Cyber Core Operations™ (CCO™)
CYBER OPERATIONS PREP (COP)
This is an intense, hands-on course designed to take students through a wide variety of topics relevant to operationally-focused cyber missions within the offensive and defensive arenas. Students will receive highly technical and mission relevant training needed to significantly minimize the burden of on-the-job training required to immediately impact operations. This 4-week course focuses heavily on the TCP/IP stack, deep-packet analysis, network forensics, Windows and *NIX system operator fundamentals, malware triage and the post-compromise forensics of remote targets. Extensive analysis is conducted throughout each stage of the network attack methodology to include packet capturing and inspection, analyzing logs, deep dive examination of the compromised machine. During the last week students will learn how to build custom scripts to perform host surveys on a target system to help identify traces of compromise on the system. Skills learned during the week are evaluated each week on the final day with a hands-on culmination exercise, challenging the students to apply those skills and validate their knowledge.
Cyber Protection Professional™ (CPP™)
This two-week course is focused on the methodologies and processes used by professional "Blue" teams in corporate and government spaces. Instructors use open-source tools to teach students methodologies of securing a network and its hosts. Students will learn the necessary skills to successfully identify: the customer's network, tools required and allowed, mission scope & key terrain, then map the network, and its hosts. They will learn to protect: verifying base-lines, check configurations, evaluate A/V & IDS systems. Student will detect: perform host based assessments, finding vulnerabilities and anomalies, helping the customer with continuous integrity monitoring. They will respond: develop and implement an incident response plan, suggest better sensor placements, help with log correlation, coordinate response activities, develop and apply risk mitigation response. Finally students will recover: developing a recovery plan and making final recommendations to their customers. Their final recommendations will take into account system hardening techniques, priority lists, and risk mitigation. Each of the segments will cover network devices, Unix and Windows Operating Systems and policy.
Cyber Threat Emulation Professional™ (CTEP™)
ADVERSARIAL THREAT MODELING AND EMULATION
The Adversarial Threat Modeling and Emulation course is an intense, hands-on course that takes students through each stage of offensive operations methodologies using tradecraft, stealth and detection avoidance as the key principals. Students will gain proficiency with open-source penetration tools and learn techniques in vulnerability scanning, remote and client-side exploitation, and advanced post-exploitation techniques targeting both Windows and UNIX based operating systems. Students will utilize a wide range of advanced exploitation techniques to gain remote execution on multiple platforms ranging from Ubuntu to Windows 10. The course culminates with a comprehensive, challenging Capture-the-Flag competition. The exercise is a scenario-based challenge that engages the students in a friendly competition between two teams to capture multiple flags implanted throughout the network and solve various challenges and tasks. Techniques used will cover the gamut from scanning, network exploitation, and backdoor installation to artifact recovery and forensics.
WIRELESS EXPLOITATION AND ATTACK
Wireless Exploitation and Attack is an intense, hands-on course that takes students through the most common and current techniques for gaining access to a wireless network. Students will gain proficiency with open-source wireless attack tools and methodology. Subject matter includes everything from learning the foundations of 802.11 technology to the most advanced ways to circumvent wireless defense practices. Each student will learn the latest exploits and use the most effective tools to perform such techniques as secure man-in-the-middle attacks through wireless hotspot impersonations, exploiting weaknesses in Wi-Fi Protected Setup, and how to correctly secure networks using properly configured enterprise grade authentication.
POWERSHELL FOR RED TEAMING
The PowerShell for Red Teaming Course (PoRT) is based on the methodologies and processes used by professional government and corporate penetration testers, but with a strong emphasis on utilizing Windows PowerShell to leverage the .NET framework and Windows Management Instrumentation. PoRT focuses on scanning, host enumeration, remote and local exploitation, as well as tool building and scripting, with an emphasis on avoiding detection by users or security products. Students will be exposed to and learn penetration testing using advanced persistent threat techniques. PoRT covers a wide range of tactics, including clientside exploitation, process analysis, redirection and tunneling, as well as maintaining persistent presence on a target. The course is very hands on, with each section being reinforced with multiple labs, and concludes with a culmination exercise to test the skills the students have learned.
CYBER THREAT EMULATION
The Cyber Threat Emulation Course is focused on the methodologies and processes used by professional “Red” teams in government and corporate spaces. CTE was developed around the behaviors and techniques used by malicious network attackers, while maintaining focus on professional testing, ensuring the integrity and security of information assets. CTE focuses on information gathering, scanning and service enumeration, mapping, remote and local exploitation and reporting. Students will be exposed to and learn advanced penetration testing using advanced persistent threat techniques. CTE perfects the skills needed to effectively identify protection and mitigation strategies and optimize security controls appropriate for the organization.
