Understanding communications, networking protocols, networking devices and how to analyze the respective logical and physical components of networking is one of the most crucial skills to learn, adapt, and master as a Cyber Defense Analyst.

• Gain demonstratable experience with networking ports and protocols
• Be able to perform in-depth network traffic capture analysis and triage
• Learn how to use industry tools like Wireshark to dissect network traffic
• Identify networked endpoint vulnerabilities

The Windows domain is the battlefield where insider threats and malicious adversaries conduct their attacks. Knowing how these networks operate is a critical step in your ability to discover the bad within.

• Learn the fundamentals of enterprise Windows networks in today’s workplaces
• Configure key active directory infrastructure and understand how domain services work
• Administer group policies and understand how different components of active directory work together
• Identify common pitfalls of enterprise networks

The business workstation of choice is the Windows Operating System (OS). A deep understanding of its inner workings ensures you have the knowledge and skill to triage and assess systems that are potentially compromised. Dive into the process of remote management, forensic triage, and operational security.

• Deep dive into the Windows operating system
• Understand key components like processes, threads, memory, I/O, DLLs, drivers, and registry
• Be able to perform complete triage of the Windows operating system, binaries, and services
• Perform complete triage of compromised Windows systems and identify indicators of compromise

We will discuss what threat intelligence is and how it is collected, analyzed, and compiled into useful information. You will learn how to gain insight on threat actor behavior with the goal of learning how to predict and prevent malicious activity based on attack patterns.

• Be able to explain what threat intelligence is and isn’t
• Be able to use tools such as MISP and FireEye intelligence reports to gather threat actor data
• Disclose an indicator of compromise in a threat intelligence sharing platform
• Succinctly research and deliver a threat intelligence report on a real-world adversary
• Be able to describe and summarize what a threat actor is and suggest solutions to prevent attacks based on their previous patterns

Gain a solid footing with the Linux operating system and gain proficiency in how to operate it. You’ll learn how to navigate the operating system, manage applications, and manage permissions. Next, you’ll learn how to triage a Linux system, looking for common indicators of compromise.

• Be able to navigate Linux and understand the fundamentals of the operating system
• Be able to manage applications, users, and group permissions
• Be able to triage and hunt for indicators of compromise on a Linux system
• Additionally: you should be able to apply many of these concepts to vulnerable systems like HackTheBox and VulnHub, hunting for misconfigurations or breadcrumbs

Build upon your skills in Linux by learning how adversaries exploit vulnerabilities to gain unauthorized access to systems, bypass common access controls, and maintain a form of persistence. Finally, you’ll learn how to use Command and Control (C2) frameworks like known adversaries.

• Learn how to perform external and local endpoint enumeration
• Learn how threat actors perform their attacks by performing exploits yourself
• Gain working knowledge of exploit frameworks like Metasploit and their purpose
• Perform attacks like SQL injection and remote code execution
• Create malicious shellcode and exploit web servers
• Maintain persistence and perform lateral movement
• Learn how to bypass AMSI
• Use C2 frameworks like Covenant

Forensics are the historians of our digital networks. They reconstruct and provide insights on events and activity within a temporal context. Extract vital clues and indicators to improve intelligence, scope a breach, or assist in an ongoing incident.

• Learn the concepts of forensic collection for both network and endpoint use-cases
• Analyze and extract indicators and evidence from network traffic
• Collect and parse volatile memory from a compromised system
• Compare and contrast the benefit and visibility provided by Windows forensic triage to uncover and identify malicious activity

Delve into analyzing and the reverse engineering of malicious binaries and files to understand the capabilities, goals, and objectives of our adversaries. Identify and extract key indicators of compromise to be used in your analysis and scoping of the breach.

• Learn the difference between static and dynamic malware analysis
• Practice dumping strings from a binary to look for clues
• Learn what Obfuscation means and how it pertains to malware
• Practice de-obfuscating messages to uncover hidden messages
• Familiarize yourself with reverse engineering and how code becomes a program

It’s a matter of when, not if a network will be compromised. Using that mantra while being empowered with the latest threat intelligence and knowledge of adversary tactics, you'll search for the persistent network threat hiding in your network. The culmination of your experience and skill are brought to bear on your network to hunt for adversaries within.

• Understand the concept of threat hunting and what it means for an organization.
• Identify, hypothesize, and plan a threat hunting engagement.
• Learn and apply the methods to operationalize the MITRE ATT&CK framework to support threat hunting activities

The application of knowledge and skill to a problem is just the begining to identifying a solution. Development and refinement of a process will make our tasks more streamlined and repeatable. This module will focus on contextual triage scenarios to assist in defining and refining our triage process.

• Triage and report on diverse incidents within the network
• Analyze logs, OS, binary, and network traffic
• Identify and report on IOCs and MITRE ATT&CK adversary techniques

Understand the benefits and challenges of using the cloud and what we can do to harden, detect, and respond to security events in our cloud deployments. Evaluate and remediate misconfigured cloud accounts and resources to ensure business data, systems, and records are protected.

This module is marked as a bonus in learning content for additional content to those interested in pursuing further cloud focused security positions, and does not encompass any testing material in our CDCP certification.

• Learn about Amazon Web Services, common services, and administering virtualized cloud resources
• Learn the foundations of web application security and conduct a practical assessment of a web application
• Create and audit an AWS cloud account for misconfigurations and known vulnerabilities