SANS SEC460 – Course Review – Enterprise Threat and Vulnerability Assessment

I recently was able to take the SANS SEC460 (https://www.sans.org/course/enterprise-threat-vulnerability-assessment) course focused on Threat and Vulnerability Assessment. This is a newer course compared to most of the others that SANS offers, so I didn’t find any actual reviews beforehand other than a friend who did it last year. I figured I’d throw my opinion out there for what it’s worth. My workplace has had a slower start in the whole VA space, part of the downside of starting a security department from scratch. We were able to do what was required for compliance and passing audits, but as most people who dig deeper know, there is always a lot more going on than just that. And, as they say in the course, “if all you’re doing is running scans and handing over reports you’re missing most of the vulnerability management process!” We already possessed a lot of the tools, but didn’t really have a solid plan or framework to glue it all together, and that was my hope for the course.

I was able to do this course through the SANS Work Study program (https://www.sans.org/work-study/) and as you can see from my previous experience doing the SEC504 class (https://secdan.com/2018/09/27/sans-sec504-gcih-class-and-work-study-review/), I highly recommend this if you can work the schedule and it fits your personality. For me, I love it. The staff were all really friendly and helpful. One of the other facilitators started a chat group while we were there, so we were all able to coordinate meals and hanging out, which made for a great time and lots of networking too. Overall a very positive experience and I look forward to being able to do it again. This course was a reasonable drive away; it was nice to not have to juggle plane schedules and such. A two hour drive in the morning with no traffic and a bunch of podcasts, not bad at all.

The course was taught by one of the course authors, Adrien de Beaupre (https://www.sans.org/instructors/adrien-de-beaupre), so there was clearly nothing lost in translation. It’s a newer course so there isn’t an OnDemand version for it yet, but they were recording that during my session, so I’m sure some of my goofy questions probably make it into the audio somewhere. Adrien describes himself as “the sarcastic Canadian”, which works for me. Whoever said sarcasm is the lowest form of humor can... Well, let’s say I don’t agree. Adrien has a ton of real world experience, as I would expect from any SANS instructor, so any questions anyone had along the way were handled easily.

The 460 course is somewhere around a light purple team course. You need to know how to find some holes, and how to fix them. It is not as deeply technical as some of the higher level courses that SANS offers, but the coursework is fitting for that type of job role. Vulnerability management always seems to fall in different laps, ranging anywhere from an auditor asking probing questions to someone else exploiting vulnerabilities to validate their findings. The course gives a good breakdown of the whole process. If you’re expecting just a class on scanning, then you might be better off with something from your scanner vendor, but if you want to learn the whole process, this one is much more fitting.

SANS has a tendency to avoid focusing on specific vendor tools, because not everyone uses the same tools or can even afford to pay for them. Most management teams wouldn’t be happy to find out you paid for a course and then you get home and can’t do anything because the specific tool is out of reach. That logic holds pretty sound here; we used many different tools for scanning and validation, from manual checks, to short PowerShell scripts and some open source tools. The two areas where we did use commercial tools were the network and web app scanners. As the instructor said (obviously paraphrasing), “we could have had you use OpenVAS, it’s free, but has everyone really tried scanning 10,000 systems with OpenVAS? You don’t want to.” So they settled on Rapid7 Nexpose. I had a bit of an advantage here as I’ve been using the same tool for years, but at the basic level it’s also not overly complicated, so the instruction that everyone else got didn’t seem to hold them back at all. For the web application scanning we used Acunetix. I use a different tool at work, but it’s a web GUI and was pretty straightforward. The bulk of the work in this course is around infrastructure scanning, not web apps. I know there was a question about that during the class; the instructor mentioned they’re working on a web app version, but that course isn’t available yet. Most of the process that you learn should be applicable to any type of system, so it’s not at all wasted knowledge either way.

The days were laid out logically with the different steps of the whole process, starting with planning and threat modeling all the way through remediation and reporting.

A few ideas really stuck out to me during the course, obvious once you hear them but when you have your company blinders on you tend to forget sometimes:

  • If you don’t have your assets classified, and know what your most high risk systems are, then everything is critical. If you can’t tell me how important that server is, then I’m just going to have to safely assume worst case and everything is critical.
  • I like to (half-jokingly!) say “culture” is like a four letter word sometimes. The idea of “we always did it that way” can make things like changing big processes and mindsets really complicated. There is definitely a manner in how to best prepare the news and reports of your findings for the different levels of employees. Senior management doesn’t care about your 1000 page scan report; they want a chart that shows things are getting better, and why. And if they aren’t, what your plan is to make them better and what help you need to fix that.
  • Most people don’t like to hear their baby is ugly; in the same manner, most departments don’t want to hear the process they’ve been following is badly flawed. Because of that they will look for anything (ANYTHING!) that is wrong in your report to discount everything you’re saying. Validation is incredibly important. I once found a subnet that had been ignored for a long time, I scanned it and dropped a report of thousands of critical vulnerabilities on the server team. They checked, found one that was possibly a false positive, and immediately discounted everything in the report, and quite a few future reports too. My thought process was along the lines of … what if even 80% of it is wrong, so you only have hundreds of really terrible things that are publicly accessible?? Their translation was “we found a mistake, your tool is garbage”. Don’t be the boy who cried wolf. Some things are going to be missed, but do some basic checks to make sure you are providing valid data.
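The first and third points above (unclassified assets get treated as worst case, and findings get checked before they go in a report) are easy to turn into a small triage step that sits between the scanner export and the report. The script below is an added example and is not code from the post or from the SEC460 course; the asset classification, the findings, the criticality weights and the rule that a finding without evidence must be verified by hand are all constructed assumptions for illustration.

```python
# Added example: triage scanner findings against an asset classification.
# Two rules from the post: an asset with no classification is scored as if it
# were the most critical one, and a finding with no evidence attached is held
# back for manual validation instead of going straight into the report.

# Constructed asset inventory (hypothetical addresses). 10.0.1.30 is
# deliberately left out to show the "unknown means critical" rule.
ASSET_CLASSIFICATION = {
    "10.0.1.10": "high",   # e.g. a customer-facing database
    "10.0.1.20": "low",    # e.g. a throwaway test box
}

# Assumed weights; tune these to your own classification scheme.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
WORST_CASE_WEIGHT = 1.0

# Constructed findings in the shape a scanner export might take.
FINDINGS = [
    {"host": "10.0.1.10", "port": 443, "cvss": 9.8, "evidence": "banner: OpenSSL/1.0.1e"},
    {"host": "10.0.1.20", "port": 22, "cvss": 7.5, "evidence": "banner: OpenSSH_7.4"},
    {"host": "10.0.1.30", "port": 3389, "cvss": 6.5, "evidence": ""},
    {"host": "10.0.1.30", "port": 445, "cvss": 9.3, "evidence": "banner: SMBv1 enabled"},
]


def asset_weight(host, classification):
    """Weight for a host; anything unclassified is assumed worst case."""
    return CRITICALITY_WEIGHT.get(classification.get(host), WORST_CASE_WEIGHT)


def score_finding(finding, classification):
    """Scanner severity scaled by how much the business cares about the host."""
    return round(finding["cvss"] * asset_weight(finding["host"], classification), 1)


def needs_verification(finding):
    """A finding with no concrete evidence (banner, version, response) is the
    kind most likely to be a false positive, so it gets checked by hand first."""
    return not finding.get("evidence", "").strip()


def triage(findings, classification):
    """Return findings ordered by priority, each tagged with its report status."""
    report = []
    for f in findings:
        report.append({
            **f,
            "criticality": classification.get(f["host"], "unclassified"),
            "priority": score_finding(f, classification),
            "status": "verify before reporting" if needs_verification(f) else "ready to report",
        })
    report.sort(key=lambda r: r["priority"], reverse=True)
    return report


def summarize(report):
    """The three numbers worth putting on the management chart."""
    return {
        "ready": sum(r["status"] == "ready to report" for r in report),
        "to_verify": sum(r["status"] == "verify before reporting" for r in report),
        "unclassified_assets": len({r["host"] for r in report if r["criticality"] == "unclassified"}),
    }


if __name__ == "__main__":
    triaged = triage(FINDINGS, ASSET_CLASSIFICATION)
    for row in triaged:
        print(f'{row["host"]}:{row["port"]:<5} {row["criticality"]:<12} '
              f'priority={row["priority"]:<4} {row["status"]}')
    print(summarize(triaged))
```

Run as-is, the unclassified host ends up near the top of the list on scanner severity alone, and its evidence-free RDP finding is held back for a manual check; the summary shows one asset still needing classification, which is the conversation to have with the server team before the next report goes out.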

At the end of the 5th day we had a much lighter lab day and took the last part of the day to get familiar with the NetWars engine. I learned a few things: don’t rush, wrong answers because you moved too quickly don’t help you when others have hours to catch up. I answered the sample ones very quickly, whoo I’m at the top... Oh wait, they’re catching up! I’m pretty competitive by nature, blame a large family where if you don’t move quick you lose out on dinner! So I wanted to win and it almost bit me in the rear by rushing too much.

The 6th day was all a special version of NetWars CTF for the course. This was really a lot of fun, you got to use most of the different tools and ideas from the course and some were definitely tricky. Our team had a quick lead but (not my fault, I learned my lesson the day before!) there was definitely some messy guessing going on, so we lost a few points to that. And, like the day before, the other teams caught up. It got down to just one question at the end and with four people on the team, two of us wanted one answer and the other two wanted another one. We couldn’t get it wrong; luck (and a fair bit of experience with the type of system in question) was on my side and we put in our final answer with just five minutes left and won by a single point. Big nail biter finish there, but we pulled it out and took home the challenge coin!


The timing was perfect, if anything a month or so late for me: as soon as I got back to the office I found out our internal audit and an outside firm are going to be auditing our whole vulnerability process. I wish I had even a bit more time to implement some of the things I learned, but I now have a really good roadmap for the future at my workplace and it should be significantly more advanced than just handing over scan reports.

Overall the class was really enjoyable and recommended if this is your area. The course prerequisites are pretty general, but I’d suggest a pretty comfortable knowledge of the Windows command line, how to at least get around in a Linux shell, and a basic understanding of PowerShell. I know there isn’t a lot of complicated PowerShell used, but some people had never even seen the verb-noun type logic or the concept of loops, so it was likely harder for them.

I can’t do an exam review on this one as the exam isn’t written yet. Hopefully it doesn’t take too long and I can take a shot at it soon!

Edit – The GEVA exam is now live. I took the exam as one of the early testers. It was definitely a different experience taking it months after the course without having access to the OnDemand as I did in the past as a refresher. But, like before, I dug into the books and labs; all the information is in there. I created an index and tuned it after taking my practice tests to clean up areas I felt weaker in. I got my same great, roomy corner seat in the testing area so I could spread out all my stuff and knocked it out!

As an exam tester you have to wait until the exam is actually going live to get the results; for me, that was a few months, but I tried to forget about it so I didn’t obsess over it. Right at the time we were told the results would be out, I got the email that I passed. Well, I got two emails, one saying I got the GEVA certification and a second saying I scored high enough to be invited to the SANS Advisory Board!