SANS Institute InfoSec Reading Room - SANS.org

Page created by Harold Ruiz
 
CONTINUE READING
SANS Institute InfoSec Reading Room - SANS.org
Interested in learning more
                                                                   about cyber security training?

SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

 Deception Matters: Slowing Down the Adversary with
 illusive networks®
 Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost
 the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber
 rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In
 this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection
 capabilities to show cyber deception in action.

                               Copyright SANS Institute
                               Author Retains Full Rights
SANS Institute InfoSec Reading Room - SANS.org
Deception Matters: Slowing Down the Adversary
           with illusive networks®

              A SANS Product Review
                Written by Eric Cole, PhD
                       May 2017

                      Sponsored by
                   illusive networks®

                                            ©2017 SANS™ Institute
SANS Institute InfoSec Reading Room - SANS.org
Introduction
                                    Based on the number of system breaches, the frequency of compromises and the amount
                                    of damage being caused, it’s clear adversaries have the advantage over organizations
                                    today. It is also evident that what organizations are doing to prevent breaches is not
                                    working, and that the amount of money being spent on security has little to no impact
                                    on slowing down attackers. One reason they have an advantage is they can easily create
                                    an accurate map of their targets and use it to traverse through sensitive systems, all while
                                    hiding under routine procedures and familiar traffic patterns. In addition, most defensive
                                    approaches are passive, meaning they wait for the adversary to make the first move.

TAKEAWAY:                           To go on the offensive, organizations need to use the same stealth and deception their
Deception is a game changer.        adversaries do. Instead of making it easy to find rich targets, what if attackers were
The fundamental benefit of          provided a very realistic but false view of reality, starting with an incorrect road map of
                                    the network, applications and vulnerabilities? What if there were traps and pitfalls on
deception technology is that
                                    every network and every system along that road map? This is the heart of deception:
it creates an illusion of reality
                                    Provide the adversary a false sense of reality and take back the advantage.
in which the adversary cannot
                                    In this paper, instead of just extolling the benefits and advantages of deception, we
differentiate between the two.
                                    explore how to put deception into action with a hands-on review of illusive networks’
                                    deception technology. Using simulated scenarios, we detail how deception works in the
                                    real world to give defenders the advantage.

                                    In testing this product, we knew deception had been deployed and we actively looked
                                    for it. Instead, illusive networks’ technology found us (posing as malicious actors) first
                                    and monitored our every move. No matter what adversaries do or try to do, they will
                                    inadvertently access and trigger an illusive deception and be monitored from the
                                    moment they begin their attack.

SANS ANALYST PROGRAM
                                                                 1                  Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Benefits of Using Deception
                                  If you think you have not been attacked in the past year, you are fooling yourself. Attacks
                                  are happening, as multiple SANS surveys point out,1 but you just aren’t looking in the
                                  right place. This is why organizations can be compromised for two to three years without
                                  detection—adversaries are stealthy, targeted, data-focused and programmed to sneak
                                  past most of the current security technology deployed today.

                                  Deception offers a twofold advantage:

                                         • It provides so many additional targets that it greatly slows down adversaries,
                                           making it harder for them to compromise critical resources.

                                         • It not only gives the defense more time to respond but allows for detailed
                                           monitoring of adversaries to see exactly what they are doing, how they are doing it
                                           and how to stop them.

                                  These two advantages lead to the ultimate goals of security: detecting threats in a timely
TAKEAWAY:                         manner and minimizing the damage.
With the threat vectors that
exist today, organizations need   Anatomy of a Typical Attack
to recognize that they are        Although attacks come in many variations and styles, the majority of them start through
going to be compromised and       endpoints—particularly user endpoints—and then spread laterally through systems,
                                  looking to exploit richer and richer targets. Attackers also routinely attempt remote
be prepared to quickly detect
                                  attacks directly against discovered devices such as DNS servers, web servers and other
threats and prevent damage.
                                  critical systems. They then steal data and credentials from the devices directly and also
                                  use them as launch points to spread laterally inside the network.

                                  Phishing and email-based social engineering are the top means by which attacks
                                  penetrate organizations, according to the SANS 2017 Threat Landscape Survey.2 In the
                                  survey, 75 percent of respondents identified their most impactful threats as initially
                                  entering through an email attachment, while 46 percent also witnessed attacks that
                                  started with users clicking email links.

