Provided by SANS
Qualification level
Study type
View Website
View Website

About the course

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. You may be able to immediately implement some of the measures we discuss in this course, while others may take a while. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, determine who is attacking you, and, finally, attack the attackers.

SEC550: Active Defense, Offensive Countermeasures and Cyber Deception is based on the Active Defense Harbinger Distribution live Linux environment funded by the Defense Advanced Research Projects Agency (DARPA). This virtual machine is built from the ground up for defenders to quickly implement Active Defenses in their environments. The course is very heavy with hands-on activities - we won't just talk about Active Defenses, we will work through labs that will enable you to quickly and easily implement what you learn in your own working environment.


Course Syllabus

SEC550.1: Setup and Baseline

CPE/CMU Credits: 6


  • Setup
  • Mourning Our Destiny, Leaving Youth and Childhood Behind
  • Bad Guy Defenses
  • Basics and Fundamentals (Or, Don't Get Owned Doing This)
  • Playing With Advanced Backdoors
  • Software Restriction Policies
  • Legal Issues
  • Venom and Poison

SEC550.2: Annoyance

CPE/CMU Credits: 6


  • How to Connect to Evil Servers (Without Getting Shot)
  • Recon on Bad Servers and Bad People
  • Honeypots
  • Honeyports
  • Kippo
  • Deny Hosts
  • Artillery
  • More Evil Web Servers
  • Cryptolocked

SEC550.3: Attribution

CPE/CMU Credits: 6


  • Dealing with TOR
  • Decloak
  • Word Web Bugs (Or Honeydocs)
  • More Evil Web Servers
  • Cryptolocked

SEC550.4: More Attribution and Attack

CPE/CMU Credits: 6


  • Nova
  • Infinitely Recursive Windows Directories
  • Web Application Street Fighting with BeEF!
  • Wireless and Brotherly Love
  • Evil Java Applications with SET
  • AV Bypass (for the Good Guys!)
  • Arming Word Documents
  • Python Injection
  • Ghostwriting
  • HoneyBadger
  • Let's Try to Trojan Some Java Applications

SEC550.5: Capture the Flag


Capture the Flag challenge that draws on what you have learned over the previous four days of the course.

CPE/CMU Credits: 6

Who Should Attend

  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects


  • Basic understanding of Windows and Linux Command line
  • Basic TCP/IP understanding.

What You Will Receive

  • A fully functioning Active Defense Harbinger Distribution ready to deploy
  • Class books and a DVD with the necessary tools and the OCM virtual machine, which is a fully functional Linux system with the OCM tools installed and ready to go for the class and for the students' work environments.

You Will Be Able To

  • Track bad guys with callback Word documents
  • Use Honeybadger to track web attackers
  • Block attackers from successfully attacking servers with honeyports
  • Block web attackers from automatically discovering pages and input fields
  • Understand the legal limits and restrictions of Active Defense
  • Obfuscate DNS entries
  • Create non-attributable Active Defense Servers
  • Combine geolocation with existing Java applications
  • Create online social media profiles for cyber deception
  • Easily create and deploy honeypots

Hands-on Training

  • Layers of defense for the bad guys
  • Software restrictions policies
  • Testing DLP systems
  • Testing command and control systems
  • OSFuscate
  • Fuzzing attacker tools for attacker-side DoS
  • Spidertrap to gunk up web crawlers
  • Thug for attack site research
  • for attack site research
  • Recon against bad people
  • Dionea
  • Honeyports from the command line
  • Kippo
  • Deny Hosts
  • Artillery
  • Weblabyrinth
  • Cryptolocked
  • Conpot for SCADA emulation
  • Decloking TOR actors
  • Word Web Bugs
  • Infinitely Recursive Directories for crashing malware
  • BeEF for the bad guys
  • Evil Java applications
  • AV bypass for the bad guys
  • Powercat
  • Ghostwriting
  • Honeybadger
  • Backdooring existing Java applications to track bad guys
  • Full-day Capture the Flag challenge

Contact the course provider: