# ASSESSMENT RUBRICS

# Apophis Networking Cybersecurity Applied Lab

---

## MODULE-LEVEL ASSESSMENT RUBRIC

Each module (MOD0-MOD8) is assessed on the following criteria:

| Criterion | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|-----------|---------------------|---------------------|---------------------|--------------------------|
| **Technical Execution** | All labs completed flawlessly; goes beyond requirements with additional exploration | All required labs completed correctly; minor errors quickly corrected | Most labs completed; some troubleshooting issues requiring instructor help | Labs incomplete or significant errors unresolved |
| **Documentation** | Comprehensive notes with commands, screenshots, and analysis; publication-ready | Complete documentation with all required elements; minor formatting issues | Basic documentation present; missing some screenshots or command history | Incomplete or disorganized documentation |
| **Conceptual Understanding** | Demonstrates deep understanding; can explain "why" behind every action | Solid grasp of concepts; can articulate attack/defense tradeoffs | Surface-level understanding; follows instructions without full comprehension | Limited understanding; cannot explain what they did or why |
| **Troubleshooting** | Independently resolves all issues using logs, research, and critical thinking | Resolves most issues with minimal guidance; uses systematic approach | Struggles with troubleshooting; requires step-by-step instructor support | Cannot troubleshoot; gives up easily when errors occur |
| **Time Management** | Completes module in recommended timeframe or faster | Completes within 1.5x recommended time | Requires 2x+ recommended time | Does not complete within reasonable timeframe |

---

## MODULE 0: PREREQUISITES - ASSESSMENT

**Passing Criteria:** Must demonstrate proficiency in ALL prerequisite skills before proceeding.

### Linux CLI Fundamentals (25 points)

- [ ] Navigate filesystem (cd, ls, pwd) - 5 pts
- [ ] File permissions (chmod, chown, understanding rwx) - 5 pts
- [ ] Log analysis (grep, tail, awk on /var/log) - 5 pts
- [ ] User management (useradd, passwd, su) - 5 pts
- [ ] Process management (ps, top, kill) - 5 pts

### Windows Fundamentals (25 points)

- [ ] PowerShell cmdlets (Get-EventLog, Get-Service, Get-Process) - 10 pts
- [ ] Event Viewer navigation and filtering - 10 pts
- [ ] Identify critical Event IDs (4624, 4625, 4672) - 5 pts

### Networking Fundamentals (25 points)

- [ ] Subnetting calculations (hand calculation + verification) - 10 pts
- [ ] Ping/traceroute interpretation - 5 pts
- [ ] Understand TCP/IP stack and OSI model - 10 pts

### Virtualization (25 points)

- [ ] Create and restore VM snapshots - 10 pts
- [ ] Configure VM network modes (NAT, Bridged, Host-Only) - 10 pts
- [ ] Explain Type 1 vs Type 2 hypervisors - 5 pts

**TOTAL: 100 points**

**Pass Threshold: 80/100** (Students below 80 must remediate before MOD1)

---

## MODULE 1-5: CORE SKILLS - DETAILED RUBRICS

### MOD1: Secure Infrastructure Provisioning (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| Proxmox VLAN Configuration | 20 | Bridge is VLAN-aware; verified in /etc/network/interfaces |
| pfSense Deployment | 20 | VM created with correct specs; pfSense installed and accessible |
| VLAN Interface Creation | 20 | VLANs 200, 300, 400 created and assigned to interfaces |
| Firewall Rules | 25 | Red→Victim allowed; Victim→Red blocked; Victim→WAN blocked |
| Validation Testing | 15 | All 5 tests pass (connectivity, isolation, internet access) |

### MOD2: Reconnaissance & NTA (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| Nmap Scanning | 20 | Multiple scan types demonstrated (-sS, -sV, -A, -p-) |
| Service Enumeration | 20 | FTP, SMB, HTTP enumerated with appropriate tools |
| Wireshark Analysis | 25 | PCAP captured; SYN scan identified; TCP streams analyzed |
| Scan Type Identification | 15 | Can distinguish SYN vs Connect vs UDP scans in PCAP |
| Documentation | 20 | Comprehensive recon report with network diagram |

### MOD3: Exploitation & Post-Exploitation (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| Metasploit Exploitation | 25 | vsftpd and/or Samba successfully exploited |
| Meterpreter Usage | 20 | Post-exploitation commands executed (sysinfo, hashdump, etc.) |
| Manual Exploitation | 15 | vsftpd exploited without Metasploit (netcat method) |
| Privilege Escalation | 20 | Demonstrates at least 2 privesc techniques |
| Persistence | 10 | Establishes persistence via SSH keys or cron |
| Documentation | 10 | Attack chain documented with screenshots |

### MOD4: Defensive Monitoring (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| Security Onion Deployment | 20 | SO installed and sensors operational |
| Alert Detection | 25 | Can identify nmap scans and exploitation in alerts |
| Custom Rule Writing | 30 | Creates working Suricata/Zeek rule for specific attack |
| Log Analysis | 15 | Correlates Suricata alerts with Zeek conn logs |
| Documentation | 10 | Detection engineering notes with rule explanations |

