A Real-World Take on SANS SEC760
I recently embarked upon a journey through time and space to learn some new things, challenge myself technically and wipe off the rust of a near-dead skill I once cultivated when cybersec was still a little more space cowboy.
I pondered whether to do SEC660 or just stick to 760, and in the end the latter won out because I didn't want to do a course that teaches you another variant of “Smashing the Stack for Fun and Profit”. I am sure that the course is great, but the truth is that I know how to kill the stack. I wanted to once again be closer to the state of the art. So I picked SEC760, which covered more advanced topics.
The course was broken down into five learning modules with the sixth reserved for a CTF challenge.
Module 1 topics
- Exploit mitigations
- Windows Defender Exploit Guard
- Windows Kernel Mitigations
- Introduction to IDA Pro
- Debugging with IDA Pro
- FLIRT & FLAIR
- Scripting with IDAPython
Module 2 topics (Advanced Linux Exploitation)
- Linux heap management, constructs, and environment
- Navigating the heap
- Abusing macros such as unlink() and frontlink()
- Function pointer overwrites
- Off by One bugs
- TCache Poisoning
- Format string exploitation
- Using format string bugs for ASLR bypass
Module 3 topics (Advanced Fuzzing)
- Fuzzing overview and review of basic fuzzing concepts from SEC660
- Advanced fuzzing theory
- Fuzzing challenges and how to overcome them
- Gathering and viewing code coverage
- Building a fuzzing harness
- Using WinAFL to perform graybox fuzzing on a complex, closed source Windows application
- Overview of full-system and snapshot fuzzing
Module 4 topics (Patch Diffing, One-Day Exploits, and Windows Kernels)
- The Microsoft patch management process and Patch Tuesday
- Obtaining patches and patch extraction
- Binary diffing with BinDiff 5
- Visualizing code changes and identifying fixes
- Reversing 32-bit and 64-bit applications and modules
- Triggering patched vulnerabilities
- Writing one-day exploits
- An introduction to Windows Kernel internals
Module 5 topics (Windows Kernel Debugging and Exploitation)
- Understanding the Windows kernel
- Navigating the Windows kernel
- Modern kernel protections
- Debugging the Windows 10 kernel and drivers with WinDbg
- Analyzing kernel vulnerabilities and vulnerability types
- Kernel exploitation techniques
- Token stealing and information disclosure vulnerabilities
Module 6 (Capture-the-Flag Challenge)
This is just a capture the flag to reinforce things already learned.
I started off with a spring in my step, bright-eyed and bushy-tailed. And honestly, it was good. The first module was just learning, plus some practical exercises to set up a good environment and become familiar with IDA Pro. There was also a 4-month license for IDA, which gave me the chance to see the latest version and delve into the new features added since my last experience with it.
Overall, this module was good in that it introduced me to a lot of developments in preventing exploitation. The vast majority of this was focused on Windows (where most of them have been implemented) and didn’t venture much outside of that area. It was quite fast-paced but overall informative.
The exercises themselves were fun, not particularly difficult, but perhaps something to simply wet the whistle and force some accountability on getting things working for later in the course.
Advanced Linux Exploitation (Rating: 6/10)
Linux heap exploitation was where I started to get stuck into practical exploitation. This was fun, and while some of the challenges were contrived, they were ones that had been released as real challenges in the past. Learning about new developments in the Linux heap was good, and it was nice to be given the chance to write some exploits for it. I liked this module a lot.
Advanced Fuzzing (Rating: 7/10)
I have used (Win)AFL before and found it to be a fantastic framework for fuzzing. At first, I thought there wouldn't be much to learn, but after working through the course some of the depth of its capabilities was revealed, and working through exercises increased familiarity in a way that made it a much more robust tool. The bit I really liked was reversing applications and then writing test harnesses. Going through this process for an example application was great practice. Repetition helped to solidify the process and make it more usable with each iteration. A particularly good thing was the iterative process used to refine the test harness; this helped me to understand how bottlenecks and inefficiencies could slow down the fuzzing process and how to work around them. It’s a shame that there was officially only one solid example, though. I’d have liked to go through 2-3 applications with a bit of hand-holding to get the most out of this module.
