The Most Trusted Source for Information Security Training, Certification, and Research

INFORMATION SECURITY TRAINING
Miami 2018 | Jan 29 - Feb 3

Protect Your Business | Advance Your Career
Seven hands-on, immersion-style courses taught by real-world practitioners

See inside for courses offered in: Cyber Defense, Ethical Hacking, Penetration Testing, Digital Forensics, Security Management, ICS/SCADA Security

SAVE $400: Register and pay by Dec 6th. Use code EarlyBird18

www.sans.org/miami

“SANS training provides valuable, relevant information put into action with examples and exercises.” -Greg O’Brien, Lockheed Martin


Evening Bonus Sessions

Take advantage of these extra evening presentations and add more value to your training. Learn more on page 9.

KEYNOTE: Welcome Threat Hunters, Phishermen, and Other Liars – Rob Lee

Introducing DeepBlueCLI v2, Now Ported to Python and ELK – Eric Conrad

Adversary Simulations: Taking Attack Models and Penetration Testing to the Next Level – Jorge Orchilles

Real-World Incidents and Threats to Critical Infrastructure – Mark Bristow

InfoSec Rock Star: Geek Will Only Get You So Far – Ted Demopoulos

Register today for SANS Miami 2018! www.sans.org/miami-2018

@SANSInstitute Join the conversation: #SANSMiami

Miami 2018 | January 29 - February 3

SANS Instructors

SANS instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing in order to teach SANS courses, which guarantees what you learn in class will be up to date and relevant to your job. The SANS Miami 2018 lineup of instructors includes:

Mark Bristow, Instructor, @kodefupanda

Ronald Hamann, Instructor, @airforceteacher

Ted Demopoulos, Principal Instructor, @TedDemop

Eric Conrad, Senior Instructor, @eric_conrad

Robert Kirtley, Instructor, @RobertNKirtley

Jorge Orchilles, Instructor, @jorgeorchilles

Rob Lee, Faculty Fellow, @robtlee @sansforensics

Courses at a Glance

Save $400 when you register and pay by December 6th using code EarlyBird18

Course                                                                                  Days                   Page
SEC401  Security Essentials Bootcamp Style                                              Mon 1-29 to Sat 2-3    2
SEC504  Hacker Tools, Techniques, Exploits, and Incident Handling                       Mon 1-29 to Sat 2-3    3
SEC542  Web App Penetration Testing and Ethical Hacking                                 Mon 1-29 to Sat 2-3    4
SEC560  Network Penetration Testing and Ethical Hacking                                 Mon 1-29 to Sat 2-3    5
FOR500  Windows Forensic Analysis                                                       Mon 1-29 to Sat 2-3    6
MGT512  SANS Security Leadership Essentials for Managers with Knowledge Compression™    Mon 1-29 to Fri 2-2    7
ICS515  ICS Active Defense and Incident Response                                        Mon 1-29 to Fri 2-2    8

SEC401: Security Essentials Bootcamp Style

GSEC Certification: Security Essentials

www.giac.org/gsec

Six-Day Program Mon, Jan 29 - Sat, Feb 3 9:00am - 7:00pm (Days 1-5) 9:00am - 5:00pm (Day 6) 46 CPEs Laptop Required Instructor: Robert Kirtley

Who Should Attend

Security professionals who want to fill the gaps in their understanding of technical information security

Managers who want to understand information security beyond simple terminology and concepts

Operations personnel who do not have security as their primary job function but need an understanding of security to be effective

IT engineers and supervisors who need to know how to build a defensible network against attacks

Administrators responsible for building and maintaining systems that are being targeted by attackers

Forensic specialists, penetration testers, and auditors who need a solid foundation of security principles to be as effective as possible at their jobs

Anyone new to information security with some background in information systems and networking

This course will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques you can directly apply when you get back to work. You’ll learn tips and tricks from the experts so you can win the battle against the wide range of cyber adversaries who want to harm your environment.

STOP and ask yourself the following questions:

Do you fully understand why some organizations get compromised and others do not?

If there were compromised systems on your network, are you confident you would be able to find them?

Do you know the effectiveness of each security device and are you certain they are all configured correctly?

Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, SEC401 will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.

