T3: Event Schedule & Logistics

[PREREQ, 10 min] Gain access to cluster and add it to ADX

Part 1: Understanding the Environment [1.5 hrs]

[5 min] Intro to Threat Intel
- Briefly mention attribution tools and techniques
- Diamond Model
- Kill Chain

[20 min] Kusto Query Language (KQL) 101
- Introduce tables, commands, and syntax for KQL in ADX browser
- where (has, contains, has_any, ==, etc…)
- count
- take
- let

[10 min] How To Cluster Observed Adversary Activity

[45 min] Scenario 1: Cyber Investigation Introduction

[10 min] Debrief

Break [10 min]

Part 2: Catch the Hacker [1.5 hrs Including One Bonus Activity]

[5 min] Introduction and High Level Overview of Workshop

[30 min] Scenario 2: Catch the Hacker

[10 min] Debrief

(Choose one bonus activity to finish session if time allows)

Option 1: Phishy Activity

Option 1
[5 min] Bonus 1: Phishy Activity

[30 min] Scenario 3: Hackers Sending Malware Docs

  • Free Time to Hunt

[10 min] Debrief & Close Session

Option 2: Truth or Misinformation

Option 2
[5 min] Introduce Blog Analysis (for more advanced audiences)

[30 min] Scenario 3: Truth or Misinformation

  • Free Time to Hunt & Analyze Blog

[10 min] Debrief & Close Session

Option 3: Security Jeopardy

Option 3
[5 min] Introduce Security Jeopardy [30 min] Play game

  • Up to instructor on what format to do this in. Could have students play in Scoreboard on their computers and set a timer to see who has the highest points at the end, this would be an ‘open internet’ quiz. Or use a jeopardy generator to feed in questions for a more knowlegable audience, keep in mind though the other parts of this workshop do not teach these terms already (best to play with an audience that has prior knowledge of cybersecurity terms in a live session) .

[10 min] Debrief & Close Session

Checklist

Here are all the things your students will need:

Here are some things that you may also need:

Setting Up the Scoreboard

To access the KC7 scoreboard, go to this website: https://kc7.azurewebsites.net . You will need to log in using the credentials sent to you in an email after you filled out the form to host a session. If you are not hosting a session, you can create an account to log in.

If you’re managing a session, you should already be added to the game session for your group. You’ll see it on your dashboard when you log in. To join the session, just click the “join this game” button.

You will also need to add questions or challenges for the game participants to answer to score points. To do so:

Additional Resources

KC7 Github Repo: https://github.com/kkneomis/kc7
KC7 Website: https://kc7cyber.com/#demos


You did it!
Workshop completed!