SANS Incident Response and Indicators of Compromise

  • Tuesday, 19 July, 2016 | 09.00 – 17.00 hrs | Melati Room 4111


Note: There’s an additional fee of S$959 + 7% GST to attend the SANS Workshop. Attendance is only open to those registered for RSA Conference 2016 Asia Pacific & Japan.

If your organisation has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. With the rise of 0-days, APTs, and other cutting-edge evasion techniques, it is quite possible that your intrusion detection tools are being bypassed.

In this subset of the popular SANS SEC504: Hacker Tools, Techniques, Exploits & Incident Handling course, the instructor will focus on Indicators of Compromise: the basic clues that indicate your system may have been compromised, from either internal or external sources. By helping you understand attackers' tactics and strategies, the in-depth information in this course will help you improve your security posture.

Lab Requirements

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network. It is the students' responsibility to make sure that the system is properly configured with all the drivers necessary to connect to an Ethernet network.

John Strand has created a video to walk you through the setup requirements for the course. This short 10-minute video will help ensure your system is properly configured and ready for class.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.

You are required to bring Windows 8 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate), or 2012/2008 Server, either as a real system or as a virtual machine. Professional versions only; Home versions will not work.

The course includes a VMware image file of a guest Linux system that is larger than 12 GB. Therefore, you need a file system that can read and write files larger than 3 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

We also require that no enterprise group policies be applied to the system. These policies can and will interfere with our labs.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

If you are using a MacBook or MacBook Pro with OS X 10.8 or later, you will need VMware Fusion 5.0 or later.

VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class.

We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • 2.0 GHz or faster x86-compatible or x64-compatible CPU
  • USB Port
  • 4 GB RAM or more
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • 40 GB available hard drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7, or Windows Vista

As part of this class we will have wireless labs. If the machine you are using is a virtual machine, please bring an external USB wireless card.

If you have additional questions about the laptop specifications, please contact


This document was retrieved from on Sat, 22 Oct 2016 07:41:36 -0400.
© 2016 EMC Corporation. All rights reserved.