SEC401: Security Essentials Bootcamp Style teaches you the essential information security skills and techniques you need to protect and secure your organization’s critical information assets and business systems. Our course will show you how to prevent your organization’s security problems from being headline news in the Wall Street Journal!

Prevention Is Ideal but Detection Is a Must

With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization’s network depends on the effectiveness of the organization’s defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:

What is the risk?

Is it the highest priority risk?

What is the most cost-effective way to reduce the risk?

Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.

With this course: www.sans.edu | www.sans.org/ondemand | www.sans.org/8140

Robert Kirtley, SANS Instructor

Robert Kirtley has over 20 years of management consulting experience with a focus on providing strategy, operations, and technology infrastructure services in the areas of compliance, operations, information governance, and security. Robert has managed hundreds of client engagements, with teams ranging from two people to more than 100. Robert has focused his career on creating consulting practices that serve law firms and corporate legal clients. With Deloitte, he created the Strategic Legal Solutions practice to enable the firm to have a comprehensive practice focused on serving the needs of attorneys with a broad array of strategy, operations and technology services. With Duff & Phelps, Robert started and built the Legal Management Consulting practice with an emphasis on supporting corporate legal groups and law firm clients. Robert also created the Information Security, Governance and Computer Forensics practices for Kraft Kennedy, a law firm and legal department consulting firm. Robert is currently consulting on a range of information governance, information management, security and compliance issues with a range of corporate, government and law firm clients. @RobertNKirtley

“This course has given me a broader perspective across the fundamental domains of information security.” -CHRIS DREWS, 3M

Register at www.sans.org/miami-2018 | 301-654-SANS (7267) 2

For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/miami-2018/courses 3

“SEC504 fills in the gap of ‘here’s what adversaries do’ and the evidence they leave.” -KEVIN HEITHAUS, JPMORGAN CHASE

“SEC504 is engaging, informative, and mind-blowing. I’ve always known about the topics, but the discussion and labs helped cement the understanding.” -JASON KINDER, DRS TECHNOLOGIES

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

GCIH Certification: Incident Handler

www.giac.org/gcih

Six-Day Program Mon, Jan 29 - Sat, Feb 3 9:00am - 7:15pm (Day 1) 9:00am - 5:00pm (Days 2-6) 37 CPEs Laptop Required (If your laptop supports only wireless, please bring a USB Ethernet adapter.) Instructor: Ronald Hamann

Who Should Attend

Incident handlers

Leaders of incident handling teams

System administrators who are on the front lines defending their systems and responding to attacks

Other security personnel who are first responders when systems come under attack

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection and one or two disgruntled employees (and whose does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

“As someone who works in information security but has never had to do a full incident report, SEC504 taught me all the proper processes and steps.” -TODD CHORYAN, MOTOROLA SOLUTIONS

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge, insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to those attacks. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. This course will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

With this course: www.sans.edu | www.sans.org/ondemand | www.sans.org/cyber-guardian | www.sans.org/8140

Ronald Hamann, SANS Instructor

Ron is a retired U.S. Air Force officer and enlisted person with over 20 years of experience in information technology and information assurance, from software development and system administration to security analysis and security operations. Ron is currently a senior security analyst for Rackspace Managed Security in San Antonio, working in its Security Operations Center (SOC) hunting for attacker activity and responding to attacks daily. Ron has been a security instructor since 2010, sharing his experiences at multiple SOCs, both military and commercial, and various consulting clients including NASA and oil, gas, and construction companies. Ron teaches the three core classes for the GSE and the SANS Technology Institute Masters Program: SEC401, SEC503, and SEC504. When not thinking about attackers and defenses, Ron spends his time looking for yet another craft cider he hasn’t tried and apologizing to his dance partners. @airforceteacher


“As a non-penetration tester, I found SEC542 very informative and useful. The exercises proved invaluable to illustrating the topics.” -KEITH MCFARLAND, INTEL

“Every day of SEC542 gives you invaluable information from real-world testing you cannot find in a book.” -DAVID FAVA, THE BOEING COMPANY

SEC542: Web App Penetration Testing and Ethical Hacking

GWAPT Certification: Web Application Penetration Tester

www.giac.org/gwapt

Six-Day Program Mon, Jan 29 - Sat, Feb 3 9:00am - 5:00pm 36 CPEs Laptop Required Instructor: Eric Conrad

