The Cyber Defender Program

Cyber Defender is a progression of three courses designed to impart a strong foundation of defensive cybersecurity skills in 30 weeks of part-time study. Development of the 100% project-based, learn-by-doing program was funded, in part, by the Department of Defense (under agreement C5-16-0023), and the curriculum was designed in conjunction with DoD-selected experts.

In addition to the task-based curriculum, an implicit curriculum runs throughout the program via which students learn and practice the cognitive skills essential for success in all areas of information security. These include:

• Understanding complex, novel problems
• Effectively researching solutions
• Designing and testing solutions
• Making evidence-based decisions
• Communicating effectively with stakeholders
• Self-directed learning

Given the constantly changing nature of threats and challenges, these skills are arguably of equal or greater importance than the task-specific skills students learn. Students must pass each successive course to be eligible to continue.

Schedule

Cybersecurity Immediate Immersion

Duration: 10 weeks at 15 hours/week

Cybersecurity Immediate Immersion is designed to impart basic cybersecurity skills to help students determine if careers in cybersecurity are right for them.

Prerequisites: Professional IT experience, an IT-related degree, or successful completion of a hands-on pre-assessment. Recommended: Basic applied knowledge of computer networks and protocols, knowledge of the Windows and Linux operating systems, and experience using command line interfaces.

Key Skills: Thinking like an attacker, analyzing and verifying intrusion detection system alerts, network traffic analysis, and conducting online technical and open source intelligence research

Tasks:

• Exploit a website and fix its vulnerabilities

Students learn to think like attackers. They investigate a defense contractor’s website surreptitiously, fix a vulnerability, and remove malware. To accomplish this, they must use an LFI exploit uncovered by human intelligence to access to the webserver themselves and then crack the webmaster’s encrypted password, so they can remove the malware and patch the vulnerability that left the system open to attack.

OBJECTIVE:  Think like an attacker
OBJECTIVE:  Exploit a website using a local file inclusion vulnerability
OBECTIVE: Crack a password
OBJECTIVE: Determine if a website has embedded malware
OBJECTIVE: Conduct online technical research
OBJECTIVE: Patch the code of a website to eliminate a local file inclusion vulnerability

• Investigate suspicious behavior

Students receive a report that an employee had unusual text on his screen which didn’t seem to be work related. The company’s security team captured a recording of that employee’s network traffic from the time of the report. Their task is to use two traffic analysis tools to determine what the employee was doing. Was his activity benign—or was this evidence of an insider attack?

OBJECTIVE:  Conduct an investigation of a cybersecurity incident
OBJECTIVE:  Analyze network traffic using NetworkMiner
OBJECTIVE: Analyze network traffic using Wireshark

• Analyze malicious network traffic

Students analyze suspicious network traffic moving in and out of a US military aide’s personal laptop. Using packet capture (PCAP) files, they will determine if it was infected by malware and if so what malware and how the infection occurred.

OBJECTIVE:  Analyze suspicious network traffic in a PCAP using Snort and Wireshark.
OBJECTIVE:  Recognize a cushion redirect in network traffic.
OBJECTIVE:  Recognize the identifying features of a specific exploit kit.
OBJECTIVE:  Recognize a malware payload being transferred to a targeted host.

Cyber Defender 1

Cyber Defender 1 builds on the basic defensive skills and experience students gained in Immediate Immersion. The course is designed to impart a strong foundation of network traffic analysis, log analysis, and malware analysis skills – the fundamental skills required of a security operations center analyst.

Prerequisite: Successful completion of Cybersecurity Immediate Immersion

Key Skills: Network traffic analysis, log analysis, and triage of malicious activity

Students will further master the basic skills of analyzing network traffic at the packet level,  as well as analyzing system and network logs for indicators of malicious activity. They will then learn more complex techniques of log analysis and extraction, and static and dynamic analysis of potentially malicious files.

