• Introduction to Cloud Computing
• Introduction & Cloud Architecture
• Cloud Essential Characteristics
• Cloud Service Models
• Cloud Deployment Models
• Shared Responsibilities

• Module Intro
• Intro to Infrastructure Security for Cloud Computing
• Software Defined Networks
• Cloud Network Security
• Securing Compute Workloads
• Management Plane Security
• BCDR

• Module Intro
• Intro to Infrastructure Security for Cloud Computing
• Software Defined Networks
• Cloud Network Security
• Securing Compute Workloads
• Management Plane Security
• BCDR

• Module Introduction
• Cloud Data Storage
• Securing Data In The Cloud
• Encryption For IaaS
• Encryption For PaaS & SaaS
• Encryption Key Management
• Other Data Security Options
• Data Security Lifecycle

• Module Introduction
• Secure Software Development Life Cycle (SSDLC)
• Testing & Assessment
• DevOps
• Secure Operations
• Identity & Access Management Definitions
• IAM Standards
• IAM In Practice

• Module Introduction
• Selecting A Cloud Provider
• SECaaS Fundamentals
• SECaaS Categories
• Incident Response
• Domain 14 Considerations
• CCSK Exam Preparation

• Core Account Security
• IAM and Monitoring In-Depth
• Network and Instance Security
• Encryption and Storage Security
• Application Security and Federation
• Risk and Provider Assessment

• Building a successful SOC
• Functions of SOC
• Heart of SOC- SIEM
• Gartner’s magic quadrant
• SIEM guidelines and architecture

ELK Stack:

• Introduction and an overview of Elastic SIEM
• User interface
• How to as a part of alert investigations or interactive threat hunting
• MDR vs. Traditional SIEM; and other various solutions
• Elastic search: Understanding of Architecture, curator fundamentals
• Index template for routing, mapping
• KIBANA: Configuration, policies, visualization
• Deep-dive of Log architecture, parsing, alerts

SecurityOnion

• What is Security Onion?
• Monitoring and analysis tools
• Security Onion Architecture
• Deployment types
• Installing a Standalone server: checking system services with sostat, security onion with web browser tools, security onion terminal
• Replaying traffic on a standalone server

Splunk In-Depth

• Industrial requirements of Splunk in various fields
• Splunk terminologies, search processing language, and various industry use cases AlienVault OSSIM fundamentals
• AlienVault fundamentals and architecturedeployment
• Vulnerability scanning & monitoring with OSSIM

Introduction to QRadar

• IBM QRadar SIEM component architecture and data flows
• Using the QRadar SIEM User Interface

Fun with logs

• Working with offense triggered by events
• Working with offense triggered by flows

Monitoring

• Monitor QRadar Notifications and error messages.
• Monitor QRadar performance
• Review and interpret system monitoring dashboards.
• Investigate suspected attacks and policy breaches
• Search, filter, group, and analyze security data

Tools exposure provided in the above section:

• SecurityOnion
• ELK Stack
• SGUILD
• Wireshark
• Splunk
• AlienVault OSSIM
• IBM Qradar CE

• Section Introduction
• What is Digital Forensics?
• Collecting evidence typically related to cybercrime
• Digital Subject Access Requests
• Computer Forensics Process
• Identification, Preservation, collection, examination, analysis, reporting
• Working with Law Enforcement
• The difference between an internal security issue and one that requires external assistance

2. Forensics Fundamentals Section Introduction

• Introduction to Data Representation hexadecimal, octal, binary files vs. txt files, timestamp formats: UNIX epoch, MAC, Chrome, Windows, FILETIME
• Hard Drive Basics
• Platters, sectors, clusters, slack space
• SSD Drive Basics
• garbage, collection, TRIM, wear leveling
• File Systems
• FAT16, FAT32, NTFS, EXT3/EXT4, HFS+/APFS
• Metadata & File Carving
• Memory, Page File, and Hibernation File
• Order of Volatility

3. Evidence Forms

• Section Introduction
• Volatile Evidence
• Memory RAM, Cache, Registers content, Routing tables, ARP cache, process table,kernel statistics, temporary filesystem/swap space
• Disk Evidence
• Data on Hard Disk or SSD
• Network Evidence
• Remotely Logged Data, Network Connections/Netflow, PCAPs, Proxy logs
• Web & Cloud Evidence
• Cloud storage/backups, chat rooms, forums, social media posts, blog posts
• Evidence Forms
• Laptops, desktops, phones, hard drives, tablets, digital cameras, smartwatches, GPS

4. Chain of Custody

• Section Introduction
• What is the Chain of Custody?
• Why is it Important?
• In regard to evidence integrity and examiner authenticity
• Guide for Following the Chain of Custody
• evidence collection, reporting/documentation, evidence hashing, write-blockers, working on a copy of original evidence

5. Windows Investigations

• Section Introduction
• Artifacts
• Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, schedules tasks, start-up files
• Limitations
• Example Investigations

