The training course for the Cyber Defence Analyst role is designed to build proficiency in detecting, analyzing, and mitigating cyber threats. It delves into cybersecurity principles, network defense strategies, and threat intelligence analysis. Participants will complete practical exercises that simulate real-world scenarios, enhancing their skills in incident response and threat mitigation. This hands-on approach ensures that participants can apply theoretical knowledge in practical settings, preparing them for the complexities of the cyber defense field.

In addition to technical skills, the course will focus on developing strategic thought and decision-making prowess in the realm of cyber defense. Participants will examine real evidence from historical cyber incidents to gain a nuanced comprehension of cyber threat evolution and the critical need for swift, decisive action plans.

To provide a comprehensive educational experience, the course will explore the ethical dimensions of cybersecurity, emphasizing adherence to industry security standards and best practices. This expertise is crucial for devising strategies to defend against cyber threats while upholding ethical principles, fostering responsible and compliant cybersecurity operations.

Upon completion of the MCDA Certified Cyber Defence Analyst course, participants will be equipped with the skills to:

• Master network mapping skills to accurately map an organization's network infrastructure and understand device interactions.
• Assess network security posture through comprehensive evaluations to identify vulnerabilities.
• Utilize intrusion detection tools to detect intrusions and unauthorized activities on the network.
• Develop unique intrusion detection strategies tailored to identify and mitigate previously unidentified intrusions.
• Enhance system configurations to fortify defenses against potential intrusions and cyber threats.
• Communicate complex cyber security issues effectively to non-technical audiences.

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

• Lab Setup

  Lab setup is crucial for cyber defense analysts as it provides a controlled environment to simulate real-world cyber threats, allowing analysts to practice detection, analysis, and mitigation techniques safely.

  VirtualBox

  VirtualBox is a powerful virtualization tool that allows analysts to create and manage virtual machines (VMs) for testing and experimenting with different operating systems and network configurations. It's essential for simulating diverse IT environments and testing security measures.

  Pandas

  Pandas is a Python library used for data manipulation and analysis. In cyber defense, analysts can leverage Pandas for processing and analyzing large datasets related to network traffic, logs, or security events, enabling more effective threat detection and response.

  Active Directory

  Active Directory (AD) is a Microsoft service that manages users, groups, and resources within a network environment. Understanding AD is crucial for cyber defense analysts to secure user accounts, enforce policies, and monitor directory services for signs of unauthorized access or anomalies.

  OpenVAS

  OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner used to detect and assess security vulnerabilities in networks and hosts. It's important for analysts to use OpenVAS to identify and prioritize security risks, enabling proactive mitigation and patching.

  Yara

  Yara is a powerful tool used for malware identification and classification based on patterns or rules. Cyber defense analysts use Yara to create custom signatures for detecting specific types of malware or suspicious files, enhancing threat hunting and incident response capabilities.

• Key Risk Management Concepts

  Risk management is essential for cyber defense analysts as it enables them to assess and prioritize threats, allowing for strategic allocation of resources to address critical vulnerabilities.

  By implementing effective risk management practices, analysts can enhance incident response capabilities, mitigate potential impacts of cyber threats, and maintain robust cybersecurity defenses.

  Risk Transfer

  Risk transfer involves shifting the financial burden of potential losses from identified risks to another party, typically through insurance or outsourcing certain activities.

  Risk Register

  A risk register is a documented inventory of identified risks, their characteristics, potential impacts, and mitigation strategies, providing a structured approach to managing risks.

  Disaster Recovery Plan

  A disaster recovery plan outlines procedures to recover and restore critical systems and operations following a disruptive event, ensuring continuity and minimizing downtime in the face of disasters.

• SIEM (Security Information and Event Management)

  SIEM (Security Information and Event Management) is crucial for cyber defense analysts because it provides real-time visibility into security events and logs across an organization's network, allowing for proactive threat detection and response. It aggregates and correlates security data from multiple sources, enabling analysts to identify patterns, anomalies, and potential security incidents efficiently, thus enhancing overall cybersecurity posture.

  ELK Stack

  The ELK Stack is a powerful combination of open-source tools used for log management and analysis. Elasticsearch provides real-time search and analytics, Logstash processes and transforms log data, and Kibana offers visualization and dashboarding capabilities, making it essential for monitoring system health, troubleshooting issues, and detecting security incidents in large-scale environments.