Who Should Attend

General security practitioners

Penetration testers

Ethical hackers

Web application developers

Website designers and architects

Web applications play a vital role in every modern organization. However, if your organization doesn’t properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

SEC542 helps students move beyond push-button scanning to professional, thorough, and high-value web application penetration testing. Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no “patch Tuesday” for custom web applications, and major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

SEC542 enables students to assess a web application’s security posture and convincingly demonstrate the impact of inadequate security that plagues most organizations. In this course, students will come to understand major web application flaws and their exploitation. Most importantly, they’ll learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organizations. Even technically gifted security geeks often struggle with helping organizations understand risk in terms relatable to business. Much of the art of penetration testing has less to do with learning how adversaries are breaking in than it does with convincing an organization to take the risk seriously and employ appropriate countermeasures. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. This course will help students demonstrate the true impact of web application flaws through exploitation.

In addition to high-quality course content, SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn. In addition to having more than 30 formal, hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range. This Capture-the-Flag event on the final day brings students into teams to apply their newly-acquired command of web application penetration testing techniques in a fun way that hammers home lessons learned.

With this course: www.sans.edu | www.sans.org/ondemand | www.sans.org/cyber-guardian

Eric Conrad, SANS Senior Instructor

Eric Conrad is lead author of the book The CISSP® Study Guide. Eric’s career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare. He is now president of Backshore Communications, a company focusing on intrusion detection, incident handling, information warfare, and penetration testing. He is a graduate of the SANS Technology Institute with a Master of Science Degree in Information Security Engineering. In addition to the CISSP®, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. Eric also blogs about information security at ericconrad.com. @eric_conrad


SEC560: Network Penetration Testing and Ethical Hacking

GPEN Certification: Penetration Tester

www.giac.org/gpen

Six-Day Program Mon, Jan 29 - Sat, Feb 3 9:00am - 7:15pm (Day 1) 9:00am - 5:00pm (Days 2-6) 37 CPEs Laptop Required Instructor: Jorge Orchilles

Who Should Attend

Security personnel whose jobs involve assessing networks and systems to find and remediate vulnerabilities

Penetration testers

Ethical hackers

Defenders who want to better understand offensive methodologies, tools, and techniques

Auditors who need to build deeper technical skills

Red and blue team members

Forensics specialists who want to better understand offensive tactics

As a cybersecurity professional, you have a unique responsibility to find and understand your organization’s vulnerabilities, and to work diligently to mitigate them before the bad guys pounce. Are you ready? SANS SEC560, our flagship course for penetration testing, fully arms you to address this task head-on.

SEC560 is the must-have course for every well-rounded security professional.

With comprehensive coverage of tools, techniques, and methodologies for network penetration testing, SEC560 truly prepares you to conduct high-value penetration testing projects step-by-step and end-to-end. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, and web app manipulation, with more than 30 detailed hands-on labs throughout. The course is chock-full of practical, real-world tips from some of the world’s best penetration testers to help you do your job safely, efficiently…and masterfully.

Learn the best ways to test your own systems before the bad guys attack.

SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test – and on the last day of the course you’ll do just that. After building your skills in comprehensive and challenging labs over five days, the course culminates with a final full-day, real-world penetration test scenario. You’ll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization, demonstrating the knowledge you’ve mastered in this course.

You will bring comprehensive penetration testing and ethical hacking know-how back to your organization.

You will learn how to perform detailed reconnaissance, studying a target’s infrastructure by mining blogs, search engines, social networking sites, and other Internet and intranet infrastructures. Our hands-on labs will equip you to scan target networks using best-of-breed tools. We won’t just cover run-of-the-mill options and configurations, we’ll also go over the lesser-known but super-useful capabilities of the best pen test toolsets available today. After scanning, you’ll learn dozens of methods for exploiting target systems to gain access and measure real business risk. You’ll dive deep into post-exploitation, password attacks, and web apps, pivoting through the target environment to model the attacks of real-world bad guys to emphasize the importance of defense in-depth.

With this course: www.sans.edu | www.sans.org/ondemand | www.sans.org/cyber-guardian

“I like that the labs in SEC560 provided clear, step-by-step guidance. The instructor’s level of knowledge and ability to relay information is fantastic.” -BRYAN BARNHART, INFILTRATION LABS

Jorge Orchilles, SANS Instructor

Jorge Orchilles, author of Microsoft Windows 7 Administrator’s Reference, holds a bachelor of business administration in management information systems from Florida International University. He leads the Advanced Penetration Testing & Vulnerability Assessment Quality Control teams at a large financial institution and serves on the board of the Information Systems Security Association South Florida Chapter. Jorge holds various certifications from ISC2, ISACA, SANS GIAC, EC-Council, Cisco, Microsoft, and CompTIA, including GXPN, CISSP, CISM, GPEN, GCIH, C|EH, CICP, CCDA, SSSE, CompTIA Security+ (2008), Microsoft Certified Professional (70-228, 70-282, 70-284) and Microsoft Certified Technology Specialist (70-620). Jorge speaks English, Spanish, and Portuguese in decreasing order of fluency. @jorgeorchilles


Rob Lee, SANS Faculty Fellow

Rob Lee is an entrepreneur and consultant in the Washington, DC area and currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 15 years’ experience in computer forensics, vulnerability and exploit development, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and earned his MBA from Georgetown University. He served in the U.S. Air Force as a member of the 609th Information Warfare Squadron (IWS), the first U.S. military operational unit focused on information warfare. Later, he was a member of the Air Force Office of Special Investigations (AFOSI), where he led crime investigations and an incident response team. Over the next seven years, he worked directly with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for vulnerability discovery and exploit development teams, lead for a cyber-forensics branch, and lead for a computer forensic and security software development team. Most recently, Rob was a director for MANDIANT, a commercial firm focusing on responding to advanced adversaries such as the APT. Rob co-authored the book Know Your Enemy, 2nd Edition. Rob is also co-author of the MANDIANT threat intelligence report “M-Trends: The Advanced Persistent Threat.” @robtlee & @sansforensics

“Rob’s teaching method is extremely engaging. He is very good at passing information to students in a way that is easily understandable.” -CHRIS JENNINGS, UK MOD

FOR500: Windows Forensic Analysis

GCFE Certification: Forensic Examiner

www.giac.org/gcfe

Six-Day Program Mon, Jan 29 - Sat, Feb 3 9:00am - 5:00pm 36 CPEs Laptop Required Instructor: Rob Lee

Who Should Attend

Information security professionals

Incident response team members

Law enforcement officers, federal agents, and detectives

Media exploitation analysts

Anyone interested in a deep understanding of Windows forensics

MASTER WINDOWS FORENSICS – YOU CAN’T PROTECT WHAT YOU DON’T KNOW ABOUT

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes, such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world’s best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and artifacts is a core component of information security. You’ll learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You’ll be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new, hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, cloud storage, SharePoint, Exchange, and Outlook). Students leave the course armed with the latest tools and techniques, prepared to investigate even the most complicated systems they might encounter. Nothing is left out – attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

Conduct an in-depth analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016

Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage

Focus your capabilities on analysis instead of on how to use a particular tool

Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

With this course: www.sans.edu | www.sans.org/ondemand


MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™

GSLC Certification: Security Leadership

www.giac.org/gslc

Five-Day Program Mon, Jan 29 - Fri, Feb 2 9:00am - 6:00pm (Days 1-4) 9:00am - 4:00pm (Day 5) 33 CPEs Laptop Recommended Instructor: Ted Demopoulos

Who Should Attend

All newly appointed information security officers

Technically skilled administrators who have recently been given leadership responsibilities

Seasoned managers who want to understand what their technical people are telling them

This completely updated course is designed to empower advancing managers who want to get up to speed quickly on information security issues and terminology. You won’t just learn about security, you will learn how to manage security. Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will gain the vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Publication 800 (series) guidance so that it can be particularly useful to U.S. government managers and supporting contractors.