6. *nix Investigations

• Section Introduction
• Artefacts
• Limitations
• Example Investigations
• Artefact Collection
• Section Introduction
• Equipment
• non-static bags, faraday cage, labels, clean hard drives, forensic workstations,

Disk imagers, hardware write blockers, cabling, blank media, and photographs

• Tools
• Wireshark, Network Miner, and others
• ACPO Principles
• Live Forensics
• Fast acquisition of key files
• How to Collect Evidence
• Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social media posts, chat rooms

• Types of Hard Drive Copies visible data, bit for bit, slackspace

7. Live Forensics

• Section Introduction
• Live Acquisition
• What is a live acquisition/live forensics? Why is it beneficial?
• Products
• Carbon Black, Encase, memory analysis with agents, Custom Scripts
• Potential Consequences
• Damaging or modifying evidence making it invalid

8. Post-Investigation

• Section Introduction
• Report Writing
• Evidence Retention
• Legal retention periods, internal retention periods
• Evidence Destruction
• Overwriting, degaussing, shredding, wiping
• Further Reading

9. Tools exposure provided in the above section:

• Command-LINE for Windows / Linux
• FTK IMAGER
• MAGNATE RAM CAPTURE
• AUTOPSY
• Volatility
• Volatility WorkBench
• ENCASE

• What is Incident Response?
• Why is IR Needed?
• Security Events vs. Security Incidents
• Incident Response Lifecycle – NIST SP 800 61r2
• What is it, why is it used
• Lockheed Martin Cyber Kill Chain
• What is it, why is it used
• MITRE ATT&CK Framework
• What is it, why is it used

2. Preparation

• Incident Response Plans, Policies, and Procedures
• The Need for an IR Team
• Asset Inventory and Risk Assessment to Identify High-Value Assets
• DMZ and Honeypots
• Host Defenses
• HIDS, NIDS
• Antivirus, EDR
• Local Firewall
• User Accounts
• GPO
• Network Defenses
• NIDS
• NIPS
• Proxy
• Firewalls
• NAC
• Email Defenses
• Spam Filter
• Attachment Filter
• Attachment Sandboxing
• Email Tagging
• Physical Defenses
• Deterrents
• Access Controls
• Monitoring Controls
• Human Defenses
• Security Awareness Training
• Security Policies
• Incentives

3. Detection and Analysis

• Common Events and Incidents
• Establishing Baselines and Behavior Profiles
• Central Logging (SIEM Aggregation)
• Analysis (SIEM Correlation)

4. Containment, Eradication, Recovery

• CSIRT and CERT Explained
• What are they, and why are they useful?
• Containment Measures
• Network Isolation, Single VLAN, Powering System(s) Down, Honeypot Lure
• Taking Forensic Images of Affected Hosts
• Linking Back to Digital Forensics Domain
• Identifying and Removing Malicious Artefacts
• Memory and disk analysis to identify artefacts and securely remove them
• Identifying Root Cause and Recovery Measures

5. Lessons Learned

• What Went Well?
• Highlights from the Incident Response
• What could be improved?
• Issues from the Incident Response, and How These Can be addressed
• Important of Documentation
• Creating Runbooks for Future Similar Incidents, Audit Trail
• Metrics and Reporting
• Presenting Data in Metric Form
• Further Reading

6. Tools exposure provided in the above section:

• SYSINTERNAL SUITE
• Hash Calculator
• Online Sources
• CyberChef
• Wireshark
• Network Minor

• Threat Intelligence Explained
• What is TI, why is it used?
• Why Threat Intelligence can be Valuable
• Situational awareness, investigation enrichment, reducing the attack surface
• Criticisms/Limitations of Threat Intelligence
• Attribution issues, reactive nature, old IOCs, false-positive IOCs
• The Future of Threat Intelligence
• Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic risk scores)
• Types of Intelligence
• SIGINT, OSINT, HUMINT, GEOINT

2. Threat Actors

• Common Threat Agents
• Cybercriminals, hacktivists, insider threats, nation-states
• Motivations
• Financial, social, political, other
• Skill Levels/Technical Ability
• Script Kiddies, Hackers, APTs
• Actor Naming Conventions
• Animals, APT numbers, other conventions
• Common Targets
• Industries, governments, organizations

3. Advanced Persistent Threats

• What are APTs?
• What makes an APT? Real-world examples of APTs + their operations
• Motivations for Cyber Operations
• Why APTs do what they do (financial, political, social)
• Tools, Techniques, Tactics
• What do APTs actually do when conducting operations
• Custom Malware/Tools
• Exploring custom tools used by APTs, why they’re used
• Living-off-the-land Techniques
• What LOTL is, why it’s used, why it can be effective