Patch Diffing, One-Day Exploits, and Windows Kernels (Rating: 6/10)
This was probably my favourite module. The patch extraction and analysis process was great and I was happy to see a good, refined workflow for this. It has triggered the most post-course work and I’m currently using the insight provided to set up a platform for AnchorSec to help automate vulnerability identification and triage. This will hopefully lead to faster weaponisation. The examples in here were great, and so were the extended exercises.
I wasn’t entirely sure why Windows Kernel Internals was part of this particular module rather than just being part of the next module; it felt a bit tacked on. (I do know why: it’s to fit the course into 6 days.)
Windows Kernel Debugging and Exploitation (Rating: 8/10)
This felt like one of the modules that was very heavy on content. The Windows kernel is its own thing and pretty complex overall. Is one day enough to cover it? Not really. Could one claim to be an expert in kernel exploitation after doing this course? Absolutely not. It just needs more time.
Again, the example content was quite good and fun, if on the easier side of exploitation, but I think the biggest benefit was (again) seeing a good, refined workflow that worked and having the content of the module available to back up what you’ve already done in the course.
Getting insight into the kernel is no small thing, and given the limited time, a lot was covered.
Capture-the-Flag Challenge (Rating: 7/10)
What is there to say about this? 15% of the course is a CTF. Don’t get me wrong, I like the idea of doing a CTF, but in this case it’s a very big portion of a very expensive course that would have served the trainee better if it were replaced with more guided examples of previous content, or just an opportunity to learn more.
I did like that there was a walkthrough of the CTF too.
I know that SANS courses have the CTFs, I just would like to have more learning.
Overall (Rating: 5/10)
I think the OnDemand version is the perfect model for learning. It gives people all the time they need to process new information without holding up the rest of the group, and it allows the re-watching of anything that they didn't pick up the first time. A lot of the content is good, and it’s curated in a way that makes sense.
As the instructors noted, however, each of these topics was simply the tip of the iceberg, and Stephen said that “An entire week could be dedicated just to the Windows Kernel”, so it made me wonder whether this is just an “Advanced Introductory course”. I appreciate there’s a time factor, but I wish there were more days for the course, with the modules built to fit that, rather than the reverse. A good course should be built first and then take the amount of time appropriate for what is being taught, rather than everyone getting bite-sized chunks of information from “introduction to X” type courses. Perhaps it's naive, but I just wanted more.
There were, however, a few things I really didn’t like.
- 4 months access to the content
- Unable to download videos
- Inability to earn a SANS coin
- “Help-desk” like support
- Price
Limited access to the OnDemand content was quite upsetting considering the cost of the course. There are courses for less that provide either unlimited or a full year’s access. For half the price of this course it is possible to get a full year’s access to the entire catalog of Offensive Security’s courseware. If one considers that the last module is a CTF, we’re only getting 5 modules, one of which is relatively introductory. Even though the CTF is a fun challenge and has a walkthrough, it feels like a high cost for 15% of the course.
OnDemand doesn’t allow coins to be gathered either. That’s a shame. Not hugely important but still something that would be nice.
Apropos of price, I did briefly entertain the idea that I would be sent a gold-plated certificate. Instead I only got a digital one. For what this course was, and when drawing a comparison to competitor courses, I believe SEC760 is an outlier in terms of cost.
When this is coupled with the fact that one can’t even download all of the content for a course that costs nearly ten thousand dollars, it starts to hurt a little. Obviously SANS is world-renowned - and honestly has fantastic instructors - but a lot of the markup is simply about the SANS brand.
Overall, would I recommend this course? It is informative and covers a lot of stuff that ultimately gets the blood pumping and security research moving in the right direction. But, and it is a big one, when considering that almost any other course on the same topic comes in at half this price, give or take, it's hard not to feel hard done by. I wonder if they will make 860, 960 and 1060 too.
Overall Rating: 7/10
A Note on the Instructors
Stephen Sims and Jaime Geiger are both engaging and cover the topics in a way that is understandable. I like some of the anecdotes that add a personal touch to the course modules. I hold both of the instructors in high regard, and once involved in the meat and potatoes of the course, it was clear that they were both very knowledgeable. Kudos to them.