SOC Analyst Course Content v3
www.infosectrain.com | [email protected]
SOC ANALYST - TRAINING
LEARNING PATH
Objective
Our Certified SOC Training Program will help you master trending and in-demand technical skills. The program starts with intermediate-level cybersecurity concepts and then proceeds to advanced forensics, threat intelligence, and Security Information and Event Management (SIEM) solutions. Infosec Train's SOC Training Course provides cybersecurity professionals with advanced security skills and certification. The training program will allow you to:
Why Certified SOC Analyst?
SOC Analyst certification serves as a launchpad for developing security professionals, and demand for it is continuously increasing in the industry. The Certified SOC Analyst certification will not only enhance your knowledge of various SOC operations but will also:
• Help you showcase your skills and working experience for the SOC Analyst job position
• Keep you updated with the latest skills necessary for L1/L2/L3 SOC Analyst job positions
Prerequisite
Prior knowledge of basic networking, operating system basics, and troubleshooting is recommended.
Target Audience
Technical Support Engineers
System Administrators
Security Consultants
SOC ANALYST
TOOLS
• GoPhish
• Volatility
• Dirbuster
• Sqlmap
• Splunk Enterprise
• Maltego
• OSSIM
• KeepNote
• Wireshark
• Burp Suite
• Hashcat
• HashCalc
• SysInternals suite
• FTK Imager
Domain 1: Security Operations Centre
Introduction to SOC
• Building a successful SOC
• Functions of SOC
• Heart of SOC - SIEM
• Gartner's Magic Quadrant
• SIEM guidelines and architecture
AlienVault OSSIM fundamentals
• AlienVault fundamentals, architecture and deployment
• Vulnerability scanning & monitoring with OSSIM
Introduction to QRadar
• IBM QRadar SIEM component architecture and data flows
• Using the QRadar SIEM User Interface
ELK Stack:
• Introduction and an overview of Elastic SIEM
• User interface
Domain 2: Digital Forensics
1: Introduction to Digital Forensics
• Section Introduction
• What is Digital Forensics?
- Collecting evidence typically related to cybercrime
• Digital Subject Access Requests
• Computer Forensics Process
- Identification, Preservation, collection, examination, analysis, reporting
• Working with Law Enforcement
- The difference between an internal security issue and one that requires external assistance
3: Evidence Forms
• Section Introduction
• Volatile Evidence
- Memory (RAM), cache, register contents, routing tables, ARP cache, process table, kernel statistics, temporary file system/swap space
• Disk Evidence
- Data on Hard Disk or SSD
• Network Evidence
- Remotely Logged Data, Network Connections/Netflow, PCAPs, Proxy logs
• Web & Cloud Evidence
- Cloud storage/backups, chat rooms, forums, social media posts, blog posts
• Evidence Forms
- Laptops, desktops, phones, hard drives, tablets, digital cameras, smartwatches, GPS
4: Chain of Custody
• Section Introduction
• What is the Chain of Custody?
• Why is it Important?
- In regard to evidence integrity and examiner authenticity
• Guide for Following the Chain of Custody
- evidence collection, reporting/documentation, evidence hashing, write-blockers,
working on a copy of original evidence
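Evidence hashing, working on a verified copy, and keeping a custody record are the three steps that make the chain of custody defensible. The following is an added example, not part of the course material: it hashes a constructed disk image in chunks (so real multi-gigabyte images never have to fit in memory), makes a working copy, verifies the copy against the original digest, logs each handling step, and then shows that an accidental write to the copy is caught on re-verification. The case identifier, examiner name and image bytes are all made up for the demonstration.

```python
"""Evidence hashing and chain-of-custody log for a disk image.

Added example (not course material). Demonstrates: hash the original before
touching it, work only on a verified copy, record every handling step, and
re-verify later. The image bytes, case id and handler names are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images do not load into RAM


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file opened read-only (never open evidence for writing)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, when, and its digest."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, handler: str, action: str, item: Path, digest: str) -> dict:
        entry = {
            "case_id": self.case_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler,
            "action": action,
            "item": item.name,
            "sha256": digest,
        }
        self.entries.append(entry)
        return entry

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire_working_copy(original: Path, workdir: Path, handler: str, log: CustodyLog):
    """Hash the original, copy it, hash the copy; return (copy_path, hashes_match)."""
    original_hash = sha256_file(original)
    log.record(handler, "hashed original (behind write-blocker)", original, original_hash)

    copy = workdir / (original.stem + ".working" + original.suffix)
    shutil.copyfile(original, copy)
    copy_hash = sha256_file(copy)
    log.record(handler, "created working copy", copy, copy_hash)

    verified = copy_hash == original_hash
    log.record(handler, "verified copy" if verified else "VERIFICATION FAILED", copy, copy_hash)
    return copy, verified


def verify_unchanged(path: Path, expected_sha256: str) -> bool:
    """Re-hash at any later step (e.g. before reporting) and compare with the logged digest."""
    return sha256_file(path) == expected_sha256


def demo() -> dict:
    """Acquire a copy of a constructed 'image', then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "suspect_laptop.dd"
        # constructed image content; a real image would come from a disk imager
        original.write_bytes(b"MBR\x00" * 1024 + b"NTFS    " + bytes(range(256)) * 64)
        log = CustodyLog("CASE-2024-0001")  # hypothetical case identifier

        copy, ok = acquire_working_copy(original, tmp, "A. Examiner", log)
        original_digest = log.entries[0]["sha256"]

        with copy.open("r+b") as f:  # simulate an accidental write to the working copy
            f.seek(4)
            f.write(b"X")
        tamper_detected = not verify_unchanged(copy, original_digest)
        original_intact = verify_unchanged(original, original_digest)

    return {
        "copy_verified": ok,
        "tamper_detected": tamper_detected,
        "original_intact": original_intact,
        "log_entries": len(log.entries),
    }


if __name__ == "__main__":
    print(demo())
```

The write-blocker is hardware or OS-level and cannot be emulated in a script; what the script adds is the evidence that the blocker worked, because the original's digest still matches after the examination.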
5: Windows Investigations
• Section Introduction
• Artefacts
- Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, scheduled tasks, start-up files
• Limitations
• Example Investigations
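Prefetch files are the execution-evidence artefact in the list above: each one records which executable ran, how many times, and when. As an added example, not course material, here is a parser for the Prefetch header fields an investigator reports. The offsets follow the publicly documented format for versions 17 (XP), 23 (Vista/7) and 26 (8.1); Windows 10/11 files (version 30) are MAM-compressed and must be decompressed before any such parser applies, so they are rejected rather than mis-parsed. The sample file is built in memory, with only the fields the parser reads populated.

```python
"""Parse the header of a Windows Prefetch (.pf) file: evidence of execution.

Added example, not course material. Offsets per the documented Prefetch
layout for versions 17, 23 and 26. The sample .pf is constructed in memory.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

SIGNATURE = b"SCCA"
# version -> (offset of last-run FILETIME array, number of timestamps, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),
    23: (0x80, 1, 0x98),
    26: (0x80, 8, 0xD0),
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME = 100-ns intervals since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10+ prefetch: decompress (LZXPRESS Huffman) first")
    if data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file: bad signature")
    (version,) = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    times_off, n_times, count_off = LAYOUT[version]

    (size,) = struct.unpack_from("<I", data, 0x0C)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16LE field
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)  # hash that also appears in the .pf file name

    run_times = [
        filetime_to_datetime(struct.unpack_from("<Q", data, times_off + 8 * i)[0])
        for i in range(n_times)
    ]
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "file_size": size,
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_run": [t for t in run_times if t is not None],  # v26 keeps up to 8 timestamps
    }


def build_sample_prefetch(exe: str, run_count: int, last_run: datetime, version: int = 23) -> bytes:
    """Constructed sample: only the fields this parser reads are populated."""
    times_off, _, count_off = LAYOUT[version]
    buf = bytearray(0xF0)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)  # arbitrary hash value for the sample
    ft = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, times_off, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_prefetch("MIMIKATZ.EXE", 3, datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc))
    print(parse_prefetch(sample))
```

Prefetch shows execution, not intent: the run count and timestamps belong beside the matching Security 4688 events and the file's own hash before anything is concluded.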
6: *nix Investigations
• Section Introduction
• Artefacts
• Limitations
• Example Investigations
• Artefact Collection
- Section Introduction
- Equipment: anti-static bags, Faraday cage, labels, clean hard drives, forensic workstations, disk imagers, hardware write blockers, cabling, blank media, photographs
- Tools: Wireshark, Network Miner, and others
- ACPO Principles
- Live Forensics: fast acquisition of key files
- How to Collect Evidence: laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social media posts, chat rooms
- Types of Hard Drive Copies: visible data, bit-for-bit, slack space
7: Live Forensics
• Section Introduction
• Live Acquisition
- What is a live acquisition/live forensics? Why is it beneficial?
• Products
- Carbon Black, Encase, memory analysis with agents, Custom Scripts
• Potential Consequences
- Damaging or modifying evidence making it invalid
8: Post-Investigation
• Section Introduction
• Report Writing
• Evidence Retention
- Legal retention periods, internal retention periods
• Evidence Destruction
- Overwriting, degaussing, shredding, wiping
- Further Reading
Domain 3: Incident Response
1: Introduction to Incident Response
• What is Incident Response?
• Why is IR Needed?
• Security Events vs. Security Incidents
• Incident Response Lifecycle – NIST SP 800-61r2
- What is it, why is it used
• Lockheed Martin Cyber Kill Chain
- What is it, why is it used
• MITRE ATT&CK Framework
- What is it, why is it used
2: Preparation
• Incident Response Plans, Policies, and Procedures
• The Need for an IR Team
• Asset Inventory and Risk Assessment to Identify High-Value Assets
• DMZ and Honeypots
• Host Defences
- HIDS
- Antivirus, EDR
- Local Firewall
- User Accounts
- GPO
• Network Defences
- NIDS
- NIPS
- Proxy
- Firewalls
- NAC
• Email Defences
- Spam Filter
- Attachment Filter
- Attachment Sandboxing
- Email Tagging
• Physical Defences
- Deterrents
- Access Controls
- Monitoring Controls
• Human Defences
- Security Awareness Training
- Security Policies
- Incentives
3: Detection and Analysis
• Common Events and Incidents
• Establishing Baselines and Behaviour Profiles
• Central Logging (SIEM Aggregation)
• Analysis (SIEM Correlation)
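Baselines and correlation are what turn aggregated logs into incidents. The following is an added example, not course material: over constructed authentication events it first learns each user's normal logon hours from a history window, then runs two rules of the kind a SIEM correlation search encodes, a success preceded by several failures from the same source inside a short window (brute force that worked), and a success outside the user's learned hours. The users, addresses, timestamps and the simplified event format are all made up.

```python
"""Baseline-and-correlate detection over constructed authentication events.

Added example, not course material. Rule 1: N failures then a success from
the same source within a window. Rule 2: successful logon outside the hours
learned for that user. Users, addresses and the event format are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history used to learn what "normal" looks like per user.
BASELINE_EVENTS = [
    "2024-03-04T08:55:10 alice 10.0.0.5 SUCCESS",
    "2024-03-04T17:40:02 alice 10.0.0.5 SUCCESS",
    "2024-03-05T09:10:44 alice 10.0.0.5 SUCCESS",
    "2024-03-05T18:02:31 alice 10.0.0.5 SUCCESS",
    "2024-03-04T22:15:00 bob   10.0.0.9 SUCCESS",  # bob works evenings
    "2024-03-05T23:05:12 bob   10.0.0.9 SUCCESS",
]

# Constructed events to analyse: a brute force against alice that succeeds at 02:11.
LIVE_EVENTS = [
    "2024-03-06T02:11:03 alice 203.0.113.7 FAILURE",
    "2024-03-06T02:11:05 alice 203.0.113.7 FAILURE",
    "2024-03-06T02:11:06 alice 203.0.113.7 FAILURE",
    "2024-03-06T02:11:08 alice 203.0.113.7 FAILURE",
    "2024-03-06T02:11:09 alice 203.0.113.7 FAILURE",
    "2024-03-06T02:11:12 alice 203.0.113.7 SUCCESS",
    "2024-03-06T09:00:00 alice 10.0.0.5 SUCCESS",  # normal
    "2024-03-06T22:30:00 bob   10.0.0.9 SUCCESS",  # normal for bob
    "2024-03-06T03:00:00 bob   10.0.0.9 FAILURE",  # single failure: noise, no alert
]


def parse(line):
    """'<ISO timestamp> <user> <source ip> <SUCCESS|FAILURE>' -> dict."""
    ts, user, src, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "outcome": outcome}


def learn_baseline(lines, slack_hours=1):
    """Per-user (earliest, latest) hour of successful logon, widened by slack_hours.
    Simple min/max profile: a shift that wraps past midnight needs a richer model."""
    hours = defaultdict(list)
    for e in map(parse, lines):
        if e["outcome"] == "SUCCESS":
            hours[e["user"]].append(e["ts"].hour)
    return {u: (max(min(h) - slack_hours, 0), min(max(h) + slack_hours, 23)) for u, h in hours.items()}


def detect(lines, baseline, threshold=5, window=timedelta(minutes=5)):
    """Apply both correlation rules over time-ordered events; return a list of alerts."""
    events = sorted(map(parse, lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, src) -> failure timestamps not yet followed by a success
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "FAILURE":
            failures[key].append(e["ts"])
            continue
        # Rule 1: success preceded by >= threshold failures from the same source within the window
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent), "ts": e["ts"].isoformat()})
        failures[key].clear()
        # Rule 2: success outside the user's learned hours (no baseline for the user: no alert)
        if e["user"] in baseline:
            lo, hi = baseline[e["user"]]
            if not lo <= e["ts"].hour <= hi:
                alerts.append({"rule": "logon_outside_baseline", "user": e["user"],
                               "src": e["src"], "hour": e["ts"].hour, "baseline": (lo, hi),
                               "ts": e["ts"].isoformat()})
    return alerts


def run():
    return detect(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules fire on the same 02:11:12 event, which is the point of correlation: either signal alone is a ticket, the two together from an external address are an incident.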
5: Lessons Learned
• What Went Well?
- Highlights from the Incident Response
• What Could be Improved?
- Issues from the Incident Response, and How These Can be Addressed
• Importance of Documentation
- Creating Runbooks for Future Similar Incidents, Audit Trail
• Metrics and Reporting
- Presenting Data in Metric Form
• Further Reading
Domain 4: Threat Intelligence
1: Introduction to Threat Intelligence
• Section Introduction
• Threat Intelligence Explained
- What is TI, why is it used
• Why Threat Intelligence can be Valuable
- Situational awareness, investigation enrichment, reducing the attack surface
• Criticisms/Limitations of Threat Intelligence
- Attribution issues, reactive nature, old IOCs, false-positive IOCs
• The Future of Threat Intelligence
- Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic risk scores)
• Types of Intelligence
- SIGINT, OSINT, HUMINT, GEOINT
2: Threat Actors
• Common Threat Agents
- Cybercriminals, hacktivists, insider threats, nation-states
• Motivations
- Financial, social, political, other
• Skill Levels/Technical Ability
- Script Kiddies, Hackers, APTs
• Actor Naming Conventions
- Animals, APT numbers, other conventions
• Common Targets
- Industries, governments, organizations
3: Advanced Persistent Threats
• What are APTs?
- What makes an APT?, real-world examples of APTs and their operations
• Motivations for Cyber Operations
- Why APTs do what they do (financial, political, social)
• Tools, Techniques, Tactics
- What APTs actually do when conducting operations
• Custom Malware/Tools
- Exploring custom tools used by APTs, why they're used
• Living-off-the-land Techniques
- What LOTL is, why it's used, why it can be effective
4: Operational Intelligence
• Indicators of Compromise Explained & Examples
- What IOCs are, how they're generated and shared, using IOCs to feed defences
• Precursors Explained & Examples
- What precursors are, how they're different from IOCs, how we monitor them
• TTPs Explained & Examples
- What TTPs are, why they're important, using them to maintain defences (preventative)
• MITRE ATT&CK Framework
- Framework explained and how we map cyber-attacks, real-world example
• Lockheed Martin Cyber Kill Chain
- Framework explained and how we map cyber-attacks, real-world example
• Attribution and its Limitations
- Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks
• Pyramid of Pain
- You'll wish we didn't teach you this. It's called the Pyramid of Pain for a reason.
5: Tactical Threat Intelligence
• Threat Exposure Checks Explained
- What TECs are, how to check your environment for the presence of bad IOCs
• Watchlists/IOC Monitoring
- What watchlists are, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
• Public Exposure Assessments
- What PEAs are, how to conduct them, Google dorks, theHarvester, social media
• Open-Web Information Collection
- How OSINT data is scraped, why it's useful
• Dark-Web Information Collection
- How intel companies scrape dark web intel, why it's useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
• Malware Information Sharing Platform (MISP)
- What MISP is, why it is used, how to implement MISP
6: Strategic Threat Intelligence
• Intelligence Sharing and Partnerships
- Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
• IOC/TTP Gathering and Distribution
• Campaign Tracking & Situational Awareness
- Why we track actors, why keeping the team updated is important
• New Intelligence Platforms/Toolkits
- Undertaking proof-of-value demos to assess the feasibility of new tooling
• OSINT vs. Paid-for Sources
- Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter
7: Malware and Global Campaigns
• Types of Malware Used by Threat Actors
- Trojans, RATs, Ransomware, Backdoors, Logic Bombs
• Globally Recognized Malware Campaigns
- Emotet, Magecart, IcedID, Sodinokibi, Trickbot, Lokibot
8: Further Reading
• Further Reading Material
- Links to more resources that students may find helpful.
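A threat exposure check and an IOC watchlist (Section 5) are the same operation run once and continuously: apply a set of indicators to what the environment has logged. The following is an added example, not course material, and the IOCs, log events and MISP-style attribute layout are all constructed. It matches hashes case-insensitively, domains by exact name or subdomain, and IPs against single addresses or CIDR ranges; it ages out indicators not seen recently, which addresses the "old IOCs" and "false-positive IOCs" criticism from Section 1; and it tags each hit with its Pyramid of Pain level (Section 4) so the analyst works the indicators that cost the adversary most to change first.

```python
"""Threat exposure check: sweep constructed, normalised log events for watchlist IOCs.

Added example, not course material. IOCs, events and the MISP-like attribute
shape are constructed. Stale IOCs are aged out; hits are ranked by Pyramid of
Pain level (higher = more painful for the attacker to change).
"""
import ipaddress
from datetime import date, timedelta

# Pyramid of Pain, bottom (trivial for the attacker to change) to top.
PAIN_LEVEL = {"sha256": 1, "ip": 2, "domain": 3, "host-artifact": 4, "tool": 5, "ttp": 6}

# Constructed watchlist in a MISP-like attribute shape: type, value, source, last_seen.
WATCHLIST = [
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "isac-feed", "last_seen": date(2024, 2, 20)},
    {"type": "domain", "value": "update-check.example", "source": "vendor-a", "last_seen": date(2024, 2, 28)},
    {"type": "ip", "value": "198.51.100.23", "source": "vendor-a", "last_seen": date(2024, 3, 1)},
    {"type": "ip", "value": "203.0.113.0/24", "source": "osint", "last_seen": date(2024, 2, 27)},
    {"type": "domain", "value": "old-c2.example", "source": "osint", "last_seen": date(2023, 6, 1)},  # stale
]

# Constructed, already-normalised events: (log source, field, observed value)
EVENTS = [
    ("proxy", "domain", "cdn.update-check.example"),  # subdomain of a watchlisted domain
    ("dns", "domain", "old-c2.example"),              # matches only the stale IOC
    ("fw", "ip", "203.0.113.77"),                     # inside a watchlisted range
    ("fw", "ip", "198.51.100.24"),                    # near miss, no match
    ("edr", "sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
    ("proxy", "domain", "notupdate-check.example"),   # must NOT match: not a subdomain
]


def active_watchlist(watchlist, today, max_age_days=90):
    """Drop indicators not seen within max_age_days: old IOCs mostly generate false positives."""
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in watchlist if i["last_seen"] >= cutoff]


def matches(ioc, field, value):
    if ioc["type"] != field:
        return False
    if field == "sha256":
        return value.lower() == ioc["value"].lower()
    if field == "domain":
        v, w = value.lower().rstrip("."), ioc["value"].lower().rstrip(".")
        return v == w or v.endswith("." + w)
    if field == "ip":
        return ipaddress.ip_address(value) in ipaddress.ip_network(ioc["value"], strict=False)
    return False


def exposure_check(events, watchlist, today):
    """Return every (event, IOC) hit, most painful-for-the-attacker indicator type first."""
    active = active_watchlist(watchlist, today)
    hits = []
    for source, field, value in events:
        for ioc in active:
            if matches(ioc, field, value):
                hits.append({"log": source, "observed": value, "ioc": ioc["value"],
                             "type": ioc["type"], "feed": ioc["source"],
                             "pain": PAIN_LEVEL[ioc["type"]]})
    return sorted(hits, key=lambda h: -h["pain"])


def run(today=date(2024, 3, 6)):
    return exposure_check(EVENTS, WATCHLIST, today)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

A real watchlist is fed from MISP or the SIEM's lookup tables and the age-out threshold is set per feed; the matching rules stay the same, and the subdomain and CIDR handling is what separates a usable check from one that misses the attacker's next hostname.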
IND: 1800-843-7890 (Toll Free) / US: +1 657-207-1466 /
UK : +44 7451 208413
www.infosectrain.com