SANS Industrial Control Systems Security Blog

Active Defense as a Strategy - ICS 515 and Making Better Defenders

Editor's Note: This is a guest Blog Post from Robert M. Lee, the author and instructor for the SANS ICS515 course.

The new SANS ICS 515 class "Active Defense" is not just a class to train individuals in skills and tools - it is about teaching defenders an effective and tested strategy for undertaking the enduring battle for secure infrastructure. The course uses a strategy I developed while working with ICS in the military titled the Active Cyber Defense Cycle (ACDC). The strategy focuses on four key tenets that occur in concert to help defenders identify and respond to adversaries in a meaningful and sustainable way. The four components are: Threat Intelligence Consumption, Asset Identification and Network Security Monitoring, Incident Response, and Threat and Environment Manipulation. The ultimate idea is to be able to use information from inside and outside of your organization to identify, understand, and monitor your networked infrastructure while looking for threats. Once a threat is identified, the defenders can respond to it through incident response and then interact with the threat through methods such as malware analysis to learn from it and adapt appropriately. The components of the cycle feed each other, and through its repetition organizations learn and become better. Participants in the class will get experience with leading tools and skill sets, but more importantly they will take away strategic thinking towards defense.

Too often in the security community, both in OT and IT, we defenders look to the immediate instead of the big picture. A network breach is seen as a failure even when defenders do not lose anything of value or attackers do not gain access to their intended target. Defense tools are seen as failing for not stopping every breach. Investments in security are seen as wasted resources because of myths such as "the attacker always wins." Ensuring reliable and safe infrastructure requires doing security - performing security effectively requires an effective strategy that goes beyond single encounters. Attackers are continually persistent and defenders must be as well.

ICS 515 participants can expect to gain cutting-edge training that goes past a traditional defense mindset of hardening systems. The focus is on training security personnel to not only be able to identify what tools to use when, but also what the purpose of their efforts is and where it aligns with the larger mission of their organization. This focus on a strategy also allows defenders to hone themselves in meaningful areas with identifiable paths towards skill progression. But no class would be enticing without labs and cool tools.

The first four days of ICS 515 focus on a single scenario that takes place through four hands-on labs each day. Participants will use tools such as Mandiant's Redline, Wireshark, XPLICO, tcpdump, Volatility, and Security Onion to interact with real-world advanced ICS threats. Upon completion of the four days of slides and sixteen labs, participants will complete a day-long hands-on scenario on day five to reinforce the skills and strategy they have learned throughout the course. The goal is not to create experts in any given skill set but to empower participants to understand what approach is necessary to combat advanced threats and to become familiar with the skills and tools that will make them immediately more effective in their organizations. There is no instant path to becoming an expert in anything, but there are ways to think differently and learn new skill sets that make defenders more dangerous to the adversaries. ICS 515 sets out to do just that - strategic thinking that utilizes the strengths of ICS networks to make defense doable.

Robert M. Lee is the SANS ICS 515 course author and instructor. He gained his start in security as a U.S. Air Force Cyber Warfare Operations Officer working in the U.S. Intelligence Community, where he established and led a first-of-its-kind ICS threat intelligence and intrusion analysis mission. In this capacity he was responsible for identifying nation-state level threats to critical infrastructure and ways to undermine their efforts. He is also the co-founder of the critical infrastructure cyber security company Dragos Security LLC, the author of SCADA and Me, and is currently pursuing his PhD at King's College London. He may be found on Twitter at @RobertMLee.