NATO CCD COE TRAINING CATALOGUE 2015


Tallinn, 17th November 2014

© 2015 NATO CCD COE Training Catalogue
NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE)
12 Filtri tee, 10132 Tallinn, ESTONIA
[email protected]
www.ccdcoe.org


Foreword

With the 2015 offering, the NATO Cooperative Cyber Defence Centre of Excellence training programme continues its tradition of excellence. Our courses, trainings and workshops have been developed by reputable subject-matter experts and are designed for advanced levels of proficiency. This catalogue describes available courses covering a broad range of topics within the technical and legal cyber security domain. It has always been our aim to provide knowledge, methods, techniques, and best practices that empower the training audience to effectively cope with real-life cyber challenges.

To best meet the training needs of the Centre’s Sponsoring Nations and Contributing Participants as well as the whole North Atlantic Treaty Organization, we provide courses in different formats and locations. They are complemented with workshops, conferences, exercises and e-learning. This complete training inventory is a significant way in which the NATO Cooperative Cyber Defence Centre of Excellence advances its mission to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defence.

The participant feedback on the course programme has been immensely useful. We continue to take it into account and constantly improve our offerings. Therefore I hope that those attending courses in 2015 will find the material at least as interesting and relevant as their predecessors. Also, I encourage you to share your comments, ideas and suggestions.

Finally, I would like to express my gratitude to all those involved in the conduction of these training activities. Trainings can often be a complicated operation and I could not be prouder of the Centre staff and partners.

Artur Suzik
Director of NATO Cooperative Cyber Defence Centre of Excellence
Tallinn, Estonia


Contents

FOREWORD

INTRODUCTION

WHAT WE OFFER

IN-HOUSE COURSES
    INTERNATIONAL LAW OF CYBER OPERATIONS (ILOCOC)
    BOTNET MITIGATION (BMC)
    MALWARE AND EXPLOIT ESSENTIALS (MEXEC)
    CYBER DEFENCE MONITORING (CDMC)
    IT SYSTEMS ATTACK AND DEFENCE (ITSADC)
    NETWORK AND HOST FORENSICS (NHFC)
    INTRODUCTORY DIGITAL FORENSICS (IDFC)
    SMARTPHONE SECURITY AND FORENSICS (SSFC)
    IN-HOUSE COURSES CALENDAR

MOBILE COURSES

CYBER DEFENCE AWARENESS E-COURSE

LOCKED SHIELDS

WORKSHOPS
    RED TEAMING (RTW)
    LS15 RED TEAM PREPARATION (LS15RTPW)
    LS15 NETWORK TRAFFIC ANALYSIS (LS15NTAW)
    WORKSHOPS CALENDAR

CYCON

ADMINISTRATIVE ISSUES FOR IN-HOUSE COURSES AND WORKSHOPS
    REGISTRATION
    ENTRY TO ESTONIA
    ACCOMMODATION
    TRANSPORTATION
    GETTING TO THE HOTEL
    MEALS DURING THE COURSE/WORKSHOP
    DRESS CODE
    GENERAL COURSE SCHEDULE

GENERAL INFORMATION
    GETTING AROUND IN TALLINN
    LUNCH POSSIBILITIES NEAR THE NATO CCD COE
    CONTACT

ABOUT NATO CCD COE

ANNEX A. 2015 NATO CCD COE TRAINING CALENDAR

ANNEX B. STUDENT JOINING REPORT


Introduction

The NATO Cooperative Cyber Defence Centre of Excellence is committed to improving its training offerings to address a wide range of aspects of the ever-developing cyber domain. The programme for 2015 comprises 9 technical in-house courses, 2 legal in-house courses, 4 mobile technical courses, a mobile legal course, an e-Learning course, a technical cyber exercise, 4 hands-on workshops and an annual conference. These courses are set up as a resource for Sponsoring Nations (SNs) and Contributing Participants (CPs) of the Centre as well as NATO bodies. In addition to being educated, the participants can test their individual and collective cyber capabilities, share information and knowledge, and network with the international cyber defence community.

This catalogue provides the information needed to join our courses. It provides an overview of all scheduled activities for 2015 as well as the intended target audience, objectives and prerequisites. Please note that applicants for technical courses must meet the prerequisites listed. Instructions for applying to the courses are provided in this catalogue, as well as administrative information on logistical issues such as transportation, hotel booking, meals, etc.

Please be aware that some details of the training programme, in particular dates, may be subject to change. You are therefore advised to check the latest information on our web site: http://ccdcoe.org/events.html.


What we offer

In-house Classroom Training

An interactive learning experience. Our instructors deliver knowledge, cutting-edge techniques, and useful tips by combining expertly designed lectures with software demonstrations and hands-on sessions. Classes are held at NATO CCD COE facilities in Tallinn. During 2015, 10 technical and 2 legal courses are planned to be held in Tallinn:

- Botnet Mitigation Course. (2 iterations)
- Malware and Exploits Essentials Course. (2 iterations)
- Cyber Defence Monitoring Course. (2 iterations)
- Introductory Digital Forensics Course.
- IT Systems Attacks and Defence Course.
- Network and Host Forensics Course. (new)
- Smartphone Security and Forensics Course. (new)
- International Law of Cyber Operations Course. (2 iterations)

Mobile Training

The same quality content and instruction as our in-house training can also be delivered as mobile training. This is a convenient option, offering Sponsoring Nations and Contributing Participants an efficient way to train a group of personnel in a short time. During 2015, 4 technical courses and 1 legal course are planned to be held at the Centre’s member locations:

- Botnet Mitigation Course.
- Introductory Digital Forensics Course. (2 iterations)
- IT Systems Attacks and Defence Course.
- International Law of Cyber Operations Course.

e-Learning

The Centre complements its educational offerings by providing a “Cyber Defence Awareness e-Course”. This course is aimed at raising cyber defence awareness among a broad audience, such as NATO IT systems users. The e-Learning platform was chosen because it is the most efficient method of reaching a large audience, whilst being flexible and convenient for individual participation.


Exercises

“Learning by practicing”. Sponsoring Nations (SNs) and NATO bodies can check their cyber defence capabilities in a real-time network defence exercise, “Locked Shields”. Locked Shields gives SNs and NATO bodies a great opportunity to test their individual and collective cyber defence capabilities in a fictional scenario based on real-life events. Every year since 2010, the Centre has successfully organised “Locked Shields”, bringing together more than 300 subject matter experts from SNs, Contributing Participants, NATO bodies and other Partners, and challenging them to protect against highly advanced and innovative cyber attacks.

Workshops

The Centre also organises hands-on workshops for a collaborative learning experience focused on a specific hot topic. During 2015, 3 technical workshops are planned to be held in Tallinn:

- Locked Shields Red Team Preparation Workshop.
- Locked Shields Network Traffic Analysis Workshop.
- Red Teaming Workshop.

Conferences

Every year since 2009, the Centre has brought together more than 400 experts from all over the world in a conference (CyCon) to discuss cyber security topics from technical, legal, political, ethical, sociological and economic standpoints. This year’s topic, “Architectures in Cyberspace,” aims to approach what cyberspace is, what it will be in the coming years, and to identify its unifying and coherent traits.