Essential security topics covered in this management track include network fundamentals and applications, power, cooling and safety, architectural approaches to defense in-depth, cyber attacks, vulnerability assessment and management, security policies, contingency and continuity planning, awareness management, risk management analysis, incident handling, web application security, and offensive and defensive information warfare, culminating with our management practicum. The material uses Knowledge Compression,™ special charts, and other proprietary SANS techniques to help convey the key points of critical slides and keep the information flow rate at a pace senior executives demand every teaching hour of the course. The course has been evaluated and approved by CompTIA’s CAQC program for Security+ 2008 to ensure that managers and their direct reports have a common baseline for security terminology and concepts. You will be able to put what you learn into practice the day you get back into the office.

Knowledge Compression™

Maximize your learning potential!

Knowledge Compression™ is an optional add-on feature to a SANS class that aims to maximize the absorption and long-term retention of large amounts of data over a relatively short period of time. Through the use of specialized training materials, in-class reviews, examinations and test-taking instruction, Knowledge Compression™ ensures students have a solid understanding of the information presented to them. By attending classes that feature this advanced training product, you will experience some of the most intense and rewarding training programs SANS has to offer, in ways that you never thought possible!

www.sans.edu

“I have some very specific, achievable things I can do right away suggested by the course that will benefit my organization and me. That’s valuable training.” -WILLIAM E. WEYANDT, AMERICAN ORTHODONTICS

“MGT512 has excellent coverage of what matters for the leadership/management portion. Also, no B.S. – very concrete.” -HERVÉ LOTERIE, PROXIMUS

With this course: www.sans.edu | www.sans.org/ondemand | www.sans.org/8140

Ted Demopoulos SANS Principal InstructorTed Demopoulos’ first significant exposure to computers was in 1977 when he had unlimited access to his high school’s PDP-11 and hacked at it incessantly. He consequently almost flunked out, but learned he liked playing with computers a lot. His business pursuits began in college and have been continuous ever since. His background includes over 25 years of experience in information security and business, including 20+ years as an independent consultant. Ted helped start a successful information security company, was the CTO at a “textbook failure” of a software startup, and has advised several other businesses. Ted is a

frequent speaker at conferences and other events and is quoted often by the press. He also has written two books on social media, has an ongoing software concern in Austin, Texas in the virtualization space, and is the recipient of a Department of Defense Award of Excellence. In his spare time, he is also a food and wine geek, goes flyfishing, and enjoys playing with his children. @TedDemop


8 Register at www.sans.org/miami-2018 | 301-654-SANS (7267)

ICS515: ICS Active Defense and Incident Response

Five-Day Program | Mon, Jan 29 - Fri, Feb 2 | 9:00am - 5:00pm | 30 CPEs | Laptop Required | Instructor: Mark Bristow

Who Should Attend
• ICS incident response team leads and members
• ICS and operations technology security personnel
• IT security professionals
• Security Operations Center (SOC) team leads and analysts
• ICS red team and penetration testers
• Active defenders

ICS515: ICS Active Defense and Incident Response will help you deconstruct cyber attacks on industrial control systems (ICS), leverage an active defense to identify and counter threats, and use incident response procedures to maintain the safety and reliability of operations.

This course will empower students to understand their networked ICS environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats internal to the network is known as active defense. An active defense is the approach needed to counter advanced adversaries targeting ICS, as has been seen with malware such as Stuxnet, Havex, and BlackEnergy2. Students can expect to come out of this course with the ability to deconstruct targeted ICS attacks and fight these adversaries and others. The course uses a hands-on approach and real-world malware to break down cyber attacks on ICS from start to finish. Students will gain a practical and technical understanding of leveraging active defense concepts such as using threat intelligence, performing network security monitoring, and utilizing malware analysis and incident response to ensure the safety and reliability of operations. The strategy and technical skills presented in this course serve as a basis for ICS organizations looking to show that defense is do-able.

