This past week I completed the SANS SEC560 – Network Penetration Testing and Ethical Hacking course at the SANS Cyber Defense Initiative in Washington DC. With the experience fresh on my mind, I wanted to share my impressions with others considering SANS training.

A Quick Overview of the SANS 560 Class Experience

Curriculum Overview

SANS SEC560 began with a discussion of the consultative side of the business and topics related to documenting work, scoping projects, drafting an effective statement of work and communicating with clients. This initial phase of the course lasted the better part of day one.

The second half of day one and next four days after that kick into high gear and take the student through the logical steps of performing a penetration test. We started with reconnaissance and learning how to use publicly available information to learn about the people, technology and other internal workings of an organization.

Next, in-depth scanning and enumeration with tools such as NMap, Scapy, and Nessus were covered in great detail. We then moved on to exploitation of vulnerabilities discovered during scanning, where the primary focus was on Metasploit.

Day four proved to be one of the most challenging of them all. The class took a deep dive into post exploitation activities and pivoting within a target’s network. We experimenting with cracking passwords, performing pass the hash attacks, and also completed a few labs on Powershell and Windows Command-line.

Finally, the class began to wind down with more in-depth instruction on harvesting credentials and cracking passwords, as well as an overview of web application penetration testing techniques.

The course was capped on day six with a live capture the flag competition, where the class was divided up into teams of two to five people and we completed to see who could extract and decrypt protected PII files from the target network first.  This pivotal day allowed you to see how all the pieces of the puzzle fit together!

Class Structure

Each day is more or less dedicated to a central concept (e.g. In-Depth Scanning). The instructor then presents the class with a concept and applicable tools used to exercise that concept (e.g. network topology and service discovery and using NMap).

SANS did a great job of balancing lecture with hands on application and my instructor was phenomenal. Rarely did labs feel like I was walking through the steps of a process without context and background to support the learning process.  Even better, SANS sprinkled in a ton of great pro-tips along the way that I doubt I would have ever learned on my own.

The class resembled a “Maymester” where an entire semester of curriculum is crammed into a six-day period. The class moved along at a breakneck pace, and I oftentimes had to bookmark my place in labs so that I could revisit after hours if I was unable to finish an assignment before the instructor was ready to move on to the next topic.

Technical Skill Prerequisites and Target Audience

For me, the SANS 560 class was a very humbling experience. I am an experienced IT auditor with a background in IT infrastructure. I would consider myself an information technology generalist who has seen quite a few environments and has some hands-on experience performing technical risk and security posture assessments. I expected a steep learning curve walking into the class room, but I didn’t realize just how challenging it would be to take my skills to the next level.

I would only recommend this class if you’re comfortable and willing to learn new technology concepts fast. 90% of the labs take place in one flavor of command line interface or another, be it Linux shell, Windows command line, or Powershell. There is even some Python, WMI and Powershell scripting sprinkled in for good measure.

Thoughts on the SANS Training Experience as a Whole

I was very impressed with my SANS training experience. There was no shortage of free carbs and caffeinated beverages throughout the week, SANS lined up a plethora of great lectures you were free to attend in the evenings after class, and as a student in the SEC560 class, I was admitted entrance into the NetWars Tournament- a two night event where we were challenged to think like a hacker in order to compete with others and solve a series of challenges in a really neat, Star Wars themed cybersecurity game.

Attending the course was not cheap ($6,000+ for the course alone, not including travel expenses and other addons you might consider), but I feel the experience helped pivot me in a direction to continue improving my skills as a penetration tester and ethical hacker.

If you have any questions or comments, feel free to leave them in the comments below. Now I’m off to study for the GIAC Penetration Tester certification!