  Writing ELK Filters to Detect Exploits

  Writing ELK filters to detect exploits involves creating specific queries within the ELK Stack that can identify patterns or signatures of known vulnerabilities or exploit attempts in log data, enabling proactive detection and response to potential security threats.

  Writing ELK Filters to Detect Malicious Processes/Executables

  Creating ELK filters to detect malicious processes or executables involves crafting queries that can flag suspicious behavior or activities in log data, aiding in the identification and mitigation of malware or unauthorized activities within the IT environment.

  Creating a Kibana Dashboard

  A Kibana dashboard is a visual interface in the ELK Stack used to display key metrics, logs, and analytics data in a customizable format. Creating effective Kibana dashboards enables cyber defense analysts to gain insights into security events and performance metrics, facilitating informed decision-making and proactive response to cybersecurity threats.

  Using ELK to Analyze Reverse Shells

  Analyzing reverse shells using the ELK Stack involves examining network traffic, log data, and system events to detect signs of compromise or unauthorized access originating from reverse shell connections, enabling swift response and remediation to prevent further exploitation or data breaches.

  Using ELK to Analyze Spear Phishing

  Leveraging the ELK Stack for spear phishing analysis involves scrutinizing email logs, network traffic, and user activity to identify indicators of targeted phishing attacks. This proactive approach allows cyber defense analysts to detect and mitigate spear phishing threats more effectively, reducing the risk of successful cyber attacks targeting specific individuals or organizations.

• Network Analysis

  Network analysis is crucial for cyber defense analysts to gain insights into network traffic patterns, identify anomalies, and detect potential security threats. By analyzing network data, analysts can assess network performance, pinpoint vulnerabilities, and enhance overall network security posture to safeguard against intrusions and unauthorized activities.

  RFI Templates

  RFI (Request for Information) templates are standardized documents used to gather specific details and requirements from potential vendors or suppliers during procurement processes.

  GrassMarlin

  GrassMarlin is an open-source tool used for passive network defense to monitor, detect, and respond to suspicious activities on operational technology (OT) networks.

  Network Situational Awareness

  Network Situational Awareness refers to the ability to monitor, analyze, and understand network behavior and activity to detect potential threats and vulnerabilities.

  Performing risk assessments on APTs

  Performing risk assessments on Advanced Persistent Threats (APTs) involves evaluating the potential impact and likelihood of APTs targeting specific assets or systems within an organization.

  Active & Passive Analysis

  Active and passive analysis techniques are used to assess network security, where active analysis involves direct interaction to evaluate responses, while passive analysis observes without direct interaction.

  Finding network vulnerabilities

  Finding network vulnerabilities involves identifying weaknesses or gaps in network defenses that could be exploited by attackers to compromise systems or data.

  Finding website vulnerabilities

  Finding website vulnerabilities entails identifying security flaws or weaknesses in web applications or websites that could be exploited by malicious actors to compromise data or breach security.

• Incident Response & Forensics

  Incident Response & Forensics is crucial for cyber defense analysts to effectively detect, contain, and mitigate security incidents, minimizing the impact of cyber threats on organizational assets. By conducting incident response and forensics, analysts can gather evidence, understand attack patterns, and improve future incident handling processes to enhance overall cybersecurity resilience.

  Investigating Unauthorized Network Connections

  Analyzing and tracing unauthorized access attempts or connections to identify potential security breaches.

  Investigating Malicious Behavior on Windows

  Examining and analyzing suspicious activities or behaviors on Windows systems to detect and respond to potential threats.

  Performing Network Forensics on EternalBlue Attacks

  Conducting forensic analysis specifically focused on incidents involving EternalBlue exploits, which target vulnerabilities in Windows systems.

  Performing Network Forensics on Malicious Connections

  Investigating and analyzing network traffic to identify and understand connections related to malicious activities or threats.

  Creating Incident Response Playbook

  Developing comprehensive guidelines and procedures for responding to specific security incidents or cyber threats based on best practices and lessons learned.

• Scripting

  Scripting is crucial for cyber defense analysts as it enables the automation of routine tasks, enhances incident response capabilities, and facilitates rapid deployment of security measures.

  Proficiency in scripting languages like PowerShell, Python, and Bash enables analysts to develop custom tools and scripts tailored to specific security needs, improving overall efficiency and effectiveness in cyber defense operations.

  Writing PowerShell Scripts to Harden Windows

  Writing PowerShell scripts is essential for cyber defense analysts to automate security hardening tasks on Windows systems, ensuring robust defenses against vulnerabilities.

