Thoughts on SANS’ 560 course

I got to take SEC560: Network Penetration Testing and Ethical Hacking, with Bryce Galbraith.

Penetration testing is not part of my official job role, but understanding the mindset, tools and tactics employed is immensely valuable to anyone working on behalf of the network defence team. So off I went and jumped in at the deep end.

Having already taken the SEC504: Hacker Techniques, Exploits & Incident Handling course, which was also written by Ed Skoudis, I was keen to see what made the courses different, since at first glance there appeared to be an overlap in the material. With the warning "SANS Security 560 is one of the most technically rigorous courses offered by the SANS Institute", I have to admit I was intrigued.

The first day has a heavy emphasis on methodology and report writing, which seemed to deter a number of students in the class. It became clear how important solid, clear and concise report writing skills are to a professional penetration tester. The writing skills are critical to the client the test is being performed for. If they can understand and act on the report of the test, you get a happy client. A happy client can mean repeat business. That's good. As someone who has to throw together monthly security reports, it was more encouragement to keep reports clear, concise and not too techie. The methodology section covered how to produce consistent, repeatable results using a variety of frameworks.

I will not go into the following days, as they covered skills, concepts and tools in both Windows and Linux. The course layout is detailed here. Many labs made up those days to counterpoint the theory with solid practicals. The days provided the core elements, a foundation, if you will, of the training and skill sets required for penetration testers.

The Day Six Challenge

This is the day you put together what you have practised and learnt and apply it to a real world situation. Thinking on your feet is required, with plenty of lateral brain work. That is all you will get from me :-)

The day six challenge is perfect. Fiendish, demanding and aggressively driven to get the prize as quickly as possible, but without destroying every jump point or system you touch. This is tailored to the pen tester's skills and gives a clear insight into how broad-minded, and skilled, you would have to be.

No, I did not win the challenge, but I took away a great deal of notes, to do lists, insights and a sense of achievement.

As an interesting aside, 504's final day is much more raw, as it is a hack-and-slash approach for sysadmins: have at it and play attacker for once. I am not putting the challenge down in the slightest; it was excellent fun to go full tilt at someone else's systems in the all-consuming charge to get the flags first.

In my own mind, I would love the day six challenge of 504 to be more about defending against and repelling an attacker, rather than being the attacker. Being on offence is a very different mindset to defence. Attackers need to find one fault; defenders have to fix them all. Guess who feels the more pressure.

Mr Galbraith

As to our instructor, it was an absolute pleasure to have Bryce guide us through the lessons, material and labs. Bryce's teaching style is calm, open to questions and focused. It is all too easy for a question to spark off a whole thread of detours and off-topic ramblings. Bryce kept us alert, on track and entertained. A sprinkling of relevant, and some very funny, war stories was dropped in to highlight the course material and practicals. With someone teaching who works in the penetration testing and security space, consulting for a wide range of clients, you get a very real sense of how to use these skills and supplement them with a variety of tools. What was amazing to watch and understand was how Bryce used the installed tools and utilities of the OS to "live off the land", as he calls it, to subvert the network and systems and reach the target goal. So many standard system tools that ease administration are an absolute menace in the wrong hands.

560 Boot Camp

We also took part in a boot camp session, on the second, fourth and fifth nights of the training. These ran directly after the day class until 6:30 pm.

This was an added bonus, as I had not heard of this before and was not expecting it. The boot camp sessions were voluntary, running for one and a half hours.

The first session was on report writing, and we had some drop-outs from students keen to avoid more paperwork. As a group we broke down a poorly constructed report, then rebuilt it and made it more relevant, giving it focus and flow. The group discussion threw together a wide range of thoughts, ideas, suggestions and the occasional disagreement on how to improve the report. With the before and after example reports, it was easy to see how, by thinking through the layout and who the audience is, a solid report could be created.

Session two was on Metasploit, using it to deploy 'sploits to a USB device. The entire class stayed and attended. We all knew it was going to be that good. No-one left their seats as we jumped straight into the boot camp from class. The hour and a half flew by, but most of us finally brandished a Metasploit backdoor payload hidden on a USB drive, with a large grin on our faces.

Session three, we lost two people (it was Friday night), but again the class stayed glued to their seats and followed Bryce through various methods of Netcat-ing without Netcat, using Windows and Linux OS tools to emulate a relay. I never realised how helpful and user-friendly *nix systems could be compared to Windows for this task ;-) This really emphasised that it is creativity, not the tools, that differentiates the truly talented pen testers.
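For readers who have not built a relay before, the following is an added example of what a Netcat-style TCP relay actually does; it is not material from the course or from this post's author. The boot camp session above did this with native OS tools and no Netcat; this version is written in Python (assumed available on the pivot host, which is an assumption here, not something the post states) so the forwarding logic is explicit and can be run offline: a listener accepts a client, opens a second connection to the real target, and pumps bytes in both directions until one side closes. The echo server and the `demo_round_trip` helper are constructed purely to exercise the relay on loopback.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst.

    Half-closing (SHUT_WR) propagates the EOF to the far end without
    killing the opposite direction, which may still have data in flight.
    """
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client, target_host, target_port):
    """Bridge one accepted client socket to a fresh connection to the target."""
    target = socket.create_connection((target_host, target_port))
    forward = threading.Thread(target=_pump, args=(client, target), daemon=True)
    backward = threading.Thread(target=_pump, args=(target, client), daemon=True)
    forward.start()
    backward.start()
    return forward, backward


def start_relay(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and relay every client to the target.

    Returns (server_socket, bound_port); close the socket to stop accepting.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # server socket closed, stop the loop
            relay_connection(client, target_host, target_port)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _start_echo_server():
    """Constructed stand-in for the 'real target': echoes one client back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def demo_round_trip(payload):
    """Send payload through relay -> echo target and return what comes back."""
    target_port = _start_echo_server()
    relay_srv, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", target_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port)) as client:
            client.sendall(payload)
            return _recv_exact(client, len(payload))
    finally:
        relay_srv.close()


if __name__ == "__main__":
    print(demo_round_trip(b"hello through the pivot"))
```

On a real engagement the relay would listen on the pivot's reachable interface and point at a host only the pivot can see; the point of the class exercise was that the same accept/connect/pump loop can be assembled from whatever the OS already ships, so the absence of Netcat is no obstacle.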

504 and 560: Do They Overlap?

I would have to say the tools used may be the same as in 504, but the mindset, application and drive of the course are very, very different. That is where the value is. Mr Skoudis and team have done an excellent job of making the course stand up by itself while flowing on smoothly from the 504 course, should you take both.

In my opinion, 504 is about understanding the attackers and how to deal with them, with a brief foray into their world and tools. Focus is placed on incident response methodology and being the responder to events on the systems or network.

560 is starkly about being the attacker, albeit in an ethical manner, and using every possible tool, trick, technique and toehold to get in and grab the prize. Each attempt at getting into a system or network is documented, but it is about finding the weak points in the armour and exploiting them to get to the target.

Final Thoughts

The course was challenging and thought-provoking. It is easy to get cocky, thinking this stuff is simple when completing the classroom labs, but the day six challenge brings you firmly back to earth. For people pursuing a career in penetration testing, the course gives you a clear understanding of what you need to be able to do, think about and report on in this role. Too many times I have had poorly cleaned and all too generic Nessus scans handed over to companies I've worked for as part of their yearly audit. This helps set the bar for what should be expected and delivered.

For those of us who are not pen testers, the insights into what can happen if you let basic, simple standards drop or get forgotten become blindingly obvious. Use good passwords/passphrases, patch, and keep an eye on log files, and that would stop a great many of the possible inroads for testers or real attackers.

Oh and it’s great fun too.
