Security Operations (SOC) 101

Learn the fundamentals required to become a SOC Analyst with over 30 hours of training.

Training for a team or organization? Contact us about group access.



Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.


  • Difficulty: Beginner
  • Duration: 30h
  • Access: Included in Membership

Overview

This course aims to equip students with the fundamental security operations knowledge and practical skills needed to obtain and excel in a T1 or T2 SOC Analyst position. By covering topics such as phishing analysis, incident response procedures, threat detection techniques, log analysis, SIEM management, and security tool utilization, students will gain the essential competencies required to effectively monitor, analyze, and respond to security incidents within a SOC environment.

Students will be able to actively engage with the course material through bite-sized video demonstrations, written materials and references, quizzes to assess comprehension, and practical exercises that simulate real-world scenarios.

By the end of the course, participants will be proficient in using various common security tools, analyzing security events and artifacts, handling alert tickets, triaging, and responding effectively to incidents within a SOC. Additionally, the course aims to foster critical thinking skills and encourage both proactive and reactive methodologies, which are pivotal for skilled analysts.

Key Topics

  • Security Operations Fundamentals
  • Phishing Analysis
  • Network Security Monitoring
  • Network Traffic Analysis
  • Endpoint Security Monitoring
  • Endpoint Detection and Response
  • Log Analysis and Management
  • Security Information and Event Management (SIEM)
  • Threat Intelligence
  • Digital Forensics
  • Incident Response


Live Training Available for This Topic

Looking to go deeper? This course aligns with upcoming instructor-led sessions covering real-world applications and guided labs.

Objectives

Learn the Foundations of Security Operations:

  • Understand the foundational principles and practices of security operations.

Analyze Phishing Attacks:

  • Learn techniques for analyzing and identifying phishing attacks.

Monitor Network Traffic:

  • Develop skills in monitoring network traffic for security threats and anomalies.

Analyze Security Events:

  • Develop skills in monitoring and analyzing security events on individual hosts.

How to Use a SIEM:

  • Learn how to effectively use a SIEM for security event correlation, analysis, and incident management.

Leveraging Threat Intelligence:

  • Learn how to leverage threat intelligence to enhance security operations and incident response.

Understand Digital Forensic Processes:

  • Develop an understanding of digital forensics processes, common tools, and methodologies.

Introduction to Incident Response:

  • Understand the procedures and best practices for incident response in a SOC environment.

System Requirements

To get the most out of this course and follow along with the labs, there will be times when two virtual machines (VMs) need to run simultaneously. If resources are limited, you can run one VM at a time and still follow along with the course. Below are the recommended (ideal) specifications. Feel free to adjust based on your own system’s limitations, but these specs will ensure a smoother experience with the course labs.

Processor: 64-bit Intel i5 or i7, 2.0 GHz or higher.

RAM: At least 8 GB (ideally 8-12+ GB) to efficiently run multiple VMs.

Disk Space: 80-100 GB of free storage. SSDs are recommended for better performance.

Prerequisites

Networking Fundamentals:

  • Basic understanding of TCP/IP and OSI models.
  • Knowledge of network concepts such as subnets, internal vs. external IP addresses, network address translation, and routing.
  • Familiarity with common protocols (e.g., SSH, FTP, HTTP, HTTPS).

The foundations and network sections of the course will provide a refresher on these concepts and more, but it would be ideal to have these foundations coming into the course.

Operating System Fundamentals:

  • Basic familiarity with Windows and Linux components.
  • Working with the command line and knowledge of basic commands and navigation (e.g., cd, ls, cat).
  • Troubleshooting skills.

Basic Information Security Concepts:

  • Understanding of foundational security concepts such as the CIA triad, security controls, encryption, and hashing.
  • Basic security appliances and controls (e.g., firewalls, proxies, VPNs, EDR).

The foundations section of the course will provide a comprehensive information security refresher.

Recommended For

This course is aimed at individuals who are looking to pursue a career in cybersecurity (beginners with little or basic cybersecurity knowledge or experience), specifically focusing on defensive security operations within a Security Operations Center (SOC) environment.

This course aims to make students highly marketable, offering an all-encompassing curriculum and digestible content to help them land and thrive in their first security role or advance to a T2 analyst position. The practical exercises included within the course give students tangible skills and experience to discuss during interviews, even if they have no direct experience in a professional SOC role.

