Lesson 1: Introduction to GCIA
1.1 Overview of GIAC & SANS
1.2 Purpose of GCIA Certification
1.3 Intrusion Analyst Role
1.4 Core Competencies Required
1.5 Certification Exam Format
1.6 Study Resources & Tools
1.7 Relation to Other Security Certifications
1.8 Ethical Responsibilities of Analysts
1.9 Job Roles & Career Pathways
1.10 Preparing a Study Plan
Lesson 2: Network Fundamentals Refresher
2.1 OSI & TCP/IP Models
2.2 Ethernet Frames
2.3 IPv4 Packet Structure
2.4 IPv6 Fundamentals
2.5 Common Protocols (TCP, UDP, ICMP)
2.6 Ports & Services
2.7 ARP & RARP
2.8 Encapsulation & Decapsulation
2.9 Broadcast vs Multicast vs Unicast
2.10 End-to-End Communication
Lesson 3: TCP/IP Deep Dive
3.1 TCP Handshake & Termination
3.2 TCP Flags & Control Bits
3.3 Sequence & Acknowledgment Numbers
3.4 TCP Options & Window Size
3.5 Common TCP Attacks
3.6 UDP Characteristics & Use Cases
3.7 ICMP Types & Codes
3.8 Fragmentation & Reassembly
3.9 IPv4 Header Analysis
3.10 IPv6 Header Extensions
Lesson 4: Traffic Analysis Basics
4.1 Role of Traffic Analysis in Security
4.2 Packet Captures (PCAP)
4.3 Hexadecimal & Binary Views
4.4 Wireshark Fundamentals
4.5 Tcpdump Usage & Syntax
4.6 Analyzing Layer 2 Data
4.7 Identifying Layer 3 Protocols
4.8 Flow vs Packet Analysis
4.9 Extracting Metadata
4.10 Documenting Findings
Lesson 5: Intrusion Detection Systems (IDS) Overview
5.1 IDS vs IPS
5.2 Network-based IDS (NIDS)
5.3 Host-based IDS (HIDS)
5.4 Detection Methodologies
5.5 Signature-based Detection
5.6 Anomaly-based Detection
5.7 Stateful Protocol Analysis
5.8 IDS Components & Architecture
5.9 Placement in Network
5.10 Limitations & Challenges
Lesson 6: IDS Signatures
6.1 Signature Components
6.2 Rule Syntax Basics
6.3 Header Fields in Signatures
6.4 Content Matching
6.5 Regular Expressions in IDS Rules
6.6 Rule Actions (alert, log, drop)
6.7 Writing Effective Rules
6.8 Testing Rules on PCAPs
6.9 Reducing False Positives
6.10 Signature Maintenance
Lesson 7: Snort Basics
7.1 Snort Architecture
7.2 Modes of Operation
7.3 Configuration Files
7.4 Snort Preprocessors
7.5 Rule Sets Overview
7.6 Community vs Paid Rules
7.7 Running Snort in Inline Mode
7.8 Logging and Alerts
7.9 Performance Considerations
7.10 Updating Snort
Lesson 8: Snort Advanced
8.1 Advanced Rule Options
8.2 Variables and Metadata
8.3 Flow Keywords
8.4 Stream Preprocessor Usage
8.5 Frag3 Preprocessor
8.6 HTTP Inspect Preprocessor
8.7 Writing Custom Preprocessors
8.8 Benchmarking Snort
8.9 Tuning for Enterprise Networks
8.10 Advanced Troubleshooting
Lesson 9: Suricata Overview
9.1 Suricata vs Snort
9.2 Multithreading Capabilities
9.3 Suricata Configuration Files
9.4 Rule Compatibility
9.5 JSON Outputs
9.6 EVE Logging
9.7 Suricata Performance Tuning
9.8 File Extraction Features
9.9 Threat Hunting with Suricata
9.10 Suricata Updates & Management
Lesson 10: Zeek (Bro) Overview
10.1 Zeek Architecture
10.2 Event-driven Detection
10.3 Zeek Scripting Language
10.4 Log Types in Zeek
10.5 Policy Scripts
10.6 File Analysis in Zeek
10.7 Zeek & Threat Hunting
10.8 ZeekCut Utility
