SEC501: Advanced Security Essentials – Enterprise Defender

Provided by SANS
GCED Certification
Qualification level
GCED Certification
Study type
View Website
View Website

About the course

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more preventive and detective measures, completing the security lifecycle.


You Will Learn

  • How to build a comprehensive security program focused on preventing, detecting, and responding to attacks
  • Core components of building a defensible network infrastructure and how to properly secure routers, switches, and network infrastructure
  • Methods to detect advanced attacks on systems that are currently compromised
  • Formal methods for performing a penetration test to find weaknesses in an organization's security apparatus
  • How to respond to an incident using the six-step process of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
  • Approaches to analyzing malware, ranging from fully automated analysis to static properties analysis, behavioral analysis, and code analysis


Course Syllabus

SEC501.1: Defensive Network Architecture


Section 1 will focus on security in the design and configuration of various enterprise infrastructures. From a security perspective, proper design and configuration protects both the components being configured, as well as the rest of the organization that depends on that gear to defend other components from attacks. In other words, a good house needs a good foundation!

We'll discuss published security benchmarks, vendor guidance for securing various products, and regulatory requirements and how they impact defending infrastructure against specific attacks. To illustrate these points, we'll be looking in detail at securing and defending a router infrastructure against a number of device- and network-based attacks.

In addition, we'll cover securing Windows and Active Directory against specific attacks. Securing Private and Public Cloud Infrastructure against common attacks will also be discussed, and Active Defense approaches will be covered in some detail.


  • Attack and Defense of Router Architectures
  • Secure Configuration and Audit of Network Architectures
  • Defenses against Attacks Mounted on Authentication Interfaces
  • Defending and Attacking Critical Protocols
  • Logging as a Critical Component of Defense
  • Man-in-the-Middle Attacks and Defenses
  • Active Defense:
    • Honeypots/Honeyports
    • Honey Documents from Both the Attacker and Defender Perspective

CPE/CMU Credits: 8


  • Security Benchmarks, Standards, and the Role of Audit in Defending Infrastructure
  • Defense Using Authentication and Authorization, and Defending Those Services
  • The Use of Logging and Security Information and Event Management (SIEM) in Defending an Organization from Attack
  • Attacking and Defending Critical Protocols
  • Several Man-in-the-Middle Attack Methods, and Defenses against Each
  • Infrastructure Defense Using IPS, Next-Generation Firewalls, and Web Application Firewalls
  • Defense of Critical Servers and Services
  • Active Defense
  • Defense of Private and Public Cloud Architectures

SEC501.2: Penetration Testing


Security is all about understanding, mitigating, and controlling the risk to an organization's critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise the environment. On day two, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration tests to better understand the security posture for network services, operating systems, and applications. In addition, we'll talk about social engineering and reconnaissance activities to better emulate increasingly prevalent threats to users.

Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about scoping and planning their test projects, performing external and internal network penetration testing, web application testing, and pivoting through the environment like real-world attackers.

Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the organization's overall security.


  • Scanning and Enumeration Fundamentals
  • More Scanning and Enumeration Options
  • Vulnerability Scanning with OpenVAS
  • Exploitation + Metasploit Basics
  • Basic Web App Scans and Attacks
  • Metasploit and Pivoting

CPE/CMU Credits: 6


  • Introduction to Penetration Testing Concepts
  • Penetration Testing Scoping and Rules of Engagement
  • Online Reconnaissance and Offensive Counterintelligence
  • Social Engineering
  • Network Mapping and Scanning Techniques
  • Enterprise Vulnerability Scanning
  • Network Exploitation Tools and Techniques
  • Web Application Exploitation Tools and Techniques
  • Post-Exploitation and Pivoting
  • OS and Application Exploit Mitigations
  • Reporting and Debriefing

SEC501.3: Network Detection and Packet Analysis


"Prevention is ideal, but detection is a must" is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack is not successfully prevented, network security professionals need to analyze network traffic to discover attacks in progress, ideally stopping them before significant damage is done. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.

