    Labs involved playing with TCPview, HijackThis, SysInternals tools, alternate data streams, and others. They started with simple live malware and then progressed to the nasty ones that take forever to remove.

    I haven't dealt with malware removal in a while so had no idea about those cloud-based tools. Good stuff. The other stuff seemed pretty basic, more like the stuff desktop support personnel should handle.
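The Day 4 and Day 5 posts above list the areas a first responder checks with native tooling (integrity hashing and timeline creation on Day 4; Run/RunOnce autostarts, listening ports, odd process paths and alternate data streams on Day 5). The script below is an added example written for this review thread, not course material or code from the original poster. It is read-only apart from a constructed demo evidence folder it creates under $env:TEMP; the $ScanPath and $EvidencePath values are assumptions for the demo.

```powershell
# Added example: a read-only responder sweep using built-in PowerShell.
# Sections 1-2 cover the Day 4 topics (integrity, timeline); sections 3-6 the Day 5 ones.
# $EvidencePath / $ScanPath are assumptions; the evidence files are constructed for the demo.

$EvidencePath = Join-Path $env:TEMP 'sec501-demo-evidence'   # assumption: collected artifacts
$ScanPath     = "$env:USERPROFILE\Downloads"                  # assumption: folder to sweep for ADS
New-Item -ItemType Directory -Force -Path $EvidencePath | Out-Null
Set-Content -Path (Join-Path $EvidencePath 'notes.txt')  -Value 'constructed sample evidence 1'
Set-Content -Path (Join-Path $EvidencePath 'config.ini') -Value 'constructed sample evidence 2'

# 1. Integrity: hash every artifact before analysis and keep the manifest for later comparison
function Get-EvidenceManifest([string]$Path) {
    Get-ChildItem -Path $Path -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash, Algorithm
}
function Test-EvidenceManifest($Manifest) {
    # Returns the rows whose current hash no longer matches the manifest (empty = intact)
    $Manifest | Where-Object { (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash -ne $_.Hash }
}

# 2. Timeline: one row per timestamp type (created/modified/accessed), sorted chronologically
function Get-FileTimeline([string]$Path) {
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $f = $_
        foreach ($kind in 'CreationTimeUtc', 'LastWriteTimeUtc', 'LastAccessTimeUtc') {
            [pscustomobject]@{ Time = $f.$kind; Event = $kind; Path = $f.FullName }
        }
    } | Sort-Object Time
}

# 3. Autostart entries: Run/RunOnce keys for the machine and the current user
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
        foreach ($p in $props.PSObject.Properties) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 4. Listening ports joined with the owning process (what netstat -ano + tasklist show together)
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort
}

# 5. Processes whose image lives outside the Windows and Program Files trees (worth a second look)
function Get-UnusualProcessPaths {
    $trusted = '^' + [regex]::Escape($env:SystemDrive) + '\\(Windows|Program Files( \(x86\))?)\\'
    Get-Process | Where-Object { $_.Path -and $_.Path -notmatch $trusted } |
        Select-Object Id, ProcessName, Path
}

# 6. Alternate data streams: anything besides the default :$DATA stream.
#    Zone.Identifier is the common benign one (mark-of-the-web on downloaded files).
function Get-AlternateDataStreams([string]$Path) {
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# Run the sweep and print each section
$manifest = Get-EvidenceManifest $EvidencePath
$manifest | Format-Table -AutoSize
$bad = Test-EvidenceManifest $manifest
if ($bad) { 'INTEGRITY MISMATCH:'; $bad | Format-Table } else { 'Integrity check: all hashes match' }
Get-FileTimeline $EvidencePath | Format-Table -AutoSize
Get-AutostartEntries           | Format-Table -AutoSize
Get-ListeningPorts             | Format-Table -AutoSize
Get-UnusualProcessPaths        | Format-Table -AutoSize
Get-AlternateDataStreams $ScanPath | Format-Table -AutoSize
```

Each function returns objects rather than text, so the same output can be piped to Export-Csv for a case file or diffed against a known-good baseline taken from a clean host; the integrity check is the reason to hash before touching anything, since any later change to an artifact shows up as a mismatch.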
  • docrice Member Posts: 1,706
    It's great to finally see a review on 501. It's a course that's normally not talked about. Sounds like there's plenty of variety and lots of labs.

    I wonder, however, if it's worth it if someone has already gone through the more specialized courses like 503, 504, 560, etc. I've always been curious about this course in this regard.
  • azmatt Member Posts: 114
    I've wondered the same thing docrice. I've taken the specialized courses but enjoyed the 401 with Cole so much that the 501 has always had me curious.
  • cyberguypr Mod Posts: 6,927
    Day 6 is DLP

    This was the shortest day and we were done by 12:30pm. Day started with a discussion of DLP and the importance of data classification. The rest of the day was spent discussing risk assessment and mitigation as well as the dangers of the insider threat. There was also a small section on Digital Rights Management.

    No labs here since at this point everyone is anxious to get home.

    As with all things SANS, this is a great course. However, this comes with an asterisk. If you took 401 and want to see how different areas of security work and what each one entails, then this is the course for you. If you have been doing Infosec tasks such as packet analysis, IPS/IDS, or incident handling, you would be bored to death in this course. As Docrice mentioned, if you've done 503, 504, or other 500 courses you will need to look elsewhere. 503 and 504 make the most of the material here. There's also a tiny glimpse of 560 stuff as well as a sliver of 542. Since I did 504 last year there wasn't much I gained from this class.

    My first choice for the work study was 503 but since training dollars from my company were "use it or lose it" when I got approved for 501 I decided to go ahead with it anyway. It's always great to get to meet fellow facilitators as well as other SANS instructors and support personnel so the experience is always gratifying. Refreshing the basics is never bad. Having said that, although I've paid SANS work study out of pocket before, I would've never done it for this class.

    So that's my assessment of this class. If there's anything I can answer let me know.
  • docrice Member Posts: 1,706
    Thanks for the feedback. I figured this would be the case for students who have already gone through other 500-level courses. The Work Study program definitely seems like a fantastic value, not just in terms of actual cost but making a difference in the SANS event experience for other students. The downside seems to be the rather hit-or-miss nature of getting the specific classes you want to be a part of.