AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

SANS SEC401 – Comprehensive Review

To get started in InfoSec, one must drink from the fire hose eventually 

First, I want to apologize for the very late posts over the last month or so. My life has been a little chaotic bouncing between a few different things, and I went on holiday for a few weeks and was told no laptop :). But alas. For this post, I wanted to jump into something that has been very near and dear to me: SANS courses. I’ve done a lot of them…20 to be exact. I am humbled that various employers and military benefits have put me through many of these classes. With that in mind, I want to pass on my thoughts about the courses I’ve taken recently, in order to provide some semblance of reassurance (or not?) about whether a class is actually worth it to you and potentially your employer. Let’s face it, these are not cheap courses to attend. But there are reasons for that, which I will not get into now. Just realize there is a lot that goes on behind the scenes to keep SANS as the most up-to-date InfoSec training going full steam ahead. 

With that said, the first course I wanted to touch on is the most foundational one SANS puts on. Yes, there is a 300-level course, but I have not taken that…nor will I probably ever. But you may be asking, “Tony, why did you take the 401-level course then?!” And I can tell you why: the SEC401 course is one of the 3-5 courses you must take in order to sit for the GIAC-GSE (Global Security Expert) certification. As such, because that cert renews all of your other certs from GIAC, it is something near and dear to me to obtain in order to save a serious amount of money. 

So What Is SEC401?

SEC401, or Security Essentials Bootcamp, is essentially a middle ground between CompTIA’s Security+ and ISC2’s SSCP certifications. Don’t be misled by the 400-series numbering convention though. This is a class where you are going to learn from a fire hose. What you already know within Information Technology will dictate how well you are going to grasp some of this information as it is thrown at you. If you want to see a full listing of what you’ll learn, head over to the course page on the SANS website and you can read what each day entails. Also note that SANS now tells you what the labs are for the class too! Extremely helpful if you want to see whether a class is more lecture heavy or exercise heavy. Just note, this course/cert is just like the peer certifications I mentioned above: you will learn a mile’s worth of information, but you’ll only scratch the surface of what it really is. Meaning you will get a very concise overview of the specific topics and maybe a little more depth depending on the instructor. Don’t expect to walk out and start dissecting TCP headers and writing Python scripts to parse the MFT. 

A big thing to remember with this class: it is what SANS calls a Bootcamp. What does that mean? These are 10-11 hour days, not 8 like you get with something like FOR508 or even SEC560. That also means if you are attending in person, you will get a normal break around 1500 local time and that is it. When everyone else is packing up at 1700, you are going to be sitting in class still for another 2-3 hours. Tie in NetWars or Night Talks and you can seriously be in for a rough week. Plan your dinner accordingly and don’t be afraid to bring a few snacks (and caffeine) in with you in the afternoon. Oh, and if that isn’t enough…this is SIX (yes 6!!) full days of course lecture. There is no Day 6 challenge. That means you are in class for close to 60 hours…be ready for that! 

Book 1 

Book 1 is going to get your feet wet in the deep end of the pool quicker than green IT/Management folks are probably going to want. In my opinion, the material is sound, but the fact that you are going over it in such rapid succession can be overwhelming on the first day. I’m not going to regurgitate what SANS has already provided on their own website, but be prepared to go over things like Network Architecture/Topologies, Cloud Services, TCP/UDP and Wireless. This is the day you are going to find out if you are prepared for the material or not. Because it is only going to get harder as the week progresses on ya. I liken this day to ISC2’s SSCP in that multiple domains are covered from an IT Security standpoint. This means sysadmins and others outside of, say, a SOC/CSIRT would gain immense benefit from this day. 

Book 2

Book 2 is what we would call a “Blue Team” book. It is all about Defense and Hardening. Things you’ll go over include the Critical Controls that SANS is well-known for. Along with that, you can expect to finally see the CIA triad (Confidentiality/Integrity/Availability) explained in depth. This book will scratch the surface of things like Active Directory/Domain Controllers and passwords. You’ll spend so much time on passwords and password rules during this book that you’ll feel like a SME when you get back to your office. Lastly, the scary “APT” will be defined in depth, with specific examples covered. This is the book that most closely resembles what you would see in CompTIA’s Security+. 

Book 3

By this point in the class, your head is going to be absolute jelly. Largely because you’ve just sat through 20 hours of lecture and you’re only going into the third day. But this is probably my favorite day of the week, as it is Threat Management. This is your Red Team introduction day. You’ll see tools like nmap and other vulnerability-scanning tools that can help an analyst understand what is going on within the network. The day is laden with Pen Testing examples and methodologies. 

The other half of the day is focused on Endpoint and Perimeter defenses, so Firewalls and HIDS/NIDS. Snort is covered and students get to play with it in a lab. This is largely because it is free and many of the other classes focus on that software (SEC503 being the big one). 

Book 4

So if that isn’t enough, day 4 is the infamous cryptography day. What makes it infamous? Largely that you’ve now gone through 30 hours of course lecture and you STILL have 2 more days of this class. 

So half of this day is set aside for the Incident Response portion of the course. The other half is for all things crypto. The IR side looks at hashing, password cracking and stego. The crypto side goes in depth on things that will look familiar to anyone who has taken an IT college course or certification: Symmetric/Asymmetric, Public/Private Key, Full Disk Encryption, Certificate Authorities, etc. What you may not have seen from other courses is VPNs and GPG encryption. From what I’ve seen, other certifying bodies like CompTIA or Cisco largely do not focus heavily on those technologies. 

Book 5

This is the largest book for the entire course. I just looked at mine and it was close to 400 pages. That is a lot of material. More so than most other 5-day courses combined! If you are a Sys Admin, or have played in a Sys Admin role before, this is going to be a very quick and easy day for you. If you have not been one, this is a day that will have you feverishly wanting to write notes. This is literally everything to do with Windows Security: things like NTFS Permissions, Domain/Group Policies, Password Enforcement, Windows Firewall setup, AppLocker, etc. Seriously, go look at the SANS syllabus and see what is all listed; extensive isn’t the word I would use for it! At the end of the day there is a section that claims to go through Forensics. As someone who does forensics, this isn’t forensics so much as making sure proper logging is activated for Event Logs and other aspects of the machine, so that you can recreate an incident if you are compromised. This is a very essential day if you interact with Windows machines at all in your environment. 

Book 6

Finally, the last book is on Linux Security. Shockingly, this is probably the one day that I think students get the MOST out of. For the other 5 days, most folks probably know 1 or 2 of the modules through experience and/or research. This is an area where most folks just don’t have the “hands on” knowledge of how Linux works and its intricacies. This makes the day really beneficial in my opinion. It also is going to lay a great foundation of knowledge for anyone who plans on taking future SANS courses, regardless of Blue Team/Red Team/DFIR. Why? Well, dang near every class comes with a Linux VM where you are doing things within it. This class is going to make sure YOU know what commands to use and where to go for certain types of files, which will make you successful in those classes and in the real world. It also will save you from the 2-3 hour bootcamp course they give on Day 1 at any SANS Event, where they crash course you through Linux to get you up to speed. 

My Thoughts? 

Overall, this is a great class for those who are just breaking into either IT Support or InfoSec. There is now a manager course that crash courses through most of this material, so if you are going to be a manager of an IT group, take that class instead. That is mentioned in the syllabus provided on the SANS website that I referred to earlier. If you are someone who has 4+ years of experience or a Bachelor’s in this field already, much of this class is going to be trivial to you, is my guess. That doesn’t mean you won’t learn something from it though! Heck, even I learned some good stuff in this course I didn’t know before taking it. But if you are planning on taking this more as an elective through your employer, I would tell you to probably find something different. If this class is required for you (DoD, I’m looking at you…), then be ready to suck it up and get your thinking cap on. 

Lastly, I feel I need to bring up the three different delivery options that SANS provides for prospective students. Sometimes travel isn’t possible to a location where training is being put on, or duty calls and you’re not able to leave work because of something that is going to keep you in the office. 

LIVE: This is the type of training that almost everyone and their brother is going to tell you to take. Reasons always include: “you get to network,” “you get to do NetWars,” “you get to listen to Night Talks,” and of course my favorite, “you get to go somewhere on the company’s dime!” 

Overall, the live training is certainly worth it. However, networking is at your leisure, not SANS’s. If you are an introvert, it is going to be hard for you to really make new friends in this environment. While in class, you most likely are not talking to other students on break anyway. These are literally 8+ hour days of hard-nosed lecture from the foremost experts in the craft. Everyone is there at a crazy cost, so they are not going to interrupt or miss classes just to network and hopefully find a new job. The night talks are good, but most get published online as a webcast in some form anyway. Just remember, you are on a schedule when you attend in person. You don’t get access to the material online in the ways that the other methods provide. 

Simulcast: Probably my favorite. You get the newest material being taught, can still watch the lecture as if you’re in class, ask questions in real time, and you can do it from pretty much anywhere. They use GoToMeeting as the method of transmission and it’s pretty decent if you’re in the region (North America, EMEA, APAC) where the course is being taught. What makes this my favorite, though, is that if you need to go do something else (or take a call) you can simply turn the speakers off and do whatever it is you need to do. Say you know a module pretty well; if you elect to, you can simply go do something else or work ahead. You’ll have the books after all. And you get those books, by the way, about a week earlier than the live students do. That means you can pretty much have gone through all the labs once or twice before the class has even started. And if you have issues with the labs at all, SANS has people available during the class (and after) to help you out with that. 

OnDemand: Another favorite of mine, and my typical “go to” method of delivery. But why wouldn’t this be my favorite then? Well, simulcasts are only available every so often and are specific to the classes. So say I want to take FOR508 but the next simulcast is in March 2019; I would have to wait until then to get into the simulcast. Whereas with OnDemand, you are going to get access to the material literally the day you purchase the course. You’ll get the books shipped to you just as you would with Simulcast, and you’ll then get a new link on your SANS portal that gives you access to the OnDemand content. In there you’ll find your class. It is literally a breakdown of a real lecture that was taped at some point during that year, and they’ve broken it down by module. This is fantastic if you already know the Snort material and want to skip that piece of the lecture, because now you can literally skip it. What makes this great for me is you can pick it up and leave it when things come up. You have 120 days of access to the material online and you can move at your own pace. I typically finish them in about 60 days. What makes it great too is you can always go back and relisten to material that you didn’t get. SANS also has SMEs available to help out dang near 24/7 if you have questions or get stuck on labs. This is quite possibly the best option out there if you want to save money on travel and do the class at your own pace, so the fire hose learning isn’t nearly as daunting as it would be normally. 

For this class, I would strongly advocate either Simulcast or OnDemand. Day 6 is the only day that is 8 hours. The rest are right around 10-11ish if the instructor is behind. That means you’re basically pushing 60 hours of class in a week. That is too much in my opinion. With the other two, you get some more latitude to get up and move around or go and get food whenever you’re hungry/thirsty. With simulcast, you even get access to the recordings after the day is done as well. So if you need to step away for even a long duration, you can always go back and watch it later. 

Hope this helped anyone who may or may not have thought about taking this class!
