Cyber Defence

Contact information

For further information or to request a quotation, please contact the Professional Education Courses Unit on:

Enquiries Phone: 02 5114 5573

Enquiries Email:

In-house delivery

UNSW Canberra Professional Education Courses may be available for in-house delivery at your organisation's premises. In-house courses allow maximum attendance without the additional travel costs. Courses can be developed to suit the specific staff development and training needs of your organisation. Recommended for groups of 10 or more.

This course provides in-depth understanding of the techniques and policy used in computer and network defence. Cyber defenders learn the strategy and technical skills to protect and harden cyber systems, collect appropriate information through logging, detect attempted attacks, and respond to intrusions. Numerous cyber defence technologies and their effectiveness are discussed within this framework. This course will increase the competency of participants in building cyber resilience within an organisation.

Topics covered include:

  • Threat modelling
  • Network and host-based intrusion detection
  • Identifying malicious network and host-based activity
  • Linking malicious indicators of compromise to build an intelligence picture
  • Classifying intrusion, intent and damage
  • NSO theory, methodology and frameworks
  • Defensive techniques

Learning outcomes

On completion of this course, participants should be able to:

  • Conduct threat modelling.
  • Deploy network and host - based intrusion detection systems to identify malicious actors.
  • Link malicious indicators of compromise to build an intelligence picture.
  • Apply Network Security Operations (NSO) theory, methodology and frameworks to innovate defensive techniques.
  • Provide advice and briefings on threats to both technical and non - technical audiences.

Course Information

Day 1

Networking and Threat Modelling

Day 1 kicks off with a comprehensive introduction to Cyber Defence, The Information Environment and Network Centric Operations. Students will be introduced to ways of affecting the information environment, approaches to threat modelling, and will be stepped through examples of network attacks.


Situational awareness, Network Collection Value-Chain, Self-Synchronisation, Hardening, Obfuscation, Threat-Detected Protection, Anomaly Detection, Network Attacks.

Day 2


This session presents the concept of using protection techniques to proactively prevent or minimise the effect of a compromise or breach. Techniques covered include methods listed in the ASD Essential 8, architectural security design and vulnerability scanning.


User Application Hardening, Host-Based Hardening, Minimising Attack Surfaces, Linux Firewalls, Network Segmentation, Demilitarised Zones, LUN Masking, Encryption.

Day 3

Collection and Detection

Students will be introduced to collection methods such as the deployment and configuration of sensors, sensor data processing and aggregation for analysis. The session will also cover detection strategies, network and host based intrusion detection and honeypots.


Network Sensors, Fusion, IOCs and Signatures, Anomaly Detection, Security Onion Architecture, Open Threat Exchange, Honeypots.

Day 4 & Day 5

Incident Response

Day 4 & 5 will give an overview of orientation and investigation techniques. Students will understand how to make sense of observed information to assess the situation, identify indicators of compromise and the extent of threat activity. We will also cover how such indicators initiates incident response plans and look at writing, editing and proper formatting of intelligence reports.


Orientation, Investigation, Instigation, Association, Incident Response Planning, Intelligence Reporting.

This course maps to the following NICE Framework KSAs (Knowledge, Skills & Abilities):

K0041: Knowledge of incident categories, incident responses, and timelines for responses.

K0046: Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.

K0049: Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarised zones, encryption).

K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

K0106: Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities.

K0107: Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.

K0160: Knowledge of the common attack vectors on the network layer.

K0161: Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).

K0167: Knowledge of system administration, network, and operating system hardening techniques.

K0324: Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.

S0025: Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).

A0128: Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

What is the NICE Framework?

The National Initiative for Cybersecurity Education (NICE) Cyber Security Workforce Framework developed by the National Institute of Standards and Technology (NIST) establishes a taxonomy and common lexicon that describes cyber security work and job roles.

To find out more about the NICE Framework, go to:


Courses will be held subject to sufficient registrations. UNSW Canberra reserves the right to cancel a course up to five working days prior to commencement of the course. If a course is cancelled, you will have the opportunity to transfer your registration or be issued a full refund. If registrant cancels within 10 days of course commencement, a 50% registration fee will apply. UNSW Canberra is a registered ACT provider under ESOS Act 2000-CRICOS provider Code 00098G.

UNSW Institute for Cyber Security is a unique, cutting-edge, interdisciplinary research and teaching centre, working to develop the next generation of cyber security experts and leaders.

The centre is based in Canberra at the Australian Defence Force Academy and provides professional, undergraduate and post graduate education in cyber security. Our air-gapped, state of the art cyber range offers a secure environment where we deliver a number of technical and highly specialised learning opportunities.

Our courses are designed to give the next generation of cyber security professionals the skill sets needed to thrive in the industry. We can also create bespoke professional education programs tailored to your organisation's needs.

Contact us at to discuss how.