Wednesday, December 30, 2009

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked:

I am trying to get my company's sponsorship for your class at Black Hat. However, I was asked to justify choosing between your class and SANS 503, Intrusion Detection In-Depth.

Would you be able to provide some advice?


That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers.

Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform to justify their approach. The two classes are very different, each with a unique focus. It's up to the student to decide what sort of material he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't see anything specifically "wrong" with the SANS approach, but I maintain that a student will learn skills more appropriate for their environment in my class.

  • TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class.

    When you attend my class you get three handouts: 1) a workbook explaining how to analyze digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's guide answering all of the questions for the 15 cases. There are no slides aside from a few housekeeping items and a diagram or two to explain how the class is set up.

    When you attend SANS you will receive several sets of slide decks that the instructor will show during the course of the class. You will also have labs but they are not the focus of the class.

  • I designed TWS2 to meet the needs of a wide range of students, from beginners to advanced practitioners. TWS2 attendees typically finish 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we cover certain cases at checkpoints during the class. A few students have completed all 15 cases, and I often ask if those students are looking for a new opportunity with my team!

  • TWS2 is about investigating digital evidence, primarily in the form of network traffic, logs, and some memory captures. The focus is overwhelmingly on the content and not the container. SANS spends more time on the container and less on the content.

    For example, if you look at the SANS course overview, you'll see they spend the first three days on TCP/IP headers and analysis with Tcpdump. Again, there's nothing wrong with that, but I don't care so much about what bit in the TCP header corresponds to the RST flag. That was mildly interesting in the late 1990s when that part of the SANS course was written, but the content of a network conversation has been more important this decade. Therefore, my class focuses on what is being said and less on how it was transmitted.

  • TWS2 is not about Snort. While students do have access to a fully-functional Sguil instance with Snort alerts, SANCP session data, and full content libpcap network traffic, I do not spend time explaining how to write Snort alerts. SANS spends at least one day talking about Snort.

  • TWS is not about SIM/SEM/SIEM. Any "correlation" between various forms of evidence takes place in the student's mind, or using the free Splunk instance containing the logs collected from each case. If you consider dumping evidence into a system like Splunk, and then querying that evidence, to be "correlation," then we have "correlation." (Please see Defining Security Event Correlation for my thoughts on that subject.) SANS spends two days on fairly simple open source options for "correlation" and "traffic analysis."

  • TWS cases cover a wide variety of activity, while SANS is narrowly focused on suspicious and malicious network traffic. I decided to write cases that cover many of the sorts of activities I expect an enterprise incident detector and responder to encounter during his or her professional duties.

    I also do not dictate any single approach to investigating each case. Just like real life, I want the student to produce an answer. I care less about how he or she analyzed the data to produce that answer, as long as the chain of reasoning is sound and the student can justify and repeat his or her methodology.


I hope that helps prospective students make a choice. I'll note that I don't send any of my analysts to the SANS "intrusion detection" class. We provide in-house training that includes my material but also focuses on the sorts of decision-making and evidence sources we find to be most effective in my company. Also please note this post concentrated on the differences between my class and the SANS "intrusion detection" class, and does not apply to other SANS classes.

8 comments:

Anonymous said...

How does this compare to the new SANS classes for Network Forensics?

http://www.sans.org/security-training/network-forensics-1227-mid

They have been putting up some pretty cool contests at http://forensicscontest.com/

What is your opinion of the contests?

Anonymous said...

Great summary of the differences between both. Now...if you could only make it available in a medium and/or forum other than physical attendance to an event. It's great that you can differentiate your product, however, it's not much use to folks that need it and cannot attend. Let's face it...companies are looking for any reason not to pay for most training requests these days. Online, snail mail, any other options in the near future?

Anonymous said...

Does your course cover Advanced Persistent Threat case studies as well?

Richard Bejtlich said...

Anonymous 1: In December 2008, Elizabeth Estabrooks from SANS contacted me to review the SANS network forensics class by April 2009. I declined, citing a conflict of interest. Looking at the network forensics class description, it looks like it covers a lot of the basic skills I would expect a pcap- and log-literate analyst to be able to accomplish. I would say my cases are more advanced and holistic; for example, the focus of a case won't be "examining and extracting" "ICMP and DNS tunnels." That could be part of one of my cases, but not the focus.

Regarding the contests, I think they are a good way for junior analysts to become familiar with pcap and log review. In some ways I am surprised contestants are writing so many tools to answer the challenges. There are tools already written that can do a lot of that work, but I imagine the contestants do not know about them. In other ways I am not surprised they are writing tools, since writing a tool that does just what the investigator wants is sometimes the best way to analyze a case.

Regarding other ways to deliver content, I am considering working with Pearson to create "Video Mentor" modules. However, I would probably write a new book before I would create Video Mentor classes.

Regarding APT, I don't have a case called "APT". However, I have APT-like elements spread across some cases, and I estimate the class's interest in knowing more about APT. I decided to be careful about APT because you never know who is in the audience.

My classes always spend time on enterprise incident detection and response operations, and I focus on answering student questions. That is one reason why I don't aggressively pursue canned material, since it doesn't match the nature of the class at hand.

Anonymous said...

Hi Richard,

Several months ago I think I read on here a discussion where someone had asked you if you would ever consider releasing some of the older versions of your classes. I can't remember exactly what you said in response to those questions, but somehow I think you said that you were considering releasing something. But I also remember that there was someone who made a very presumptuous post, suggesting that your readers were "entitled" to your IP, and you rightly put that person in his place. So I was wondering - other than the sample case that you released a while back, have you released any others, or do you have any plans to?

Thanks! BTW I really enjoy reading your blog.

Richard Bejtlich said...

Hi Anonymous,

I have no plans to release anything. Thank you.

MPayette said...

I will definitely try to take the TWS2 course in Vegas. This is what I want from this type of course: labs, labs, labs.

I hope to see you in Vegas

Anonymous said...

I took SANS 503 and I really found it a waste of time and money. Unlike other SANS classes, this class looks and is OLD.

It spends TWO days on tcpdump and only 2 slides on tshark. Correlation is two days, and the benefit from them was really minimal.

You don't get coverage of new attacks, examples, etc.

I was really disappointed.