
Course-Flyer SEC573

This document provides an overview of a Python programming course for security professionals. The course teaches Python skills like automating tasks, analyzing logs and network packets, developing forensics tools, and writing custom security tools. Students will learn to leverage Python for tasks like detecting attackers, extracting artifacts, and collecting intelligence. The course covers essential Python concepts over four days of hands-on workshops and challenges.

Uploaded by

h4ckm3omg
Copyright
© All Rights Reserved

SEC573: Automating Information Security with Python

GPYC Python Coder
www.giac.org/gpyc

6 Day Program
36 CPEs
Laptop Required

Python is a simple, user-friendly language that is designed to make automating the tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573: Automating Information Security with Python will have you creating programs that make your job easier and make your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the course.

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don’t evolve with them, we’ll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn’t be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a Penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when “off-the-shelf” tools and exploits fall short? If you’re good, you write your own tool.

SEC573 is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you to better automate the daily routine of today’s information security professional and to achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Be Able To

▐▐ Modify existing open source tools to customize them to meet the needs of your organization
▐▐ Manipulate log file formats to make them compatible with various log collectors
▐▐ Write new tools to analyze log files and network packets to identify attackers in your environment
▐▐ Develop tools that extract otherwise inaccessible forensics artifacts from computer systems of all types
▐▐ Automate the collection of intelligence information to augment your security from online resources
▐▐ Automate the extraction of signs of compromise and other forensics data from the Windows Registry and other databases
▐▐ Write a backdoor that uses exception handling, sockets, process execution, and encryption to provide you with your initial foothold in a target environment

You Will Learn How To:

▐▐ Leverage Python to perform routine tasks quickly and efficiently
▐▐ Automate log analysis and packet analysis with file operations, regular expressions, and analysis modules to find evil
▐▐ Develop forensics tools to carve binary data and extract new artifacts
▐▐ Read data from databases and the Windows Registry
▐▐ Interact with websites to collect intelligence
▐▐ Develop UDP and TCP client and server applications
▐▐ Automate system processes and process their output

“SEC573 is excellent. I went from having almost no Python coding ability to being able to write functional and useful programs.”
-Caleb Jaren, Microsoft

Course Day Descriptions

DAY 1: Essentials Workshop with pyWars
The course begins with a brief introduction to Python and the pyWars Capture-the-Flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture-the-Flag challenges, students who are new to programming will start from the very beginning with Python essentials.
Topics: Syntax; Variables; Math Operators; Strings; Functions; Modules; Control Statements; Introspection

DAY 2: Essentials Workshop with MORE pyWars
You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and tricks to make you a better Python programmer and on how to debug your code.
Topics: Lists; Loops; Tuples; Dictionaries; The Python Debugger; Coding Tips, Tricks, and Shortcuts; System Arguments; ArgParser Module

DAY 3: Defensive Python
In this section we take on the role of a network defender with more logs to examine than there is time in the day. Attackers have penetrated the network and you will have to analyze the logs and packet captures to find them. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltrate your data. Forensicators and offensive security professionals won’t be left out because reading and writing files and parsing data is also an essential skill they will apply to their craft as well.
Topics: File Operations; Python Sets; Regular Expressions; Log Parsing; Data Analysis Tools and Techniques; Long Tail/Short Tail Analysis; Geolocation Acquisition; Blacklists and Whitelists; Packet Analysis; Packet Reassembly; Payload Extraction

DAY 4: Forensics Python
On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don’t do forensics you will find that these skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract those data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations such as SQL databases and interacting with web pages.
Topics: Acquiring Images from Disk, Memory, and the Network; File Carving; The STRUCT Module; Raw Network Sockets and Protocols; Image Forensics and PIL; SQL Queries; HTTP Communications with Python Built-In Libraries; Web Communications with the Requests Module

DAY 5: Offensive Python
On day five we play the role of penetration testers whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for incident response or systems administration, but our focus will be on offensive operations.
Topics: Network Socket Operations; Exception Handling; Process Execution; Blocking and Non-blocking Sockets; Asynchronous Operations; The Select Module; Python Objects; Argument Packing and Unpacking

DAY 6: Capture the Flag
In this final section, you will be placed on a team with other students. You will apply the skills you have mastered in a series of programming challenges. Participants will exercise the new skills and the code they have developed throughout the course in a series of challenges. You will solve programming challenges, exploit vulnerable systems, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

Who Should Attend

▐▐ Security professionals who benefit from automating routine tasks so they can focus on what’s most important
▐▐ Forensics analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
▐▐ Network defenders who sift through mountains of logs and packets to find evildoers in their networks
▐▐ Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
▐▐ Security professionals who want to evolve from security tool consumer to security solution provider

You Will Receive

▐▐ A virtual machine with sample code and working examples
▐▐ A copy of the book Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, which shows how to forge your own weapons using the Python programming language
▐▐ MP3 audio files of the complete course lecture

SEC573 Training Formats

Live Training
Live Events: sans.org/information-security-training/by-location/all
Summit Events: sans.org/cyber-security-summit
Private Training: sans.org/private-training

Online Training
OnDemand: sans.org/ondemand
Simulcast: sans.org/simulcast
