The Cyber Defender Program

Course Overview

Cyber Defender is a progression of three courses designed to impart a strong foundation of defensive cybersecurity skills in 30 weeks of part-time study. Development of the 100% project-based, learn-by-doing program was funded, in part, by the Department of Defense (under agreement C5-16-0023), and the curriculum was designed in conjunction with DoD-selected experts.

Price: $6,100.00

In addition to the task-based curriculum, an implicit curriculum runs throughout the program via which students learn and practice the cognitive skills essential for success in all areas of information security. These include:

  • Understanding complex, novel problems
  • Effectively researching solutions
  • Designing and testing solutions
  • Making evidence-based decisions
  • Communicating effectively with stakeholders
  • Self-directed learning

Given the constantly changing nature of threats and challenges, these skills are arguably of equal or greater importance than the task-specific skills students learn. Students must pass each successive course to be eligible to continue.

Cybersecurity Immediate Immersion

Cybersecurity Immediate Immersion is designed to impart basic cybersecurity skills to help students determine if careers in cybersecurity are right for them.

Key Skills

Thinking like an attacker, analyzing and verifying intrusion detection system alerts, network traffic analysis, and conducting online technical and open source intelligence research

Tasks:

Students learn to think like attackers. They investigate a defense contractor’s website surreptitiously, fix a vulnerability, and remove malware. To accomplish this, they must use an LFI exploit uncovered by human intelligence to access the webserver themselves and then crack the webmaster’s encrypted password, so they can remove the malware and patch the vulnerability that left the system open to attack.

OBJECTIVE: Think like an attacker
OBJECTIVE: Exploit a website using a local file inclusion vulnerability
OBJECTIVE: Crack a password
OBJECTIVE: Determine if a website has embedded malware
OBJECTIVE: Conduct online technical research
OBJECTIVE: Patch the code of a website to eliminate a local file inclusion vulnerability

Students receive a report that an employee had unusual text on his screen which didn’t seem to be work-related. The company’s security team captured a recording of that employee’s network traffic from the time of the report. The students’ task is to use two traffic analysis tools to determine what the employee was doing. Was his activity benign, or was this evidence of an insider attack?

OBJECTIVE: Conduct an investigation of a cybersecurity incident
OBJECTIVE: Analyze network traffic using NetworkMiner
OBJECTIVE: Analyze network traffic using Wireshark

Students analyze suspicious network traffic moving in and out of a US military aide’s personal laptop. Using packet capture (PCAP) files, they determine whether it was infected by malware and, if so, which malware was involved and how the infection occurred.

OBJECTIVE: Analyze suspicious network traffic in a PCAP using Snort and Wireshark
OBJECTIVE: Recognize a cushion redirect in network traffic
OBJECTIVE: Recognize the identifying features of a specific exploit kit
OBJECTIVE: Recognize a malware payload being transferred to a targeted host

Prerequisites

Professional IT experience, an IT-related degree, or successful completion of a hands-on pre-assessment. Recommended: Basic applied knowledge of computer networks and protocols, knowledge of the Windows and Linux operating systems, and experience using command line interfaces.

Duration

10 weeks at 15 hours/week

Cyber Defender 1

Cyber Defender 1 builds on the basic defensive skills and experience students gained in Immediate Immersion. The course is designed to impart a strong foundation of network traffic analysis, log analysis, and malware analysis skills – the fundamental skills required of a security operations center analyst.

Key Skills

Network traffic analysis, log analysis, and triage of malicious activity

Students will further master the basic skills of analyzing network traffic at the packet level, as well as analyzing system and network logs for indicators of malicious activity. They will then learn more complex techniques of log analysis and extraction, and static and dynamic analysis of potentially malicious files.

Tasks:

A security operations center analyst has seen evidence of a password cracking attempt within a key network. Students analyze a PCAP and event logs within a security information and event management system (the Splunk SIEM) to determine whether or not any passwords were compromised, and if the network was breached as a result. The student must also identify which tools were used by the attacker, and which steps should be taken to safeguard specific hosts in the network from similar cracking attempts in the future.