In-house Courses

International Law of Cyber Operations (ILoCOC)

Location: Tallinn, Estonia.
Date (1st Iteration): 19-23 January 2015 / Registration deadline: 15 December 2014.
Date (2nd Iteration): 18-22 May 2015 / Registration deadline: 03 April 2015.
Course fee: 500 Euros (1 free slot per SN, CP and NATO bodies) / 400 Euros for students who do not attend Day 1

Overview

The 5-day Residential Course begins with an optional “tech-day” that introduces the technology involved in cyber operations, including internet structure, defensive and offensive tools and techniques, the feasibility of and challenges to technical attribution. Additionally, the introductory phase examines the place of cyber operations in the contemporary geopolitical environment.

The 4-day core of the course is divided into two blocks of study: 1) the peacetime international law governing cyber operations; and 2) the international humanitarian law that applies during armed conflict involving cyber operations. Each 1.5-day session concludes with a complex exercise that allows participants to apply the law addressed during lectures and discussion.

The peacetime law session deals with issues like sovereignty, jurisdiction, due diligence, the law of state responsibility, the prohibition of intervention, and finally, self-defence, in the cyberspace operations context. It will answer questions such as which cyber operations outside an armed conflict violate international law, when can states hack back, and when has a cyber armed attack occurred such that states may engage in self-defence.

The second 1.5-day session covers traditional international humanitarian law topics, such as classification of cyber conflict, the principle of distinction during cyber operations, and targetable and protected persons and objects in the cyber context. This session is taught from an operational legal advisor’s perspective, examining all necessary steps in a cyber targeting legal analysis.

The course is offered by the Centre in cooperation with the United States Naval War College and the University of Exeter. The lectures will be given by noted scholars and practitioners, including two co-authors of the Tallinn Manual, Professors Michael Schmitt (United States Naval War College and University of Exeter) and Wolff Heintschel von Heinegg (European University Viadrina). As such, attendees have a unique opportunity to discuss cyber legal matters with some of the most renowned scholars in the field. Participants will also receive a complimentary copy of the Tallinn Manual on the International Law Applicable to Cyber Warfare.

Objectives

Provide a practice-oriented survey of the international law applicable to cyber operations involving states that occur both in peacetime (Block 1) and armed conflict (Block 2). Block 1 answers questions such as which cyber operations outside an armed conflict violate international law, when can states hack back, and when has a cyber armed attack occurred such that states may engage in self-defence. Block 2 covers traditional international humanitarian law topics, and is taught from an operational legal advisor’s perspective, examining all necessary steps in a cyber targeting legal analysis. The course begins with an optional “tech-day”.

Target Audience

• Military and civilian legal advisors to the Armed Forces.
• Intelligence community lawyers.
• Other civilian attorneys in governmental security posts.
• Policy specialists who advise on cyber issues and wish to acquire a basic understanding of the applicable legal regimes.
• Legal scholars and graduate students.

Prerequisites

Prior knowledge of relevant international law is recommended, but not a prerequisite.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up-to-date course information on the NATO CCD COE website.


Botnet Mitigation (BMC)

Location: Tallinn, Estonia.
Date (1st Iteration): 09-13 February 2015 / Registration deadline: 29 December 2014.
Date (2nd Iteration): 06-10 July 2015 / Registration deadline: 25 June 2015.
Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

This training focusses on infiltration and mitigation of botnets. This very hands-on, 4.5-day intermediate course introduces state-of-the-art botnet concepts and teaches how the botnet threat can be countered. Since most modern botnets are designed as spyware, this course focusses on the detection of data exfiltration and modern IDS evasion techniques.

After an initial briefing on botnet concepts and structures, which also reflects the history of botnets and their role in cyber conflict, first practical examples of simple botnet structures are demonstrated and tested in practice. Because modern botnets usually hide their traffic by blending and encryption techniques, concepts of crypto breaking and polymorphic blending attacks are introduced and demonstrated on recently detected malware samples such as Operation Red October, Zeus and Zero Access Botnet.

Finally, once botnet activity has been detected, the challenge of botnet infiltration is a botnet takeover, which requires a detailed understanding of the command and control (C&C) functions implemented. In this course, we decode real botnet traffic and show the botnet C&C functionality by creating our own classroom botnet with the help of construction kits.

Objectives

The course demonstrates how modern botnets work. Attendees gain practical experience of how malware analysts work in a lab environment and how challenging the re-engineering process can be. During hands-on exercises, students learn the basic concepts of both data exfiltration and infiltration. The course focusses on dynamic analysis approaches such as applied black boxing and protocol re-engineering. In this course we work with real malware. Samples of existing botnets are analysed and obfuscation techniques are experienced with very challenging examples.

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) looking to get familiar with malware analysis and related topics.

Outline

• Botnet Introduction
• Re-Engineering overview
• Applied Black boxing
• State-of-the-art Malware self-protecting mechanisms
• Crypto-Breaking Introduction and Exercise
• Peer-2-Peer Botnets - Analysis and Mitigation
• Attacking Peer-2-Peer Botnets
• Peer-2-Peer Botnet Mitigation Exercise
• Advanced Persistent Threat & Cyber Espionage Campaigns
• Introduction into Intrusion Detection Systems
• Polymorphic Blending Techniques
• Exfiltration Exercise
• Botnet Creation Kits
• Command & Control with Remote Access Tools

Prerequisites

• Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment).
• Basic understanding of network traffic and malware.
• Able to use virtual machine technology (Virtual Box or similar).
• Experience with firewalls and network traffic analysis (Wireshark and similar tools).
• Basic understanding of assembler and higher programming languages (optional).
• Programming experience in assembler, C(++) or Python (optional).
• English language skill comparable to STANAG 6001, 3.2.3.2.

NB! Please be aware of the strong technical nature of this course; it is not intended for inexperienced IT security specialists.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up-to-date course information on the NATO CCD COE website.


Malware and Exploit Essentials (MExEC)

Location: Tallinn, Estonia.
Date (1st Iteration): 02-06 March 2015 / Registration deadline: 19 January 2015.
Date (2nd Iteration): 09-13 November 2015 / Registration deadline: 28 September 2015.
Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

The malware and exploit essentials course will provide cyber defenders with deep technical insights into the techniques modern malware uses to exploit vulnerabilities and to intrude into systems. Building on an introduction to modern OS features and analysis techniques, the course discusses and trains the use of debuggers, the most important tools for exploit research, as well as up-to-date methods for vulnerability detection such as fuzzing and code coverage.

Objectives

Once vulnerabilities have been found, there are different approaches to make use of them to exploit a system. The course will start by introducing basic exploitation methods like buffer and heap overflow techniques as well as more advanced ideas for both Windows and Linux systems (for the experts: ASLR, SEH/SEHOP, ROP, DEP etc. will be demonstrated and explained).

Since system security is mainly based on encryption technologies, modern crypto systems will also be explained, including aspects of crypto security and how intruders try to break them.

