THE WORLD'S LARGEST & MOST TRUSTED PROVIDER OF CYBER SECURITY TRAINING

COPENHAGEN MON 2 - SAT 30 APRIL, 201 #COPENHAGEN

2 COURSES
SEC42 Web App Testing and
FOR08 Digital Forensics and Response

Register online and see full course descriptions at www.sans.org/copenhagen-201
COURSES AT A GLANCE

SEC 42 Web App Testing and (Adrien de Beaupre)
FOR 08 Digital Forensics and Response (Nick Klein)
MON 2, TUE 2, WED 27, THU 28, FRI 29, SAT 30

CONTENTS

COURSES AT A GLANCE
ABOUT
WELCOME TO COPENHAGEN 201
REGISTRATION INFORMATION
TRAINING AND YOUR CAREER ROADMAP
COURSE CONTENT SUMMARIES
COPENHAGEN 201 INSTRUCTORS
EMEA 201 TRAINING EVENTS

ABOUT

SANS IS THE MOST TRUSTED AND BY FAR THE LARGEST SOURCE FOR INFORMATION SECURITY TRAINING AND SECURITY CERTIFICATION IN THE WORLD.

The Institute was established in 1989 as a cooperative research and education organisation. Our training programs now reach more than 200,000 security professionals around the world.

SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats - the ones being actively exploited.

SANS courses are full of important and immediately useful techniques that you can put to work as soon as you return to the office. They were developed through a consensus process involving hundreds of administrators, security managers and information security professionals. Courses address security fundamentals and awareness as well as the in-depth technical aspects of the most crucial areas of IT security.

SANS-certified instructors are recognised as the best in the world. To find the best teachers for each topic, SANS runs a continuous competition for instructors. Last year more than 100 people tried out for the faculty, but only five new potential instructors were selected.

SANS provides training through several delivery methods, both live & virtual: classroom-style at a training event, online at your own pace, guided study with a local mentor, or onsite at your workplace. SANS courses are taught in English by our world class instructors, or in French or Spanish if you attend one of our excellent partner training events in France or Spain.

In addition to top-notch training, SANS offers certification through the GIAC security certification program and numerous free security resources such as newsletters, whitepapers, and webcasts.

Why SANS is the best training and educational investment:

Intensive, hands-on immersion training with the highest-quality courseware in the industry.

Incomparable instructors and authors who are industry experts and practitioners fighting the same cyber battles as you and discovering new ways to thwart attacks.

Training that strengthens a student's ability to achieve a GIAC certification, which is unique in the field of information security certifications because it not only tests a candidate's knowledge, but also the candidate's ability to put that knowledge into practice in the real world.

Contact
www.sans.org/emea
Email: emea@sans.org
Tel: +44 20 3384 3470
Address: EMEA, PO Box 124, Swansea, SA3 9BB, UK
WELCOME TO COPENHAGEN 201

REGISTER ONLINE AT: WWW.SANS.ORG/COPENHAGEN-201

COPENHAGEN 201 RUNS FROM MONDAY 2TH - SATURDAY 30TH APRIL AT THE RADISSON BLU ROYAL HOTEL AND HOSTS 2 COURSES. TRAINING RUNS FROM 9AM-PM.

Registration fees include all courseware and training materials plus morning and afternoon break refreshments and lunch served in the hotel restaurant. Accommodation is not included.

The demand for this event is expected to be high so please register online as soon as possible to secure a seat at Copenhagen 201. Read on for course descriptions or visit www.sans.org/copenhagen-201. Over the page you will find the Career Roadmap which provides examples of how courses fit into your career development plan.

EVENT LOCATION
Radisson Blu
Hammerichsgade 1
Copenhagen 111 DK
Telephone +4 33 42 0 00
Website www.radissonblu.com

CONTACT
Email: emea@sans.org
Tel: +44 20 3384 3470

#Copenhagen 2-30 Apr, 201

COPENHAGEN TAKES PLACE AT THE RADISSON BLU HOTEL, COPENHAGEN.

The city centre is reachable via the train station, which is located just across the street from the hotel. Students can travel via the bus system, taxis and rented cars. Business and leisure travellers alike appreciate the city's lively vibe and its array of art, culture and food. The brightly lit Tivoli Gardens, just a walk away, are a perfect place to visit while staying at the Radisson Blu.

