

Thursday, April 6, 2017

What SANS SEC504 Did For Me

I’m excited to say that I’ll be teaching SANS SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling this May in Phoenix. The class will be in the new Multi-Week format starting May 5. It runs each Friday and Saturday for three weeks (May 5, 6, 12, 13, 19 & 20). This new format combines instructor-led classroom training with the convenience of maintaining work-life balance and time to absorb the material presented each week.

After providing digital forensics services to the corporate sector for almost six years, and being one of the first 350 GCFEs in 2011, I found more and more of my engagements involving the question “how do we stop this from happening again?” Already familiar with the quality of SANS courses and their active participation in the security community, I chose SEC504 as my next class.

SANS SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling and the accompanying GCIH certification raised my skill set, leaving me better prepared for incidents, and set me on a course to easily obtain my CISSP and CISM certifications. The deep dive into attack techniques, as well as how to prevent and detect such activity, laid the foundation for me to write an incident response script that any Windows admin could easily deploy in their environment when the time came. The script relies on nothing but native Windows commands. It collects a combination of current-state and forensic artifacts from the host system, packages the information, and sends it to a central location of the client’s choosing.

I recognize that there are many incident response tools out there, but using what I learned in SEC504 and my forensics background, I was able to 1) write a script that provided me with exactly what I wanted, and 2) understand the ins and outs of quickly triaging systems. I often deploy the script across an entire environment in cases where patient zero is unknown. The script allows us to triage the incident, quickly identify suspicious artifacts on hosts, and place those hosts on a short list for further analysis, including full forensic collection and/or additional monitoring. Some examples of the script’s output include irregular services like psexec, anomalous user accounts and groups, suspicious account logons, evidence of unauthorized application execution, network connections, hidden shares, running processes, executables in temp directories, and the entire user and machine registries.
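A minimal host triage collector in the spirit of the script described above, written here as an added example (it is not the author's script): it gathers the same artifact classes with built-in PowerShell cmdlets and reg.exe, packages them, and copies the archive to an assumed collection share `\\collector\triage$`, which is a placeholder for the client's own central location.

```powershell
# Added example, not the author's script: a minimal host triage collector.
# Assumes Windows PowerShell 5.1+ run as a local administrator; $Destination
# is a hypothetical collection share chosen by the responder.
param(
    [string]$Destination = '\\collector\triage$'   # assumed collection share
)
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:TEMP "triage-$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

# One CSV per artifact class so results can be stacked and diffed across hosts.
$collectors = [ordered]@{
    services   = { Get-CimInstance Win32_Service | Select-Object Name, DisplayName, PathName, StartMode, State }
    localusers = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
    admins     = { Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource }
    netconns   = { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    shares     = { Get-SmbShare | Select-Object Name, Path, Description }   # names ending in $ are hidden shares
    processes  = { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine }
    tempexes   = { Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Recurse -Include *.exe, *.dll, *.ps1 -ErrorAction SilentlyContinue |
                   Select-Object FullName, Length, CreationTime, LastWriteTime }
    # 4624/4625/4648 logons, 4720 account created, 4732 member added to a local group
    logons     = { Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648,4720,4732} -MaxEvents 2000 |
                   Select-Object TimeCreated, Id, Message }
}
foreach ($name in $collectors.Keys) {
    try {
        & $collectors[$name] | Export-Csv -Path (Join-Path $outDir "$name.csv") -NoTypeInformation
    } catch {
        "$name failed: $_" | Out-File (Join-Path $outDir 'errors.txt') -Append
    }
}

# Registry via the built-in reg.exe; scoped to persistence-relevant keys rather than whole hives.
reg.exe export HKLM\SYSTEM\CurrentControlSet\Services (Join-Path $outDir 'hklm-services.reg') /y | Out-Null
reg.exe export HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Join-Path $outDir 'hkcu-run.reg') /y | Out-Null

# Package, hash, and ship; the hash lets the central collector detect a tampered archive.
$zip = "$outDir.zip"
Compress-Archive -Path $outDir -DestinationPath $zip -Force
(Get-FileHash -Path $zip -Algorithm SHA256).Hash | Out-File -FilePath "$zip.sha256"
Copy-Item -Path $zip, "$zip.sha256" -Destination $Destination
```

Running the same collector across every host and stacking the CSVs lets you sort by rarity (a service path or admin-group member seen on one host out of hundreds) to build the short list the post describes.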

The defensive, or Blue Team, nature of SEC504’s content and the challenge of protecting networks without adversely impacting business operations is what most security teams deal with. I apply the content I learned from SEC504 daily, and have used it as a springboard to quickly absorb the material necessary for passing other management-focused security certifications like the CISSP and CISM. I’m still a geek at heart though, and have since gone on to take SEC560: Network Penetration Testing and Ethical Hacking, and FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. I plan to take additional SANS courses as the opportunities arise.

For more information on the Phoenix class, visit https://www.sans.org/community/event/sec504-phoenix-48437. Use HonorHealth10 when registering for a 10% discount.