All CYRIN labs, exercises and attacks happen within a virtual environment. Each trainee or student gets their own virtual instance of a lab, exercise or attack, allowing training to be self-paced and available anywhere at any time. In order to meet specific training objectives, CYRIN subscriptions are sold on a packaged basis. That is, groups of CYRIN labs, exercises and/or attacks are recommended and bundled to meet the individual needs of the student.
80 hours, self-paced. Pause and continue at any time.
80 CPEs awarded on successful completion.
12 months of access.
EXERCISE LAB CONTENTS:
1. Getting Started with CYRIN
An introduction to CYRIN features, as well as an introduction to the Linux Terminal, Windows PowerShell, and shell commands.
2. Introductory IDS Configuration with Snort
Students will learn how to configure an Intrusion Detection System (IDS) to examine traffic to/from a firewall. The popular Snort® IDS will be used in this exercise. The exercise will include both harmless background traffic and potentially malicious traffic to be detected by Snort.
3. Intrusion Detection using Zeek (formerly Bro)
Students will learn how to deploy, configure and customize a Zeek Network Intrusion Detection System (NIDS). They will customize Zeek to generate enterprise specific logs and to send email notifications of events of interest. They will also create a simple Zeek plugin, using the Zeek scripting language, to detect and block brute force ssh login attempts.
4. Firewall Configuration with VyOS
Students will configure a network firewall using the VyOS router appliance, which mimics physical router hardware. The exercise will include both ingress and egress filtering, stateful packet inspection, and best practices. Students will set up a partitioned network and a DMZ area to isolate specific enterprise services, such as an e-mail server. Evaluation will include network probes from both inside and outside the firewall to ensure proper rules are configured.
5. Firewall Configuration with Iptables
Students will configure a network firewall using the standard Linux iptables module. The exercise will include both ingress and egress filtering, stateful packet inspection, and best practices. More advanced techniques such as port knocking will also be introduced. Evaluation will include network probes from both inside and outside the firewall to ensure proper rules are configured.
6. Firewall Configuration with pfSense
Students will learn to secure and configure the widely used, open-source pfSense firewall. They will learn to create firewall rules, the order in which rules are applied, how pfSense aliases can be used to simplify the pfSense rule set, and how to secure pfSense itself. They will also learn to view statistics and logs collected by pfSense.
7. VPN Server Configuration with OpenVPN
Students will learn to configure and set up an OpenVPN server. OpenVPN is an open-source virtual private network (VPN) solution. VPNs extend a private network over a public network, allowing users to send and receive data the public networks as if they are directly connected to the private network.
8. Split-Horizon DNS Configuration using BIND
Hackers shouldn’t be able to explore your internal network. To make sure they do not, you need to learn about split horizon DNS configuration. And it might help to know something about BIND, probably the most used DNS software on the internet.
9. Host IDS Setup with OSSEC
Students learn how to configure and run the widely-used, free OSSEC Host Intrusion Detection System (HIDS). During the exercise, students will learn how to check for rootkits using OSSEC, how to verify file integrity, how to set up passive and active responses, and more. Host intrusion detection is critical to maintaining a secure system, and is required by HIPAA and PCI regulations, both of which OSSEC can help you meet.
10. Using Active Directory to Manage Domain User Accounts
Students learn to use the Windows Active Directory service to create and manage domain user accounts. They also learn to set up security policies and assign these policies to users and organizational units.
11. SSH Server Configuration
Students learn the proper setup of the OpenSSH remote administration tool, including security-relevant settings. During the exercise, students will learn best practices such as host filtering, public-key or Kerberos authentication, and PAM integration.
12. Identifying Live Machines and Services on an Unknown Network
Students will use tools such as nmap, unicornscan, and fping to identify systems on a local network, including both Unix and Windows targets. Students will identify the operating systems these systems are running, as well as the types of network services they are providing.
13. Service Identification I
Students will use multiple tools to identify services, including software package and version information, running on unknown systems. Network services to be targeted will include those running on non-standard ports or behind firewall rules.
14. Service Identification II
Students will build on the Service Identification I exercise to use service-specific information-gathering tools. Students will gather vendor, software, and version information, as well as any configuration information available remotely. Students will then use scripting tools to automate this process.