Copenhagen has a well-developed public transport system with nearly 200 rail stations. The Radisson Blu sits across from Central Station and offers indoor parking as well as easy access to major car rental agencies. Public buses and private taxis are also widely available.

The train from Copenhagen Airport to Central Station takes approximately 13 minutes. Guests should disembark at the 3rd stop, called Københavns Hovedbanegård, and walk about minutes to the hotel.

Bus A takes approximately 3 minutes from the airport. Guests should disembark at stop Københavns Hovedbanegård and walk minutes to the hotel.
A taxi ride from the airport takes approximately 20 minutes.

GROUP SAVINGS (APPLIES TO TUITION ONLY)
-9 people = %
10 or more people = 10%
Early bird rates and/or other discounts cannot be combined with the group discount. To obtain a group discount please email emea@sans.org.

TO REGISTER
To register, go to www.sans.org/copenhagen-201. Select your course or courses and indicate whether you plan to test for GIAC certification.

How to tell if there is room available in a course: If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with internet access must complete the online registration form. We do not take registrations by phone.

CONFIRMATION
Look for e-mail confirmation. It will arrive soon after you register. We recommend you register and pay early to ensure you get your first choice of courses. An immediate e-mail confirmation is sent to you when the registration is submitted properly. If you have not received e-mail confirmation within two business days of registering, please call the Registration office at +1 301-4-727 9:00am - 8:00pm Eastern Time or email emea@sans.org.

CANCELLATION
You may substitute another person in your place at any time by sending an e-mail request to emea@sans.org. Cancellation requests by April 201 by emailing emea@sans.org

REGISTER NOW www.sans.org/copenhagen-201
EMEA IT SECURITY TRAINING AND YOUR CAREER ROAD MAP

CORE COURSES

NETWORK OPERATIONS CENTRE, SYSTEM ADMIN, SECURITY ARCHITECTURE

A Network Operations Centre (NOC) is where IT professionals supervise, monitor, and maintain the enterprise network. The NOC is the focal point for network troubleshooting, software distribution and updating, router and system management, performance monitoring, and coordination with affiliated networks. The NOC analysts work hand-in-hand with the Security Operations Centre, which safeguards the enterprise and continuously monitors threats against it.

Analyst / Engineer, SOC Analyst, Cyber Threat Analyst, CERT Member, Malware Analyst

SEC0 Securing Windows with PowerShell and the Critical Controls GCWN SEC0 Securing Linux/Unix GCUX SEC01 GCED SEC Implementing and Auditing the Critical Controls - In-depth GCCC SEC79 Virtualisation and Private Cloud

The Security Operations Centre (SOC) is the focal point for safeguarding against cyber-related incidents, monitoring security, and protecting assets of the enterprise network and endpoints. SOC Analysts are responsible for enterprise situational awareness and continuous surveillance, including monitoring traffic, blocking unwanted traffic to and from the Internet, and detecting any type of attack. Point solution security technologies are the starting point for hardening the network against possible intrusion attempts.
Endpoint Monitoring SEC01 - Enterprise Defender GCED FOR08

SECURITY OPERATIONS CENTRE/INTRUSION DETECTION

SEC02 Perimeter Detection GPPA Digital Forensics and Response GCFA Monitoring SEC03 Intrusion Detection GCIA FOR72 SEC04 Hacker Tools, Techniques, Exploits, & Handling GCIA SEC11 Continuous Monitoring and Operations GMON

Intrusion Detection Analyst, Operations Centre Analyst / Engineer, CERT Member, Cyber Threat Analyst

SEC0 Threat Intelligence FOR78 Cyber Threat Intelligence Active Defense, Offensive Countermeasures, & Cyber Deception

RISK & COMPLIANCE/AUDITING/GOVERNANCE

These experts assess and report risks to the organisation by measuring compliance with policies, procedures, and standards. They recommend improvements to make the organisation more efficient and profitable through continuous monitoring of risk management.

Auditor, Compliance Officer

SEC Implementing & Auditing the Critical Controls - GCCC AUD07 Auditing & Monitoring s, Perimeters, and Systems GSNA

INFORMATION SECURITY

Information security professionals are responsible for research and analysis of security threats that may affect an organisation's assets, products, or technical specifications. These security professionals will dig deeper into technical protocols and specifications related to security threats than most of their peers, identifying strategies to defend against attacks by gaining an intimate knowledge of the threats.