                                  To compromise the user’s system, the adversary must get the user’s password or exploit
                                  a vulnerability or exposure, such as a lack of error checking, an outdated service or
                                  an application vulnerability. After the system is compromised, the adversary usually
                                  performs further lateral movement, targeting other critical assets similarly across the
                                  network to map the network and locate the richest targets, such as Microsoft Exchange
                                  or database servers.

                                  1
                                      “ Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,”
                                       www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
                                  2
                                      “ Exploits at the Endpoint: SANS 2016 Threat Landscape Survey,”
                                       www.sans.org/reading-room/whitepapers/firewalls/exploits-endpoint-2016-threat-landscape-survey-37157
SANS ANALYST PROGRAM
                                                                         2                        Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Benefits of Using Deception                       (CONTINUED)

                        Beating Them at Their Game
                        Deception systems anticipate these movements and follow, log and interrupt them
                        by turning real endpoints and servers on the network into deception machines when
                        an attacker, attempting any of the aforementioned actions or others, trips the alarm.
                        Meanwhile, the attacker cannot see the real machine, and all of the attacker’s activity is
                        monitored in real time.

                        For example, the bait might be exposing some connection history, credential data,
                        adjacent systems and services in the data that is on the machine the attacker is on.
                        When attackers try to validate the data or connect using the bait, detection turns on,
                        and more and more deceptions—100 times more machines and accounts than actually
                        present, for example—cause the attackers to waste cycles while never knowing they’ve
                        been had.

 Whatever adversaries   The deployed deception comprehensively and strategically integrated with our review
     try, they will     environment (a virtual host and server architecture), greatly increasing the attack surface
                        for the attacker to fumble around in, as diagramed in Figure 1.
 unwittingly access a
  deception—and be
  monitored from the
  moment an attack
       begins.

                                        Figure 1. Deceptive Attack Surface from the Attacker’s Perspective

                        At any time, security personnel monitoring the actions can lock out the attacker; some
                        can be handled automatically through policy, while activities are logged and saved for
                        future detection and response.

SANS ANALYST PROGRAM
                                                    3                     Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Benefits of Using Deception                      (CONTINUED)

                                   The illusive Deceptions Everywhere® Solution
                                   Today, deception techniques are quite different than honey pots of the past, in that
                                   deceptions are now more widely distributed, much more interactive with the attacker’s
                                   actions, and more difficult for attackers to detect. With illusive’s Deceptions Everywhere
                                   solution, deception is fully integrated across the entire network at multiple levels, with
                                   deception so realistic that it fooled us and is almost impossible to bypass.

                                   Intelligent Policy
                                   Deceptions Everywhere is an intuitive, easy-to-use management solution that allows
                                   deception techniques to be deployed in a scalable manner with minimal overhead.
                                   With a few point-and-clicks, we were able to deploy and configure deceptions across
                                   the simulated test environment. The solution also learns about and understands the
                                   environment, and then autonomously creates and deploys deception techniques that fit
TAKEAWAY:                          within the environment and are adaptive and updatable.
While the power of deception
                                   It then automatically deploys deceptive policy on each endpoint and server on the
has always been recognized,        network, leveraging artificial intelligence (AI) to determine if a certain type of deception
the problem with wide-             is appropriate or not on a per-endpoint basis.
scale deployment stems
                                   The result is a deception deployment that is customized to every endpoint and server
from three main areas:             on the network to look even more realistic to the attacker. The environment is then
scalability, manageability         monitored for any changes, new deception suggestions are automatically generated,
and believability. With illusive   and with just one click, the new deceptions are applied to the policy. See Figure 2.

networks’ solution, these
challenges have been solved.

                                                         Figure 2. User Names Generated for Deception Servers

SANS ANALYST PROGRAM
                                                               4                    Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Benefits of Using Deception                        (CONTINUED)

                            Architecture
                            The Deception Management System™ (DMS) is responsible for deploying realistic
                            deceptions across the network that adapt to the current environment, and the illusive
                            Trap Server is the server attackers are sent to once alarms are triggered. Because the
                            solution is agentless, it requires no modification to existing systems or installation of
    In setting up the       software for the trap servers to operate.
    environment, it         When we (acting as our mock attacker) attempted to use and access a server by trying to
   was obvious that         log in and access a share, we were sent to the Trap Server. From there, our mock attacker
                            looked at connection history from the registry by dumping the browser database or
Deceptions Everywhere
                            employing search techniques on disk while using commands built into the operating
 is not a tool but rather
                            system. All this activity, which is not usually detected by other security tools, triggered
  a solution. In using      more deceptions and so on. See Figure 3.
  the product, it was
   evident that it is a
  preconfigured plug-
   and-play solution.
 Network discovery is
  automatic, network
   analysis is built in,
 and it all deploys via a
  single mouse click.
                                          Figure 3. Attacker in Action: illusive networks Adapting to the Adversary