  Writing PowerShell Scripts to Prevent Vulnerabilities

  Utilizing PowerShell scripting allows analysts to proactively prevent security vulnerabilities by automating tasks that enhance system security and mitigate potential risks.

  Using Python to Convert Log Types

  Python scripting is instrumental for converting and processing different log types, facilitating effective log analysis and enhancing overall cybersecurity operations.

  Using Python to Capture Executables

  Python scripting enables analysts to capture and analyze executables, providing insights into potential threats and malicious activities within an environment.

• Threat Hunting with Pandas & Yara

  Threat hunting involves proactively searching for signs of advanced threats or malicious activities within an organization's network. It is essential for cyber defense analysts because it allows for early detection of potential threats that traditional security measures may miss, enabling timely mitigation and response to minimize impact.

  Writing YARA Rules to Detect Malicious Activity

  Writing YARA rules allows analysts to create custom patterns that can identify specific types of malicious activity within files or processes, enhancing threat detection capabilities.

  Writing YARA Rules to Search Contents of Files

  By writing YARA rules to search file contents, analysts can pinpoint specific patterns or signatures indicative of malicious behavior, aiding in comprehensive threat hunting and investigation.

  Writing Pandas Queries to Identify Malicious Activity

  Using Pandas queries, analysts can efficiently sift through large datasets to identify and isolate suspicious or malicious activity, streamlining the threat hunting process and enabling timely responses.

  Threat Hunting Against 2000 Machines

  Conducting threat hunting across a large number of machines helps analysts identify potential threats at scale, allowing for proactive mitigation and protection of organizational assets.

• Threat Mapping

  Threat mapping involves identifying and visualizing cyber threats, their origins, attack vectors, and potential impacts within an organization's environment. It's important because it provides a strategic overview of potential risks, enabling proactive defense measures and informed decision-making to strengthen cybersecurity posture and resilience.

  Setting up OpenCTI

  OpenCTI is an open-source platform designed for threat intelligence management. It centralizes and visualizes cyber threat intelligence to facilitate informed decision-making and strategic threat analysis.

  Setting Up MISP

  MISP (Malware Information Sharing Platform & Threat Sharing) is an open-source threat intelligence platform for sharing, storing, and correlating Indicators of Compromise (IOCs) and threat information among security practitioners.

  Creating custom STIX Definitions

  STIX (Structured Threat Information eXpression) is a standard format for representing cyber threat intelligence. Creating custom STIX definitions allows organizations to tailor threat intelligence to their specific needs and use cases.

  Creating custom Google queries to identify hidden information on adversaries

  Crafting custom Google queries helps cybersecurity professionals gather open-source intelligence (OSINT) to uncover information about adversaries, such as leaked credentials, public forums discussions, or other digital footprints.

  Diamond Model

  The Diamond Model is a framework used to analyze cyber threat intelligence. It helps map the relationships between adversaries, infrastructure, capabilities, and victim targeting, enhancing understanding and response to cyber threats.

  Cyber Kill Chain

  The Cyber Kill Chain is a concept that describes the stages of a cyber attack, from initial reconnaissance to data exfiltration. Understanding the Cyber Kill Chain aids in developing effective defense strategies and mitigating threats.

  Graphing Attacks

  Graphing attacks involves visualizing cyber attacks, mapping out relationships and interactions between different entities such as threat actors, tools, and victim assets. This approach helps in identifying patterns and trends for threat analysis and response.

This course teaches the specific Knowledge, Skills, Abilities, and Tasks (KSATs) aligned with the DoD Cyber Workforce Framework (DCWF) as outlined in DoD 8140. By focusing on these critical competencies, the course ensures that you develop the essential capabilities required for various cybersecurity roles within the Department of Defense. This alignment not only guarantees that the training is relevant and comprehensive but also that it prepares you to meet the specific operational needs and standards of the DoD cyber workforce.

