Overview

This course exposes students to the tools and techniques used by information security professionals to analyze computer network traffic and identify suspicious and/or malicious activity within that traffic.

Upon successful completion of the course, students will have gained real-world experience that will make them highly desirable to employers with open entry-level Security Operations positions.

This course also exposes students to professional skills, to include: public speaking, business writing, technical writing, and teamwork.

The course is built on the premise that students learn best by actively doing, and through hands-on experience.

Instructors

Name             Email                              Chat Username
Peter Gebura     pngebura@buffalo.edu               @petergebura
Zach Tenenbaum   zatenenb@buffalo.edu               @zachtenenbaum
Sean Manly       seanmanl@buffalo.edu               @smanly
Phil Fox         pcfox@buffalo.edu                  @xphilfox
Chris Crawford   christopher.p.crawford@gmail.com   @chriscrawford

Course Objectives

At a high level, each student has the following objectives to meet:

  1. Understand the advantage of using the passive voice in comparison to the active voice.
  2. Read the Lockheed Martin Cyber Kill Chain paper to identify Indicators of Compromise (IoC), distinguish intrusion kill chain phases, and recommend mitigation strategies.
  3. Build a 3-node network using VirtualBox (see topology below).
  4. Compile open source network defense tools (such as Zeek and Snort) to monitor legitimate network traffic over their new network.
  5. Using the knowledge and capabilities gained from the previous objectives, analyze malicious network traffic from prior network defense competition packet captures.
  6. Effectively communicate in written reports, without using the passive voice, the steps taken and results of the packet analysis (see report outline below).
  7. Present twice as a group to the Systems Security class.

Course Tasks (20%)

Students will apply an Agile methodology (similar to Scrum) to accomplish the tasks assigned, utilizing Trello to track all progress throughout the semester. Students must complete the tasks in order before moving on to the next task and submit PowerPoint slides to Dropbox upon completion. Additionally, students will upload a daily screenshot to Dropbox prior to the daily meeting which highlights their progress. Students are also required to update their daily progress and active task on Trello before the daily meeting. All class communication will be conducted through the Mattermost course chat channel, and students are encouraged to collaborate and ask questions in this channel.

The course tasks consist of building a 3-node network, compiling and installing various tools, and becoming familiar with the tools. Students will construct their network using VirtualBox and Vagrant. The primary packet analysis tools utilized in class are Wireshark, Snort, Zeek (Bro), and Splunk. An example list of tasks to be completed is outlined here. Please note that these are tasks from a past semester and that tasks vary between semesters.

Daily Sync Meetings (60%)

This class is designed to be extremely hands-on and borrows some of its structure from scrum.

Class meets five days a week (Sunday-Thursday) on Zoom for no more than 10 minutes, at the same time every day. During the meeting, each student answers the following three questions:

  1. What did you accomplish since the last time we met?
  2. What do you plan to accomplish before our next meeting?
  3. Have you encountered any obstacles? If so, how do you plan to overcome them to complete the task?

Students will also present a daily slide, which is a screenshot highlighting a task that the student worked on since the last meeting. There is an example meeting script outlined below.

The meeting time is set at the beginning of the semester to a time that all students can consistently meet during the same time every day (Sunday-Thursday). Below is the scoring for the daily meetings.

Daily Meeting Grading

Grade   Percent of Daily Meeting Grade   Criteria
1       5%                               If the student identifies which meeting script they are using and states whether they are stuck on a task or not.
1       5%                               If the student restates the objective that they set in the previous meeting.
1       50%                              If the student accomplished something since the last meeting AND proves it with a daily slide AND submits the daily slide to Dropbox before the meeting begins.
1       20%                              If the student states a reasonable objective to complete by the next meeting AND describes what the screenshot will look like.
1       5%                               If the student states whether they plan to take a vacation day at the next meeting or not.
1       5%                               If the student does not use more than 2 minutes during the meeting.
1       10%                              If the student is present on Zoom, uses their webcam, is on time, and remains until the end of the meeting (10 minutes maximum).

Daily Meeting Scripts

There are three different daily meeting scripts that students will use for daily sync meetings, based on whether they completed their tasks or ran into issues trying to complete them. While students are not required to repeat the scripts verbatim, they are required to cover all bullet points.

Below is the Regular Daily Meeting Script, which is used when the student completes their task and has not run into any issues.

Identify the Script (5%)

Today I am using the regular daily meeting script.

Restate Objective (5%)

Last time we met, I said I would do _X_.

State Accomplishments and Prove It (50%)

Since then, I accomplished _X_. The slide on the screen is my proof of _X_.

IMPORTANT

  • To earn credit
    • The answer _X_ cannot effectively amount to “nothing”, i.e.
      • “I was too busy”
      • “I couldn’t get to it”
      • “I started to do _X_, but ran out of time”
      • Etc.
    • your slide must show clear proof of _X_

State a Reasonable Objective (20%)

Before the next time we meet, I will do _Z_, and I will prove I did _Z_ with a screenshot of _N_.

IMPORTANT

  • To earn credit
    • _Z_ must be concrete and tangible enough so that you can describe the screenshot _N_
      • For example:
        • Before the next time we meet, I will install VirtualBox, and I will prove I installed VirtualBox with a screenshot of what VirtualBox looks like after I’ve installed it.
        • -OR-
        • Before the next time we meet, I will get started on my next card, which is _XYZ_. I don’t know a lot about what’s involved with _XYZ_, so I will research the steps needed to get started with _XYZ_, and understand what it entails. I will prove I researched the steps needed to get started with _XYZ_ with a screenshot of the most useful Google result I found.
    • _Z_ cannot be so vague that you cannot describe what proof of completion will look like.
      • For example, this would not earn credit:
        • “Before the next time we meet, I will get started on the next card.”

Vacation Day (5%)

I plan to use a vacation day for the next meeting, and the next time I will be here is on _DAY_.

-OR-

I do not plan to use a vacation day and will be here for the next meeting.

Here are copies of all three meeting scripts:

Daily Meeting Vacation Days

Students get 5 vacation days, where they may skip the daily sync meeting, with no questions asked. To use a vacation day, the student must state that they plan to use a vacation day for the following Daily Sync Meeting.

Students that do not attend the daily meeting, and have not previously stated that they had planned on taking a vacation day, will receive no credit for that day.

Written Reports (10%)

Students are expected to develop professional written reports after completing the assigned Trello tasks. The report will illustrate the student’s work, in detail, and in such a way that a Systems Security student can easily understand and achieve the same results without any intervention from the author.

The report will include an executive summary, which will professionally convey high level points about their work to a non-technical audience. The report will also contain a table of contents, technical analysis, recommended mitigation, and contributing analysts sections. In addition to the report, students will submit a timeline of interesting events, in the form of an Excel spreadsheet.

Students will be provided templates to develop their weekly reports and timelines. Of note, the following infractions will automatically result in a grade of 0% for a given weekly paper:

  • The report includes one or more spelling errors.
  • The report includes one or more grammatical errors.
  • The executive summary is longer than one page.
  • The report is submitted after the official due date.
  • The report contains the passive voice.

The detailed report instructions can be found here.

Presentations (5%)

Students will present to the Systems Security class twice during the semester as a group. First, students will present the Cyber Kill Chain and explain how it can be used for network defense. Second, students will give a brief overview of their experience in Network Security and present a high-level packet capture analysis.

The dates of the presentations will be determined once the semester begins. The presentations should last 10-15 minutes each.

Lockdown Competition (5%)

Students will participate in running one of the Lockdown competitions during the semester (https://lockdown.ubnetdef.org/). The competition dates will be provided once the semester begins and will be held on a Saturday (usually 9am-5pm). Students will speak to the organizers from SecDev to discuss which positions are available.

Grading Policies

Course Component       Percentage of Final Grade
Daily Sync Meetings    60%
Task Slides            20%
Written Reports        10%
Presentations          5%
Lockdown               5%

Final Grade (X)        Final Letter Grade
X >= 90%               A
80% <= X < 90%         B
70% <= X < 80%         C
60% <= X < 70%         D
X < 60%                F

Office Hours

Office hours are dynamic, flexible, and provided on an as-needed basis. Students state a need to meet with an instructor during the daily sync meeting, and the instructor and student schedule a mutually agreeable time to meet on Zoom.

Any questions related to tasks should be asked in the Mattermost group chat rather than in private messages, as usually another student will either have the same question or a possible solution to it. Although the instructors are willing to help students troubleshoot technical issues they may have, students are expected to spend a reasonable amount of time researching the issue before contacting the instructors. Students are encouraged to search Google and the Linuxquestions.org forums for answers to questions they may have. Students are encouraged to collaborate and should also consult one another if they are stuck on a task.

Course Conduct

Academic Integrity

Students must conduct their coursework in a manner that does not violate the University at Buffalo’s Academic Integrity Policy. Students found in violation of the Academic Integrity Policy will receive an F for the course.

Ethics Policy

As a student in cyber security, you are learning tools and given resources that are meant to help protect yourself and others. However, these tools and resources can also be used in malicious or illegal ways. It is imperative that while you are a representative of this class, and even well after, you perform any security education or training strictly inside our internal environment or a controlled and contained environment that you have prepared for yourself. Any activity outside of our internal environment is outside of our control and protection. If you are not sure what you’re doing, it is very easy to do something illegal without even knowing you are (even something as simple as port scanning outside our internal network). If you are unsure whether something is allowed or not, contact one of the instructors or mentors. All network traffic inside our infrastructure will be monitored for malicious or suspicious activity and acted upon with severe consequences if such privileges are abused. You are being given an opportunity to learn; please do not waste it.