Security Operations (SOC) 101

Learn the fundamentals required to become a SOC Analyst with over 30 hours of training.

Training for a team or organization? Contact us about group access.


Inside the Course

Scroll down to explore the skills you’ll build, the techniques you’ll master, and the requirements to get started.

Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.

Questions?

If you need clarification on the course or its requirements, simply use the chat button below and our team will assist you.

  • Difficulty: Beginner
  • Duration: 30h
  • Access: Included in Membership

Overview

This course aims to equip students with the fundamental security operations knowledge and practical skills needed to obtain, and excel in, a T1 or T2 SOC Analyst position. By covering topics such as phishing analysis, incident response procedures, threat detection techniques, log analysis, SIEM management, and security tool utilization, students will gain the essential competencies required to effectively monitor, analyze, and respond to security incidents within a SOC environment.

Students will be able to actively engage with the course material through bite-sized video demonstrations, written materials and references, quizzes to assess comprehension, and practical exercises that simulate real-world scenarios.

By the end of the course, participants will be proficient in using various common security tools, analyzing security events and artifacts, handling alert tickets, triaging, and responding effectively to incidents within a SOC. Additionally, the course aims to foster critical thinking skills and encourage both proactive and reactive methodologies, which are pivotal for skilled analysts.

Key Topics

  • Security Operations Fundamentals
  • Phishing Analysis
  • Network Security Monitoring
  • Network Traffic Analysis
  • Endpoint Security Monitoring
  • Endpoint Detection and Response
  • Log Analysis and Management
  • Security Information and Event Management (SIEM)
  • Threat Intelligence
  • Digital Forensics
  • Incident Response


Live Training Available for This Topic

Looking to go deeper? This course aligns with upcoming instructor-led sessions covering real-world applications and guided labs.

Objectives

Learn the Foundations of Security Operations:

  • Understand the foundational principles and practices of security operations.

Analyze Phishing Attacks:

  • Learn techniques for analyzing and identifying phishing attacks.

Monitor Network Traffic:

  • Develop skills in monitoring network traffic for security threats and anomalies.

Analyze Security Events:

  • Develop skills in monitoring and analyzing security events on individual hosts.

How to Use a SIEM:

  • Learn how to effectively use a SIEM for security event correlation, analysis, and incident management.

Leveraging Threat Intelligence:

  • Learn how to leverage threat intelligence to enhance security operations and incident response.

Understand Digital Forensic Processes:

  • Develop an understanding of digital forensics processes, common tools, and methodologies.

Introduction to Incident Response:

  • Understand the procedures and best practices for incident response in a SOC environment.

System Requirements

To get the most out of this course and follow along with the labs, there will be times when two virtual machines (VMs) need to run simultaneously. If resources are limited, you can run one VM at a time and still follow along with the course. Below are the recommended (ideal) specifications. Feel free to adjust based on your own system’s limitations, but these specs will ensure a smoother experience with the course labs.

Processor: 64-bit Intel i5 or i7, 2.0 GHz or higher.

RAM: At least 8 GB; 12 GB or more is ideal for running two VMs at once.

Disk Space: 80-100 GB of free storage. SSDs are recommended for better performance.

Prerequisites

Networking Fundamentals:

  • Basic understanding of TCP/IP and OSI models.
  • Knowledge of network concepts such as subnets, internal vs. external IP addresses, network address translation, and routing.
  • Familiarity with common protocols (e.g., SSH, FTP, HTTP, HTTPS).

The foundations and network sections of the course will provide a refresher on these concepts and more, but it would be ideal to have these foundations coming into the course.

Operating System Fundamentals:

  • Basic familiarity with Windows and Linux components.
  • Working with the command-line and knowledge of basic commands and navigation (e.g., cd, ls, cat).
  • Troubleshooting skills.

Basic Information Security Concepts:

  • Understanding of foundational security concepts such as the CIA triad, security controls, encryption, and hashing.
  • Basic security appliances and controls (e.g., firewalls, proxies, VPNs, EDR).

The foundations section of the course will provide a comprehensive information security refresher.

Recommended For

This course is aimed at individuals who are looking to pursue a career in cybersecurity (beginners with basic or little cybersecurity knowledge or experience), specifically focusing on defensive security operations within a Security Operations Center (SOC) environment.

This course aims to be extremely marketable, offering an all-encompassing curriculum and digestible content to help students secure and thrive in their first security role or advance to a T2 analyst position. The practical exercises included within the course provide students with tangible skills and experience to discuss during interviews, even if they have no direct experience in a professional SOC role.

Course Curriculum

  • Introduction
    • Course Introduction
    • Prerequisites and Course Resources
    • Course Discord and Support
    • Join the TCM Discord
  • Lab Setup
    • Installing Oracle VM VirtualBox
    • Installing Windows
    • Configuring Windows
    • Installing Ubuntu
    • Configuring Ubuntu
    • Configuring the Lab Network
  • Security Operations Fundamentals
    • The SOC and Its Role
    • Day in the Life of a SOC Analyst
    • Information Security Refresher
    • SOC Models, Roles, and Organizational Structures
    • Incident and Event Management
    • SOC Metrics
    • SOC Tools
    • Common Threats and Attacks
    • ✏️ Quiz – Security Operations Fundamentals
  • Phishing Analysis
    • Introduction to Phishing
    • Email Fundamentals
    • Phishing Analysis Configuration
    • Phishing Attack Types
    • Phishing Attack Techniques
    • Email Analysis Methodology
    • Email Header and Sender Analysis
    • Email Authentication Methods
    • Email Content Analysis
    • The Anatomy of a URL
    • Email URL Analysis
    • Email Attachment Analysis
    • Dynamic Attachment Analysis and Sandboxing
    • Static MalDoc Analysis
    • Static PDF Analysis
    • Automated Email Analysis with PhishTool
    • Reactive Phishing Defense
    • Proactive Phishing Defense
    • Documentation and Reporting
    • Phishing Analysis Challenge 1
    • Phishing Analysis Challenge 2
    • Phishing Analysis Challenge 3
    • Additional Practice
    • ✏️ Quiz – Phishing Analysis
  • Network Security
    • Introduction to Network Security
    • Network Security Theory
    • Packet Capture and Flow Analysis
    • Introduction to tcpdump
    • tcpdump: Capturing Network Traffic
    • tcpdump: Analyzing Network Traffic
    • tcpdump: Analyzing Network Traffic (Sample 2)
    • tcpdump Challenge 1
    • Introduction to Wireshark
    • Wireshark: Capture and Display Filters
    • Wireshark: Statistics
    • Wireshark: Analyzing Network Traffic
    • Wireshark Challenge 1
    • Intrusion Detection and Prevention Systems
    • Introduction to Snort
    • Snort: Reading and Writing Rules
    • Snort: Intrusion Detection and Prevention
    • Snort Challenge 1
    • Additional Practice
    • ✏️ Quiz – Network Security
  • Endpoint Security
    • Introduction to Endpoint Security
    • Endpoint Security Controls
    • Creating Our Malware
    • Windows Network Analysis
    • Windows Process Analysis
    • Windows Core Processes (Part 1)
    • Windows Core Processes (Part 2)
    • The Windows Registry
    • Windows Autoruns (Part 1)
    • Windows Autoruns (Part 2)
    • Windows Service Analysis
    • Windows Scheduled Tasks
    • Windows Endpoint Analysis Challenge 1
    • Windows Event Logs
    • Windows Events Challenge 1
    • Introduction to Sysmon
    • Sysmon Events
    • Linux Network Analysis
    • Linux Process Analysis
    • Linux Cron Jobs
    • Linux Endpoint Analysis Challenge 1
    • Introduction to LimaCharlie
    • LimaCharlie: Endpoint Detection and Response
    • LimaCharlie: Deploying Endpoint Agents
    • ✏️ Quiz – Endpoint Security
  • Security Information and Event Management (SIEM)
    • Introduction to SIEM and Log Management
    • SIEM Architecture
    • SIEM Deployment Models
    • Log Types
    • Log Formats
    • Common Attack Signatures: User Behavior
    • Common Attack Signatures: SQL Injection
    • Common Attack Signatures: Cross-Site Scripting
    • Common Attack Signatures: Command Injection
    • Common Attack Signatures: Path Traversal and Local File Inclusion
    • Command Line Log Analysis
    • Pattern Matching
    • Structured Log Analysis
    • Log Analysis Challenge 1
    • Introduction to Splunk
    • Splunk: Initial Walkthrough
    • Splunk: Importing and Exploring Events
    • Splunk: Search Processing Language (SPL)
    • Splunk: Search Commands
    • Splunk: Reports and Alerts
    • Splunk: Creating Dashboards
    • [Live] Splunk: Website Defacement Investigation
    • Splunk: Ransomware Challenge
    • Splunk: Deploying a Forwarder and Generating Real-Time Alerts
    • Section Cleanup
    • ✏️ Quiz – SIEM
  • Threat Intelligence
    • Introduction to Threat Intelligence
    • Types of Threat Intelligence
    • The Threat Intelligence Cycle
    • The Diamond Model of Intrusion Analysis
    • The Cyber Kill Chain
    • The Pyramid of Pain
    • MITRE ATT&CK
    • MITRE ATT&CK Challenge 1
    • Introduction to YARA
    • YARA: Reading and Writing Rules (Part 1)
    • YARA: Reading and Writing Rules (Part 2)
    • YARA Challenge 1
    • Introduction to MISP (Malware Information Sharing Platform)
    • MISP: Event Management
    • MISP: Ingesting Threat Intelligence Feeds
    • ✏️ Quiz – Threat Intelligence
  • Digital Forensics
    • Introduction to Digital Forensics
    • The Digital Forensics Investigation Process
    • Order of Volatility
    • Chain of Custody
    • Introduction to FTK Imager
    • FTK Imager: Forensic Image Acquisition
    • FTK Imager: Memory Acquisition
    • Common Windows Forensic Artifacts
    • Windows Forensic Artifacts: User and System
    • Windows Forensic Artifacts: Files
    • Windows Forensic Artifacts: Program Execution
    • LNK Files, Prefetch Files, and Jump Lists
    • Windows Forensic Artifact Triage
    • ✏️ Quiz – Digital Forensics
  • Incident Response
    • Introduction to Incident Response
    • Incident Response Frameworks
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Lessons Learned
    • ✏️ Quiz – Incident Response
  • Conclusion
    • Course Wrap Up
    • Next Steps: Practical SOC Analyst Associate (PSAA)
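The SIEM section above lists "Common Attack Signatures" for SQL injection, cross-site scripting, command injection and path traversal alongside "Command Line Log Analysis" and "Pattern Matching", but only as lesson titles. As an added example (not material from the course or from TCM Security), the script below shows the kind of signature-based log triage those lessons refer to: it parses Apache/Nginx combined-format access log lines, percent-decodes the request path twice so double-encoded payloads become visible, and tags each request with the signature families it matches. The log lines are constructed for illustration, and the regular expressions, field names and function names are all assumptions of this example rather than anything the course prescribes.

```python
"""Signature-based triage of web access logs for common attack patterns.

Added example. The sample log lines below are constructed, not real traffic,
and the signatures are intentionally narrow starting points, not a ruleset.
"""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format. Group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One regex per signature family named in the curriculum. Tune to the
# application: a search box that legitimately accepts "select" must not
# page an analyst, so the SQLi pattern insists on more than a keyword.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)|--\s*$|/\*.*\*/)"
    ),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
    "cmdi": re.compile(r"(?:;|\||&&|`|\$\()\s*(?:cat|ls|id|whoami|wget|curl|nc|bash|sh)\b"),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/environ|php://)", re.I),
}


def normalise(path: str) -> str:
    """Percent-decode twice so double-encoded payloads (%252e%252e%252f) surface.

    A single decode leaves "%2e%2e%2f" in place and the traversal pattern
    would never fire on it.
    """
    return unquote(unquote(path))


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str):
    """Return the list of signature families matched by the decoded request path."""
    decoded = normalise(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def triage(lines):
    """Run every line through the parser and signatures; keep only what needs eyes.

    Unparseable lines are kept too: a line that does not fit the format is
    itself worth a look (log tampering, a misconfigured source, or an attack
    that broke the logger).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"ip": None, "path": line, "tags": ["unparsed"]})
            continue
        tags = classify(rec["path"])
        if tags:
            findings.append({"ip": rec["ip"], "path": rec["path"], "tags": tags})
    return findings


# Constructed sample log (documentation/TEST-NET addresses, invented requests).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:13:01:02 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:13:02:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:13:02:11 +0000] "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:13:03:30 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:13:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:13:04:05 +0000] "GET /search?q=select+a+product HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip'] or '-':>14}  {','.join(f['tags']):<16} {f['path']}")
```

Two things the output makes visible that the lesson titles alone do not: the double-encoded traversal on line four is only caught because the path is decoded twice, and the benign search for "select a product" is not flagged because the SQLi signature requires more than a keyword. In a real SOC these regexes would be one input to an alert, never the verdict; the status code, the source IP's other requests and the response size all belong in the triage.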

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Security Operations (SOC) 101, every other paid Academy course, and an active community of learners and mentors in Discord.

INSTRUCTORS

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Andrew Prince


Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security.

With a professional background in development and system administration, Andrew offers a well-rounded perspective on security strategy. He works across both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing Capture the Flag challenges, creating security training, and sharing knowledge through content creation.

Prepare for the Practical SOC Analyst Associate (PSAA) Exam

The PSAA certification will assess a student’s ability to use analysis tools, interpret artifacts, and apply investigation methodologies to evaluate security incidents and retrace attacks.


Pair the Security Operations (SOC) 101 course with the PSAA exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are a couple of our most commonly asked questions, contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.
