The field of information security deals with the ever-growing volume of threats to businesses and government entities. Hardening computer and network infrastructure with patching, firewalls, and intrusion prevention systems is important, but those controls will never stop every threat. Skilled people are needed to monitor the security tools and watch for the attacks that bypass the automated protections. The analysts in the Security Operations Center (SOC) are that last line of defense: the SOC tries to detect and remediate the threats that make it past the preventive controls. The SOC analyst role has traditionally been an entry-level position, yet a great deal of knowledge and skill is needed to succeed in it.
The success of a SOC is difficult to measure since attackers and attacks never stand still: Everything is a moving target. Success is typically measured by reducing organizational risk by detecting, remediating, and automatically preventing future instances of known attacks. In reality, this is far beyond the capability of most SOCs today. And to make matters even worse, SOC analysts rarely have the tools, tactics, procedures, or training to deal with all the threats that can affect organizations today. Nobody wants to admit how difficult the struggle is, which means it’s difficult to even get the conversation going.
Qualifications for entry-level SOC analysts are problematic because most applicants have little, if any, training in information security. Realistically, an entry-level SOC analyst can only be expected to be passionate about security and to have some networking background, which happen to be the prerequisites for this course.
In this course, you will work as a Tier 1 SOC analyst for a managed security service provider (MSSP) that provides outsourced information security services to a range of clients. You will investigate alerts using a combination of packet captures (PCAPs) and log files from servers and networking equipment. The course is designed to help a beginning Tier 1 SOC analyst become proficient at analyzing alerts and understanding what they mean, through a series of realistic hands-on tasks built around attackers attempting to gain initial access to a network. (Future courses will cover lateral movement after initial access, command-and-control communication, and data exfiltration.)
What students will do
Security Operations Center Analyst, Tier 1 includes the following tasks:
- Investigate suspicious behavior: The student receives a report that an IT support employee had unusual text on his screen that did not seem to be work related. His network traffic from that time period has been captured. The student will use NetworkMiner and then Wireshark to open the packet capture (PCAP) file and analyze what the user was doing. Was his activity benign, or was it evidence of an insider attack?
- Scanning activity: Analysts are asked to use the network scanner Nmap to profile the attack surface of potentially vulnerable Windows and Linux hosts within a client's AWS VPC. Using Nmap's output, they must identify and assess the severity of any vulnerabilities associated with the operating systems and services of the profiled hosts, then attempt to locate viable published exploits on sources such as Exploit-DB, GitHub, and Twitter. After enumerating the VPC's attack surface, analysts must produce a set of recommendations for the client: short-term advice for immediate implementation, plus long-term recommendations for reducing the identified attack surface and improving detection visibility for what remains.
- Remote intrusion attempt: A SOC analyst has seen evidence of a password-guessing (brute-force) attempt against a key network. Students analyze a PCAP and event logs within a security information and event management system (the Splunk SIEM) to determine whether any passwords were compromised and whether the network was breached as a result. The student must also identify which tools the attacker used and which steps should be taken to protect specific hosts in the network from similar attempts in the future.
- Antivirus alert: A client of the MSSP was alerted by its antivirus application to suspicious activity on one of its HR department computers. At the time, the event was classified as benign, but there are now growing concerns that it may have been something more serious. The student will determine whether the alert was a true or false positive, and whether further incident response is necessary.
- Suspicious web traffic: Students analyze a possible watering-hole attack, in which clicking a malicious link embedded in an otherwise legitimate website launches an exploit kit that infects the user's machine with a trojan. To do so, they must correlate multiple logs within the Splunk SIEM.
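The remote intrusion task above turns on one question: did a burst of failed logons from a single source end in a successful logon to the same host? That is the correlation an analyst would build in the SIEM. The following is an added example, not part of the course material, written in Python so it runs without Splunk. The log lines are constructed in the standard OpenSSH syslog format; the hostname, timestamps and addresses are made up, and the threshold and time window are illustrative defaults the analyst would tune.

```python
"""Flag successful logons that follow a burst of failures from the same source.

Added example for the remote intrusion task: the same "N failures then a
success" correlation an analyst would run in a SIEM, on constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth log lines (OpenSSH syslog format). Hostname,
# timestamps and addresses are invented for the example.
SAMPLE_LOG = """\
Mar  4 10:01:02 web01 sshd[2411]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:03 web01 sshd[2413]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  4 10:01:04 web01 sshd[2415]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:01:05 web01 sshd[2417]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 10:01:06 web01 sshd[2419]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 10:01:08 web01 sshd[2421]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  4 10:02:00 web01 sshd[2450]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  4 10:02:30 web01 sshd[2452]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Parse one sshd line into a dict, or return None for lines we ignore.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def find_compromised_logons(log_text, threshold=5, window_seconds=300):
    """Return (src, host, user, failures) for each Accepted logon preceded by
    at least `threshold` failures from the same source to the same host
    within `window_seconds`. An empty list means the guessing did not
    (visibly) succeed; a non-empty list is the breach the analyst must chase.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, host) -> timestamps of failed logons
    hits = []
    for e in events:
        key = (e["src"], e["host"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            hits.append((e["src"], e["host"], e["user"], len(recent)))
    return hits


if __name__ == "__main__":
    for src, host, user, n in find_compromised_logons(SAMPLE_LOG):
        print(f"{src} -> {host}: '{user}' accepted after {n} failures")
```

On the constructed data, 203.0.113.7 is reported (five failures against web01, then an accepted root logon two seconds later), while alice's single typo followed by a success stays below the threshold. The window and threshold are the analyst's judgment call: too high and a slow, patient attacker is missed; too low and every mistyped password becomes a ticket.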
Skills students will learn
Cyber Phoenix courses are 100% hands-on, learn-by-doing. Mentors guide students through a learning experience in which students solve difficult problems, learning just enough, just in time to succeed. We focus on what students are able to do when they complete the program rather than on the specific knowledge that traditional programs typically try to impart, which is not always necessary in practice.
During this course you will learn and practice key SOC analyst skills including:
- Conducting online technical research
- Analyzing and verifying Snort alerts
- Distinguishing between true and false positive alerts
- Analyzing packet capture (PCAP) files
- Analyzing system and network logs using a SIEM
- Identifying OS and application fingerprints
- Analyzing suspicious user behavior
- Identifying vulnerabilities based on vulnerability scans and proposing remediations
- Analyzing remote intrusion attempts
- Analyzing phishing attacks
- Analyzing watering hole attacks
Prerequisites
Applied knowledge of computer networks and protocols, knowledge of the Windows and Linux operating systems, and experience using command line interfaces.
Time commitment
Five weeks working 25 hours per week, or 10 weeks working 15 hours per week.