By Adrian | January 3, 2023

I’ve been fortunate in that my workplace has sponsored me to take the SANS SEC504 - Hacker Tools, Techniques and Incident Handling as a 4 month on-demand course.

This is the second SANS course that I have been fortunate enough to attend. The first one was the SEC511 - Continous Security Monitoring back in 2016, which was done on-site over 6 days. I have to say that with the amount of content thats jammed into these courses, I found that on-site was a struggle for me. Its a full on 6 days trying to absorb all that content nevermind trying to take notes and properly retain the new found knowledge. It was literally as SANS says…. like drinking from the firehose.

For this OnDemand course theres a lot of resources available that should accomodate your learning style.

  • You get a set of reference books. 1 for each day, 1 for the CTF Event, plus 2 for the Labs
  • 4 Months access to pre-recorded Instrutor led video training
  • Password protected / watermaked copy of the books
  • Audio recordings for the entire course
  • A very generous time limited VMWare Workstation license
  • A 47Gb ISO file containing 2 Lab VM’s, Video Walkthroughs of the labs, Bonus Content, Visual Association Maps
  • Access to SME’s online

The OnDemand course let me work at my pace, and with 4 months to complete the course before you lose access to the instrutor videos, theres plenty of time to get through it….. twice… with note taking, providing you can give it the time. You will always have the books and audio as a reference afterwards as well.

On the flip side, attending in person has a sense of community, learning with others in the classroom environment. You get to speak and interact with people, share stories over a catered lunch, ask many more questions and perhaps squeeze a little extra knowledge or another in the trenches story from the instructor.

If you go down this OnDemand path, I would encourage you to speak with your boss to lock away some time each week to complete this course. I was dedicating about 15-20 hours a week this, completing some during work hours and the majority during my own free time.

In terms of the way that I tackled this course, For each page, I would read the course notes from the book, write my notes, then watch the video about that slide/page, pausing and rewinding as necessary if I wanted to make some more notes. If the section had a lab, I would then complete the lab, writing out the steps, I also completed each “Bonus/Homework” lab and then followed it up by watching the walkthough video.

In total there are 30 labs not including the CTF Event (+1 lab about using the Anki flashcarding tool). Personally I felt that the Anki flashcarding tool should have been introduced much earlier in the course, as it will be super useful as a retention tool. A lot of the labs utilise docker environments allowing you to play with the tools in a safe and controlled environment.

I was also activley indexing the tools and MITRE techniques as they came up (the tool list is provided as bonus content). I found that some of the MITRE references were outdated/legacy and there were lots of missed opportunities to mention the specific tactics in the content after I mapped them all out. It would be difficult to keep up given that TTP’s are always evolving. Whilst I think I got most of the MITRE references, I know theres bound to be some that I’ve missed (I have a feeling I missed at least one about a DNS Exfil tool, as its something that was labbed about), and I tried to only map techniques that were seen as part of the course. For instance, tools like Metaspolit cover a very wide range across the matrix, but this course only scratched the surface of Metasploit’s full capabilities.

Download SANS_SEC504.json

Due to all the documentation I was doing, it meant that any given section took at least 5x longer than the video length to complete. Definitly the long and slow approach! (but hey - time was on my side, and I was happy to slowly grind through it all).

I was also listening to the Audio MP3 files at a day behind where I was at in the book. For instance, when I was working on the Book 2 content, I was listening to Day 1 audio. These MP3’s now sit in rotation for when im driving around to try and keep the content in my mind.

After I completed the main books (Days 1 - 5), I just straight rewatched the video content for a second pass. Finally I completed the Day 6 CTF event. With time to spare in my subscription, I will probably watch them all over again.

The SEC504 CTF was more forgiving that the SEC511 one. You had the chance to take multiple free hints without scoreboard punishment, and while I tried to avoid taking the hints, there were times where I was totally over thinking what needed to be done in order to answer the question. There were other times that while I kind of knew what tool I should be using, the hint gave me a confirmation I was working in the right direction.

This CTF took me the better part of a full day to complete. I guess if your working in teams of 4 (like you do for the on-site training) you would divide and conquer, in order to get it done in the allotted morning on day 6.

I found that with this course you get a taste of other cyber security areas as well. Whilst this course was the majority of red team tools, and how to defend against them as a blue teamer, you do touch on areas like forensics, reverese engineering, OSINT, cloud and monitoring, which surprise, surprise SANS also has courses for. Felt like a bit of a teaser ;-)

Overall, this is an excellent course. Its helped me formalise some of the tools and techniques I may have heard, seen or touched in the past. The labs just work, the instuctor is clear, the stories are interesting and you have a set of reference materials until the TTPs age out. I had a chuckle at one story where the Josh was saying he liked filling in subscription paper cards with JavaScript to see how poorly input validation is done.

Would I recommend this course? That’s a more difficult question to answer. If your workplace is sponsoring it, absolutley. If you’re paying out of your own pocket, consideration to the cost is required. A lot of the content is based on open source tools which you could research yourself.

I am in the process of checking out some other training from TCM Security that I was able to pickup a bargain on during a recent sale. It’s much more affordable and hope to do a write up on it as well. In the meantime. Never stop learning.