Another important topic in this course is software resilience: malware execution is always based on an unintended program flow redirection. This course will also show how code can be protected from being altered by introducing code morphing and obfuscation techniques.

Additionally, an overview of virtualisation techniques is planned. On the one hand, these help re-engineers to analyse malware as long as the malware is not aware it is being executed in a research environment; on the other hand, they bear the risk of malware escaping from the virtual environment, which has been seen before.

Target Audience

The target audience is exclusively technical staff of CERTs/CIRTs or other governmental or military entities involved in technical IT security or cyber defence.

Outline

• Introduction
    o Course Introduction
    o Malware and Exploits – basics and definitions
• Modern OS environment
    o creating a program
    o compilation, linking, shared libraries, sections of program
    o assembly introduction, AT&T vs. Intel syntax, endianness
• Debuggers
    o static and dynamic program analysis
    o getting info about binaries
    o introduction to the GDB debugger
• Finding bugs
    o Fuzzing
    o code coverage
    o fuzzing exercise
• Buffer overflows
    o concept of stack frame and local variables of function
    o buffer overflows without ASLR and NX techniques
    o Return-to-system and chaining
    o introduction to Immunity Debugger + exercise
    o generating shell code
• Heap overflows
    o exploitability of heap management
    o modern heap implementation
• Protective mechanisms and common exploitation ideas
    o Canaries, non-executable stack
    o ASLR, Position independent code
    o Sandboxing
• Linux exploitation in practice
    o Return-Oriented-Programming approach
• Windows exploitation in practice
    o Structured Exception Handler (SEH, SAFESEH, SEHOP)
    o Disabling DEP, permanent DEP
    o ASLR (brute forcing, non ASLR libs, Information Leakage + HEAP spraying)
    o Use-after-free exploits
• System Resilience
    o Control flow hijacking prevention
    o Code protection and obfuscation techniques

Prerequisites

• Sound knowledge of assembly-level programming.
• Sound knowledge of operating system details at process/library level on both Windows and Linux systems.
• English language skill comparable to STANAG 6001, 3.2.3.2.

NB! Please be advised of the strong technical nature of this course: this is not a course for beginners. Note that we most strongly discourage the participation of students who do not fulfil the aforementioned prerequisites, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendants in the audience is likely to hinder the overall progress of the course.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up-to-date course information on the NATO CCD COE website.


Cyber Defence Monitoring (CDMC)

Location: Tallinn, Estonia.
Date (1st Iteration): 25-27 March 2015 / Registration deadline: 09 February 2015.
Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

This course concentrates on a number of important Cyber Defence Monitoring techniques and solutions. We will focus on event logging and collection with the syslog protocol, the regular expression language and its applications to system/network monitoring, event correlation, and finally network intrusion detection and prevention. We will also discuss a number of open-source monitoring solutions, including the UNIX rsyslog package, Simple Event Correlator, and Snort IDS/IPS. Each module of the course consists of a presentation from the lecturer, followed by a hands-on session.

Objectives

Provide a detailed description and hands-on lab sessions on the following topics:

• event logging and collection with the syslog protocol,
• study of the regular expression language and its applications to system/network monitoring,
• the rsyslog server for advanced logging on the Linux platform,
• the syslog-ng log collection framework,
• event correlation and the Simple Event Correlator tool,
• network intrusion detection and prevention,
• the Snort IDS/IPS framework.

Target Audience

• Technical IT security staff in charge of the implementation of classified networks.
• Technical and IT managers who want to get an understanding of monitoring capabilities.

Not target audience:

• Experienced monitoring IT professionals are not the target audience for this course.

Outline

• Introduction to the syslog protocol and the UNIX rsyslog daemon.
• Introduction to the syslog-ng log collection framework.
• A study of the regular expression language.
• Introduction to event correlation and Simple Event Correlator.
• Simple Event Correlator -- advanced event correlation topics.
• Introduction to intrusion detection and prevention.
• Snort intrusion detection and prevention system.

Prerequisites

• Good understanding of TCP/IP networking and system administration.
• Recent everyday system administrator's work experience of at least 2 years in UNIX environments.
• Previous detailed knowledge of the following topics:
    o editing files with the vi editor,
    o work principles of UNIX operating systems and UNIX file system layout,
    o common UNIX shells (e.g., sh, bash),
    o common UNIX user tools (e.g., ls, ps, kill),
    o common UNIX system administration utilities (e.g., mount, shutdown).
• Previous programming experience is not required, but is helpful.
• English language skill comparable to STANAG 6001, 3.2.3.2.

NB! We most strongly discourage the participation of students who do not fulfil the aforementioned prerequisites, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendants in the audience is likely to hinder the overall progress of the course.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up-to-date course information on the NATO CCD COE website.


IT Systems Attack and Defence (ITSADC)

Location: Tallinn, Estonia.
Date: 31 August – 04 September 2015 / Registration deadline: 20 July 2015.
Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

IT Systems Attacks and Defence is a practical 5-day introductory course covering the methods and tools used by attackers to gain access to IT systems and the potential countermeasures to cope with those attacks. The course is built upon hands-on exercises. The tasks are mainly focused on the offensive side of IT security. The participants can try out several of the most common types of attacks on lab systems. During the missions the participants can take part in a so-called Capture the Flag competition; the winner is the first person who is able to capture the specific token from a vulnerable system.

For completing the missions, students will be provided with virtual machines based on Kali Linux. The majority of the tools used in the class are open-source or at least non-commercial. The vulnerable web applications are built using mostly PHP and MySQL. Our purpose is not to focus on details of specific technologies, but to explain the most common attack classes using popular and simple-to-understand solutions.

Objectives

The course gives an idea of how penetration testers and hackers think, practical work to develop imagination, and a sense of what it could mean to defend against them. The aim is to give the initial theoretical basics and needs, and an idea of where to read further. After that, the course members will immediately face hands-on tasks to solve, using the partly introduced and given tools. In this course the attendees can try in practice how pen-testers and hackers possibly work in a lab situation:

• Get introduced to the phases of a penetration test
    o Reconnaissance
    o Scanning and Enumeration
    o Gaining Access
    o Privilege Escalation
    o Lateral Movement
• Provide an overview of possible and common pen-testers' and attackers' tools
• Understand potential ways of reconnaissance
• Understand, see and do different ways of network scanning
• See and do different ways of network infrastructure attacks
• See and do different ways of DNS attacks
• See Memory Corruption vulnerabilities


• Explore Database security
    o How to conduct penetration tests against databases?
    o What are the easiest and most effective steps to be taken to defend a database?
• Explore Web Application Security
    o Main building blocks of web applications
    o Session management and authentication attacks
    o Injection attacks (SQL injection, OS command injection, File inclusion, Insecure file upload functionality)
    o Cross-site scripting
    o Cross-site request forgery
• See and do stealing credentials from Windows systems and using them to conduct Pass-the-Hash/Pass-the-Ticket attacks
• Conducting man-in-the-middle attacks
• Elaborating the security aspects of MSSQL and Oracle databases
• Using Metasploit Framework and existing exploit code against different targets
    o includes client-side attacks
• Exploiting vulnerabilities in custom-built web applications

Target Audience

The course has been designed for network and system administrators, and security specialists. In general the expected audience should consist of persons who have a good background in information technology, gained from university studies, practical experience or both. On the other hand, we expect that these individuals do not have the knowledge and good practical know-how about security problems of computer networks and applications. Professional security practitioners or penetration testers with years of experience are not the target audience of this course.

