Cyber Defense Forensics Analyst


This Cyber Defense Forensics Analyst lab series is designed to assess an individual’s knowledge, skills and abilities related to using data collected from cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environment for the purpose of mitigating threats.



Virtual Online Training Series - Cyber Defense Forensics Analyst Training



Memory Extraction and Analysis
This is one of the labs for the Advanced Digital Media Forensics class.
3 hours, 40 minutes
Setting up Filters and Queries in Kibana
Students will focus on using filters and queries in Kibana to find indicators of compromise within the network.
1 hour
WebApp Attack PCAP Analysis
In this lab you will analyze a capture file of a web application attack in order to identify the attack vector and deduce the vulnerability the attack exploited.
1 hour
Creating a Forensic Image
Students will create an image of media using FTK Imager.
1 hour
Hash Verification
Students will understand and use hash verification to identify and compare files and forensic images.
1 hour
Creating a Case in FTK
In this lab students will become familiar with creating a case in FTK and with the general use of FTK.
2 hours
Introduction to Squert
In this lab, you will learn how to use Squert to view previously generated event data detected by the sensors.
30 minutes
Overview of Kibana
Students will become familiar with data visualization in Kibana, one of the three open-source tools in Elastic’s ELK stack (Elasticsearch, Logstash and Kibana), which work together to cover a wide range of monitoring and analytics needs.
30 minutes
Dynamic Malware Analysis
Students will use two virtual machines inside an isolated network to observe configuration changes on a known-good (clean) system and the unusual network traffic generated by the suspect software they are analyzing. On the clean system they will use Regshot, Argon Network Switcher, Process Hacker, Process Monitor and Noriben to gather details on what the suspicious program is actually doing. On a second support machine they will set up a fake DNS server so that the suspect’s traffic is directed to the support machine and handed to Wireshark for further analysis. This lab continues to build tool familiarity and introduces capturing network traffic with a simple “man-in-the-middle” system.
1 hour
Denial of Service PCAP Analysis
The student acts as both attacker and defender in this scenario. They will first gain experience running a custom Python denial-of-service script, then switch to the defensive side, where they must detect the activity, design firewall rules to block the DoS, implement the rules and check their effectiveness.
1 hour
Registry Analysis
In this lab, students will understand what type of information is contained within the Windows Registry as well as where to find the information.
1 hour
Data Recovery with Autopsy
Students will ingest and process a previously acquired forensic image using Autopsy. The focus of the lab will be on recovering data from the image, reviewing the supplied forensic report and verifying that the image is forensically sound.
1 hour
Cryptography: Steganography (Scored)
In this lab, students will learn how information can be hidden in cover files, how to recognize and search for hidden information, and how to steganalyze a file to determine whether a message was hidden inside it.
1 hour
Cryptography: Using GPG for Encryption and Key Management (Scored)
Training on how to use GPG with a GPG challenge at the end.
1 hour
LNX101 – Telnet vs. SSH
In this lab, you will learn how to use telnet, an insecure protocol that sends its data over the network in unencrypted form, and contrast it with SSH, which encrypts the session.
1 hour
Tweaking Firewall Rules for Detection
Students will use the organizational firewall to monitor, detect and audit traffic on the network, then configure it to forward log entries for traffic of interest to a syslog server.
1 hour
Analyze Malicious Network Traffic
Students will review malicious traffic within a controlled environment. Using Wireshark and some pointers from a previous technical report on the FlashPack Exploit Kit, they will focus on finding, in two traffic captures, evidence of when and how a victim system was infected by the exploit kit.
1 hour, 30 minutes
Host Identification Scanning with Linux
Students will use Nmap, a network discovery and mapping tool, to identify the systems on a network of responsibility, including computers and network infrastructure devices such as routers.
1 hour
Host Identification Scanning via Windows
Students will leverage Scanline, a Windows network discovery and mapping tool, to identify the systems on a network of responsibility, and will use non-traditional scans in an attempt to evade an Intrusion Detection System (IDS).
25 minutes
Intro to Linux – Routing and SSH Tunnels
Routing is an important networking concept. Routing is typically done by dedicated routers, but can also be done by host systems, such as pfSense or even a regular Linux machine. In a production network, you would likely not use a Linux machine to perform routing, but by experimenting with routing on Linux, you can gain a deeper understanding of how it works and how to configure it.
2 hours
LNX101 – OpenSSH Installation, Configuration, and Hardening
In this lab, you will learn how to install, configure, harden and test an OpenSSH server.
1 hour
LNX101 – Setting Up a Firewall With UFW and Firewalld
In this lab, you will learn how to use two common firewall management tools called UFW or Uncomplicated Firewall and Firewalld.
3 hours
This lab exercise is designed to allow trainees to remotely access a virtual machine using SSH, create a user account and assign that account permissions on the virtual machine.
1 hour
Threat Designation
Students will conduct scans against a web server, a file share, a printer and a user’s host device and identify the specific threats posed to each system. Students will then scan a network and identify potential points of ingress (open ports, etc.) that could lead to compromise.
1 hour
Blue Team – Patch Analyst (Demo Lab)
Students will determine whether a vulnerability is present on the systems and remediate it if necessary.
1 hour, 7 minutes
Manually Analyze Malicious PDF Documents
Several company employees have received unsolicited emails with suspicious pdf attachments. The CIO has asked you to look at the attachments and see if they are malicious.
1 hour
Manually Analyze Malicious PDF Documents 2
Several company employees have received unsolicited emails with suspicious pdf attachments. The CIO has asked you to look at the attachments and see if they are malicious.
1 hour, 30 minutes
Preliminary Scanning
Students will use Nmap, a network discovery and mapping tool, to identify the systems on a network of responsibility, including computers and network infrastructure devices such as routers.
1 hour
Rogue Device Identification and Blocking
Students will scan a network and identify rogue devices. Students will then customize the firewall rules to ensure that any rogue devices are blocked from communicating with other systems on the network.
1 hour
Scanning From Windows
Students will leverage Scanline, a Windows network discovery and mapping tool, to identify the systems on a network of responsibility, and will use non-traditional scans in an attempt to evade an Intrusion Detection System (IDS).
1 hour
Scanning with Nmap
In this lab, you will perform several scans but, using Wireshark, you will be able to view the scan traffic to see what the tool is actually doing under the hood.
1 hour
Image Forensics Capstone
Students will create a live image using FTK Imager and verify that the image was created successfully.
1 hour, 30 minutes
Using Snort and Wireshark to Analyze Traffic
In this lab we replicate the analyst’s need to examine network traffic and detect suspicious activity. Tools like Wireshark and Snort can be used to read, capture and analyze traffic.
1 hour
System Hardening – Scored
A number of technologies work together to protect systems and networks. The real value of your networks and systems rests in the data that the networks carry and that resides on the systems. In this lab you will focus on ways to safeguard data both at rest on systems and in transit across the network. Securing an operating system, also known as hardening, strives to reduce vulnerabilities in order to protect a system against threats and attacks.
1 hour
Conduct Supplemental Monitoring
In this lab you implement supplemental monitoring solutions on a network using various Microsoft security tools and built-ins.
30 minutes
Identify Access to a LINUX Firewall Through SYSLOG Service
Students will identify access to a pfSense firewall by forwarding its syslog (system log) output to the syslog service configured on the network, then identify malicious activity in those logs.
1 hour
Event Log Collection
In this lab you will use Splunk Enterprise to ingest logs from a local host for analysis.
1 hour
Securing Linux – Firewalls
Firewalls are an important part of limiting network traffic. Properly implemented firewalls can greatly limit the damage an attacker can do by enforcing access control at the network interface. They can also be useful for regulating the amount of traffic and for performing network address translation (NAT) that provides extra functionality.
1 hour
Use pfTop to Analyze Network Traffic – Scored
Students will use pfTop, a network traffic monitoring/statistics plugin used in pfSense, to analyze and monitor network traffic. They will walk through the steps of performing a detailed investigation to determine what type of traffic is occurring across the exercise network. Finally, with the use of visualization tools they will be able to further analyze network traffic statistics and learn how visuals can quickly aid in the incident response process.
1 hour
Data Backup and Recovery
In this lab we simulate the recovery phase, performing a backup and restore in a server environment.
1 hour
Participate in Attack Analysis Using Trusted Tool Set
Students will participate in attack analysis/incident response, including root cause determination, to identify vulnerabilities exploited, vector/source and methods used (e.g., malware, denial of service). Students will then investigate and correlate system logs to identify missing patches, level of access obtained, unauthorized processes or programs.
38 minutes
Protect Against Beaconing
Students will analyze a PCAP that indicates the presence of a beacon on the network. The analysis will determine whether the activity can be mitigated; students will then implement a firewall block with logging to prevent future beaconing.
1 hour
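As an added illustration of the beaconing workflow above (this is example code, not material from the lab or its vendor), the script below scores connection records for timer-like regularity and then emits the firewall rules an analyst would derive from a hit. The connection log, the hosts (10.0.0.5, 203.0.113.10, 198.51.100.7) and the thresholds are all constructed for the demo; real input would come from a Zeek conn.log or a PCAP exported with tshark.

```python
"""Added example: beacon detection over a constructed connection log, plus the
log-then-drop firewall rules derived from the result. Not the lab's own code."""
import statistics
from collections import defaultdict

# Constructed records: (epoch seconds, src, dst, dst_port). The 10.0.0.5 ->
# 203.0.113.10 flow fires every 60 s with a few seconds of jitter (a beacon);
# the remaining records are irregular, browsing-like traffic.
CONN_LOG = [
    (1_700_000_000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 443)
    for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0])
] + [
    (1_700_000_003, "10.0.0.5", "198.51.100.7", 443),
    (1_700_000_041, "10.0.0.5", "198.51.100.7", 443),
    (1_700_000_044, "10.0.0.5", "198.51.100.7", 443),
    (1_700_000_310, "10.0.0.5", "198.51.100.7", 443),
    (1_700_000_020, "10.0.0.9", "198.51.100.7", 80),
    (1_700_000_500, "10.0.0.9", "198.51.100.7", 80),
]


def score_flows(records, min_conns=6, max_cv=0.15):
    """Group by (src, dst, port), compute inter-connection gaps, and flag flows
    that are both long-lived and regular. The coefficient of variation
    (stdev / mean of the gaps) stays low for a timer-driven beacon even with
    jitter, and is high for human-driven traffic. Thresholds are assumptions."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    findings = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"flow": key, "count": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def block_rules(finding, chain="FORWARD", prefix="BEACON "):
    """iptables rules for a flagged flow: LOG first, then DROP, so every blocked
    attempt is auditable. On pfSense the equivalent is a LAN rule with logging on."""
    src, dst, port = finding["flow"]
    match = f"-s {src} -d {dst} -p tcp --dport {port}"
    return [
        f'iptables -A {chain} {match} -j LOG --log-prefix "{prefix}"',
        f"iptables -A {chain} {match} -j DROP",
    ]


def analyze(records=CONN_LOG):
    """Return (findings, rules) for a record set; default is the constructed log."""
    findings = score_flows(records)
    return findings, [r for f in findings for r in block_rules(f)]


if __name__ == "__main__":
    found, rules = analyze()
    for f in found:
        print(f"beacon candidate {f['flow']}: {f['count']} conns, "
              f"period {f['period_s']}s, cv {f['cv']}")
    print("\n".join(rules))
```

The coefficient-of-variation check is deliberately simple; real beacons that randomize their sleep interval widely will need a frequency-domain or histogram approach, and the thresholds should be tuned against the environment's known periodic traffic (NTP, update checks) to keep false positives down.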
Network Forensics Lab Book Environment
Students will develop an understanding of network forensics through a series of hands-on labs.
1 day, 16 hours
Recover from Incident
This lab covers a variety of concepts and exercises static and dynamic analysis skills related to malware identification and eradication. After identifying and analyzing a malicious executable in a test environment, students use the information gained to recover from the incident and remove the malicious file from the victim’s computer.
2 hours
Auditing Service Accounts and Creation of Service Accounts To Run Specific Services
Students will explore the auditing of service accounts in a Windows environment. Students will then replace services running as the Administrator account with accounts appropriate for each service.
1 hour
Auditing Service Accounts
Students will audit service accounts in a Windows Server environment. They will identify services running under the server’s Administrator account and correct them, so that an attacker who compromises one of those services cannot use the associated account to escalate privilege.
40 minutes
Manual Vulnerability Assessments
Students will learn how to conduct manual scanning against systems using command-line tools such as Netcat. They will then log in to a discovered system, enable object access auditing, and verify that auditing for the object is enabled.
1 hour
Manually Creating a Baseline with MD5Deep – Scored
Students will create a baseline on a documents folder using md5deep. Students will then modify the folder and observe the changes made to that folder.
1 hour
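The Hash Verification lab and the md5deep baseline lab above rest on the same primitive: hash every file, record the digests, and later recompute and compare. The following is an added example of that workflow (not the lab's material or md5deep's code) that builds an md5deep-style manifest of a directory, diffs it after changes, and verifies a file against a digest recorded at acquisition time. The Documents folder, its files and the tampering steps are constructed inside a temporary directory for the demo.

```python
"""Added example: md5deep-style directory baseline, change detection, and
hash verification of an acquired file. Not the lab's own code."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images are not loaded into memory


def hash_file(path, algo="md5"):
    """Hex digest of one file. MD5 matches md5deep's output; prefer SHA-256 for
    anything an adversary could influence, since MD5 collisions are practical."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="md5"):
    """Recursive manifest {relative/path: digest}, like `md5deep -r -l`."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return manifest


def compare_baseline(baseline, current):
    """Diff two manifests into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def verify_image(path, expected_hex, algo="md5"):
    """Hash verification: recompute the digest and compare it with the value
    recorded when the image was acquired (case-insensitive)."""
    return hash_file(path, algo).lower() == expected_hex.strip().lower()


def demo():
    """Constructed scenario: baseline a Documents folder, tamper with it, diff,
    then verify one unchanged and one changed file against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        (docs / "reports").mkdir(parents=True)
        (docs / "notes.txt").write_text("quarterly notes\n")
        (docs / "reports" / "q1.txt").write_text("Q1 report\n")
        (docs / "todo.txt").write_text("nothing yet\n")
        baseline = hash_tree(docs)

        # Simulated changes: edit one file, delete one, plant a new one.
        (docs / "notes.txt").write_text("quarterly notes\n(edited)\n")
        (docs / "todo.txt").unlink()
        (docs / "reports" / "planted.exe").write_bytes(b"MZ\x90\x00")
        delta = compare_baseline(baseline, hash_tree(docs))

        untouched_ok = verify_image(docs / "reports" / "q1.txt", baseline["reports/q1.txt"])
        tampered_ok = verify_image(docs / "notes.txt", baseline["notes.txt"])
        return delta, untouched_ok, tampered_ok


if __name__ == "__main__":
    delta, untouched_ok, tampered_ok = demo()
    for kind, paths in delta.items():
        for p in paths:
            print(f"{kind:9s} {p}")
    print("untouched file verifies:", untouched_ok, "| edited file verifies:", tampered_ok)
```

For a forensic image the digest to compare against is the one FTK Imager or dd wrote at acquisition time; a mismatch means the copy is not forensically sound, whatever the cause. Store the baseline manifest somewhere the monitored host cannot write to, otherwise an intruder can simply regenerate it.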
Parse Files Out of Network Traffic
This lab teaches students how to extract various files from network traffic using NetworkMiner and Wireshark.
1 hour
Snort Signatures, IDS Tuning, and Blocking
Often the security analyst will need to update the existing IDS/IPS (Intrusion Detection/Prevention System) to handle new threats. This lab simulates creating reject and drop rules for a specific traffic type and alerting the Snorby SIEM when they fire.
1 hour, 9 minutes
This lab exercise is designed to allow the trainee to become familiar with the use of Wireshark.
1 hour
Pentesting & Network Exploitation – Linux Target Analysis Labs (4) – Scored
Pentesting &amp; Network Exploitation exposes students to all manner of reconnaissance, scanning, enumeration, exploitation and pillaging on 802.3 (Ethernet) networks. The lab topics cover recon, discovery, scanning, enumeration, exploitation, post-exploitation, pillaging, covering your tracks and persistence.
3 hours
Creating a Baseline Using the Windows Forensic Toolchest (WFT)
Students will run Windows Forensic Toolchest against an existing system to create a baseline that will be used for future analysis.
1 hour
Performing Incident Response in a Windows Environment
This next lab walks students through identifying a security incident, as well as handling and then responding to the incident.
45 minutes
Validate Indications of Compromise: Analysis of PE File
Malware authors frequently use certain functions, symbols and other tooling to build and obfuscate the true nature of their executables. As part of the Detect phase you should be able to find such evidence, determine whether an executable is malicious, and provide information that can be used to create signatures to detect it in the future.
30 minutes
Total Expected Duration:  4 days, 5 hours, 54 minutes