4. Operational Intelligence

• Indicators of Compromise Explained & Examples
• What IOCs are, how they’re generated and shared, using IOCs to feed defenses
• Precursors Explained & Examples
• What precursors are, how they’re different from IOCs, how we monitor them
• TTPs Explained & Examples
• What TTPs are, why they’re important, using to maintain defences (preventative)
• MITRE ATT&CK Framework
• Framework explained and how we map cyber-attacks, real-world example
• Lockheed Martin Cyber Kill Chain
• Framework explained and how we map cyber-attacks, real-world example
• Attribution and its Limitations
• Why attribution is hard, impersonation, sharinginfrastructure, copy-cat attacks

5. Tactical Threat Intelligence

• Threat Exposure Checks Explained
• What TECs are, how to check your environment for the presence of bad IOCs
• Watchlists/IOC Monitoring
• What are watchlists, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
• Public Exposure Assessments
• What PEAs are, how to conduct them, google dorks, harvester, social media
• Open-Web Information Collection
• How OSINT data is scraped, why it’s useful
• Dark-Web Information Collection
• How intel companies scrape dark web intel, why it’s useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
• Malware Information Sharing Platform (MISP)
• What is MISP, why is it used, how to implement MISP

Tools exposure provided in the above section:

• AlienVAULT OTX
• MITRE & ATTACK
• MISP
• Maltego
• ONLINE SOURCES

6. Strategic Threat Intelligence

• Intelligence Sharing and Partnerships
• Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
• IOC/TTP Gathering and Distribution
• Campaign Tracking & Situational Awareness
• Why we track actors, why keeping the team updated is important
• New Intelligence Platforms/Toolkits
• Undertaking proof-of-value demos to assess the feasibility of new tooling
• OSINT vs. Paid-for Sources
• Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter

7. Malware and Global Campaigns

• Types of Malware Used by Threat Actors
• Trojans, RATs, Ransomware, Back- doors, Logic Bombs
• Globally recognized Malware Campaigns
• Emotet, Magecart, IcedID, Sodinikobi, Trickbot, Lokibot

8. Further Reading

• Further Reading Material
• Links to more resources that students may find helpful.

• Building a successful SOC
• Functions of SOC
• Heart of SOC- SIEM
• Gartner’s magic quadrant

• IBM QRadar SIEM component architecture and data flows
• Using the QRadar SIEM User Interface

• Working with offense triggered by events
• Working with offense triggered by flows
• Working with events of an offense

• Monitor QRadar Notifications and error messages.
• Monitor QRadar performance
• Review and interpret system monitoring dashboards.
• Investigate suspected attacks and policy breaches
• Search, filter, group, and analyze security data

• Investigate the vulnerabilities and services of assets
• Investigate events and flows
• Use index management
• Index and Aggregated Data Management
• Use AQL for advanced searches
• Creating Alerts for intrusions
• Explain error messages and notifications.
• Analyze a Real-World Scenario.
• Creating Reports
• Case Studies

• Creating log source types
• Leveraging reference data collections
• Developing custom rules
• Creating Custom Action Scripts
• Developing Anomaly Detection Rules

• OWASP Top 10 Vulnerabilities
• Threat Modelling Principle
• Site Mapping & Web Crawling
• Server & Application Fingerprinting
• Identifying the entry points
• Page enumeration and brute forcing
• Looking for leftovers and backup files

• Authentication scenarios
• User enumeration
• Guessing passwords – Brute force & Dictionary attacks
• Default users/passwords
• Weak password policy
• Direct page requests
• Parameter modification
• Password flaws
• Locking out users
• Lack of SSL at login pages
• Bypassing weak CAPTCHA mechanisms
• Login without SSL

• Web Agent Model
• Preparing for Web Agent installation
• Install the Web Agent
• Unattended installs
• Settings Added to Web Server
• Test the Web Agent
• Troubleshooting
• Unix Installation Review

• Role-based access control (RBAC)
• Authorization bypassing
• Forceful browsing
• Client-side validation attacks
• Insecure direct object reference

• Input validation techniques
• Blacklist VS. Whitelist input validation bypassing
• Encoding attacks
• Directory traversal
• Command injection
• Code injection
• Log injection
• XML injection – XPath Injection | Malicious files | XML Entity
• bomb
• LDAP Injection
• SQL injection
• Common implementation mistakes – authentication
• Bypassing using SQL Injection
• Cross Site Scripting (XSS)
• Reflected VS. Stored XSS
• Special chars – ‘ &<>, empty

• Path traversal
• Canonicalization
• Uploaded files backdoors
• Insecure file extension handling
• Directory listing
• File size
• File type
• Malware upload

• Session management techniques
• Cookie based session management
• Cookie properties
• Cookies – secrets in cookies, tampering
• Exposed session variables
• Missing Attributes – httpOnly, secure
• Session validity after logoff
• Long session timeout
• Session keep alive – enable/disable
• Session id rotation
• Session Fixation
• Cross Site Request Forgery (CSRF) – URL Encoding
• Open redirect

• Web Services Assessment
• Web Service Testing
• OWASP Web Service Specific Testing
• Testing WSDL
• Sql Injection to Root
• LFI and RFI]
• OWASP Top 10 Revamp