Outline

• Introduction of the lab environment. The basics of Kali Linux and Metasploit.
• Reconnaissance: sources and tools for gathering information about target networks.
• Network scanning: host discovery, TCP and UDP port scanning, operating system detection, vulnerability scanning, scanning in IPv6 networks, honeypots and tarpits.
• Enumeration: using DNS, SNMP and other protocols to identify potential vulnerabilities.
• Credential attacks: password guessing and cracking, how passwords are stored in Linux and Windows, hashing functions and identified vulnerabilities in them, Rainbow Tables, Pass-the-Hash, Pass-the-Ticket, Kerberos “Silver and Golden Ticket Attack”.
• Network infrastructure attacks and defence: MAC flooding, ARP spoofing, ICMP redirection, IP spoofing and fragmentation, VLAN hopping, leaking data over CDP, BGP hijacking; port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x.
• DNS security: DNS overview, DNS tunnelling, DNS rebinding, DNS snooping, cache poisoning attacks, DNSSEC.
• Memory corruption vulnerabilities: memory models, virtual memory, the heap and the stack, assembly essentials, GDB basics, program execution flow, smashing the stack, shell code basics, basics of Windows and Linux exploitation, memory protection mechanisms.
• Database security: participants will find answers to questions like:
  o How to conduct penetration tests against databases?
  o What are the easiest and most effective steps to be taken to defend a database?
  During the theoretical part, the phases of penetration testing against databases – scanning, discovery, brute forcing and gaining access, privilege escalation and critical data enumeration – will be analysed step by step. Participants will get practical tips and tricks on how to defend databases in an organisation.
• Various vulnerabilities: overview and practical tasks on the latest widespread vulnerabilities (2014: Heartbleed, Shellshock).
• Web Application Security:
  o Main building blocks of web applications.
  o Session management and authentication attacks.
  o Injection attacks:
    o SQL injection.
    o OS command injection.
    o File inclusion.
    o Insecure file upload functionality.
  o Cross-site scripting.
  o Cross-site request forgery.

Theoretical lectures are supported by a set of practical exercises. These expect the students to carry out different tasks such as:

• Using social engineering tools such as The Harvester or recon-ng for information gathering.
• Scanning small networks to find live hosts or machines with specific vulnerabilities.
• Using DNS enumeration to find interesting hosts, exploiting unprotected SNMP service for enumeration of information.
• Tunnelling arbitrary IP traffic over the DNS protocol in a restrictive environment.
• Guessing and cracking passwords.
• Stealing credentials from Windows systems and using them to conduct Pass-the-Hash/Pass-the-Ticket attacks.
• Conducting man-in-the-middle attacks (e.g. dissecting and sniffing SSL encrypted traffic) by using ARP spoofing in IPv4 networks and falsified Neighbour Advertisements in IPv6 networks.
• Elaborating the security aspects of MSSQL and Oracle databases.
• Using Metasploit Framework and existing exploit code against different targets. This includes client-side attacks.
• Exploiting vulnerabilities in custom-built web applications.

Prerequisites

• Ideally, students should have experience in administering Windows and Linux based systems, understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP, SNMP, SMTP), have some experience with web technologies (like HTML, PHP, JavaScript) and knowledge about relational database management systems (MySQL).
• Programming skills in any standard language would be helpful.
• English language skill comparable to STANAG 6001, 3.2.3.2. is required.
• Student’s workstation will be based on Kali Linux; therefore at least user-level knowledge of working with Linux systems is expected.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up to date course information on the NATO CCD COE website.


Network and Host Forensics (NHFC)

Location: Tallinn, Estonia. Date: 5-9 October 2015 / Registration deadline: 17 August 2015. Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

A 5-day course for forensics practitioners in which network monitoring and digital forensics techniques are explained and practically examined. The course provides a theoretical introduction to advanced network and host forensic methods, and also the opportunity to prove their effectiveness during hands-on investigations.

Objectives

The aim of the course is to exercise forensics practitioners' intrusion analysis abilities. A hands-on lab developed from real targeted attacks leads analysts through the challenges and solutions. They will identify where the initial targeted attack occurred and which systems were compromised. The workshop covers real-world use cases and works with the participants to implement them. This includes building and configuration of tools, creation of dashboards, guidelines and tips on processing pcaps, designing a system to scale, choosing hardware, and managing the lifecycle of network data captures.

• Understand the main goals of network and host forensics
• Provide an overview of network data analysis tools
• See and do setting up of the tools
• See and do network data analysis
• Do malware and attack traffic examination
• Provide an overview of memory and hard drive acquisition tools
• See and do computer memory acquisition
• See and do memory forensic analysis
• Create a super timeline, and know how to analyse output from timeline analysis
• Provide an overview of the Windows operating system artefacts
• Do analysis of Windows artefacts
• Provide an overview of anti-forensic techniques
• Detect anti-forensic techniques

Target Audience

Technical IT staff whose normal duties include forensic analysis, and those who would like to build efficient near real-time digital forensics solutions.

Outline

• Introduction
  o Overview of network forensics
  o Setting up tools
• Introduce and use tools (TCPDUMP, ElasticSearch, Kibana, BRO, Suricata, Moloch, …)
• Captured network data analysis
• Known malware traffic investigation
• Known attack traffic analysis
• Overview of the host forensics techniques
• Memory forensics
  o Memory acquisition process
  o Windows memory investigation
  o Linux memory investigation
• Timeline analysis
  o Super timeline
• Windows host investigation
  o Windows registry
  o Volume Shadow Copies
• Anti-forensic techniques detection
  o Time stomping
  o Data hiding

Prerequisites

• Please be advised about the strong technical nature of this course: this course is NOT for decision makers, leaders, or administrative personnel. It is a highly technical course of instruction designed for technicians that actively engage in hands-on digital forensic activities as part of their duties.
• English language skill comparable to STANAG 6001, 3.2.3.2. is required.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up to date course information on the NATO CCD COE website.


Introductory Digital Forensics (IDFC)

Location: Tallinn, Estonia. Date: 23-27 November 2015 / Registration deadline: 12 October 2015. Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

The course is targeted at technical IT staff in roles such as administrator, auditor, manager, etc., whose normal duties do not include forensic analysis. Experienced digital forensic staff doing forensics on a regular basis are not the target group and will receive only limited benefit from attending.

