Cyber Defense Infrastructure Support
Mastering Advanced Cyber Defense Infrastructure Support with Cyrin’s NICE Specialty Area Package Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors …
Mastering Advanced Cyber Defense Infrastructure Support with Cyrin’s NICE Specialty Area Package
Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors network to actively remediate unauthorized activities.
This package consists of CYRIN labs focusing on the NIST National Initiative for Cybersecurity Education (NICE) Cyber Defense Infrastructure Support specialty area. Completing these labs will help you learn the skills needed for a job in the area.
Prerequisites vary by lab, but are generally: familiarity with the Unix/Linux command line and basic networking concepts (TCP/IP, DNS, etc.).
22.0 hours, self-paced. Pause and continue at any time.
22.0 CPEs awarded on successful completion.
Introductory IDS Configuration with Snort
Students will learn how to configure an Intrusion Detection System (IDS) to examine traffic to/from a firewall. The popular Snort® IDS will be used in this exercise. The exercise will include both harmless background traffic and potentially-malicious traffic to be detected by Snort.
Intrusion Detection using Zeek (formerly Bro)
Students will learn how to deploy, configure and customize a Zeek Network Intrusion Detection System (NIDS). They will customize Zeek to generate enterprise specific logs and to send email notifications of events of interest. They will also create a simple Zeek plugin, using the Zeek scripting language, to detect and block brute force SSH login attempts.
Firewall Configuration with VyOS
Students will configure a network firewall using the VyOS router appliance, which mimics physical router hardware. The exercise will include both ingress and egress filtering, stateful packet inspection, and best practices. Students will set up a partitioned network and a DMZ area to isolate specific enterprise services, such as an e-mail server. Evaluation will include network probes from both inside and outside the firewall to ensure proper rules are configured.
Firewall Configuration with IPtables
Students will configure a network firewall using the standard Linux IPtables module. The exercise will include both ingress and egress filtering, stateful packet inspection, and best practices. More advanced techniques such as port knocking will also be introduced. Evaluation will include network probes from both inside and outside the firewall to ensure proper rules are configured.
Firewall Configuration with pfSense
Students will learn to secure and configure the widely used, open-source pfSense firewall. They will learn to create firewall rules, the order in which rules are applied, how pfSense aliases can be used to simplify the pfSense rule set, and how to secure pfSense itself. They will also learn to view statistics and logs collected by pfSense.
Configure an Enterprise Network
In this exercise students must configure the firewalls and routers of an enterprise network in accordance with the security policies of the organization. The computers and network devices in the network have been physically connected but the firewalls and routers have not been configured. You must configure these firewalls and routers to implement policies related to how traffic to/from the Internet and traffic between the different subnets is handled. This exercise is brought to you by the Rochester Institute of Technology-Global Cybersecurity Institute.
This exercise uses pfSense, an open-source firewall and router that is used by thousands of enterprises and officially supported by Netgate. Students must be familiar with the pfSense console and web interfaces. Those not familiar with pfSense are encouraged to complete the CYRIN Firewall Configuration with pfSense lab before attempting this exercise.
Log Analysis with RSYSLOG
This lab teaches students to setup and configure a central RSYSLOG server that will receive and store logs from FreeBSD, Linux and Windows clients.
Students will learn to configure log forwarding on the clients, and log rotation and filtering on the server. They will also learn to use Logwatch to analyze logs and fail2ban to automatically respond to suspicious activity found in the logs.
Log Analytics with Elastic Stack
Elastic Stack is a group of services designed to take data from almost any type of source and in almost any type of format, and to search, analyze and visualize that data in real time. In this lab, Elastic Stack will be used for log analytics. Students will learn to set up and run the Elasticsearch, Logstash and Kibana components of Elastic Stack. Multiple computers in a small network will forward their logs to a central server where they will be processed by Elastic Stack. Student will use Kibana to view logs, filter them and set up dashboards. Information in the logs will be used to identify and block an on-going attack.
DoS Attacks and Defenses
This lab teaches three different Denial of Service (DoS) attacks and techniques to mitigate them:
- A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol,
- A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work, and
- A DNS amplification attack that exploits misconfigured DNS servers, of which there are plenty on the Internet.
Protocol Analysis I: Wireshark Basics
Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you’re seeing is “normal” or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.
Detect and Neutralize a Malware-Based Attack
In this exercise, the student plays the role of a security admin of an enterprise network. They are asked to investigate a potential malware-based attack.
The student is told that an intrusion detection system has seen periodic outgoing connections from a computer within the enterprise network to a computer on the Internet. The student must block the outgoing traffic, determine the computer from which the traffic is originating, find the malware on that computer, examine it to see what information is being sent out, and stop the attack.
Price included 6 months of access.