Adept individuals are needed to monitor the security tools, watching for threats that bypass the automated protections. The analysts in the Security Operations Center (SOC) are the last line of defense. The SOC tries to detect and remediate threats that make it past the protections. The SOC analyst role has traditionally been an entry-level position, but a great deal of knowledge and skills are necessary for success.
The success of a SOC is difficult to measure since attackers and attacks never stand still: Everything is a moving target. Success is typically measured by reducing organizational risk by detecting, remediating, and automatically preventing future instances of known attacks. In reality, this is far beyond the capability of most SOCs today. And to make matters even worse, SOC analysts rarely have the tools, tactics, procedures, or training to deal with all the threats that can affect organizations today. Nobody wants to admit how difficult the struggle is, which means it’s difficult to even get the conversation going.
Qualifications for entry-level SOC analysts are problematic because most applicants have little if any training in information security. Realistically, an entry-level SOC analyst can only be expected to be passionate about security and have some networking background – which happen to be the prerequisites for this course.
In this course, you will be working as a Tier 1 SOC analyst for a managed security service provider (MSSP) that provides outsourced information security services to a range of clients. You will investigate alerts with a combination of packet captures (PCAPs) and also log files from servers and networking equipment. We have designed this course to help a beginning Tier 1 SOC Analyst become proficient at analyzing and understanding what alerts mean through a series of realistic hands-on tasks based on attackers attempting to gain initial access to a network. (Future courses will deal with lateral movement by an attacker after gaining initial access, command and control communication, and data exfiltration.)
The student receives a report that an IT support employees had unusual text on his screen that didn’t seem to be work related. His network traffic has been captured from that time period. The student will use NetworkMiner and then WireShark to open the packet capture (PCAP) file and analyze what the user was doing. Was his activity benign or was this evidence of an insider attack?
Analysts are asked to use the network pentesting tool Nmap to profile the attack surface of potentially-vulnerable Windows and Linux hosts within a client’s AWS VPS. Using Nmap’s output, they must identify and assess the severity of any vulnerabilities associated with the OS and services of profiled devices, then attempt to locate viable published exploits available on popular websites like exploit.db, GitHub, and Twitter. After successfully enumerating the VPS’s attack surface, analysts must devise a series of recommendations for the client: short term advice for immediate implementation as well as long-term recommendations for reducing the identified attack surface and improving detection visibility for what remains.
A security operations center analyst has seen evidence of a password cracking attempt within a key network. Students analyze a PCAP and event logs within a security information and event management system (the Splunk SIEM) to determine whether or not any passwords were compromised, and if the network was breached as a result. The student must also identify which tools were used by the attacker, and which steps should be taken to safeguard specific hosts in the network from similar cracking attempts in the future.
A client of the MSSP was alerted to suspicious activity on one of their HR department computers by their antivirus application. At the time, the event was classified as benign, but now there are growing concerns that it may have been something more serious. The student will determine whether this was a false or true positive—and if further incident response is necessary.
Students analyze a possible “watering hole” attack in which clicking on a malicious link embedded in an otherwise legitimate website launches an exploit kit that infects a user’s machine with a “trojan.” To accomplish this, they must analyze multiple logs within the Splunk SIEM
Applied knowledge of computer networks and protocols, knowledge of the Windows and Linux operating systems, and experience using command line interfaces.
Five weeks working 25 hours per week or 10 weeks working 15 hours per week.
This course is part of our Premium collection of courses. This package is perfect for professionals and teams looking to take their skills to the next level. Gain access to a wide range of sophisticated courses.
Our Basic plan is perfect for students taking their first steps into leadership, IT management, or cybersecurity. Get comfortable. Feel it out. Learn what you love and what you don’t love. Start learning today with a 7 Day Free Trial!
