Security Operations Center Analyst, Tier 2

Course Overview

A Tier 2 security operations center (SOC) analyst takes the lead investigating complex information security incidents, which are often escalated by more junior analysts.

Their work includes collecting, analyzing, and preserving digital evidence, as well as ensuring that incidents are appropriately recorded, tracked and reported. In many organizations their job also includes proactively hunting for threats that intrusion detection systems may have missed.

Price: $5,200.00

In this course, you will be working as a Tier 2 SOC analyst for a managed security service provider that provides outsourced information security services to a range of clients. During the course you will analyze and report on a single complex cyber attack, beginning with the detonation of ransomware in a client’s network and working backwards to determine the attack vector and true purpose of the attack.

What Students Will Do

Security Operations Center Analyst, Tier 2 includes the following tasks:

The student, working in the role of a tier 2 security operations center analyst, is assigned a traditional malware IR case involving a ransomware attack that compromised a client’s network. The student must determine the scope of the incident, identify the method by which the malware propagated throughout the network, and begin to answer the question of containment—only to discover that the clues don’t lead directly to an initial perimeter compromise.

Following the pivot to the compromised Active Directory account, the student will explore techniques for detecting several common methods of lateral movement and privilege escalation within AD. Students must profile the suspicious account, timeline both user and workstation activity, and pivot to any other potentially compromised accounts, following the attacker’s tracks through the logs until “patient 0”, the site of initial access, is found.

After identifying the original entry point into the network, the student will dive deep into answering the question of containment. Using primarily network-based logs, they will confirm which server was specifically targeted and determine how it was successfully exploited. Then, they will turn to host-based logs to determine what happened post-exploitation and begin to build a profile of the attacker’s motivations. By the conclusion of this task, students will have developed a much more accurate picture of what the attacker was after.

Now that it has become clear this is a targeted attack, students will take a higher-level view of their investigation thus far in order to reassess the evidence. They will reexamine their existing evidence, dive deeper into detection strategies for commonly-used living-off-the-land techniques, and elaborate the profile of the attacker’s motivations and intent.

Students will analyze several instances of proprietary data being transferred to different locations within the network and ultimately crossing the perimeter to be successfully exfiltrated to the attacker’s C2 server using a novel, difficult-to-detect technique.

Students will conclude their investigation by writing an appropriate report to the CISO and a more technical report to the incident responders. They will also write a non-technical, short executive summary for senior management of the company.

Skills students will learn

Socratic Arts courses are 100% hands-on, learn-by-doing.

Mentors guide students through a learning experience in which students solve difficult problems, learning just enough, just in time, to succeed. We focus on what students are able to do when they complete the program rather than on the specific knowledge that traditional programs typically try to impart, which might not always be necessary in practice.

During this course, you will learn and practice key SOC analyst skills including:

Prerequisites

Successful completion of Security Operations Center Analyst, Tier 1 or equivalent professional experience working in a security operations center.

Duration

Five weeks working 25 hours per week or 10 weeks working 15 hours per week.

Get this Course

Subscribe & Start Learning

This course is part of our Premium collection of courses. This package is perfect for professionals and teams looking to take their skills to the next level. Gain access to a wide range of sophisticated courses.

Our Basic plan is perfect for students taking their first steps into leadership, IT management, or cybersecurity. Get comfortable. Feel it out. Learn what you love and what you don’t love. Start learning today with a 7 Day Free Trial!