SANS SEC460 – Course Review – Enterprise Threat and Vulnerability Assessment

I recently was able to take the SANS SEC460 (https://www.sans.org/course/enterprise-threat-vulnerability-assessment) course focused on Threat and Vulnerability Assessment. This is a newer course compared to most of the others that SANS offers, so I didn’t find any actual reviews beforehand other than a friend that did it last year. I figured I’d throw my opinion out there for what it’s worth. My workplace has had a slower start in the whole VA space, part of the downside of starting a security department from scratch. We were able to do what was required for compliance and passing audits, but as most people who dig deeper know, there is always a lot more going on than just that. And, as they say in the course, “if all you’re doing is running scans and handing over reports you’re missing most of the vulnerability management process!” We already possessed a lot of the tools, but didn’t really have a solid plan or framework to glue it all together, and that was my hope for the course.

I was able to do this course through the SANS Work Study program (https://www.sans.org/work-study/) and as you can see from my previous experience doing the SEC504 class (https://secdan.com/2018/09/27/sans-sec504-gcih-class-and-work-study-review/) I highly recommend this if you can work the schedule and it fits your personality. For me, I love it. The staff was all really friendly and helpful. One of the other facilitators started a chat group while we were there so we were all able to coordinate meals and hanging out which made for a great time and lots of networking too. Overall very positive experience and I look forward to being able to do it again. This course was a reasonable drive away, nice to not have to juggle plane schedules and such, a two hour drive in the morning with no traffic and a bunch of podcasts, not bad at all.

The course was taught by one of the course authors, Adrien de Beaupre (https://www.sans.org/instructors/adrien-de-beaupre), so there was clearly nothing lost in translation. It’s a newer course so there isn’t an OnDemand course for it yet, but they were recording that during my session so I’m sure some of my goofy questions probably make it into the audio somewhere. Adrien describes himself as “the sarcastic Canadian”, which works with me. Whoever said sarcasm is the lowest form of humor can... Well, let’s say I don’t agree. Adrien has a ton of real world experience, as I would expect from any SANS instructor, so any questions anyone had along the way were handled easily.

The 460 course is somewhere around a light purple team course. You need to know how to find some holes, and how to fix them. It’s not as deeply technical as some of the higher level courses that SANS offers, but the coursework is fitting for that type of job role. Vulnerability management always seems to fall in different laps, ranging anywhere from an auditor asking probing questions to someone else exploiting vulnerabilities to validate their findings. The course gives a good breakdown of the whole process. If you’re expecting just a class on scanning, then you might be better off with something from your scanner vendor, but if you want to learn the whole process, this one is much more fitting.

SANS has a tendency to avoid focusing on specific vendor tools, because not everyone uses the same tools or can even afford to pay for them. Most management teams wouldn’t be happy to find out you paid for a course and then you get home and can’t do anything because the specific tool is out of reach. That logic holds pretty sound here; we used many different tools for scanning and validation, from manual checks, to short PowerShell scripts and some open source tools. The two areas where we did use commercial tools were the network and web app scanners. As the instructor said (obviously paraphrasing), “we could have had you use OpenVAS, it’s free, but has everyone really tried scanning 10,000 systems with OpenVAS? You don’t want to.” So they settled on Rapid7 Nexpose. I had a bit of an advantage here as I’ve been using the same tool for years, but at the basic level it’s also not overly complicated, so the instruction that everyone else got didn’t seem to hold them back at all. For the web application scanning we used Acunetix. I use a different tool at work, but it’s a web GUI and was pretty straightforward. The bulk of the work in this course is around infrastructure scanning, not web apps. I know there was a question about that during the class; the instructor mentioned they’re working on a web app version, but that course isn’t available yet. Most of the process that you learn should be applicable to any type of system, so it’s not at all wasted knowledge either way.

The days were laid out logically with the different steps of the whole process, starting with planning and threat modeling all the way through remediation and reporting.

A few ideas really stuck out to me during the course, obvious once you hear them but when you have your company blinders on you tend to forget sometimes:

  • If you don’t have your assets classified, and know what your most high risk systems are, then everything is critical. If you can’t tell me how important that server is, then I’m just going to have to safely assume worst case and everything is critical.
  • I like to (half-jokingly!) say “culture” is like a four letter word sometimes. The idea of “we always did it that way” can make things like changing big processes and mindsets really complicated. There is definitely a manner in how to best prepare the news and reports of your findings for the different levels of employees. Senior management doesn’t care about your 1000 page scan report; they want a chart that shows things are getting better, and why. And if they aren’t, what your plan is to make them better and what help you need to fix that.
  • Most people don’t like to hear their baby is ugly; in the same manner, most departments don’t want to hear the process they’ve been following is badly flawed. Because of that they will look for anything (ANYTHING!) that is wrong in your report to discount everything you’re saying. Validation is incredibly important. I once found a subnet that had been ignored for a long time, I scanned it and dropped a report of thousands of critical vulnerabilities on the server team. They checked, found one that was possibly a false positive, and immediately discounted everything in the report, and quite a few future reports too. My thought process was along the lines of… what if even 80% of it is wrong, so you only have hundreds of really terrible things that are publicly accessible?? Their translation was “we found a mistake, your tool is garbage”. Don’t be the boy that cried wolf. Some things are going to be missed, but do some basic checks to make sure you are providing valid data.

At the end of the 5th day we had a much lighter lab day and took the last part of the day to get familiar with the NetWars engine. I learned a few things: don’t rush, wrong answers because you moved too quickly don’t help you when others have hours to catch up. I answered the sample ones very quickly, whoo, I’m at the top... Oh wait, they’re catching up! I’m pretty competitive by nature, blame a large family where if you don’t move quick you lose out on dinner! So I wanted to win and it almost bit me in the rear by rushing too much.

The 6th day was all a special version of NetWars CTF for the course. This was really a lot of fun, you got to use most of the different tools and ideas from the course and some were definitely tricky. Our team had a quick lead (not my fault, I learned my lesson the day before!) but there was definitely some messy guessing going on so we lost a few points to that. And, like the day before, the other teams caught up. It got down to just one question at the end and with four people on the team, two of us wanted one answer, the other two wanted another one. We couldn’t get it wrong. Luck (and a fair bit of experience with the type of system in question) was on my side and we put in our final answer with just five minutes left and won by a single point. Big nail biter finish there, but we pulled it out and took home the challenge coin!


The timing was perfect, if not even a month or so late for me; as soon as I got back to the office I found out our internal audit and an outside firm are going to be auditing our whole vulnerability process. I wish I had even a bit more time to implement some of the things I learned, but I now have a really good roadmap for the future at my workplace and it should be significantly more advanced than just handing over scan reports.

Overall the class was really enjoyable and recommended if this is your area. The course prerequisites are pretty general, but I’d suggest a pretty comfortable knowledge of the Windows command line, how to at least get around in a Linux shell and a basic understanding of PowerShell. I know there isn’t a lot of complicated PowerShell used, but some people had never even seen the verb-noun type logic or the concept of loops, so it was likely harder for them.

I can’t do an exam review on this one as the exam isn’t written yet. Hopefully it doesn’t take too long and I can take a shot at it soon!

Edit – GEVA exam is now live. I took the exam as one of the early testers. It was definitely a different experience taking it months after the course without having access to the OnDemand as I did in the past as a refresher. But, like before, I dug into the books and labs; all the information is in there. I created an index and tuned it after taking my practice tests to clean up areas I felt weaker in. I got my same great, roomy corner seat in the testing area so I could spread out all my stuff and knocked it out!

As an exam tester you have to wait until the exam is actually going live to get the results. For me, that was a few months process, but I tried to forget about it so I didn’t obsess about it. Right at the time we were told the results would be out, I got the email that I passed. Well, I got two emails, one saying I got the GEVA certification and a second saying I scored high enough to be invited to the SANS Advisory Board!

SANS SEC504 – GCIH – Class and Work Study Review

I haven’t updated in a while, but I wanted to focus on knocking out the GCIH after the course and had a ton of other things going on, so, here you go. I’ll try to make up for it with an annoying amount of detail.

