Active Defense, Offensive Countermeasures And Hacking Back

SANS - John Strand | July 30-August 2


Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy's system. And most importantly, you will find out how to do the above legally.

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. Some of the things we talk about you may implement immediately, others may take you a while to implement. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, attribute who is attacking you and, finally, attack the attackers.

This class is based on the DARPA funded Active Defense Harbinger Distribution live Linux environment. This VM is built from the ground up for defenders to quickly implement Active Defenses in their environments. This class is also very heavy with hands-on labs. We will not just talk about Active Defenses. We will be doing hands-on labs and, through them, learning to apply Active Defenses in a way that can be quickly and easily implemented in your environment.

Who Should Take this Course

Security Professionals and Systems Administrators who are tired of playing catch-up with attackers.

Student Requirements

Basic OS understanding of Windows and Linux and a basic understanding of TCP/IP.

What Students Should Bring

  • Host system with at least 4 Gig of memory
  • VMware Player, Workstation or Fusion
  • Windows XP, Windows 7, or OS X
  • Bring Linux as a host OS, if and only if you know Linux
  • Functioning Ethernet Port
  • Admin rights to system with the ability to disable AV
  • Functioning USB Port
  • 10 Gigs of Free Hard Drive Space

What Students Will Be Provided With

Class books and a DVD with the necessary tools and the OCM VM, which is a fully functional Linux system with the tools of OCM installed and ready to go, both for the class and for use in your work environment.


John Strand is the Owner of Black Hills Information Security (BHIS), and has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. John is also an instructor and course author of BlackHat's "Active Defense, Offensive Countermeasures, and Hacking Back" and the SANS Institute's "Hacker Tools, Techniques, Exploits and Incident Handling" classes. John is co-author of the "Offensive Countermeasures: The Art of Active Defense" book and is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.

Black Hills Information Security (BHIS) is based out of the beautifully rugged Black Hills of South Dakota. We're a group of adventuresome individuals who find that Information Security is a lot like the other activities we enjoy - skiing (both downhill and cross country), hiking, rock-climbing, camping, spelunking, and fishing. We enjoy those activities because they have an innate sense of adventure tied to them - they present a great challenge, and when we meet that challenge we feel a rewarding sense of accomplishment. Information security is no different. We dive into the wilds of the internet, the dark recesses of uncharted territory, to keep your business and organization safe - man versus wild, good versus evil, safe versus compromised. Even though our company spans the nation - with employees in every far corner - we bring our sense of adventure, which carries over into the work we do and love. Our employees perform security assessments and training around the world and are familiar with privacy laws in the US, Canada and EU.