There is a common problem in technology education: many skills require so much prior knowledge that it is difficult to know where to even begin teaching a skill or concept. These nested prerequisites pile up quickly and can make training overwhelming for the student. The CVA/H Operator Course solves this problem by teaching Network Security Monitoring (NSM) in a simple way that builds incrementally. The first days lay the common groundwork, and each later concept builds directly on the one before it.
Each day in the course is designed to be as practical and engaging as possible. Students are provided with an individual system to encourage usage of the platforms throughout the course content.
You will start with a discussion of foundational skills and process models, which provides a big-picture roadmap and the skills needed to put it all together. The remainder of the course digs into the individual topics, each building upon the last.
This is a lab-intensive course. After a discussion of each topic, you will apply the new knowledge to a provided data sample, followed by a class discussion of what worked and what didn’t.
The course ends with a 2-day guided hunt capstone containing multiple scenarios that will engage the newly learned skills to find the adversary in the traffic. Each scenario will increase in difficulty to keep the challenge coming.
Throughout the entire course, the Operator will learn and hone individual tasks, but the course also focuses on team-based operations to teach Operators how to function as a CVA/H team.
This course is for CVA/H Operators who need to work as part of a team to analyze data and find evil lurking in their network as part of a machine-assisted, human-driven operation.
10 Days | 8 hours per day
There are no prerequisites for this course.
Mac, Linux, or Windows
A modern web browser
An OpenSSH-compatible secure-shell client
This introductory course is designed to equip a student with basic survival skills for the Linux command line. It is not intended to make them an expert, but rather familiarize them enough that Linux isn’t a barrier to their success.
File System Layout (w/ lab)
Using Vim (w/ lab)
Viewing Logs (w/ lab)
Package Management (w/ lab)
Working With Services (w/ lab)
SELinux Basics (w/ lab)
Linux Administrative Skills (w/ lab)
The Bro Protocol Analyzer
An understanding of Bro is a foundational skill for anyone who wishes to use the CVA/H platform. This course is designed to take an operator or analyst who has never used Bro and bring them up to speed with its capabilities.
What is Bro?
Bro Project History
Bro vs. Wireshark (w/ lab)
Analyzing a packet capture (w/ lab)
Running Bro from the Command Line (w/ lab)
ASCII Logs Overview (w/ lab)
Filtering and Sorting Data (w/ lab)
Capture the Flag (w/ lab)
The Elastic Stack
Elastic is a data company whose products are integral to CVA/H. This course will provide an overview of the products offered and an introduction to using the three primary products, commonly known as the Elastic Stack.
Elastic Company Overview
Elasticsearch (w/ lab)
Logstash (w/ lab)
Kibana (w/ lab)
Beats (w/ lab)
Data Transformation with Logstash
This course will cover what a data processing pipeline is, how it is used, and how Logstash is used in the CVA/H platform. This module includes labs that progress in complexity in order to provide maximum understanding of what is happening in the CVA/H pipeline.
How does Logstash fit into data flow?
ETL Model / History
Mutating and Shipping (w/ lab)
Building Data Pipelines (w/ lab): build several pipelines
Active On Network Operations
While a “passive first” approach is preferred when responding in a contested environment, there comes a time when defenders must interact with the environment through active response actions. This module will discuss how to perform active on-network operations.
Performing Active Operations
Asset Enumeration with NMAP (w/ lab)
File Collection and Retrieval (w/ lab)
This course will introduce operators to doing fine-grained packet analysis and filtering and then address strategies to analyze packets at scale using Moloch.
Packet analysis overview
Berkeley Packet Filters (w/ lab)
Moloch (w/ lab)
Intrusion Detection Systems
This course will introduce operators to the leading IDS, Suricata, and cover when and how to employ an IDS to support hunt operations.
Intrusion Detection Systems Overview
Humans over Hardware
Anatomy of a Signature
Signature Writing (w/ lab)
Suricata vs. Snort
IDS and Kibana dashboards (w/ lab)
Kibana for Operators
This course builds on the Kibana training from the Foundations track and teaches operators how to use Kibana to support them in their hunting.
Building Dashboards to Visualize Anomalies (w/ lab)
Security Beats and their dashboards: osquery and NetFlow (w/ lab)
Using Graph to Find The Enemy Footprint (w/ lab)
Using Machine Learning for Hunting (w/ lab)
Leverage Alerting for Automation Actions (w/ lab)
Day 9 & 10
This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.
Selecting the Right Tool
When to Dig Deeper
Incident Response operations
Challenge: Find the Beacons (beginner)
Challenge: Find the Beacons (advanced)
Challenge: Enemy Objectives
Challenge: Applying the Kill Chain
Challenge: Full-Spectrum Adversary Detection