The SANS SEC504 – Hacker Tools, Techniques, Exploits, and Incident Handling (https://www.sans.org/course/hacker-techniques-exploits-incident-handling) is the most recent SANS course I’ve taken, and the first time I’ve taken one in person. Drinking from the firehose in person is very different from watching the OnDemand at home, overall great experience.

I’m in no way a stranger to different types of education. I’ve done a bunch of classes in different topics, have a BS, a few classes into an MS, have done a pile of self-study certifications, and nothing compared to the experience of a 6-day on-site SANS course. Let’s just say I slept well that week!

Taking a few steps back, I work in infosec and my department is not exactly what I would consider well-staffed. Because of that, I (along with many others in my field, I’m sure) have to wear many different hats. Incident response is just one of the tasks that is on my plate and what I’ve done so far has been just what seemed like a logical process. I’ve heard John Strand mention the PICERL model many times on podcasts but didn’t spend a lot of time digging into it otherwise. Most of my experience is on the blue team side so this class was right down my alley!

My current workplace is pretty free with training time, but training funds… not so much. Because of that I’ve been applying to the SANS Work Study program (https://www.sans.org/work-study/) and this was the first time the event date, class and location all worked together, and I was all in. For those not familiar with the program, you essentially agree to work the live event as a facilitator in exchange for a huge discount on the training and exam. You show up a day or so early, do a bunch of setup, bundle together training materials, get promotional stuff ready. But overall, it was nice just hanging out with people in the field, talking about nerdy infosec stuff, and everyone understands you! I work in a small department, so that’s a big deal to me; one of the other facilitators called it a free therapy session, which was funny but pretty accurate. You gofer whatever the instructor needs during the day and help students with some issues, but I had a smaller class so there weren’t too many technical issues.

I really enjoyed the behind-the-scenes aspect of doing Work Study. One interesting thing that I realized: the surveys are taken very seriously. For anyone who has been to an event, you know you get them for every day of class, every SANS@Night talk, etc, and I just sort of assumed they were all tossed in a box for some later date. Nope, the quality control on those is serious. The facilitators take every one, sort them by scores, run them through a spreadsheet, scan every one. Then, every comment is given directly to the instructors after every class and they all go straight to SANS corporate as well. I’ve never seen a company take them so seriously. But, as someone else at the event mentioned, “when you pay this much for the training, you want to feel like you are getting the best experience.” So yes, SANS training isn’t cheap, at all, but if you can swing it, or are lucky enough to get picked for Work Study, then the quality of the whole event is fantastic.

My 504 class was taught by Kevin Fiscus (https://www.sans.org/instructors/kevin-fiscus), and he was a great instructor. It was refreshing to be able to walk up after class and ask about nearly anything security related and to get a useful answer. It shows that the instructors don’t only know how to teach their one course but have a well rounded background and also work in the field. I’ve taken vendor product training (I’m looking at you, Cisco!) where the instructor is teaching only to the lab, and even questions like “well, I want to set it up like X” or “What if I use the other option on the dashboard instead?” were usually met with answers telling you to just stick to the lab and it’ll go fine. As an added bonus for doing Work Study, I also had the OnDemand access included, which was taught by John Strand, the course creator, and it was very helpful to not only get two perspectives on certain topics but be able to refresh on certain topics while creating my test index at home later.

The first day we covered incident response. It seems like a small portion of the class, but the phases of IR are covered as part of each of the other days through the week by learning how to recognize the tools that attackers will use when you’re doing IR. This portion of the course covers many areas that many people likely forget in the preparation phase, other departments that you need to involve and even interfacing with law enforcement. One thing they really drove home is the need for management support. This might sound obvious, but from a tech side, we see things and might think “shut it down!”, and in a big corp that’s an awesome way to get fired, whether you made the right call or not.

Each day had a number of different labs. Mixed feedback from “not enough labs!” to “labs are awesome!” came back, so I guess somewhere right around the correct amount of labs. All the full labs come on a USB stick, so even if you really break your local environment, you can just extract them again and start fresh. The future labs don’t rely on the past ones either, so restoring is no big deal. I think we’ve all played around in labs and broken something and then realized we had to rebuild half an AD infrastructure just to run the next command. Pointing out the quality control again, but all the labs just work. I know they’re supposed to work, but too many times labs aren’t perfect. I imagine most people in this field have followed different tutorials; it always seems like the tool has updated, or you’re missing a dependency, or an exploit doesn’t have the same options as the screenshots you’re looking at. None of that going on here. Turns out that’s why they don’t use Kali Linux in the image but instead build their own Linux VM loaded with the specific tools and versions that are used in the labs. Kali might update and suddenly you have 30% of the class with essentially a broken lab and now the class is behind.

The one lab we had as part of day 1, but got to on the morning of day 2, wasn’t what we typically think of as a lab. It was a table top exercise. The timing was perfect as I was tasked with doing a table top exercise at work and had already been researching something different for the exercise this year. I had come across the idea a few weeks before the class (https://www.blackhillsinfosec.com/dungeons-dragons-meet-cubicles-compromises/) and thought it sounded fun and different, but didn’t imagine doing it in my workplace. So, we did a mock table top in class using that exact same methodology with a bunch of mostly strangers. We didn’t have a 20 sided die, but we used a phone app to do a pseudo-random roll for 1-20. Turns out it was really fun! The idea was that in reality, not everything works perfectly every time without hiccup, because that’s how real life works.

After that exercise I changed my own table top plan at work and picked up a 55mm die (nothing for scale) that was nice and big so everyone in the room could see it. We had a ransomware exercise and it was great to answer, “nope, I rolled, you tried to pay it, and failed, so what do we do next?” I’m not a D&D guy so I discounted the idea a bit at first, but in actual practice it’s a great way to inject some reality and force people to find workarounds in real time.

The remaining four days covered attacker tools and techniques specifically. Tons of tools, some I’ve used, some I’ve never even heard of, but all were very cool to see. We followed the whole attack lifecycle from OSINT, recon, scanning, all the way to exploitation and covering your tracks. Again, the labs are really helpful here; you get copies of all of them, including video walkthroughs, so doing them again at home helps to learn the tools and for test prep.

For day 6, the CTF, that was really a lot of fun. I’ve done some simple vulnerable VMs before and other labs but never really against someone else in real time. No, I won’t give tips outside of what I was told, which was “don’t try to overhack”, aka don’t ignore the simple things and try to over-engineer something crazy when there are far faster and easier ways to go about it. Also, bring food; don’t be the teammate who decides to go out to lunch in the middle of the competition. And, SANS will email and remind you, but if you don’t have an Ethernet port, bring an adapter with you, or you can’t participate.

Day 7-8, as our instructor suggested, go home and unplug. Depending on your past experience level you just took in a ton of information and have earned a few days of being lazy!

Now, for the test prep itself. Everyone talks about the index, and its importance is not something you want to ignore. Sure, you are supposed to actually know the material going in, but the depth of some of the questions is definitely something you could be looking up as part of your regular job, and the same holds true for the index. I followed Leslie Carhart’s guide (https://tisiphone.net/2015/08/18/giac-testing/) for index creation; this is just one of many great resources on her blog. The tabs in my books weren’t such a mess before or during the exam, but after passing I stuffed them all back into my bag and happily ate entirely too much and didn’t unpack them for a few days!

I often see people online asking how long the index is supposed to be; that’s 100% up to what you need on there and totally personal to your learning style. I saw some people say theirs was 80 pages, others said they had five. Figure out what you need to reference, and the practice tests will help iron out how well your plan works.

I took the first practice exam and made a ton of changes to my index afterwards. I had a feeling when I was creating it that I’d be looking up terms in different ways, and it was confirmed as soon as I started trying to use it. I made a few more tweaks after the second exam. After all the colors and tabs, I didn’t end up really referring to them at all; I’d just grab the right book, then go to the page, but everyone has a different method. The testing center was at a local community college and they gave me a big corner cube with a wrap around desk where I could spread out the books and whiteboard. I couldn’t have been happier with the setup.

Overall it was a really positive experience. Lots of work but totally worthwhile; if your workplace is understanding (they should be, you’re getting training to do a better job!) and you have the time and the funds, totally recommended.