Tuesday, May 21, 2019

Review - Dragos Assessing, Hunting and Monitoring of Industrial Control System Networks

Disclosure - I work for a company which subscribes to Dragos services so I got the corporate rate.

Last week I attended Dragos's Assessing, Hunting, and Monitoring of Industrial Control System Networks.  I didn't really have a need to attend this course having previously attended all three courses in the SANS ICS track, but I had to take some vacation and I had bonus money to spend so I packed up and flew my butt to Baltimore.  I arrived on the 13th and left on the 18th.

OK, overall I enjoyed the course.  Especially the first 2.5 days, which covered ICS basics and Assessing ICS networks.  This is the core of my work so it held the most interest for me.  This course had one of the best explanations of the Purdue model I have encountered and a really good explanation of what ICS systems are and how they work.  The exercises with the PLC were good, especially since we used actual Phoenix Contact PLCs, which most classes don't do.  The discussion of ICS protocols was a little rushed but I did learn a couple things so I can't complain much.

Assessment of ICS networks started on day two and the discussion of architectural review was excellent.  Here is my first word of warning - if you attend this class, brush up on Wireshark and reading .pcaps.  I have used Wireshark off and on for years but it's not something I do on a routine basis, so I was out of practice.  This is a major part of the class going forward and it is introduced here.  Be proficient in order to really get the most out of the class.

Threat Hunting started the second half of day three and honestly I felt like it dragged on forever.  The material was good / useful but there was so much and the pacing just felt off to me.  Some of that is my fault too though, as this was the day the jetlag hit and I just couldn't stay focused and awake for the last two hours of the day.  Again, tools are introduced and you would be well advised to be familiar at least with Bro / Zeek and the ELK stack.  Cyberlens is covered in this module and that was pretty fun, and I have some uses for that tool at work that I can now pursue since it is freely distributed now.

Monitoring was the last module.  It continued with the .pcap, Bro/Zeek, etc. exercises.  This module also introduced the Dragos tool.  Honestly that was the least useful section to me as it's not a tool I use or will be using, but if you're using it at work it will be a good exercise.

Like I said overall the course was good and I enjoyed it, but I would have enjoyed it more if I had refreshed my Wireshark and Bro skills.  Don't take what I have said as real criticisms of the class but more as suggestions on how to get the most benefit.

Let me also say that the people at the Dragos office were all exceptionally nice and they fed you pretty well.
