As I mentioned in my last post, I just finished the SANS Sec 504 Class: Hacker Techniques, Exploits & Incident Handling. As with my previous 2 SANS classes, I took it over 4 months, using SANS OnDemand, which allows me to take the class online, at my own pace. The teacher was the well known Ed Skoudis of Counter Hack fame.
The only negatives I have about this class is the same as the last two OnDemand classes I’ve taken: The layout of the OnDemand system–Let me quote from my previous OnDemand review:
“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website, and took it online, at my own pace. I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive. Check out CERT’s VTE for Intuitive.”
Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.
The class was divided into two basic sections: Incident Handling and Hacker Techniques and Exploits.
The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”
The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.
Some of the topics included:
-ARP Cache Poisoning and DNS Injection
-Buffer Overflows in Depth
-Format String Attacks
-Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics
-And alot more of the same type stuff.
I found this portion of the class to be my favorite. We got very nitty-gritty technical, and yet it was very practical.
Overall, I would have to give the content a very high rating. Though the content was current, it probably was not cutting edge.
I found this class to be a great very technical, yet very practical discussion on this whole topic of Incident Handling and “hacker” techniques.
A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.