Objectives

• Provide an introduction into the field of digital forensics, touching upon terminology, methodology, chain of custody, legal considerations, authority of investigation;
• Introduce the main sources to search for evidence (assuming exclusively Windows hosts);
• Introduce and use primarily open source/free software (no EnCase, limited FTK) Linux- and Windows-based tools to show the students an example tool-set for conducting digital investigations;
• Provide exemplary experience in conducting forensic investigation through a number of hands-on sessions using a limited number of tools.
• Provide introduction to incident response.
• Give guidance and recommendations for the writing of reports
• Prepare course students for more in-depth forensics/reverse engineering training.

Target Audience

• Technical IT staff, working in the IT area in roles like administrator, auditor, etc., whose normal duties do NOT include forensic analysis, but who might be asked to support a forensic investigation. This course is introductory. Experienced digital forensic staff doing forensics on a regular basis are not the target group and will receive only limited benefit from attending.
• The managers of IT security staff, who want to get an understanding of what digital forensics is about and what it is capable of.
• Administrators or IT security staff who might be first responders to security incidents and want to secure evidence for later analysis, while no forensic staff is available.
• The CNO officer, who wants to get a feeling for how a forensic investigation is conducted.
• IT staff who need an initial skill set for conducting forensic investigations.

Outline

• Introduction to Digital Forensics
• Forensic process and workflow (theory)
  o Terminology, Methodology, Mindset, Note taking, Authority
• Evidence Acquisition block (theory+hands-on)
  o System description and verification
  o Different types of evidence and locations
  o Forensic software/hardware for evidence acquisition
  o Evidence handling
  o Acquisition process
• Analysis and legal issues (theory + hands-on)
  o Media analysis (file systems, listing, string/byte search, timeline, data recovery, carving, hashing, etc.)
  o Reporting
• Legal issues and report analysis (theory)
  o EU Data Protection Directive
  o Legal aspects of Digital Forensics
• Windows registry and other artefacts (theory+hands-on)
• Data carving and application fingerprinting (theory+hands-on)
• Internet activities focus (theory+hands-on)
  o (Browser, Email, Instant Messaging Forensics)
• Real-Case Study presentation by external DF Expert (working at Estonian Forensic Science Institute, EFSI)
• Malware whole day Hands-on (theory+hands-on)

Added Value

• IT staff without forensic knowledge can “understand” what digital forensics is about and what it is capable of, raising awareness and improving possible future support.
• Basic knowledge to ensure that evidence is not spoiled by the acquisition process and all available evidence is collected.
• Security awareness training for staff to understand the traces left behind on a system which can lead to intelligence gathered by others.
• Practicing forensic methods on the basis of prepared, exemplary exercises.

Prerequisites

• Basic understanding of computing;
• Good work/administration experience in the Linux and Windows environments, especially command line;
• Comfortable with using virtual machines for training environment (Virtual Box or similar).
• English language skill comparable to STANAG 6001, 3.2.3.2.

NB! This course will provide an overview and is not meant to provide an in-depth introduction of forensic methods or tools. One of the aims of this course is to help to prepare students for the more challenging reverse engineering training offered by the NATO CCD COE, the Botnet Mitigation Training.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up to date course information on the NATO CCD COE website.


Smartphone Security and Forensics (SSFC)

Location: Tallinn, Estonia. Date: 7-11 December 2015 / Registration deadline: 26 October 2015. Course fee: 300 Euros (free for SNs, CPs and NATO bodies)

Overview

This 5-day course provides IT specialists with an introduction into smartphone security and forensics as well as a good technical overview of challenges and solutions in countering threats from mobile devices. The course will focus mainly on Android and iOS mobile device platforms. It is built upon hands-on exercises, with the practical part using open-source or non-commercial tools for mobile phone analysis.

Objectives

The aim of the course is to explain the security issues which mobile phones bring to the organisation. Understanding how attackers exploit devices helps to find ways to secure them.

• Provide an overview of the mobile platform internals
• Introduce security features of the mobile platforms
• Understand signs and symptoms of mobile malware infection
• See and do mobile malware static analysis
• Understand how attackers exploit mobile phone weaknesses
• Learn to recognise weaknesses in mobile applications
• Conduct mobile device penetration test
• Understand mobile phone forensic process
• Explain different types of smartphone acquisition
• Understand how to preserve a mobile phone as evidence
• Understand SIM card security, do SIM card data analysis
• See and do SD card acquisition
• See and do Android mobile phone forensic analysis
• See and do iPhone forensic analysis

Target Audience

• This course is introductory.
• This course is for IT security managers, who want to get an understanding of what mobile device security is about and what it is capable of. In particular, it is for technical IT staff, working in the IT area in roles like administrator, auditor, etc., whose normal duties do NOT include smartphone security or smartphone analysis.
• This course is NOT for experienced staff doing smartphone pen testing or malware analysis on a daily basis; they will receive only limited benefit from attending.

Outline

• Mobile platform internals and security features
  o Android internals and security features
  o iOS internals and security features
• Smartphone penetration testing
• Smartphone malware analysis
  o Types of mobile malware, potentially unwanted applications
  o Signs and symptoms of mobile malware infection
  o Mobile malware detection
  o Static analysis of .apk file
• Smartphone forensics in general
  o Mobile phone forensic process
  o Smartphone handling and evidence preservation
  o Acquisition process – manual, logical file system, physical
• SIM card forensics
  o SIM card examination
  o SIM card security
• SD card analysis
  o SD card acquisition
• Android forensics
  o Android forensic acquisition methods
  o Android file system structures
  o Android analysis and evidentiary locations
• iOS forensics
  o iOS forensic acquisition methods
  o iOS file system structures
  o iOS evidentiary locations
  o Advanced decoding and traces of the user activity

Prerequisites

• Basic understanding of computing and mobile phone platforms;
• Good work experience in the Linux and Windows environments, especially command line;
• Comfortable with using virtual machines for training environment (Virtual Box or similar).
• English language skill comparable to STANAG 6001, 3.2.3.2. is required.

Registration

To register for the course, a completed Joining Report (Annex B) is to be sent to [email protected] before the deadline.

* Before the registration, please check the up to date course information on the NATO CCD COE website.


In-house Courses Calendar 2015

| Course | Date | Registration deadline | Venue | Remarks |
|---|---|---|---|---|
| International Law of Cyber Operations | 19-23.01.2015 | 22.12.2014 | Tallinn | €500 (1 free slot per Sponsoring Nation). €400 for students who do not attend Day 1 (tech) |
| Botnet Mitigation | 09-13.02.2015 | 31.12.2014 | Tallinn | |
| Malware and Exploits Essentials | 02-06.03.2015 | 19.01.2015 | Tallinn | |
| Cyber Defence Monitoring | 25-27.03.2015 | 09.02.2015 | Tallinn | Starts on Wednesday |
| International Law of Cyber Operations | 18-22.05.2015 | 03.04.2015 | Tallinn | €500 (1 free slot per Sponsoring Nation). €400 for students who do not attend Day 1 (tech) |
| Botnet Mitigation | 6-10.07.2015 | 25.06.2015 | Tallinn | |
| IT Systems Attacks and Defence | 31.08.-4.09.2015 | 20.07.2015 | Tallinn | |
| Network and Host Forensics | 5-9.10.2015 | 17.08.2015 | Tallinn | |
| Malware and Exploits Essentials | 9-13.11.2015 | 28.09.2015 | Tallinn | |
| Introductory Digital Forensics Course | 23-27.11.2015 | 12.10.2015 | Tallinn | |
| Smartphone Security and Forensics | 7-11.12.2015 | 26.10.2015 | Tallinn | |

Please be aware that the course dates may be changed until 3 months before the particular course. Before the registration check the course dates on the NATO CCD COE website. (http://ccdcoe.org/events.html)


Mobile Courses

During 2015, the Centre will deploy its trainers and training devices at the Centre’s member location(s) to provide 4 technical and 1 legal courses. Because of limited resources, NATO CCD COE can only provide 5 mobile courses during 2015: Botnet Mitigation, Introductory Digital Forensics (2 iterations), IT Systems Attacks and Defence, and International Law of Cyber Operations.

