10151137 Incident Response
Course Information
Description
Provides an overview of the tools and techniques commonly used for detecting threats to an enterprise infrastructure. Implement strategies for documenting and reporting detected events based on industry-standard compliance frameworks. We will use the Security Onion distribution. Tools include Elasticsearch, Logstash, Kibana (ELK), Wazuh, Suricata, Zeek, Wireshark, and tcpdump.
Total Credits
3

Course Competencies
  1. Analyze how different fields are applied in various network flows/sessions
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Filter/Analyze traffic using Berkeley Packet Filters in tcpdump
    Filter/Analyze traffic using Wireshark Display Filters
    Reconstruct/Analyze data flows using Wireshark

  2. Investigate interesting traffic to identify possible anomalies
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze basic protocols to distinguish normal from abnormal behavior
    Analyze abnormalities that common exploits display and explain how they differ from normal traffic
    Analyze complex protocol interactions and demonstrate how these can be used to identify an attack

  3. Develop custom rules and filters to match different patterns of potential malicious traffic
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze current network traffic and construct basic Suricata signatures
    Analyze current network traffic and construct basic Bro/Zeek scripts
    Analyze current network traffic and construct basic ElasticAlerts

  4. Correlate suspicious network events to matching system log activity
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze the relationship between network anomalies and a resulting log entry using Kibana/OSSEC/Wazuh
    Differentiate a malicious from a benign network anomaly

  5. Correlate current traffic flow and log patterns against historical baselines
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze how basic normal user interactions with a system are reflected in logs using Wazuh/OSSEC
    Evaluate and contrast abnormal interactions with normal within system logs using Wazuh/OSSEC

  6. Produce security incident documentation
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Basic report describes an incident based on information obtained using Kibana and other related tools
    The incident report should contain an incident overview, incident details, an incident timeline, and any recommended remediation actions

  7. Apply threat hunting tools and techniques to basic business processes and topologies
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze concentration points to determine the best location to collect network packet and flow data using Security Onion
    Configure syslog forwarding from network devices to aggregate logs using Wazuh, OSSEC, and Logstash

  8. Analyze the impact of industry compliance frameworks within a given business environment
    Assessment Strategies
    Lab assignment, skill demonstration
    Criteria
    Analyze how Incident Response tools and techniques relate to compliance and regulatory frameworks
    Use event and log monitoring in Kibana to confirm adherence to a framework, using the Cyber Security Maturity Model (CMMC) framework as a reference