Provided by SANS

About the course

SEC530: Defensible Security Architecture is designed to help students build and maintain a truly defensible security architecture. "The perimeter is dead" is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in new a world of "de-perimeterization" where the old boundaries of "inside" and "outside" or "trusted" and "untrusted" no longer apply.

This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the "encrypt everything" mindset for devices such as Network Intrusion Detection Systems?

In this course, students will learn the fundamentals of up-to-date defensible security architecture. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to better prevent the threat landscape they face today. The course will also suggest newer technologies that will aid in building a robust security infrastructure.

While this is not a monitoring course, this course will dovetail nicely with continuous security monitoring, ensuring that security architecture not only supports prevention, but also provides the critical logs that can be fed into a Security Information and Event Management (SIEM) system in a Security Operations Center.

Hands-on labs will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

Course Syllabus

SEC530.1: Defensible Security Architecture

Overview

This first section of the course describes hardening systems and networks at every layer, from layer one (physical) to layer seven (applications and data). To quote Richard Bejtlich's The Tao of Network Security Monitoring, defensible networks "encourage, rather than frustrate, digital self-defense."

The section begins with an overview of traditional network and security architectures and their common weaknesses. The defensible security mindset is "build it once, build it right." All networks must perform their operational functions effectively, and security can be complementary to this goal. It is much more efficient to bake security in at the outset than to retrofit it later.

The discussion will then turn to layer one (physical) and layer two (data link) best practices, including many "ripped from the headlines" tips the co-authors have successfully deployed in the trenches to harden the infrastructure in order to prevent and detect modern attacks. Examples include the use of private VLANs, which effectively kills the malicious client-to-client pivot, and 802.1X and NAC, which mitigate rogue devices. Specific Cisco IOS syntax examples are provided to harden switches.

CPE/CMU Credits: 6

Topics

• Traditional Security Architecture Deficiencies
  • Emphasis on Perimeter/Exploitation
  • Lack of a True Perimeter ("De-perimeterization" as a Result of Cloud/Mobile)
  • The Internet of Things
  • Predominantly Network-centric
• Defensible Security Architecture
  • Mindset
    • Presumption of Compromise
    • De-perimeterization
    • Predominantly Network-centric
  • Models
    • Zero Trust Model (Kindervag - Forrester)
    • Intrusion Kill Chain
    • Diamond Model of Intrusion Analysis
  • Software-defined Networking and Virtual Networking
  • Micro-Segmentation
• Threat, Vulnerability, and Data Flow Analysis
  • Threat Vector Analysis
    • Data Ingress Mapping
  • Data Exfiltration Analysis
    • Data Egress Mapping
  • Detection Dominant Design
  • Attack Surface Analysis
  • Visibility Analysis
• Layer 1 Best Practices
  • Cabling Best Practices
  • Network Closets
  • Penetration Testing Dropboxes
  • USB Keyboard Attacks (Rubber Ducky)
• Layer 2 Best Practices
  • VLANs
    • Hardening
    • Private VLANs
  • Layer 2 Attacks and Mitigation
    • CDP
    • MAC Spoofing
    • ARP Cache Poisoning
    • DHCP Starvation and Rogue DHCP Servers
    • VLAN Hopping
    • MacSec
    • 802.1X
    • NAC

SEC530.2: Network Security Architecture

Overview

SEC530.2: Network Security Architecture continues hardening the infrastructure and moves on to layer three: routing. Actionable examples are provided for hardening routers, with specific Cisco IOS commands to perform each step.

The section then continues with a deep dive on IPv6, which currently accounts for 23% of Internet backbone traffic, according to Google, while simultaneously being used and ignored by most organizations. This section will provide deep background on IPv6, discuss common mistakes (such as applying an IPv4 mindset to IPv6), and provide actionable solutions for securing the protocol. The section wraps up with a discussion of VPN and stateful layer three/four firewalls.

CPE/CMU Credits: 6

Topics

• Layer 3: Router Best Practices
  • CIDR and Subnetting
• Layer 3 Attacks and Mitigation
  • IP Source Routing
  • ICMP Attacks
  • Unauthorized Routing Updates
  • Securing Routing Protocols
  • Unauthorized Tunneling (Wormhole Attack)
• Layer 2 and 3 Benchmarks and Auditing Tools
  • Baselines
    • CISecurity
    • Cisco's Best Practices
    • Cisco Autosecure
    • DISA STIGs
    • Nipper-ng
• Securing SNMP
  • SNMP Community String Guessing
  • Downloading the Cisco IOS Config via SNMP
  • Hardening SNMP
  • SNMPv3
• Securing NTP
  • NTP Authentication
  • NTP Amplification Attacks
• Bogon Filtering, Blackholes, and Darknets
  • Bogon Filtering
  • Monitoring Darknet Traffic
  • Building an IP Blackhole Packet Vacuum
• IPv6
  • Dual-Stack Systems and Happy Eyeballs
  • IPv6 Extension Headers
  • IPv6 Addressing and Address Assignment
• Securing IPv6
  • IPv6 Firewall Support
  • Scanning IPv6
  • IPv6 Tunneling
  • IPv6 Router Advertisement Attacks and Mitigation
• VPN
  • Path MTU Issues
  • Fragmentation Issues Commonly Caused by VPN
• Layer 3/4 Stateful Firewalls
  • Router ACLs
  • Linux and BSD Firewalls
  • pfSense
  • Stateful
• NetFlow
  • Layer 2 and 3 NetFlow
  • Nfsen and ntopng