Because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are more stealthy and difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst capable of differentiating between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write intrusion detection rules that detect the latest attacks before they compromise a network environment.

Traffic analysis and intrusion detection used to be treated as a separate discipline within many organizations. Today, prevention, detection, and response must be closely knit, so that once an attack is detected, defensive measures can be adapted and proactive forensics implemented, and the organization can to continue to operate. This course section will start with a brief introduction to network security monitoring, followed by a refresher on network protocols with an emphasis on fields to look for as security professionals. We'll use tools like TCPdump and Wireshark to analyze packet traces and look for indicators of attacks. We'll use a variety of detection and analysis tools, craft packets with Scapy to test detection, and touch on network forensics and the Security Onion monitoring distribution. Students will also explore Snort as a network Intrusion Detection System, and examine rule signatures in-depth.


  • Analyzing PCAPs with TCPdump
  • Attack Analysis with Wireshark
  • Crafting Packets to Test Network Monitoring
  • Network Forensics with Security Onion: Detecting Malicious Activity
  • Extracting PCAP Content for Forensics
  • Snort Basics
  • Wireshark Network Compromise Analysis

CPE/CMU Credits: 6


  • Network Security Monitoring
  • IP, TCP, and UDP Refresher
  • Advanced Packet Analysis
  • Introduction to Network Forensics with Security Onion
  • Identifying Malicious Content and Streams
  • Extracting and Repairing Content from PCAP files
  • Traffic Visualization Tools
  • Intrusion Detection and Intrusion Prevention
    • Snort In-Depth
    • Writing Snort Signatures
  • Handling Encrypted Network Traffic

SEC501.4: Digital Forensics and Incident Response


"Bad guy elimination" is the core mission for Digital Forensics and Incident Response (DFIR) professionals. Incidents happen, and organizations rely on these professional responders to find, scope, contain, and remediate evil from their networks. Investigators employ DFIR practices to determine what happened. DFIR teams conduct investigations to find evidence of compromise, remediate the environment, and provide data to generate local threat intelligence for operations teams in order to continuously improve detection. While traditionally seen as a finite process, incident response is now viewed as ongoing, with DFIR professionals searching for evidence of an attacker that has existed in the environment without detection by applying new threat intelligence to existing evidence - the crux of the concept of "threat hunting."

In this section, you will learn the core concepts of both "Digital Forensics" and "Incident Response." We'll explore some of the hundreds of artifacts that can give forensic investigators specific insight about what occurred during an incident. You will also learn how incident response currently operates, after years of evolving, in order to address the dynamic procedures used by attackers to conduct their operations. We'll look at how to integrate DFIR practices into a continuous security operations program.

We'll cover the general guidelines for a cyclical, six-step incident response process. Each step will be examined in detail, including practical examples of how to apply it. Lastly, you'll learn the artifacts that can best be used to determine the extent of suspicious activity within a given environment and how to migrate techniques to a large data set for enterprise-level analysis.


  • Data Recovery with FTK Imager and Photorec
  • Ransomware Timeline Analysis
  • Ransomware Network Analysis

CPE/CMU Credits: 6


  • DFIR Core Concepts: Digital Forensics
    • Definitions and Use Cases/Mission Areas
    • Performing Forensically Sound Analysis
    • Forensic Artifacts in the Windows Environment
    • Digital Forensics Tools
  • DFIR Core Concepts: Incident Response
    • Definitions and Use Cases
    • Generating and Using Threat Intelligence for Incident Response
    • DFIR Sub-disciplines: Endpoint, Network, Threat Intelligence, Reverse Engineering
    • Incident Response Tools
  • Modern DFIR: A Live and Continuous Process
    • Definitions and Use Cases
    • Six-Step Process Guidelines: Preparation, Identification/Scoping, Containment/Intelligence Development, Eradication/Remediation, Recovery, Follow-up/Lessons Learned
  • Widening the Net: Scaling the DFIR Process and Scoping a Compromise
    • Definitions and Use Cases
    • Generation and Consumption of Threat Intelligence
    • Examples of Artifacts to Support Scoping
    • Scoping as a Continuous Component of Modern Incidence Response
    • Scoping and Scaling Tools

