SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring

Overview

The traditional security model, focused primarily on prevention, has proven insufficient against the sophisticated and persistent threats faced by organizations today. Given the frequency and extent of significant intrusions, this should not come as a surprise.

In this section of the course, students explore the foundational concepts and methodologies that shape modern cybersecurity strategies. Beginning with a current state assessment, they review traditional and modern attack techniques, understanding how these have evolved and the implications for modern post-exploitation scenarios. The section then delves into advanced cyber defense principles, emphasizing the shift from reactive to proactive measures in threat detection and response. Key techniques, models, and frameworks such as MITRE ATT&CK, CIS Controls, OWASP LLM Top 10, Zero Trust, and Long Tail Analysis are introduced, providing a conceptual toolkit to better understand and mitigate threats. Students learn how to utilize frameworks to better align their defenses with known adversary tactics and techniques.

Threat-informed defensive strategies and threat hunting are central to modernized cyber defense. Learners explore how to apply MITRE ATT&CK in practical scenarios, enhancing their ability to anticipate and respond to threats.

Foundational understanding of GenAI and LLMs equips students to both leverage and defend against emerging AI technologies. Frameworks such as MITRE ATLAS and OWASP LLM Top 10 will be highlighted to structure understanding of this evolving area of cyber defense. Hands-on labs focus on detecting traditional and modern attack techniques, including practical exercises with Security Onion and Apache ActiveMQ analysis, culminating in an immersive NetWars Bootcamp to test skills in real-world scenarios.

Exercises

• Detecting Traditional Attack Techniques with Security Onion and CyberChef
• Detecting Modern Attack Techniques with Security Onion
• Complex Intrusion Analysis: Apache ActiveMQ
• NetWars Bootcamp: Immersive Cyber Challenges

Topics

• Adversary Tactics and Cyber Defense Principles
  • Current State Assessment
  • Traditional Attack/Cyber Defense
  • Modern Attack & Post-Exploitation
  • Advanced Cyber Defense
• Introducing Security Onion 2.X
  • Alerts Menu
  • Pivoting to the Hunt Menu
  • The Pcap Menu
• Frameworks/Mental Models
  • Zero Trust
  • Long Tail Analysis
  • ASD Essential Eight
  • CIS Controls + Continuous Diagnostics and Mitigation (CDM)
  • Threat Informed Defense
  • MITRE ATT&CK
• Threat Informed Defense and Hunting
  • Threat Informed Defense
  • Working with MITRE ATT&CK
• GenAI/LLM Fundamentals
  • MITRE ATLAS
  • OWASP LLM Top 10

Overview

This section covers the critical aspects of security visibility and protection across cloud, edge, and network environments. It begins with an exploration of network intrusion detection and prevention systems, including malware sandboxes and honeypots, highlighting their roles in identifying and mitigating threats. The impact and importance of encryption, particularly TLS inspection and DNS query encryption, is discussed in detail, providing students with insights into balancing protection of data in transit without compromising visibility. The module also introduces various cloud protection mechanisms, such as CSPM, CIEM, CWPP, and CNAPP, alongside the MITRE ATT&CK Cloud Security Mappings, focusing on securing cloud infrastructures and services like AWS.

Edge security is another key focus, where students learn about services such as cloud access security broker (CASB), SASE, secure web gateway (SWG), and firewall-as-a-service (FWaaS). These are vital for protecting data and applications in a modern hybrid enterprise where data, applications, and users are no longer found exclusively on-premises. This section also covers boundary protection and detection strategies, including next-generation firewalls (NGFWs) and web application firewalls (WAFs), emphasizing their role in a layered security approach. Hands-on labs provide practical experience with tools like ModSecurity, Wireshark, and intrusion detection honeypots, reinforcing the theoretical knowledge through real-world applications. The NetWars Bootcamp offers an additional immersive experience, challenging students to apply their skills in a controlled, competitive environment.

Exercises

• Web Application Firewalls: ModSecurity
• Decrypting TLS with Wireshark
• Detecting Adversaries with Protocol Inspection
• Intrusion Detection Honeypots: HoneyTokens for Leak Detection
• NetWars Bootcamp: Immersive Cyber Challenges

Topics

• Security Visibility
  • Network Intrusion Detection Prevention Systems
  • Malware Sandboxes
  • Intrusion Detection Honeypots
• Encryption
  • Encryption and TLS Inspection
  • DNS Architecture and Encryption
• Cloud Protection and Detection
  • Cloud Security Stack
  • CSPM, CIEM, CWPP, CNAPP
  • MITRE ATT&CK Cloud Security Mappings
  • AWS Security Stack
• Edge Security
  • Edge Security Services
  • CASB, SASE, SWG, FWaaS
  • Boundary Protection and Detection
  • L7 and Next-Generation Firewalls
  • Web Application Firewalls

Overview

In this section, students delve into the specialized field of NDR, exploring its role within the broader context of Network Security Monitoring (NSM) and SIEM. The content covers the essential components and tools of an NDR/NSM setup, emphasizing the importance and efficacy of various data sources, including cloud-specific considerations. These elements must be designed to provide comprehensive coverage and analytical capabilities, allowing security teams to detect and respond to threats swiftly. By leveraging advanced NDR tools and methodologies, students learn to identify and interpret suspicious activities, even within encrypted communications. Equipping students with the skills needed to identify anomalies and potential threats in network traffic requires exploration of various analytic approaches and techniques.