Cyber Analyst, Cyber Engineer, Cyber Architect

Intro to Information Bootcamp Style SEC01 Enterprise Defender GCED

When the security of a system or network has been compromised, the incident responder is the first-line defense during the breach. The responder not only has to be technically astute, he/she must be able to handle stress under fire while navigating people, processes, and technology to help respond and mitigate a security incident.
SEC03 Intrusion Detection GCIA FOR72 GNFA FOR78

INCIDENT RESPONSE

analyst/engineer, SOC analyst, Cyber threat analyst, CERT member, Malware analyst

SEC04 FOR408 Windows Forensic GCFE Hacker Tools, Techniques, Exploits and Handling Endpoint FOR08 Digital Response GCFA Malware FOR10 Reverse Engineering Malware: Malware Tools & Techniques GREM

PENETRATION TESTING/VULNERABILITY ASSESSMENT

Because offense must inform defense, these experts provide enormous value to an organisation by applying attack techniques to find security vulnerabilities, analyse their business risk implications, and recommend mitigations before they are exploited by real-world attackers.

& Exploits SEC0 Testing and Ethical Hacking GPEN SEC0 Testing, Exploit Writing, and GXPN

tester, Vulnerability assessor, Ethical hacker, Red/Blue team member, Cyberspace engineer

Web Mobile / Wireless SEC42 Web App Testing and GWAPT SEC42 SEC04 Web App Testing and Hacker Tools, Techniques, Exploits and Handling SEC7 Mobile Device and Ethical Hacking GMOB SEC17 Wireless Ethical Hacking, Testing, and Defenses GAWN Lab Centred SEC1 Intense Hands-on Pen Testing Skill Development (with NetWars) SEC2 CyberCity Hands-on Kinetic Cyber Range Exercise

SECURE DEVELOPMENT

The security-savvy software developer leads all developers in the creation of secure software, implementing secure programming techniques that are free from logical design and technical implementation flaws. This expert is ultimately responsible for ensuring customer software is free from vulnerabilities that can be exploited by an attacker.

Developer, Software Architect, QA Tester, Development Manager

Securing the Human for Developers STH.Developer Application Awareness Modules

CYBER OR IT SECURITY MANAGEMENT

Management of people, processes, and technologies is critical for maintaining proactive enterprise situational awareness and for the ongoing success of continuous monitoring efforts.
These managers must have the leadership skills, current knowledge, and best practice examples to make timely and effective decisions that benefit the entire enterprise information infrastructure.

CISO, Cyber Manager / Officer, Director

DIGITAL FORENSIC INVESTIGATIONS & MEDIA EXPLOITATION

With today's ever-changing technologies and environments, it is inevitable that every organisation will deal with cybercrime, including fraud, insider threats, industrial espionage, and phishing. To help solve these challenges, organisations are hiring digital forensic professionals and relying on cybercrime law enforcement agents to piece together a comprehensive account of what happened.

Computer Crime Investigator, Law Enforcement, Digital Investigations Analyst, Media Exploitation Analyst, Information Technology Litigation Support & Consultant, Insider Threat Analyst

FOR408 Windows Forensic GCFE FOR08 Digital Response GCFA FOR2 Memory Forensics

ICS-focused courses are designed to equip both security professionals and control system engineers with the knowledge & skills they need to safeguard critical infrastructure.
ICS/SCADA Cyber Threat Intelligence Specialisations Specialisations GICSP Specialisations SEC70 SEC80 SEC73 SEC42 SEC42 FOR2 MGT3 Exploit Metasploit Python for Web App ICS1 Windows Development Kung Fu for Web App ICS Active Memory Response Team for Enterprise Testers Testing & Response and Forensics Management Pen Testing Testing & Defense & 7 Testers GWAPT Response

DEV41 Secure Coding in Java/JEE: Developing Defensible Applications GSSP-JAVA
DEV22 Defending Web Applications GWEB
DEV44 Secure Coding in .NET: Developing Defensible Applications GSSP-.NET

