jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d0035721e3ffe60b86f081ad297fcf0b9dd7ae5
seclab/ASSESSMENT_RUBRICS.md

321 lines
14 KiB
Markdown
Raw Normal View History

initial commit
2026-05-28 18:27:41 -06:00
# ASSESSMENT RUBRICS
# Apophis Networking Cybersecurity Applied Lab
---
## MODULE-LEVEL ASSESSMENT RUBRIC
Each module (MOD0-MOD8) is assessed on the following criteria:
| Criterion | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|-----------|---------------------|---------------------|---------------------|--------------------------|
| **Technical Execution** | All labs completed flawlessly; goes beyond requirements with additional exploration | All required labs completed correctly; minor errors quickly corrected | Most labs completed; some troubleshooting issues requiring instructor help | Labs incomplete or significant errors unresolved |
| **Documentation** | Comprehensive notes with commands, screenshots, and analysis; publication-ready | Complete documentation with all required elements; minor formatting issues | Basic documentation present; missing some screenshots or command history | Incomplete or disorganized documentation |
| **Conceptual Understanding** | Demonstrates deep understanding; can explain "why" behind every action | Solid grasp of concepts; can articulate attack/defense tradeoffs | Surface-level understanding; follows instructions without full comprehension | Limited understanding; cannot explain what they did or why |
| **Troubleshooting** | Independently resolves all issues using logs, research, and critical thinking | Resolves most issues with minimal guidance; uses systematic approach | Struggles with troubleshooting; requires step-by-step instructor support | Cannot troubleshoot; gives up easily when errors occur |
| **Time Management** | Completes module in recommended timeframe or faster | Completes within 1.5x recommended time | Requires 2x+ recommended time | Does not complete within reasonable timeframe |
---
## MODULE 0: PREREQUISITES - ASSESSMENT
**Passing Criteria:** Must demonstrate proficiency in ALL prerequisite skills before proceeding.
### Linux CLI Fundamentals (25 points)
- [ ] Navigate filesystem (cd, ls, pwd) - 5 pts
- [ ] File permissions (chmod, chown, understanding rwx) - 5 pts
- [ ] Log analysis (grep, tail, awk on /var/log) - 5 pts
- [ ] User management (useradd, passwd, su) - 5 pts
- [ ] Process management (ps, top, kill) - 5 pts
### Windows Fundamentals (25 points)
- [ ] PowerShell cmdlets (Get-EventLog, Get-Service, Get-Process) - 10 pts
- [ ] Event Viewer navigation and filtering - 10 pts
- [ ] Identify critical Event IDs (4624, 4625, 4672) - 5 pts
### Networking Fundamentals (25 points)
- [ ] Subnetting calculations (hand calculation + verification) - 10 pts
- [ ] Ping/traceroute interpretation - 5 pts
- [ ] Understand TCP/IP stack and OSI model - 10 pts
### Virtualization (25 points)
- [ ] Create and restore VM snapshots - 10 pts
- [ ] Configure VM network modes (NAT, Bridged, Host-Only) - 10 pts
- [ ] Explain Type 1 vs Type 2 hypervisors - 5 pts
**TOTAL: 100 points**
**Pass Threshold: 80/100** (Students below 80 must remediate before MOD1)
---
## MODULE 1-5: CORE SKILLS - DETAILED RUBRICS
### MOD1: Secure Infrastructure Provisioning (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| Proxmox VLAN Configuration | 20 | Bridge is VLAN-aware; verified in /etc/network/interfaces |
| pfSense Deployment | 20 | VM created with correct specs; pfSense installed and accessible |
| VLAN Interface Creation | 20 | VLANs 200, 300, 400 created and assigned to interfaces |
| Firewall Rules | 25 | Red→Victim allowed; Victim→Red blocked; Victim→WAN blocked |
| Validation Testing | 15 | All 5 tests pass (connectivity, isolation, internet access) |
### MOD2: Reconnaissance & NTA (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| Nmap Scanning | 20 | Multiple scan types demonstrated (-sS, -sV, -A, -p-) |
| Service Enumeration | 20 | FTP, SMB, HTTP enumerated with appropriate tools |
| Wireshark Analysis | 25 | PCAP captured; SYN scan identified; TCP streams analyzed |
| Scan Type Identification | 15 | Can distinguish SYN vs Connect vs UDP scans in PCAP |
| Documentation | 20 | Comprehensive recon report with network diagram |
### MOD3: Exploitation & Post-Exploitation (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| Metasploit Exploitation | 25 | vsftpd and/or Samba successfully exploited |
| Meterpreter Usage | 20 | Post-exploitation commands executed (sysinfo, hashdump, etc.) |
| Manual Exploitation | 15 | vsftpd exploited without Metasploit (netcat method) |
| Privilege Escalation | 20 | Demonstrates at least 2 privesc techniques |
| Persistence | 10 | Establishes persistence via SSH keys or cron |
| Documentation | 10 | Attack chain documented with screenshots |
