sans.org/sec699
Discover how to take this course: Online, In-Person

SEC699: Advanced Purple Teaming – Adversary Emulation & Detection Engineering

This cutting-edge purple team training immerses participants in the world of adversary emulation to fortify defenses against data breaches. Delving into the realm of real-life threat actors, students undergo hands-on experiences within a dynamic enterprise setting, mastering the art of detecting and emulating adversarial techniques.

Sixty percent of class time is spent on labs, and class activities include:
• A course section on typical automation strategies such as Ansible, Docker, and Terraform, which can be used to deploy a multi-domain enterprise environment for adversary emulation at the press of a button
• Building a proper process, as well as tooling and planning, for purple teaming
• Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla, using tools such as Covenant and Caldera to execute the plans
• In-depth techniques such as Kerberos delegation attacks, Attack Surface Reduction/AppLocker bypasses, EDR bypasses, AMSI, process injection, and COM object hijacking
• Detection engineering and telemetry review to detect the above techniques
• A dynamic capstone where your adversary emulation skills are put to the test

SEC699 is a natural follow-up to SEC599. Course authors Erik Van Buggenhout (lead author of SEC599) and Jean-Francois Maes (lead author of SEC565) are both certified GIAC Security Experts as well as experienced practitioners with a deep understanding of how cyber attacks work through both red and blue team activities. In SEC699, they combine these skill sets to teach students adversary emulation methods for data breach prevention and detection.

The SEC699 journey is structured as follows:
• In Section 1, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we’ll be using and learn how to further extend existing tools.
• Sections 2–4 will be heavily hands-on, covering a number of advanced techniques and their defenses (focused on detection strategies). Section 2 focuses on initial-access techniques, Section 3 covers lateral movement and privilege escalation, while Section 4 deals with persistence.
• Finally, in Section 5, we will build an emulation plan for a variety of threat actors. These emulation plans will be executed both manually using popular C2 frameworks and automatically using Breach Attack Simulation tools.

Author Statement

After the success of SEC599, I’m very excited to unleash this course offering upon the SANS audience! SEC699 is an amazing course that came about because we listened to student requests for a hands-on adversary emulation class leveraging an enterprise lab environment. This is it! SEC699 attendees will learn advanced red and blue team techniques for proper purple teaming in an enterprise environment. Throughout the week we do not just focus on explaining tips and tricks, but also empower students to build and adapt their own tooling for proper adversary emulation. This includes, for example, custom Caldera, SIGMA and Velociraptor development. The SEC699 lab environment is fully built using Terraform playbooks and covers multiple domains and forests that can be attacked! Students spin up the lab environment in their own AWS account and can thus keep on practicing months (and years) after they took the class!

—Erik Van Buggenhout

Business Takeaways
• Build realistic adversary emulation plans to better protect your organization
• Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
• Build SIGMA rules to detect advanced adversary techniques

Prerequisites
• This is a fast-paced, advanced course that requires a strong desire to learn advanced red and blue team techniques. The following SANS courses are recommended either prior to or as a companion to taking this course: SEC599 and SEC560.
• Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts.
• You should also be well versed in the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required. Please contact the author at [email protected] if you have any questions or concerns about the prerequisites.

5 Day Program
36 CPEs
Laptop Required

“I’ve been in this field a long time, and I’ve learned something new from each segment of SEC699. That’s not something I’m used to at this point in my career.” — Taya Steere, Lyft