This course will prepare you to:
• Examine ICS networks and identify the assets and their data flows in order to understand the network baseline information needed to identify advanced threats
• Use active defense concepts such as threat intelligence consumption, network security monitoring, malware analysis, and incident response to safeguard the ICS
• Build your own Programmable Logic Controller using a CYBATIworks Kit and keep it after the class ends
• Gain hands-on experience with samples of Havex, BlackEnergy2, and Stuxnet through engaging labs while de-constructing these threats and others
• Leverage technical tools such as Shodan, Security Onion, TCPDump, NetworkMiner, Foremost, Wireshark, Snort, Bro, SGUIL, ELSA, Volatility, Redline, FTK Imager, PDF analyzers, malware sandboxes, and more
• Create indicators of compromise (IOCs) in OpenIOC and YARA while understanding sharing standards such as STIX and TAXII
• Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber Defense Cycle, and the ICS Cyber Kill Chain to extract information from threats and use it to encourage the long-term success of ICS network security


“This course had very good focus on the OT/ICS side and was integrated into the class, not like other courses I’ve taken where it is a general IT security course with the OT added as an afterthought.” -JOSH TANSKI, MORTON SALT

GRID Certification: Industrial Response and Defense

www.giac.org/grid

Mark Bristow, SANS Instructor
Mark Bristow was born to work in information security, as he found his first bug in an ICS system at the age of 10. As a teen he had a passion for technology and spent a lot of time exploring the possibilities on his computer. Once he realized he could make a career out of this passion, he jumped at the opportunity and earned a computer engineering degree from Penn State. Mark loves the ever-changing landscape of security and views it as a puzzle that must be solved. He especially loves the challenges in ICS security, as it means defending the systems where cyber meets physical in order to make them safe and effective.

Currently Mark is the Chief of ICS-CERT Incident Response at the U.S. Department of Homeland Security, where he leverages his expertise in incident response, industrial control systems, network monitoring and defense to support national security interests. In Mark’s 12-year security career he has also worked for SRA and Securicon, where he supported a variety of private and public sector clients. Mark’s experience has led him to the path of sharing his knowledge and helping others learn to protect critical infrastructure. He loves teaching not only to help others, but also because he learns something from his students in every class. Mark shares his real-world experiences with students so they can relate the information to scenarios in the field. When Mark isn’t defending ICS systems, he enjoys spending time with his family and scuba diving. @kodefupanda


For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/miami-2018/courses 9

Bonus Sessions
Enrich your SANS training experience! Evening talks by our instructors and selected subject-matter experts help you broaden your knowledge, hear from the voices that matter in computer security, and get the most for your training dollar.

KEYNOTE: Welcome Threat Hunters, Phishermen, and Other Liars
Rob Lee
Over the past few years, a new term has continually popped up in the IT Security community: “threat hunting.” While the term seems like it is new, it is in fact the reason all of us joined IT Security in the first place. We “find evil.” While I was at Mandiant and in the U.S. Air Force, “finding evil” was our tagline when we were on engagements. The concept and root idea of threat hunting is nothing new. When I first started in IT Security back in the late 1990s, my job was to find threats in the network. This led to automated defenses such as Intrusion Detection Systems, monitoring egress points, logging technology, and monitoring the defensive perimeter, hoping nothing would get in. Today, while the community is trying to identify intrusions, threat hunting has evolved to be something a bit more than the loose definition of finding evil, primarily due to the massive amount of incident response data currently collected about our attackers. These data have evolved into Cyber Threat Intelligence (CTI). It is hard to simply go find evil, but if armed with a bit of CTI in the mix – or essentially what you might be looking for, or what your adversaries are likely interested in – it makes the hunt more targeted. These indicators are used to great effect when employed properly and proactively against a threat group. Threat hunting has improved the accuracy of threat detection because we can focus our searching on the adversaries exploiting our networks – humans hunting humans. Even with knowing where to look, tools are now being introduced to help make hunting more practical across an enterprise. This talk outlines what exactly “threat hunting” means and will step you through how it works.

Introducing DeepBlueCLI v2, Now Ported to Python and ELK
Eric Conrad
Recent malware attacks leverage PowerShell for post-exploitation. Why? Because there is no EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging. Event logs continue to be the best source to centrally hunt malice in a Windows environment. Virtually all malware may be detected (including the latest PowerShell-fueled post-exploitation) via event logs, after making small tweaks to the logging configuration. DeepBlueCLI will go toe-to-toe with the latest attacks; this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.

Adversary Simulations: Taking Attack Models and Penetration Testing to the Next Level
Jorge Orchilles
It is extremely rare that a single vulnerability causes a critical, direct risk to your entire environment. In reality, it is what the attacker does with the access gained that matters most. In this presentation, we will talk about maturing our attack models to gain enough intelligence to simulate the tactics, techniques, and procedures of the adversary against our entire environment. Attackers do not limit themselves to one application; instead they look at your organization holistically to formulate an attack that achieves their objectives. We will discuss an adversary simulation framework and share a case study of it in action.

