Thoughts on the SANS 560 at Cybercon

woo hoo!!!

As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills.

So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun.

I’ve already been asked one question about my experience and I’ve been involved with some SEC 560 vs. SEC 504 discussions in the past so there are a few topics I wanted to discuss before I do a course summary.

Q: How Was Cybercon compared to a live conference?

A: I talked a little bit about my previous Cybercon experience here http://digitalforensicstips.com/2013/04/early-thoughts-on-cybercon/ and everything I said there remains true. The software used was different this time out but it still had zero issues and felt smooth.

At the last Cybercon I took the 414 CISSP prep course and there were literally zero issues. Twice a day we would pause to go take the practice tests and meet back up afterwards, everything was flawless. This time there were still no issues with instructor interaction but since students had to VPN into remote labs to perform the exercises a few of the students were having some issues. The SANS support staff was extremely friendly and helpful and even ended up remoting into two students’ machines to get them configured. I can’t say enough good things about those guys.

So there were issues but when you have students with entirely different setups using VPN to connect to remote labs that’s not terribly surprising. Things change so this advice probably has a shelf life worse than sour cream but if I had a friend taking the next virtual 560 class I would advise them to set up the VPN connection on the Linux VM and a Windows system (for me it was my host OS) as soon as they get their disk. For me setup only took a few minutes each and I made sure that I could not only ping the target IP address SANS provided but also that my Windows host could ping my Linux VM (through the VPN) and vice versa (once I disabled my Windows firewall). I personally had zero connection issues during the class except for the occasional dropped connection on the Linux side which always corrected itself.

Connection issues aside the labs worked flawlessly 99% of the time. There was one lab where the second half required a Metasploit pivot from one box to another and for some reason the target box didn’t want to play nice. I haven’t checked to see if the issue is resolved yet but that was honestly the only issue we had the entire week. Once again kudos to the virtual support staff.

All of the above is necessary background but I haven’t actually answered the question yet so here goes.

If SANS was holding an event in my city and running an online course at the same time I would choose to go to the event in person. The opportunity to network on such a grand scale is well worth getting dressed each morning 🙂

If I had a choice to go to a fully funded trip to a SANS conference or take a course online I would go to the conference. Free trip and a conference, come on!

Unfortunately for me neither of the above two scenarios is likely. What is far more likely is the exact scenario I faced this month. SANS is holding an event this week in Scottsdale a little over two hours north of me. I attended last year and had an absolute blast. I saw this year’s conference was going to have the 560 and I was stoked. Later I saw that the week before the conference (last week) was an online version of 560 at Cybercon and I had to make a decision. I ended up choosing Cybercon and saved the money I would have spent driving there, spending six nights in a hotel and eating out.

My situation was about as pure of a decision as possible. I had been to a SANS Scottsdale and a Cybercon and both of them were offering the course I wanted within one week of each other. I viewed the decision as travel expenses vs. personal networking and nothing more. The quality of learning didn’t factor into my decision nor should it have. After two Cybercon experiences I can say I’m very satisfied with the training I’ve received.

One more thing to mention is cost savings isn’t the only advantage online students get. I love the mp3s as much as anybody but I’m a huge fan of video learning and online students get access to video recordings from the course for four months. At one point while the instructor was giving a very detailed description of rainbow table creation I had to go to the front door to sign for a package. Later that afternoon I was able to go to the video to see what I had missed. That’s pretty darn cool.

Earlier I cited the VPN connection as an issue for some people but it’s also one of the biggest perks. Most of the 560 students in Phoenix this week will play around on one network for a few days performing labs and then on another network for a few hours during the CTF and that will be it. Online students get access to both networks for four full months. That’s pretty darn cool. There are a few things on the CTF network that I plan on going back and playing with this week and I like having that opportunity.

Hopefully that does a decent job comparing the pros and the cons of the multiple formats.

The other topic I wanted to discuss was the amount of overlap between SEC 504 and SEC 560.

