Security Operations Center Analyst, Tier 2

A Tier 2 security operations center (SOC) analyst takes the lead investigating complex information security incidents, which are often escalated by more junior analysts. Their work includes collecting, analyzing, and preserving digital evidence, as well as ensuring that incidents are appropriately recorded, tracked and reported. In many organizations their job also includes proactively hunting for threats that intrusion detection systems may have missed.

In this course, you will be working as a Tier 2 SOC analyst for a managed security service provider that provides outsourced information security services to a range of clients. During the course you will analyze and report on a single complex cyber attack, beginning with the detonation of ransomware in a client’s network and working backwards to determine the attack vector and true purpose of the attack.

What students will do

Security Operations Center Analyst, Tier 2 includes the following tasks:

1. Ransomware DetectionThe student, working in the role of a tier 2 security operations center analyst, is assigned a traditional malware IR case involving a ransomware attack that compromised a client’s network. The student must determine the scope of the incident, identify the method by which the malware propagated throughout the network, and begin to answer the question of containment—only to discover that the clues don’t lead directly to an initial perimeter compromise.
2. Lateral movement and privilege escalationFollowing the pivot of the compromised Active Directory account, the student will explore techniques for detecting several common methods of lateral movement as well as privilege escalation within AD. Students must profile the suspicious account, timeline both user and workstation activity, and pivot to any other potentially-compromised accounts, based on following the attacker’s tracks through the logs until “patient 0” is found, the site of initial access.
3. Initial access via compromise of an external serverAfter identifying the original entry point into the network, the student will dive deep into answering the question of containment. Using primarily network-based logs, they will confirm a specifically targeted server and determine how it was successfully exploited. Then, they will dive deeply into host-based logs to determine what happened post-exploitation and begin to build a profile of the attacker’s motivations. By the conclusion of this task, students will have developed a much more accurate picture of the attacker’s motivations.
4. Living off the LandNow that it has become clear this is a targeted attack, students will take a higher-level view of their investigation thus far in order to reassess the evidence. They will reexamine their existing evidence, dive deeper into detection strategies for commonly-used living-off-the-land techniques, and elaborate the profile of the attacker’s motivations and intent.
5. Data exfiltrationStudents will analyze several instances of proprietary data being transferred to different locations within the network and ultimately crossing the perimeter to be successfully exfiltrated to the attacker’s C2 server using a novel, difficult-to-detect technique.
6. Wrapping up the investigationStudents will conclude their investigation by writing an appropriate report to the CISO and a more technical report to the incident responders. They will also write a non-technical, short executive summary for senior management of the company.

Skills students will learn

Cyber Phoenix courses are 100% hands-on, learn-by-doing. Mentors guide students through a learning experience in students solve difficult problems learning just enough, just in time to succeed. We focus on what students are able to do when they complete the program rather than on specific knowledge that traditional programs typically try to impart, which might not always be necessary in practice.

During this course you will learn and practice key SOC analyst skills including:

• Enumerating and baselining the activity of all unique devices in an unknown network
• Gathering intelligence on and timelining user and workstation activity to discover anomalous behavior
• Distinguishing between benign and malicious activity when attackers “live off the land”
• Detecting different forms of privilege escalation within an Active Directory (AD) environment
• Detecting different forms of lateral movement within an AD domain
• Determining methods of malware propagation
• Identifying the scope and timeframe of a ransomware attack
• Identifying additional compromised user accounts or workstations through pivoting
• Detecting and identifying the exploitation of an internal server as the means of an attacker’s initial perimeter breach
• Examining post-exploitation recon and movement in order to profile attackers and determine intent
• Detecting several types of data exfiltration, including exfil over an alternative protocol (DNS)
• Appropriate collection of critical information, with whom to share it, and when to share it during phases of incident response.

Prerequisites

Successful completion of Security Operations Center Analyst, Tier 1 or equivalent professional experience working in a security operations center.

Duration

Five weeks working 25 hours per week or 10 weeks working 15 hours per week.