SANS ICS Active Defense and Incident Response - Lessons Learned
This March I attended one really interesting training - SANS ICS Active Defense and Incident Response in Orlando, Florida, led by its author Robert M. Lee. The experience was both exhausting as well as enriching and thought provoking - exactly what I came for.
Two courses in one?
It is important to say upfront that this training is really like a combo-meal, bringing two concepts at once.
A significant amount of time is dedicated to the concepts of active defense in principle and intelligence-driven detection & response - while the second side of the coin has the face of Industrial Control Systems (ICS), the specifics of responding to cyber incidents in this environment, as well as the burden of knowledge required from both the attacker and the defender to be effective.
Two chains keep it together - quite literally, as the killchain methodology is leveraged to explain how one killchain aims towards completion in the IT world, enabling then the initiation and completion of the second killchain in the ICS world, finally achieving the desired “action upon objectives”.
Threat-driven incident response?
My motivation to attend this course targeted the active defense part of it the most, as the ICS/SCADA world and cyber-to-kinetic concepts are more of a personal passion and interest than a job description - and I was not disappointed.
We covered the differences between environmental and threat intelligence driven detections, with their pros and cons in varied scenarios. I was surprised by the inclusion of a working session aimed at threat intelligence consumption and analysis, using the method of competing hypotheses as referenced in Richards Heuer's Psychology of Intelligence Analysis (if you haven't read this book yet, I can highly recommend it) - which clicked really well with the rest of the content, even for other attendees of the course.
Overall, I would not say that the course opened my eyes in this, but it provided much needed perspective, validated some ideas (or challenged them) and maintained rich information sharing, while still being accessible for people of different background.
Hands-on!
Not much to write about the hands-on part of the training, other than the fact it was on point, fun, approachable and educative.
Speaking both of the in-class labs, including the final day dedicated just to them, and of the GridWars two-day challenge: it was fun and thought provoking, starting from easy picks with walkthroughs and evolving into close-to-real-world scenarios with live malware and a realistic simulation of an attack to uncover and investigate.
Wrapping it up
The key takeaway for me from this course was Rob Lee's strong recommendation: "Don't let anyone's first ICS incident response case be yours". I consider myself strong when it comes to incident response and active defense concepts especially, but I gained massive respect throughout this class towards response in the industrial environment, where your mistake will not just cost the company money - it can also cost someone his life. Pretty chilling prospects.
An interesting and, as I understand it, ICS-specific aspect was the small size of the community and its positive & cooperative vibe, as well as the constant reinvention of my existing skills from incident response in the traditional enterprise environment and their application in a new context, finding the differences and the similarities.
What is ahead of me now is a re-read of all the materials (and maybe playing with the lab once again) while preparing for the GIAC Response and Industrial Defense (GRID) certification, but the main objective for me has already been achieved. I have challenged myself, learned something new, gained perspective - and had fun.