Real-World Incidents and Threats to Critical Infrastructure
Mark Bristow
In this presentation, Mark Bristow will share his experiences from the field conducting incident response in ICS/SCADA environments. Mark has a unique perspective on some of the headline incidents we’ve all read about, including BlackEnergy, Havex, Crash Override and the Ukrainian Cyber Attacks.

InfoSec Rock Star: Geek Will Only Get You So Far
Ted Demopoulos
This presentation is based on the recently published book of the same title. Some of us are so effective, and well known, that the term “Rock Stars” is entirely accurate. What kind of skills do Rock Stars have and wannabe Rock Stars need to develop? Although we personally may never be swamped by groupies, we can learn the skills to be more effective, well respected, and well paid. Obviously it’s not just about technology; in fact most of us are very good at the technology part. And although the myth of the Geek with zero social skills is just that – a myth – the fact is that increasing our skills more on the social and business side will make most of us more effective at what we do than learning how to read hex better while standing on our heads, becoming “One with Metasploit,” or understanding the latest hot technologies.

SANS Training Formats
Whether you choose to attend a training class live or online, the entire SANS team is dedicated to ensuring your training experience exceeds expectations.

Live Classroom Instruction

Premier Training Events
Our most recommended format, live SANS training events feature SANS’s top instructors teaching multiple courses at a single time and location. This allows for:
• Focused, immersive learning without the distractions of your office environment
• Direct access to SANS Certified Instructors
• Interacting with and learning from other professionals
• Attending SANS@Night events, NetWars tournaments, vendor presentations, industry receptions, and many other activities
Our premier live training events in North America, serving thousands of students, are held in Orlando, Washington DC, Las Vegas, New Orleans, and San Diego. Regional events with hundreds of students are held in most major metropolitan areas during the year. See page 12 for upcoming training events in North America.

Summits
SANS Summits focus one or two days on a single topic of particular interest to the community. Speakers and talks are curated to ensure the greatest applicability to participants.

Community SANS Courses
The same SANS courses, courseware, and labs are taught by up-and-coming instructors in a regional area. Smaller classes allow for more extensive instructor interaction. No need to travel; commute each day to a nearby location.

Private Classes
Bring a SANS Certified Instructor to your location to train a group of your employees in your own environment. Save on travel and address sensitive issues or security concerns in your own environment.

Online Training
SANS Online successfully delivers the same measured learning outcomes to students at a distance that we deliver live in classrooms. More than 30 courses are available for you to take whenever or wherever you want. Thousands of students take our courses online and achieve certifications each year.

Top reasons to take SANS courses online:
• Learn at your own pace, over four months
• Spend extra time on complex topics
• Repeat labs to ensure proficiency with skills
• Save on travel costs
• Study at home or in your office

Our SANS OnDemand, vLive, Simulcast, and SelfStudy formats are backed by nearly 100 professionals who ensure we deliver the same quality instruction online (including support) as we do at live training events.

“The decision to take five days away from the office is never easy, but so rarely have I come to the end of a course and had no regret whatsoever. This was one of the most useful weeks of my professional life.” -Dan Trueman, Novae PLC

“I am thoroughly pleased with the OnDemand modality. From a learning standpoint, I lose nothing. In fact, the advantage of setting my own pace with respect to balancing work, family, and training is significant, not to mention the ability to review anything that I might have missed the first time.” -Kevin E., U.S. Army

