#000001: Credentialing Courses & Apprenticeship Programs
Week by week:
Weeks 1 & 2: Complete the required mandatory cyber awareness training, including insider threat. Ensure BYOD device compliance. Complete the JumpCloud training modules and Core Certification. Sign NDAs, codes of conduct (COCs), and the other onboarding requirements, which include further onboarding training.
GRC Fundamentals Knowledge Base Training:
- CMMC
- NIST SP 800-171/172
- ISO 27001, Annex A
- NIST SP 800-53, Rev. 5
- CIS Controls (as they pertain to SOC, Network Engineering, Cloud Security, and System Administrator roles)
- Risk Assessment Methodology
Once the student meets compliance in this area, they will be assigned to a SOC team based on their time zone and availability.
Exercises:
- Access to the Onboarding project task area for communication and completion of all onboarding task assignments
- Data at Rest configuration and compliance
- BYOD Device Compliance Checklist
Overview
Weeks 3 - 6: Start with an introduction to the blue team, the mission of a SOC, and how to understand an organization's threat model and risk appetite. This part is focused on top-down learning to explain the mindset of an analyst, the workflow, and the monitoring tools used in the battle against attackers. Throughout this section, the student will learn how SOC information management tools fit together, including incident management systems, threat intelligence platforms, SIEMs, and SOAR tools. We end by describing the various groups of attackers, how their methods differ, and their motivations.
Begin the technical journey of understanding the environment. To defend a network, you must thoroughly understand its architecture and the impact that it will have on analysis. This section introduces the concepts of a modern organization's network traffic flow by dissecting a typical organization's network setup, the tools that contribute to security, and the features necessary for segmentation and monitoring. These modules ensure that students have a firm grasp on how network design affects their "view of the world" as an analyst.
After discussing the network, we go in-depth on common network services. These sections provide a thorough, working explanation of the current and upcoming features of DNS, HTTP(S), SMTP, and more, with a focus on the points most important for analysts to understand. In each section, the focus is on understanding what normal data looks like, as well as the standard indicators and areas used to spot anomalous behavior. The goal is to leave with the ability to quickly recognize the common tricks attackers use to turn these everyday services against us.
Exercises:
Week 3
- JumpCloud (JC) and agent onboarding (device and user provisioning)
- VPN agent (DiT) provisioning and configuration
- Zendesk overview
- Python coding basics
- Linux command basics
- Security Technical Implementation Guides (STIGs) - system hardening
- CVEs
- Patches
- Vulnerability scanning exercise
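For the STIG system-hardening exercise, an added example (not course material) of the kind of check a hardening script performs: it parses an sshd_config and evaluates a few illustrative hardening rules against the effective configuration. The sample configuration and the rules are constructed for this example and are not quoted STIG findings; the parsing details it gets right are real sshd behaviour: keywords are case-insensitive, the first value of a keyword wins, and settings inside a Match block are conditional, so they must not be counted as the global value.

```python
import re

# Constructed sample sshd_config (not from a real host). It deliberately repeats PermitRootLogin
# and carries a Match block so the parser's "first value wins" and "Match is conditional" rules matter.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config
Port 22
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
#PermitEmptyPasswords yes
X11Forwarding yes
ClientAliveInterval 900
Match User backup
    PasswordAuthentication no
    X11Forwarding no
"""

# OpenSSH defaults that apply when a keyword is absent (what sshd actually does, not an assumption).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "clientaliveinterval": "0",
}

# Illustrative hardening rules in the style of STIG checks (example rules, not STIG identifiers).
RULES = [
    ("permitrootlogin", lambda v: v == "no", "root login over SSH must be disabled"),
    ("passwordauthentication", lambda v: v == "no", "password authentication must be disabled (keys only)"),
    ("permitemptypasswords", lambda v: v == "no", "empty passwords must not be accepted"),
    ("x11forwarding", lambda v: v == "no", "X11 forwarding must be disabled"),
    ("clientaliveinterval", lambda v: v.isdigit() and 0 < int(v) <= 600,
     "idle sessions must time out within 600 seconds"),
]


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings: keyword lowercased, first value wins, Match blocks skipped."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True          # everything after a Match line is conditional until EOF
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # sshd uses the FIRST occurrence of a keyword
    return settings


def check(text: str) -> list:
    """Evaluate every rule against the effective value (explicit or default) and report pass/fail."""
    effective = parse_sshd_config(text)
    findings = []
    for key, ok, description in RULES:
        value = effective.get(key, DEFAULTS[key])
        findings.append({
            "keyword": key,
            "value": value,
            "source": "set" if key in effective else "default",
            "pass": bool(ok(value)),
            "rule": description,
        })
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_SSHD_CONFIG):
        status = "PASS" if f["pass"] else "FAIL"
        print(f"{status} {f['keyword']:<24} {f['value']:<18} ({f['source']})  {f['rule']}")
```

On the sample above the duplicated PermitRootLogin passes because sshd honours the first line, PasswordAuthentication fails because the Match-block "no" only applies to one user, and PermitEmptyPasswords passes on the default even though it is never set. Those are exactly the three cases a naive "grep the file" check gets wrong.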
Topics
Week 3: Introduction to the Blue Team Mission
- What is a SOC? What is the mission?
- Why are we being attacked?
- Modern defense mindset
- The challenges of SOC work
SOC Overview
- The people, process, and technology of a SOC
- Aligning the SOC with your organization
- SOC functional component overview
- Tiered vs. tierless SOCs
- Important operational documents
Defensible Network Concepts
- Understanding what it takes to be defensible
- Network security monitoring (NSM) concepts
- NSM event collection
- NSM by the network layer
- Continuous security monitoring (CSM) concepts
- CSM event collection
- Monitoring sources overview
- Data centralization
- On-prem vs. cloud service provider
- Cloud basics
Events, Alerts, Anomalies, and Incidents
- Event collection
- Event log flow
- Alert collection
- Alert triage and log flow
- Signatures vs. anomalies
- Alert triage workflow and incident creation
Week 4: Incident Management Systems
- SOC data organization tools
- Incident management system options and features
- Data flow in incident management systems
- Case creation, alerts, observables, playbooks, and workflow
- Case and alert naming conventions
- Incident categorization framework
Threat Intelligence Platforms
- What is cyber threat intelligence?
- Threat data vs. information vs. intelligence
- Threat intel platform options, features, and workflow
- Event creation, attributes, correlation, and sharing
SIEM
- Benefits of data centralization
- SIEM options and features
- SIEM searching, visualizations, and dashboards
- Use cases and use case databases
Automation and Orchestration
- How SOAR works and benefits the SOC
- Options and features
- SOAR value-adds and API interaction
- Data flow between SOAR and the SIEM, incident management system, and threat intelligence platform
Week 5: Who Are Your Enemies?
- Who's attacking us and what do they want?
- Opportunistic vs. targeted attackers
- Hacktivists, insiders, organized crime, governments
- Motivation by attacker group
- Case studies of different attack groups
- Attacker group naming conventions
Assessment Exam - Stagegate
Exercises:
- Exploring DNS
- HTTP and HTTPS Analysis
- SMTP and Email Analysis
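For the Exploring DNS exercise and the DNS analysis topics (domain randomness, length, subdomain depth, punycode lookalikes, tunneling), an added example that is not course material: it scores query names from a few constructed resolver log lines. The log format, the scoring weights, and the thresholds are assumptions chosen for this illustration, and the registered-domain split is the naive "last two labels" rule; a production version would use the public suffix list and a reputation or passive-DNS lookup on top of these purely structural checks.

```python
import math
import re
import unicodedata
from collections import Counter

# Constructed sample resolver log lines (not real traffic): time, client IP, query name, query type.
SAMPLE_QUERIES = [
    "2024-01-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2024-01-01T10:00:03Z 10.0.0.7 xn--pypal-4ve.com A",                  # punycode lookalike
    "2024-01-01T10:00:04Z 10.0.0.9 h3xk9q2z7m1p5w8r.example-cdn.net A",   # random-looking label
    "2024-01-01T10:00:05Z 10.0.0.9 "
    "68656c6c6f20776f726c6420746869732069732061.74657374206f6620646e73.t1.evil-tunnel.org TXT",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking label approaches log2 of its alphabet size."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_punycode(label: str):
    """Unicode form of an xn-- label, or None if it does not decode cleanly."""
    try:
        return label.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return None


def is_mixed_script(text: str) -> bool:
    """True when Latin letters are mixed with another script (the classic homoglyph trick)."""
    scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in text if ch.isalpha()}
    return len(scripts) > 1


def score_qname(qname: str, qtype: str) -> dict:
    """Structural suspicion score for one query name; higher is more suspicious. Weights are illustrative."""
    labels = qname.rstrip(".").lower().split(".")
    subdomain_labels = labels[:-2]      # naive registered-domain split (assumption; use the PSL for real)
    flags, score = [], 0
    for label in subdomain_labels:
        if len(label) >= 12 and shannon_entropy(label) >= 3.5:
            flags.append(f"high-entropy label '{label}'")
            score += 3
        if len(label) >= 40:
            flags.append(f"very long label ({len(label)} chars)")
            score += 3
    for label in labels:
        if label.startswith("xn--"):
            flags.append(f"punycode label '{label}'")
            score += 2
            decoded = decode_punycode(label)
            if decoded and is_mixed_script(decoded):
                flags.append(f"mixed-script lookalike '{decoded}'")
                score += 3
    if len(subdomain_labels) >= 3:
        flags.append(f"deep subdomain chain ({len(subdomain_labels)} sub-labels)")
        score += 1
    if qtype.upper() == "TXT" and len(qname) >= 60:
        flags.append("long TXT query (tunneling pattern)")
        score += 3
    return {"qname": qname, "qtype": qtype, "score": score, "flags": flags}


def triage(lines) -> list:
    """Parse the log lines and return per-query results, most suspicious first."""
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        r = score_qname(qname, qtype)
        r.update({"time": ts, "client": client})
        results.append(r)
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_QUERIES):
        print(f"{r['score']:>2}  {r['client']:<10} {r['qname']}  {'; '.join(r['flags']) or 'clean'}")
```

Note what the hex-encoded tunneling name shows: hex has only sixteen symbols, so its entropy stays below the threshold a base64 or random label would trip, and it is the label length, the depth of the chain and the long TXT query that catch it. That is why a single feature is never enough and the score combines several.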
Topics
Corporate Network Architecture
- Routers and security
- Zones and traffic flow
- Switches and security
- VLANs
- Home firewall vs. corporate next-gen firewall capabilities
- The logical vs. physical network
- Points of visibility
- Traffic capture
- Network architecture design ideals
- Zero-trust architecture and least-privilege ideals
Traffic Capture and Analysis
- Network traffic capture formats
- NetFlow
- Layer 7 metadata collection
- PCAP collection
- Wireshark and Moloch (now Arkime)
Understanding DNS
- Name-to-IP mapping structure
- DNS server and client types (stub resolvers, forwarding, caching, and authoritative servers)
- Walkthrough of a recursive DNS resolution
- Request types
- Setting records via registrars and on your own server
- A and AAAA records
- PTR records and when they might fail
- TXT records and their uses
- CNAME records and their uses
- MX records for mail
- SRV records
- NS records and glue records
DNS Analysis and Attacks
- Detecting requests for malicious sites
- Checking domain reputation, age, randomness, length, subdomains
- Whois
- Reverse DNS lookups and passive DNS
- Shared hosting
- Detecting DNS recon
- Unauthorized DNS server use
- Domain shadowing
- DNS tunneling
- DNS traffic flow and analysis
- IDNs, punycode, and lookalike domains
- New DNS standards (DNS over TLS, DNS over HTTPS, DNSSEC)
Week 6: Understanding HTTP and HTTPS
- Decoding URLs
- HTTP communication between client and server
- Browser interpretation of HTTP and REST APIs
- GET, POST, and other methods
- Request header analysis
- Response header analysis
- Response codes
- The path to the Internet
- REST APIs
- WebSockets
- HTTP/2 and HTTP/3
Analyzing HTTP for Suspicious Activity
- HTTP attack and analysis approaches
- Credential phishing
- Reputation checking
- Sandboxing
- URL and domain OSINT
- Header and content analysis
- User-agent deconstruction
- Cookies
- How Base64 encoding works, and conversion
- File extraction and analysis
- High-frequency GET/POST activity
- Host headers and naked IP addresses
- Exploit kits and malicious redirection
- HTTPS and certificate inspection
- SSL/TLS decryption - what you can do with and without it
- TLS 1.3
How SMTP and Email Attacks Work
- Email delivery infrastructure
- SMTP protocol
- Reading email headers and source
- Identifying spoofed email
- Decoding attachments
- How email spoofing works
- How SPF works
- How DKIM works
- How DMARC works
Additional Important Protocols
- SMB - versions and typical attacks
- DHCP for defenders
- ICMP and how it is abused
- FTP and attacks
- SSH and attacks
- PowerShell remoting
Assessment Exam - Stagegate
Overview
Weeks 7 - 10: It is extremely difficult to succeed at cyber defense without knowing where and how your data is produced, so this segment of learning takes us down to the host, logging, and file level. It starts with a survey of common endpoint-based attack tactics and orients students to the array of techniques used against their hosts. The first portion of the section shows how each step of the attack lifecycle aligns with typical defensive tools and what methods an organization can use to detect and prevent attacks on its endpoints. To further prepare the student for attack detection, these sections are followed by a thorough review of how Linux and Windows logging work. Reviewing logging capabilities gives the student perspective on which logs will be present on any given system, where to find them, and how to interpret them. These sections cover high-importance log events and provide an in-depth explanation of how to interpret the most important Windows and Linux logs. The value of parsing and enriching logs is explained, as well as how SIEM log normalization and categorization work. These topics give a complete view of what happens from the moment a log is generated to when it shows up in our security tools. Many new analysts struggle to understand how files are structured at a low level and are therefore hesitant when it comes to answering questions such as "Could a file of type x be used for evil?" The final part of this learning segment provides the student with the concepts needed to reason through the answer, diving into files at the byte level.
This section explains the difference between binary and text-based files, and what makes a file a valid document, PDF, executable, Word document, or otherwise. It also explains file-based exploitation methods and the features and formats most often seen in attacks. Concepts such as strings, hashes, and file signatures are explained to show the student how to quickly and accurately identify potentially malicious file samples. The student will finish by understanding how common file formats are identified, how they are typically weaponized, and how to quickly decide whether a given sample is likely to be malicious.
Exercises:
- Interpreting Windows Logs
- Log Enrichment and Visualization
- Malicious File Identification
Topics
Week 7: Endpoint Attack Tactics
- Endpoint attack centricity
- Initial exploitation
- Service-side vs. client-side exploits
- Post-exploitation tactics, tools, and explanations - execution, persistence, discovery, privilege escalation, credential access, lateral movement, collection, exfiltration
Endpoint Defense In-Depth
- Network scanning and software inventory
- Vulnerability scanning and patching
- Anti-exploitation
- Whitelisting (application allowlisting)
- Host intrusion prevention and detection systems
- Host firewalls
- File integrity monitoring
- Privileged access workstations
- Windows privileges and permissions
- Endpoint detection and response (EDR) tools
- File and drive encryption
- Data loss prevention
- User and entity behavior analytics (UEBA)
- AI and ML: their use and impact on the defensive side of cybersecurity, and how predictive, user, and device analytics are used for threat intelligence and incident response
How Windows Logging Works
- Channels, event IDs, and sources
- XML format and event templates
- Log collection path
- Channels of interest for tactical data collection
Week 8: How Linux Logging Works
- Syslog log format
- Syslog daemons
- Syslog network protocol
- Log collection path
- Systemd journal
- Additional command-line auditing options
- Application logging
- Service vs. system logs
Interpreting Important Events
- Windows and Linux login events
- Process creation logs for Windows and Linux
- Additional activity monitoring
- Firewall events
- Object and file auditing
- Service creation and operation logging
- New scheduled tasks
- USB events
- User creation and modification
- Windows Defender events
- PowerShell logging
Kerberos and Active Directory Events
- Authentication and the ticket-granting service
- Kerberos authentication steps
- Kerberos log events in detail
Log Collection, Parsing, and Normalization
- Logging pipeline and collection methods
- Windows vs. Linux log agent collection options
- Parsing unstructured vs. structured logs
- SIEM-centric formats
- Efficient searching in your SIEM
- The role of parsing and log enrichment
- Log normalization and categorization
- Log storage and retention lifecycle
Week 9: File Contents and Identification
- File contents at the byte level
- How to identify a file by its bytes
- Magic bytes
- Nested files
- Strings - uses, encoding options, and viewing
Week 10: Identifying and Handling Suspicious Files
- Safely handling suspicious files
- Dangerous file types
- Exploits vs. program "features"
- Exploits vs. payloads
- Executables, scripts, Office docs, RTFs, PDFs, and miscellaneous exploits
- Hashing and signature verification
- Signature inspection and safety of verified files
- Inspection methods, detecting malicious scripts and other files
Assessment Exam - Stagegate
Overview
Weeks 11 - 17: Now that the course has covered the ground required to understand the tools and data most frequently encountered by analysts, it's time to focus on the process of analysis itself. This section focuses on how the analysis process works and explains how to avoid the common mistakes and biases new analysts can slip into. To accomplish this, this learning block examines how memory and perception affect analysis and how cognitive biases cause us to fail to see what is right in front of us.
The goal is to teach the student not only how to think clearly and methodically, but also how to explain how they reached their conclusions in a way that can support future analysis. In addition to analysis techniques, this section covers both offensive and defensive mental models that are necessary for high-quality analysis. The student will use these models to look at an alert queue and get a quick, intuitive understanding of which alerts may pose the biggest threat and which must be attended to first. Afterward, safe analysis techniques and analysis operational security (OPSEC) concerns are discussed to ensure that analysts do not tip their hand to attackers during the investigation process. This section finishes by discussing how to react to identified intrusions and the considerations for doing so, as well as how to ensure that high-quality documentation for incidents is produced and maintained. The goal is for the student to leave better prepared to understand their alert queue, perform error-free investigations, and choose the best response for any given attack situation.
Exercises:
- Alert Triage and Prioritization
- Structured Analytical Challenge
- Collecting and Documenting Incident Information
Topics
Week 11: Alert Triage and Prioritization
- Priority for triage
- Spotting late-stage attacks
- Attack lifecycle models
- Spotting exfiltration and destruction attempts
- Attempts to access sensitive users, hosts, and data
- Targeted attack identification
- Lower-priority alerts
- Alert validation
Perception, Memory, and Investigation
- The role of perception and memory in observation and analysis
- Working within the limitations of short-term memory
- Efficiently committing information to long-term memory
- Decomposition and externalization techniques
- The effects of experience on speed and creativity
Week 12: Mental Models for Information Security
- Network and file encapsulation
- Cyber kill chain
- Defense-in-depth
- NIST Cybersecurity Framework
- Incident response cycle
- Threat intelligence levels, models, and uses
- F3EAD
- Diamond model
- The OODA loop
- Attack modeling, graph/list thinking, attack trees
- Pyramid of Pain
- MITRE ATT&CK
Structured Analysis Techniques
- Compensating for memory and perception issues via structured analysis
- System 1 vs. System 2 thinking and battling tacit knowledge
- Data-driven vs. concept-driven analysis
- Structured analytic techniques
- Idea generation and creativity, hypothesis development
- Confirmation bias avoidance
- Analysis of competing hypotheses
- Diagnostic reasoning
- Link analysis, event matrices
Week 14: Analysis of Questions and Tactics
- Where to start - breaking down an investigation
- Alert validation techniques
- Sources of network and host information
- Data extraction
- OSINT sources
- Data interpretation
- Assessing strings, files, malware artifacts, email, links
Week 15: Analysis OPSEC
- OPSEC vs. your threat model
- Traffic Light Protocol and intel sharing
- Permissible Action Protocol
- Common OPSEC failures and how to avoid them
Week 16: Intrusion Discovery
- Dwell time and intrusion type
- Determining attacker motivation
- Assessing business risk
- Choosing an appropriate response
- Reacting to opportunistic/targeted attacks
- Common missteps in incident response
Week 17: Incident Closing and Quality Review
- Steps for closing incidents
- Quality review and peer feedback
- Analytical completeness checks
- Closed case classification
- Attribution
- Maintaining quality over time
- Premortem and challenge analysis
- Peer review, red team, team A/B analysis, and structured self-critique
Assessment Exam - Stagegate
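For the Week 9 and 10 file-identification topics (magic bytes, nested files, strings, hashing, extension mismatches) and the Week 14 item on assessing strings, files and malware artifacts, an added example that is not course material: a small triage routine that classifies a sample by its leading bytes rather than its extension, looks inside ZIP containers because Office OOXML documents are ZIPs, pulls ASCII and UTF-16LE strings, hashes the sample, and flags a handful of strings that deserve a second look. The samples are constructed in memory for the example and are not real malware; the signature table and the suspicious-string list are deliberately short illustrations of the real, much longer tables an analyst would use.

```python
import hashlib
import io
import re
import zipfile

# Magic bytes at offset 0 -> type label (illustrative subset of a real signature table).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),   # legacy .doc/.xls, .msi
    (b"{\\rtf", "rtf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_TO_KIND = {"exe": "pe-executable", "dll": "pe-executable", "pdf": "pdf", "docx": "ooxml-document",
               "docm": "ooxml-document", "xlsx": "ooxml-document", "zip": "zip", "txt": "text", "png": "png"}
# Strings that warrant a closer look in a document or dropper; illustrative, not a complete list.
SUSPICIOUS = ["powershell", "-enc", "/javascript", "/openaction", "/launch", "cmd.exe",
              "wscript.shell", "autoopen", "createobject", "urldownloadtofile"]
ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def identify(data: bytes) -> str:
    """Classify by leading bytes, never by extension; fall back to 'text' if the head is printable."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if data and all(b in b"\t\n\r" or 0x20 <= b <= 0x7e for b in data[:512]):
        return "text"
    return "unknown"


def open_zip(data: bytes):
    """Return (kind, member blobs). OOXML files are ZIPs; a vbaProject.bin member means macros."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {n: zf.read(n) for n in zf.namelist()}
    kind = "zip"
    if "[Content_Types].xml" in members:
        kind = "ooxml-document"
        if any(n.lower().endswith("vbaproject.bin") for n in members):
            kind = "ooxml-document-with-macros"
    return kind, members


def extract_strings(data: bytes) -> list:
    ascii_strs = [m.group().decode("ascii") for m in ASCII_STR.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in UTF16_STR.finditer(data)]
    return ascii_strs + wide_strs


def analyze(name: str, data: bytes) -> dict:
    kind = identify(data)
    blobs = [data]
    if kind == "zip":
        kind, members = open_zip(data)
        blobs += list(members.values())      # nested file contents get the same string scan
    strings = [s for blob in blobs for s in extract_strings(blob)]
    lowered = " ".join(strings).lower()
    hits = sorted(kw for kw in SUSPICIOUS if kw in lowered)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TO_KIND.get(ext)
    return {
        "name": name,
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "extension_mismatch": expected is not None and not kind.startswith(expected),
        "suspicious": hits,
        "string_count": len(strings),
    }


def build_samples() -> dict:
    """Constructed in-memory samples (not real malware): a PE disguised as an image, a PDF whose
    OpenAction runs JavaScript, a macro-enabled Office document, and a benign text note."""
    fake_pe = (b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
               + "powershell -enc SQBFAFgA".encode("utf-16-le") + b"\x00" * 16)
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", 'Sub AutoOpen()\nCreateObject("WScript.Shell").Run "calc"\nEnd Sub')
    return {"invoice.png": fake_pe, "report.pdf": pdf, "quarterly.docm": buf.getvalue(),
            "notes.txt": b"Meeting notes: review the Q3 budget and the vendor list.\n"}


def analyze_all() -> dict:
    return {name: analyze(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for r in analyze_all().values():
        ext = "MISMATCH" if r["extension_mismatch"] else "ok"
        print(f"{r['name']:<16} {r['kind']:<28} ext:{ext:<9} {r['sha256'][:12]}...  {r['suspicious'] or '-'}")
```

Two details matter in practice and are easy to miss: the PowerShell string in the disguised executable is only visible to the UTF-16 scan, which is why a strings pass that stops at ASCII misses most Windows artifacts, and the macro text in the Office file is only visible after the ZIP members are decompressed, so scanning the container bytes alone finds nothing.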
Overview
Weeks 18 - 23: Repetitive tasks, lack of empowerment or challenge, poorly designed manual processes - analysts know these pains all too well. While these are just some of the everyday painful experiences of day-to-day SOC work, they are also major contributing factors to the unhappiness and burnout that cause turnover in a SOC. Do things have to be this way? Of course not! But it will take some understanding and work on your part to do things differently. This section focuses squarely on improving efficiency and team enthusiasm for SOC work by tackling the most common problems head-on. Through process optimization, careful analytic design and tuning, and workflow efficiency improvements, we can eliminate many of these common pain points. This frees us from the repetitive work we loathe and allows us to focus on what we do best - analysis! Having the time for challenging and novel work leads to a virtuous cycle of growth and engagement throughout the SOC, improving everyone's life in the process.
This section focuses on tuning your tools using clever analysis techniques and process automation to remove the monotonous and non-value-added activities from your day. It also covers containment activities, including the containment techniques teams can use and how to decide which option is best to halt a developing incident or infection. We wrap up the section with recommendations on skill growth, long-term career development, and how to get more involved in the cyber defense community.
The Red Team/Offensive Pentesting Course teaches advanced techniques, tools, and rules of engagement for penetration testing. With the constant rise in cyberattacks, the need to enforce adequate cybersecurity safeguards is more important than ever. Penetration testing, also known as a 'pen test' or 'ethical hacking', is a cybersecurity approach that aims to identify and assess the security loopholes in an organization. Students in this course receive paid CompTIA PenTest+ prep materials and exam vouchers, together with JumpCloud Learning and Core Certifications, as part of this program, along with an all-access pass to career mentorship and resume guidance in support of their job search. Students in this course take part in a purple team exercise, performing a red team engagement (offensive pen test) alongside our blue teamers (defenders).
Overview
Weeks 27 - 28: During the first phase of the course, we present a common language for discussing adversary tactics and techniques. We discuss the purpose of the Red Team and highlight the various frameworks and methodologies around this topic. Two critical steps before a successful adversary emulation are to conduct threat intelligence and to plan the engagement. The section closes by looking at the first few actions of a Red Team engagement.
Exercises:
- Environment Orientation
- NIST SP 800-115
- Scoping Assessment/Penetration Boundary
- Rules of Engagement
- Deep Dive into MITRE ATT&CK
- Consuming Threat Intelligence
- Red Team Planning
- Install and use Kali Purple in your virtual environment
Topics
Week 27: Adversary Emulation
- Ethical Hacking Maturity Model
- Frameworks and methodologies
- Understanding adversaries
- Unified Kill Chain
- MITRE ATT&CK: threat intelligence
- Threat Report ATT&CK Mapping (TRAM)
- ATT&CK Navigator
- End-to-end testing model
- Assumed breach
- Execution phase
- Building a Red Team - skill development
Week 28: Reconnaissance
- Open-Source Intelligence (OSINT)
- Password attacks
- Social engineering
Assessment test/Stagegate
Overview
Weeks 29 - 35: The second phase of the course introduces various Red Team tools and command-and-control (C2) frameworks, both of which rely on well-maintained attack infrastructure. We spend most of the section on the important aspects of a resilient attack infrastructure and on how the Red Team can put some distance between itself and defenders by using redirectors. Another key aspect of protecting the attack infrastructure is implementing monitoring and operational security.
Exercises:
- Setting Up C2 Frameworks
- Setting Up Redirectors
- VECTR
- Covenant
- PowerShell Empire
- Attacks Against MFA - evilginx2
Topics
Week 29: Red Team Tools
- Command and control (C2)
- C2 comparison
Week 30: Listeners and Communication Channels
Week 31: Advanced Infrastructure
- ICS OT/IT
Week 32: Redirectors
Week 33: Third-Party Hosting
- Comparison of self-hosted vs. third-party
Week 34: Operational Security
Week 35: Understand IoCs
- Introduction to VECTR
- Covenant
Assessment test/Stagegate
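For the Setting Up Redirectors exercise and the redirector and operational security weeks, an added example that is not course material and not any C2 framework's own code: the traffic-filtering decision a redirector makes, written as a small Python reverse proxy so the logic is explicit. On a real engagement this filtering is normally expressed as Apache mod_rewrite or nginx rules in front of the team server; the point is the same either way. Only requests that match every part of the implant's profile (expected Host, exact User-Agent, known URI patterns, expected methods) are relayed to the team server; everything else, including scanners hitting the IP directly, is bounced to a decoy site so the C2 itself is never exposed to the defender's probing. The host name, User-Agent, paths, upstream addresses and scanner list are all hypothetical values for this illustration.

```python
import re
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical implant profile and infrastructure (illustrative values, not a real framework's).
EXPECTED_HOST = "cdn.example-redirector.net"            # the domain the implant was built to call
IMPLANT_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
IMPLANT_PATHS = (re.compile(r"^/api/v1/status/[a-f0-9]{8}$"), re.compile(r"^/api/v1/upload$"))
C2_UPSTREAM = "http://10.10.10.10:8443"                 # team server, reachable only from the redirector
DECOY_UPSTREAM = "https://www.example.com"              # where everyone else is bounced
SCANNER_AGENT_PREFIXES = ("curl/", "python-requests", "nmap", "masscan", "go-http-client", "wget/")


@dataclass
class Decision:
    action: str     # "proxy-c2" or "redirect-decoy"
    reason: str


def decide(method: str, path: str, headers) -> Decision:
    """Only traffic that matches every part of the implant profile reaches the team server."""
    ua = headers.get("User-Agent", "")
    host = headers.get("Host", "").split(":")[0].lower()
    if host != EXPECTED_HOST:
        return Decision("redirect-decoy", f"host {host!r} is not the implant's domain (IP scan or cert-search hit)")
    if any(ua.lower().startswith(p) for p in SCANNER_AGENT_PREFIXES):
        return Decision("redirect-decoy", f"scanner user-agent {ua!r}")
    if ua != IMPLANT_USER_AGENT:
        return Decision("redirect-decoy", "user-agent does not match implant profile")
    if not any(p.match(path) for p in IMPLANT_PATHS):
        return Decision("redirect-decoy", f"path {path!r} not in implant profile")
    if method not in ("GET", "POST"):
        return Decision("redirect-decoy", f"method {method} not used by implant")
    return Decision("proxy-c2", "matches implant profile")


class Redirector(BaseHTTPRequestHandler):
    def _handle(self):
        d = decide(self.command, self.path, self.headers)
        self.log_message("%s %s -> %s (%s)", self.command, self.path, d.action, d.reason)
        if d.action != "proxy-c2":
            self.send_response(302)                   # everyone else sees a boring redirect
            self.send_header("Location", DECOY_UPSTREAM + "/")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        fwd_headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in ("host", "content-length")}
        req = Request(C2_UPSTREAM + self.path, data=body, method=self.command, headers=fwd_headers)
        try:
            resp = urlopen(req, timeout=10)
        except HTTPError as err:                      # 4xx/5xx from the team server are relayed as-is
            resp = err
        with resp:
            payload = resp.read()
            self.send_response(resp.getcode())
            for k, v in resp.headers.items():
                if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    do_GET = do_POST = _handle


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

The Host check is the one people forget: a defender who finds the redirector's IP from a certificate-transparency log or an internet-wide scan will request it by IP, not by the implant's domain, and that alone should send them to the decoy. The decision log lines are also the redirector-side monitoring the section describes; a burst of decoy decisions from one source is an early sign that the infrastructure is being looked at.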
Overview
Weeks 36 - 43: In the third phase of the course, we prepare malicious payloads through weaponization. We discuss various methods of delivery to achieve initial access into the target network. After surveying the initial host and the surrounding network, we stealthily propagate through the network in a cycle of discovery, privilege escalation, credential access, and persistence.
Exercises:
- Creating and Testing Payloads
- Test Bypasses
- Initial Access
- Discovery and Privilege Escalation
- Persistence
Topics
Week 36: Weaponization
- Custom executables
- Blending in
Week 37: Execution Guardrails
Week 38: Initial Access
Week 39: Network Propagation
- Discovery
Week 40: Operational Security
- Deception technology
Week 41: Local Network Enumeration
- Local privilege escalation
- Password cracking
- Persistence
Assessment test/Stagegate
Week 42: iOS and Android attack surface and attack vectors
- IoT attacks
- macOS
Week 43: SAST/DAST OWASP Tools
- White-box testing
- Black-box testing
- Grey-box testing
Overview
Weeks 44 - 47: The fourth phase dives deep into Microsoft Active Directory (AD), learning and practicing the tactics, techniques, and procedures used to attack and enumerate it.
We use various tools to enumerate, escalate, and pivot through these enterprise networks, including domain and forest trusts, and identify how we can move between them.
Exercises:
- Domain Enumeration
- Privilege Hunting and Token Impersonation
- AD Attack Tools
- BloodHound
- AD Lateral Movement
- Forest Lateral Movement
Topics
Week 44: Introduction to Active Directory
- Trees and forests
- AD Certificate Services
- Authentication, authorization, access tokens
- AD enumeration
- DNS
- DNS extraction
- Domain privilege escalation
Week 45: Access Token Manipulation
- Pass-the-Hash, Pass-the-Ticket
Week 46: Kerberoasting
- Silver Ticket, Golden Ticket, Skeleton Key
- Unconstrained and constrained delegation
- Coerced authentication using PrinterBug and PetitPotam
- Hopping the trust
- LLMNR/NBNS/WPAD
- LLMNR/NBT-NS poisoning and relay
Week 47
- BloodHound/SharpHound
- AD Explorer
- SMB pipes, Remote Desktop Protocol, PsExec, Windows Management Instrumentation, DCOM
- SMB relay
- Responder
- Setting up Shadow Credentials
- Domain privilege abuse
- DCSync
- Domain lateral movement, domain trust attacks
- Pivoting between domains and forests
- Forest enumeration, forest attacks
Assessment test/Stagegate
Overview
Weeks 48 - 52: In section five, we use our newly exploited access to discover critical and sensitive information stored in the environment. We collect and exfiltrate these data and demonstrate the impact of the Red Team's actions. After the active testing period, the Red Team must analyze the engagement, deliver reporting, and plan for retesting.
The section closes with preparations for the immersive Red Team Capture-the-Flag exercise in the final course section.
Exercises:
- Database Attacks
- Action on Objectives
- VECTR
- SCYTHE
Topics
Week 48: Action on Objectives
- Database attacks
- SQL abuse
- Trust abuse
- PowerUpSQL
Week 49: Target Manipulation
- Collection
- Data staging
- Exfiltration
- Impact
Week 50: Emulating Ransomware
- Engagement closure
- Analysis and response
- Red Team reveal
- Measuring people and processes
Week 51: Retesting
- Remediation and action plan
- Breach and attack simulation
- APTSimulator
- Network Flight Simulator
- Atomic Red Team
- MITRE CALDERA
- SCYTHE
Week 52: Final Exam and Capstone
Overview
CAPSTONE EXERCISE: Students participate in a Purple Team exercise on a Red Team engagement in a threat-representative range depicting a Windows Active Directory enterprise network. Each student has their own environment consisting of three domains. This story-driven environment provides ample opportunity for each student to exercise many of the skills learned throughout the course. The environment is seasoned with rich user stories, target intelligence, and user activity. We target Windows servers, workstations, and databases along with Active Directory infrastructure, iOS, and Android devices. We also attack Linux servers and databases, leveraging those systems to maneuver through the segmented network. Students develop a report of findings, recommendations, and alternatives that is presented in PowerPoint format as teams.
Exercises:
- Red Team/Purple Team engagement against a Windows Active Directory enterprise network
Topics
- Adversary Emulation
- Reconnaissance
- Initial Access
- Persistence and Privilege Escalation
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
- Closure
Copyright © 2023 Cyvergance.AI Inc. All Rights Reserved.