Overview:

The Department of Defense Cyber Operator course is presented by Perched, an Elastic company. This instructor-led course teaches network security monitoring (NSM) in a simple, practical way that builds incrementally. You will learn to use the Elastic Stack along with security tools like Zeek (formerly Bro) and Suricata to perform full-spectrum threat detection and hunting. The course ends with a 2-day, guided hunt capstone containing multiple scenarios — both as an individual hunter and as part of a DoD team — that will engage the newly learned skills to find the adversary in the traffic.

The course focuses on the Department of Defense's mission of threat hunting in unique contested networks

Duration: 80 hours

• 10 days | 8 hours per day

Intended Audience:

Cybersecurity operators within the Department of Defense who need to analyze data to find bad actors in their network as part of a machine-assisted, human-driven operation

Prerequisites:

• Familiarity with Linux and Windows operating system
• Basic understanding of cyber security concepts and terms

Requirements

• An OpenSSH-compatible secure-shell client
• Mac, Linux, or Windows
• Stable internet connection (virtual classroom)
• Latest version of Chrome or Firefox (other browsers not supported)
• Disable any ad-blockers and restart your browser before class

Course outlines:

All lessons include hands-on labs.

1.      Linux CLI

This introduction is designed to equip students with basic operational skills for the Linux command line, like file system layout, using Vim, viewing logs, package management, services, SELinux, and some administration. It is not intended to make them an expert, but to familiarize them with enough Linux to succeed.

2.      Zeek Protocol Analyzer

An understanding of Zeek is a foundational skill for NSM. This lesson is designed to take an operator or analyst who has never used Zeek and bring them up to speed with its capabilities, like analyzing packets, commands, filtering and sorting, and more.

3.      The Elastic Stack

The Elastic Stack is integral to NSM. This lesson will provide an overview and introduction to the main Elastic Stack products: Elasticsearch, Kibana, Beats, and Logstash.

4.      Data transformation with Logstash

This lesson will cover what a data processing pipeline is all about, how it is used, and how Logstash is used in NSM. It will cover ETL, enrichment, shipping, and pipelines, and includes labs that progress in complexity in order to provide maximum understanding of what is happening in the pipeline.

5.      Active on network operations

While a “passive first” approach is preferred when responding to a contested environment, there comes a time that defenders must interact with the environment through active response actions. This lesson will discuss how to perform active on-network operations, asset enumeration, and file collection and retrieval.

6.      Packet analysis

This lesson will introduce operators to doing fine-grained packet analysis and Berkeley Packet Filters, and then address strategies to analyze packets at scale using Moloch

7.      Intrusion detection systems (IDS)

This lesson will introduce operators to the leading IDS — Suricata — and cover when and how to employ an IDS to support hunt operations. You will look at signature writing, Suricata vs. Snort, and IDS dashboards within Kibana.

8.      Kibana for operators

This lesson builds on the earlier Kibana training and teaches operators how to use Kibana to support them in their hunting. You will learn about security-focused Beats and their dashboards, perform graph analytics, employ machine learning for threat hunting, and use alerts for automation.

9.      Assisted hunt (2 days)

This capstone lesson is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques. You will learn to choose the right tool for each job, how to know when to dig deeper, response operations, and more before embarking on individual and team hunts. Hunts include: find the beacons, enemy objectives, applying the kill chain, and full-spectrum adversary detection.