SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling — Course Review (2021)

Ellis S
Jun 3, 2021

SANS provide a very clear pathway for Incident Response in their Cyber Security Map Pathway, starting off with SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling. Having literally just passed the GCIH (GIAC Certified Incident Handler) exam which complements the course, I thought it only fair to share my views on the training, materials, labs and the exam itself.

I was fortunate enough to be selected for the Work-Study program — this was designed to give participants a discounted pass in exchange for acting as a moderator of the classes. Given this was still during the height of the COVID-19 pandemic, this was done remotely and involved helping anyone set up shop, troubleshooting, managing recordings, managing the day schedules and liaising with the SANS team on a separate Slack channel (and much more). In a nutshell, the purpose was to make it much easier for the instructor. My specific instructor was Chris Dale, who was an awesome lecturer and very good at explaining things, keeping the class uplifted and engaged. The difference between myself and my classmates is that I would be a point of contact for any absences, hardware issues, discrepancies in the course/lab material, etc.

Overview

As mentioned above, SEC504 — Hacker Tools, Techniques, Exploits, and Incident Handling — is an introductory-level course to the Red and Blue Team sides of Penetration Testing and Incident Response. It sets you up with an excellent foundational level of knowledge within this space, walking through the phases of an attacker lifecycle, thinking like an adversary, and how to conduct and detect some of the oldie-but-goldie attacks, and much more of course.

Class Experience

I was in a class of around 12 and this was part of a two-week course rather than the one-week format, which is the standard length. This actually allowed me to soak in the information a lot more, and given it was remote I was able to ask questions offline to Chris, which really helped cement and answer a lot of questions/gaps in my knowledge.

As far as I’m aware remote sessions are still ongoing, but I did find that I got a lot out of being able to work from 2–3 monitors vs. just your laptop on the training week(s) in person. That also really helped with managing the moderator side whilst also being able to enjoy the classes.

That said, you’d still enjoy the classes in person, as the networking opportunities that come with that are excellent.

Furthermore, being a moderator does actually give you the opportunity to develop important life/work skills such as facilitating large meetings and multitasking in fast-paced environments, so if anything it’s actually a win-win to do this!

Structure and Content

The course was made up of 6 sections totalling 33 labs (all contained on two VMs), numerous cheat sheets, external articles, videos and documents. The material starts with an introduction to incident handling, touching on some of the foundations such as an Incident Cycle very similar to the NIST framework, Digital Investigations, Live Examinations, etc.

There are six books in total which comprised the structure of the 10-day course (and a huge book for lab notes), and this roughly worked out as 1 book every 2 days, where some days squeezed in more or less, and the final day was the Capture the Flag event:

  1. Incident Response and Computer Crime Investigations
  2. Recon, Scanning, and Enumeration Attacks
  3. Password and Access Attacks
  4. Public-Facing and Drive-By Attacks
  5. Evasive and Post-Exploitative Attacks
  6. Capture the Flag Event (which I haven’t included in the image below)

Labs

As previously mentioned there are numerous labs to complement the content. These are done in two Virtual Machines (Windows 10 and Linux Slingshot) to help put theory into practice.

One thing I would say is that when going through the material, there may be opportunities to test some of the tools not included in the labs. I would recommend doing this to help cement the knowledge and fully understand them.

Furthermore, you can even access the lab questions in the VMs via Firefox over port 9001!

Slingshot

Capture the Flag Event

The final day of the course was the SEC504 CTF NetWars Event, applying the skills learnt throughout the fortnight in a single day of challenges. This comprised many different questions where we teamed up in groups of 3/4 in a score-based competition, where the first-place team would win an achievement coin (similar to what they do in the military).

This was a fantastic opportunity to apply the skills learnt in class to a competition where teams could choose to take their time and learn the knowledge, or go full competitive and go for gold.

In the end my team and I ended up winning the event and got a nice coin as a result.

Observations

Over the two week stint, there were some key things that I noticed which contributed to this unique learning experience.

  1. Chris took on any feedback immediately — the feedback was consistently good and it was clear our class (including myself) really liked that he gave examples of industry experiences he had for various parts of the material. It really helped the teaching sink in for all of us, and after day 1 of receiving this feedback I noticed he made an effort to add more industry examples and personal experiences — believe it or not, that actually helped me remember the material, which was a real positive. There was additional material shared as well, which helped build a bigger picture of the content.
  2. SANS take it very seriously to be the best. They are an organisation driven to deliver the best cyber security training in the world and this really does make up for the cost. Being a moderator for the class, I felt like the rest of the SANS staff and myself worked together like a well-oiled machine to ensure that everyone was receiving the best experience they could. I really bought into that ethos and it made me more driven to help people as much as I could, even chipping in when I had experiences or things to add in the class.

What you should know

Let me start from the beginning. Prerequisites are really not important if you work hard, but you should at least have foundational security and networking knowledge, or you will find yourself googling a fair bit if you don’t have a faint idea of the main adversarial tools. Here are some tips from me to you:

  1. Index. Index. Index. When studying this, follow this guide — in there it explains that you need to read the material once, then index the course notes, before taking the two mock exams. This is how I did it and I can’t recommend it enough.
  2. Don’t see this as a cert to fill a quota for a pay rise or another job. This is something that Chris actually went through at the end, and it was very positive to see him explain the importance of having foundational knowledge in the cyber domain. This actually brings me onto the next point quite nicely:
  3. Do the labs. If you’re going for the GIAC Advisory Board especially (requiring 90%+ on your final score) then you’ll need to do them. There are just some parts of the practical section of the exam which are not included in the books, and it will really help to go through them at least twice after the training.
  4. If you’re working off a single laptop, buy a monitor. You’ll save yourself a ton of time switching back and forth between notes/labs, and in practice, when responding to incidents, you should be using at least two/three monitors anyway.
  5. If you are curious about something in the books just Google it! This is how you get to become more and more knowledgeable.

Exam

Now for the bit you’ve been waiting for. If you were like me and searching for some insight into what the exam was like, then you have come to the right place.

The exam is 4 hours long with 106 questions; these are split between 96 theory questions and 10 hands-on practical questions. They are all multiple choice, but do not underestimate this. As I said before, you need to understand the material and you need to index thoroughly to succeed. Another tip is that the material in the CTF event (Book 6) has some excellent materials outside of the cheat sheets which I would recommend you have with you on exam day. Above all, time management is critical here.

I’d also recommend downloading and printing the parent-child process cheat sheet from the SANS FOR508 cheat sheet here, as it’s not included in the SEC504 materials.

I learnt a lot from studying the material and it was enjoyable at times albeit tough. But if you study everything in the content and labs then you will be fine.

Conclusion

The verdict: 10/10 — This is a great course into the world of incident response and adversarial activity. It is vast, thorough and worth the cost. It will provide you with a fantastic baseline of security, but the key message I must reiterate is that it is fully down to you what you do with it afterwards — but this is the same with all security certifications. Unless you are driven/passionate about the field and constantly in the technical space, your skills diminish and you have to relearn things. However, this is something that’s natural and we shouldn’t beat ourselves up about too much.

Overall, I really enjoyed the course and sitting the exam. It really pulled together many concepts that I was already acquainted with, looking at them as a collective from the perspective of an attacker/responder to get a greater understanding of the bigger picture, which is much like a game of cat and mouse.

In the end I scored a nice 90%, which meant landing on the GIAC Advisory Board, which is always a huge positive.

What’s next you ask? Pub again.

As always, stay safe!

Ellis S

Digital Forensics, Incident Response and Threat Hunting things.