Course Curriculum

  • Course Introduction
    • Course Introduction
    • About the Instructor
    • The Modern Adversary
    • The SOC 201 Methodology
    • Course Support
    • ✏️ Quiz – Course Introduction
  • Lab Setup
    • Lab Setup
    • Installing a Hypervisor
    • Installing Ubuntu
    • Configuring Ubuntu
    • Installing Windows
    • Configuring Windows
    • Installing Splunk
    • Configuring the Lab Network
  • Introduction to Incident Response
    • Introduction to Incident Response
    • The Incident Response Process
    • Incident Response: Preparation
    • Incident Response: Identification
    • Incident Response: Containment
    • Incident Response: Eradication
    • Incident Response: Recovery
    • Incident Response: Lessons Learned
    • The OODA Loop
    • Incident Response vs. Threat Hunting
    • ✏️ Quiz – Introduction to Incident Response
  • Introduction to Threat Hunting
    • Introduction to Threat Hunting
    • The Argument for Threat Hunting
    • Threat Hunting Teams
    • Threat Hunting Data Sources
    • The Hunting Maturity Model (HMM)
    • Cyber Threat Intelligence
    • The Cyber Kill Chain
    • The MITRE ATT&CK Framework
    • Exploring MITRE ATT&CK
    • Structured Threat Hunting
    • Unstructured Threat Hunting
    • MITRE ATT&CK Navigator
    • MITRE ATT&CK Navigator: Gap Analysis and Threat Hunting
  • Data Transformation
    • Data Transformation
    • Data Transformation: Searching
    • Searching in the Command-Line
    • Searching in PowerShell
    • Searching in Splunk
    • Data Transformation: Aggregations
    • Aggregations in the Command-Line
    • Aggregations in PowerShell
    • Aggregations in Splunk
    • Data Transformation: Statistics
    • Statistics in the Command-Line
    • Statistics in PowerShell
    • Statistics in Splunk
    • Data Transformation: Visualizations
    • Visualizations in Splunk
    • ✏️ Quiz – Introduction to Threat Hunting
  • Understanding Anomalies
    • Understanding Anomalies
    • Categorizing Anomalies
    • Masquerading
    • Ambiguous Identifiers
    • Frequency & Volume Anomalies
    • Temporal Anomalies
    • Location & Environment Anomalies
    • Structure & Format Anomalies
    • Obfuscated PowerShell Analysis
    • Entropy Analysis
    • Alternate Data Stream (ADS) Analysis
    • Absence & Suppression Anomalies
    • ✏️ Quiz – Understanding Anomalies
  • Dissecting Threat Reports
    • Dissecting Threat Reports
    • Breaking Down Attack Steps
    • Mapping Steps to Artifacts
    • Mapping Artifacts to Evidence Sources
    • Visualizing with MITRE ATT&CK Navigator
    • Intrusion Analysis Resources
  • Threat Hunting Lab
    • Tracing an Attack Chain
    • Hunting Execution Artifacts
    • Hunting PowerShell Execution
    • Hunting Cmd Execution
    • Hunting Process Trees
    • Hunting Persistence Artifacts
    • Hunting Persistence: Registry Run Keys
    • Hunting Persistence: Lookup Tables
    • Hunting Defense Evasion Artifacts
    • Hunting Command and Control (C2) Artifacts
    • Hunting C2: Ingress Tool Transfer (LOLBAS)
    • Hunting C2: Ingress Tool Transfer (File System Events)
    • Hunting C2: Ingress Tool Transfer (Network Connection Events)
    • Hunting Lateral Movement Artifacts
    • Hunting Lateral Movement: PsExec (Service Creation)
    • Hunting Lateral Movement: PsExec (Reversing Regex)
    • Hunting Lateral Movement: PsExec (Named Pipes)
    • Module Recap
  • Collection at Scale
    • Introduction to Collection
    • Introduction to WMI
    • Collection with WMIC
    • WMIC Collection and Filter Examples
    • Remote Collection with WMIC
    • Scripting WMI Collection
    • WMI Automated Collection Frameworks
  • PowerShell 101
    • Introduction to PowerShell
    • PowerShell 101
    • PowerShell 101: Cmdlets
    • PowerShell 101: Aliases
    • PowerShell 101: Objects and the Pipeline
    • PowerShell 101: Selecting, Sorting, and Formatting
    • PowerShell 101: Providers
    • PowerShell 101: Variables and Data Types
    • PowerShell 101: Control Flow
    • Working with WMI and CIM
    • ✏️ Quiz – PowerShell 101
  • PowerShell for Incident Response
    • Live Incident Response Using PowerShell
    • PowerShell Incident Response Cheat Sheet
    • PowerShell Remoting
    • PS Remoting: One-to-One Remoting
    • PS Remoting: One-to-Many Remoting
    • PS Remoting: Script Execution at Scale
    • PowerShell Authentication
    • Malicious PowerShell Usage
    • Introduction to the Kansa IR Framework
    • Kansa: Modules
    • Kansa: Remote Collection (Part 1)
    • Kansa: Remote Collection (Part 2)
    • Kansa: Collection Analysis
    • Collection and Analysis Challenge
    • Collection Analysis Challenge Walkthrough
  • Conclusion
    • Course Wrap Up
    • Next Steps: The Practical SOC Analyst Professional Certification

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Security Operations SOC 101, every other paid Academy course, and an active community of learners and mentors in Discord.

INSTRUCTORS

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Andrew Prince

Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security.

With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation.

Prepare for the Practical SOC Analyst Associate (PSAA) Exam

The PSAA certification will assess a student’s ability to use analysis tools, interpret artifacts, and apply investigation methodologies to evaluate security incidents and retrace attacks.

Pair the Security Operations (SOC) 101 course with the PSAA exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are some of our most commonly asked questions; contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform, and unfortunately it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.
