I am trying to get my company sponsorship for your class at Black Hat. However, I was ask to justify between your class and SANS 503, Intrusion Detection In-Depth.
Would you be able to provide some advice?
That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers.
Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform to justify their approach. The two classes are very different, each with a unique focus. It's up to the student to decide what sort of material he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't see anything specifically "wrong" with the SANS approach, but I maintain that a student will learn skills more appropriate for their environment in my class.
- TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class.
When you attend my class you get three handouts: 1) a workbook explaining how to analyze digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's guide answering all of the questions for the 15 cases. There are no slides aside from a few housekeeping items and a diagram or two to explain how the class is set up.
When you attend SANS you will receive several sets of slide decks that the instructor will show during the course of the class. You will also have labs but they are not the focus of the class.
- I designed TWS2 to meet the needs of a wide range of students, from beginners to advanced practitioners. TWS2 attendees typically finish 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we cover certain cases at checkpoints during the class. A few students have completed all 15 cases, and I often ask if those students are looking for a new opportunity with my team!
- TWS2 is about investigating digital evidence, primarily in the form of network traffic, logs, and some memory captures. The focus is overwhelmingly on the content and not the container. SANS spends more time on the container and less on the content.
For example, if you look at the SANS course overview, you'll see they spend the first three days on TCP/IP headers and analysis with Tcpdump. Again, there's nothing wrong with that, but I don't care so much about what bit in the TCP header corresponds to the RST flag. That was mildly interesting in the late 1990s when that part of the SANS course was written, but the content of a network conversation has been more important this decade. Therefore, my class focuses on what is being said and less on how it was transmitted.
- TWS2 is not about Snort. While students do have access to a fully-functional Sguil instance with Snort alerts, SANCP session data, and full content libpcap network traffic, I do not spend time explaining how to write Snort alerts. SANS spends at least one day talking about Snort.
- TWS is not about SIM/SEM/SIEM. Any "correlation" between various forms of evidence takes place in the student's mind, or using the free Splunk instance containing the logs collected from each case. If you consider dumping evidence into a system like Splunk, and then querying that evidence, to be "correlation," then we have "correlation." (Please see Defining Security Event Correlation for my thoughts on that subject.) SANS spends two days on fairly simple open source options for "correlation" and "traffic analysis."
- TWS cases cover a wide variety of activity, while SANS is narrowly focused on suspicious and malicious network traffic. I decided to write cases that cover many of the sorts of activities I expect an enterprise incident detector and responder to encounter during his or her professional duties.
I also do not dictate any single approach to investigating each case. Just like real life, I want the student to produce an answer. I care less about how he or she analyzed the data to produce that answer, as long as the chain of reasoning is sound and the student can justify and repeat his or her methodology.
I hope that helps prospective students make a choice. I'll note that I don't send any of my analysts to the SANS "intrusion detection" class. We provide in-house training that includes my material but also focuses on the sorts of decision-making and evidence sources we find to be most effective in my company. Also please note this post concentrated on the differences between my class and the SANS "intrusion detection" class, and does not apply to other SANS classes.