SANS ICS515 ICS Visibility Detection and Response


ICS515: ICS Visibility, Detection, and Response equips you with the essential skills to enhance visibility and asset identification within your Industrial Control System (ICS)/Operational Technology (OT) networks, detect cyber threats, analyze ICS cyber attacks, respond to incidents, and implement an intelligence-driven approach for a robust ICS cybersecurity program, ensuring operational safety and reliability.

This course empowers students to comprehend their networked ICS environment, monitor it for threats, respond to identified threats, and learn from adversary interactions to bolster network security. This approach is crucial for countering sophisticated threats like STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, and ransomware. Moreover, it is essential for managing modern complex automation environments and conducting root cause analysis for non-cyber-related network events. Upon completion, students will possess the fundamental skills required for any ICS cybersecurity program.

Using a hands-on approach, the course provides access to various technical datasets from ICS ranges and equipment, featuring emulated attacks and real-world malware, offering a highly immersive experience in detecting and responding to threats. Students will also engage with a programmable logic controller (PLC), a physical kit simulating electric system operations, and virtual machines configured as a human-machine interface (HMI) and engineering workstation (EWS).

Key Learning Objectives:

- Analyze ICS networks to identify assets and data flows, enabling the detection of advanced threats.
- Implement active defense concepts, including threat intelligence consumption, network security monitoring, malware analysis, and incident response, to safeguard ICS environments.
- Construct a Programmable Logic Controller using the SANS ICS515 Student Kit, which is provided for continued use after the course.
- Develop a comprehensive understanding of ICS-targeted threats and malware, including STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, and EKANS.
- Utilize technical tools like Shodan, Wireshark, Zeek, Suricata, Volatility, FTK Imager, PDF analyzers, PLC programming software, and more.
- Create indicators of compromise (IOCs) using YARA.
- Apply models such as the Sliding Scale of Cybersecurity, Active Cyber Defense Cycle, Collection Management Framework, and ICS Cyber Kill Chain to extract information from threats and enhance long-term ICS network security.

Course Components:

- ICS515: ICS Visibility, Detection, and Response Course
- Courseware
- PDF Guides


Price: $1,895.00
  • Any pre-loaded packaged materials or subscription-based products, including device-based training programs, and courses that include a device, may not be refunded. Digital products including DVDs may be returned for replacement if found defective.

  • Free shipping on all orders within the US. International shipping is available.