### MOD4: Defensive Monitoring (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| Security Onion Deployment | 20 | SO installed and sensors operational |
| Alert Detection | 25 | Can identify nmap scans and exploitation in alerts |
| Custom Rule Writing | 30 | Creates working Suricata/Zeek rule for specific attack |
| Log Analysis | 15 | Correlates Suricata alerts with Zeek conn logs |
| Documentation | 10 | Detection engineering notes with rule explanations |
### MOD4.5: SIEM Operations (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| KQL Query Mastery | 25 | Writes 10+ functional queries for threat hunting |
| Dashboard Creation | 25 | Builds custom Kibana dashboard with 5+ visualizations |
| Alert Tuning | 20 | Reduces false positives via threshold.config |
| Log Correlation | 20 | Links recon → exploit → post-exploit in timeline |
| Dashboard Integration | 10 | Exports data for React SOC dashboard |
### MOD5: Active Directory (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| AD Deployment | 20 | Domain Controller promoted; domain created |
| Domain Join | 10 | Windows 10 successfully joined to domain |
| Kerberoasting Attack | 30 | Captures service tickets; cracks with hashcat |
| Pass-the-Hash | 20 | Uses impacket for lateral movement |
| Defense Documentation | 20 | Explains how to detect each attack in logs |
---
## MODULE 6-8: ADVANCED TOPICS - RUBRICS
### MOD6: Incident Response (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| Disk Forensics | 25 | Acquires image; calculates hashes; analyzes with Autopsy |
| Memory Forensics | 25 | Captures dump; analyzes with Volatility; finds malicious process |
| Network Forensics | 20 | Reconstructs attack from PCAP; extracts transferred files |
| IR Report Writing | 20 | Follows NIST PICERL; includes timeline and IOCs |
| Remediation Plan | 10 | Provides actionable, prioritized recommendations |
### MOD7: Web Application Security (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| SQL Injection | 20 | Manual and SQLMap exploitation; data extracted |
| XSS Attack | 20 | Demonstrates reflected and stored XSS |
| Burp Suite Usage | 20 | Intercepts traffic; uses Repeater and Intruder |
| WAF Configuration | 20 | Deploys ModSecurity/Suricata rules to block attacks |
| Detection in SO | 20 | Creates KQL queries and detection rules for web attacks |
### MOD8: Threat Intelligence (100 points)
| Task | Points | Criteria |
|------|--------|----------|
| MITRE Mapping | 25 | Maps all MOD3 attacks to correct tactics/techniques |
| IOC Database | 20 | Creates structured IOC list (IP, hash, file, network) |
| Threat Hunting | 25 | Executes 3 hypothesis-driven hunts with results |
| Sigma Rules | 15 | Writes 2+ functional Sigma rules |
| Dashboard Update | 15 | Integrates MITRE coverage heatmap into React dashboard |
---
## CAPSTONE PROJECT: COMPREHENSIVE RUBRIC (200 points)
**Weight:** Equivalent to 2 modules
| Category | Max Points | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|----------|------------|---------------------|---------------------|---------------------|--------------------------|
| **Red Team Execution** | 50 | Novel TTPs; multi-stage campaign; perfect stealth | All required attack phases completed; good stealth | Basic attacks executed; some noisy techniques | Incomplete attack chain; easily detected |
| **Blue Team Detection** | 50 | Detects all phases; accurate attribution; timeline perfect | Detects most attacks; good forensic analysis | Detects initial access only; incomplete timeline | Fails to detect multiple attack phases |
| **Technical Documentation** | 40 | Publication-quality; comprehensive appendices | Complete with all required sections | Basic documentation; missing some elements | Incomplete or poorly organized |
| **Remediation Plan** | 20 | Detailed; cost-benefit analysis; prioritized; realistic | Actionable recommendations; reasonable priorities | Generic recommendations; no prioritization | Vague or unrealistic suggestions |
| **Dashboard Integration** | 20 | Fully functional; interactive; accurate data | Data integrated; basic visualizations | Partial integration; some errors | Dashboard not updated or broken |
| **Presentation** | 20 | Engaging; clear narrative; professional slides | Organized; covers all points; adequate slides | Basic presentation; some unclear points | Disorganized or incomplete presentation |
**TOTAL: 200 points**
**Capstone Grading Scale:**
- **180-200:** A (Exceptional - ready for professional SOC role)
- **160-179:** B (Strong - demonstrates competency)
- **140-159:** C (Acceptable - meets minimum standards)
- **120-139:** D (Needs improvement - remediation required)
- **<120:** F (Fails to demonstrate minimum competency)
---
## OVERALL COURSE GRADING SCHEME
### Point Distribution
| Component | Points | Percentage |
|-----------|--------|------------|
| MOD0 (Prerequisites) | 100 | 5% |
| MOD1 (Infrastructure) | 100 | 8% |
| MOD2 (Reconnaissance) | 100 | 8% |
