Playing the Defense

Module 3: The Playing the Defense lectures and labs provide in-depth coverage of the Incident Response Life Cycle, the NIST framework that covers all activities before, during and after a cyber attack. As we progress through the phases of the framework we will dive into best practices concerning preparatory actions, risk assessments, environment awareness and policy suggestions while the network is in a trusted state. Later, we address detection schemes, host/network analysis, popular attack vectors and how to contain, mitigate and recover from a variety of attacks. Finally, we cover post-incident actions.
  • Understand the NIST Incident Response Framework and how it can be used as an effective methodology for continual incident preparation and awareness
Module 3 labs include:
  • Scanning and Mapping Networks – Students will use Zenmap to scan a network segment in order to create an updated network map and detail findings on the systems discovered.
  • Assess A High-Risk System – Students will run a small penetration test against a single system and will then shift to Incident Response mode to collect critical system information to confirm the success of their compromise.
  • Log Correlation & Analysis to Identify Potential IOCs – Students will correlate server logs, system logs, and application logs to determine what level of access was obtained to the system and what program was used to provide access.
  • Assessing Vulnerabilities Post Addressal – Students will use tcpdump to conduct a packet capture and then run the capture through Snort to generate any possible alerts. After reviewing the alerts, they will configure the firewall to mitigate any potential vulnerability vectors.
Additional labs in module 3 for the 2-day course include:
  • Use pfTop to Analyze Network Traffic – Students will use pfTop, a network traffic monitoring/statistics plugin used in pfSense, to analyze and monitor network traffic. They will walk through the steps of performing a detailed investigation to determine what type of traffic is occurring across the exercise network.
  • IDS Setup and Configuration – Students will set up Security Onion to function as a network-based IDS, along with Snorby, the GUI web interface for Snort.
  • CIRP Creation After Cyber Attacks – Students will create a general Computer Incident Response Plan based on received reports of successful attacks against a fictitious company network.