### MOD4.5: SIEM Operations (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| KQL Query Mastery | 25 | Writes 10+ functional queries for threat hunting |
| Dashboard Creation | 25 | Builds custom Kibana dashboard with 5+ visualizations |
| Alert Tuning | 20 | Reduces false positives via threshold.config |
| Log Correlation | 20 | Links recon → exploit → post-exploit in timeline |
| Dashboard Integration | 10 | Exports data for React SOC dashboard |

### MOD5: Active Directory (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| AD Deployment | 20 | Domain Controller promoted; domain created |
| Domain Join | 10 | Windows 10 successfully joined to domain |
| Kerberoasting Attack | 30 | Captures service tickets; cracks with hashcat |
| Pass-the-Hash | 20 | Uses impacket for lateral movement |
| Defense Documentation | 20 | Explains how to detect each attack in logs |

---

## MODULE 6-8: ADVANCED TOPICS - RUBRICS

### MOD6: Incident Response (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| Disk Forensics | 25 | Acquires image; calculates hashes; analyzes with Autopsy |
| Memory Forensics | 25 | Captures dump; analyzes with Volatility; finds malicious process |
| Network Forensics | 20 | Reconstructs attack from PCAP; extracts transferred files |
| IR Report Writing | 20 | Follows NIST PICERL; includes timeline and IOCs |
| Remediation Plan | 10 | Provides actionable, prioritized recommendations |

### MOD7: Web Application Security (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| SQL Injection | 20 | Manual and SQLMap exploitation; data extracted |
| XSS Attack | 20 | Demonstrates reflected and stored XSS |
| Burp Suite Usage | 20 | Intercepts traffic; uses Repeater and Intruder |
| WAF Configuration | 20 | Deploys ModSecurity/Suricata rules to block attacks |
| Detection in SO | 20 | Creates KQL queries and detection rules for web attacks |

### MOD8: Threat Intelligence (100 points)

| Task | Points | Criteria |
|------|--------|----------|
| MITRE Mapping | 25 | Maps all MOD3 attacks to correct tactics/techniques |
| IOC Database | 20 | Creates structured IOC list (IP, hash, file, network) |
| Threat Hunting | 25 | Executes 3 hypothesis-driven hunts with results |
| Sigma Rules | 15 | Writes 2+ functional Sigma rules |
| Dashboard Update | 15 | Integrates MITRE coverage heatmap into React dashboard |

---

## CAPSTONE PROJECT: COMPREHENSIVE RUBRIC (200 points)

**Weight:** Equivalent to 2 modules

| Category | Max Points | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|----------|------------|---------------------|---------------------|---------------------|--------------------------|
| **Red Team Execution** | 50 | Novel TTPs; multi-stage campaign; perfect stealth | All required attack phases completed; good stealth | Basic attacks executed; some noisy techniques | Incomplete attack chain; easily detected |
| **Blue Team Detection** | 50 | Detects all phases; accurate attribution; timeline perfect | Detects most attacks; good forensic analysis | Detects initial access only; incomplete timeline | Fails to detect multiple attack phases |
| **Technical Documentation** | 40 | Publication-quality; comprehensive appendices | Complete with all required sections | Basic documentation; missing some elements | Incomplete or poorly organized |
| **Remediation Plan** | 20 | Detailed; cost-benefit analysis; prioritized; realistic | Actionable recommendations; reasonable priorities | Generic recommendations; no prioritization | Vague or unrealistic suggestions |
| **Dashboard Integration** | 20 | Fully functional; interactive; accurate data | Data integrated; basic visualizations | Partial integration; some errors | Dashboard not updated or broken |
| **Presentation** | 20 | Engaging; clear narrative; professional slides | Organized; covers all points; adequate slides | Basic presentation; some unclear points | Disorganized or incomplete presentation |

**TOTAL: 200 points**

**Capstone Grading Scale:**

- **180-200:** A (Exceptional - ready for professional SOC role)
- **160-179:** B (Strong - demonstrates competency)
- **140-159:** C (Acceptable - meets minimum standards)
- **120-139:** D (Needs improvement - remediation required)
- **<120:** F (Fails to demonstrate minimum competency)

---

## OVERALL COURSE GRADING SCHEME

### Point Distribution

| Component | Points | Percentage |
|-----------|--------|------------|
| MOD0 (Prerequisites) | 100 | 5% |
| MOD1 (Infrastructure) | 100 | 8% |
| MOD2 (Reconnaissance) | 100 | 8% |
| MOD3 (Exploitation) | 100 | 8% |
| MOD4 (Defensive Monitoring) | 100 | 8% |
| MOD4.5 (SIEM Operations) | 100 | 8% |
| MOD5 (Active Directory) | 100 | 8% |
| MOD6 (Incident Response) | 100 | 9% |
| MOD7 (Web App Security) | 100 | 9% |
| MOD8 (Threat Intelligence) | 100 | 9% |
| **CAPSTONE PROJECT** | 200 | 20% |
| **TOTAL** | **1200** | **100%** |

