You’ve been hacked, or even only suspect you’ve been hacked. Now what?

Labs in this category guide you through approaches to addressing and managing the aftermath of an attack or security breach. You’ll get to experience actual attacks, within a controlled environment, so that the first time you see ransomware isn’t on your critical systems.

The labs in this category focus on the technical aspects of incident response, mitigation, and recovery, rather than on site-specific organizational policies or procedures.

Questions about which lab is right for you? Contact info@cyrintraining.com.

This lab teaches three different Denial of Service (DoS) attacks and techniques to mitigate them:

  1. A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol: the server must hold state for every half-open connection, so a stream of SYNs (often from spoofed sources) that never complete the handshake exhausts its connection table,
  2. A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work, holding many connections open with deliberately incomplete requests so that legitimate clients cannot get a connection slot, and
  3. A DNS amplification attack that exploits misconfigured DNS servers (open resolvers that answer queries from any source), of which there are plenty on the Internet: small queries with a spoofed source address produce much larger responses aimed at the victim.

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.), networking concepts (TCP/IP, DNS, etc.), and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Incident Response Package
  • Introduction to Cybersecurity Lab Package
  • Introduction to Network Security Lab Package
  • Target Developer 1
  • Security Architect
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Systems Architecture NICE Specialty Area Package
  • Network Services NICE Specialty Area Package
  • Cyber Defense Infrastructure Support NICE Specialty Area Package
  • Incident Response NICE Specialty Area Package
Educational Lab

Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is "normal" or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.

Prerequisites

Basic familiarity with TCP/IP networking (advanced knowledge not required) and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Essential Tools for Cybersecurity
  • Essential Tools for Network Engineering
  • Incident Response Package
  • Introduction to Network Security Lab Package
  • Intrusion Detection and Prevention Lab Package
  • Cyber Defense Analyst 1
  • Vulnerability Assessment Analyst 1
  • Cyber Defense Forensics Analyst 1
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Cyber Defense Infrastructure Support NICE Specialty Area Package
  • Incident Response NICE Specialty Area Package
  • Cyber Operations NICE Specialty Area Package
Educational Lab

Build on what you learned in Protocol Analysis I, this time using command-line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data on server systems and then process it later on graphical security operations workstations.
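The header-field filtering this lab practices and the SYN Flood covered in the Denial of Service lab above meet in a single check. The following is an added example, not code from CYRIN or from either lab: it builds a few IPv4/TCP packets from constructed values, parses the same fields a tcpdump filter such as tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn tests, and applies a simple flood heuristic (many bare SYNs to one service, spread over many sources, almost none of which ever send the handshake's final ACK). The server address, thresholds, and sample traffic are assumptions chosen for illustration.

```python
import struct
from collections import Counter

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4 + TCP packet (no options, zero checksums).
    Used only to construct sample input; real captures come from tcpdump."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(pkt):
    """Return the header fields a filter would test, or None if not IPv4/TCP."""
    vihl = pkt[0]
    if vihl >> 4 != 4 or pkt[9] != 6:          # version nibble, protocol byte
        return None
    ihl = (vihl & 0x0F) * 4                     # IP header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, offres, flags = struct.unpack_from("!HHIIBB", pkt, ihl)
    doff = (offres >> 4) * 4                    # TCP data offset in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload_len": len(pkt) - ihl - doff}


def is_bare_syn(fields):
    # Same test as tcpdump's 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
    return fields["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN


def syn_flood_indicators(packets, server, port, min_syns=10, max_completion=0.2):
    """Heuristic (assumed thresholds): flag a flood when the service sees at
    least min_syns bare SYNs and only a small fraction of the SYN sources ever
    send a plain ACK, i.e. almost no handshakes complete."""
    syn_sources = Counter()
    ack_sources = set()
    for raw in packets:
        f = parse_ipv4_tcp(raw)
        if f is None or f["dst"] != server or f["dport"] != port:
            continue
        if is_bare_syn(f):
            syn_sources[f["src"]] += 1
        elif f["flags"] & TCP_ACK and not f["flags"] & TCP_SYN:
            ack_sources.add(f["src"])
    total_syns = sum(syn_sources.values())
    if total_syns == 0:
        return {"suspicious": False, "syns": 0, "sources": 0, "completion": 1.0}
    completed = sum(1 for s in syn_sources if s in ack_sources)
    completion = completed / len(syn_sources)
    return {"suspicious": total_syns >= min_syns and completion <= max_completion,
            "syns": total_syns, "sources": len(syn_sources), "completion": completion}


# Constructed sample traffic (assumed addresses, not taken from the lab).
SERVER, PORT = "10.0.0.5", 80


def normal_traffic():
    """One legitimate client completing the handshake and sending a request."""
    c = "10.0.0.20"
    return [build_ipv4_tcp(c, SERVER, 40000, PORT, TCP_SYN),
            build_ipv4_tcp(SERVER, c, PORT, 40000, TCP_SYN | TCP_ACK),
            build_ipv4_tcp(c, SERVER, 40000, PORT, TCP_ACK),
            build_ipv4_tcp(c, SERVER, 40000, PORT, TCP_PSH | TCP_ACK,
                           b"GET / HTTP/1.0\r\n\r\n")]


def flood_traffic(n=50):
    """n bare SYNs from n spoofed sources that never answer the SYN-ACK."""
    return [build_ipv4_tcp(f"198.51.100.{i}", SERVER, 1024 + i, PORT, TCP_SYN)
            for i in range(1, n + 1)]


if __name__ == "__main__":
    print("normal only:", syn_flood_indicators(normal_traffic(), SERVER, PORT))
    print("with flood: ", syn_flood_indicators(normal_traffic() + flood_traffic(), SERVER, PORT))
```

On a real capture, read the frames with a pcap library and strip the Ethernet header before calling parse_ipv4_tcp; the completion ratio is the useful signal, since a busy but healthy server also sees many SYNs.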

Prerequisites

The Protocol Analysis I lab or equivalent knowledge of Wireshark and TCP/IP packet capture. Familiarity with how to use the command line in Linux/Unix systems.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Incident Response Package
  • Cyber Defense Analyst 1
  • Vulnerability Assessment Analyst 1
  • Cyber Defense Forensics Analyst 1
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Incident Response NICE Specialty Area Package
  • Cyber Operations NICE Specialty Area Package
Educational Lab

Students will learn to use the Cuckoo sandbox to determine whether an executable or document is potential malware. If the executable is packed (compressed or obfuscated so that its real code only appears in memory at run time), they will learn to use a debugger to unpack it.

Prerequisites

Basic knowledge of computer architecture and assembly language, and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: CYRIN Enterprise Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Incident Response Package
  • Intrusion Detection and Prevention Lab Package
  • Cyber Defense Forensics Analyst 2
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Incident Responder
  • Incident Response NICE Specialty Area Package
  • Exploitation Analysis 2 NICE Specialty Area Package
  • Digital Forensics NICE Specialty Area Package
Educational Lab

Get valuable experience extracting data from network packet captures! Students will use Wireshark® to analyze network packet traces containing normal network traffic and active attacks. Detailed information will be extracted from the traces by examining packets and by using Wireshark's built-in analysis and PCAP-manipulation tools.

Prerequisites

Knowledge of the internals of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The CYRIN Protocol Analysis labs will help you meet these prerequisites.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Attack, Defense, and System Administration Exercises Package
  • Cyber Defense Analyst 2
  • Vulnerability Assessment Analyst 2
  • Cyber Defense Forensics Analyst 1
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Incident Responder
  • Cyber Operations NICE Specialty Area Package
  • Incident Response Package
Live Exercise

Examine packet captures from actual intrusions and dive deeper into how attackers operate! Students will learn the details of protocols such as SMB and SSH by examining network traffic captures in Wireshark®, then will proceed to build network packets "by hand" in order to tunnel secret data in normal-looking traffic. Finally, students will learn the details of "web shell" payloads commonly used by attackers.

Prerequisites

Detailed knowledge of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The CYRIN Packet Capture Analysis and Manipulation exercise is recommended before starting this exercise.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Attack, Defense, and System Administration Exercises Package
  • Cyber Defense Analyst 2
  • Vulnerability Assessment Analyst 2
  • Cyber Defense Forensics Analyst 2
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 2
  • Exploitation Analysis 2 NICE Specialty Area Package
  • Cyber Operations NICE Specialty Area Package
  • Digital Forensics NICE Specialty Area Package
  • Incident Response Package
Live Exercise

Continue your exploration into malware's behavior on the network! Students will analyze network captures containing real, malicious network traffic, both by hand and using tools such as Security Onion and Sguil. Both malware spreading methods and command and control operations will be explored. In addition, students will create web shell payloads of their own to see how they operate from the inside.

Prerequisites

Detailed knowledge of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The CYRIN Intrusion Analysis using Network Traffic exercise is recommended before starting this exercise.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Attack, Defense, and System Administration Exercises Package
  • Cyber Defense Analyst 2
  • Vulnerability Assessment Analyst 2
  • Cyber Defense Forensics Analyst 2
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 2
  • Exploitation Analysis 2 NICE Specialty Area Package
  • Cyber Operations NICE Specialty Area Package
  • Digital Forensics NICE Specialty Area Package
  • Incident Response Package
Live Exercise