Q/CDA® Qualified/ Cyber Defense Analyst Certification Class & Exam

What You Will Learn 5 hrs Lecture  35 hr Labs:
The mission of the CND class is to train the network defender on basic to advanced security concepts and techniques used to detect, recognize, identify, and mitigate network threats and vulnerabilities and how to report them.

Lesson 1 2 hr lecture 7 hr Labs
1) Core Skills summary (like the Q/EH)

• Privilege Escalation
• Reconnaissance
• Scanning
• Enumeration
• Sniffing
• Password Cracking Techniques
• System Hacking 
• Buffer Overflows
• Social Engineering
• SQL Injection
• Hacking Linux
• Virus Worms Trojans Rootkits
• IDS, Firewalls and Honeypots
• Denial of Service
• Cryptography
• Session Hijacking
• Web Application Vulnerabilities
• Hacking Web Servers
• Penetration Testing Methods
• DLL/Code injection
• ARP Poisoning
• Log Tampering
• Data Hiding and Evasion
• Alternate Data Streams
• Locked directories
• Special Shell Folder Locations
• Steganography
• Find/Grep Utilities
• Basic SQL
• File comparison
• Push/Pull logging
• Network mirroring /Port Mirroring/SPAN
• UNIX Epoch Time
• Network Traffic Analysis
  

2) Linux and Unix fundamentals

• Network Traffic Analysis
• Examine how to mitigate or eliminate general problems that apply to all
• Unix-like operating systems,
• vulnerabilities in the password
• authentication system,
• file system,
• virtual memory system,
• applications that commonly run on Linux and Unix.
• configuration guidance and practical, real-world examples,
• tips, and tricks.

Lesson 2 3 hr lecture 7 hr Labs
3) Data Analysis tools and Fundamentals
IS.2. Learn how to create, edit, and manage changes to network access control lists on firewalls and IPS.
IS.3. Learn Anti-Virus or Audit/Remediation administration  including installation, configuration, maintenance, and backup/restore.

• Data Correlation (Data Fusion)
• Logging Architectures and Data Sources
• IP Anomalies and Bogon Routing
• TCP Anomalies
• UDP Anomalie
• Data Correlation (Data Fusion)
• Logging Architectures and Data Sources
• IP , TCP, UDP, ICMP, HTTP Anomalies
• Reverse Shells
• Directory Traversals
• Unicode Exploits
• Command Injection
• IIS Web Service Logging Locations
• HTTP.sys Error Logging
• FTP Bouncing
• Active FTP
• Passive FTP
• SMTP & Unsolicited Mail
• SNMP ver1, 2 or 3?
• RDP Hijacking
• SSL/TLS and SSH Hijacking, with a twist of DNS and ARP Poisoning
• Back up and restore

Lesson 3 3 hr lecture 7 hr Labs
4) Intrusion Analysis
IS.5. Learn how to manage and administer the updating of  rules and signatures for specialized CND applications. (IDS/IPS, anti-virus, and content blacklists)
IS.6. Learn how to Identify potential CND  implementation conflicts (e.g., tool/signature testing and optimization).
IS.7. Learn how to build and administer CND test bed to evaluate new CND applications, rules/signatures, access controls, and configurations of CND-SP managed platforms.
A.2.How to analyze network alerts skills
A.3. How to validate network alerts                                                                                                                                                            
A.4. How to analyze log files from a variety of sources ( host logs, network traffic logs, firewall logs, and ISD logs) or SIM
A.5. Learn how to identify anomalous activity and analyze network traffic and how they threaten network resources.
A.7.  Learn to write signatures for CND network tools in response to new or observed threats.
A.8. Learn how to do event correlation from a variety of sources  to gain situational awareness and determine the effectiveness of an observed attack.
A.9. Notify CND managers, CND incident responders, and other CND-SP team members of suspected CND incidents and articulate the event’s history, status, and potential impact for further action.

• RDP Hijacking
• Analyze network alerts
• Validate network alerts
• Analyze log files from host logs, network traffic logs, IDS logs
• Identify anomalous activity and analyze network traffic & how they threaten resources
• Write signatures for network tools in response to new or observed threats
• Event correlation from a variety of sources to determine the effectiveness of the attack.