                            The general environment we tested was a virtual machine environment that simulated
                            a real-world environment. Also, we ran though several real-world case studies and
                            capture-the-flag exercises to verify and validate the authenticity of illusive networks’
                            approach to deception.

SANS ANALYST PROGRAM
                                                         5                     Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Review and Use Case Scenarios for Deceptions Everywhere
                                 The two areas that cause the biggest issues for CIOs are agent solutions and in-line
                                 devices. The illusive networks agentless solution is not in-line and requires no changes to
                                 an existing infrastructure.

                                 Key Components of Deception
                                 In testing the DMS, we took a four-part approach to deploying deception within our
                                 mock environment:

                                     1.	Analysis. For deception to be effective, it must be realistic and comprehensive,
                                         and cover all key areas of a network. If a deception technique is deployed on
                                         only the DMS or open ports that are not being used by the organization, it is not
TAKEAWAY:
                                         believable and therefore not effective. When we worked with the solution, the
If attackers can avoid and
                                         product adapted to and understood the environment with minimal interaction.
bypass deceptions, such
                                     2.	Deployment. Deceptions are non-impactful on legitimate users and network
measures offer little value to
                                         and system operations, but impactful on the adversary. To slow down the
the organization because they            adversary (us), illusive forced us to access multiple deception techniques.
don’t slow down or catch the
                                     3.	Monitoring. From initial compromise to setting up a pivot point to lateral
adversary.
                                         movement, all malicious activities were automatically monitored so proper
                                         action could be taken to control the overall damage. The illusive interface was
                                         easy to use and allowed us to quickly see the before-and-after analysis of what
                                         was deployed.

                                     4.	Adaption. IT environments are always changing and adversaries are constantly
                                         learning, so deception must constantly be changing and adapting. As new
                                         servers are added to an environment, old servers are removed and the network
                                         is redesigned. As we made changes to the environment and deployed new
                                         legitimate systems in our review, the solution automatically adapted and
                                         changed the deception policy that was deployed.

SANS ANALYST PROGRAM
                                                               6               Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Review and Use Case Scenarios for Deceptions Everywhere                                                   (CONTINUED)

                       Policy Management
                       The key to this solution is the policy deployment and management, which began with
                       the DMS deployment, as stated earlier.

                       First, it used artificial intelligence and various machine learning techniques to
                       understand the environment, and automatically deployed deception techniques that
                       mirrored and aligned with our review network infrastructure. See Figure 4.

                                  Figure 4. Overview of Deception Techniques Deployed in the Test Environment

SANS ANALYST PROGRAM
                                                    7                   Deception Matters: Slowing Down the Adversary with illusive networks®
SANS Institute InfoSec Reading Room - SANS.org
Review and Use Case Scenarios for Deceptions Everywhere                                                   (CONTINUED)

                       Then, it automatically monitored and adjusted the deception techniques for each device
                       and server so we could focus on monitoring and tracking the adversary, as shown in
                       Figure 5, and not on installing and maintaining deception patterns.

                           Figure 5. Deceptions Everywhere’s Adaptive Techniques, Tailored to Our Review Environment

                       The screenshot in Figure 5 shows the deception that was deployed and the activity of
                       the adversary.

                       Machine Learning
                       DMS uses machine learning to engage each server or workstation and learn the unique
                       activities of each system on the network. This information was used to generate
                       deceptive policy reflecting the unique characteristics of the review environment.

                       While the solution allows an organization to tune and adjust, it can also be implemented
                       automatically with minimal administrator oversight. Initially we asked illusive’s interface
                       to make all of the decisions, and it effectively deployed realistic deception measures
                       across our mock environment.

SANS ANALYST PROGRAM
                                                    8                   Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere                                                   (CONTINUED)

                       For example, in our review, illusive’s DMS learned the conventions and standards of
                       the virtual business and generated unique system names and usernames (targets for
                       attackers) for use with deceptive services and credentials, as shown in Figure 6.