OBJECTIVE: Analyze suspicious network traffic in a PCAP using Wireshark.
OBJECTIVE: Analyze network and system logs using Splunk
OBJECTIVE: Cross-correlate events seen in a PCAP with events seen in logs
OBJECTIVE: Recognize a Hydra brute-forcing attack
OBJECTIVE: Determine if a brute-forcing attack has been successful

Students analyze a possible “watering hole” attack in which clicking on a malicious link embedded in an otherwise legitimate website launches an exploit kit that infects a user’s machine with a “banking trojan.” To accomplish this, they must analyze multiple logs within the Splunk SIEM.

OBJECTIVE: Analyze network and system logs using Splunk
OBJECTIVE: Pivot among multiple logs using Splunk’s search facilities
OBJECTIVE: Identify possible indicators of compromise
OBJECTIVE: Determine if devices are likely to have been infected using indicators of compromise
OBJECTIVE: Tentatively identify the malware used and the intent of the attack

Students use a “hash” of the possible malware-containing file to conduct research using VirusTotal, online sandboxes, and open source intelligence sources to determine specific indicators of compromise to guide forensic analysis of memory and file system images of infected devices.

OBJECTIVE: Use VirusTotal to identify a malware sample
OBJECTIVE: Use advanced features of VirusTotal to learn detailed information about a malware sample
OBJECTIVE: Use the HybridAnalysis sandbox to perform static and dynamic analysis of a malware sample
OBJECTIVE: Use open source threat intelligence to learn more about specific malware

Prerequisites

Successful completion of Cybersecurity Immediate Immersion 

Duration

10 weeks at 15 hours/week

Cyber Defender 2

Cyber Defender 2 focuses on the skills of memory and disk forensics, reporting, and responding to cybersecurity incidents. Acquiring these skills expands a graduate’s career possibilities to include digital forensics analyst and incident responder.

Key Skills

Digital forensics and incident response

Tasks:

Students perform a forensic examination of a memory image taken from a computer to identify sophisticated malware that infected the device.

OBJECTIVE: Acquire a working knowledge of process structures in memory using Volatility
OBJECTIVE: “Know normal to find evil”
OBJECTIVE: Formulate a plan for a memory forensics investigation
OBJECTIVE: Recognize malware “footprints” in a forensic memory image
OBJECTIVE: Locate a malicious binary in a forensic memory image
OBJECTIVE: Corroborate findings with other sources such as [Splunk] SIEM logs
OBJECTIVE: Identify malware actions such as privilege escalation and browser hooking
OBJECTIVE: Extract, safely package, and share a malware sample from a forensic disk image

Students perform disk forensics on an infected computer. By analyzing an image of the computer’s file system, the students are able to identify malware infections and to create a timeline for the attack.

OBJECTIVE: Analyze a forensic disk image and identify indicators of compromise using Autopsy
OBJECTIVE: Generate a timeline of suspicious events in a forensic disk image
OBJECTIVE: Determine how a device was infected and what malware variant was used

Students are asked to conclude their investigation, carried out over tasks four through seven, by compiling a timeline for the attack and writing a comprehensive report for technical and non-technical stakeholders.

OBJECTIVE: Cross-correlate information from a range of sources
OBJECTIVE: Combine information from a range of sources into a comprehensive report
OBJECTIVE: Communicate a complex story effectively to technical and non-technical audiences

Students observe and critique a sub-optimal response to a cyber attack, and then they revise the company’s incident response plan based on lessons learned from responding to an attack.

OBJECTIVE: Recognize common errors in incident response
OBJECTIVE: Incorporate best practices into an incident response plan

Prerequisites

Successful completion of Cyber Defender 1 

Duration

10 weeks at 15 hours/week


This course is part of our Premium collection of courses. This package is perfect for professionals and teams looking to take their skills to the next level. Gain access to a wide range of sophisticated courses.


Our Basic plan is perfect for students taking their first steps into leadership, IT management, or cybersecurity. Get comfortable. Feel it out. Learn what you love and what you don’t love. Start learning today with a 7 Day Free Trial!