SEC501.5: Malware Analysis


Malicious software is responsible for many incidents in almost every type of organization. Types of Malware vary widely, from Ransomware and Rootkits to Crypto Currency Miners and Worms. We will define each of the most popular types of malware and walk through multiple examples. The four primary phases of malware analysis will be covered: Fully Automated Analysis, Static Properties Analysis, Interactive Behavior Analysis, and Manual Code Reversing. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis. You will get hands-on experience with tricking the malware through behavioral analysis techniques, as well as decrypting files encrypted by Ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.


  • Static Properties Analysis of Ransomware
    • Using Linux Tools such as File, Strings, clamscan, pescan, and VirusTotal
    • Using Windows Tools such as PeStudio and strings2
  • Interactive Behavior Analysis of Ransomware - Part I
    • Use Process Monitor to Monitor File System, Network, Process Activity, and Registry Access
    • Use Process Hacker to Examine Process Behavior and Memory
  • Interactive Behavior Analysis of Ransomware - Part II
    • Perform Advanced Behavioral Analysis against the Ransomware Specimen
    • Trick the Ransomware into Thinking It Is Able to Reach Online Resources
    • Utilize the Burp Proxy Tool to Modify Data to and from the Ransomware
    • Convince the Ransomware that Payment Was Made to Recover All Files
  • Manual Code Reversing of Ransomware
    • Perform Code Analysis of the Ransomware
    • Perform Deobfuscation for Further Analysis and Crypto Key Recovery
    • Utilize PowerShell to Interact with the .NET Framework and Decrypt Files

CPE/CMU Credits: 6


  • Introduction to Malware Analysis
  • The Many Types of Malware
  • ATM/Cash Machine Malware
  • Building a Lab Environment for Malware Analysis
  • Malware Locations and Footprints
  • Fully Automated Malware
  • Cuckoo Sandbox
  • Static Properties Analysis
  • Interactive Behavior Analysis
  • Manual Code Reversing
  • Tools such as IDA, PeStudio, ILSpy, Process Hacker, Process Monitor, NoFuserEx, etc.

SEC501.6: Enterprise Defender Capstone


The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they submit flags to score points. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, routing protocols, scanning, malware analysis, and other challenges related to the course material.

CPE/CMU Credits: 6

Who Should Attend

  • Incident responders and penetration testers
  • Security Operations Center engineers and analysts
  • Network security professionals
  • Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions


While not required, it is recommended that students take SANS's SEC401: Security Essentials course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.

What You Will Receive

In this course, you will receive the following:

  • MP3 audio files of the complete course lecture
  • USB with the following virtual machines:
    • 64-bit Kali Linux
    • 64-bit Windows 10 Enterprise
    • Metasploitable
    • Security Onion
    • Cisco CSR 1000V

You Will Be Able To

  • Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks
  • Access tools that can be used to analyze a network to prevent attacks and detect the adversary
  • Decode and analyze packets using various tools to identify anomalies and improve network defenses
  • Understand how the adversary compromises systems and how to respond to attacks
  • Perform penetration testing against an organization to determine vulnerabilities and points of compromise
  • Apply the six-step incident handling process
  • Use various tools to identify and remediate malware across your organization
  • Create a data classification program and deploy data-loss-prevention solutions at both a host and network level

Hands-on Training

In SEC501 course labs, students will:

  • Analyze network configurations for routers and build a defensible network architecture
  • Perform detailed analysis of traffic using various sniffers and protocol analyzers
  • Identify and track attacks and anomalies in network packets
  • Use various tools to perform vulnerability scanning, penetration testing, and network discovery
  • Analyze both Windows and Unix systems during an incident to identify signs of a compromise
  • Find, identify, and clean up various types of malware, such as Ransomware


Contact the course provider: