SANS SEC503: Network Monitoring and Threat Detection In-Depth

Description

SEC503 is an essential course for anyone pursuing a career in information security. Past students have called it one of the most challenging yet rewarding courses they’ve ever taken. If you’re serious about mastering threat hunting to uncover zero-day activity on your network before it is publicly known, this course is for you. It’s not designed for those who simply want to interpret alerts from standard network monitoring tools. Instead, it’s for professionals who want a deep understanding of what is actually happening on their network and who suspect that serious threats may be going undetected. Review the detailed course content below.

What distinguishes SEC503 from other courses is its unique bottom-up approach to network monitoring and forensics, which naturally leads to effective threat hunting. Instead of teaching tools first, we focus on understanding the foundational principles of how TCP/IP protocols operate. In the first two sections, you’ll learn “Packets as a Second Language” before exploring common application protocols and methodologies for researching and understanding new ones. This knowledge is then applied directly to identify both zero-day and known threats.

Once you have a solid grasp of network protocols, the course shifts to teaching the most widely used automated threat detection tools. You’ll learn how to create efficient detection methods, understand the functionality of existing rules, and evaluate their usefulness. By the end of the course, you will be equipped to instrument your network for detailed threat hunting, perform incident analysis, conduct network forensics, and reconstruct events.

What makes SEC503 so impactful is that it forces you to develop critical thinking skills and apply them to deep, technical concepts. This leads to a profound understanding of nearly every modern security technology. As the security landscape continues to evolve, particularly with the migration of services to the cloud, SEC503 prepares you to tackle the challenges of safeguarding exposed and mobile systems in a constantly connected, vulnerable environment.

The course covers technical knowledge and hands-on training, focusing on the theory of TCP/IP and widely used application protocols like DNS and HTTP. You’ll learn to examine network traffic for signs of compromise and zero-day threats, while gaining proficiency with tools like tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX. Daily hands-on exercises, suitable for all experience levels, reinforce the course material, while evening Bootcamp sessions let you apply the day’s lessons to real-world problems. Exercises offer hints for beginners and advanced challenges for experienced students.

SEC503 is ideal for security analysts, SOC staff, and anyone responsible for monitoring, defending, and conducting threat hunting on their network. Red team members also find value in this course, as it enhances their ability to evade detection.

Business Takeaways:

This course will help your organization:

  • Avoid your organization becoming another front page headline
  • Augment detection in traditional, hybrid, and cloud network environments
  • Increase efficiency in threat modeling for network activities
  • Decrease attacker dwell time

You Will Learn:

  • How to analyze traffic traversing your site to avoid becoming another headline
  • How to identify zero-day threats for which no network monitoring tool has published signatures
  • How to place, customize, and tune your network monitoring for maximum detection
  • How to triage network alerts, especially during an incident
  • How to reconstruct events to determine what happened, when, and who did it
  • Hands-on detection, analysis, and network forensic investigation with a variety of tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits and problems inherent in using signature-based network monitoring tools
  • The power of behavioral network monitoring tools for enterprise-wide automated correlation, and how to use them effectively
  • How to perform effective threat modeling for network activities
  • How to translate threat modeling into detection capabilities for zero-day threats
  • How to use flow and hybrid traffic analysis frameworks to augment detection in traditional, hybrid, and cloud network environments

You Will Be Able To:

  • Configure and run Snort and Suricata
  • Write effective and efficient Snort, Suricata, and FirePOWER rules
  • Configure and run open-source Zeek to provide a hybrid traffic analysis framework
  • Create automated threat hunting correlation scripts in Zeek
  • Understand TCP/IP component layers to identify normal and abnormal traffic for threat identification
  • Use traffic analysis tools to identify signs of a compromise or active threat
  • Perform network forensics to investigate traffic to identify TTPs and find active threats
  • Carve out files and other types of content from network traffic to reconstruct events
  • Create BPF filters to selectively examine a particular traffic trait at scale
  • Craft packets with Scapy
  • Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
  • Use your knowledge of network architecture and hardware to customize placement of network monitoring sensors and sniff traffic off the wire

The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans alike. Each exercise offers two approaches: the first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra-credit question accompanies each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:

  • Section 1: Hands-On: Introduction to Wireshark
  • Section 2: Hands-On: Writing tcpdump Filters
  • Section 3: Hands-On: Snort Rules
  • Section 4: Hands-On: IDS/IPS Evasion Theory
  • Section 5: Hands-On: Analysis of Three Separate Incident Scenarios

You Will Receive:

  • Electronic courseware with each course section’s material
  • Electronic workbook with hands-on exercises and questions
  • TCP/IP electronic cheat sheet
  • MP3 audio files of the complete course lecture

Course Syllabus
SEC503.1: Network Monitoring and Analysis: Part I
SEC503.2: Network Monitoring and Analysis: Part II
SEC503.3: Signature-Based Threat Detection and Response
SEC503.4: Building Zero-Day Threat Detection Systems
SEC503.5: Large-Scale Threat Detection, Forensics, and Analytics
SEC503.6: Advanced Network Monitoring and Threat Detection Capstone