10.9 Correlating Zeek with SIEM
10.10 Zeek in Enterprise Deployment
Lesson 11: Logs in Intrusion Analysis
11.1 Importance of Logs for Analysts
11.2 Syslog Fundamentals
11.3 Host Logs vs Network Logs
11.4 Windows Event Logs
11.5 Linux System Logs
11.6 Firewall Logs
11.7 IDS/IPS Logs
11.8 Log Normalization
11.9 Correlating Logs with PCAPs
11.10 Documenting Log Findings
Lesson 12: NetFlow & Metadata
12.1 Introduction to Flow Data
12.2 NetFlow vs sFlow vs IPFIX
12.3 Flow Collectors and Tools
12.4 Interpreting Flow Records
12.5 Identifying Scans with Flows
12.6 Detecting DDoS with Flow Analysis
12.7 Combining PCAP & Flow Data
12.8 Metadata Extraction Techniques
12.9 Common Flow Analysis Mistakes
12.10 Flow Data in Threat Hunting
Lesson 13: Network Reconnaissance Detection
13.1 Reconnaissance Phases of Attacks
13.2 Ping Sweeps
13.3 Port Scanning Techniques
13.4 Service Fingerprinting
13.5 IDS Signatures for Recon Activity
13.6 Detecting Nmap Patterns
13.7 Banner Grabbing Detection
13.8 Slow Scan Detection
13.9 Passive Reconnaissance Indicators
13.10 Recon Detection Best Practices
Lesson 14: Malware Traffic Analysis
14.1 Characteristics of Malware Traffic
14.2 Malware Command & Control (C2)
14.3 HTTP-based Malware Indicators
14.4 DNS Tunneling Malware
14.5 Malware using ICMP or UDP
14.6 File Download & Dropper Traffic
14.7 Beaconing Behavior
14.8 Obfuscation in Malware Traffic
14.9 Extracting Malware from PCAPs
14.10 Correlating with Sandbox Data
Lesson 15: DNS Traffic Analysis
15.1 DNS Protocol Overview
15.2 DNS Header Fields
15.3 Common DNS Queries & Responses
15.4 Detecting DNS Tunneling
15.5 Fast Flux & Domain Generation Algorithms (DGAs)
15.6 Malicious Subdomains Indicators
15.7 NXDOMAIN Patterns
15.8 Exfiltration via DNS
15.9 Tools for DNS Analysis
15.10 Case Study: DNS C2 Traffic
Lesson 16: HTTP Traffic Analysis
16.1 HTTP Request & Response Basics
16.2 HTTP Headers Overview
16.3 Detecting Malicious User-Agents
16.4 Suspicious HTTP Methods (PUT, TRACE)
16.5 Web Shell Indicators
16.6 SQL Injection in HTTP Traffic
16.7 XSS Indicators in HTTP Streams
16.8 File Upload/Download Detection
16.9 Correlating HTTP Logs with IDS Alerts
16.10 Case Study: Malicious HTTP Session
Lesson 17: SSL/TLS Analysis
17.1 SSL/TLS Protocol Basics
17.2 Handshake Process
17.3 Certificates & Keys
17.4 Identifying Weak Ciphers
17.5 Detecting SSL Downgrade Attacks
17.6 JA3 Fingerprinting
17.7 Malicious Encrypted Traffic Indicators
17.8 SSL/TLS Decryption Options
17.9 Passive TLS Analysis
17.10 Challenges with Encrypted Traffic
Lesson 18: Email Protocol Analysis
18.1 SMTP Protocol Overview
18.2 POP3 and IMAP Basics
18.3 Email Header Analysis
18.4 Spam Detection Indicators
18.5 Phishing Campaign Patterns
18.6 Malicious Attachments in Traffic
18.7 Business Email Compromise Detection
18.8 Identifying Email Spoofing
18.9 Correlating Email with IDS/AV
18.10 Case Study: Phishing Email Attack
Lesson 19: File Transfer Protocols
19.1 FTP Protocol Basics
19.2 TFTP Overview
19.3 Secure File Transfer (SFTP/SCP)
19.4 Anonymous FTP Detection
19.5 Cleartext Credential Risks
19.6 Detecting Malicious File Uploads
19.7 Covert Channels via FTP
19.8 File Exfiltration Indicators
19.9 Tools for File Transfer Analysis
19.10 Case Study: Data Exfiltration via FTP
Lesson 20: ICMP Traffic Analysis
20.1 ICMP Basics
20.2 Echo Request/Reply Detection
20.3 ICMP Destination Unreachable
20.4 ICMP Redirect Attacks
20.5 ICMP Tunneling Techniques
20.6 Ping of Death
20.7 Smurf Attack Detection
20.8 Malicious ICMP Usage Indicators
20.9 IDS Signatures for ICMP Traffic
20.10 Case Study: ICMP Data Exfiltration
Lesson 21: Intrusion Detection Evasion
21.1 Concept of IDS Evasion
21.2 Packet Fragmentation Techniques
21.3 Overlapping Fragments
21.4 TCP Session Splicing
21.5 Obfuscation in Payloads
21.6 Protocol Violations
21.7 Evasion via Non-standard Ports
21.8 Timing-based Evasion
21.9 IDS Limitations & Blind Spots
21.10 Defensive Countermeasures
Lesson 22: Advanced IDS Evasion
22.1 Polymorphic Shellcode
22.2 Metamorphic Malware Techniques
22.3 Encoding & Encryption in Payloads
22.4 Covert Channels
22.5 DNS and HTTP Tunnels
22.6 Encrypted C2 Communication
22.7 IDS Flooding & Alert Exhaustion
22.8 Traffic Normalization Tools
22.9 Detecting Advanced Evasion Attempts
22.10 Case Study: IDS Evasion in the Wild
Lesson 23: Command & Control Detection
23.1 C2 Architectures (Centralized, P2P)
23.2 Beaconing Behaviors
23.3 HTTP/S-based C2 Channels
23.4 DNS-based C2 Indicators
23.5 IRC & Legacy C2 Traffic
23.6 Domain Generation Algorithms (DGAs)
23.7 Detecting Fast-Flux Networks
23.8 Threat Intel for C2 Detection
23.9 C2 Correlation with Host Logs
23.10 Case Study: Botnet C2 Traffic
Lesson 24: Attack Vectors Overview
24.1 Attack Lifecycle (Kill Chain)
24.2 Reconnaissance Techniques
24.3 Weaponization Phase
24.4 Delivery Mechanisms
24.5 Exploitation Methods
24.6 Installation of Malware
24.7 C2 and Communication
24.8 Actions on Objectives
24.9 Mapping Vectors to Network Indicators
24.10 Attack Vectors vs Detection Points
Lesson 25: Exploits in Traffic
25.1 Understanding Exploit Payloads
25.2 Buffer Overflow Indicators
25.3 Exploit Kits in Network Traffic
25.4 Drive-by Download Detection
25.5 Shellcode Patterns
25.6 Heap Spraying Indicators
25.7 Web Application Exploit Traffic
25.8 Exploits Targeting Protocols
25.9 IDS Signatures for Exploits
25.10 Case Study: Exploit in PCAP
Lesson 26: DoS/DDoS Attacks
26.1 DoS vs DDoS Concepts
26.2 SYN Flood Detection
26.3 UDP Flood Indicators
26.4 ICMP Floods & Amplification
26.5 Reflection Attacks (NTP, DNS)
26.6 Application-layer DDoS
26.7 Botnet-driven DDoS
26.8 Traffic Patterns of DoS
26.9 Mitigation Strategies
26.10 Case Study: Large-Scale DDoS
Lesson 27: Insider Threat Detection
27.1 Insider Threat Categories
27.2 Unusual Login Behavior
27.3 Data Exfiltration Indicators
27.4 Misuse of Authorized Access
27.5 Email & File Transfer Monitoring
27.6 Privilege Escalation Indicators
27.7 Insider Collaboration with External Actors
27.8 Correlating Insider Activity with Traffic
27.9 Tools for Insider Threat Detection
27.10 Case Study: Insider Data Theft
