SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
ICS515: ICS Visibility, Detection, and Response
ICS515Industrial Control Systems Security
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Robert M. Lee
Course created by:Robert M. Lee
- GIAC Response and Industrial Defense (GRID)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 25 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Acquire critical visibility, detection, and response capabilities to protect ICS/OT environments against sophisticated threats while ensuring the safety and reliability of operations.
Featured Quote
ICS515 is so relevant to my day to day that I feel like I can't take notes fast enough. This is so critical for the ICS and OT community.
Course Overview
This ICS incident response course equips security professionals with practical skills to secure industrial environments. Through hands-on exercises using real industrial equipment, you'll learn to gain network visibility, identify assets, detect threats, and respond to incidents in critical infrastructure and other environments that rely on ICS/OT systems. The curriculum covers advanced defensive techniques against sophisticated threats like STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, FROSTYGOOP, EKANS, and PIPEDREAM. You'll work with a real programmable logic controller (PLC) kit, sector simulation board, and virtual machines that you keep post-course to continue skill development. Leveraging industry frameworks , you'll develop repeatable methodologies to secure industrial environments.
What You'll Learn
- Implement ICS-specific threat detection strategies
- Apply network security monitoring for OT environments
- Perform incident response in operational technology
- Extract intelligence from ICS threat analysis
- Build effective cybersecurity for industrial systems
Business Takeaways
- Improve visibility into ICS/OT asset inventories
- Reduce risk of operational disruption from cyber threats
- Enhance detection capabilities for ICS-specific attacks
- Develop effective OT incident response procedures
- Increase resilience against targeted industrial threats
- Bridge security gaps between IT and OT environments
- Apply intelligence-driven approaches to ICS security
Meet Your Author
Robert M. Lee
FellowA former U.S. Air Force cyber warfare officer, Robert led the NSA’s first mission targeting threats to industrial infrastructure. Now at Dragos, he spearheads global defense of critical systems, shaping national policy and industry threat response.
Read more about Robert M. LeeCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in ICS515: ICS Visibility, Detection, and Response.
Section 1ICS Cyber Threat Intelligence
Learn to leverage threat intelligence to analyze threats, extract indicators of compromise, document tactics, techniques, and procedures, and guide security teams to protect industrial environments.
Topics covered
- Case Study: STUXNET
- Introduction to ICS Active Defense
- Cyber Threat Intelligence Primer
- ICS Cyber Kill Chain
- Threat Intelligence Consumption
Labs
- Building a Programmable Logic Controller
- Structured Analytical Techniques
- Analysis of Intelligence Reports
- ICS Information Attack Space
- Maltego and Shodan Heatmap
Section 2Visibility and Asset Identification
Understand the networked environment to build comprehensive asset inventories and develop effective collection strategies for both industrial operations and security operations.
Topics covered
- Case Study: Bhopal Disaster
- Asset Inventories
- Collection Management Frameworks
- ICS Network Visibility
- IT Discovery Protocols
Labs
- Operating the Process
- ICS Traffic Analysis
- ICS Protocol Analysis
- ICS Network Mapping
Section 3ICS Threat Detection
Develop detection strategies to remain resilient against targeted and untargeted threats, with focus on safely conducting threat hunting and analyzing attack patterns in industrial environments.
Topics covered
- Case Study: German Steelworks Attack
- ICS Threat Hunting
- Threat Detection Strategies
- Case Study: SANDWORM
- ICS Network Security Monitoring
Labs
- Detecting Stage 1 Intrusions
- Investigating Stage 2 Compromises
- Traffic Analysis of Control Manipulation
- Validating System Logic Changes
- Logic Manipulation of Control Elements
Section 4Incident Response
Learn to safely perform ICS incident response with focus on acquiring digital evidence while scoping threats and their operational impact, using forensic techniques tailored for industrial environments.
Topics covered
- Case Study: SANDWORM - Ukraine 2015
- ICS Digital Forensics
- Preparing an ICS Incident Response Team
- Case Study: ELECTRUM and CRASHOVERRIDE
- Initial Compromise Vectors
Labs
- Acquisition in an Operational Environment
- PLC Logic and Protocol Root Cause Analysis
- Analyzing Phishing Emails
- HMI Memory Forensics
- Process Triage
Section 5Threat and Environment Manipulation
Extract information from threats through malware analysis to reduce the effectiveness of threats and create shareable threat intelligence for improved defensive posture.
Topics covered
- Case Study: XENOTIME - TRISIS
- ICS Threat Manipulation Goals
- Environment Manipulation Considerations
- Threat Analysis and Malware Triaging
- YARA
Labs
- Logic Analysis for Root Cause Analysis
Section 6Capstone Day, Under Attack!
A full-day technical challenge where students apply all learned skills to analyze packet captures, logic, memory images, and more from compromised ICS ranges and equipment, simulating real-world scenarios.
Things You Need To Know
Relevant Job Roles
Threat Hunter
Digital Forensics and Incident ResponseThis expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Explore learning pathAll-Source Analyst (DCWF 111)
DoD 8140: Intelligence (Cyberspace)Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Explore learning pathCyber Defense Infrastructure Support Specialist (DCWF 521)
DoD 8140: CybersecurityDeploys, configures, maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Explore learning pathControl Systems Security Specialist (DCWF 462)
DoD 8140: CybersecurityOversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.
Explore learning pathCyber Defense Incident Responder (DCWF 531)
DoD 8140: CybersecurityResponds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.
Explore learning pathIncident Response (OPM 531)
NICE: Protection and DefenseResponsible for investigating, analyzing, and responding to network cybersecurity incidents.
Explore learning pathICS Security Incident Responder
Industrial Control SystemsExecutes specific industrial incident response for incidents that threaten or impact control system networks and assets, while maintaining the safety and reliability of operations.
Explore learning pathICS Security Analyst
Industrial Control SystemsAcquires and manages resources, supports, and performs key industrial security protection while adhering to safety and engineering goals.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Robert M. LeeDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$9,230 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
London, GB & Virtual (live)
Instructed by Kai ThomsenDate & TimeFetching schedule..View event detailsCourse price£7,505 GBP*Prices exclude applicable taxes | EUR price available during checkoutEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Dean ParsonsDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Huntsville, AL, US & Virtual (live)
Instructed by Mark BristowDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Kai ThomsenDate & TimeFetching schedule..View event detailsCourse price€8,630 EUR*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Peter JacksonDate & TimeFetching schedule..View event detailsCourse price$9,365 USD*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Dean ParsonsDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Muscat, OM & Virtual (live)
Instructed by Jason DelyDate & TimeFetching schedule..View event detailsCourse price$9,365 USD*Prices exclude applicable local taxes
Showing 8 of 22
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3Very good for any ICS program, security-focused or not.
- Slide 2 of 3Very good focus on the OT/ICS side & integrated into class.
- Slide 3 of 3This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources