Course Outline: Defensive Cyber Operations (DCO)


The current and future demand for cyber security professionals outweighs the supply. Defensive Cyber Operations (DCO) staff to work in security operations centres around the globe are in short supply.

Defensive Cyber Operations is an essential course for technical staff in a DCO role. Over five days participants will learn about the technical environment, fundamental principles and the tactics, techniques, tools and procedures involved in DCO. On completing the course, participants will have the well-rounded knowledge and experience on which to build their abilities. Practical training is underpinned by theoretical education.

Learning Outcomes

Conduct basic Defensive Cyber Operations activities:

  • Conduct threat modelling.
  • Deploy network and host-based intrusion detection systems.
  • Identify malicious network and host-based activity.
  • Link malicious indicators of compromise to build an intelligence picture.
  • Classify intrusion intent and damage.
  • Apply DCO theory, methodology and frameworks to innovate defensive techniques.
  • Provide advice and briefings on threats to both technical and non-technical audiences.


The course is delivered on-site at Fifth Domain's training facility. Participants are required to bring their own laptop (BYOD) with Wi-Fi connectivity. All our labs are cloud-based, so participant laptops are not required to run virtual machines.


Prerequisites

  • 2-3 years working in IT or equivalent study
  • Networking: Intermediate
  • System administration: Basic
  • Programming: Nil
  • Data analysis: Basic


20-24 February 2017


$3,850 per person. Maximum 12 seats per course.


Please reserve your seat on the course by registering online at or by emailing:

Once registered, an invoice with payment options will be provided.

Course Program
Defensive Cyber Operations (DCO)

Day 1
Theoretical foundations

Information superiority

Network centric operations

Situational awareness & understanding - OODA loop

SOC capabilities - protection, collection & detection, analysis & reporting, response

Sensors - deployment and tasking

Fusion - normalization and aggregation

Analytics - signatures and queries

Presentation - visualization and dissemination

Network Fundamentals

TCP/IP model

Addressing - MACs, IPs, ports, hosts and domains

Protocols - TCP, UDP, ARP, DNS, NetBIOS, HTTP

Segmentation - VLANs, subnets, subdomains

Standards & taxonomies - CybOX, STIX, and TAXII

Observables, indicators, TTPs, targets

Cyber threat intelligence and STIX IOCs

TAXII feeds and SIEMs

Day 2
Detection: signatures and anomalies

Whitelisting vs blacklisting

IDS signatures and alerts

Traffic analysis - IPs, domains, timings, throughput

Log analysis - VPN, DNS, Web, etc.

Host activity and configuration - processes, connections, registry and file integrity monitoring

File analysis - cloud services, static and dynamic techniques

Analysis: verification and correlation

Associating observables - traffic, processes, binaries, logs, configurations

Modelling network and host activity

Writing, deploying and verifying signatures - IOCs, Snort rules, YARA rules


Written reports


Day 3
Threat modelling

Actors, targets & vectors

Discover, access, assure, leverage

Attack replication, simulation and automation

Protection: hardening and obfuscation

Application whitelisting

User and group privileges

Firewall rules

Collection: network & host

In-line taps, SPAN ports, traffic splitting

Full packet capture, network statistics, NetFlow

Host-based agents - deployment and configuration


Day 4
Individual challenges

Participants will deploy network and host-based intrusion detection systems within a simple network. They will then launch our automated attack package against the target network. The automated attack will generate network and host-based telemetry that participants will collect, analyse and characterise in order to produce a response and remediation plan.

Day 5
Team exercises

Just like the individual challenge, but bigger and in teams. This time teams of 5–8 people will be given the task of defending a medium-sized network (approx. 20 machines) against a barrage of different attacks. Participants will need to deal with the added complexity of automated end-user activity such as opening emails and browsing the Internet. Finally, participants will plan and execute incident response activities.