Five weeks working 25 hours per week or 10 weeks working 15 hours per week.
In this course, you will work as a Tier 2 SOC analyst for a managed security service provider that delivers outsourced information security services to a range of clients. Over the course you will analyze and report on a single complex cyber attack, beginning with the detonation of ransomware in a client’s network and working backwards to determine the attack vector and the true purpose of the attack.
The student, in the role of a Tier 2 security operations center analyst, is assigned what looks like a routine malware incident response case: a ransomware attack that has compromised a client’s network. The student must determine the scope of the incident, identify how the malware propagated through the network, and begin to work out how to contain it, only to discover that the clues do not lead directly to an initial perimeter compromise.
Once the investigation pivots to the compromised Active Directory account, the student explores techniques for detecting several common methods of lateral movement and privilege escalation within AD. Students must profile the suspicious account, build a timeline of both user and workstation activity, and pivot to any other potentially compromised accounts, following the attacker’s tracks back through the logs until “patient 0”, the site of initial access, is found.
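As an added illustration of the timeline-and-pivot work this module describes (example code written for this page, not course material), the script below walks a set of Windows Security log 4624 (successful logon) records backwards from the ransomware host. The log lines, hostnames, accounts and the simplified field layout are all constructed for the example; the heuristic of following the most recent remote logon into each host is a starting point an analyst would then confirm against the full timeline, not a substitute for it.

```python
"""Trace a lateral-movement chain back to patient zero from logon events.

Constructed example. Each line is a reduced Windows 4624 record:
timestamp, event ID, logon type, account, source host, destination host.
Internal hosts are named; anything that looks like an IPv4 address is
treated as external. Both of those are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one attacker path (jdoe -> svc_backup) plus benign noise.
SAMPLE_LOG = """\
2024-03-01T00:30:00Z 4624 type=10 account=CORP\\asmith src=WS-03 dst=WS-42
2024-03-01T01:05:00Z 4624 type=10 account=CORP\\jdoe src=198.51.100.23 dst=WS-17
2024-03-01T01:12:00Z 4624 type=2 account=CORP\\jdoe src=WS-17 dst=WS-17
2024-03-01T01:20:00Z 4624 type=3 account=CORP\\jdoe src=WS-17 dst=FS-01
2024-03-01T01:35:00Z 4624 type=3 account=CORP\\svc_backup src=FS-01 dst=DC-01
2024-03-01T01:50:00Z 4624 type=3 account=CORP\\svc_backup src=DC-01 dst=WS-42
2024-03-01T01:52:00Z 4624 type=3 account=CORP\\svc_backup src=DC-01 dst=WS-07
2024-03-01T02:40:00Z 4624 type=3 account=CORP\\mjones src=WS-03 dst=WS-42
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<event>\d+) type=(?P<type>\d+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
REMOTE_TYPES = {3, 10}  # network and RemoteInteractive (RDP) logons


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Parse the constructed log format into dicts, sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real logs carry other events; skip anything not in this shape
        d = m.groupdict()
        events.append({
            "ts": parse_ts(d["ts"]), "event": int(d["event"]), "type": int(d["type"]),
            "account": d["account"], "src": d["src"], "dst": d["dst"],
        })
    return sorted(events, key=lambda e: e["ts"])


def is_lateral(e):
    """A logon that moved between two hosts, i.e. a candidate hop."""
    return e["event"] == 4624 and e["type"] in REMOTE_TYPES and e["src"] != e["dst"]


def is_external(host):
    return bool(IPV4_RE.match(host))  # assumption: internal hosts are named


def account_timeline(events, account):
    """Everything one account did, in order: the profile of a suspect account."""
    return [e for e in events if e["account"] == account]


def trace_to_patient_zero(events, start_host, detonated_at):
    """From (host, time), take the most recent remote logon into that host before
    the time, move to its source host and time, and repeat. Stop when the
    source is external (patient zero found) or no inbound logon remains.
    The time bound strictly decreases each hop, so the walk terminates."""
    hops, host, before = [], start_host, detonated_at
    while True:
        inbound = [e for e in events
                   if is_lateral(e) and e["dst"] == host and e["ts"] < before]
        if not inbound:
            return {"patient_zero": host, "entry": None, "hops": hops}
        e = inbound[-1]  # events are sorted ascending, so the last is most recent
        hops.append(e)
        if is_external(e["src"]):
            return {"patient_zero": host, "entry": e, "hops": hops}
        host, before = e["src"], e["ts"]


def hosts_touched_by(events, accounts):
    """Every host the suspect accounts logged into remotely: the containment scope,
    including hosts that are not on the path back to patient zero."""
    touched = defaultdict(set)
    for e in events:
        if is_lateral(e) and e["account"] in accounts:
            touched[e["account"]].add(e["dst"])
    return touched


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    result = trace_to_patient_zero(evs, "WS-42", parse_ts("2024-03-01T02:30:00Z"))
    for h in result["hops"]:
        print(f"{h['ts']:%H:%M} {h['account']:<16} {h['src']} -> {h['dst']}")
    entry = result["entry"]
    print("patient zero:", result["patient_zero"], "entered by", entry["account"], "from", entry["src"])
    suspects = {h["account"] for h in result["hops"]}
    for acct, hosts in hosts_touched_by(evs, suspects).items():
        print("contain:", acct, sorted(hosts))
```

Run as-is, the walk goes WS-42 ← DC-01 ← FS-01 ← WS-17, changes account from svc_backup to jdoe at FS-01, and stops at WS-17 because jdoe arrived there from an external address. The containment list then adds WS-07, which the backup account touched but which is not on the path; that is the kind of host a path-only investigation misses.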
After identifying the original entry point into the network, the student turns to the question of containment in depth. Using primarily network-based logs, they confirm which server was specifically targeted and determine how it was successfully exploited. They then work through the host-based logs to establish what happened post-exploitation and begin to build a profile of the attacker’s motivations, ending this task with a much clearer picture of what the attacker was after.
Now that it is clear this is a targeted attack, students take a higher-level view of the investigation so far in order to reassess the evidence. They reexamine what they have already collected, go deeper into detection strategies for commonly used living-off-the-land techniques, and refine the profile of the attacker’s motivations and intent.
Students will analyze several instances of proprietary data being transferred to different locations within the network and ultimately crossing the perimeter to be successfully exfiltrated to the attacker’s C2 server using a novel, difficult-to-detect technique.
Students will conclude their investigation by writing an appropriate report to the CISO and a more technical report to the incident responders. They will also write a non-technical, short executive summary for senior management of the company.
Successful completion of Security Operations Center Analyst, Tier 1 or equivalent professional experience working in a security operations center.
This course is part of our Premium collection of courses. This package is perfect for professionals and teams looking to take their skills to the next level. Gain access to a wide range of sophisticated courses.
Our Basic plan is perfect for students taking their first steps into leadership, IT management, or cybersecurity. Get comfortable. Feel it out. Learn what you love and what you don’t love. Start learning today with a 7 Day Free Trial!