SANS FOR572 (Network Security, Las Vegas)

I'm here at SANS Network Security taking FOR572 taught by Phil Hagen. He's a very clear and concise instructor and the class rolls along at a good pace. It's a mid-sized class (about 30 people) but it's good stuff. Day One reviewed some basics (for me), but otherwise it looks like it's going to get better as the days go by.

I missed out on DFIR NetWars last year. Need to make up for it this time.

It's good to be back at Caesar's Palace. Haven't been at this venue since Black Hat USA was still here back in 2013. Brings back memories.

Find more posts tagged with

Comments

JoJoCal19

Nice!! Are you facilitating? I thought about trying to go for that event but for one thing, I didn't feel like facilitating their largest event and two, my wife and I are wanting to go to Vegas for vacation for what would be our first visit there. I heard that FOR572 is a popular follow-up to SEC503. If you don't mind doing a mini review on the class that would be awesome.

cyberguypr

Very nice. Looking forward to the full review.

I just came back from facilitating FOR 408 at Crystal City VA and kept hearing how hectic big events are. I'm sticking to the minors for now.

cgrimaldo

Sweet...I'm looking forward to your updates.

docrice

I'm not facilitating since this is an employer-sponsored trip. Day Two was mainly about NetFlow and while I already have some experience in this area, at the same time the material filled some gaps since publicly-available resources never answered all my questions on variations on implementations and use.

I also just came out of a great talk by Jason Fossen on Windows 10 and Server 2016 (which went overtime). Lots of interesting things in the works by the folks at Redmond.

cgrimaldo

Sounds awesome....I can't wait for my employer to send me to my first SANS course.

billyr2009

I look forward to this review.

I eventually want to take this one too.

cyberguypr

Fossen is basically a walking Windows securit wiki. Great resource.

rudegeek

@docrice I'm disappointed that I missed Jason's talk, but I am facilitating 401 w/ Eric Cole.

.....At the end of the day (8PM) my body needs food.

JoJoCal19

Docrice, good to hear your employer sent you! Can you give me your thoughts on attending a conference as a regular student vs facilitator? I have been feeling like I would really like to attend some courses as a non-facilitator as I feel that I could relax and enjoy it a bit more, and have the flexibility of coming and going as I please. At least I imagine it must be pretty different but I'm not sure. I figured I'd ask since you're now experiencing it as both.

rudegeek wrote: »

@docrice I'm disappointed that I missed Jason's talk, but I am facilitating 401 w/ Eric Cole.

.....At the end of the day (8PM) my body needs food.

I facilitated 401 with Dr Cole at SANS 2015 (Orlando) which is their second biggest conference and I feel your pain.

docrice

JoJoCal19 wrote: »

I figured I'd ask since you're now experiencing it as both.

I've never done WorkStudy, actually.

JoJoCal19

Oh, I thought you were one I've seen post about having done the Work Study program. Have you challenged some of your GIAC certs?

docrice

You're probably thinking of someone else. I took the corresponing SANS classes for all of my GIAC certification attempts.

docrice

Apologies for the late follow-up. I enjoyed FOR572 and virtually all of it was directly applicable to my day job. I was already a bit familiar with many of the topics covered, but the material filled in a lot of gaps which I had been somewhat struggling with over the years so there was definite value for me here. It's one thing to know concepts and tools, but understanding the methodology to put all the evidence together during an investigation is the glue you're really paying for. If you've taken FOR408 or 508, this is essentially the same scenario but looking at it from a network perspective. I had a co-worker who took 508 across the way from my class and we traded notes after the final day.

As usual, the thing that keeps bringing me back to SANS is the approach to learning practical theory - digging deeper, looking beyond the commercial vendor tools, removing your assumptions, and analyzing (thinking). I see way too many professionals look at their environments through the lens of their equipment rather than trying to understand behavior and pivoting with data.

One definite benefit for me - we covered the basics of SMB. Even SEC503 didn't really dive into this so I was happy there was a section on reviewing the behavior of some of the common protocols we see in just about every environment.

Phil Hagen is a very good instructor, brought many entertaining anecdotes to the class, and the Day Six capstone exercise was fun (our group didn't get into the final three, but that's okay). Like all other SANS instructors I've had experience with, he brought a lot of experience, industry knowledge, and energy and the class was never boring.

One thing I'd note is that for this course, having a larger laptop display would've certainly been helpful for me. I decided to take my MacBook 13 instead of my 17 and there were times when I really could've used the extra screen real estate.

I partook in the first night of DFIR NetWars. It was fun, but yet oh-so-frustrating occasionally. Good times. I was still spending every evening doing work for my employer as there are some things I just can't get away from, even if I'm in training. Sort of goes with the territory. This cut into my SANS conference experience, but that's just how it is for me.

That said, I doubt I'll be returning to SANS in Vegas. This being my third time in this city this year, it gets tiring. Maybe next time I'll do a more local event or go back to OnDemand.

Mechs

Hey, Docrice. I have just been approached to do this course, but I opted for 504 instead as it would accompany my 503 a bit more (which is what I initially thought)

But re-reading the syllabus for 572 this morning makes me want to rethink this decision. The only thing that puts me off is that the course appears to be quite new and I am not sure if it is mature enough. I need a SANS course to REALLY challenge me and use my mind, and it seems that most of this content I am already familiar with except the protocol encoding, etc

I know both 504 and 572 are different streams, but but still revolve around investigating. How would you compare them outright and ROI?

FYI: I am a SOC analyst with around 3 years experience in 1st and 2nd line analysis. Education wise I have studied my MSc in InfoSec and have done my GCIA.

docrice

I think 572 is quite mature, but compared to 504 and considering which one would be more challenging is really difficult to gauge unless I know what your skill level and overall familiarity is. 504 is less investigating and more hands-on basic pentesting (but looking at it also from an IH side).

Unfortunately, there's no assessment quiz for these two the last time I checked.

Mechs

Skill level is hard to describe really, as an ex Windows admin for 4 years I am proficient with Windows and comfortable at the *nix command line. I use Wireshark daily for PCAP analysis and analyse malicious documents weekly as I see them. I have worked for a large MSSP for 2 years and spend the last 1.something years doing government/financial SOC work and in regards to GCIA I passed with relative ease at 93%

That's pretty much it!

I think I will go ahead and book the GNFA considering you said you liked it

docrice

I enjoyed FOR572, but I didn't necessary learn as much as I did from other courses. That said I've been in the IT industry for almost two decades so my perspective and expectations likely will differ from yours.

billyc123

docrice

Hi Docrice,

For the course 572,
There 's two files, for572_capstone_traffic_2014-12 & for572_capstone_netflow_2014-12 which required
the password, but I didn't write it down on my books or notes, and I was not able to find the password from the books either.

I did not write the password on the day6, so I'm now try to re-do the exercise but was unable to extract & open the files.

Can you let me know ?

Thanks

Billy

docrice

I don't recall as it's been too long since I took the class. Check with your instructor.

cyberguypr

Either that or contact SANS support. Should be fairly easy to resolve.

billyc123

Thanks you.

YuckTheFankees

Awesome review, very helpful.