The objectives, target audience, outline and prerequisites of these courses are the same as those for the in-house courses described in the previous chapter.

Sponsoring Nations (SNs), Contributing Participants (CPs) and NATO bodies can request on-site course(s) delivered in national locations. The selection process will be conducted in accordance with criteria established by the NATO CCD COE Steering Committee. Registration will be managed by the course host nation. The course’s host nation can share slots with other SNs or CPs.


Cyber Defence Awareness e-Course

Overview

To complement the course offering, the Centre provides an online web-based course on cyber defence awareness. This course is open to all individuals from Sponsoring Nations, Contributing Participants and NATO, and it can be accessed through the NATO e-Learning Joint Advanced Distributed Learning Portal. The Cyber Defence Awareness e-Learning course aims to enhance the general user’s awareness of cyber security risks and measures to mitigate those risks.

Objectives

This course gives an introduction to general cyber security in order to aid familiarisation with attacks, terminology and defensive techniques. It gives an overview of the recent threat landscape.

Target Audience

The Cyber Defence Awareness e-course was developed with the goal of raising the awareness of the average user within the NATO community, covering the most relevant topics in the area. The training audience includes all users of NATO networks.

Outline

• general cyber security terminology and categorisation
• malware, viruses and spyware
• anti-virus software
• unauthorised system access and characteristics of a strong password
• identity theft and compromise of classified data
• risks regarding removable media
• phishing
• risks associated with emails (dangerous attachments, hoaxes, etc.)
• threats to and from mobile devices
• backing up systems and files
• file sharing and copyright issues
• the dangers of unsecured wireless networks
• desktop security
• social engineering and other human aspects
• disposal of information
• the risks of social networking

Prerequisites

Basic computer user skills.

Registration

The course can be accessed through the NATO e-Learning Joint Advanced Distributed Learning portal and is available to all users of the portal. Once registered, users may access the course by navigating to the “Centres of Excellence” -> “COE Cyber Defence” -> “Cyber Defence Awareness” course listing.


Locked Shields

Location: Tallinn and remote locations. Date: 20-24 April 2015.

Overview

Every year since 2010 the Centre has successfully organised “Locked Shields”, a multinational and technical cyber exercise which brings together more than 300 subject-matter experts from Sponsoring Nations (SNs), Contributing Participants (CPs), NATO bodies and other Partners, and challenges them to protect against highly advanced and innovative cyber attacks. Locked Shields is a real hands-on technical exercise where blue teams defend their systems, the red team attacks them and the white team scores the blue teams’ defence capabilities.

Objectives

The primary objective of the Locked Shields exercise is to test the individual and collective skills of IT specialists in preventing, detecting, responding to and reporting about full-scale cyber-attacks and, at the same time, to train legal advisors in technical aspects of cyber defence.

Target Audience

Technical and legal experts from SNs, CPs, NATO bodies and other Partners.

Outline

Blue team experts can test and check their defence methods, try new concepts and test the legal framework regarding cyber security. CCD COE will provide a detailed after action report which includes information on how the red team attacked the blue teams, which methods were successful and which were not.

Prerequisites

According to a Steering Committee decision, every nation participating with a Blue team has to support the exercise organisation with, as a minimum, 2 experts contributing to the Green, Red and/or White Team.

Registration

SNs, CPs, NATO bodies and Locked Shields Partners can request participation in the exercise as a national or joint blue team, and as a supporter of the red, green or white teams. The selection process will be conducted in accordance with criteria established by the NATO CCD COE Steering Committee. Registration will be managed by the “Locked Shields” Director.


Workshops

Red Teaming (RTW)

Location: Tallinn. Date: 26-28 January 2015 / Registration deadline: 15 December 2014.

Overview

Red Teaming Workshop is a 3-day hands-on workshop aimed at penetration testers working as a single united team, accomplishing the laid out mission goals and technical challenges in a virtualized cyber environment. The main focus is the development of tactical, stealthy execution skills in a responsive cyber defence scenario.

Objectives

• To train the skills and tactical approaches required by a Red Team in a Responsive Cyber Defence scenario.
• To improve the readiness and sophistication of Red Team members and their ability to deliver increased performance.

Target Audience

Sponsoring and partner nation governmental and national institutions, CERT teams, industry, and NATO NCIRC representatives.

Outline

The goal of the overall team is to follow the scenario and choose further action paths in order to gain initial access, and then escalate it to reach the overall mission goals and training objectives. Each sub team (e.g., network, client-side, web/database, and exploit development) is allocated to a specific area of expertise and is supervised by assigned members from CoE or supporting entities. Sub teams formed according to the participant skillset should include:

• Web and DMZ service attacks
• Client-side attacks
• Network service and infrastructure attacks
• Exploit development

Prerequisites

Participants are expected to have principal skills and expertise in network- and client-side based attacks, penetration testing and exploitation. Previous participation in technical cyber defence exercises is preferable. Previous Red Teaming experience will be considered an advantage.

Registration

A detailed participant profile list will be sent to the nations directly.


LS15 Red Team Preparation (LS15RTPW)

Location: Tallinn. Date: 29-30 January 2015 / Registration deadline: 15 December 2014.

Overview

The Locked Shields exercise has become a very challenging event for everyone involved, including more than 50 Red Team members. Therefore, any new members volunteering for the Red Team must go through a 2-day on-site workshop to get familiar with the "Locked Shields" specific Red Team approach, workflow and tooling.

Objectives

• To provide in-depth knowledge of Locked Shields technical environment and processes.
• To facilitate understanding of what is expected of a LS Red Team member.
• To train and test communication and team-working abilities.
• To identify existing skills for proper assignment into sub-teams (usually Client-side, Web, Net) and roles (technical, reporting or management)

WARNING: There is no "spoon feeding" - it is a full speed immersion into LS Red Team workflow and hands-on activities.

Target Audience

Technical and legal experts from Sponsoring Nations (SNs), Contributing Participants (CPs), NATO bodies and other Partners.

Outline

• LS essential collaboration tools
• LS exercise environment
• Roles and sub-teams
• LS scenarios, RT attack campaigns and objectives
• RT Workflow
• RT specific tools
• RT team working aspects
• Attacks and objective walkthroughs

Prerequisites

• good spoken and written English
• good technical skills (Red Team Leader will provide the requirements)

Registration

SNs, CPs, NATO bodies and Partners can request participation in the workshop. Registration will be managed by the Workshop Director.


