SOC Threat Analyst


What will you learn?

  • Mindset of the SOC Analyst, the analytical process and collaboration skills, fully integrated in the hands-on exercises
  • Real-life experience in a Virtual SOC with ITSM and CMDB, SOC Ticketing system, Network and Asset Modelling, SIEM (Splunk and Elastic), Threat Intelligence platform, Packet capture and analysis, Automation tools, Incident Response tool and XDR, deployed and set up to work together
  • Deep investigations on escalated events and incidents, and Advanced Persistent Threat analysis
  • Perform Network and Asset Modelling and Risk Analysis
  • Improve threat detection and security monitoring capabilities and conduct blind spot detection assessments
  • Structure a full Threat Hunting campaign to detect threats that will inevitably slip through defenses, and respond rapidly and accordingly
  • Use the knowledge of attacker techniques and discovered IOCs to create alerts and rules that proactively detect both in the future
  • Work with a real Threat Intelligence platform and use it for situational awareness
  • Dive deep into the Incident Response process with hands-on investigation tasks

Information

  • 5 days of training
  • 24 hours of self-study

About the SOC Threat Analyst course

The SOC Threat Analyst course was designed for SOC Analysts who are aiming to progress into a more senior role. More than that, it is structured in a realistic way that prepares you for a new SOC paradigm: dynamic learning, top-notch automation and ITIL-based SOC services. This course offers you hands-on practice with the modern MDR technology stack and its evolved processes, and trains you to conduct deep investigations on escalated events and incidents and to perform Advanced Persistent Threat analysis. It also aims to shift you towards a more proactive defense role in the SOC. You will exercise Network and Asset Modelling as a basis for both risk-based log ingestion strategies and investigation prioritisation. You will improve threat detection and security monitoring capabilities using MaGMa and SIGMA rules, conduct blind spot detection assessments, and structure full Threat Hunting campaigns to detect threats that will inevitably slip through defenses and respond rapidly and accordingly. You will close the loop by using the knowledge of attacker techniques and the IOCs discovered in your investigations to create alerts and rules that proactively detect both in the future, and by working with a real Threat Intelligence platform for situational awareness. This course is extremely hands-on: exercises are conducted in CTF format in a Virtual SOC environment. The SOC offers a fully integrated toolset, set up to work together to recreate your workplace environment as closely as possible:

  • ITSM and CMDB
  • Network and Asset Modelling
  • A SOC Ticketing System
  • SIEM (Splunk and Elastic)
  • A Threat Intelligence platform
  • Packet capture and analysis
  • Automation tools
  • An Incident Response tool
  • XDR

Who should attend?

This training is designed for SOC Analysts who are aiming to progress into a more senior role, and for SOC teams that want to set a baseline requirement for their Threat Analysts. This course offers a unique combination of the mindset, knowledge and skills required of a Threat Analyst, immediately applied in a realistic work environment. To join this class, we recommend a minimum of 1 year of experience as a SOC Analyst. If you don't have this experience, we recommend you take the SOC Associate Analyst training. When in doubt, feel free to connect with us for advice.

What’s included?

• Training from some of the world's most passionate and experienced experts in security operations
• Virtual SOC with ITSM, CMDB, SIEM, SOC Ticketing System, Threat Intel Platform, Packet capture and analysis, Automation Tools, Incident Response tool and XDR, integrated and set up to work together
• Official SECO-Institute course materials
• Pre-course preparation kit
• Exam voucher

 Why SECO-Institute?

This training was developed by an international group of SOC Managers and the SOC Director of one of the world’s leading MDR SOC Providers and is based on the requirements that they have set for their own teams. Our accredited trainers have been involved in building, managing and maturing SOC/CSIRT Teams, worked on large-scale international cyber investigations, and participated in responding to attacks from renowned campaigns and cyber criminals. Equally important, they fully identify with SECO’s vision that passion, mindset and collaboration are crucial to the success of the SOC as a whole as well as the success and the satisfaction of the defenders employed.

 

Course modules

 

Module 1 – Setting the Stage: The MDR SOC and the Threat Analyst

This module gives students a strategic view of the current SOC (known as the Next Generation SOC and, more recently, MDR), the different ways an MDR SOC can be structured, and the actions that must be taken to run and continuously improve a scalable and effective SOC based on the SOC Implementation Model and the SOC Maturity Model. Students will acquire the mindset to work in an MDR SOC, considering technology, processes, roles, tasks and services, and will work on a business case in which they are assigned tasks to process within a virtual SOC via ITSM in a "Capture the Flag" format. You will be asked to identify the SOC's business drivers and customers, roles and responsibilities, and to utilise MDR components and technologies in order to accomplish the SOC's mission. You will create relevant SOC metrics.

1.1. SOC Services evolution to MDR and the impact on the Threat Analyst role
• Cloud SOC
• On-prem SOC
• Strategic SOC
1.2. MDR Service Operations
• ITIL Service Management
• Threat Modeling
• Threat Analysis
• Threat Hunting
• Threat Intelligence to discover, share, store and correlate Indicators of Compromise or targeted attacks
• Create and improve security monitoring and threat detection use cases
• Conduct blind spot detection assessments
• Automate SOC processes
• Respond rapidly to Incidents
1.3. Business
• New Drivers
• Customers
• New governance
• New privacy regulation
• SOC Metrics
1.4. People
• New roles and hierarchy
• Training and Knowledge Management
• SOC Career progression
• Assessing the SOC team

Frameworks, best practices for this module (Hands-on):
• SOC Maturity Model
• SOC Implementation Model
• The Library of Cyber Resilience Metrics
• NIST NICE

Module 2 – Attacker Tactics and Techniques in-depth

While junior and medior SOC Analysts are expected to have a thorough understanding of attacker techniques, the Threat Analyst must master them. This module dives deep into the MITRE ATT&CK Framework: its different environments (matrices), the ATT&CK Navigator, the associated tactics and techniques, and how to work with them alongside the Cyber Kill Chain. Students will integrate this knowledge and apply it throughout the training.

2.1. MITRE ATT&CK Framework (Hands-on)
2.2. MITRE ATT&CK Navigator (Hands-on)
2.3. Cyber Kill Chain (Hands-on)

 

Module 3 – Key toolset of the Threat Analyst: Introduction to SECO's Virtual SOC

This module gives students a hands-on introduction to the Virtual SOC they will be working in throughout the course, and to how the various deployed tools and technologies work together. Throughout the module, students will work on a business case in which they are assigned tasks to process.

3.1. ITSM and CMDB (Hands on)
3.2. SOC Ticketing System (Hands on)
3.3. SIEM (Hands on)
3.4. Threat Intelligence platform (Hands on)
3.5. Packet capture and analysis
3.6. Automation tools
3.7. Incident Response tool
3.8. Security Automation tool and scripts
3.9. Rapid Response

 

Module 4 – Network and Asset Modelling, Log Ingestion Strategies, SIEM and Threat Investigation

This module starts with an exercise in Network and Asset Modelling and Risk Analysis. Students will model the network they are assigned to monitor and protect in our Virtual SOC; label, classify and document the assets using the CMDB module of their ITSM; and conduct risk analysis on those assets. They will create log ingestion strategies to set up the best visibility for detecting cyberattacks, and conduct detection assessments to find detection blind spots. Students will ingest several types of logs into the SIEM instances to enable quick searches and investigation of events, configure ITSM modules to define SOC services, investigate escalated threats and create alerts to proactively detect the associated attacker techniques. Throughout the module, students will receive assignments on a virtual ITSM system as in a real SOC, work on both Splunk and Elastic SIEM, and interact with their SOC mates on investigation, escalation and hand-over activities.

4.1. Network Modelling, Asset Modelling, Risk Analysis (Hands-on)
4.2. Logging, Log sources, Log ingestion (Hands-on)
4.3. Blind Spot Detection Assessment (Hands-on)
4.4. ITSM and defining SOC Services conforming to ITIL (Hands-on)
4.5. Threat Analysis (Hands-on)

• SIEM (Hands-on)
• Threat Analysis, correlation and Attack Techniques (Hands-on)
• Alerting, Reporting, Dashboarding and Escalating (Hands-on)

Frameworks, best practices for this module (Hands-on):
Students will explore in depth the different frameworks and best practices used when investigating threats, and will apply their structure and naming conventions when documenting investigations in the ticketing system. Students will understand how the process and labelling conventions work across different SOC areas, services, modules and technologies, and how to scale them up.

  • Cyber Kill Chain versus MITRE ATT&CK Framework
  • OODA loop
  • Diamond model of intrusion analysis
  • ITIL best practices for the SOC

Module 5 – Monitoring Use Cases and Threat Intelligence

Building on their acquired knowledge of attack tactics and techniques, students will create security monitoring and threat detection use cases in both Splunk and Elastic environments, and will use the MaGMa UCF to measure, maintain, improve, scale and manage the SOC use case library. They will analyse the structure of SIGMA rules and create, maintain, scale and improve their own rules. Students will dive into the Threat Intelligence process and use it in a real case scenario for situational awareness, threat investigation and detection, using a real Threat Intelligence Platform (MISP). These investigations are extended to the Dark Web for Threat Intelligence purposes. During the hands-on practice, students will discover, share, store and correlate Indicators of Compromise of targeted attacks, financial fraud information, vulnerability information and threat actors. The hands-on section prepares students for a complex homework assignment they will complete after this module.

5.1. MITRE ATT&CK applied to monitoring, detection and threat intelligence
5.2. Security Monitoring and Threat Detection Use Cases (Hands-on)

• Security Monitoring
• Threat Detection
• Use Case Development
• MaGMA UCF
5.3. SIGMA Rules (Hands-on)
5.4. Threat Intelligence (Hands-on)

• Types
• Protocols
• Standards
• Feeds
• Platforms
• STIX/TAXII/OpenIoC
5.5. Threat Intelligence on the Dark Web (Hands-on)

Frameworks, best practices for this module (Hands-on):
• CSAN Threat Actors
• Threat intelligence protocols and standards
• Pyramid of Pain and TTPs
• Cyber Kill Chain versus MITRE ATT&CK
• OODA loop
• Diamond model of intrusion analysis
• Chatham House Rule
• MaGMa and MaGMa UCF Tool
• MISP
• NIST NICE
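As an added illustration of the SIGMA rule structure this module refers to (example code written for this page, not SECO-Institute course material and not the Sigma project's own code): a hypothetical Sigma-style rule for encoded PowerShell command lines, kept as a Python dict that mirrors the YAML fields of a real rule (title, logsource, detection with selection/filter/condition, tags, level), evaluated over four constructed Sysmon-style process-creation events. Real deployments convert Sigma rules to Splunk or Elastic queries with pySigma/sigma-cli; this evaluator implements only the value modifiers (contains, startswith, endswith) and the condition grammar the rule uses.

```python
"""Minimal Sigma-style rule evaluator run over constructed process-creation events.

Added example for this page, not SECO-Institute course material and not the
Sigma project's own code. RULE is hypothetical; EVENTS are constructed.
"""

# Sigma semantics reproduced here: string matching is case-insensitive,
# list values inside one field are OR-ed, fields within one selection are AND-ed.
RULE = {
    "title": "Suspicious encoded PowerShell command line",
    "status": "experimental",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-ec "],
        },
        # Assumed exclusion: a deployment agent that legitimately launches
        # encoded PowerShell in this hypothetical environment.
        "filter_deploy_agent": {"ParentImage|endswith": "\\SCCMAgent.exe"},
        "condition": "selection and not filter_deploy_agent",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
    "level": "high",
}

# Constructed Sysmon-style events. "SQBFAFgA" is just "IEX" as UTF-16LE base64.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgA",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # should alert
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},                       # not encoded
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ec SQBFAFgA",
     "ParentImage": "C:\\Program Files\\ConfigMgr\\SCCMAgent.exe"},     # excluded by filter
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc", "ParentImage": "C:\\Windows\\explorer.exe"},  # wrong image
]


def _match_value(field_value, modifier, pattern):
    """Apply one Sigma value modifier; no modifier means exact (case-insensitive) match."""
    fv, p = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in fv
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "endswith":
        return fv.endswith(p)
    return fv == p


def _match_selection(selection, event):
    """All fields in a selection map must match; a list of patterns is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], modifier, p) for p in patterns):
            return False
    return True


def _eval_condition(tokens, results):
    """Recursive-descent evaluation of: expr := term ('or' term)*;
    term := factor ('and' factor)*; factor := 'not' factor | '(' expr ')' | NAME."""
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():
        v = term()
        while peek() == "or":
            take()
            t = term()          # always evaluate so the parser advances
            v = v or t
        return v

    def term():
        v = factor()
        while peek() == "and":
            take()
            f = factor()
            v = v and f
        return v

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        if tok not in results:
            raise ValueError(f"unknown identifier in condition: {tok!r}")
        return results[tok]

    v = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return v


def evaluate(rule, event):
    """True if the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    tokens = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
    return _eval_condition(tokens, results)


def run_rule(rule, events):
    """Return the indices of events that would raise an alert for this rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']} -> event {i}: {EVENTS[i]['CommandLine']}")
```

Only the first event alerts: the second has no encoding flag, the third is suppressed by the filter, and the fourth is not PowerShell. The filter is the part to audit in a real SOC, since a parent-process exclusion is exactly where an attacker who has spoofed or hijacked the deployment agent would hide.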

Module 6 – Threat Hunting and Defense

Module 6 starts with an in-depth treatment of TTPs and the MITRE ATT&CK Framework. Students will collect IoCs and structure a full Threat Hunting campaign: they will formulate their own hypothesis and either confirm or discard it after cross-correlating events, determining their context, and identifying and quantifying vulnerabilities using Splunk, Elastic and MISP. Students will track and document the entire process in their ITSM tool, just as next generation SOCs do. Once the threats are hunted, students will create their own rules to be shared and report the findings of their assignments. Finally, after an in-depth analysis, they will translate their technical findings into a management summary and deliver a board-level presentation.

6.1. Pyramid of Pain (Hands-on)
6.2. TTPs (Hands-on)
6.3. Threat Hunting Methodologies (Hands-on)

• Cyber Threat Hunting Framework
• TaHiTI
• The Hunting Loop
6.4. The Hunt Matrix (Hands-on)
6.5. The Defense Chain
6.6. Detection Feedback
6.7. Advanced Persistence Defense
6.8. Snort/Zeek Rules (Hands-on)

Frameworks, best practices, references for this module:
• Threat intelligence protocols and standards
• Pyramid of Pain and The Hunt Loop
• Cyber Kill Chain versus MITRE ATT&CK Framework
• The Defense Chain
• OODA loop, Diamond model of intrusion analysis
• MaGMa, MaGMa UCF Tool
• MISP
• NIST NICE

Module 7 – Incident Response

Our last module is built around the PICERL incident response model and the NIST Computer Security Incident Handling Guide. You will be able to evaluate the policies that govern incident response, incident response plans, the procedures you should have in place, and the tools and technologies you need to handle an incident. From there, the incident response process and activities are practised, including declaration, analysis, escalation and reporting, in two exercises where students are assigned, via the ITSM tool, to manage an incident from preparation to post-incident evaluation. The hands-on section is based on a platform that provides endpoint-driven information security tools and infrastructure to help you investigate, process and lead incident response in our virtual SOC. We will prepare students for a complex homework assignment that they will complete after this module and that will be part of their exam.

7.1. Preparation Phase (Hands-on)
• Policies
• IR Plan
• IR procedures
• Playbooks
7.2. Identification/Detection (Hands-on)
• Memory Analysis
• Disk Analysis
• Malware Analysis (YARA)
• Network Analysis
7.3. Containment
• Systems
• Network
• Users
• Services
• Cloud
7.4. Eradication
• Systems
• Network
• Users
• Services
• Cloud
7.5. Recovery
• Systems
• Data
7.6. Lessons Learned (Hands-on)
7.7. Dissemination and Security Awareness

About the Exam

  1. Homework assignment in CTF format
    The hands-on section on the last day of training prepares you for a complex, hands-on homework assignment in a Capture the Flag format that will be part of your exam and certification. You must finalise your assignment before you can schedule your exam.
  2. Exam
    Language: English
    Delivered: Online via a certified proctor
    10 multiple choice questions
    5 open questions related to your CTF homework assignment
    1 case
    Time: 120 minutes

Practical Information

  • Course times: 9 am to approximately 4:30 pm. The coffee is ready at 8:30.
  • Lunch is included and consists of a buffet with, among other things, fresh sandwiches. Do you have allergies or dietary requirements? Please communicate this in time.
  • Training location:
    Quinten Matsijslei 25
    2018 Antwerp
    Belgium
  • By participating in a course or training you agree with our terms and conditions