Lesson 28: Web Attacks in Traffic
28.1 HTTP Exploits Overview
28.2 SQL Injection Traffic Indicators
28.3 Cross-site Scripting (XSS) in HTTP
28.4 Local File Inclusion (LFI) Detection
28.5 Remote File Inclusion (RFI) Detection
28.6 Directory Traversal Patterns
28.7 Web Shell Uploads
28.8 Brute Force Login Attempts
28.9 Application Layer DoS via HTTP
28.10 Case Study: Malicious Web Attack
Lesson 29: Credential Theft Detection
29.1 Credential Attacks Overview
29.2 Password Spray & Brute Force Indicators
29.3 Cleartext Password Exposure in Traffic
29.4 Kerberos-related Credential Attacks
29.5 NTLM Relay Detection
29.6 Credential Dumping Over the Network
29.7 Man-in-the-Middle Credential Theft
29.8 Credential Reuse Indicators
29.9 Tools for Detecting Credential Theft
29.10 Case Study: Password Exfiltration
Lesson 30: Endpoint Indicators in Network Data
30.1 Endpoint Detection via Traffic Patterns
30.2 Identifying Compromised Hosts
30.3 Endpoint Malware Communications
30.4 Abnormal DNS Requests from Hosts
30.5 Suspicious Outbound Connections
30.6 Lateral Movement Indicators
30.7 Beaconing to External IPs
30.8 Endpoint-to-Endpoint Suspicious Traffic
30.9 Correlation with Endpoint Logs
30.10 Case Study: Compromised Endpoint
Lesson 31: Security Monitoring Strategy
31.1 Role of Security Monitoring
31.2 SOC Structure and Functions
31.3 Monitoring Use Cases
31.4 Establishing Baselines
31.5 Key Metrics and KPIs
31.6 Continuous Monitoring Approaches
31.7 Monitoring Critical Assets
31.8 Detection Engineering Principles
31.9 Alert Prioritization
31.10 Documentation of Monitoring Processes
Lesson 32: SIEM Integration
32.1 What is a SIEM?
32.2 SIEM Architecture
32.3 Data Sources for SIEM
32.4 Normalization and Parsing
32.5 Correlation Rules in SIEM
32.6 Detecting Anomalies with SIEM
32.7 Use Case Development
32.8 Alerting and Dashboards
32.9 Integration with IDS and Logs
32.10 Case Study: SIEM-Driven Detection
Lesson 33: Threat Intelligence
33.1 Concept of Threat Intelligence
33.2 Types of Threat Intelligence (Strategic, Tactical, Operational, Technical)
33.3 Threat Feeds Overview
33.4 Indicators of Compromise (IOCs)
33.5 Using Threat Intelligence in IDS
33.6 Threat Intelligence Sharing Platforms
33.7 Threat Intelligence Lifecycle
33.8 Evaluating Threat Feed Quality
33.9 Threat Hunting with Threat Intel
33.10 Case Study: Threat Intelligence in Action
Lesson 34: Honeypots & Sandboxes
34.1 Honeypot Fundamentals
34.2 Types of Honeypots (Low, Medium, High Interaction)
34.3 Deploying Honeypots in Networks
34.4 Detecting Recon via Honeypots
34.5 Sandbox Basics
34.6 Malware Detonation in Sandboxes
34.7 Correlating Sandbox Output with Traffic
34.8 Threat Actor Behavior Insights
34.9 Ethical Use of Honeypots
34.10 Case Study: Honeypot-Captured Attack
Lesson 35: Incident Response Basics
35.1 Introduction to Incident Response
35.2 Incident Response Lifecycle
35.3 Preparation Stage
35.4 Identification Stage
35.5 Containment Strategies
35.6 Eradication and Recovery
35.7 Lessons Learned and Documentation