LS15 Network Traffic Analysis (LS15NTAW)

Location: Tallinn. Date: 04-08 May 2015 / Registration deadline: 13 March 2015.

Overview

The Locked Shields technical environment is very complex and blue teams need an overview of network traffic to plan their strategy. This workshop will go through the network traffic from the exercise execution and find answers to blue team questions.

Objectives

Train network traffic analysts and provide an overview of what happened in the network during the execution.

Target Audience

Locked Shields Blue Team members and/or national representatives.

Outline

• Methods used to conduct network traffic analysis.
• Network traffic analysis performance.

Prerequisites

• The attendant must be a national or joint blue team member or national representative.
• The attendant must have sound knowledge about networking and data mining.

Registration

Sponsoring Nations, Contributing Participants, NATO bodies and Partners can request participation in the workshop. Registration will be managed by the Workshop Director.


Workshops Calendar 2015

| Workshop | Date | Registration deadline | Venue | Remarks |
|---|---|---|---|---|
| Red Teaming Workshop | 26.-28.01.2015 | 15.12.2014 | Tallinn | |
| Locked Shields LS15 Red-Team-Preparation Workshop | 29.-30.01.2015 | 15.12.2014 | Tallinn | Locked Shields 15 20-24.04.2015 |
| LS 15 Test-Run | 11-12.03.2015 | 19.02.2015 | Tallinn | Locked Shields 15 20-24.04.2015 |
| LS15 Network Traffic Analysis Workshop | 4-8.05.2015 | 13.03.2015 | Tallinn | Locked Shields 15 20-24.04.2015 |

Please be aware that the workshop dates may be changed until 3 months before the particular course. Before the registration check the course dates on the NATO CCD COE website. (http://ccdcoe.org/events.html)


CyCon

Location: Tallinn, Estonia. Date: 26-29 May 2015 / Registration deadline: 13 March 2015.

Overview

Every year since 2009, the Centre has brought together at CyCon more than 400 experts from all over the world to discuss cyber security topics from technical, legal, political, ethical, sociological and economic standpoints.

CyCon 2015 will focus on the construction of the Internet and its potential future development. 40 years ago, the main principles and foundations for the Internet were laid, and they have been used ever since. The “net” has been a tremendous success story and today it is much more than just a commodity. Looking at the figures (2.5 billion users today, 50 billion devices connected in 2020), one would think of the overwhelming influence that these technologies have and that we are only looking at the beginning of a revolution. Can the structures that we rely upon support the increasing demand and the different ways in which we want to use it? Human behaviours have changed, international politics has changed and our relationship to machines has changed. Therefore, this year’s topic, “Architectures in Cyberspace,” aims to approach what cyberspace is and will be in the coming years and to identify its unifying and coherent traits. Does it promise a shining future?

Objectives

CyCon is intended to provide a space for collective reflections on some of the most relevant and current issues in the cyber realm. It is an excellent opportunity to find out the state of the art in cyber technology, and to keep abreast of the latest advances in terms of cyber strategy, law and policy. It is also a good place for sharing information and keeping in touch with the international cyber community.

Target Audience

CyCon is addressed to a broad audience interested in some of the aspects that coexist within cyberspace. Technicians, strategists, sociologists, economists, journalists, lawyers, and so on, are welcome to participate.

Outline

• International cooperation – International relations
• Technical challenges/requirements
• Conflict in Cyberspace
• Regulation – standards
• Virtualisation

Prerequisites

There is no specific prerequisite to attend CyCon.

Registration

Registration to CyCon 2015 can be done through our web site www.ccdcoe.org. Registration will be open in spring 2015.


Administrative issues for in-house courses and workshops

Registration

To register for a particular training activity of this catalogue, please follow the instructions specified in the paragraph “Registration” placed in the corresponding description. Before the registration, please check the up to date information on the NATO CCD COE website.

Entry to Estonia

In 2014 there were several cases when members of Armed Forces of NATO CCD COE Sponsoring Nations arrived in Estonia without following Military Cooperation Act procedures. In order to have a better overview of the movement of foreign armed forces in the Republic of Estonia in accordance with the Military Cooperation Act, the Centre will pay more attention to the accuracy of the information provided. Below you can find more detailed information about entrance rules.

To enter Estonia, members of the armed forces (civilians and military component) must have with them a valid identification document – passport of the citizen of a given country or identity card of a member of the armed forces. Citizens of Member States of the European Union and the European Economic Area and of the Swiss Confederation are permitted to enter Estonia with their identity cards. In all cases, members of the armed forces must have on them an individual or collective movement order (travel order) in English, issued by an appropriate agency of the sending state or of NATO and certifying the status of the individual or group as a member or members of the armed forces and the movement ordered.

The International Military Cooperation Act prescribes that for arrival in Estonia a member of the armed forces of a foreign state or of the civilian component of the armed forces must have a permit which may be issued for single or multiple border-crossings. The grant of such a permit is decided by the Minister of Defence or an official authorised by the Minister of Defence. That permit constitutes the legal basis for stay in Estonia for members of the armed forces of foreign states or of civilian components of the armed forces.

NB! To receive a permit from the Minister of Defence, your sending institution must notify the NATO Cooperative Cyber Defence Centre of Excellence at least 2 weeks before the intended entry to Estonia via e-mail ([email protected]), with the following information:

1. copy of identification document;
2. copy of travel order (including the dates of the stay in Estonia);
3. title of the event (course/conference etc.) in which you intend to participate.

To ensure that the CCD COE receives this information, the course Joining Report can be accepted only from the national training point of contact.

On arrival at Tallinn Lennart Meri Airport, the Police and Border Guard Board representative will enter a notation in the person’s passport concerning the basis and time of stay in Estonia.

To enter Estonia, members of the private sector must have with them a valid identification document. Visa requirements for different countries are available at the Estonian Ministry of Foreign Affairs homepage http://vm.ee/en/taxonomy/term/41.

Accommodation

The most convenient accommodation we recommend for the students is the "Original Sokos Hotel Viru", which is located in the very centre of Tallinn within a few minutes walking distance from the old town and ca 20-25 minutes from the NATO CCD COE.

• The rate of a standard room for one person including breakfast: 66 € per night.
• The rate of a standard room for two persons including breakfast: 86 € per night.
• The rate of a superior room for one person including breakfast: 71 € per night.
• The rate of a superior room for two persons including breakfast: 91 € per night.

For bookings please contact:
E-mail: [email protected] or phone +372 6809 305 (Mon-Fri 09:00-17:00 local time) or
E-mail: [email protected] or phone: +372 6809 300 (24 hours)

*Special discount code for the booking: NATO CCD COE.

If you would like to make a booking in a different hotel, you can try http://www.booking.com, http://www.laterooms.com, or any other similar website.