Tasks:

• Analyze a remote intrusion attemptA security operations center analyst has seen evidence of a password cracking attempt within a key network. Students analyze a PCAP and event logs within a security information and event management system (the Splunk SIEM) to determine whether or not any passwords were compromised, and if the network was breached as a result. The student must also identify which  tools were used by the attacker, and which steps should be taken to safeguard specific hosts in the network from similar cracking attempts in the future.OBJECTIVE: Analyze suspicious network traffic in a PCAP using Wireshark.
  OBJECTIVE: Analyze network and system logs using Splunk
  OBJECTIVE: Cross-correlate events seen in a PCAP with events seen in logs
  OBJECTIVE: Recognize a Hydra brute-forcing attack
  OBJECTIVE: Determine if a brute-forcing attack has been successful
• Investigate an incident using a Security Information and Event Management System (SIEM)Students analyze a possible “watering hole” attack in which clicking on a malicious link embedded in an otherwise legitimate website launches an exploit kit that infects a user’s machine with a “banking trojan.” To accomplish this, they must analyze multiple logs within the Splunk SIEM.OBECTIVE: Analyze network and system logs using Splunk
  OBJECTIVE: Pivot among multiple logs using Splunk’s search facilities
  OBJECTIVE: Identify possible indicators of compromise
  OBJECTIVE: Determine if devices are likely to have been infected using indicators of compromise
  OBJECTIVE: Tentatively identify the malware used and the intent of the attack
• Analyze and understand malware using a sandbox coupled with open source intelligence gatheringStudents use a “hash” of the possible malware-containing file to conduct research using VirusTotal, online sandboxes, and open source intelligence sources to determine specific indicators of compromise to guide forensic analysis of memory and file system images of infected devices.OBJECTIVE: Use VirusTotal to identify a malware sample
  OBJECTIVE: Use advanced features of VirusTotal to learn detailed information about a malware sample
  OBJECTIVE: Use the HybridAnalysis sandbox to perform static and dynamic analysis of a malware sample
  OBJECTIVE: Use open source threat intelligence to learn more about specific malware

Duration: 10 weeks at 15 hours/week

Cyber Defender 2

Cyber Defender 2 focuses on the skills of memory and disk forensics, reporting, and responding to cybersecurity incidents. Acquiring these skills expands a graduate’s career possibilities to include digital forensics analyst and incident responder.

Prerequisite: Successful completion of Cyber Defender 1

Key Skills: Digital forensics and incident response

Tasks

• Examine a compromised host’s memoryStudents perform forensics examination of a memory image taken from a computer to identify sophisticated malware that infected the device.OBJECTIVE:  Acquire a working knowledge of process structures in memory using Volatility
  OBJECTIVE: “Know normal to find evil”
  OBJECTIVE: Formulate  plan for a memory forensics investigation
  OBJECTIVE:  Recognize malware “footprints” in a forensic memory image
  OBJECTIVE:  Locate a malicious binary in a forensic memory image
  OBJECTIVE:  Corroborate findings with other sources such as [Splunk] SIEM logs
  OBJECTIVE:  Identify malware actions such as privilege escalation and browser hooking
  OBJECTIVE: Extract, safely package, and share a malware sample from a forensic disk image
• Conduct a forensic disk examinationStudents perform disk forensics on an infected computer. By analyzing an image the computer’s file system, the students are able to identify malware infections and to create a timeline for the attack.OBJECTIVE:  Analyze a forensic disk image and identify indicators of compromise using Autopsy.
  OBJECTIVE:  Generate a timeline of suspicious events in a forensic disk image.
  OBJECTIVE:  Determine how a device was infected and what malware variant was used.
• Close the investigationStudents are asked to conclude their investigation, carried out over tasks four through seven, by compiling a timeline for the attack and writing a comprehensive report for technical and non-technical stakeholders.OBJECTIVE: Cross-correlating information from a range of sources
  OBJECTIVE: Combining information from a range of sources into a comprehensive report
  OBJECTIVE: Communicating a complex story effectively to technical and non-technical audiences.
• Observe and critique the response to a complex cyber attackStudents observe and critique a sub-optimal response to a cyber attack, and then they revise the company’s incident response plan based on lessons learned from responding to an attack.OBJECTIVE: Recognize common errors in incident response
  OBJECTIVE: Incorporate best practices into an incident response plan.

Duration

10 weeks at 15 hours/week