Cyber Defense Analyst 1 - Job Role Training


Looking to become a Cyber Defense Analyst? This package consists of hands-on labs focusing on that NIST National Initiative for Cybersecurity Education (NICE) work role. Completing these labs will help you learn the skills needed for a job in the area. A follow-on package, "Cyber Defense Analyst 2" is also available for more in-depth practice with these job skills.


Prerequisites vary by lab, but are generally: familiarity with the Unix/Linux command line and basic networking concepts (TCP/IP, DNS, etc.).


20 hours, self-paced. Pause and continue at any time.


  • Service Identification I
    Students will use multiple tools to identify services, including software package and version information, running on unknown systems. Network services to be targeted will include those running on non-standard ports or behind firewall rules.
  • Introductory IDS Configuration with Snort
    Students will learn how to configure an Intrusion Detection System (IDS) to examine traffic to/from a firewall. The popular Snort® IDS will be used in this exercise. The exercise will include both harmless background traffic and potentially-malicious traffic to be detected by Snort.
  • Firewall Configuration with IPtables
    Students will configure a network firewall using the standard Linux iptables module. The exercise will include both ingress and egress filtering, stateful packet inspection, and best practices. More advanced techniques such as port knocking will also be introduced. Evaluation will include network probes from both inside and outside the firewall to ensure proper rules are configured.
  • Host IDS Setup with OSSEC
    Students learn how to configure and run the widely-used, free OSSEC Host Intrusion Detection System (HIDS). During the exercise, students will learn how to check for rootkits using OSSEC, how to verify file integrity, how to set up passive and active responses, and more. Host intrusion detection is critical to maintaining a secure system, and is required by HIPAA and PCI regulations, both of which OSSEC can help you meet.
  • Identifying Live Machines and Services on an Unknown Network
    Students will use tools such as nmap, unicornscan, and fping to identify systems on a local network, including both Unix and Windows targets. Students will identify the operating systems these systems are running, as well as the types of network services they are providing.
  • Log Analysis with RSYSLOG
    This lab teaches students to setup and configure a central RSYSLOG server that will receive and store logs from FreeBSD, Linux and Windows clients.
  • Introduction to Metasploit
    Students will gain experience with the widely-used open source Metasploit® framework and related tools for exploiting vulnerable software and insecure system configurations. The exercise leads students through the entire process, from scanning the network to getting remote shells and accessing sensitive information. By seeing the tools available to potential attackers, students will gain a greater appreciation for the need to keep software up-to-date and securely configured.
  • Web Application Security Analysis using OWASP-ZAP
    Students will use the OWASP program’s ZAP tool suite from within Kali Linux to scan multiple web services and document vulnerabilities. Students will see ZAP in action on a vulnerable web site where entire database tables are available to potential attackers.
  • Protocol Analysis I: Wireshark Basics
    Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is "normal" or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.
  • Protocol Analysis II: Extracting Data from Network Traffic
    Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.


  • Cyber Defense Analyst

Stock number: