SANS SEC511 - Monday
the_Grinch
Member Posts: 4,165 ■■■■■■■■■■
in GIAC
First SANS course and I am very excited to attend! I will post daily updates here for everyone.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
Comments
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□I assume in Philadelphia? I'll be there, I'll be the tall, stupid-looking guy.
Still searching for the corner in a round room.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■Yup. I'll be the bald guy with glasses.
-
Jinverar Member Posts: 95 ■■■□□□□□□□I'm also taking this on demand right now. Lots of lab work.
Jinverar, TSS
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■Finished up day one and boy, what a long day it was! Day One is a high-level overview meant to get everyone on the same page and to go over what ultimately will be covered in class. Our instructor (Bryan Simon) is amazing! He peppered in a lot of humor and also gives you realistic scenarios that he has seen in the field. The labs have been pretty decent and mimic some of the stuff you would perform while taking the OSCP. I have to say the NetWars at the end was probably the most fun I have had in a while. Getting the right answer amped me up pretty well and there were definitely some tricky questions. The aim is to get you using the Linux command line to go through logs and answer questions. Lots of grep, awk, cat and sort! Overall I can tell we are going to cover some really great stuff in this course and it has definitely gotten me thinking about what to look for on the networks we monitor.
-
bsjj27 Member Posts: 24 ■■□□□□□□□□Thanks for posting your thoughts on this, I'm currently taking this course on demand now. I was originally scheduled to take it live in Philly but something came up and I am now taking it online. This is my first experience taking a SANS course; so far I have to say I'm impressed with the material, it's actually stuff you can walk away with and start using right away. My on demand content expires in June, and this being my first experience taking a SANS course I was not aware that I needed to take the test before the content expires. Is that how all SANS courses are set up? I'm used to taking classes from other vendors where you can take the course and go for the test whenever you feel like it afterwards.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■This is my first SANS course, but I understand the course expiring at some point. If you were taking it live you'd get audio from a class, but otherwise you wouldn't have any access outside of the books.
-
bsjj27 Member Posts: 24 ■■□□□□□□□□I understand the course expiring, but I'm required to go to a testing center and take the test before the course expires. My access to my on demand course expires on June 14th. I have to go to a testing center and take and pass the test by June 14th. I figured my access would expire on June 14th and I could take my time studying and take the test when I wanted to.
-
cyberguypr Mod Posts: 6,928 Mod SANS courses are designed to be taught in 40 hours. OnDemand gives you access for 4 months. GIAC vouchers are also valid for 4 months. It seems you bought both the course and the voucher at the same time and that is why you need to complete the course and take the test before June. My suggestion is to do your best to go through the OnDemand material within the next 30-60 days and then you'll have 30 extra days to index, review, do practice tests, and then schedule your actual test. Another thing to keep in mind is that if you really absorb the material and take good notes, you should have no need to reference the actual course that much.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■Day Two is complete (finished about 4 hours ago). My instructor gave the keynote and let me just say that he nailed it: day two those smiles turn to frowns. It is an incredibly long day (9 am to 7 pm) and they also have talks at 7:15 PM so dinner is on hold until after those (obviously they are optional talks, but interesting nonetheless, so why miss them?). Today we covered network architecture and what devices could help to prevent and/or detect intrusions. Definitely some of the most interesting stuff I have seen in a while. It did cement for me that what I am asking for is correct and I merely need to tune a few things to glean the information that will prove to be most useful for me. It also confirmed that the questions I've asked during the course of my investigations are the right ones and that the recommendations I've made are appropriate. The biggest thing I have found is that there is more than one way to skin a cat. So in the labs, how they went about something is different from how I did it, but ultimately they were close and I found the right answers.
I won't lie, the NetWars kicked my butt today and it definitely frustrated me because I did so well the day before. My only critique at this point is that they should pepper the NetWars in throughout the day instead of two hours at the end. Seven hours of straight lectures with short breaks and short labs weighs on me pretty heavily. My instructor is still amazing and I am definitely glad that I did my due diligence on him (along with the course) prior to signing up, because he makes the class enjoyable and he is extremely informative.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□Great lecture today on the Internet of Things. It's an interesting field of cyber security research, not sure what kind of money is in it, but it's certainly interesting.
On the negative side of things, I really don't like the hotel, feels cramped. Their idea of a business center is a closet with two computers and no printer. There's no restaurant, but it does have a small bar. There's a good one inch gap at the bottom of my hotel room door; with a long coat hanger type wire and a little determination, I'm sure someone could fish under the door and open the door latch. I've noticed pretty much every door on my floor has similar gaps, mine seems like one of the worst. The heat is lukewarm at best. I also seem to have the good fortune to have one of the four smaller end unit rooms on the floor.
What's your opinion Grinch?
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■I skipped the Internet of Things talk tonight. As for the hotel, not too bad, but I can definitely agree that the heat leaves something to be desired. I hadn't noticed the one inch gap till you mentioned it!
Today's lecture was all about applying what we covered yesterday and actively looking for threats. A lot of analysis of pcaps and hunting for the bad guys. The exercises were pretty interesting and I found that a lot of what you cover in OSCP helps in this course. I can describe it best as: you are seeing the techniques, tactics and procedures so you can defend against them, but also getting to see the offensive side (to a degree). Even though the days are long I highly recommend the course!
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■Day Four has been completed and it was all about Endpoint Protection (at least in theory). The class revolved all around Windows and the various methods you could use to detect compromise. 511 is all about detection because, as we all know, you can't prevent everything. So the main idea is yeah, they can get in, but with the right tools and monitoring in place you can limit what the attackers get access to. As our instructor says, much better to be able to say that 10% of our data was stolen, but we were able to prevent the other 90% because we detected it. The one point that keeps coming up is the fact that you can have all the tools in the world, but if no one is looking at it then you might as well not bother.
As far as tools are concerned we covered Sysmon, AutoRuns, and how to identify persistence, pivoting and pass the hash. Having been a system administrator (and still being one somewhat) I can see why admins aren't able to do things the right way. But I won't lie when I say I never realized how many tools were available for you to do things the right way. With the added benefit that most of them are free (or don't cost a lot). As my instructor pointed out, since Target resulted in C levels getting canned it may become easier to do things the proper way. Also, as I am sure most of us know, how we answer a request dictates what issue we will have. IT is often known as the "no" department, whereas if you had said "that's a good idea, let us test it out so that we comply with our internal policies and procedures" you would have had a better experience. Again this course is amazing and I highly recommend it!
-
alias454 Member Posts: 648 ■■■■□□□□□□Hmm, method for detecting if a Windows machine is compromised...is it turned on?
Glad you are enjoying the experience.
“I do not seek answers, but rather to understand the question.”
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■Haha, you know prior to this course I held the same belief, but I would be lying if I didn't say what I learned has shown me that you truly can lock Windows down properly.
-
docrice Member Posts: 1,706 ■■■■■■■■■■I'll likely be taking 511 this year as well. From what I'm reading here, this should be fun and exhausting. 10-hour days are tough, especially when you don't have time for dinner after class because the night talks are going on.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
adrenaline19 Member Posts: 251 Reading this thread gets me hyped up to take some classes. I thrive in a classroom setting, because it makes me focus. I will definitely look into SANS courses. What other classroom-setting courses has anybody taken and can recommend?
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■It definitely hit me hard being in class all day then getting 15 minutes before a talk, especially since they were all interesting. Plus that's also hoping that they don't last longer than an hour, which I believe they all basically hit an hour (some a little longer). Ultimately I skipped the Internet of Things because I needed the break and graduate school work needed to be completed.
Day 5 consisted of actively looking at various logs within Windows and utilizing PowerShell. It was really like riding a bicycle for me because I haven't analyzed a Windows system for issues in a number of years, but it seems things haven't changed too much. What was awesome was being able to go through and sort the logs to find exactly the information you need. More so the ability to utilize PowerShell to further advance your detection mechanisms. As an example, they cover the writing of a PowerShell script that allows you to pull registry keys in areas malware is known to place them and then go on to compare them to those previously pulled. The whole week has centered on continuous diagnostic and mitigation, the idea that you are consistently looking at your environment and making changes when needed.
Tomorrow is NetWars...wish me luck!
-
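As an added illustration of the registry comparison the_Grinch describes (this is not SANS course material and not code posted by anyone in the thread), the PowerShell below snapshots a handful of well-known autostart locations, writes a JSON baseline on the first run, and on later runs reports values that were added, removed or changed since that baseline. The key list, the function names and the baseline file location are assumptions chosen for the example.

```powershell
# Added example: baseline-and-diff of common autostart registry locations.
# Key list and baseline path are assumptions for illustration, not a complete
# persistence catalogue (Sysinternals Autoruns covers far more locations).

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit live here
)

$BaselinePath = Join-Path $env:ProgramData 'AutostartBaseline.json'  # assumed location

function Get-AutostartSnapshot {
    # Emit one object per registry value: which key, the value name, and its raw data.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [PSCustomObject]@{
                Key  = $key
                Name = $name
                # Keep %VAR% strings unexpanded so the stored data matches what the registry holds.
                Data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

function Compare-AutostartSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    # Index both snapshots by "Key|Name" so added, removed and changed values can be told apart.
    $base = @{}; foreach ($b in $Baseline) { $base["$($b.Key)|$($b.Name)"] = [string]$b.Data }
    $curr = @{}; foreach ($c in $Current)  { $curr["$($c.Key)|$($c.Name)"] = [string]$c.Data }

    foreach ($k in $curr.Keys) {
        if (-not $base.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Added';   Entry = $k; Old = $null;     New = $curr[$k] }
        } elseif ($base[$k] -ne $curr[$k]) {
            [PSCustomObject]@{ Change = 'Changed'; Entry = $k; Old = $base[$k]; New = $curr[$k] }
        }
    }
    foreach ($k in $base.Keys) {
        if (-not $curr.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Removed'; Entry = $k; Old = $base[$k]; New = $null }
        }
    }
}

$current = @(Get-AutostartSnapshot)

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record what the host looks like now and stop.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) values)."
} else {
    # Later runs: load the stored baseline and report every difference.
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $diff = @(Compare-AutostartSnapshot -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) {
        Write-Output 'No autostart changes since baseline.'
    } else {
        $diff | Sort-Object Change, Entry | Format-Table -AutoSize
    }
}
```

Run it once to establish the baseline, then on a schedule (or after any suspected incident) to list what changed; every reported line is something an analyst should be able to explain, whether it is a legitimate software install or a persistence attempt. In keeping with the later point in the thread about not loosening the execution policy, a script like this would be signed with Set-AuthenticodeSignature before being deployed under an AllSigned policy, and the baseline file itself belongs somewhere an attacker with user rights cannot quietly rewrite.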
TechGromit Member Posts: 2,156 ■■■■■■■■■□Went to the meet and greet at 6pm; hey, free alcohol. The party carried down to the lobby bar where I had drinks until around 10:30pm.
-
alias454 Member Posts: 648 ■■■■□□□□□□the_Grinch wrote: »As an example, they cover the writing of a PowerShell script that allows you to pull registry keys in areas malware is known to place them and then go on to compare them to those previously pulled.
Not to hijack this thread, but I have been looking at doing that with group policy and an internal git server. I set up a GitLab server and have been working on a PowerShell script to pull all group policies from AD and then push to the git server. This way you can track changes over time. What you are talking about is kinda cool too, very interesting.
Good luck on NetWars, woot!
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■alias454 wrote: »Not to hijack this thread, but I have been looking at doing that with group policy and an internal git server. I set up a GitLab server and have been working on a PowerShell script to pull all group policies from AD and then push to the git server. This way you can track changes over time. What you are talking about is kinda cool too, very interesting.
Good luck on NetWars, woot!
No worries! The big thing is to be sure to sign the certs so that you aren't using an execution policy that allows anything to run (which I'm sure you aren't
Today was the sixth and final day. I was sick most of the week, but thankfully I started feeling better Thursday and my boss had other plans, so I was able to go to an awesome ramen place (if you are in Philadelphia I highly recommend NomNom Ramen) and just chill. This meant eating at a normal hour (7 instead of 9 or 10) and something about soup just makes me feel better. I was going to review some stuff, but ultimately I decided that chilling was the way to go. Woke up early, packed and then thought "please dear God don't let me be the weakest link on my team".
There were eight of us in the class and we broke up into teams by sides. I won't lie, I truly thought we were going to get demolished. The other team had some extremely bright people and, not that we didn't, but the deck looked stacked for them. Instructor gives us the rules of engagement and then says "GO!". Off we went on what would become a five hour saga! The scoreboard was on the projector and would update automatically so you knew where the other team was. I looked up and they already had 200 points to our 60 (total was 511). I panic because while I figured they'd win I didn't think it would be a blowout. But we keep cranking; my boss and I are Linux guys so we're attacking those questions while our other two teammates take on the Windows side. The kicker is taking a hint costs you points and each second guess costs you a point (plus a point for every guess after).
Suddenly I begin to notice they aren't answering as quickly as they were. Even my instructor begins taunting them a bit: "oh, Team Brawndo submitted an answer four minutes ago...you guys haven't done anything in a half hour". My adrenaline starts pumping and bam, score a 30 point question! Now we're tied and my boss says "no more cheering, we don't want them to realize we're taking the lead". This was a very good strategy for two reasons: first, you get so focused on the questions you stop looking at the board, and second, the laptop displaying the scoreboard was shutting off its display after some period of inactivity. Even my instructor was shocked when he looked up and we had taken the lead!
Ultimately, out of 511 points we scored 510 (very ticked because we lost a point though we knew the answer). My instructor told us that this was the highest score for the course in the US (Munich had two teams get 511). A half hour after we finished the last question the other team finally finished and ended with 510. Thus we win haha
This is by far the best training I have been to and I completely understand why it costs so much. Every instructor (that I interacted with) was top notch, the staff from SANS was extremely helpful and the course content was relevant for today. I have a slew of things I will be adding to our detection environment on Monday because of this class. As I've previously stated, this course not only gave me new knowledge, but it also showed that my process and the questions I use during the course of my investigations are solid.
-
adrenaline19 Member Posts: 251 Great review! Thanks for sharing it with us.
What are you planning on getting next? -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■We're looking now to see what will line up best for us. Our instructor recommended taking one of the offensive courses, though I've been eyeing up SEC 503. Ultimately I will have issues self-funding, and this was a bit of work to push through at work, so I might have to wait a while. Thus for now I will start studying for the GMON and then focus on some of the other courses I already have waiting.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□It was a pretty good training conference, despite the small size. On a side note, I met "the_Grinch" at the conference and no, he's not green in real life.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■LOL just a jerk, but yup, not green!
-
alias454 Member Posts: 648 ■■■■□□□□□□I have been looking into the GMON stuff; seems right up my alley.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■I highly recommend it and suggest you take it with Bryan Simon if you can. This course is going to teach you how to hunt out the enemy in your network and is truly a combo of a number of SANS offerings. It's a great survey course that could be used to see if a deeper dive into their other offerings is in order.
-
chanakyajupudi Member Posts: 712 I just got selected to facilitate the course in Melbourne in 16 days! Woop Woop!
Work In Progress - RHCA [ ] Certified Cloud Security Professional [ ] GMON/GWAPT if Work Study is accepted [ ]
http://adarsh.amazonwebservices.ninja