SOC at University.

Setting up a SOC at your University.


Schedule for University Cybersecurity Meetup.

Tuesday, April 6, 2021 5:30 PM-6:30 PM PKT

Tuesday, May 4, 2021 4:00 PM-5:00 PM PKT

Tuesday, June 1, 2021 5:30 PM-6:30 PM PKT

Tuesday, July 6, 2021 5:30 PM-6:30 PM PKT

Tuesday, August 3, 2021 5:30 PM-6:30 PM PKT

Content Will Be Available Soon.

Products & their Certifications

  • IBM Cloud Pak for Security
    • Administrator:
      • IBM Cloud Pak for Security V1.x Administrator
        • Certification
        • Job Title: Certification Lead-Cybersecurity-IBM Cloud Pak for Security V1.x Administrator
          Education: BS/MS in Computer Science, Information Technology or similar disciplines
          Location: PK

          Job Description:

          The objective of this role is to help, guide and lead students and faculty interested in learning and achieving the certification within 30 to 90 days of the start of the assignment.

          1. Complete the learning path for the designated certification to confirm that the certification track is available and achievable by faculty and students.
          2. Work with your SPS counterpart to create a schedule of virtual enablement sessions. These sessions will be published on the website so students can register.
          3. SPS will promote these sessions so students are aware and can register if interested.
          4. Lead the enablement sessions to help students learn the skill set and prepare for the certification exam.
          5. Keep virtual office hours for the students and faculty.
          6. Register for and take the certification exam. You will qualify for PKR 10K as soon as you pass the certification exam.
          7. Help the students register for and take the certification exam. You will receive PKR 5K per student, up to 2 students per university, who pass the certification exam within the 90 days.


      • Proficiency in IBM Cloud Pak for Security Deployment
  • QRadar
    • Analyst:
      • IBM Certified Associate Analyst - IBM QRadar SIEM V7.3.2
        • Certification
        • Exam
        • Job Title: Certification Lead-Cybersecurity-IBM Certified Associate Analyst - IBM QRadar SIEM V7.3.2
          Education: BS/MS in Computer Science, Information Technology or similar disciplines
          Location: PK
          Job Description: the same Certification Lead role, duties and incentives as described above for the IBM Cloud Pak for Security V1.x Administrator certification.


      • IBM Certified SOC Analyst – IBM QRadar SIEM V7.3.2
        • Certification
        • Job Title: Certification Lead-Cybersecurity-IBM Certified SOC Analyst – IBM QRadar SIEM V7.3.2
          Education: BS/MS in Computer Science, Information Technology or similar disciplines
          Location: PK
          Job Description: the same Certification Lead role, duties and incentives as described above for the IBM Cloud Pak for Security V1.x Administrator certification.


    • Deployment:
      • IBM Certified Deployment Professional - IBM QRadar SIEM V7.3.2
        • Certification
        • Exam
        • Job Title: Certification Lead-Cybersecurity-IBM Certified Deployment Professional - IBM QRadar SIEM V7.3.2
          Education: BS/MS in Computer Science, Information Technology or similar disciplines
          Location: PK
          Job Description: the same Certification Lead role, duties and incentives as described above for the IBM Cloud Pak for Security V1.x Administrator certification.


      • Proficiency in IBM QRadar SIEM Deployment
    • Administrator:
      • IBM Certified Associate Administrator - IBM QRadar SIEM V7.3.2
        • Certification
        • Exam
        • Job Title: Certification Lead-Cybersecurity-IBM Certified Associate Administrator - IBM QRadar SIEM V7.3.2
          Education: BS/MS in Computer Science, Information Technology or similar disciplines
          Location: PK
          Job Description: the same Certification Lead role, duties and incentives as described above for the IBM Cloud Pak for Security V1.x Administrator certification.


SPS is currently seeking Certification Leads for the following certifications in the cyber SIG. Each position asks for a BS/MS in Computer Science, Information Technology or a similar discipline, is located in PK, and carries the Certification Lead job description given above:

  • Certification Lead-Cybersecurity-IBM Cloud Pak for Security V1.x Administrator
  • Certification Lead-Cybersecurity-IBM Certified Associate Analyst - IBM QRadar SIEM V7.3.2
  • Certification Lead-Cybersecurity-IBM Certified SOC Analyst – IBM QRadar SIEM V7.3.2
  • Certification Lead-Cybersecurity-IBM Certified Deployment Professional - IBM QRadar SIEM V7.3.2
  • Certification Lead-Cybersecurity-IBM Certified Associate Administrator - IBM QRadar SIEM V7.3.2

Course Development

SPS is soliciting proposals from faculty and students to assist in the development of the following Cyber Range courses.
  1. Ethical Hacking
  2. Incident Response
  3. Red Teaming
  4. Blue Teaming I
  5. Blue Teaming II
  6. Blue Teaming III
  7. Mobile Wi-Fi Security
  8. ICS SCADA

Please submit your proposals for Course Development by emailing us at spinnlabs@spsnet.com

Ethical Hacking

Course outline, rebuilt from the original planning sheet. The sheet's columns are: Lesson; Topic; Type (LEC = lecture, LAB = hands-on lab); Module Duration (hours); Detail description (purpose, target, detail content); Red Team Tools (Kali Linux, Windows); and Blue Team Group 1 to 8, the eight defensive lab environments (BPS + NGFW; BPS + NGFW + SIEM + NAC; BPS + NGFW + WAF; BPS + NGFW + Email FW; BPS + NGFW + Vision One + SandBox; BPS + NGFW + Anti DDoS; BPS + TAP + Vision One + NX; NGFW + End Protection HX). An X marks the environment each module uses. In the flattened extract an X on the module's own line sits in the Kali Linux column and an X on the line below it in the Windows column; the tool given per module below is inferred from that position, and on that reading no module of this course is marked against a Blue Team Group.

Lesson 1

1.1 Introduction (LEC, 0.5 h; tool: none marked)
    Introduction to ethical hacking and to navigating this system for the lecture and lab exercises.

1.2 Fundamentals of Networking (LEC, 2 h; tool: Kali Linux)
    This lecture goes over the Internet protocol suite: the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Protocol (IP). Understanding these fundamentals is needed to understand how attacks are carried out.

1.3 Hacker Methodology and Mindset (LEC, 2 h; tool: Kali Linux)
    This lecture explains the mission and the motives behind attackers. Attackers think differently: they follow a path for as long as it advances their mission and abandon it only when it stops making progress.

Lesson 2

2.1 Windows and Linux Command Line Usage (LEC, 2 h; tool: Kali Linux)
    A short history of the command line, how to access it, and why proficiency with it matters.

2.2 Windows File Structure and Basic Commands (LAB, 1 h; tool: Windows)
    A computer running Microsoft Windows organizes its data much as you would organize files in a filing cabinet. Understanding the file structure and using the command line speeds up routine tasks.

2.3 Windows File Permissions and Attributes (LAB, 1 h; tool: Windows)
    Windows provides several sets of file permissions so that users can have different levels of access to a file. Understanding these permissions and attributes lets you take control of files when needed.

2.4 Windows Net Utilities (LAB, 1 h; tool: Windows)
    Network utilities are programs for analyzing and configuring aspects of a computer network. Most originated on Unix systems; Windows has its own versions that perform the same tasks.

2.5 Windows PowerShell Script (LAB, 2 h; tool: Windows)
    Windows PowerShell is a task-based command-line shell and scripting language designed for system administration. Built on the .NET Framework, it lets IT professionals and power users control and automate the administration of Windows and of the applications that run on it. Increasingly, fileless malware uses PowerShell scripts to avoid detection at download time and to leave no footprint on disk.

2.6 Linux Basic Commands (LAB, 2 h; tool: Kali Linux)
    Kali Linux is the distribution most widely used by ethical hackers. It is a flavor of Linux, so knowing the Linux commands helps with the tasks that come later in the course.

2.7 Linux File Permissions (LAB, 1 h; tool: Kali Linux)
    Linux is a multi-user operating system and has controls to stop users reading each other's confidential files. Although Linux-based systems ship with many good security features, incorrectly set file permissions are one important potential vulnerability.

2.8 Linux Bash Script (LAB, 2 h; tool: Kali Linux)
    Bash is a Unix shell, a command-line interface for interacting with the operating system. Any command you can run from the command line can be used in a Bash script, so a script can run a series of commands for automation and branch on the result of each.

Lesson 3

3.1 Footprinting and Reconnaissance (LEC, 1 h; tool: Kali Linux)
    Footprinting is seeking out information that can be used to facilitate an attack. Reconnaissance is the phase in which an intruder engages with the targeted system to gather information about its vulnerabilities. This lecture covers both terms, what they are used for, what information is gathered and the process involved.

3.2 Basic Port Scanning (LAB, 1 h; tool: Kali Linux)
    A network scanner is an important element in the arsenal of the network administrator as well as the penetration tester. It maps the network and its topology without searching for devices one by one, and lets a security analyst or penetration tester find devices on the network that are exposed to attack.

3.3 OS Fingerprinting (LAB, 1 h; tool: Kali Linux)
    OS fingerprinting detects the type and version of an end host's operating system by analyzing packets that originate from it. Security professionals and attackers alike use it to map remote networks and work out which vulnerabilities might be present to exploit.

3.4 Banner Grabbing (LAB, 1 h; tool: Kali Linux)
    Banner grabbing gathers information about a system on a network and the services running on its open ports from the greetings those services send. Security analysts and penetration testers use it to take inventory of systems or learn more about them.
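The connect scan and banner grab of modules 3.2 and 3.4 in working form, added here as an example and not part of the course material: the scanner completes the TCP handshake on each port, reads whatever greeting the service sends, and parses an SSH identification string into inventory fields. To run offline it starts a constructed local service on 127.0.0.1 that sends a made-up OpenSSH banner; the banner text, the service and the parser are assumptions of the example, not a description of any real host.

```python
"""TCP connect scan with banner grabbing, run against a throwaway local service.

Added example for modules 3.2 and 3.4; this is not course material. The service,
its greeting and the SSH banner parser are constructed for the demo.
"""
import re
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed greeting. Real daemons send their own (SSH, SMTP and FTP all speak first).
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Listen on 127.0.0.1 on an OS-chosen port, greet every client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[bool, Optional[str]]:
    """Complete the three-way handshake (a connect scan), then wait briefly for a greeting.

    Returns (is_open, banner). Closed port: (False, None). Open but silent port:
    (True, None), which is what HTTP looks like because the server waits for the
    client to speak first; those need a protocol-specific probe instead.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if s.connect_ex((host, port)) != 0:
            return False, None
        try:
            data = s.recv(1024)
        except socket.timeout:
            return True, None
        return True, data.decode("ascii", errors="replace").strip() or None
    except OSError:
        return False, None
    finally:
        s.close()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Optional[str]]:
    """Return {port: banner_or_None} for every port that completed the handshake."""
    found = {}
    for port in ports:
        is_open, banner = probe(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")


def identify_ssh(banner: str) -> Optional[Dict[str, str]]:
    """Split an SSH identification string into inventory fields, or None if not SSH."""
    m = _SSH_ID.match(banner)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    target = start_fake_service()
    for port, banner in connect_scan("127.0.0.1", range(target - 2, target + 3)).items():
        print(f"{port}/tcp open  banner={banner!r}  ssh={identify_ssh(banner or '')}")
```

Point connect_scan only at hosts you are authorized to test. Services that wait for the client to speak (HTTP, for example) come back as open with no banner and need a protocol-specific probe; a full connect scan is also the noisiest kind, since every probe completes a handshake that the target's logs and a Blue Team SIEM will record.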








Lesson 4

4.1 Social Engineering and Insider Threat (LEC, 1 h; tool: Kali Linux)
    Social engineering attacks are methods scammers and attackers use to deceive users into disclosing personal or financial information, or otherwise helping them gain access to the network. Insider threats, by contrast, come from people within the organization. This lecture gives an overview of how social engineering works and how it relates to insider threat.

4.2 Spearphishing (LAB, 1 h; tool: Kali Linux)
    Spear phishing is phishing that uses email or other electronic communication to target a specific individual, organization or business. Although often intended to steal data, attackers also use it as a point of entry into the network.

Lesson 5

5.1 Types of Attacks (LEC, 1 h; tool: Kali Linux)
    An attacker can choose from a wide variety of attacks against a target. This lesson looks at several of the types that occur.

5.2 Network Attacks (LAB, 1 h; tool: Kali Linux)
    Network attacks focus on penetrating the corporate network perimeter and gaining access to internal systems. Typically, once inside, attackers combine other types of attack to move laterally within the network.

5.3 DoS Attacks (LAB, 2 h; tool: Kali Linux)
    A denial-of-service attack overwhelms a system's resources so that it cannot respond to service requests. Unlike attacks designed to gain or increase access, denial of service gives the attacker no access to the target; its effect is disruption.

Lesson 6

6.1 Types of Vulnerabilities (LEC, 1 h; tool: Kali Linux)
    A vulnerability is a weakness that an attacker can exploit to perform unauthorized actions within a computer system. To exploit it, the attacker needs at least one applicable tool or technique that can reach the weakness; the set of weaknesses reachable in this way is the system's attack surface. This lecture covers some common types of vulnerability.

6.2 Types of Malware (LEC, 2 h; tool: Kali Linux)
    Malware, short for malicious software, is software used to compromise computer functions, steal data, bypass access controls or otherwise harm the host computer. It is a broad term covering a variety of malicious programs; this lecture covers the common types and what each does.

Lesson 7

7.1 Introduction to Metasploit (LEC, 1 h; tool: Kali Linux)
    Metasploit is one of the most popular open-source penetration testing frameworks. It offers tools ranging from scanning utilities to easily launched exploits, including encoders used to bypass common security defenses. This lecture covers the history of Metasploit and its module types.

7.2 MSFConsole (LAB, 1 h; tool: Kali Linux)
    msfconsole is the most popular interface to the Metasploit Framework (MSF). It provides an all-in-one centralized console and gives efficient access to virtually all of the options available in the MSF. It may seem intimidating at first, but once you learn the command syntax you will appreciate the power of this interface.

7.3 Metasploit Database (LAB, 1 h; tool: Kali Linux)
    An important feature of Metasploit is its database, in which you store penetration test results. A penetration test produces a great deal of information and can run for several days, so storing intermediate results and findings is essential.

7.4 Information Gathering with Metasploit (LAB, 1 h; tool: Kali Linux)
    Information gathering aims to obtain accurate information about a target without revealing your presence or your intentions. Metasploit's auxiliary modules cover much of this phase, which makes it a comprehensive tool for it.

7.5 Vulnerability Scanning with Metasploit (LAB, 1 h; tool: Kali Linux)
    Besides exploitation, Metasploit also supports vulnerability assessment of networks and web applications: it has built-in plug-ins for well-known scanners such as Nessus, Nexpose, OpenVAS and WMAP.

7.6 Metasploit Attacks (LAB, 2 h; tool: Kali Linux)
    After vulnerability scanning and validation, the next phase is exploiting the vulnerabilities in order to gain access to the machine.

7.7 Metasploit Payloads (LAB, 2 h; tool: Kali Linux)
    A payload is the code that runs on the target once an exploit succeeds; it is how the attacker interacts with the compromised system, for example through a reverse shell, and it is used to transfer data to and from the victim.

7.8 Armitage (LAB, 1 h; tool: Kali Linux)
    Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open-source network security tool notable for its support of red team collaboration: shared sessions, data and communication through a single Metasploit instance.

7.9 Buffer Overflow (LAB, 1 h; tool: Kali Linux)
    Buffer overflows have been used for many years as an effective means of penetrating systems and gaining remote access. Exploitation takes advantage of missing or incorrect bounds checks on buffers declared somewhere in the program, undermining the software's security so that the attacker can remotely access the victim's system.

Lesson 8

8 Defense Mechanisms - Industry Best Practices (LEC, 2 h; tool: Kali Linux)
    This lecture covers common defensive mechanisms on the market and best practices for using them.

Lesson 9

9.1 Encryption and Cryptography (LEC, 2 h; tool: Kali Linux)
    Encryption is the process of taking a readable plaintext document or image and scrambling it to the point that it is no longer readable; its intent is to hide and protect the contents from improper disclosure. Cryptography is the wider discipline of techniques for establishing secure communication, so that data can be transferred without being read or altered by an eavesdropper; encryption is one of those techniques. This lecture covers both and the difference between them.

9.2 XOR (LAB, 1 h; tool: Kali Linux)
    XOR (exclusive OR, exclusive disjunction) is the basis of a simple cipher: each plaintext byte is XORed with a key byte, and applying the same key again recovers the plaintext. XOR is not only used in encryption; it is also a basic logical operation in hardware and in instruction sets.

9.3 Base64 (LAB, 1 h; tool: Kali Linux)
    Base64 is a family of binary-to-text encoding schemes that represent binary data as an ASCII string by translating it into a radix-64 representation. The name comes from a specific MIME content transfer encoding. Each Base64 digit represents exactly 6 bits of data, so three 8-bit bytes (24 bits in total) are represented by four 6-bit Base64 digits. Some weak authentication schemes send credentials Base64-encoded as if that were encryption, delivering sensitive information over open media in effectively clear text.

9.4 MD5 (LAB, 1 h; tool: Kali Linux)
    The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was designed as a cryptographic hash function, it has extensive known weaknesses (collisions can be generated at will), so it can only be relied on as a checksum against unintentional corruption. Malware analysis and signature databases still widely use an MD5 hash to identify a file.
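A small lab helper for modules 9.2 to 9.4, added here as an example and not part of the course material. It implements the repeating-key XOR cipher and recovers the key from a few bytes of known plaintext, decodes a Base64 Basic-auth header to show that encoding is not encryption, and computes the MD5 and SHA-256 identifiers of a sample the way a malware report lists them. The message, key, header and sample bytes are constructed for the demo.

```python
"""XOR, Base64 and MD5 as they appear in the lab: the XOR helper and a
known-plaintext key recovery, Basic-auth decoding, and file identifiers.

Added example for modules 9.2 to 9.4; this is not course material. The
plaintext, header and file contents used below are constructed.
"""
import base64
import hashlib
from itertools import cycle
from typing import Dict, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. One function encrypts and decrypts because x ^ k ^ k == x."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext ^ plaintext gives the keystream, and with a repeating key the first
    key_len bytes of keystream are the key itself. A few bytes of guessable
    plaintext (a protocol header, a file magic) is all it takes, which is why XOR
    with a short key is obfuscation rather than encryption.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Turn an 'Authorization: Basic <token>' value back into (user, password).

    Base64 is an encoding, not encryption: whoever can read the header can read
    the credentials, so over plain HTTP this is a clear-text credential leak.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def file_identifiers(content: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of a blob, the way a sample is identified in a malware report.

    MD5 still serves as a lookup key and as a check against accidental corruption,
    but collisions are cheap, so an adversary can ship two files with the same MD5.
    Record SHA-256 alongside it whenever the hash has to resist tampering.
    """
    return {"md5": hashlib.md5(content).hexdigest(),
            "sha256": hashlib.sha256(content).hexdigest()}


if __name__ == "__main__":
    ct = xor_bytes(b"GET /admin HTTP/1.1", b"key")           # constructed message and key
    print(ct.hex(), recover_xor_key(ct, b"GET ", 3))
    print(decode_basic_auth("Basic YWRtaW46aHVudGVyMg=="))     # constructed header
    print(file_identifiers(b"constructed sample"))
```

The key recovery works on any XOR-obfuscated blob whose first bytes are predictable, which covers most malware configuration blobs and "encrypted" log files seen in the lab; the key length is usually found first by trying small lengths and checking which one yields printable output.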








Lesson 10

10.1 Web Attacks and OWASP Top 10 (LEC, 2 h; tool: Kali Linux)
    The web is indispensable to many of the business activities a company engages in every day. Attackers exploit vulnerabilities in web application code or software to gain access to a server or database; these are known as application layer attacks. OWASP, the Open Web Application Security Project, is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. This lecture covers the background and the most common types of web attack.

10.2 Cross-site Scripting (LAB, 1 h; tool: Kali Linux)
    Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS lets attackers inject client-side scripts into web pages viewed by other users, and can be used to bypass access controls such as the same-origin policy.

10.3 Command Injection (LAB, 1 h; tool: Kali Linux)
    Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system through a vulnerable application. It is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers and so on) to a system shell.

10.4 SQL Injection (LAB, 1 h; tool: Kali Linux)
    In this lesson we learn what SQL injection is and how attackers use it to retrieve data they are not authorized to see. We also discuss real-life examples and the ways SQL injection can be prevented.
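The three injection bugs of modules 10.2 to 10.4, each as the vulnerable Python beside its fix, added here as an example and not part of the course material. The users table, hostnames and payloads are constructed; the command-injection part assumes a POSIX sh and an echo command (standing in for ping so the demo runs offline and finishes instantly).

```python
"""Three injection bugs from modules 10.2 to 10.4, each shown as the vulnerable
code next to its fix, driven by constructed attacker input.

Added example; this is not course material. The users table, hostnames and
payloads are constructed. The command-injection part assumes a POSIX sh and an
echo command, used instead of ping so the demo runs offline.
"""
import html
import re
import sqlite3
import subprocess
from typing import Optional

# ---- 10.2 Cross-site scripting: untrusted text placed into HTML -----------------

def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the comment straight into markup, so a <script> tag executes."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Escapes < > & and quotes, so the browser shows the text instead of running it."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# ---- 10.3 Command injection: untrusted text reaching a shell ---------------------

_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # allow-list of what a host looks like


def lookup_vulnerable(host: str) -> str:
    """shell=True hands the whole string to sh, so '; cmd' runs a second command."""
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout


def lookup_safe(host: str) -> str:
    """Allow-list the input, then pass it as one argv element with no shell in between."""
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


# ---- 10.4 SQL injection: untrusted text spliced into a query --------------------

def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String-built WHERE clause: a quote in the payload ends the literal early."""
    q = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: values travel separately from the SQL text and are never re-parsed."""
    q = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(q, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(lookup_vulnerable("8.8.8.8; echo INJECTED"))
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))
    print(login_safe(conn, "alice", "' OR '1'='1"))
```

The fix is the same shape in all three cases: keep data and code apart by handing the value to the interpreter through an interface that does not re-parse it (escaping for HTML, argv without a shell, bound parameters for SQL), and allow-list the input wherever its expected shape is known.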








Lesson 11

11.1 Exfiltration (LEC, 1 h; tool: Kali Linux)
    Data exfiltration is an unauthorized transfer of data from a computer carried out by an attacker or an insider. It is also called data extrusion or data exportation and is considered a form of data theft. This lecture explains the motives and the techniques used in data exfiltration.

11.2 Steganography (LAB, 1 h; tool: Kali Linux)
    Steganography is the practice of concealing a file, message, image or video within another file, message, image or video. Its art is that the hidden message does not attract attention to itself as an object of scrutiny: it hides in plain sight.

11.3 Data Manipulation (LAB, 1 h; tool: Kali Linux)
    One of the main exfiltration methods is to use communication channels that are most likely allowed out of the network, such as HTTP, HTTPS and email. Attackers disguise the exfiltration as legitimate web requests to bypass detection.

11.4 DNS Tunneling (LAB, 1 h; tool: Kali Linux)
    Tunneling is a more concealed exfiltration method: it carries the data inside DNS, another common standard protocol, so that the illegitimate traffic bypasses detection.
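Both halves of module 11.4 in code, added here as an example and not part of the course material: an encoder that packs bytes into DNS query names the way a tunnel client does, the matching decoder a tunnel server would run, and a detector that scores a query log per zone by unique-subdomain count, label length and entropy. The tunnel zone tun.example.net, the log line format, the log lines and the thresholds are constructed for the demo.

```python
"""DNS tunneling from both ends: packing exfiltrated bytes into query names, and
a detector that scores a DNS query log for the pattern this leaves behind.

Added example for modules 11.1 and 11.4; not course material. The tunnel zone,
the log format, every log line and the thresholds are constructed.
"""
import base64
import hashlib
import math
from collections import defaultdict
from typing import Dict, List

MAX_LABEL = 63                     # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                     # and a whole name at most 253 octets in text form
TUNNEL_DOMAIN = "tun.example.net"  # constructed attacker-controlled zone


def encode_queries(data: bytes, domain: str, chunk_bytes: int = 30) -> List[str]:
    """Split data into numbered base32 chunks, each sent as '<seq>.<chunk>.<domain>'.

    Base32 keeps labels within letters and digits and survives the case folding
    resolvers apply; 30 bytes become a 48-character label, under the 63 limit.
    """
    names = []
    for seq, i in enumerate(range(0, len(data), chunk_bytes)):
        chunk = base64.b32encode(data[i:i + chunk_bytes]).decode("ascii").rstrip("=").lower()
        name = f"{seq}.{chunk}.{domain}"
        if len(chunk) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for a DNS name")
        names.append(name)
    return names


def decode_queries(names: List[str], domain: str) -> bytes:
    """What the tunnel's server does: strip the zone, re-pad the base32, reorder by seq."""
    chunks = {}
    for name in names:
        seq, chunk = name[: -len(domain) - 1].split(".", 1)
        chunks[int(seq)] = base64.b32decode(chunk.upper() + "=" * (-len(chunk) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 chunks score around 4.5, readable labels around 2."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels; enough for the demo, production code uses the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_dns_log(lines: List[str], min_unique: int = 20, min_label: int = 30,
                  min_entropy: float = 3.5) -> Dict[str, dict]:
    """Per registered zone: unique subdomains, longest label, mean entropy, verdict.

    Constructed line format: '<timestamp> <client_ip> <qtype> <qname>'. A tunnel shows
    as one zone with many never-repeated, long, high-entropy subdomains; a busy but
    legitimate zone repeats a small set of short readable names.
    """
    per_zone = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or line.startswith("#"):
            continue
        per_zone[registered_domain(parts[3])].add(parts[3].lower())
    report = {}
    for zone, names in per_zone.items():
        subs = [n[: -len(zone) - 1] for n in names if n != zone]
        if not subs:
            continue
        longest = max(len(label) for s in subs for label in s.split("."))
        entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[zone] = {"unique_subdomains": len(subs), "longest_label": longest,
                        "mean_entropy": round(entropy, 2),
                        "flagged": len(subs) >= min_unique and longest >= min_label
                        and entropy >= min_entropy}
    return report


def constructed_secret(n: int = 640) -> bytes:
    """Deterministic pseudo-random bytes standing in for a stolen file (demo only)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_log() -> List[str]:
    """Constructed log: routine lookups under example.com plus one tunnel session."""
    legit = ["www", "mail", "imap", "www", "cdn"] * 10
    lines = [f"2021-04-06T17:{i % 60:02d}:00 10.0.0.5 A {sub}.example.com"
             for i, sub in enumerate(legit)]
    for i, name in enumerate(encode_queries(constructed_secret(), TUNNEL_DOMAIN)):
        lines.append(f"2021-04-06T17:{i % 60:02d}:30 10.0.0.7 TXT {name}")
    return lines


if __name__ == "__main__":
    for zone, stats in score_dns_log(sample_log()).items():
        print(zone, stats)
```

The thresholds are a starting point, not a rule: CDNs and some anti-virus update services also generate long, unique, high-entropy subdomains, so in production a per-zone allow list and query volume over time belong in the score as well, and the Blue Team environments with a SIEM are where that history is kept.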












Total module duration: 56.5 hours.


Incident Response






Red Team Tools Red Team Tools Blue Team Group 1 Blue Team Group 2 Blue Team Group 3 Blue Team Group 4 Blue Team Group 5 Blue Team Group 6 Blue Team Group 7 Blue Team Group 8 PS team Feasibility Effort Needed Estimated Effort
Lesson Module Topic Content Type Module Duration (hours) Detail description ( purpose, target, detail content) Kali Linux Windows BPS+ NGFW BPS + NGFW + SIEM + NAC BPS + NGFW + WAF BPS + NGFW + Email FW BPS + NGFW + Vision One + SandBox BPS + NGFW + Anti DDoS BPS + TAP + Vision One + NX NGFW +  End Protection HX


1 Security and Responsibilities LEC 2 This lesson covers the basics of the incident response process, the structure, escalation order, service level agreement [SLA]









NO No
2 Roles and Responsibilities LEC 1 Understand the process of incident response team activity, and learn to focus on minimizing damage, and recovering quickly.
Understand how to collect and analyze all evidence, determines root cause, directs the other security analysts, and implements rapid system and service recovery










NO No
3 Incident Handling LEC 2 Learning the 5 steps of Incident Handling
a. Preparation
b. Identification
c. Containment
d. Eradication
e. Recovery and Lesions learned [RCA]










NO No
4 Hacker Methodology LEC 2 In this lesson, understand the techniques and motive leading to an attack by hacker. To identify, defend and deal with different attacks and zero day attacks in particular, and understand the various method in order to prevent it.









NO No
5 | Security Logs | LEC/LAB | 1 h | Understand the different kinds of logs a security device produces and how they reveal the attacks passing through, or being attempted against, the network. | BPS + NGFW + SIEM + NAC | No | No | -
6 | Networking and Packet Analysis | LEC/LAB | 2 h | How to enable packet captures at the right points in the network and analyze them in depth. Working through different capture files to understand traffic and attack flows also helps discover and resolve network issues. | BPS + NGFW | No | No | -
7 | Basic Malware Analysis | LEC/LAB | 1 h | Analyze captured traffic to recover and understand the malicious code (malware) involved, assess the damage, find the point of compromise and determine whether a vulnerability was exploited. | - | No | No | -
8 | Honeypots | LEC/LAB | 2 h | A honeypot is a trap a network defender sets for an attacker; the expectation is that the attacker interacts with it, and the resulting traffic and packet exchanges yield useful information about the attacker's tools and methods. | - | Yes | Yes | 2
9 | Basic Forensics | LEC/LAB | 1 h | The basics of digital forensics: identification, collection (with preservation of the evidence), analysis and reporting of findings. | Kali Linux | No | No | -
10 | Hashing Algorithms | LEC/LAB | 2 h | Learn why hashing is needed: it underpins integrity, one of the three aspects of the CIA triad (confidentiality, integrity, availability). Work with different hash functions, configure them in the lab and compare their output and properties. | Kali Linux | No | No | -
11 | Parsing and Correlating Security Logs | LEC/LAB | 2 h | How log parsing works: the tools used must make it easy to extract field values from raw log data. Events from across the network must then be correlated so that the analyst can understand what is occurring and use that information to resolve the issue at hand. | BPS + NGFW + SIEM + NAC | No | No | -
12 | Backup and Restoration | LEC/LAB | 1 h | As part of the incident response team, daily tasks include backing up the various systems and devices across the network and being able to restore them after a failure, bug or incident. Timely backups, stored safely (and kept out of reach of an attacker who has the production network), are what make restoration possible. | BPS + NGFW | No | No | -
13 | Insider Threat - DLP | LEC/LAB | 2 h | Understand how an attacker targets the people 'inside' the network to get malicious code installed or a backdoor opened, giving the attacker access to systems and resources they should not have. A single click by an unsuspecting user can be enough to let the attacker in; data loss prevention (DLP) controls limit what an insider, witting or not, can send out. | BPS + NGFW | No | No | -
14 | APT - Case Study | LEC/LAB | 2 h | Walk through all the steps an attacker takes to get inside a network, reach its resources and steal data by exploiting human and machine weaknesses, using a real-world example. | BPS + NGFW | Yes | No | -



Total duration: 23 h | Total estimated effort: 2

Red Teaming






Lesson | Topic | Type | Duration | Description | Lab platform | PS team feasibility | Effort needed | Estimated effort


1 | Essential Tools | LEC/LAB | 3 h | Ethical hacking tools let you scan for, search out and find flaws and vulnerabilities in an organization's systems and applications in order to make them more secure. This lesson goes over the essential tools most ethical hackers use. | Kali Linux | Yes | No | -
2 | Passive Information Gathering | LEC/LAB | 3 h | In passive information gathering, information about the target is collected from publicly available sources (search engine results, WHOIS records, and so on). The goal is to learn as much as possible about the target without ever contacting its systems. | Kali Linux | Yes | Yes | 3
3 | Active Information Gathering | LEC/LAB | 3 h | In active information gathering, more information is obtained by interacting directly with the targets. Unlike passive gathering, doing this without authorization can be illegal (in some countries). Methods include DNS enumeration, port scanning and OS fingerprinting. | Kali Linux | Yes | No | -
4 | Metasploit Framework | LEC/LAB | 5 h | Metasploit is one of the most popular open-source penetration testing frameworks available today. It offers a large collection of modules, from scanning utilities to ready-to-launch exploits, including encoders used to bypass common security defenses. This lesson covers the history, modules and usage of Metasploit. | Kali Linux | Yes | No | -
5 | Vulnerability Scanning | LEC/LAB | 2 h | Vulnerability scanning is the automated identification of potential and known vulnerabilities in network devices and applications, at the network or application level. This lesson covers different vulnerability scanners and their usage. | Kali Linux | Yes | Yes | 2
6 | Password Attacks | LEC/LAB | 3 h | Password attacks are a critical part of a penetration tester's arsenal, and preparation (wordlists, mangling rules, knowledge of the hashing scheme in use) has a major impact on their success or failure. This lesson looks at both local (offline, against captured hashes) and remote (online, against a login service) password attacks and the respective advantages and disadvantages of each. | Kali Linux | Yes | No | -
7 | Spoofing Attacks | LEC/LAB | 5 h | Many protocols in the TCP/IP suite provide no mechanism for authenticating the source or destination of a message and are therefore vulnerable to spoofing unless applications take extra precautions to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular can be used to mount man-in-the-middle attacks against hosts on a network. | Kali Linux | Yes | No | -
8 | Buffer Overflow Exploitation | LEC/LAB | 2 h | Buffer overflows have been used for many years as an effective means of penetrating systems and gaining remote access. Exploitation takes advantage of a programming weakness, typically a missing bounds check on a declared buffer, to corrupt memory and hijack execution so that the attacker can run code on the victim's system. | Kali Linux | Yes | Yes | 2
9 | Privilege Escalation | LEC/LAB | 2 h | Privilege escalation is the exploitation of a bug, design flaw or misconfiguration in an operating system or application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than the developer or administrator intended can perform unauthorized actions. This lesson explains how that is achieved. | Kali Linux | Yes | No | -
10 | Web Application Attacks | LEC/LAB | 5 h | The web is an indispensable part of a company's daily business. Attackers take advantage of vulnerabilities in web application code or the underlying software to gain access to the server or database; these are known as web application attacks. This lesson looks at the different types of web application attack and how each exploits coding or software errors. | Kali Linux | Yes | No | -
11 | Exfiltration | LEC/LAB | 3 h | Data exfiltration is an unauthorized transfer of data from a computer, carried out by an external attacker or an insider. It is also called data extrusion or data exportation and is a form of data theft. This lesson explains the motives and techniques used in data exfiltration, with a lab exercise. | Kali Linux | Yes | No | -



Total duration: 36 h | Total estimated effort: 7

Blue Teaming I







Lesson | Module | Topic | Type | Duration | Description | Lab platform | PS team feasibility | Effort needed | Estimated effort


1 | 1.1 | Attack Evolution and Trend | LEC | 1 h | Learn how attacks are evolving and becoming smarter and more sophisticated while requiring less effort from the attacker: a single released tool or piece of code can do the job, and existing known attacks can be tweaked so that they behave like new (zero-day-like) attacks that current security systems do not detect. | - | No | - | -
- | 1.2 | Attack Detection Method | LEC | 1 h | The various methods defenders can use to detect attacks, depending on the security systems in place: using captures to detect new attack patterns, identifying different traffic types, and selecting methods to prevent the attacks found. | - | No | - | -
2 | 2.1 | Advanced Persistent Threat (APT) | LEC | 2 h | How an advanced persistent threat (APT) works: it uses multiple phases to break into a network, avoid detection and harvest valuable information over the long term. The lesson details the attack phases, methods and motivations that differentiate APTs from other targeted attacks. | - | Yes | Yes | 2
- | 2.2 | Step 1: Reconnaissance | LEC/LAB | 2 h | Learn the methodology behind the attack by doing the same research an attacker does, with labs on WHOIS lookups, web-based reconnaissance, DNS analysis and similar techniques. | BPS + NGFW | No | - | -
- | 2.3 | Step 2: Malicious URL Access / Point of Entry | LEC/LAB | 2 h | Lab exercises showing how the attacker uses this step to gain access or deliver malicious code as the entry point. Attackers use social engineering, spam and similar approaches to make sure the link is clicked or the attachment is downloaded by the user. | BPS + NGFW | Yes | - | -
- | 2.4 | Step 3: Using Exploits and Malware to Gain Access | LEC/LAB | 2 h | Whatever the delivery method, the exploit or malware that reaches the user's system performs the tasks its code dictates: granting the attacker elevated (root) access, opening a backdoor, moving laterally through the network, and advanced techniques such as modifying code and logs to cover its tracks. | BPS + NGFW | No | - | -
- | 2.5 | Step 4: Callback (C&C) Traffic | LEC/LAB | 2 h | A command and control (C&C) server is a system controlled by the attacker. It exists to receive connections initiated from inside the targeted organization's network (compromised computers, smartphones or IoT devices) and to maintain communication with those hosts so the attacker can operate through them. This session covers how this works in real time. | BPS + NGFW | No | - | -
- | 2.6 | Step 5: Data Leakage | LEC/LAB | 2 h | What data leakage means and looks like in real life: the malware steals the targeted data from a machine and exfiltrates it off the network to external storage controlled by the attacker. Stolen data serves many purposes: selling it back to the organization, selling it on the dark web to the highest bidder, or, in some cases, the whole APT is personally motivated or paid for by a competitor. | BPS + NGFW | Yes | Yes | 2
3 | 3.1 | Perimeter Defense | LEC | 1 h | The different mechanisms companies use to defend the perimeter. Every network design is unique, and some organizations (financial or healthcare, for example) deploy more perimeter devices than others. Perimeter defense is crucial because it is the first line of defense and is exposed to many attacks and large volumes of unwanted traffic, so it must be monitored, updated and managed daily. | BPS + NGFW | No | - | -
- | 3.2 | Geolocation | LAB | 1 h | Geolocation databases are built into today's security and network devices. Understand why the feature matters: it is a crucial and convenient way to block unwanted traffic from reaching your network and to keep devices from being overloaded with traffic that has no business there. | BPS + NGFW | No | - | -
- | 3.3 | Application Awareness and Control | LAB | 1 h | Traditional devices did not have this option, so this lesson covers the need for the feature and how to use it. It lets you see which applications are in use on your network and gives you the means to control that usage by identifying the applications and enforcing security policy at the application layer, independently of port and protocol. | BPS + NGFW | No | - | -
- | 3.4 | IPS | LAB | 2 h | Intrusion prevention systems are among the most important elements in a network's line of defense. An IPS works on signatures that trigger on the traffic and attacks it sees; it sits in the same place as the firewall, or inside it (NGFW), between the outside world and the internal network, and proactively drops traffic that matches a known threat in its security profile. | BPS + NGFW | No | - | -
- | 3.5 | URL Filtering | LAB | 2 h | Understand the different URL categories and the mechanisms for filtering them according to the organization's architecture and user requirements. URL filtering controls Internet access by allowing or blocking sites based on the category a URL belongs to; blocking unneeded categories or domains, or maintaining your own blocklist, genuinely reduces the number of threats reaching the network. | BPS + NGFW | No | - | -
- | 3.6 | Anti-Virus/Anti-Malware | LAB | 2 h | Learn why anti-virus/anti-malware capability is needed on the various security tools and practice configuring it: inspecting HTTP/HTTPS traffic on the fly for infected files and flows and making sure they do not pass through the device. Incoming files are scanned for viruses or malware hidden inside them that the user is not aware of, so the infection can be prevented. | BPS + NGFW + Vision One + SandBox | No | - | -
4 | 4.1 | SIEM | LEC | 1 h | Security information and event management (SIEM) software gives enterprise security teams both insight into, and a record of, the activity within their IT environment. | BPS + NGFW + SIEM + NAC | No | - | -
- | 4.2 | Introduction to SIEM | LAB | 2 h | A SIEM collects and aggregates log data generated throughout the organization's infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. This lesson covers basic use of the SIEM, including its search filters. | BPS + NGFW + SIEM + NAC | No | - | -
- | 4.3 | Planning and Sizing | LAB | 1 h | In any defense team, some members will be responsible for sizing the SIEM correctly for their network. SIEM licensing is based on how much data the tool parses (typically events per second or gigabytes per day), and the right size depends on the number of users and log sources and the volume of traffic passing through. | BPS + NGFW + SIEM + NAC | No | - | -
- | 4.4 | Log Collection and Correlation | LAB | 2 h | The SIEM identifies, categorizes and analyzes incidents and events. It delivers two main outputs: reports on security-related events such as successful and failed logins, malware activity and other possibly malicious activity; and alerts when analysis shows that an activity violates a predetermined rule set and thus indicates a potential security issue. | BPS + NGFW + SIEM + NAC | No | - | -
- | 4.5 | Monitoring and Tuning | LAB | 2 h | The final SIEM lesson covers how to monitor it efficiently and fine-tune it. A SIEM becomes overwhelming unless time is spent understanding the context and value of each log source and using the SIEM's configuration to control the amount of data presented to the analyst. | BPS + NGFW + SIEM + NAC | No | - | -
5 | 5.1 | Introduction to Network and Packet Analysis | LEC | 2 h | The background needed to analyze packets and protocols. Captures intercept chunks of data as they traverse the network in order to understand what is happening inside it, debug connections or traffic that is not getting through, or explain the failure of a device or system that led to downtime. | - | No | - | -
- | 5.2 | Network Visibility | LAB | 2 h | Network visibility solutions provide real-time, end-to-end visibility into physical and virtual networks, delivering the control, coverage and performance needed to protect and improve networking, data center and cloud assets. | BPS + TAP + Vision One + NX | No | - | -
- | 5.3 | Packet Analysis 1 | LAB | 2 h | Learn to capture packets in real time, display them in the human-readable form the tools provide, and make sense of the flow: intercepting and logging the traffic that passes through the network and interpreting it correctly. | BPS + NGFW | No | - | -
- | 5.4 | Packet Analysis 2 | LAB | 2 h | Learn to decode raw data into the values of the individual packet fields and analyze the content against the relevant RFC or standard; perform deep analysis of protocols and packets, extract payloads and attachments, and apply deeper forensic techniques. | BPS + NGFW | No | - | -




Total duration: 39 h | Total estimated effort: 4

Blue Teaming II







Lesson | Module | Topic | Type | Duration | Description | Lab platform | PS team feasibility | Effort needed | Estimated effort


1 | 1.1 | SQL Injection | LEC/LAB | 1.5 h | The attacker injects malicious SQL into user input fields of a web application (submission forms, contact forms, search boxes) so that it becomes part of a query sent to the backend database. With this the attacker can extract sensitive customer or business information, gain unauthorized administrative access, modify or delete data, or even take full control of the web application. | BPS + NGFW + WAF | Yes | No | -
- | 1.2 | Cross-Site Scripting | LEC/LAB | 1 h | XSS attacks target the users of a vulnerable web application in order to run attacker-controlled script in, and gain control over, their browsers. The attacker exploits gaps in the application's output handling to inject script that executes when an unsuspecting user loads the page. | BPS + NGFW + WAF | Yes | No | -
- | 1.3 | Remote File Inclusion | LEC/LAB | 1 h | Remote file inclusion (RFI) targets web applications that dynamically include scripts referenced by user-controlled input. The attacker's goal is to abuse that include function to load and execute code (for example a backdoor web shell) from a URL on a domain the attacker controls. | BPS + NGFW + WAF | Yes | Yes | 1
- | 1.4 | Local File Inclusion | LEC/LAB | 1 h | Local file inclusion (LFI) makes the application include, and so execute or disclose, files that are already on the server. It exploits include or upload functions that fail to validate user-controlled input, typically through path traversal (../) or by first uploading a malicious file and then including it. | BPS + NGFW + WAF | Yes | Yes | 1
- | 1.5 | OS Command Injection | LEC/LAB | 1.5 h | OS command injection is a critical class of vulnerability: user input reaches a shell command unsanitized, allowing the attacker to execute arbitrary commands on the server, which often leads to its complete compromise. | BPS + NGFW + WAF | Yes | Yes | 1.5
- | 1.6 | Cross-Site Request Forgery | LEC/LAB | 1 h | In a cross-site request forgery (CSRF) attack the user is tricked, for example by visiting an attacker's page or clicking a link, into sending a request the user did not intend; because the browser attaches the user's session cookies automatically, the application performs the action within the authenticated session. | BPS + NGFW + WAF | Yes | Yes | 1
2 | 2.1 | ICMP Flood | LEC/LAB | 1 h | A common denial of service (DoS) attack in which the attacker overwhelms the victim with ICMP echo requests (pings). | BPS + NGFW + Anti DDoS | Yes | Yes | 1
- | 2.2 | SYN Flood | LEC/LAB | 1 h | Exploits the TCP three-way handshake by sending the target a large number of TCP SYN (initial connection request) packets with spoofed source addresses, leaving half-open connections that exhaust the target's connection table. | BPS + NGFW + Anti DDoS | Yes | Yes | 1
- | 2.3 | UDP Flood | LEC/LAB | 1 h | A volumetric DoS attack using the User Datagram Protocol (UDP), a connectionless protocol: the target is flooded with datagrams on random ports and spends its resources checking for listeners and replying with ICMP unreachable messages. | BPS + NGFW + Anti DDoS | Yes | Yes | 1
- | 2.4 | Slowloris | LEC/LAB | 1 h | DoS from a different angle: instead of a volumetric attack, Slowloris overwhelms a web server by opening many simultaneous HTTP connections and keeping them open with partial requests, exhausting the server's connection pool while using very little bandwidth. | BPS + NGFW + Anti DDoS | Yes | No | -
- | 2.5 | DNS Amplification | LEC/LAB | 1 h | Uses open DNS resolvers to carry out the attack: the attacker sends small queries with the victim's address as the spoofed source, and the resolvers respond to the victim with much larger answers, so the victim receives an amplified version of the attacker's initial traffic. | BPS + NGFW + Anti DDoS | Yes | Yes | 1
- | 2.6 | Network Meltdown | LEC/LAB | 1.5 h | A combination of volumetric attacks (UDP and TCP SYN floods) and critical malware traffic is generated together to measure the mitigation capabilities of an anti-DDoS and IPS solution. | BPS + NGFW + Anti DDoS | Yes | No | -
3 | 3.1 | Spammers and Anti-spam | LEC/LAB | 1.5 h | What a spammer is and what spammers are after, and how a secure email gateway prevents users from receiving spam or handles the spam it identifies. | BPS + NGFW + Email FW | Yes | No | -
- | 3.2 | Antivirus in Email | LEC/LAB | 1 h | How a secure email gateway protects users from malicious attachments using antivirus engines, and the common and best-practice approaches for doing so. | BPS + NGFW + Email FW | Yes | No | -
- | 3.3 | Phishing Email | LEC/LAB | 1 h | Phishing email is the most common entry point in a cyber attack. This scenario examines what a phishing email is, the motives and objectives behind it, and the ways phishing emails can be prevented. | BPS + NGFW + Email FW | Yes | Yes | 1
- | 3.4 | Content Disarm and Reconstruction | LEC/LAB | 1 h | HTML in email bodies and attachments may contain potentially malicious tags and attributes (hyperlinks, scripts), and MS Office and PDF attachments may contain malicious macros, active scripts and other active content harmful to users. Content disarm and reconstruction (CDR) removes or neutralizes the potentially hazardous content and rebuilds the message and attachments without it. | BPS + NGFW + Email FW | Yes | Yes | 1
- | 3.5 | Bounce Verification | LEC/LAB | 1 h | Spammers fraudulently use other people's addresses as the envelope sender (MAIL FROM) when delivering spam. When such a message cannot be delivered, the receiving server returns a delivery status notification (DSN, or bounce) to the envelope sender, who never sent the original message. Bounce verification tags the envelope sender of outgoing mail so that bounces to addresses you never sent from can be rejected. | BPS + NGFW + Email FW | No | - | -
- | 3.6 | Adult Image Analysis | LEC/LAB | 1.5 h | The law prohibits sending or possessing nude images of minors. One way to identify and prevent violations, especially in a work environment, is to detect users sending or receiving adult images via email. | BPS + NGFW + Email FW | Yes | Yes | 1.5
- | 3.7 | DLP in Email | LEC/LAB | 1.5 h | How users accidentally or intentionally send confidential or sensitive information out of the organization via email, and how data loss prevention (DLP) on the email gateway identifies sensitive data in messages and attachments and stops it from leaving the network. | BPS + NGFW + Email FW | Yes | Yes | 1.5
- | 3.8 | Directory Harvest Attack | LEC/LAB | 1.5 h | A common method spammers use to determine a mail server's valid addresses (by probing many candidate recipients and noting which ones are accepted) so that they can be added to a spam database, and how a directory harvest attack can be prevented. | BPS + NGFW + Email FW | No | - | -
1 | 1.1 | Network Traffic Access (TAP vs SPAN) | LEC/LAB | 1.5 h | How to gain access to network traffic at the packet level, and the pros and cons of SPAN (mirror) ports versus network taps. | BPS + TAP + Vision One + NX | No | - | -
- | 1.2 | Role of Network Packet Broker | LEC/LAB | 1 h | Network security seen from the visibility layer: what a network packet broker (NPB) is and how it delivers the right traffic to each security tool. | BPS + TAP + Vision One + NX | No | - | -
- | 1.3 | Application Processing in NPB | LEC/LAB | 1 h | A deeper look at network packet broker features and how they enhance security, including visibility into encrypted traffic through passive SSL/TLS decryption (which needs the server's private key and an RSA key exchange, and so does not work for forward-secret cipher suites). | BPS + TAP + Vision One + NX | No | - | -
- | 1.4 | Active/Inline SSL Interception | LEC/LAB | 1 h | How SSL/TLS evolved toward perfect forward secrecy (PFS), why that is a double-edged sword for defenders (passive decryption no longer works), and how organizations detect malicious traffic inside TLS 1.3 connections with inline interception. | BPS + TAP + Vision One + NX | No | - | -
2 | 2.1 | Endpoint Protection | LEC/LAB | 1.5 h | How endpoint protection evolved from antivirus software (AV) to endpoint detection and response (EDR), the differences between the two, and how EDR works. | NGFW + End Protection HX | Yes | No | -
- | 2.2 | Indicator of Compromise (IOC) on Endpoint | LEC/LAB | 1 h | How EDR defines and determines an indicator of compromise (IOC) on an endpoint: what triggers an IOC and how to confirm it. | NGFW + End Protection HX | No | - | -
- | 2.3 | Endpoint Triage Summary and Report | LEC/LAB | 1 h | The triage summary and triage report in EDR, the information they contain and the investigation techniques applied to them. | NGFW + End Protection HX | No | - | -
- | 2.4 | Compromised Endpoint Containment | LEC/LAB | 1 h | Containing a compromised endpoint with EDR. Containment should be done immediately to prevent the compromised endpoint from infecting others; it also supports further investigation and root cause analysis. | NGFW + End Protection HX | No | - | -
- | 2.5 | Data Acquisition on Endpoint | LEC/LAB | 1 h | After an endpoint has been contained, data acquisition (live forensics) can be performed on it without affecting other endpoints. This is an essential step in understanding the extent and potential impact of the intrusion. | NGFW + End Protection HX | No | - | -
- | 2.6 | Automated Rule Creation from Network Security Alerts | LEC/LAB | 1.5 h | How the network security appliance (NX) integrates with EDR (HX) to create custom IOC rules: when the network side identifies a new threat, a rule is pushed to all endpoints so they can protect themselves. | BPS + TAP + Vision One + NX; NGFW + End Protection HX | No | - | -
3 | 3.1 | Sandboxing Technique | LEC/LAB | 3 h | The sandboxing technique: how it differs from traditional (signature-based) detection, and the modes of operation in which a sandbox can be used. | BPS + NGFW + Vision One + SandBox | Yes | Yes | 3
- | 3.2 | Suspicious Characteristics of a File | LEC/LAB | 2 h | What kinds of behavior are considered suspicious or malicious when a file is executed in a sandbox environment. | BPS + NGFW + Vision One + SandBox | Yes | Yes | 2
- | 3.3 | YARA Rules | LEC/LAB | 1 h | What a YARA rule is, how to write one, and how rules are used to identify malware families. | BPS + NGFW + Vision One + SandBox | No | - | -
- | 3.4 | Custom VM for Sandboxing | LEC/LAB | 1 h | The virtual machine used for sandboxing. Each organization runs its own combination of OS versions, applications and configuration, and the sandbox VM should mirror it so that file execution is simulated in a realistic setup. | BPS + NGFW + Vision One + SandBox | No | - | -
- | 3.5 | Indicator of Compromise (IOC) and STIX | LEC/LAB | 1 h | What information is collected when there is an indicator of compromise. This typically includes virus signatures, IP addresses, MD5 (or other) hashes of malware files or URLs, and domain names of botnet command and control servers. It is common in the industry to store and exchange this data in STIX format. | BPS + NGFW + Vision One + SandBox | No | - | -




Total duration: 43 h | Total estimated effort: 13.5

Blue Teaming III







Lesson | Module | Topic | Type | Duration | Description | Lab platform | PS team feasibility
1 | 1.1 | Network Traffic Access (TAP vs SPAN) | LEC/LAB | 1.5 h | How to gain access to network traffic at the packet level, and the pros and cons of SPAN (mirror) ports versus network taps. | BPS + TAP + Vision One + NX | No
- | 1.2 | Role of Network Packet Broker | LEC/LAB | 1 h | Network security seen from the visibility layer: what a network packet broker (NPB) is and how it delivers the right traffic to each security tool. | BPS + TAP + Vision One + NX | No
- | 1.3 | Application Processing in NPB | LEC/LAB | 1 h | A deeper look at network packet broker features and how they enhance security, including visibility into encrypted traffic through passive SSL/TLS decryption (which needs the server's private key and an RSA key exchange, and so does not work for forward-secret cipher suites). | BPS + TAP + Vision One + NX | No
- | 1.4 | Active/Inline SSL Interception | LEC/LAB | 1 h | How SSL/TLS evolved toward perfect forward secrecy (PFS), why that is a double-edged sword for defenders (passive decryption no longer works), and how organizations detect malicious traffic inside TLS 1.3 connections with inline interception. | BPS + TAP + Vision One + NX | No
2 | 2.1 | Endpoint Protection | LEC/LAB | 1.5 h | How endpoint protection evolved from antivirus software (AV) to endpoint detection and response (EDR), the differences between the two, and how EDR works. | NGFW + End Protection HX | No
- | 2.2 | Indicator of Compromise (IOC) on Endpoint | LEC/LAB | 1 h | How EDR defines and determines an indicator of compromise (IOC) on an endpoint: what triggers an IOC and how to confirm it. | NGFW + End Protection HX | No
- | 2.3 | Endpoint Triage Summary and Report | LEC/LAB | 1 h | The triage summary and triage report in EDR, the information they contain and the investigation techniques applied to them. | NGFW + End Protection HX | No
- | 2.4 | Compromised Endpoint Containment | LEC/LAB | 1 h | Containing a compromised endpoint with EDR. Containment should be done immediately to prevent the compromised endpoint from infecting others; it also supports further investigation and root cause analysis. | NGFW + End Protection HX | No
- | 2.5 | Data Acquisition on Endpoint | LEC/LAB | 1 h | After an endpoint has been contained, data acquisition (live forensics) can be performed on it without affecting other endpoints. This is an essential step in understanding the extent and potential impact of the intrusion. | NGFW + End Protection HX | No
- | 2.6 | Automated Rule Creation from Network Security Alerts | LEC/LAB | 1.5 h | How the network security appliance (NX) integrates with EDR (HX) to create custom IOC rules: when the network side identifies a new threat, a rule is pushed to all endpoints so they can protect themselves. | BPS + TAP + Vision One + NX; NGFW + End Protection HX | No
3 | 3.1 | Sandboxing Technique | LEC/LAB | 3 h | The sandboxing technique: how it differs from traditional (signature-based) detection, and the modes of operation in which a sandbox can be used. | BPS + NGFW + Vision One + SandBox | No
- | 3.2 | Suspicious Characteristics of a File | LEC/LAB | 2 h | What kinds of behavior are considered suspicious or malicious when a file is executed in a sandbox environment. | BPS + NGFW + Vision One + SandBox | No
- | 3.3 | YARA Rules | LEC/LAB | 1 h | What a YARA rule is, how to write one, and how rules are used to identify malware families. | BPS + NGFW + Vision One + SandBox | No
- | 3.4 | Custom VM for Sandboxing | LEC/LAB | 1 h | The virtual machine used for sandboxing. Each organization runs its own combination of OS versions, applications and configuration, and the sandbox VM should mirror it so that file execution is simulated in a realistic setup. | BPS + NGFW + Vision One + SandBox | No
- | 3.5 | Indicator of Compromise (IOC) and STIX | LEC/LAB | 1 h | What information is collected when there is an indicator of compromise. This typically includes virus signatures, IP addresses, MD5 (or other) hashes of malware files or URLs, and domain names of botnet command and control servers. It is common in the industry to store and exchange this data in STIX format. | BPS + NGFW + Vision One + SandBox | No




19.5











Mobile Wi-Fi Security

| Lesson | Module | Topic | Content Type | Module Duration (hours) | Detail description (purpose, target, detail content) | Red Team (FortiAP, UXM) / PS team | Feasibility |
|---|---|---|---|---|---|---|---|
| 1 | 1.1 | Wi-Fi Introduction | LEC/LAB | 5 | Wi-Fi (IEEE 802.11 based WLANs) allows networking of computers and digital devices without the need for wires. Data is transferred over radio frequencies, allowing Wi-Fi capable devices to receive and transmit data when they are in range of a Wi-Fi network. In this lecture, we will go through the history of Wi-Fi and the technology it uses. | | NO |
| | 1.2 | Beacon Frames | LAB | 1 | The beacon frame is one of the management frames in IEEE 802.11 based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically; they serve to announce the presence of a wireless LAN and to synchronize the members of the service set. Beacon frames are transmitted by the access point (AP) in an infrastructure basic service set (BSS). | X | NO |
| | 1.3 | WLAN Authentication | LAB | 1 | Before a wireless client device can communicate on a network through the access point, it must first authenticate to the access point. Different types of authentication are supported, and some are more vulnerable to sniffing than others. | X | NO |
| | 1.4 | Hotspot Attacks | LAB | 1 | A rogue Wi-Fi access point appears to be a legitimate one but has actually been set up by a hacker to eavesdrop on wireless communications. An evil twin is the wireless version of the "phishing" scam: an attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. | X | NO |
| | 1.5 | Cracking WPA2 | LAB | 2 | Cracking WPA2 has been known for quite a long time and involves momentarily disconnecting a connected device from the access point being tested. However, many public Wi-Fi networks still rely on this authentication method. | X | NO |
| | 1.6 | Hacking WPA3 | LAB | 2 | WPA3 is the next-generation authentication technique in 802.11 for security. However, it has been shown that WPA3 has a serious flaw which can trick the technology into effectively leaking the password of a Wi-Fi network. | X | NO |
| 2 | 2.1 | Pen testing mobile devices | LEC | 1 | Mobile devices and applications are everywhere. Mobile application penetration testing gives organizations the ability to weed out any imperfections in their network that require immediate patching and/or protection. In this lecture, we will cover how a pen test works for mobile devices and some of the tools required. | | NO |
| | 2.2 | Jailbreaking iOS | LAB | 2 | To jailbreak your iPhone means freeing it from the limitations imposed by Apple. A freed device can install applications from outside Apple's iTunes App Store, and you can fiddle with previously restricted aspects of an iOS device. | X | NO |
| | 2.3 | Android root access | LAB | 2 | Android phones use Linux permissions and file-system ownership. Users are allowed to do certain things based on their permissions, and having root access means having permission to do everything. | X | NO |
| | 2.4 | Man in the Middle Attack | LAB | 1 | Man-in-the-middle attacks are nothing new. They have been around for years but have mostly been restricted to computers and laptops. With mobile growing at a fast pace, there has been a shift in emphasis to hacking mobile devices and apps to gather personal information. | X | NO |
| | 2.5 | SSL/TLS Attack | LAB | 1 | The SSL/TLS protocol is designed for enhanced security; however, many app developers do not have the security background or experience to design an app with proper security measures. Incorrect use of the Android platform's SSL libraries can expose applications and/or the device to MITM attacks. | X | NO |
| | 2.6 | Malicious payload download | LAB | 2 | An attacker may hide a malicious payload as an executable apk/jar inside the APK resources. After the app is installed, it opens the malware payload and executes its code. The malware may persuade the user to install the embedded apk by pretending to be a significant update in order to gain permissions or control. | X | NO |
| | 2.7 | Mobile Device Remote Access Trojans | LAB | 1 | A RAT is a type of malware that is very similar to legitimate remote access programs. The main difference, of course, is that RATs are installed on a device without the user's knowledge. | X | NO |
| | 2.8 | Mobile App Attacks | LEC/LAB | 1 | Mobile apps are often the cause of unintentional data leakage due to coding errors or improper security practices. Moreover, more and more hackers are focusing on leveraging vulnerabilities in these mobile apps to obtain personal information and access to a network. | X | NO |
| 3 | 3.1 | 4G Network Architecture | LEC/LAB | 2 | LTE, an abbreviation for Long-Term Evolution, commonly marketed as 4G LTE, is a standard for wireless communication of high-speed data for mobile phones and data terminals. It is based on the GSM/EDGE and UMTS/HSPA network technologies, increasing capacity and speed using a different radio interface together with core network improvements. In this lecture, we will cover the technologies and architecture of a 4G network. | X | NO |
| | 3.2 | 5G Network Architecture | LEC/LAB | 2 | 5G is the next-generation mobile network that promises to be a game changer when it comes to how we live our lives, and also challenges how business will be conducted in just about every industry. In this lecture, we will cover the technologies and architecture of a 5G network. | X | NO |
| | 3.3 | 4/5G vulnerabilities | LEC/LAB | 3 | In this lecture, we will cover some of the known vulnerabilities in 4G and 5G technologies, such as the aLTEr attack and IMP4GT. | | NO |

Total duration (hours): 30


ICS SCADA

| Lesson | Module | Topic | Content Type | Module Duration (hours) | Detail description (purpose, target, detail content) | Blue Team Group 1 (BPS+ NGFW) / Blue Team Group 9 (BPS) / PS team | Feasibility |
|---|---|---|---|---|---|---|---|
| 1 | 1.1 | Introduction to Industrial Control Systems | LEC | 1.5 | In this lecture, we will go over a high-level overview of what an Industrial Control System is, the history of ICS and how it is evolving. | | NO |
| | 1.2 | Increasing Relevance of ICS Protection | LEC | 1 | In this lecture, we will look at how Industry 4.0 is making a big push to protect ICS, as they are no longer running in an isolated environment. | | NO |
| | 1.3 | ICS Architecture | LEC | 2 | In this lecture, we will examine the architecture of ICS environments in earlier days and in the modern day. | X | NO |
| | 1.4 | HMI Role in ICS Environment | LEC | 1 | In this lecture, we will go over the role of the HMI in the ICS environment. | | NO |
| | 1.5 | Protocol Vulnerabilities | LEC/LAB | 2 | In this lesson, we will look at the history of some of the common SCADA protocols, what they are for and why they are vulnerable to security attacks. | X | NO |
| | 1.6 | Introduction to Security Practices in ICS | LEC | 1 | In this lesson, we will examine some security best practices for ICS and SCADA protocols, and how security can be implemented in an ICS environment. | | NO |
| 2 | 2.1 | Introduction to ICS Security Threats and consequences | LEC | 2 | In this lecture, we will look at some of the security threats in ICS environments and their consequences. | | NO |
| | 2.2 | Source of ICS Vulnerabilities | LEC | 2 | In this lecture, we will cover where to get the latest vulnerability information on ICS environments, and how organizations such as ICS-CERT take part in enhancing security in ICS. | | NO |
| | 2.3 | Attack Vectors in ICS Environment | LEC | 1.5 | In this lecture, we will look at the different attack vectors that exist in ICS environments. These attack vectors can be very different from those of a typical network environment, as their deployment nature is vastly different. | | NO |
| | 2.4 | Cyber Threats - SCADA HMI - Historian Vulnerabilities | LEC | 2 | In this lecture, we will take one example vulnerability case (Historian) and examine its cause and effect. | | NO |
| | 2.5 | Additional Steps in Securing ICS Networks | LEC | 1.5 | In this lecture, we will go over additional security measures for securing ICS networks that were not considered best practice. | X | NO |
| | 2.6 | Incident Response Plans | LEC | 2 | In this lecture, we will go through incident response plans in ICS security and how they can differ from incident response in a typical network. | | NO |
| 3 | 3.1 | Stuxnet | LAB | 2 | In this exercise, we will look at one famous ICS breach (Stuxnet): how the attack was carried out, the damage it caused and the end result. | X | NO |
| | 3.2 | BlackEnergy | LAB | 2 | In this exercise, we will look at one famous ICS breach (BlackEnergy): how the attack was carried out, the damage it caused and the end result. | X | NO |

Total duration (hours): 23.5