35.8 Role of Intrusion Analyst in IR
35.9 IR Communication and Escalation
35.10 Case Study: Network-Centric Incident
Lesson 36: Case Study - Real Intrusion
36.1 Introduction to Case Study Analysis
36.2 Attack Background
36.3 Initial Reconnaissance Evidence
36.4 Exploitation Traffic
36.5 C2 Communication Patterns
36.6 Data Exfiltration Detected
36.7 IDS and SIEM Alerts Triggered
36.8 Analyst Response Steps
36.9 Lessons Learned from the Intrusion
36.10 Defensive Improvements
Lesson 37: Case Study - Malware Infection
37.1 Malware Infection Overview
37.2 Initial Exploit Traffic
37.3 Malware Dropper Detection
37.4 C2 Beaconing Behavior
37.5 Malicious File Transfers
37.6 IDS and Flow Detection Points
37.7 Analyst Investigation Process
37.8 Host Forensics Correlation
37.9 Lessons Learned from Case Study
37.10 Strengthening Malware Defenses
Lesson 38: Case Study - Insider Data Theft
38.1 Background of Insider Case
38.2 Detection Triggers
38.3 Unusual File Transfer Analysis
38.4 Suspicious Email/FTP Traffic
38.5 Privilege Escalation Detected
38.6 Use of Covert Channels
38.7 Analyst Investigative Actions
38.8 Correlating with HR/Legal Teams
38.9 Lessons Learned from Insider Case
38.10 Policy and Monitoring Improvements
Lesson 39: Case Study - Web Attack
39.1 Web Attack Case Study Overview
39.2 Initial Reconnaissance in Logs
39.3 Exploit Delivery via HTTP
39.4 SQL Injection Attempt Analysis
39.5 Successful Exploitation Indicators
39.6 Malicious File Upload Detected
39.7 C2 Communication After Exploit
39.8 Analyst Response Activities
39.9 Lessons Learned from Web Attack
39.10 Web Application Security Improvements
Lesson 40: Case Study - DoS Attack
40.1 DoS Attack Overview
40.2 Initial Attack Indicators
40.3 Traffic Volume Analysis
40.4 SYN Flood Detection in PCAP
40.5 UDP/ICMP Flood Evidence
40.6 Reflection Amplification Patterns
40.7 Analyst Response to DoS
40.8 Collaboration with ISPs/CDNs
40.9 Lessons Learned from DoS Attack
40.10 Mitigation Strategy Improvements
Lesson 41: Performance Tuning IDS
41.1 Importance of Tuning IDS
41.2 Identifying False Positives
41.3 Signature Optimization
41.4 Whitelisting Trusted Traffic
41.5 Thresholding Techniques
41.6 Load Balancing IDS Sensors
41.7 Hardware & Resource Optimization
41.8 Fine-Tuning Preprocessors
41.9 Reducing Alert Fatigue
41.10 Continuous Tuning Process
Lesson 42: Scaling IDS Deployments
42.1 IDS in Small vs Large Networks
42.2 Distributed IDS Architecture
42.3 IDS Sensor Placement Strategy
42.4 Redundancy & Failover Designs
42.5 Clustering IDS Sensors
42.6 Centralized Log Collection
42.7 Cloud-based IDS Scaling
42.8 Handling High Throughput Traffic
42.9 Integration with SIEM at Scale
42.10 Case Study: Large Enterprise IDS
Lesson 43: Cloud Traffic Analysis
43.1 Cloud Network Models (IaaS, PaaS, SaaS)
43.2 IDS Challenges in Cloud Environments
43.3 Virtual IDS Solutions
43.4 AWS Traffic Monitoring Tools
43.5 Azure Traffic Monitoring Tools
43.6 GCP Traffic Monitoring Tools
43.7 Cloud-native Flow Logs (VPC, NSG)
43.8 Detecting Cloud Misconfigurations
43.9 Cloud Attack Indicators in Traffic
