Threat Analysis (Coursera)

By the end of the course, you will be able to:

•Use the classic kill chain model to perform network security incident analysis

• Describe the reconnaissance phase of the classic kill chain model

• Describe the weaponization phase of the classic kill chain model

• Describe the delivery phase of the classic kill chain model

• Describe the exploitation phase of the classic kill chain model

• Describe the installation phase of the classic kill chain mode l

• Describe the command-and-control phase of the classic kill chain model

• Describe the actions on objectives phase of the classic kill chain model

• Describe how the kill chain model can be applied to detect and prevent ransomware

• Describe using the diamond model to perform network security incident analysis

• Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform, such as ThreatConnect

• Describe the MITRE ATTACK framework and its use

• Walk-through the classic kill chain model and use various tool capabilities of the Security Onion Linux distribution

• Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by threat actors.

To be successful in this course, you should have the following background:

1. Skills and knowledge equivalent to those learned in Implementing and Administering Cisco Solutions (CCNA) v1.0 course

2. Familiarity with Ethernet and TCP/IP networking

3. Working knowledge of the Windows and Linux operating systems

4. Familiarity with basics of networking security concepts.

Course 5 of 7 in the Cybersecurity Operations Fundamentals Specialization.

Syllabus

WEEK 1

Understanding Incident Analysis in a Threat-Centric SOC

If you are an associate-level cybersecurity analyst who is working in security operation centers, this course will help you understand Incident Analysis in a Threat-Centric SOC. By the end of the course, you will be able to: • Use the classic kill chain model to perform network security incident analysis • Describe the reconnaissance phase of the classic kill chain model • Describe the weaponization phase of the classic kill chain model • Describe the delivery phase of the classic kill chain model • Describe the exploitation phase of the classic kill chain model • Describe the installation phase of the classic kill chain mode l• Describe the command-and-control phase of the classic kill chain model • Describe the actions on objectives phase of the classic kill chain model • Describe how the kill chain model can be applied to detect and prevent ransomware • Describe using the diamond model to perform network security incident analysis • Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform, such as ThreatConnect • Describe the MITRE ATTACK framework and its use • Walk-through the classic kill chain model and use various tool capabilities of the Security Onion Linux distribution • Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by threat actors. To be successful in this course, you should have the following background: 1. Skills and knowledge equivalent to those learned in Implementing and Administering Cisco Solutions (CCNA) v1.0 course 2. Familiarity with Ethernet and TCP/IP networking 3. Working knowledge of the Windows and Linux operating systems 4. Familiarity with basics of networking security concepts.

WEEK 2

Identifying Common Attack Vectors

If you are an associate-level cybersecurity analyst who is working in security operation centers, this course will help you understand common attack vectors. By the end of the course, you will be able to: • Identify the common attack vectors • Explain DNS terminology and operations • Describe the automated discovery and registration process of the client public IP addresses via DDNS • Describe the process of recursive DNS queries • Describe HTTP operations and traffic analysis to identify anomalies in the HTTP traffic • Describe the use of and operation of HTTPS traffic • Describe the use of and operation of HTTP/2 and streams • Describe how SQL is used to query, operate, and administer relational database management systems, and how to recognize SQL based attacks• Describe how the mail delivery process works, and SMTP conversations • Describe how web scripting can be used to deliver malware • Explain the use of obfuscated JavaScript by the threat actors • Explain the use of shellcode and exploits by threat actors • Understand the three basic types of payloads within the Metasploit framework (single, stager, and stage) • Explain the use of directory traversal by the threat actors • Explain the basic concepts of SQL injection attacks • Explain the basic concepts of cross-site scripting attacks • Explain the use of Punycode by threat actors • Explain the use of DNS tunneling by threat actors • Explain the use of pivoting by threat actors • Describe website redirection with HTTP 302 cushioning • Describe how attackers can gain access via web-based attacks • Understand how threat actors use exploit kits • Describe the Emotet APT • Play the role of both attacker to simulate attacks, and the role of analyst to analyze the attacks. To be successful in this course, you should have the following background: 1. Skills and knowledge equivalent to those learned in Implementing and Administering Cisco Solutions (CCNA) v1.0 course 2. Familiarity with Ethernet and TCP/IP networking 3. Working knowledge of the Windows and Linux operating systems 4. Familiarity with basics of networking security concepts.

WEEK 3

Identifying Malicious Activity

If you are an associate-level cybersecurity analyst who is working in security operation centers, this course will help you Identify Malicious Activity. By the end of the course, you will be able to: • Explain why security analysts need to understand the network design that they are protecting • Understand the role of the design of the network that you are protecting • Define the different threat actor types • Provide an example of log data search using ELSA • Explore logging functionality in context to Linux systems • Describe how the Windows Event Viewer is used to browse and manage event logs • Describe the context of a security incident in firewall syslog messages • Describe the need for network DNS activity log analysis • Describe web proxy log analysis for investigating web-based attacks • Describe email proxy log analysis for investigating email-based attacks • Describe AAA server log analysis • Describe NGFW log analysis for incident investigation • Describe application log analysis for detecting application misuse • Describe the use of NetFlow for collecting and monitoring of network traffic flow data • Explain the use of NetFlow as a security tool • Describe network behavior anomaly monitoring for detecting deviations from the normal patterns • Describe using NetFlow for data loss detection• Explain how DNS can be used by the threat actors to perform attacks • Describe intrusion prevention system evasion techniques • Explain the Onion Router network and how to detect Tor network traffic • Describe gaining access and control in context to endpoint attacks• Describe peer-to-peer file sharing and risks • Describe encapsulation techniques including DNS tunneling • Explain how to prevent attackers from modifying a device's software image • Explore how attackers leverage DNS in their attacks • Analyze data for investigation of a security event. To be successful in this course, you should have the following background: 1. Skills and knowledge equivalent to those learned in Implementing and Administering Cisco Solutions (CCNA) v1.0 course 2. Familiarity with Ethernet and TCP/IP networking 3. Working knowledge of the Windows and Linux operating systems 4. Familiarity with basics of networking security concepts.

WEEK 4

Identifying Patterns of Suspicious Behavior

If you are an associate-level cybersecurity analyst who is working in security operation centers, this course will help you identify patterns of suspicious behavior. By the end of the course, you will be able to: • Explain the purpose of baselining the network activities • Explain how to use the established baseline to identify anomalies and suspicious behaviors • Explain the basic concepts of performing PCAP analysis • Explain the use of a sandbox to perform file analysis • Investigate suspicious activity using the tools within Security Onion. To be successful in this course, you should have the following background: 1. Skills and knowledge equivalent to those learned in Implementing and Administering Cisco Solutions (CCNA) v1.0 course 2. Familiarity with Ethernet and TCP/IP networking 3. Working knowledge of the Windows and Linux operating systems 4. Familiarity with basics of networking security concepts.