Foundational Core Specialisation

MGT12 Leadership For Managers with Knowledge Compression GSLC
MGT2 IT Project Management, Effective Communication, and PMP Exam Prep GCPM
MGT414 Training Programme for CISSP Certification GISP
MGT14 IT Strategic Planning, Policy & Leadership
MGT3 Response Team Management
LEG23 Law of Data and Investigations GLEG
MGT433 Securing The Human: Building and Deploying an Effective Awareness Programme
AUD07 Auditing & Monitoring s, Perimeters, and Systems GSNA
FOR8 Smartphone Forensics
FOR10 Reverse Engineering Malware: Malware Tools & Techniques GREM
ICS410 SEC04 Hacker Tools, Techniques, Exploits and Handling

INDUSTRIAL CONTROL SYSTEMS / SCADA

FOR18 MAC Forensic

SAMPLE JOB TITLES: IT & OT Support, IT & OT Cyber, ICS Engineer
SEC 42
ADVANCED WEB APP PENETRATION TESTING AND ETHICAL HACKING
WWW.SANS.ORG/SEC42

ADRIEN DE BEAUPRE
3 CPE/CMU Credits
Monday - Saturday: 9am - pm

YOU WILL BE ABLE TO...

Assess and attack complex modern applications.

Understand the special testing and exploits available against content management systems such as SharePoint and WordPress.

Use techniques to identify and attack encryption within applications.

Identify and bypass web application firewalls and application filtering techniques to exploit the system.

Use exploitation techniques learned in class to perform advanced attacks against web application flaws such as XSS, SQL injection and CSRF.

VERY GOOD TECHNIQUES AND METHODS COVERED WHICH WILL BE USEFUL TO ANY NEW APP TESTER.
Vivek Veerappan, GEMALTO

HANDS-ON AND TO THE POINT!
Frans Kollée, MADISON GUIRKHA B.V.

COURSE DETAILS

SEC42 teaches the advanced skills and techniques required to test web applications. This advanced pen testing course uses a combination of lectures, real-world experiences, and hands-on exercises to impart the techniques used to test the security of enterprise applications. The course culminates in a Capture the Flag event.

The course begins by exploring specific techniques and attacks to which applications are vulnerable. These techniques and attacks use advanced concepts and skills to exploit the system through various controls and protections.

SEC42 explores encryption as it relates to web applications. Students learn how encryption works as well as techniques to identify the type of encryption in use within the application. Additionally, students learn methods for exploiting or subverting this encryption, again through lecture and labs.

As students move through the course they learn to identify web application firewalls, filtering, and other protection techniques. Students explore methods to bypass these controls. To further the evaluation of security within the application, students gain skills in exploiting the control itself.

Following these general exploits, students study techniques that target specific enterprise applications. Participants attack systems such as content management and ticketing systems. We explore the risks and flaws found within these systems and how to better exploit them. Due to their prevalence within modern organisations, this part of the course includes web services and mobile applications.

SEC42 ends with a day-long Capture the Flag event. This targets an imaginary organisation's web applications and includes both internet and intranet applications and various technologies.

In summary, SEC42 enhances students' exploitation and defence skill sets. It also fulfils a need to teach more advanced techniques, such as those covered in the foundational course, SEC42: Web Application Testing and.

FOR 08
ADVANCED DIGITAL FORENSICS AND INCIDENT RESPONSE
WWW.SANS.ORG/FOR08

NICK KLEIN
3 CPE/CMU Credits
GIAC Cert: GCFA
Monday - Saturday: 9am - pm

COURSE DETAILS

Over 80% of breach victims learn about a compromise from third-party notifications, not from internal security teams. In most cases, adversaries have been rummaging through a network undetected for months or even years.

Incident response tactics and procedures have evolved rapidly over the past few years. Data breaches and intrusions are growing more complex. Adversaries are no longer compromising one or two systems in an enterprise - they compromise hundreds. A team can no longer afford antiquated incident response techniques: techniques that fail to identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident.

This in-depth incident response course provides responders with advanced skills to hunt down, counter, and recover from a wide range of threats within enterprise networks. Situations include APT adversaries, organised crime syndicates, and hacktivism. Constantly updated, FOR08 addresses today's incidents by providing hands-on response tactics and techniques that elite responders are successfully using in real-world breach cases.

Elsewhere in the course, a hands-on enterprise intrusion lab (developed from a real-world targeted APT attack on an enterprise network and based on how an APT group will target your network) leads students through the challenges and solutions via extensive use of the SIFT Workstation collection of tools.