SEC530.3: Network-Centric Application Security Architecture

Overview

Organizations own or have access to many network-based security technologies ranging from Next-Generation Firewalls to web proxies and malware sandboxes. Yet the effectiveness of these technologies is directly affected by their implementation. Too much reliance on built-in capabilities like application control, antivirus, intrusion prevention, data loss prevention, or other automatic evil-finding deep packet inspection engines leads to a highly preventative-focused implementation, with huge gaps in both prevention and detection.

This section focuses on using application layer security solutions that an organization already owns with a modern mindset. By thinking outside the box, even old controls like a spam appliance can be used to catch modern attacks such as phishing via cousin domains and other spoofing techniques. And again, by engineering defenses for modern attacks, both prevention and detection capabilities gain significantly.

CPE/CMU Credits: 6

Topics

• Proxy
  • Web Proxy
  • SMTP Proxy
    • Augmenting with Phishing Protection and Detection Mechanisms
  • Explicit vs. Transparent
  • Forward vs. Reverse
• NGFW
  • Application Filtering
  • Implementation Strategies
• NIDS/NIPS
  • IDS/IPS Rule Writing
  • Snort
  • Suricata
  • Bro
• Network Security Monitoring
  • Power of Network Metadata
  • Know Thy Network
• Sandboxing
  • Beyond Inline
  • Integration with Endpoint
  • Feeding the Sandbox Potential Specimens
  • Malware Detonation Devices
• Encryption
  • The "Encrypt Everything" Mindset
    • Internal and External
  • Free SSL/TLS Certificate Providers
  • SSL/SSH Inspection
  • SSL/SSH Decrypt Dumps
  • SSL Decrypt Mirroring
  • Certificate Pinning
    • Malware Pins
  • HSTS
  • Crypto Suite Support
    • Qualys SSL Labs
• Secure Remote Access
  • Access into Organization
  • Dual Factor for All Remote Access (and More)
    • Google Authenticator/TOTP: Open Authentication
  • IPSec VPNs
  • SSH VPNs
  • SSL/TLS VPN
  • Jump Boxes
• Distributed Denial-of-Service (DDOS)
  • Impact of Internet of Things (IoT)
  • Types of Attacks
  • Mitigation Techniques

SEC530.4: Data-Centric Application Security Architecture

Overview

Organizations cannot protect something they do not know exists. The problem is that critical and sensitive data exist all over. Complicating this even more is that data are often controlled by a full application stack involving multiple services that may be hosted on-premise or in the cloud.

This section focuses on identifying core data where they reside and how to protect those data. Protection includes the use of data governance solutions and full application stack security measures such as web application firewalls and database activity monitoring, as well as a keeping a sharp focus on securing the systems hosting core services such as on-premise hypervisors, cloud computing platforms, and container services such as Docker.

The data-centric security approach focuses on what is core to an organization and prioritizes security controls around it. Why spend copious amounts of time and money securing everything when controls can be optimized and focused on securing what matters? Let's face it: Some systems are more critical than others.

CPE/CMU Credits: 6

Topics

• Application (Reverse) Proxies
• Full Stack Security Design
  • Web Server
  • App Server
  • DB Server
• Web Application Firewalls
  • Whitelisting and Blacklisting
  • WAF Bypass
  • Normalization
  • Dynamic Content Routing
• Database Firewalls/Database Activity Monitoring
  • Data Masking
  • Advanced Access Controls
  • Exfiltration Monitoring
• File Classification
  • Data discovery
    • Scripts vs. Software Solutions
    • Find Sensitive Data in Databases or Files/Folders
    • Advanced Discovery Techniques such as Optical Character Recognition Scanning of Pictures and Saved Scan Files
  • Methods of Classification
  • Dynamic Access Control
• Data Loss Prevention (DLP)
  • Network-based
  • Endpoint-based
  • Cloud Application Implementations
• Data Governance
  • Policy Implementation and Enforcement
  • Access Controls vs. Application Enforcement and Encryption
  • Auditing and Restrictions
• Mobile Device Management (MDM) and Mobile Application Management (MAM)
  • Security Policies
  • Methods for Enforcement
  • End-user Experience and Impact
• Private Cloud Security
  • Securing On-premise Hypervisors (vSphere, Xen, Hyper-V)
  • Network Segmentation (Logical and Physical)
  • VM Escape
  • Surface Reduction
  • Visibility Advantages
• Public Cloud Security
  • SaaS vs. PaaS vs. IaaS
  • Shared Responsibility Implications
  • Cloud Strengths and Weaknesses
  • Data Remanence and Lack of Network Visibility
• Container Security
  • Impact of Containers on On-premise or Cloud Architectures
  • Security Concerns
  • Protecting against Container Escape