                                       Figure 6. Deceptive Server Names that Were Automatically Created

                       We could choose to be involved in setup and customization as much or as little as
                       we wanted. This indicated advancements in maturity of deception technologies
                       and their uses. The policy was then intelligently deployed and managed across the
                       environments so that every endpoint and server had deceptive data that was unique
                       and indistinguishable from the organic data on each machine (so it could not be
                       guessed or detected).

SANS ANALYST PROGRAM
                                                   9                    Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere                                                  (CONTINUED)

                       Attacker View
                       To get a better view of the environment through the eyes of the adversary, illusive
                       networks created Attacker View™. The following gives an overview of the “virtual”
                       environment that is created by the DMS for attackers to fall into (see Figures 7 and 8).

                                                    Figure 7. Pre-deception Attacker View

                                                   Figure 8. Post-deception Attacker View

SANS ANALYST PROGRAM
                                                  10                   Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere                                                   (CONTINUED)

                       When we switched from our view to the Attacker View, we could see the fake network
                       from an attacker’s perspective, and the relationships between systems and resources the
                       attacker would map to. In security, one of the rules of success is offense must inform the
                       defense. We saw the attack vectors, represented by the blue circles. These represent the
                       various deception techniques from extraneous servers, fake credentials and deception
                       shares. The Attacker View shows the deceptive entities deployed in the environment that
                       the attacker will try to take advantage of.

                       By combining any mix of deceptive connection information with real or deceptive
                       credential data, the attacker (us) is attempting to target real servers, but instead we are
                       covertly sent to the deception that is deployed without our knowing it. Figure 9 shows
                       the fake vectors used to attract our attacker.

                                               Figure 9. Attacker View Revealing Attack Vectors

                       Attacker View allowed us to understand the real attack vectors by focusing on the risks
                       that actually matter to our environment.

SANS ANALYST PROGRAM
                                                  11                    Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere                                                       (CONTINUED)

                           In Figure 10, Attacker View showed us the threat intelligence to make the right decisions
                           around our attacker’s changing tactics.

                                        Figure 10. Attacker View Displaying Deceptions While Tracking an Attack
  The illusive solution
                           Attacker View also allowed us to make on-the-fly changes to the environment and see
 acted automatically,      the impact it had on the adversary in real time.
adapting with artificial
                           User View
intelligence to changes
                           In User View, we also explored how Administrative, Domain and Local User credentials
   we added to the
                           naturally interact with the real environment. This impact analysis enabled us, acting as
     environment.          administrators rather than as attackers, to understand where concentrations of activity
                           take place and how credentials are used in order to determine how deceptive and
                           traditional security controls can be applied to the organization. See Figure 11.

                                              Figure 11. User View Showing Administrator Privilege Abuse

SANS ANALYST PROGRAM
                                                       12                   Deception Matters: Slowing Down the Adversary with illusive networks®
Attack Scenarios
                       We started with Deceptions Everywhere turned off for our initial testing, and began
                       exploiting the review environment and moving laterally across systems without being
                       stopped. Within a short period, we were able to compromise several systems; had it
                       been a real attack, we could have caused damage—for example, captured additional
                       administrative credentials, accessed critical systems or exfiltrated sensitive data.

                       We then performed similar exploitations and movements with illusive turned on and
                       were easily detected by the system. As the attackers, however, we were unable to
                       detect illusive—we became completely lost in the deceptive data without being able to
                       differentiate between what was real and what was deceptive.

                       Deceptions Reviewed
                       While there are many variations, the three main deception methods utilized for this
                       review were:

                           • Share deceptions. Attackers look for shares as an easy way into a system and
                             sensitive information. Additional legitimate-looking shares were created by illusive
                             to slow down our adversary (us), but also provided valuable insight into what the
                             adversary was doing and attack methods.

                           • Credential deceptions. In this part of the review, we launched an elevation-of-
                             privileges attack, to elevate access from a normal user to a privileged account
                             such as root or admin. When attempting to do this in deceptive accounts, we felt
                             frustration from the perspective of the attacker because it kept sending us down
                             rabbit holes to research further. For the deception administrator it provided an
                             early warning system to show what the adversary (us) was doing.

                           • File deceptions. We wanted to access critical data, which is in files. With deception
                             deployed, this became almost an impossible task because it was difficult to
                             distinguish between legitimate data and fake data, leading us to spend significant
                             time harvesting fake information of little to no value.

SANS ANALYST PROGRAM
                                                  13                  Deception Matters: Slowing Down the Adversary with illusive networks®
Attack Scenarios                    (CONTINUED)

                       Lost in the Deception
                       With deceptions now deployed, it was time to repeat our exploitation of the
                       environment using the fundamental steps to gain access. Along the way, we were met
                       with various deceptions, as described in Table 1:

                                                 Table 1. Malicious Actions and Deceptions
                                        Malicious Actions Taken           Deceptions Deployed

                                        Reconnaissance                    All deceptions
                                        Scanning                          Share deceptions
                                        Exploitation
                                          • Pivot points                    Credential deceptions
                                          • Internal reconnaissance         Share deceptions
                                          • Internal scanning               File deceptions
                                          • Data exploitation               File deceptions
                                        Creating back doors               All deceptions
                                        Covering our tracks               All deceptions

                       Being a little skeptical, we were overly confident launching our attacks in the new
                       environment. Convinced we had identified a path to bypass the deception, we spent
                       time continuing our attack on what we thought were the legitimate systems. However,
                       when we switched and checked the Attacker View, we were embarrassed: Not only was
                       our analysis wrong, but we were caught red-handed by the illusive system. See Figures
                       12 and 13 to view illusive detecting our port scanning activities.

SANS ANALYST PROGRAM
                                                    14                    Deception Matters: Slowing Down the Adversary with illusive networks®
Attack Scenarios          (CONTINUED)

   Even though we
   knew the system
  was deployed and
                                  Figure 12. Illusive User View Detecting Our Port Scan
 knew how the system
worked, this advantage
 proved no match for
   illusive networks.

                                Figure 13. Illusive Forensic Analysis of Port Scan Attempt

SANS ANALYST PROGRAM
                                       15                     Deception Matters: Slowing Down the Adversary with illusive networks®
Attack Scenarios                (CONTINUED)

                           Tracking and Metrics
                           A common shortcoming of many security solutions is that they promise great things but
                           lack a way to track overall effectiveness. A valuable component of illusive’s solution is
                           provision of a variety of metrics to track the benefit of the deployed deceptive measures.
Taking deception to the    See Figure 14.

 next level of maturity,
 metrics enable large-
 scale management of
 deception measures.
 The metrics revealed
   weaknesses and
needed improvements,
and informed us where
 to tune the deception
measures to maximize
   the benefit of the
   illusive solution.                       Figure 14. Overall Dashboard Showing the Metrics for the Deception

                           The illusive DMS platform revealed that our ability to detect an advanced attacker
                           improved over time during our review. Attack surface information from the perspective
                           of the adversary—such as number of lateral movement targets per endpoint or number
                           of lateral movements to reach domain admin credential—was also provided.

SANS ANALYST PROGRAM
                                                        16                    Deception Matters: Slowing Down the Adversary with illusive networks®
Conclusion: Future of Deception
                                    With many persistent, targeted attacks, prevention is in many cases postponing the
                                    inevitable, because the adversary will eventually get in. Therefore, security is going to be
                                    all about timely detection and damage control.

                                    Setting up a virtual world of confusion clearly slows down attackers and makes
                                    their job more difficult, but it is often forgotten that deceptions serve no legitimate
                                    purpose, meaning no one should be connecting to these deceptions. If that occurs, the
TAKEAWAY:
                                    probability of an adversary touching at least one of the deceptive measures is very high,
While deception was originally
                                    which allows for early detection capability.
about slowing down the
                                    The illusive solution provides a comprehensive way to deploy deception across an
adversary, in the future it will
                                    environment with minimal to no human interaction. The deception is highly effective
move toward functioning as          and covert, making it virtually undetectable when deployed within an existing
an early detection tool.            environment. Even the most skilled adversary would access a deception technique,
                                    allowing for early detection of an attack.

                                    Expect deception technology to gain wider use and become more tailored to and
                                    focused on an organization’s critical assets. If the databases’ servers, the applications
                                    themselves and even the tables in the databases all have deception, it raises the
                                    difficulty of attacks to a whole new level of complexity.

SANS ANALYST PROGRAM
                                                                17                  Deception Matters: Slowing Down the Adversary with illusive networks®
About the Author
        Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of
        McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on
        several executive advisory boards and is a member of the Center for Strategic and International
        Studies’ Commission on Cybersecurity for the 44th Presidency. Eric’s books include Advanced
        Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. As
        founder of Secure Anchor Consulting, Eric puts his 20-plus years of hands-on security experience to
        work helping customers build dynamic defenses against advanced threats.