During the intrusion lab exercises, students identify where the initial targeted attack occurred and lateral movement through multiple compromised systems. Participants extract and create crucial cyber threat intelligence that can help properly scope the compromise and detect future breaches.

WE'RE SETTING UP A NEW FORENSIC CAPABILITY AND THIS COURSE HAS GIVEN ME EVERYTHING I NEED TO DO JUST THAT.
Simon Fowler, VIRGIN MEDIA

YOU WILL BE ABLE TO...

Discover every system compromised in an enterprise utilising incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beachhead and spear phishing attack mechanisms, lateral movement, and data exfiltration techniques.

Use system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.

Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redline's Malware Rating Index (MRI) to quickly ascertain the threat to an organisation and aid in scoping the true extent of the data breach.
COPENHAGEN 201 INSTRUCTORS

Adrien de Beaupre
CERTIFIED INSTRUCTOR
@adriendb

Adrien de Beaupre is a certified instructor and works as an independent consultant in Ottawa, Ontario. His work experience includes technical instruction, vulnerability assessment, penetration testing, intrusion detection, incident response and forensic analysis. He is a member of the Internet Storm Center (isc.sans.edu). He is actively involved with the information security community, and has been working with SANS since 2000. Adrien holds a variety of certifications including the GXPN, GPEN, GWAPT, GCIA, CISSP, OPST, and OPSA.

Nick Klein
CERTIFIED INSTRUCTOR
@kleinco

Nick is the Director of Klein & Co. Computer Forensics from Sydney, Australia. He has over fifteen years of IT experience, specialising in forensic technology investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in hundreds of cases including commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property, computer hacking and system intrusion. He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.

STOCKHOLM 9TH - 14TH MAY 201 AT THE RADISSON BLU WATERFRONT HOTEL

TRAINING LINE UP FOR STOCKHOLM:

SEC04 Hacker Tools, Techniques, Exploits and Handling led by BJ Gleason
SEC7 Mobile Device and led by Raul Siles
SEC79 Virtualization and Private Cloud led by Dave Shackleford
FOR10 Reverse-Engineering Malware: Malware Tools and Techniques led by Jess Garcia
DEV22 Defending Web Applications led by Jason Lam

Register online and see full course descriptions at www.sans.org/stockholm-201

Save 40 with discount code EarlyBird1 for a 4-day course by 23 March, 201.
EMEA 201 TRAINING EVENTS

For a full list of training events, please visit www.sans.org

Most courses are also available online, via OnDemand. Contact emea@sans.org for information. Dates, Locations and Courses offered subject to change.

LOCATION: DATE
FRANKFURT, 201: DEC 12TH - 17TH
AMSTERDAM, 201: DEC 12TH - 17TH
LONDON, 201: NOV 14TH - 19TH
EUROPEAN SECURITY AWARENESS SUMMIT: NOV 9TH - 11TH
GULF REGION, 201: TBC
DFIR PRAGUE, 201: OCT 3RD - 1TH
OSLO, 201: OCT 3RD - 8TH
LONDON AUTUMN, 201: SEP 19TH - 24TH
ICS LONDON, 201: SEP 19TH - 2TH
BRUSSELS AUTUMN, 201: SEP TH - 10TH
LONDON SUMMER, 201: JUL 11TH - 1TH
PEN TEST BERLIN, 201: JUN 20TH - 2TH
STOCKHOLM, 201: MAY 9TH - 14TH
PRAGUE, 201: MAY 9TH - 14TH
COPENHAGEN, 201: APR 2TH - 30TH
ICS AMSTERDAM, 201: APR 18TH - 22ND
SECURE EUROPE, 201: APR 4TH - 1TH
ABU DHABI, 201: MAR TH - 10TH
LONDON SPRING, 201: FEB 29TH - MAR TH

Course columns: AUD07 DEV22 MGT433 MGT12 FOR408 FOR08 FOR18 FOR2 FOR72 FOR78 FOR8 FOR10 ICS410 ICS1 SEC01 SEC02 SEC03 SEC04 SEC0 SEC0 SEC11 SEC42 SEC0 SEC0 SEC2 SEC SEC73 SEC7 SEC79 SEC17 SEC42 SEC0 SEC70

Course categories: IT AUDIT, DEVELOPER, MANAGE, FORENSICS, ICS/SCADA, SECURITY