The focus then shifts to the hands-on practice of network threat hunting, where students learn to track implants, detect C2 traffic, and analyze both decrypted and encrypted network traffic. Techniques for identifying malicious traffic via beacon discovery, entropy analysis, and behavior anomaly detection are covered in detail, with specific reference to modern adversary tactics and tooling. The practical labs in this section include pcap payload carving and analysis with Zeek, intrusion analysis with Security Onion, and TLS anomaly detection. Hands-on labs and this sections NetWars Bootcamp provide students with the opportunity to apply these techniques and further solidify NDR skills through challenging, real-world scenarios.

Exercises

• Pcap Analysis and Carving with Zeek
• Security Onion Service-Side Attack Analysis
• Wireshark Merlin Analysis
• Detecting TLS Certificate and User-Agent Anomalies
• NetWars Bootcamp: Immersive Cyber Challenges

Topics

• Network Detection Response (NDR)
  • NDR, NSM, and SIEM
  • NDR/NSM Toolbox
  • NDR Data Sources
  • Cloud NDR: Network Visibility
  • NIDS Design
  • Practical NDR/NSM Issues
  • Security Information and Event Management (SIEM)
  • SIEM + Elastic Stack
  • Entropy and freq.py
• Network Threat Hunting
  • Tracking Implants and .EXEs
  • Identifying Command and Control Traffic
  • Tracking User Agents
  • C2 via HTTPS
  • TLS Certificates and Handshakes
  • TLS Fingerprinting
  • Cobalt Strike

Overview

This section focuses on the critical aspects of endpoint and user security within hybrid enterprise environments. Students begin with EDR technologies, exploring tools like Microsoft Defender for Cloud and Endpoint, and learn about the importance of comprehensive endpoint monitoring using solutions like Sysmon. The section also covers EPPs, with a particular emphasis on application control and Microsoft's Defender for Servers, highlighting the integration and management of security measures across various endpoints.

User and identity monitoring is another vital component explored in this section. Students examine advanced techniques for defending identity and access, including privilege management, monitoring, and reduction. The content also addresses persistent challenges of legacy authentication and explores modern authentication methods including elements of multifactor authentication (MFA), passwordless, Windows Hello, and Azure AD/Entra ID. Coverage also includes protection and detection of evolving attacks against authentication systems. The concepts undergirding UEBA provide deeper insights into user activities and identification of potential security risks. Practical labs, such as investigations using Sysmon and AppLocker configurations, offer hands-on experience in managing and responding to endpoint and user-related threats. The NetWars Bootcamp provides an immersive platform for students to practice and refine their skills in a competitive environment.

Exercises

• Sysmon
• CFO Compromise Investigation: Autoruns and Sysmon
• Application Control with AppLocker
• Merlin Sysmon Analysis
• NetWars Bootcamp: Immersive Cyber Challenges

Topics

• Endpoint Detection Response (EDR)
  • Microsoft Defender for Cloud
  • Microsoft Defender for Endpoint (EDR)
  • Endpoint Monitoring and Sysmon
• Endpoint Protection Platform (EPP)
  • Microsoft Defender for Servers
  • Endpoint Protection Platforms (EPPs)
  • Application Control
• Identity/User/Authentication Monitoring
  • Defending Identity and Access
  • Privilege Reduction
  • Legacy Authentication
  • AuthN, Windows Hello, Passwordless, and Azure AD
  • Advanced Authentication Attacks
  • User and Entity Behavior Analysis (UEBA)
  • Privilege Monitoring

Overview

In the final content-driven section, students explore the emerging field of defending applications built on GenAI and LLMs. The courseware addresses the unique attack surfaces associated with AI technologies, focusing on the specific security challenges and defensive strategies for these applications. Topics such as AI and software supply chain security are covered, with a focus on asset and attack surface discovery, secure baseline configuration, and cloud-based configuration and change management. This section prepares students to tackle the complex issues surrounding the protection of traditional and AI-driven systems and associated data.

The module also emphasizes the importance of automation and orchestration in modern SOCs. Students learn about the implementation of SOAR solutions to enhance SOC efficiency and effectiveness. Key topics include DNS threat hunting, adversary emulation, and the detection of lateral movement within networks. The practical labs, such as investigating ransomware incidents and analyzing Windows Event Logs, provide hands-on experience with the tools and techniques discussed. This section concludes with another challenging round of the NetWars Bootcamp, where students apply their knowledge in a series of advanced, real-world scenarios, solidifying their skills in defending against sophisticated cyber threats.

Exercises

• Ransomware Investigation
• Windows Event Logs
• DNS over HTTPS (DoH)
• NetWars Bootcamp: Immersive Cyber Challenges

Topics

• Defending AI/LLM Applications
  • Defending GenAI/LLM Applications
  • AI/LLM Attack Surface
• AI/Software Supply Chain
  • Software/AI Supply Chain Security
  • Asset/Attack Surface Discovery
  • Secure Baseline Configuration
  • Cloud Configuration Management
• Service and Event Log Monitoring
  • DNS Threat Hunting
  • Adversary Emulation
  • Detection Engineering
  • Detecting Lateral Movement
• Automation/SOAR/SOC
  • Automation
  • SOC

Overview

The course culminates in a team-based design, detect, and defend the flag competition. Powered by NetWars, section six provides a full day's worth of hands-on challenges applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout the course.

Topics

• Modern Cyber Defense: Protection, Detection, and Monitoring
• Applied NDR, NSM, and EDR
• Network, Endpoint, and Cloud-Oriented Threat Hunting
• Analyzing Malicious Traffic with Security Onion, Wireshark, and CyberChef
• Analyzing Malicious Windows Event Logs
• Packet Analysis
• Log Analysis
• C2 Detection