### Final Letter Grades

| Grade | Point Range | Percentage | Description |
|-------|-------------|------------|-------------|
| A | 1080-1200 | 90-100% | Exceptional mastery; ready for professional cybersecurity role |
| B | 960-1079 | 80-89% | Strong understanding; competent in most areas |
| C | 840-959 | 70-79% | Adequate knowledge; meets minimum standards |
| D | 720-839 | 60-69% | Below expectations; significant gaps in knowledge |
| F | <720 | <60% | Does not meet minimum competency for certification |

---

## SELF-ASSESSMENT CHECKLIST

Use this to gauge your readiness before final assessment:

### Red Team Skills

- [ ] Can perform network reconnaissance using nmap (multiple scan types)
- [ ] Can identify and exploit common vulnerabilities (FTP, SMB, web apps)
- [ ] Understands Metasploit Framework architecture (exploits, payloads, handlers)
- [ ] Can perform privilege escalation on Linux and Windows
- [ ] Can establish persistence mechanisms
- [ ] Can perform Active Directory attacks (Kerberoasting, PTH)

### Blue Team Skills

- [ ] Can deploy and configure Security Onion
- [ ] Can write custom Suricata and Zeek rules
- [ ] Can query logs using KQL (Kibana Query Language)
- [ ] Can perform disk forensics with Autopsy
- [ ] Can perform memory forensics with Volatility
- [ ] Can analyze PCAPs for attack indicators

### Analytical Skills

- [ ] Can map attacks to MITRE ATT&CK framework
- [ ] Can create and use IOCs for threat detection
- [ ] Can perform hypothesis-driven threat hunting
- [ ] Can write comprehensive incident response reports
- [ ] Can develop remediation plans with cost/benefit analysis

### Technical Writing

- [ ] Can document procedures clearly and reproducibly
- [ ] Can write executive summaries for non-technical stakeholders
- [ ] Can create technical diagrams (network maps, attack flows)
- [ ] Can follow professional report templates

### Soft Skills

- [ ] Can troubleshoot independently using logs and research
- [ ] Can manage time effectively across complex projects
- [ ] Can present technical findings to mixed audiences
- [ ] Can think critically about attack/defense tradeoffs

---

## REMEDIATION GUIDELINES

**If you score below 70% on any module:**

1. **Review Foundational Concepts:**
   - Re-read module documentation
   - Watch supplemental videos (Professor Messer, HackerSploit, IppSec)

2. **Hands-On Practice:**
   - Repeat failed labs with detailed note-taking
   - Try variations of the attack/defense technique
   - Use TryHackMe or HackTheBox for additional practice

3. **Seek Clarification:**
   - Document specific errors/confusion points
   - Research error messages (Google, Stack Overflow, Reddit r/AskNetsec)
   - Review relevant MITRE ATT&CK technique pages

4. **Re-Assessment:**
   - Rebuild VMs from clean snapshots
   - Attempt labs again without referring to previous notes
   - Submit new lab report for re-grading

5. **Progress Criteria:**
   - Must achieve 70% or higher on remediation attempt
   - If still below 70%, one-on-one tutoring recommended
   - Cannot proceed to Capstone without passing all modules

---

## CERTIFICATION RECOMMENDATION

Upon successful completion (C or higher), students are recommended for:

**Entry-Level Certifications:**

- CompTIA Security+ (if not already obtained)
- CompTIA CySA+ (Cybersecurity Analyst)
- CompTIA PenTest+ (Penetration Testing)

**Intermediate Certifications:**

- GIAC Security Essentials (GSEC)
- GIAC Certified Intrusion Analyst (GCIA)
- eLearnSecurity Junior Penetration Tester (eJPT)

**Advanced Certifications (with additional study):**

- Offensive Security Certified Professional (OSCP)
- GIAC Certified Incident Handler (GCIH)
- Certified Ethical Hacker (CEH)

**Students scoring A in Capstone** are well-prepared for OSCP-level challenges.

---

## INSTRUCTOR NOTES

### Grading Consistency

- Use this rubric for all students to ensure fairness
- Document any exceptions or accommodations
- Provide detailed feedback on point deductions

### Common Student Challenges

- **MOD0:** Underestimate importance; skip ahead (enforce prerequisite check)
- **MOD1:** VLAN tagging errors (most common troubleshooting issue)
- **MOD3:** Wrong LHOST IP (check this first when exploits fail)
- **MOD4:** Alert fatigue (teach tuning early)
- **Capstone:** Time management (enforce interim deadlines)

### Encouraging Excellence

- Highlight exceptional work as examples for future students
- Offer bonus points for creative attack/defense techniques
- Encourage publication of findings (blog posts, conference talks)

---

**END OF ASSESSMENT RUBRICS**