SEC530.5: Zero Trust Architecture: Addressing the Adversaries Already in Our Networks

Overview

Today, a common security mantra is "trust but verify." But this is a broken concept. Computers are capable of calculating trust on the fly, so rather than thinking in terms of "trust but verify" organizations should be implementing "verify then trust." By doing so, access can be constrained to appropriate levels at the same time that access can become more fluid.

This section focuses on implementing a zero trust architecture where trust is no longer implied but must be proven. By doing so, a model of variable trust can be used to change access levels dynamically. This, in turn, allows for implementing fewer or more security controls as necessary given a user's and a device's trust maintained over time. The focus is on implementing zero trust with existing security technologies to maximize their value and impact for an organizations security posture.

During this section encryption and authentication will be used to create a hardened network, whether external or internal. Also, advanced defensive techniques will be implemented to stop modern attack tools in their tracks while leaving services fully functional for authorized assets.

CPE/CMU Credits: 6

Topics

• Zero Trust Architecture
  • Why Perimeter Security Is Insufficient
  • What Zero Trust Architecture Means
  • "Trust but Verify" vs. "Verify then Trust"
  • Implementing Variable Access
  • Logging and Inspection
  • Network Agent-based Identity Controls
• Credential Rotation
  • Certificates
  • Passwords and Impact of Rotation
  • Endpoints
• Compromised Internal Assets
  • Pivoting Adversaries
  • Insider Threat
• Securing the Network
  • Authenticating and Encrypting Endpoint Traffic
  • Domain Isolation (Making Endpoint Invisible to Unauthorized Parties)
  • Mutual TLS
  • Single Packet Authorization
• Tripwire and Red Herring Defenses
  • Honeynets, Honeypots, and Honeytokens
  • Single Access Detection Techniques
  • Proactive Defenses to Change Attacker Tool Behaviors
  • Increasing Prevention Capabilities while Adding Solid Detection
• Patching
  • Automation via Scripts
• Deputizing Endpoints as Hardened Security Sensors
  • End-user Privilege Reduction
  • Application Whitelisting
  • Host Hardening
    • EMET
  • Host-based IDS/IPS
    • As Tripwires
  • Endpoint Firewalls
    • Pivot Detection
• Scaling Endpoint Log Collection/Storage/Analysis
  • How to Enable Logs that Matter
  • Designing for Analysis rather than Log Collection

SEC530.6: Hands-On Secure the Flag Challenge

Overview

The course culminates in a team-based design-and-secure the flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all seven layers of the OSI model.

CPE/CMU Credits: 6

Topics

• Capstone - Design/Detect/Defend
  • Defensible Security Architecture
  • Assess Provided Architecture and Identify Weaknesses
  • Use Tools/Scripts to Assess the Initial State
  • Quickly/Thoroughly Find All Changes Made

Who Should Attend

• Security Architects
• Network Engineers
• Network Architects
• Security Analysts
• Senior Security Engineers
• System Administrators
• Technical Security Managers
• CND Analysts
• Security Monitoring Specialists
• Cyber Threat Investigators

Prerequisites

• Basic understanding of network protocols and devices.
• Experience with Linux from the command line.

What You Will Receive

• Intro and walkthrough videos of most labs
• A Linux VM loaded with tons of tools and other resources
• A 32GB USB 3.0 stick that includes the above and more

You Will Be Able To

• Analyze a security architecture for deficiencies
• Apply the principles learned in the course to design a defensible security architecture
• Determine appropriate security monitoring needs for organizations of all sizes
• Maximize existing investment in security architecture by reconfiguring existing assets
• Determine capabilities required to support continuous monitoring of key Critical Security Controls
• Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program

While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer. Hands-on labs throughout the course will reinforce key concepts and principles, as well as teach you how to use key scripting tools.

When your SEC530 training journey is complete, and your skills are enhanced and honed, it will be time to go back to work and deliver on the SANS promise that you'll be able to apply what you learned in this course the day you return to the office.