Lesson  4 4 hr lecture 7 hr Labs
5) Basic Forensic tools and Fundamentals
IR.2.    You will understand how to collect and analyze intrusion artifacts (e.g., source code, malware, and trojans) to mitigate potential CND incidents.
IR.3. You will learn how perform initial, forensically sound collection of images to discern mitigation/ remediation.
IR.4.Learn how to coordinate with and provide expert technical support to resolve CND incidents.
IR.5.You will learn how to track and document CND incidents from initial detection through final resolution.
IR.6. You will learn the step by step process of  CND incident triage to determine scope, urgency, and potential
impact;  identify the specific vulnerability and make recommendations which enable expeditious remediation.
IR.7. You will learn how to correlate incident data and perform CND trend analysis and reporting.
IR.8. You will coordinate with intelligence analysts to correlate threat assessment data.
IR.9. You will learn how to serve as technical experts to law enforcement for incident details & expert testimony
IR.10. You will perform real-time CND Incident Handling (e.g., forensic collections, intrusion
correlation/tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRT).
IR.11. You will learn how to maintain deployable CND toolkit (e.g., specialized CND software/hardware) to support IRT missions.
IR.12. You will learn who to write and publish CND guidance and reports on incident findings to appropriate constituencies.

• Data Breach Cases &, Intrusion Analysis
• U.S. Laws Investigators you should know
• Evidence Acquisition/Analysis/Preservation Laws and Guidelines
• Forensic Collection of Images
• Forensic Reports and Testimony
• Step by Step Forensics Methodology
• File System Essentials
• Evidence Integrity and Chain of Custody
• Advanced Forensic Evidence Acquisition and Imaging
• File System Timeline Analysis
• Key Forensic Acquisition/Analysis & Correlation Concepts
• Volatile Evidence Gathering and Analysis
• Forensic Analysis Key Methods
• Key Windows File System Analysis Concepts
• File System and Data Layer Examination
• Metadata and File Name Layer Examination
• Windows FAT File System Examination
• Windows NTFS File System Examination
• Linux/Unix File System Examination
• Image File Conversion (E01, Raw, AFF)
• Windows System Restore and Shadow Volume Copy Exploitation
• File Sorting and Hash Comparisons
• Live Response and Volatile Evidence Collection
• Windows Registry Analysis
• Windows Internal File Metadata
• Application Footprinting and Software Forensics
• Automated GUI Based Forensic Toolkits

Lesson 5  7 hr lecture 13 hr Labs
6) Incident handling

AC.2. You will learn applicable CND policies, regulations, and compliance documents specifically related to CND auditing.
AC.3. You will learn how to do step by step CND vulnerability assessments.
AC.4. You will learn how to do step by step CND risk assessments.
AC.5. You will learn how to conduct authorized penetration testing of network assets.
AC.6. You will learn how to analyze site CND policies and configurations and evaluate compliance with regulations and enclave directives.
AC.7. You will learn how to prepare audit reports that identify technical and procedural findings and provide recommended remediation strategies/solutions.

• The step-by-step penetration tester assessment process and methodology workshops
• The latest cyber attack vectors defenses to stop them
• Proactive and reactive defenses of a computer attack with 12 live scenarios
• Scanning for, exploiting, and defending systems
• Strategies and tools for detecting each type of attack
• Attacks and defenses for Windows, Unix, switches, routers and other systems
• Application-level vulnerabilities, attacks, and defenses
• Developing an incident handling process and preparing a team for battle
• Legal issues in incident handling
• Recovering from computer attacks and restoring systems for business

Lesson 5 
Current Trends & developments / Qualified/ Network Defense Exercise QNDX 5 hr lecture 7 hr Labs

Scenario #1—Attacks with no perimeter to soft systems
Scenario #2—Defense with no perimeter and soft systems
Scenario #3—Attacks with no perimeter to hard systems
Scenario #4—Defense with no perimeter and hard systems
Scenario #5—Attacks through perimeter to hard systems
Scenario #6—Defense with perimeter and hard systems
Scenario #7—DOS attacks on hardened network
Scenario #8—DOS defenses with hardened network
Scenario #9—Concurrent attack/defense with no perimeter
Scenario #10—Concurrent attack/defense with perimeter
Scenario #11—Concurrent DOS attack/defense
Scenario #12—Ad Hoc: This scenario can be tailor-made to fit any specific learning objectives.

Each class builds networks with a secure channel (i.e., VPN) setup, start/stop times and dates, roles (attacker or defender), ROE, and learning objectives that will be drafted and published with the described pre-defined Q/ISP Project  scenarios and SOW (Scope of Work) establish parameters of scenarios. These twelve scenarios and SOW will serve as the necessary administrative coordination between QNDX participants. Though the exact content of these scenario descriptions and SOW will not be finalized until approved, the generalized contents and descriptions follow.

The SOW will contain four main elements.
1) A statement regarding the intent of QNDX participation.
2) Elaboration regarding the mandatory implementation of a secure VPN tunnel between the participating networks.
3) Delineation of Qualified -exercise ethical conduct and ROE.
4) A statement indicating that each Major has notified their local IT authorities regarding the exercise, and that each side has taken measures to ensure that their SOW network activities will not adversely hinder routine network operations.  

---