Discovery and Counter-Infiltration Professional™ (DCIP™)
Reverse Engineering Malware
Students will be taught the fundamentals of malicious code analysis beginning with the configuration of a malware analysis lab in order to gain an understanding of the components of a malware analysis toolbox and to discover each component that contributes to either behavioral or code analysis techniques. In most instances, one is unlikely to have the source code to a piece of malware. To understand malicious code at its core, students will use a disassembler to decompose, execute, and trace each step of the program. Students will then learn how to patch the executable and change its behavior for a more advantageous outcome. Malware analysis is not just about tracing code, but also about understanding the effect on its environment. Hands-on exercises are used throughout the course to examine the effects of various types of malware that run natively on a Windows platform, such as botnets and rootkits. Students will trace back the infection and identify the initial vulnerability that was used to exploit and implant the malware within the system. Students will be challenged to analyze the entirety of an event. Using behavior analysis techniques, Students will be able to not only create signatures based off the malicious code, but also develop techniques to discover and prevent this type of malicious code in their own networks.
Malware Analysis and Threat Assessment
This 5-day course will cover the basic of malware analysis from both static and behavioral perspectives. Students will learn to identify, hash, retrieve, and determine what threats and capabilities the malware presents on target hosts.
CNO ATTACK AND DEFEND
This rigorous, hands-on course is designed to take students through a wide variety of topics relevant to operationally-focused cyber missions within the offensive and defensive arena. This
course focuses heavily on deep packet inspection, statistical flow record analysis, post-exploitation forensics, intrusion detection, network tunneling, and malware network behavior. Extensive network analysis is conducted throughout each stage of the hacker methodology to include packet capturing of scanning, service enumeration, exploitation, man-in-the-middle techniques, and
tunneling. Deep packet inspection is performed on the newest remote and client-side exploits and C&C communications. Forensic analysis using IDS logging and network signatures are used to find, preserve, and extract evidence of intrusion. Students will gain an extensive understanding of each packet transmitted on the wire from the very first scan, up to and after successful (or unsuccessful) compromise of the remote system using a variety of tools to include but not limited to Wireshark, Snort, BRO, Security Onion, and Metasploit. During the course, students will learn exploitation skills, both remote and client-side attacks, through extensive hands on exercises. A 2-day intense culmination exercise designed to replicate real-world operational challenges in both offensive and defensive space reinforces topics taught throughout the course.
DISCOVERY & COUNTER INFILTRATION
This course is focused on the methodologies and processes used by professional "Hunt" teams in corporate and government spaces. Instructors, with multiple years of Hunt experience, use open-source tools to teach students the necessary skills to successfully identify malicious behavior not caught by traditional security products. Students will set up security products and use analytic tools on a mock network to ensure they understand the capabilities of traditional security measures, as well as the gaps. Students will learn how to implement signatures and analyze heuristics to identify anomalous behavior. They will provide written reports for each behavior they identify and build actor profiles based off their findings. They will use timeline analysis and log analysis to map out the incident. Using incident response techniques, they will take the data collected and implement real-time solutions to the customer while providing risk management analysis to help protect networks in the future.
Cyber Development Professional™ (CDP™)
PYTHON FOR EXPLOITERS
The Python for Exploiters Course challenges students to implement their own custom attack frameworks for use during penetration testing and other activities. Students will no longer need to rely on a framework written and designed by someone else during assignments, they will use a tool that they created, free of known and compromising signatures. By leveraging what they have learned in the past with Python and new concepts introduced in the course, students will design and develop a framework that is both extensible and easy to use. During this 5 day course, students will be given a sample framework which will act as a template for their own platform. Each module in the course will allow students to build upon and customize their platform while learning to convert and import new tactics and techniques. The topics covered range from simple scanners to custom browser exploitation to privilege escalation, all built into a custom framework. On the final day of the course, students will be challenged to use this newly created attack platform in a live assessment, including designing and developing new features on-the-fly to handle new challenges within the assessment range. By the end of the course, students will walk away with a framework they can use on future assessments and continue to build upon.
The Python Programming Course is a concentrated, hands-on course that arms students with the skills and knowledge to leverage the Python programming language in everyday computer network operations. Students will start at the beginning with Python, no assumptions are made on prior skill level, and work towards becoming proficient in the language both in reading source code and designing and developing their own applications. The course uses real-world techniques within each of the modules, demonstrating how Python can be leveraged in each scenario to help improve success and efficiency. Topics range from creating your own password cracking tool to setting up client-server applications, all within 5 days. On the final day of the course, students will be challenged with a multi-level culmination exercise, helping to reinforce the skills gained during the week and acquire new skills as well. This culmination exercise will not only test the students understanding of the Python language, but will also help demonstrate the different areas within network operations that Python can be useful. Students will be required to think creatively to get through this challenge.
CNO DEVELOPERS CAPABILITIES
This is an intense, hands-on course designed to take students through the steps needed to develop their own exploits on both Windows and Unix-based operating systems. The course begins with an overview of Python, which is used to develop and deliver most of the exploits. After, students create custom shellcode in Assembly Language, learning how to properly groom the registers and stack for execution. Students create custom exploits against applications, learning to how to fuzz the applications’ inputs to find vulnerabilities and successfully execute arbitrary code on the system. Students learn about the protections used by systems and compilers to block successful exploitation, and how these protections can be subverted. On the last day students are challenged with a culmination exercise that takes them through all of the attacker steps from getting onto a remote machine via a web vulnerability to using a buffer overflow to gain root access. The course teaches these skills by walking the students through the development of all the necessary tools from scratch - it does not rely on Metasploit or any other exploit framework.