SANS 504 course experience


Cybersecurity Professional | Writer | Frontend Developer

Overview:

For my first SANS course experience, I was pleasantly surprised by the quality and efficiency of the course from start to finish. Communication via email was consistent and instructions were clear regarding requirements and directions. I was able to receive my books, find my class with ease and connect to different services pertaining to the course with no issues. The instructor, James Leyte-Vidal, was both witty and exceptionally knowledgeable on the topics listed in the course. Although there was a ton of information to absorb daily during an 8+ hour period, he was able to provide the information in simple, digestible chunks. He also provided some comic relief along the way with some memorable jokes. Here is one example: “I can probably tell you a joke about UDP but you probably wouldn’t get it”.

Besides the course, I attended some events that SANS held, such as the Welcome Reception, the keynote “Unlocking Secrets: Keypad Safe Attack Using Side-Channel Timing and Pulseview” by Monta Elkins, and Happy Hour. These were great events and I was able to network and rub shoulders with other professionals.

Day 1 - Incident Response and Cyber Investigations: This was the longest day of the course, ending at approximately 7 pm. A great deal of information was shared, ranging from topics such as Accelerating Incident Response with AI to different types of live investigations using tools like PowerShell. The day ended with the Linux and PowerShell Olympics, a “bootcamp” module designed to test our Linux and PowerShell skills. Other highlights included learning about RITA and the importance of understanding your environment so that one can better detect anomalies.

Day 2 - Scanning and Enumeration Attacks: This section of the course was insightful as it was the start of allowing us to really view things from an attacker’s perspective. Tools such as Nmap, EyeWitness and Netcat were discussed. The instructor also highlighted that people put too much information on network shares, which is why SMB security is vital.

Day 3 - Password Attacks and Exploit Frameworks: We had a lot of fun on this day. From cracking passwords with Hashcat to conducting password spraying using Legba, we gained some important insight into how attackers can gain credentials. A highlight from this section was Offensive AI, where the use of deepfakes, voice clones and phishing campaigns was discussed.

Day 4 - Web Application Attacks: Public web applications are a huge attack vector. With the rise of AI and vibe coding, this number will only continue to grow. The instructor emphasized that statement above. Some tools that were discussed here were Ffuf and Bruno. API attacks, Cross-Site Scripting attacks and Cloud Bucket Discovery.

Day 5 - Post-Exploitation and AI Attacks: The last day of the course did not disappoint. We learned how threat actors use the Living off the Land (LOL) technique by leveraging existing binaries and repurposing them in creative ways. We also touched on CPU system architecture, how it affects EDR tools and why attackers aim to gain ring 0 access. The day ended with a discussion of Prompt Injection Attacks and tips for the exam.

Day 6 (CTF): This event was the culmination of everything we learnt. We divided ourselves into teams and prepared accordingly for the Capture the Flag event. Our team, Brotherhood of Steel, put up a great fight but we were bested by the winning team called Hellfire. Despite this, the instructor stated that both teams did exceptionally well and could have won on either day. He also gave us challenge coins for our efforts. This was a fun event and has inspired me to participate in future CTF events.

Recommendations:

If you are fortunate enough to attend this training, ensure that you are properly prepared for the course. This will include having the right system requirements, course documents, setting up the labs, etc. You will receive communication from SANS leading up to the course as a reminder. I highly recommend having a portable monitor or monitors if you attend in person for obvious reasons.

Closing Summary:

I will definitely cherish this experience for the rest of my career. Being immersed in a classroom after quite some time was interesting. I was able to gain a wealth of knowledge that can be applied to my daily activities. Joshua Wright authored a great course.

I am truly grateful to my employer for providing me with the opportunity to attend this course. I was able to gain great knowledge, expand my network and create lasting memories. I look forward to applying this knowledge and attending another training course in the near future.

Look out for a blog post detailing my preparation leading up to the exam and my exam day.