The current and future demand for cyber security professionals exceeds the supply. Defensive Cyber Operations (DCO) staff to work in security operations centers around the globe are in short supply.
Defensive Cyber Operations is an essential course for technical staff in a DCO role. Over five days participants will learn about the technical environment, fundamental principles, and the tactics, techniques, tools and procedures involved in DCO. On completing the course, participants will have well-rounded knowledge and experience on which to build their abilities. Practical training is underpinned by theoretical education.
Conduct basic Defensive Cyber Operations activities:
The course is delivered on-site at Fifth Domain's training facility. Participants are required to bring their own laptop (BYOD) with wi-fi connectivity. All our labs are cloud-based, so participant laptops do not need to run virtual machines.
Network centric operations
  Situational awareness & understanding OODA loop

SOC capabilities - protection, collection & detection, analysis & reporting, response
  Sensors - deployment and tasking
  Fusion - normalization and aggregation
  Analytics - signatures and queries
  Presentation - visualization and dissemination

Network Fundamentals
  Addressing - MACs, IPs, ports, hosts and domains
  Protocols - TCP, UDP, ARP, DNS, NetBIOS, HTTP
  Segmentation - VLANs, subnets, subdomains

Standards & taxonomies - CybOX, STIX, and TAXII
  Observables, indicators, TTPs, targets
  Cyber threat intelligence and STIX IOCs
  TAXII feeds and SIEMs
  Whitelisting vs blacklisting
  IDS signatures and alerts
  Traffic analysis - IPs, domains, timings, throughput

Log analysis - VPN, DNS, Web, etc.
  Host activity and configuration - processes, connections, registry and file integrity monitoring
  File analysis - cloud services, static and dynamic techniques

Analysis: verification and correlation
  Associating observables - traffic, processes, binaries, logs, configurations
  Modelling network and host activity
  Writing, deploying and verifying signatures - IOCs, Snort rules, YARA rules

Reporting
  Actors, targets & vectors
  Discover, access, assure, leverage
  Attack replication, simulation and automation

Protection: hardening and obfuscation
  User and group privileges
  Firewall rules

Collection: network & host
  In-line taps, SPAN ports, traffic splitting
  Full packet capture, network statistics, NetFlow
  Host based agents - deployment and configuration
Participants will deploy network and host-based intrusion detection systems within a simple network. They will then initiate our automated attack package against the target network. The automated attack will generate network and host-based telemetry that participants will collect, analyze and characterize to produce a response and remediation plan.
Just like the individual challenge but bigger and in teams. This time teams of 5–8 people will be given the task of defending a medium-sized network (approx. 20 machines) against a barrage of different attacks. Participants will need to deal with the added complexity of automated end-user activity such as opening emails and browsing the Internet. Finally, participants will plan and execute incident response activities.