15. Log Analysis with RSYSLOG
This lab teaches students to setup and configure a central RSYSLOG server that will receive and store logs from FreeBSD, Linux and Windows clients.
16. Log Analytics with Splunk
In this lab the student will learn how to configure and securely run the Splunk Enterprise security information collection and analysis platform. The objective of the lab is to deploy multiple instances of Splunk data forwarders through a deployment server and analyse the logs received from the servers. The student will write custom scripts to generate logs, create both visual and textual reports, organize these reports into a single dashboard, and learn to recognize malicious activity.
17. Log Analytics with Elastic Stack
Elastic Stack is a group of services designed to take data from almost any type of source and in almost any type of format, and to search, analyze and visualize that data in real time. In this lab, Elastic Stack will be used for log analytics. Students will learn to set up and run the Elasticsearch, Logstash and Kibana components of Elastic Stack. Multiple computers in a small network will forward their logs to a central server where they will be processed by Elastic Stack. Student will use Kibana to view logs, filter them and set up dashboards. Information in the logs will be used to identify and block an on-going attack.
18. Introduction to Metasploit
Students will gain experience with the widely used open source Metasploit® framework and related tools for exploiting vulnerable software and insecure system configurations. The exercise leads students through the entire process, from scanning the network to getting remote shells and accessing sensitive information. By seeing the tools available to potential attackers, students will gain a greater appreciation for the need to keep software up-to-date and securely configured.
19. Vulnerability Scanning with OpenVAS
Students will use the free OpenVAS web tool suite to identify vulnerabilities in services available on an unknown network. The network will include several targets with known-vulnerable software versions and/or configurations.
20. Automating Security Analysis with SPARTA
Students will build on the results of labs in the Web Application Security Analysis and Network Monitoring categories by using the SPARTA network infrastructure penetration testing tool, a graphical application that automates many common vulnerability assessment tasks. Students will use SPARTA within a graphical Kali Linux environment, scanning multiple unknown target systems and exploring found weaknesses.
21. Secure Configuration of the Apache Web Server
Students will learn how to set up a web server securely by configuring the commonly used Apache HTTP Server® on a Linux system. Security options will be explored, including location/directory restrictions, permissions, authentication, and SSL configuration.
22. Secure SSL Configuration in Apache
Students will build on the basic Apache configuration exercise to configure Secure Sockets Layer (SSL) encryption for the Apache HTTP Server®. Students will learn and implement best security practices and strong cryptography guarantees while avoiding vulnerabilities such as Heartbleed.
23. Web Application Security Analysis using OWASP-ZAP
Students will use the OWASP program’s ZAP tool suite from within Kali Linux to scan multiple web services and document vulnerabilities. Students will see ZAP in action on a vulnerable web site where entire database tables are available to potential attackers.
24. Web Application Security Analysis using Nikto
Students will use the Nikto tool to test web services over the network and document vulnerabilities. Students will then use network packet capture tools such as Wireshark to verify their understanding of the vulnerabilities and testing procedures.
25. Web Application Security Analysis using Vega
Students will use the Vega scanning tool, within a graphical Kali Linux environment, to test web services over the network and document vulnerabilities. Students will then use network packet capture tools such as Wireshark to verify their understanding of the vulnerabilities and testing procedures.
26. Web Application Security Analysis using Burp Suite
Burp Suite is an industry standard suite of tools used by information security professionals for testing Web application security. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
27. Detecting and Exploiting SQL Injection Vulnerabilities
Students will learn how to detect and exploit SQL injection vulnerabilities. By using several SQL injections techniques students will gather information about a remote database such as Operating System, database type, table names and their content. Students will then use sqlmap, a tool for SQL injection, to automate this process.
28. Web Site Reconnaissance
Web site reconnaissance is about gathering information about a web site. Of course, there is information published on the website that is intended for people to see. Then there is information such as the name and version of the software used in the website and information about databases used by web applications on the site. This is information the website owner may not want known but can be discovered using techniques covered by CYRIN labs in the Network Monitoring and Recon and Web Application Security Analysis categories.
29. DoS Attacks and Defences
This lab teaches three different Denial of Service attacks and techniques to mitigate them:
• A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol,
• A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work,
• A DNS amplification attack that exploits misconfigured DNS servers, of which there are plenty on the Internet.
