Students play the role of a network security administrator of an enterprise. They are told that a host on the Internet has been persistently scanning their network.

They will use an Incident Response Rack with intrusion detection systems and log analysis tools to determine:

  1. The service being targeted by the attacker.
  2. If the attackers succeeds in finding and exploiting a vulnerability in this service.

Finally, they must block the attacker from the network.

After the attack is blocked, students will learn to exploit the vulnerability in the service.

Prerequisites

  1. Create/edit pfSense firewall rules.
  2. Set up port mirroring (span ports) in pfSense.
  3. Create Suricata IDS alerts.
  4. Analyze information displayed on a Kibana dashboard.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Training Package

In this exercise, the student plays the role of a security admin of an enterprise network. They are asked to investigate a potential malware-based attack.

The student is told that an intrusion detection system has seen periodic outgoing connections from a computer within the enterprise network to a computer on the Internet. The student must block the outgoing traffic, determine the computer from which the traffic is originating, find the malware on that computer, examine it to see what information is being sent out, and stop the attack.

Prerequisites

  • Familiarity with the Linux/UNIX command line (shell commands)
  • Basics of the TCP/IP network protocol stack
  • Exposure to tools such tcpdump
  • Some knowledge of administering a pfSense firewall including editing rules and viewing logs

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Training Package