| MOD3 (Exploitation) | 100 | 8% |
| MOD4 (Defensive Monitoring) | 100 | 8% |
| MOD4.5 (SIEM Operations) | 100 | 8% |
| MOD5 (Active Directory) | 100 | 8% |
| MOD6 (Incident Response) | 100 | 9% |
| MOD7 (Web App Security) | 100 | 9% |
| MOD8 (Threat Intelligence) | 100 | 9% |
| **CAPSTONE PROJECT** | 200 | 20% |
| **TOTAL** | **1200** | **100%** |
### Final Letter Grades
| Grade | Point Range | Percentage | Description |
|-------|-------------|------------|-------------|
| A | 1080-1200 | 90-100% | Exceptional mastery; ready for professional cybersecurity role |
| B | 960-1079 | 80-89% | Strong understanding; competent in most areas |
| C | 840-959 | 70-79% | Adequate knowledge; meets minimum standards |
| D | 720-839 | 60-69% | Below expectations; significant gaps in knowledge |
| F | <720 | <60% | Does not meet minimum competency for certification |
---
## SELF-ASSESSMENT CHECKLIST
Use this to gauge your readiness before final assessment:
### Red Team Skills
- [ ] Can perform network reconnaissance using nmap (multiple scan types)
- [ ] Can identify and exploit common vulnerabilities (FTP, SMB, web apps)
- [ ] Understands Metasploit Framework architecture (exploits, payloads, handlers)
- [ ] Can perform privilege escalation on Linux and Windows
- [ ] Can establish persistence mechanisms
- [ ] Can perform Active Directory attacks (Kerberoasting, PTH)
### Blue Team Skills
- [ ] Can deploy and configure Security Onion
- [ ] Can write custom Suricata and Zeek rules
- [ ] Can query logs using KQL (Kibana Query Language)
- [ ] Can perform disk forensics with Autopsy
- [ ] Can perform memory forensics with Volatility
- [ ] Can analyze PCAPs for attack indicators
### Analytical Skills
- [ ] Can map attacks to MITRE ATT&CK framework
- [ ] Can create and use IOCs for threat detection
- [ ] Can perform hypothesis-driven threat hunting
- [ ] Can write comprehensive incident response reports
- [ ] Can develop remediation plans with cost/benefit analysis
### Technical Writing
- [ ] Can document procedures clearly and reproducibly
- [ ] Can write executive summaries for non-technical stakeholders
- [ ] Can create technical diagrams (network maps, attack flows)
- [ ] Can follow professional report templates
### Soft Skills
- [ ] Can troubleshoot independently using logs and research
- [ ] Can manage time effectively across complex projects
- [ ] Can present technical findings to mixed audiences
- [ ] Can think critically about attack/defense tradeoffs
---
## REMEDIATION GUIDELINES
**If you score below 70% on any module:**
1. **Review Foundational Concepts:**
- Re-read module documentation
- Watch supplemental videos (Professor Messer, HackerSploit, IppSec)
2. **Hands-On Practice:**
- Repeat failed labs with detailed note-taking
- Try variations of the attack/defense technique
- Use TryHackMe or HackTheBox for additional practice
3. **Seek Clarification:**
- Document specific errors/confusion points
- Research error messages (Google, Stack Overflow, Reddit r/AskNetsec)
- Review relevant MITRE ATT&CK technique pages
4. **Re-Assessment:**
- Rebuild VMs from clean snapshots
- Attempt labs again without referring to previous notes
- Submit new lab report for re-grading
5. **Progress Criteria:**
- Must achieve 70% or higher on remediation attempt
- If still below 70%, one-on-one tutoring recommended
- Cannot proceed to Capstone without passing all modules
---
## CERTIFICATION RECOMMENDATION
Upon successful completion (C or higher), students are recommended for:
**Entry-Level Certifications:**
- CompTIA Security+ (if not already obtained)
- CompTIA CySA+ (Cybersecurity Analyst)
- CompTIA PenTest+ (Penetration Testing)
**Intermediate Certifications:**
- GIAC Security Essentials (GSEC)
- GIAC Certified Intrusion Analyst (GCIA)
- eLearnSecurity Junior Penetration Tester (eJPT)
**Advanced Certifications (with additional study):**
- Offensive Security Certified Professional (OSCP)
- GIAC Certified Incident Handler (GCIH)
- Certified Ethical Hacker (CEH)
**Students scoring A in Capstone** are well-prepared for OSCP-level challenges.
---
## INSTRUCTOR NOTES
### Grading Consistency
- Use this rubric for all students to ensure fairness
- Document any exceptions or accommodations
- Provide detailed feedback on point deductions
### Common Student Challenges
- **MOD0:** Underestimate importance; skip ahead (enforce prerequisite check)
- **MOD1:** VLAN tagging errors (most common troubleshooting issue)
- **MOD3:** Wrong LHOST IP (check this first when exploits fail)
- **MOD4:** Alert fatigue (teach tuning early)
- **Capstone:** Time management (enforce interim deadlines)
### Encouraging Excellence
- Highlight exceptional work as examples for future students
- Offer bonus points for creative attack/defense techniques
- Encourage publication of findings (blog posts, conference talks)
---
**END OF ASSESSMENT RUBRICS**
Reference in New Issue Copy Permalink