ASSESSMENT RUBRICS
Apophis Networking Cybersecurity Applied Lab
MODULE-LEVEL ASSESSMENT RUBRIC
Each module (MOD0-MOD8) is assessed on the following criteria:
| Criterion | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|---|---|---|---|---|
| Technical Execution | All labs completed flawlessly; goes beyond requirements with additional exploration | All required labs completed correctly; minor errors quickly corrected | Most labs completed; some troubleshooting issues requiring instructor help | Labs incomplete or significant errors unresolved |
| Documentation | Comprehensive notes with commands, screenshots, and analysis; publication-ready | Complete documentation with all required elements; minor formatting issues | Basic documentation present; missing some screenshots or command history | Incomplete or disorganized documentation |
| Conceptual Understanding | Demonstrates deep understanding; can explain "why" behind every action | Solid grasp of concepts; can articulate attack/defense tradeoffs | Surface-level understanding; follows instructions without full comprehension | Limited understanding; cannot explain what they did or why |
| Troubleshooting | Independently resolves all issues using logs, research, and critical thinking | Resolves most issues with minimal guidance; uses systematic approach | Struggles with troubleshooting; requires step-by-step instructor support | Cannot troubleshoot; gives up easily when errors occur |
| Time Management | Completes module in recommended timeframe or faster | Completes within 1.5x recommended time | Requires 2x+ recommended time | Does not complete within reasonable timeframe |
MODULE 0: PREREQUISITES - ASSESSMENT
Passing Criteria: Must demonstrate proficiency in ALL prerequisite skills before proceeding.
Linux CLI Fundamentals (25 points)
- Navigate filesystem (cd, ls, pwd) - 5 pts
- File permissions (chmod, chown, understanding rwx) - 5 pts
- Log analysis (grep, tail, awk on /var/log) - 5 pts
- User management (useradd, passwd, su) - 5 pts
- Process management (ps, top, kill) - 5 pts
Windows Fundamentals (25 points)
- PowerShell cmdlets (Get-EventLog, Get-Service, Get-Process) - 10 pts
- Event Viewer navigation and filtering - 10 pts
- Identify critical Event IDs (4624, 4625, 4672) - 5 pts
Networking Fundamentals (25 points)
- Subnetting calculations (hand calculation + verification) - 10 pts
- Ping/traceroute interpretation - 5 pts
- Understand TCP/IP stack and OSI model - 10 pts
Virtualization (25 points)
- Create and restore VM snapshots - 10 pts
- Configure VM network modes (NAT, Bridged, Host-Only) - 10 pts
- Explain Type 1 vs Type 2 hypervisors - 5 pts
TOTAL: 100 points
Pass Threshold: 80/100 (Students below 80 must remediate before MOD1)
MODULE 1-5: CORE SKILLS - DETAILED RUBRICS
MOD1: Secure Infrastructure Provisioning (100 points)
| Task | Points | Criteria |
|---|---|---|
| Proxmox VLAN Configuration | 20 | Bridge is VLAN-aware; verified in /etc/network/interfaces |
| pfSense Deployment | 20 | VM created with correct specs; pfSense installed and accessible |
| VLAN Interface Creation | 20 | VLANs 200, 300, 400 created and assigned to interfaces |
| Firewall Rules | 25 | Red→Victim allowed; Victim→Red blocked; Victim→WAN blocked |
| Validation Testing | 15 | All 5 tests pass (connectivity, isolation, internet access) |
MOD2: Reconnaissance & NTA (100 points)
| Task | Points | Criteria |
|---|---|---|
| Nmap Scanning | 20 | Multiple scan types demonstrated (-sS, -sV, -A, -p-) |
| Service Enumeration | 20 | FTP, SMB, HTTP enumerated with appropriate tools |
| Wireshark Analysis | 25 | PCAP captured; SYN scan identified; TCP streams analyzed |
| Scan Type Identification | 15 | Can distinguish SYN vs Connect vs UDP scans in PCAP |
| Documentation | 20 | Comprehensive recon report with network diagram |
MOD3: Exploitation & Post-Exploitation (100 points)
| Task | Points | Criteria |
|---|---|---|
| Metasploit Exploitation | 25 | vsftpd and/or Samba successfully exploited |
| Meterpreter Usage | 20 | Post-exploitation commands executed (sysinfo, hashdump, etc.) |
| Manual Exploitation | 15 | vsftpd exploited without Metasploit (netcat method) |
| Privilege Escalation | 20 | Demonstrates at least 2 privesc techniques |
| Persistence | 10 | Establishes persistence via SSH keys or cron |
| Documentation | 10 | Attack chain documented with screenshots |
MOD4: Defensive Monitoring (100 points)
| Task | Points | Criteria |
|---|---|---|
| Security Onion Deployment | 20 | SO installed and sensors operational |
| Alert Detection | 25 | Can identify nmap scans and exploitation in alerts |
