You’ve been hacked, or even only suspect you’ve been hacked. Now what?

Labs in this category guide you through approaches to addressing and managing the aftermath of an attack or security breach. You’ll get to experience actual attacks, within a controlled environment, so that the first time you see ransomware isn’t on your critical systems.

The labs in this category focus on the technical aspects of incident response, mitigation, and recovery, versus site-specific organizational policies or procedures.

Questions about which lab is right for you? Contact cogent@trainonq.com.

DoS Attacks and Defenses

This lab teaches three different Denial of Service attacks and techniques to mitigate them:

  1. A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol,
  2. A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work,
  3. A DNS amplification attack that exploits misconfigured DNS servers, of which there are plenty on the Internet.

Prerequisites

Basic web application knowledge (HTTP, URL parameters, etc.), networking concepts (TCP/IP, DNS, etc.), and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: Enterprise Instructional Labs
  • Introduction to Cybersecurity Lab Package
  • Introduction to Network Security Lab Package
  • Incident Response Package
  • Target Developer 1
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Security Architect
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
Educational Lab

Protocol Analysis I: Wireshark Basics

Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is "normal" or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.

Prerequisites

Basic familiarity with TCP/IP networking (advanced knowledge not required) and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: Enterprise Instructional Labs
  • Introduction to Network Security Lab Package
  • Intrusion Detection and Prevention Lab Package
  • Essential Tools for Cybersecurity
  • Essential Tools for Network Engineering
  • Incident Response Package
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Forensics Analyst 1
  • Cyber Defense Analyst 1
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Vulnerability Assessment Analyst 1
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
Educational Lab

Protocol Analysis II: Extracting Data from Network Traffic

Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.

Prerequisites

The Protocol Analysis I lab or equivalent knowledge of Wireshark and TCP/IP packet capture. Familiarity with how to use the command line in Linux/Unix systems.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: Enterprise Instructional Labs
  • Incident Response Package
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Forensics Analyst 1
  • Cyber Defense Analyst 1
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 1
  • Vulnerability Assessment Analyst 1
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
Educational Lab

Analyzing Potential Malware

Students will learn to use the Cuckoo sandbox to determine if an executable or document is potential malware. If the executable is packed (compressed), they will learn to use a debugger to unpack it.

Prerequisites

Basic knowledge of computer architecture and assembly language, and familiarity with the Unix/Linux command line.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 1: Enterprise Instructional Labs
  • Intrusion Detection and Prevention Lab Package
  • Incident Response Package
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Forensics Analyst 2
  • Cyber Defense Incident Responder
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
Educational Lab

Packet Capture Analysis and Manipulation

Get valuable experience extracting data from network packet captures! Students will use Wireshark® to analyze network packet traces containing normal network traffic and active attacks. Detailed information will be extracted from the traces by examining packets and by using Wireshark's built-in analysis and PCAP-manipulation tools.

Prerequisites

Knowledge of the internals of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The Cogent Range Protocol Analysis labs will help you meet these prerequisites.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Law Enforcement/Counterintelligence Forensics Analyst 1
  • Cyber Defense Forensics Analyst 1
  • Cyber Defense Analyst 2
  • Cyber Defense Incident Responder
  • Vulnerability Assessment Analyst 2
  • Incident Response Package
  • Attack, Defense, and System Administration Exercises Package
Live Exercise

Intrusion Analysis using Network Traffic

Examine packet captures from actual intrusions and dive deeper into how attackers operate! Students will learn the details of protocols such as SMB and SSH by examining network traffic captures in Wireshark®, then will proceed to build network packets "by hand" in order to tunnel secret data in normal-looking traffic. Finally, students will learn the details of "web shell" payloads commonly used by attackers.

Prerequisites

Detailed knowledge of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The Cogent Range Packet Capture Analysis and Manipulation exercise is recommended before starting this exercise.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Forensics Analyst 2
  • Cyber Defense Analyst 2
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 2
  • Vulnerability Assessment Analyst 2
  • Incident Response Package
  • Attack, Defense, and System Administration Exercises Package
Live Exercise

Advanced Analysis of Malicious Network Traffic

Continue your exploration into malware's behavior on the network! Students will analyze network captures containing real, malicious network traffic, both by hand and using tools such as Security Onion and Sguil. Both malware spreading methods and command and control operations will be explored. In addition, students will create web shell payloads of their own to see how they operate from the inside.

Prerequisites

Detailed knowledge of networking protocols, including TCP/IP, DNS, and HTTP. Familiarity with Wireshark and the Unix/Linux command line.

The Cogent Range Intrusion Analysis using Network Traffic exercise is recommended before starting this exercise.

Expected Duration

3 hours, self-paced. Pause and continue at any time.
3 CPEs awarded on successful completion.

Availability

Included if you are a subscriber to any of the following training packages:

  • Level 2: Attack/Defense/IR Exercises and Instructional Labs
  • Level 3: Attack Scenarios, Attack/Defense/IR Exercises, and Instructional Labs
  • Law Enforcement/Counterintelligence Forensics Analyst 2
  • Cyber Defense Forensics Analyst 2
  • Cyber Defense Analyst 2
  • Cyber Defense Incident Responder
  • Cyber Defense Infrastructure Support Specialist 2
  • Vulnerability Assessment Analyst 2
  • Incident Response Package
  • Attack, Defense, and System Administration Exercises Package
Live Exercise