                                                      Sponsor
                              SANS would like to thank this paper’s sponsor:

SANS ANALYST PROGRAM
                                                             18                  Deception Matters: Slowing Down the Adversary with illusive networks®
Last Updated: October 15th, 2018

                    Upcoming SANS Training
                    Click here to view a list of all SANS Courses

SANS Houston 2018                                             Houston, TXUS         Oct 29, 2018 - Nov 03, 2018   Live Event

SANS Gulf Region 2018                                         Dubai, AE             Nov 03, 2018 - Nov 15, 2018   Live Event

SANS Sydney 2018                                              Sydney, AU            Nov 05, 2018 - Nov 17, 2018   Live Event

SANS DFIRCON Miami 2018                                       Miami, FLUS           Nov 05, 2018 - Nov 10, 2018   Live Event

SANS London November 2018                                     London, GB            Nov 05, 2018 - Nov 10, 2018   Live Event

SANS Dallas Fall 2018                                         Dallas, TXUS          Nov 05, 2018 - Nov 10, 2018   Live Event

Pen Test HackFest Summit & Training 2018                      Bethesda, MDUS        Nov 12, 2018 - Nov 19, 2018   Live Event

SANS Mumbai 2018                                              Mumbai, IN            Nov 12, 2018 - Nov 17, 2018   Live Event

SANS Rome 2018                                                Rome, IT              Nov 12, 2018 - Nov 17, 2018   Live Event

SANS Osaka 2018                                               Osaka, JP             Nov 12, 2018 - Nov 17, 2018   Live Event

SANS San Diego Fall 2018                                      San Diego, CAUS       Nov 12, 2018 - Nov 17, 2018   Live Event

SANS November Singapore 2018                                  Singapore, SG         Nov 19, 2018 - Nov 24, 2018   Live Event

SANS ICS410 Perth 2018                                        Perth, AU             Nov 19, 2018 - Nov 23, 2018   Live Event

SANS Paris November 2018                                      Paris, FR             Nov 19, 2018 - Nov 24, 2018   Live Event

SANS Stockholm 2018                                           Stockholm, SE         Nov 26, 2018 - Dec 01, 2018   Live Event

SANS Austin 2018                                              Austin, TXUS          Nov 26, 2018 - Dec 01, 2018   Live Event

SANS San Francisco Fall 2018                                  San Francisco, CAUS   Nov 26, 2018 - Dec 01, 2018   Live Event

European Security Awareness Summit 2018                       London, GB            Nov 26, 2018 - Nov 29, 2018   Live Event

SANS Khobar 2018                                              Khobar, SA            Dec 01, 2018 - Dec 06, 2018   Live Event

SANS Dublin 2018                                              Dublin, IE            Dec 03, 2018 - Dec 08, 2018   Live Event

SANS Santa Monica 2018                                        Santa Monica, CAUS    Dec 03, 2018 - Dec 08, 2018   Live Event

SANS Nashville 2018                                           Nashville, TNUS       Dec 03, 2018 - Dec 08, 2018   Live Event

Tactical Detection & Data Analytics Summit & Training 2018    Scottsdale, AZUS      Dec 04, 2018 - Dec 11, 2018   Live Event

SANS Frankfurt 2018                                           Frankfurt, DE         Dec 10, 2018 - Dec 15, 2018   Live Event

SANS Cyber Defense Initiative 2018                            Washington, DCUS      Dec 11, 2018 - Dec 18, 2018   Live Event

SANS Bangalore January 2019                                   Bangalore, IN         Jan 07, 2019 - Jan 19, 2019   Live Event

SANS Sonoma 2019                                              Santa Rosa, CAUS      Jan 14, 2019 - Jan 19, 2019   Live Event

SANS Amsterdam January 2019                                   Amsterdam, NL         Jan 14, 2019 - Jan 19, 2019   Live Event

SANS Threat Hunting London 2019                               London, GB            Jan 14, 2019 - Jan 19, 2019   Live Event

Secure DevOps Summit & Training 2018                          OnlineCOUS            Oct 22, 2018 - Oct 29, 2018   Live Event

SANS OnDemand                                                 Books & MP3s OnlyUS            Anytime              Self Paced
You can also read