11

12

Future Training Events
Event | Location | Dates
Miami | Miami, FL | Nov 6-11
San Francisco Winter | San Francisco, CA | Nov 27 - Dec 2
Austin Winter | Austin, TX | Dec 4-9
Cyber Defense Initiative | Washington, DC | Dec 12-19
Security East | New Orleans, LA | Jan 8-13, 2018
Northern VA Winter | Reston, VA | Jan 15-20
Las Vegas | Las Vegas, NV | Jan 28 - Feb 2
Miami | Miami, FL | Jan 29 - Feb 3
Scottsdale | Scottsdale, AZ | Feb 5-10
Anaheim | Anaheim, CA | Feb 12-17
Dallas | Dallas, TX | Feb 19-24
New York City Winter | New York, NY | Feb 26 - Mar 3
San Francisco Spring | San Francisco, CA | Mar 12-17
Northern VA Spring – Tysons | McLean, VA | Mar 17-24
Pen Test Austin | Austin, TX | Mar 19-24
Boston Spring | Boston, MA | Mar 25-30
SANS 2018 | Orlando, FL | Apr 3-10
Baltimore Spring | Baltimore, MD | Apr 21-28
Security West | San Diego, CA | May 11-16

Future Summit Events
Summit | Location | Dates
Pen Test HackFest | Bethesda, MD | Nov 13-20
SIEM & Tactical Analytics | Scottsdale, AZ | Nov 28 - Dec 5
Cyber Threat Intelligence | Bethesda, MD | Jan 29 - Feb 5, 2018
Cloud Security | San Diego, CA | Feb 19-26
ICS Security | Orlando, FL | Mar 19-26
Blue Team | Louisville, KY | Apr 23-30
Automotive Cybersecurity | Chicago, IL | May 1-8

Future Community SANS Events
Local, single-course events are also offered throughout the year via SANS Community. Visit www.sans.org/community for up-to-date Community course information.

Registration Information
Register online at www.sans.org/miami-2018

We recommend you register early to ensure you get your first choice of courses. Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Cancellation & Access Policy
If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by January 10, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

SANS Voucher Program
Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers 13

Pay Early and Save*

Pay & enter code by (date) | Discount
12-6-17 | $400.00
12-27-17 | $200.00

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird18 when registering early

Top 5 reasons to stay at the Hyatt Regency Coral Gables
1. All SANS attendees receive complimentary high-speed Internet when booking in the SANS block.
2. No need to factor in daily cab fees and the time associated with travel to alternate hotels.
3. By staying at the Hyatt Regency Coral Gables, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.
4. SANS schedules morning and evening events at the Hyatt Regency Coral Gables that you won’t want to miss!
5. Everything is in one convenient location!

Hotel Information

Leave the ordinary behind and escape to the Hyatt Regency Coral Gables. A Mediterranean-style resort designed to replicate the Alhambra Palace in Spain, the TAG approved Coral Gables hotel near Miami Beach exudes grace and elegance while offering premium amenities and hospitality that comes straight from the heart. The hotel is only two blocks from Coral Gables’ Miracle Mile and minutes from Miami Beach.

Special Hotel Rates Available
A special discounted rate of $245.00 S/D will be honored based on space availability. Government per diem rooms are available with proper ID; you will need to call reservations and ask for the SANS government rate. These rates include high-speed Internet in your room and are only available through January 5, 2018.

Hyatt Regency Coral Gables
50 Alhambra Plaza
Coral Gables, FL 33134
305-441-1234
www.sans.org/event/miami-2018/location

Create a SANS Account today to enjoy these free resources at sans.org/account

Newsletters
NewsBites: Twice-weekly, high-level executive summaries of the most important news relevant to cybersecurity professionals.

OUCH!: The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert: A reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) how recent attacks worked, and (4) other valuable data.

Webcasts
Ask the Experts Webcasts: SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts: A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our whitepapers and surveys.

WhatWorks Webcasts: The SANS WhatWorks webcasts bring powerful customer experiences showing how end users resolved specific IT security issues.

Tool Talks
Tool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

Other Free Resources
• InfoSec Reading Room
• Top 25 Software Errors
• 20 Critical Controls
• Security Policies
• Intrusion Detection FAQs
• Tip of the Day
• Security Posters
• Thought Leaders
• 20 Coolest Careers
• Security Glossary
• SCORE (Security Consensus Operational Readiness Evaluation)

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

To be removed from future mailings, please contact [email protected] or (301) 654-SANS (7267). Please include name and complete address. NALT-BRO-Vegas-2018

Save $400 when you pay for any 4-, 5-, or 6-day course and enter the code “EarlyBird18” by December 6th. www.sans.org/las-vegas

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, the SANS Institute is proud to be a Corporate Member of the AFCEA community.