43.10 Case Study: Cloud Intrusion
Lesson 44: Container & Kubernetes Monitoring
44.1 Containers vs Virtual Machines
44.2 Kubernetes Networking Basics
44.3 IDS/IPS in Containerized Environments
44.4 Service Mesh Traffic Monitoring
44.5 East-West vs North-South Traffic
44.6 Detecting Lateral Movement in Containers
44.7 Kubernetes Audit Logs
44.8 Tools for Container IDS (Falco, Cilium)
44.9 Challenges in Microservice Detection
44.10 Case Study: Kubernetes Intrusion
Lesson 45: Encrypted Traffic Challenges
45.1 Encryption Adoption Trends
45.2 Visibility Gaps in Encrypted Traffic
45.3 SSL/TLS Inspection Pros & Cons
45.4 JA3 Fingerprinting for Encrypted Sessions
45.5 Metadata-based Detection
45.6 Machine Learning for Encrypted Traffic
45.7 Detecting Encrypted Malware C2
45.8 Regulatory & Privacy Concerns
45.9 Alternatives to Full Decryption
45.10 Case Study: Encrypted Attack
Lesson 46: Machine Learning in IDS
46.1 Introduction to ML in Security
46.2 Supervised Learning Approaches
46.3 Unsupervised Learning Approaches
46.4 Feature Engineering from Traffic
46.5 Training ML Models with PCAPs
46.6 Detecting Anomalies via ML
46.7 False Positive Reduction using ML
46.8 ML in Modern IDS Tools
46.9 Limitations of ML Approaches
46.10 Future of AI in Intrusion Detection
Lesson 47: Legal & Ethical Issues
47.1 Legal Responsibilities in Network Monitoring
47.2 Privacy Concerns in Traffic Capture
47.3 Data Protection Regulations (GDPR, HIPAA)
47.4 Consent & Authorization for Monitoring
47.5 Chain of Custody in Evidence Collection
47.6 Ethical Hacking vs Malicious Activity
47.7 IDS Logs as Legal Evidence
47.8 Compliance Frameworks for IDS
47.9 Corporate Monitoring Policies
47.10 Case Study: Legal Implications of IDS
Lesson 48: GCIA Exam Prep I - Core Concepts Review
48.1 TCP/IP Refresher
48.2 Protocol Headers Recap
48.3 IDS/IPS Fundamentals
48.4 Packet Capture Tools Summary
48.5 Signature Writing Basics
48.6 Traffic Analysis Quick Review
48.7 Common Attack Indicators
48.8 IDS Deployment Scenarios
48.9 Log Correlation Techniques
48.10 Memory Aids & Mnemonics
Lesson 49: GCIA Exam Prep II - Practice Drills
49.1 Sample Packet Capture Exercises
49.2 IDS Signature Writing Scenarios
49.3 Reconnaissance Detection Quiz
49.4 Malware Traffic Identification Drill
49.5 DNS & HTTP Case Scenarios
49.6 SSL/TLS Analysis Practice
49.7 DDoS Detection Challenge
49.8 Web Attack Traffic Review
49.9 Insider Threat Analysis Practice
49.10 Mock Exam Review Session
Lesson 50: GCIA Final Review & Strategy
50.1 Study Plan Finalization
50.2 Prioritizing Weak Areas
50.3 Practice Question Strategies
50.4 Time Management for the Exam
50.5 Troubleshooting Practice PCAPs
50.6 Reviewing Case Studies
50.7 Quick Reference Cheat Sheets
50.8 Exam-day Preparation Tips
50.9 Post-exam Certification Steps
50.10 Continuing Education After GCIA

![Legitimized [GIAC Certified Intrusion Analyst Certification (GCIA)] Expert - Led Video Course - MASTERYTRAIL](https://masterytrail.com/wp-content/uploads/2025/09/9cf11434-9321-4ba4-a44a-b15d91df3d1f.jpg)