SEC599 review
I took the SEC599 course in DC last week. Bryce Galbraith was the initial instructor but had to leave after a few days due to a personal matter. He was replaced by Alissa Torres. Both instructors were great. They have completely different teaching styles, but they're both incredibly knowledgeable. Bryce has a more laid-back approach while Alissa is more energetic.

This course was a lot different than the other SANS courses I've taken. One of the biggest differences is the overlap with other courses. I guess this is to be expected since the course is based on the purple teaming concept of red and blue teams working together. With this in mind, they need to teach some red team fundamentals and some blue team fundamentals. Another big difference is with the labs. They give you access to a virtual environment to do the labs. It's not just a VM or two like other SANS courses. Most of the labs involve a domain controller, a Windows workstation and a Linux system of some sort. They do give you the ability to download all these VMs afterwards, but it would be difficult to run 4-7 VMs on your workstation, so they give each student their own virtual environment.

The course starts with a look at some of the bigger breaches from the last 10 years. They dig into the attacks, the threat actors, the tools, etc. The discussion of purple teaming, detection vs. prevention, and security architectures and frameworks is the focus for the rest of day one.

Day two dives into payload delivery and execution. There is a lot of discussion over how payloads are delivered and what security solutions are available to stop the attacks. PowerShell, VBA, removable media, JavaScript, AppLocker and YARA are all discussed.

Day three focuses on exploitation, persistence and C2. There is a lot of discussion involving Microsoft tools like their SDL, EMET, Exploit Guard and DREAD. They go over reverse engineering patches, DLL search order hijacking, web shells and bootkits.

Day four is centered around lateral movement. UAC, credential stealing, Kerberos attacks and mimikatz are all discussed.

Day five is all about threat hunting and IR. Kerberos attacks like golden tickets and silver tickets are a main focus of discussion and labs. They also discuss how to stop these attacks and have labs that demonstrate. Data exfiltration methods and threat intel are also discussed.

I learned some cool things and dug deeper on some concepts/tools I already knew. I'm in the SANS master's program, so this is my 10th SANS course. I would estimate that about 50% of the material in this course I have learned in another course. The other 50% was great and really fun to learn. I think the attacks against Active Directory and the labs involving mimikatz were the best part of the course. I'm hoping to take the GDAT exam in early January.