| Custom Rule Writing | 30 | Creates working Suricata/Zeek rule for specific attack |
| Log Analysis | 15 | Correlates Suricata alerts with Zeek conn logs |
| Documentation | 10 | Detection engineering notes with rule explanations |
MOD4.5: SIEM Operations (100 points)
| Task | Points | Criteria |
|---|---|---|
| KQL Query Mastery | 25 | Writes 10+ functional queries for threat hunting |
| Dashboard Creation | 25 | Builds custom Kibana dashboard with 5+ visualizations |
| Alert Tuning | 20 | Reduces false positives via threshold.config |
| Log Correlation | 20 | Links recon → exploit → post-exploit in timeline |
| Dashboard Integration | 10 | Exports data for React SOC dashboard |
MOD5: Active Directory (100 points)
| Task | Points | Criteria |
|---|---|---|
| AD Deployment | 20 | Domain Controller promoted; domain created |
| Domain Join | 10 | Windows 10 successfully joined to domain |
| Kerberoasting Attack | 30 | Captures service tickets; cracks with hashcat |
| Pass-the-Hash | 20 | Uses impacket for lateral movement |
| Defense Documentation | 20 | Explains how to detect each attack in logs |
MODULE 6-8: ADVANCED TOPICS - RUBRICS
MOD6: Incident Response (100 points)
| Task | Points | Criteria |
|---|---|---|
| Disk Forensics | 25 | Acquires image; calculates hashes; analyzes with Autopsy |
| Memory Forensics | 25 | Captures dump; analyzes with Volatility; finds malicious process |
| Network Forensics | 20 | Reconstructs attack from PCAP; extracts transferred files |
| IR Report Writing | 20 | Follows NIST PICERL; includes timeline and IOCs |
| Remediation Plan | 10 | Provides actionable, prioritized recommendations |
MOD7: Web Application Security (100 points)
| Task | Points | Criteria |
|---|---|---|
| SQL Injection | 20 | Manual and SQLMap exploitation; data extracted |
| XSS Attack | 20 | Demonstrates reflected and stored XSS |
| Burp Suite Usage | 20 | Intercepts traffic; uses Repeater and Intruder |
| WAF Configuration | 20 | Deploys ModSecurity/Suricata rules to block attacks |
| Detection in SO | 20 | Creates KQL queries and detection rules for web attacks |
MOD8: Threat Intelligence (100 points)
| Task | Points | Criteria |
|---|---|---|
| MITRE Mapping | 25 | Maps all MOD3 attacks to correct tactics/techniques |
| IOC Database | 20 | Creates structured IOC list (IP, hash, file, network) |
| Threat Hunting | 25 | Executes 3 hypothesis-driven hunts with results |
| Sigma Rules | 15 | Writes 2+ functional Sigma rules |
| Dashboard Update | 15 | Integrates MITRE coverage heatmap into React dashboard |
CAPSTONE PROJECT: COMPREHENSIVE RUBRIC (200 points)
Weight: Equivalent to 2 modules
| Category | Max Points | Excellent (90-100%) | Proficient (80-89%) | Developing (70-79%) | Needs Improvement (<70%) |
|---|---|---|---|---|---|
| Red Team Execution | 50 | Novel TTPs; multi-stage campaign; perfect stealth | All required attack phases completed; good stealth | Basic attacks executed; some noisy techniques | Incomplete attack chain; easily detected |
| Blue Team Detection | 50 | Detects all phases; accurate attribution; timeline perfect | Detects most attacks; good forensic analysis | Detects initial access only; incomplete timeline | Fails to detect multiple attack phases |
| Technical Documentation | 40 | Publication-quality; comprehensive appendices | Complete with all required sections | Basic documentation; missing some elements | Incomplete or poorly organized |
| Remediation Plan | 20 | Detailed; cost-benefit analysis; prioritized; realistic | Actionable recommendations; reasonable priorities | Generic recommendations; no prioritization | Vague or unrealistic suggestions |
| Dashboard Integration | 20 | Fully functional; interactive; accurate data | Data integrated; basic visualizations | Partial integration; some errors | Dashboard not updated or broken |
| Presentation | 20 | Engaging; clear narrative; professional slides | Organized; covers all points; adequate slides | Basic presentation; some unclear points | Disorganized or incomplete presentation |
TOTAL: 200 points
Capstone Grading Scale:
- 180-200: A (Exceptional - ready for professional SOC role)
- 160-179: B (Strong - demonstrates competency)
- 140-159: C (Acceptable - meets minimum standards)
- 120-139: D (Needs improvement - remediation required)
- <120: F (Fails to demonstrate minimum competency)
OVERALL COURSE GRADING SCHEME
Point Distribution
| Component | Points | Percentage |
|---|---|---|
| MOD0 (Prerequisites) | 100 | 5% |
| MOD1 (Infrastructure) | 100 | 8% |
| MOD2 (Reconnaissance) | 100 | 8% |
| MOD3 (Exploitation) | 100 | 8% |
| MOD4 (Defensive Monitoring) | 100 | 8% |
| MOD4.5 (SIEM Operations) | 100 | 8% |
| MOD5 (Active Directory) | 100 | 8% |
| MOD6 (Incident Response) | 100 | 9% |
| MOD7 (Web App Security) | 100 | 9% |
| MOD8 (Threat Intelligence) | 100 | 9% |
| CAPSTONE PROJECT | 200 | 20% |
| TOTAL | 1200 | 100% |
Final Letter Grades
| Grade | Point Range | Percentage | Description |
|---|---|---|---|
| A | 1080-1200 | 90-100% | Exceptional mastery; ready for professional cybersecurity role |
| B | 960-1079 | 80-89% | Strong understanding; competent in most areas |
| C | 840-959 | 70-79% | Adequate knowledge; meets minimum standards |
| D | 720-839 | 60-69% | Below expectations; significant gaps in knowledge |
| F | <720 | <60% | Does not meet minimum competency for certification |
SELF-ASSESSMENT CHECKLIST
Use this to gauge your readiness before final assessment:
Red Team Skills
- Can perform network reconnaissance using nmap (multiple scan types)
- Can identify and exploit common vulnerabilities (FTP, SMB, web apps)
- Understands Metasploit Framework architecture (exploits, payloads, handlers)
- Can perform privilege escalation on Linux and Windows
- Can establish persistence mechanisms
- Can perform Active Directory attacks (Kerberoasting, PTH)
Blue Team Skills
- Can deploy and configure Security Onion
- Can write custom Suricata and Zeek rules
- Can query logs using KQL (Kibana Query Language)
- Can perform disk forensics with Autopsy
- Can perform memory forensics with Volatility
- Can analyze PCAPs for attack indicators
Analytical Skills
- Can map attacks to MITRE ATT&CK framework
- Can create and use IOCs for threat detection
- Can perform hypothesis-driven threat hunting
- Can write comprehensive incident response reports
- Can develop remediation plans with cost/benefit analysis
Technical Writing
- Can document procedures clearly and reproducibly
- Can write executive summaries for non-technical stakeholders
- Can create technical diagrams (network maps, attack flows)
- Can follow professional report templates
Soft Skills
- Can troubleshoot independently using logs and research
- Can manage time effectively across complex projects
- Can present technical findings to mixed audiences
- Can think critically about attack/defense tradeoffs
REMEDIATION GUIDELINES
If you score below 70% on any module:
- Review Foundational Concepts:
  - Re-read module documentation
  - Watch supplemental videos (Professor Messer, HackerSploit, IppSec)
- Hands-On Practice:
  - Repeat failed labs with detailed note-taking
  - Try variations of the attack/defense technique
  - Use TryHackMe or HackTheBox for additional practice
- Seek Clarification:
  - Document specific errors/confusion points
  - Research error messages (Google, Stack Overflow, Reddit r/AskNetsec)
  - Review relevant MITRE ATT&CK technique pages
- Re-Assessment:
  - Rebuild VMs from clean snapshots
  - Attempt labs again without referring to previous notes
  - Submit new lab report for re-grading
- Progress Criteria:
  - Must achieve 70% or higher on remediation attempt
  - If still below 70%, one-on-one tutoring recommended
  - Cannot proceed to Capstone without passing all modules
CERTIFICATION RECOMMENDATION
Upon successful completion (C or higher), students are recommended for:
Entry-Level Certifications:
- CompTIA Security+ (if not already obtained)
- CompTIA CySA+ (Cybersecurity Analyst)
- CompTIA PenTest+ (Penetration Testing)
Intermediate Certifications:
- GIAC Security Essentials (GSEC)
- GIAC Certified Intrusion Analyst (GCIA)
- eLearnSecurity Junior Penetration Tester (eJPT)
Advanced Certifications (with additional study):
- Offensive Security Certified Professional (OSCP)
- GIAC Certified Incident Handler (GCIH)
- Certified Ethical Hacker (CEH)
Students scoring A in Capstone are well-prepared for OSCP-level challenges.
INSTRUCTOR NOTES
Grading Consistency
- Use this rubric for all students to ensure fairness
- Document any exceptions or accommodations
- Provide detailed feedback on point deductions
Common Student Challenges
- MOD0: Underestimate importance; skip ahead (enforce prerequisite check)
- MOD1: VLAN tagging errors (most common troubleshooting issue)
- MOD3: Wrong LHOST IP (check this first when exploits fail)
- MOD4: Alert fatigue (teach tuning early)
- Capstone: Time management (enforce interim deadlines)
Encouraging Excellence
- Highlight exceptional work as examples for future students
- Offer bonus points for creative attack/defense techniques
- Encourage publication of findings (blog posts, conference talks)
END OF ASSESSMENT RUBRICS