This instructor-led course is designed for operators who serve, or are interested in serving, as the “human-in-the-loop” for a suite of cybersecurity tools. The course focuses primarily on best-of-breed open source security tools, but the knowledge gained aims to be tool-agnostic.
You will start with a discussion of operations process models, to provide a big picture roadmap of putting it all together. The remainder of the course will dig into the individual topics, each building upon the last.
This is a lab-intensive course. After a discussion of each topic, you will apply the new knowledge to a provided data sample, followed by a class discussion of what worked and what didn’t.
The course ends with a 2-day guided hunt capstone containing multiple scenarios that will engage the newly learned skills to find the adversary in the traffic. Each scenario will increase in difficulty to keep the challenge coming.
Cybersecurity operators who need to work as part of a team to analyze data to find evil lurking in their network as part of a machine-assisted, human-driven operation.
5 Days | 8 hours per day
While there are no prerequisites for this course, completion of the Perched Foundation course is highly recommended.
Mac, Linux, or Windows
A modern web browser
An OpenSSH-compatible secure-shell client
Introduction to Packet Analysis
This course will introduce operators to doing fine-grained packet analysis and filtering and then address strategies to analyze packets at scale using Google Stenographer.
Packet analysis overview
Berkeley Packet Filters (w/ lab)
Stenographer (w/ lab)
Docket (w/ lab)
This course builds on the Introduction to Bro course from the Foundations track and teaches operators how to use Bro for hunting.
Bro Scripting Overview
Bro Event Engine
Intel Framework (w/ lab)
Files Framework (w/ lab)
Day 3 & 4
Intrusion Detection Systems
This course will cover what message queuing is all about, how it is used, and why Kafka was chosen for ROCK. This is not a lab-intensive course; it is designed to provide an overview of what is happening in the background with RockNSM.
Intrusion Detection Systems Overview
Humans over Hardware
Anatomy of a Signature
Signature Writing (w/ lab)
Suricata vs. Snort
IDS and Kibana dashboards (w/ lab)
Kibana for Operators
This course builds on the Kibana training from the Foundations track and teaches operators how to use Kibana to support them in their hunting.
Building Dashboards to Visualize Anomalies (w/ lab)
Security Beats and their dashboards: osquery and NetFlow (w/ lab)
Using Graph to Find The Enemy Footprint (w/ lab)
Using Machine Learning for Hunting (w/ lab)
Leverage Alerting for Automation Actions (w/ lab)
This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.
Selecting the Right Tool
When to Dig Deeper
Incident Response operations
Challenge: Find the Beacons (beginner)
Challenge: Find the Beacons (advanced)
Challenge: Enemy Objectives
Challenge: Applying the Kill Chain
Challenge: Full-Spectrum Adversary Detection