Become a SOC Analyst - Level 3

Students will check for indications of other attack activity.

Students will Identify the use of an SQL Injection through the use of Wireshark. The students will also isolate the different aspects of the SQL Injection and execute the selected code.

Students will review network traffic to confirm the presence of malicious activity using various tools including Wireshark and VirusTotal.com.

In this lab you will attempt to conduct basic analysis on some malware samples that were found on the internal network.

Students will use the open source Volatility tool to analyze a memory snapshot and determine what malicious software has infected the victim machine.

Students will identify the use of a Buffer Overflow exploit through the use of Wireshark and by analyzing items found in the captured traffic. The students will also find the exploit code and isolate the different aspects of a Buffer Overflow exploit.

In this lab you will use Microsoft Baseline Security Analyzer (MBSA) to perform scans of individual host computers and of groups of computers.

Students will use pfTop, a network traffic monitoring/statistics plugin used in pfSense, to analyze and monitor network traffic.

Students will be using Power Shell to search for running processes, users and tasks on local and remote systems in the user environment.

In this lab you will analyze a capture file of a web application attack in order to identify the attack vector and deduce the vulnerability the attack exploited.

Students will conduct scans against a web server, a file share, a printer and a user's host device. The student will identify specific threats posed to the system. Students will then scan a network and identify potential points of ingress (open ports, etc) that could cause compromise to the system.

In this lab, students will perform static and dynamic malware analysis. Analyzing malware is important for many reasons. Malware analysis in general is taking steps to find out more information about things like who crafted a malware payload or what types of actions the malware is trying to perform. Static analysis is where you look at the file contents and look at the strings and don’t execute the file. With dynamic malware analysis, you run the file (likely in a virtual environment not connected to a real network) to see the types of network and process actions that happen to the system.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Linux Server. Some of the relevant forensic artifacts from a Linux system include apache log files, the history file, and the secure or auth.log file, which includes valuable information such as SSH connections or user account activity. You will find that forensic analysis of a Linux system is far different than forensics in Windows.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows client machine. Windows’ client machines tend to be a large target for hackers because end users, who may lack knowledge of computer security, can download malicious files or open malicious attachments. Some of the relevant forensic artifacts from a Windows server include Windows event log files, event viewer files, and registry entries.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows Server. A hacker’s dream is to compromise a Windows Server, especially a domain controller, because they can leverage the Domain administrator account to control most of the other systems within in the network. The relevant forensic artifacts from a Windows Server include log files, event viewer files, and registry entries.

Several company employees have received unsolicited emails with suspicious pdf attachments. The CIO has asked you to look at the attachments and see if they are malicious.

Several company employees have received unsolicited emails with suspicious pdf attachments. The CIO has asked you to look at the attachments and see if they are malicious.

The student will act as attacker and defender in this scenario. They will receive experience using a custom denial of service python script, and then will switch over to the defensive side. On defense they will need to detect the activity, design firewall rules to block the DoS, implement the rules and then check their effectiveness.

This lab is designed to introduce the student to a Windows rootkit and to some tools and techniques used in discovery and removal of the rootkit. This experience should provide them with a basic understanding of rootkits and the challenges they pose during the removal process.

After identifying a SQL Injection attack, students will learn about parameterized queries in back-end web servers to minimize future SQLi attacks.

Students will recover a Windows 7 client infected by an unknown payload loaded after exposure to the FlashPack Exploit Kit. The recovery will encompass network traffic analysis to determine infection vector and payload delivery mechanisms as well as system-specific recovery procedures to restore the system to its original functionality.

Students will will be introduced to a real world international cyber espionage campaign that has been used to target corporate assets in Taiwan. Students will analyze a packet capture in order to determine the nature of the data being sent between a victim machine and a distant server. Using this information they will have the data needed in order to add valuable content to a cyber incident report. CSXS - 4.1

In this lab, as part of the recovery process, the student will restore services to a host in a post-incident environment. Startup services, and firewall settings, will both need to be addressed.

This lab will exercise all the relevant skills found in this domain. We are focusing on responding to incidents and the skills needed to address these sorts of problems at a practitioner level.