30. Protocol Analysis I: Wireshark Basics
Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is 'normal' or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.
31. Protocol Analysis II: Extracting Data from Network Traffic
Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.
32. Handling Potential Malware
Students will learn to use the Cuckoo sandbox to determine if an executable or document is potential malware. If the executable is packed (compressed), they will learn to use a debugger to unpack it.
33. Introductory File System Forensics
Disk-based analysis is the cornerstone of cyber forensics, whether it be to track what a suspect was doing or simply to recover accidentally deleted files. This lab introduces students to the process of imaging and forensically analysing disks, including finding artefacts such as deleted files. The free Autopsy® forensic browser will be used in addition to command-line programs from the open-source Sleuth Kit® tool set.
34. Live Forensics using GRR
GRR Rapid Response is an open source live forensics tool originally created by Google. GRR allows an investigator to collect data about running systems on a network, anywhere from one system to thousands. In this lab, students will perform live remote forensic investigations against running systems. Without having to take the systems offline for imaging, students will examine running processes and network connections, files and disk artefacts, and registry keys across multiple target machines in a forensically-sound manner.
35. Introduction to P2P Forensics
Introduces students to the process of investigating usage of peer-to-peer (P2P) file sharing services for trading illicit content. Students learn what artefacts of P2P file sharing usage are left on a suspect’s hard drive, as well as how to extract forensically relevant information from the raw data. Students then use Architecture Technology Corporation’s P2P Marshal™ software in a hands-on practical, gathering evidence from provided forensic disk images using Microsoft Windows®.
36. Introduction to Memory Analysis with Volatility
Analysing a suspect system 'live', before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. The Volatility® framework is the dominant open-source memory analysis framework, examining RAM snapshots from a large variety of operating systems in multiple formats. This lab introduces students to the process of capturing a live RAM image and analysing it using Volatility. Students will learn about several Volatility plugins for analysing a Windows memory image, then analyse actual RAM images, including one with active malware, and view the results.
37. Introduction to Memory Analysis with Rekall
Analysing a suspect system 'live', before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. Rekall is an advanced, open-source memory capture and analysis framework that has expanded to include a variety of live incident response tools. This lab introduces students to the Rekall framework, both for extracting evidence from memory images and for analysing the current live state of the system. Students will learn about several Rekall tools, both on the command line and via the interactive console, for analysing memory images. Students will then analyse several images of Windows systems with in-memory malware.
38. Windows Forensics Artefacts
A security analyst will likely be asked sometime in his or her career to conduct a forensics analysis of a Windows computer. In this lab the student will learn about _forensics artefacts_ commonly found on Windows computers. Forensics artefacts are traces of user activity left behind on a computer even after the user logs out or the computer is shut down.
39. Advanced P2P Forensics
This course builds on the Introduction to P2P Forensics in order to provide students with a deeper understanding of how to extract evidence from a suspect’s hard drive. Students learn detailed file formats used by popular P2P software and methods for extracting information by hand. The course concludes with a hands-on practical using Architecture Technology Corporation’s P2P Marshal™ and provided forensic disk images using Microsoft Windows®.
40. eMule P2P Forensics
This course provides a deep dive into the eMule peer-to-peer file sharing system and client software. Students will learn how eMule stores forensically relevant data on disk. The course concludes with a hands-on practical using Architecture Technology Corporation’s P2P Marshal™ and provided forensic disk images using Microsoft Windows®.
41. Introduction to Jenkins CI/CD Pipelines
In this lab students will learn to use Jenkins, a widely used automation tool to set up a CI/CD (continuous integration/continuous delivery) pipeline. CI establishes a consistent and automated way to build, package, and test applications. CD automates the delivery of applications. A pipeline is the set of software integration, testing and deployment steps that the software being developed must go through.
42. Introduction to Shell Scripts
The ability to read and write shell scripts is an essential skill for system administrators. They are used to automate frequently executed tasks, saving system administrators time and reducing the likelihood of mistakes.
CYRIN training is sold on a subscription basis. All new CYRIN courses that are added to the training platform during a subscription period will be made available to subscribers at no additional cost.