Transportation

Transportation will only be organised between “Original Sokos Hotel Viru” and the NATO CCD COE. Unless otherwise instructed, transportation departs as follows:

• From the hotel: on Monday at 08:50 AM; and on Tuesday-Friday at 08:40 AM
• From the NATO CCD COE: on Monday-Thursday around 5:00 PM; and on Friday around 15:15

There is no transportation provided by the NATO CCD COE between the airport and the hotel.


Getting to the Hotel

Lennart Meri Tallinn International Airport is located about 4 km (2,5 miles) from the city centre. Transportation costs from the airport to the hotel are not covered by the NATO CCD COE. To reach your hotel you can use a taxi or public transportation.

By taxi: approximately 10.- EUR.

By bus: From the airport to “Original Sokos Hotel Viru” and/or the city centre, take bus no 2 from the bus stop located on the lower level of the Arrivals terminal and exit at the A.Laikmaa bus stop. Tickets can be bought from the bus driver when entering the bus or from the “R-Kiosk” that is located in the passenger terminal. More detailed information in this link.

Meals during the course/workshop

Two coffee breaks per day are provided free of charge by the NATO CCD COE during the course. It is possible to pre-register for lunch in the military canteen in the Joining Report. The cost of lunch is €5 per day (€25 per attendee for the whole week). Students who are interested in this opportunity have to pay for the lunch in advance by credit card or PayPal.

Dress code

There is no strict dress code: smart casual and uniform are accepted.

General course schedule

Day 1 - Day 4 (Monday – Thursday)
8:40 Bus from Original Sokos Hotel Viru to NATO CCD COE (Monday at 08:50 AM)
9:00 1st Session
10:30 Coffee Break
10:45 2nd Session
12:15 Lunch Break
13:30 3rd Session
15:15 Coffee Break
15:30 4th Session
17:00 Bus to the hotel
(Remark: an overview of the NATO CCD COE is given on the first day)

Day 5 (Friday)
8:40 Bus from Original Sokos Hotel Viru to NATO CCD COE
9:00 1st Session
10:30 Coffee Break
10:45 2nd Session
12:15 Lunch Break
13:30 3rd Session
15:15 Bus to the hotel and to the airport


General Information

Getting around in Tallinn

Please find below links to websites providing information you might need:

• Tallinn map
• Public transportation timetable
• Tallinn comprehensive overview
• Digital tour around Tallinn
• What to do
• Weather

Lunch possibilities near the NATO CCD COE


A. NATO CCD COE – Filtri tee 12
B. Hinkaali Maja – Jakobi 28. The menu is simple and specializes in khinkali (Georgian dumplings), but other meals are also on the menu.
C. Peetri Pizza – Odra 16. In addition to pizzas, different pancakes, hot bruschettas, soups and salads are served.
D. New York Pizza – Tartu mnt. 73. Specializes in pan pizzas, but wraps are also available.
E. Mac Bar-B-Que – Tartu mnt. 63. American-style BBQ restaurant that serves soups, salads, pastas, sandwiches, burgers, pizzas, grilled & BBQ meals.
F. Vana Villemi Pubi – Tartu mnt. 50. A cozy pub serving delicious meals and daily specials.
G. Seiklusjutte Maalt ja Merelt (Traveler’s Pub) – Tartu mnt. 44. A pub with a cozy and intimate atmosphere serving sandwiches, salads, soups, pastas, woks and daily specials.
H. Fahle Restaurant & Caffee – Tartu mnt. 84a. A stylish restaurant featuring a café where daily specials are served.
I. Food Court in Sikupilli Shopping Centre – Tartu mnt. 87
   • Basiilik – Italian-style restaurant serving food with a Mediterranean touch.
   • Hesburger – fast food restaurant chain serving burgers, salads and desserts.
J. Tallinn Central Bus Station Cafeteria – Lastekodu 46. A simple cafeteria serving simple meals: soups, main courses, sandwiches, pies and desserts.
K. Cafeteria of the Estonian Defence Forces HQ – Juhkentali 58

Contact

For more detailed information please contact [email protected]


About NATO CCD COE

The NATO Cooperative Cyber Defence Centre of Excellence is a NATO-accredited research and training facility dealing with education, consultation, lessons learned, research and development in the field of cyber security.

Our mission is to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation. Our vision is to be the main source of expertise in the field of cooperative cyber defence by accumulating, creating and disseminating knowledge in related matters within NATO, NATO nations and partners.

Membership at the Centre is open to all NATO nations, but cooperation projects are also conducted jointly with NATO partner countries, academia and the private sector. The Centre’s current Sponsoring Nations are Czech Republic, Estonia, France, Germany, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, United Kingdom and the USA. In addition, Austria has joined the Centre as a Contributing Participant. The organisation’s budget and personnel are composed of contributions from these nations.

The organisation is funded, directed and tasked by the multinational Steering Committee consisting of the representatives of the Sponsoring Nations. NATO does however task the Centre via Allied Command Transformation (ACT), and all products of the Centre are available to NATO nations unless restricted by the organisation requesting that product.

Becoming a Sponsoring or Contributing Nation gives a nation the possibility to contribute to and shape the understanding of cyber security in NATO and among NATO nations. Representatives of the Sponsoring Nations also receive premium access to the Centre’s products, trainings and events.

NATO Cooperative Cyber Defence Centre of Excellence
Filtri tee 12, Tallinn 10132, Estonia
Phone: +372 7176 800
E-mail: [email protected]
Web: www.ccdcoe.org


Annex A. 2015 NATO CCD COE Training Calendar


Annex B. Student Joining Report NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) Filtri tee 12, 10132 Tallinn, Estonia E-Mail: [email protected] Tel: +372 717 6800 Fax: +372 717 6308

STUDENT JOINING REPORT (will be accepted only from the national training Point of Contact)

Course
Name of the course:
Date:

Applicant data [1]
First Name:
Last Name:
ID/Passport Number:
Date of birth (DD/MM/YYYY):
Nationality:
Place of birth:
Former Visitor: ☐ Yes ☐ No ☐ Unknown
Service: ☐ Army ☐ Navy ☐ Air Force ☐ Civilian ☐ Marines ☐ Gendarmerie ☐ Other:
Military Rank:
NATO Grade:
Organisation:
Military Organisation:

Applicant contact data
Applicant Email:
Organisation Email:
Address:
City, Post Code:
Country [2]:
Phone:
Fax:

Logistics
Hotel [3]: ☐ Sokos Hotel Viru ☐ Other (please specify):
☐ Transportation is needed from Sokos Hotel Viru
Lunch [4]: ☐ Pre-register for the whole course (5 EUR per day) ☐ Individually

[1] The attendee’s personal information will be processed and stored in the NATO CCD COE data management system. Upon completion of the registration, a confirmation message containing detailed administrative information will be sent to the applicant.
[2] Three letter ISO code
[3] Transportation is provided by the centre ONLY from the Sokos Hotel Viru. A standard room (for one or two) is ca. 85 € per night (special price). Students are responsible for booking their own accommodation.
[4] Pre-registered students will be sent a PayPal/credit card payment link. A soup, a main dish and a dessert are included in the indicated price.