When I took SEC 504 in September of 2012 there was a really nice guy in class who had commented to me that he was enjoying the class but his previous class was the 560 and there was a lot of overlap. I knew this was a topic of interest (SANS even has a FAQ page on the subject) so I wanted to give my thoughts on it.

SEC 504 was my first ever facilitating gig and honestly I think it was my sixth choice. I lucked out. Only the SEC 401 would have been more appropriate for me at that point in my journey. The 504 was awesome. It introduces you to all sorts of different attacks, explains how they work and then spends a little bit of time discussing how to identify and prevent them. In addition to being the first block on the pen testing course chart the 504 is now (rightfully so) listed as the first block on the forensics course chart as well. That speaks volumes about the course’s usefulness.

While the 504 was exactly what it claims to be (a great overview on hacker techniques and exploits) the 560 is also exactly what it claims to be, a great overview on pen testing.

One stark contrast between the two courses is the coverage of Metasploit. In the 504 students are introduced to Metasploit, start it up, and fire it at vulnerable servers. It’s a great introduction and the students get a chance to play with it more during the day six CTF. In the 560 students get the same intro but then go way more in depth looking at the various sorts of modules, at integrating Metasploit with a database so it can use nmap or Nessus results to identify useful exploits, at different ways they can pivot from one machine on a network to another one etc. I have used Metasploit in multiple courses and practicing on my own but I definitely have a better understanding of it now.

I loved the 560 for a lot of the same reasons I loved the 408 Windows forensics course. The courses were very systematic and well laid out. Day one covers a lot of the legalities, best practices and some recon. Day two provides GREAT coverage on scanning so you can map out targets. Day three is using Metasploit and some other tools to get a foothold on the network and move around. Day four is a great look at password attacks and covers both attacks over the network using tools like hydra and offline attacks using John the Ripper and Ophcrack. Day five was a little different but enjoyable. The first half of the day was wireless and the second half was web applications. I’ve already taken the 617 wireless hacking class and the 542 web application attack class so I would have preferred different content but the content was very well done and enjoyable. Just like the 504, day six is a capture the flag event.

The 504 and 560 are both 500 level SANS courses designed by Ed Skoudis with “hack” in the title so there are going to be some similarities. Once again I lucked out in that I went to the classes in the correct order. The 504 exposed me to a lot of techniques and the 560 helped me refine my use of the techniques and develop a game plan. If I had gone to the classes in opposite order (like the gentleman I spoke to had) then I likely would have had similar thoughts. I would have gone from a course which covered tools in depth to a course which covered them with less detail but exposed me to other attacks and techniques.

If you’ve taken the 504 and are interested in the 560 then go for it. The overlap is headed in the right direction. If you’ve taken the 560 and are considering the 504 then it may indeed be an awesome class for you but I would take a good look at your options and what you could get from each of them. If I was recommending courses to a friend new to pen testing I would recommend both the 504 and the 560 but specify that they should be done in that order.

Kevin Fiscus is a great instructor with a gift for explaining difficult concepts in a way anyone can understand and I was able to take lessons learned from my 504 CTF (mainly to stay organized) and come in first in the 560 CTF. All in all it was a great week and I’m sure it won’t be my last online class or my last class with Kevin.

4 thoughts on “Thoughts on the SANS 560 at Cybercon”

  1. Thanks for the insight Matt. The writeup is very informative and the part where you mention the lab and video access extended to online students is intriguing. I like the idea of being able to access the labs and retry the techniques taught in class.

    • I’m glad it was helpful! Every time I go to a SANS conference I meet amazing people but if price is a factor (and it often is) then online is a great option.

      One method I haven’t tried yet but want to is the v-live where it’s two nights a week spread out over multiple weeks. I hear there is a lot of “face time” with instructors and it seems like that would be a really good fit for in depth classes like the 610 so you could have a few days to digest and play with the material.

      It’s not a SANS class but I’m going to try to take Joe McCray’s exploit development class in May which is set up in a similar format.