• knowledge

  ID	Description
  1069A	Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
  108	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  1158	Knowledge of cybersecurity principles.
  1159	Knowledge of cyber threats and vulnerabilities.
  150	Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
  19	Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
  22	Knowledge of computer networking concepts and protocols, and network security methodologies.
  66	Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.
  70	Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
  81A	Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  87	Knowledge of network traffic analysis methods.
  92	Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
  922A	Knowledge of how to use network analysis tools to identify vulnerabilities.
  984	Knowledge of cyber defense policies, procedures, and regulations.
  990	Knowledge of the common attack vectors on the network layer.
  991	Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
  6900	Knowledge of specific operational impacts of cybersecurity lapses.
  25	Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
  27	Knowledge of cryptography and cryptographic key management concepts.
  34	Knowledge of database systems.
  49	Knowledge of host/network access control mechanisms (e.g., access control list).
  58	Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
  61	Knowledge of incident response and handling methodologies.
  63	Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  79	Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
  88A	Knowledge of current and emerging cyber technologies.
  90	Knowledge of operating systems.
  95A	Knowledge of penetration testing principles, tools, and techniques.
  98	Knowledge of policy-based and risk adaptive access controls.
  105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  110	Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
  111	Knowledge of security system design tools, methods, and techniques.
  130A	Knowledge of systems security testing and evaluation methods.
  139	Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
  148	Knowledge of Virtual Private Network (VPN) security.
  177B	Knowledge of countermeasures for identified security risks.
  212A	Knowledge of network mapping and recreating network topologies.
  270	Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
  271	Knowledge of common network tools (e.g., ping, traceroute, nslookup).
  277	Knowledge of defense-in-depth principles and network security architecture.
  278	Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
  286	Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
  342A	Knowledge of operating system command line/prompt.
  904	Knowledge of interpreted and compiled computer languages.
  912	Knowledge of collection management processes, capabilities, and limitations.
  915	Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
  1033	Knowledge of basic system administration, network, and operating system hardening techniques.
  1034C	Knowledge of Personal Health Information (PHI) data security standards.
  1034B	Knowledge of Payment Card Industry (PCI) data security standards.
  1034A	Knowledge of Personally Identifiable Information (PII) data security standards.
  1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  1073	Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
  1114	Knowledge of encryption methodologies.
  1119	Knowledge of signature implementation impact.
  1121	Knowledge of Windows/Unix ports and services.
  3431	Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
  6935	Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
  6938	Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.
  43A	Knowledge of embedded systems.
  133	Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
  59A	Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
  8	Knowledge of authentication, authorization, and access control methods.
  21	Knowledge of computer algorithms.
  138	Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
  234B	Knowledge of the use of sub-netting tools.
  992C	Knowledge of threat environments (e.g., first generation threat actors, threat activities).
  1036	Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
  1142	Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  6210	Knowledge of cloud service models and possible limitations for an incident response.

• skills

  ID	Description
  214A	Skill in performing packet-level analysis.
  353	Skill in collecting data from a variety of cyber defense resources.
  895	Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
  3C	Skill in recognizing vulnerabilities in information and/or data systems.
  75C	Skill in conducting trend analysis.
  175	Skill in developing and deploying signatures.
  179A	Skill in assessing security controls based on cybersecurity principles and tenets.
  181A	Skill in detecting host and network based intrusions via intrusion detection technologies.
  183	Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  229	Skill in using incident handling methodologies.
  233	Skill in using protocol analyzers.
  1118	Skill in reading and interpreting signatures (e.g., snort).

• abilities

  ID	Description
  1120	Ability to interpret and incorporate data from multiple tool sources.
  3007	Ability to analyze malware.

• tasks

  ID	Description
  433	Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
  472	Coordinate with enterprise-wide cyber defense staff to validate network alerts.
  723	Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
  745	Perform cyber defense trend analysis and reporting.
  750	Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
  767	Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy.
  800	Provide daily summary reports of network events and activity relevant to cyber defense practices.
  823	Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
  956	Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.
  958	Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
  959	Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
  1107	Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
  1108	Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
  1111	Identify applications and operating systems of a network device based on network traffic.
  1111	Identify applications and operating systems of a network device based on network traffic.
  427	Develop content for cyber defense tools.
  559B	Analyze and report system security posture trends.
  559A	Analyze and report organizational security posture trends.
  576	Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
  593A	Assess adequate access controls based on principles of least privilege and need-to-know.
  716A	Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
  717A	Assess and monitor cybersecurity related to system implementation and testing practices.
  782	Plan and recommend modifications or adjustments based on exercise results or system environment.
  806A	Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
  880A	Work with stakeholders to resolve computer security incidents and vulnerability compliance.
  938A	Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
  1103	Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
  1104	Examine network topologies to understand data flows through the network.
  1105	Recommend computing environment vulnerability corrections.
  1109	Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
  1110	Isolate and remove malware.
  1112	Reconstruct a malicious attack or activity based off network traffic.
  1113	Identify network mapping and operating system (OS) fingerprinting activities.
  2062	Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.
  2611	Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.