A Security Operations Center Analyst (SOC Analyst) stands as a front line of defense against the ever-present cyber threats organizations face today. A SOC team keeps an organization's digital assets secure and protected from unauthorized access by monitoring and responding to massive amounts of data in record time. In this role, you will protect your organization's infrastructure by monitoring data to identify suspicious activity and mitigating risks before a breach occurs. Other responsibilities of a SOC analyst include log analysis, reporting ongoing or potential security threats, and creating disaster recovery plans according to the organization's needs. The Become a SOC Analyst - Level 1 career path will equip you to break into the field with skills aligned to the US National Institute of Standards and Technology's Cyber Defense Analyst NICE work role.
Course Objectives:
In this course, you will learn to:
- Apply technical strategies, tools, and techniques to secure your organization's data
- Understand threats and provide countermeasures
- Understand network forensics and incident response in depth
- Gain cybersecurity industry knowledge
- Analyze and classify malware
Course content
1. Security Operations Centre
Introduction to SOC
- Building a successful SOC
- Functions of SOC
- Heart of SOC: SIEM
- Gartner's Magic Quadrant
- SIEM guidelines and architecture
ELK Stack:
- Introduction and overview of Elastic SIEM
- User interface
- Using Elastic SIEM as part of alert investigations or interactive threat hunting
- MDR vs. traditional SIEM, and other solutions
- Elasticsearch: architecture, Curator fundamentals
- Index templates for routing and mapping
- Kibana: configuration, policies, visualization
- Deep dive into log architecture, parsing, and alerts
Security Onion
- What is Security Onion?
- Monitoring and analysis tools
- Security Onion Architecture
- Deployment types
- Installing a standalone server: checking system services with sostat, Security Onion web browser tools, Security Onion terminal
- Replaying traffic on a standalone server
Splunk In-Depth
- Industry requirements for Splunk in various fields
- Splunk terminologies, search processing language, and various industry use cases
AlienVault OSSIM fundamentals
- AlienVault fundamentals and architecture deployment
- Vulnerability scanning & monitoring with OSSIM
Introduction to QRadar
- IBM QRadar SIEM component architecture and data flows
- Using the QRadar SIEM User Interface
Fun with logs
- Working with offenses triggered by events
- Working with offenses triggered by flows
Monitoring
- Monitor QRadar notifications and error messages
- Monitor QRadar performance
- Review and interpret system monitoring dashboards
- Investigate suspected attacks and policy breaches
- Search, filter, group, and analyze security data
Tools exposure provided in the above section:
- Security Onion
- ELK Stack
- Sguil
- Wireshark
- Splunk
- AlienVault OSSIM
- IBM QRadar CE
2. Digital Forensics
Introduction to Digital Forensics
- Section Introduction
- What is Digital Forensics?
  - Collecting evidence typically related to cybercrime
- Digital Subject Access Requests
- Computer Forensics Process
  - Identification, preservation, collection, examination, analysis, reporting
- Working with Law Enforcement
  - The difference between an internal security issue and one that requires external assistance
Forensics Fundamentals
- Section Introduction
- Introduction to Data Representation
  - Hexadecimal, octal, binary files vs. text files; timestamp formats: UNIX epoch, Mac, Chrome, Windows, FILETIME
- Hard Drive Basics
  - Platters, sectors, clusters, slack space
- SSD Drive Basics
  - Garbage collection, TRIM, wear leveling
- File Systems
  - FAT16, FAT32, NTFS, EXT3/EXT4, HFS+/APFS
- Metadata & File Carving
- Memory, Page File, and Hibernation File
- Order of Volatility
Evidence Forms
- Section Introduction
- Volatile Evidence
  - RAM, cache, register contents, routing tables, ARP cache, process table, kernel statistics, temporary file system/swap space
- Disk Evidence
  - Data on hard disk or SSD
- Network Evidence
  - Remotely logged data, network connections/NetFlow, PCAPs, proxy logs
- Web & Cloud Evidence
  - Cloud storage/backups, chat rooms, forums, social media posts, blog posts
- Evidence Forms
  - Laptops, desktops, phones, hard drives, tablets, digital cameras, smartwatches, GPS
Chain of Custody
- Section Introduction
- What is the Chain of Custody?
- Why is it Important?
  - In regard to evidence integrity and examiner authenticity
- Guide for Following the Chain of Custody
  - Evidence collection, reporting/documentation, evidence hashing, write-blockers, working on a copy of the original evidence
Windows Investigations
- Section Introduction
- Artefacts
  - Registry, event logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, scheduled tasks, start-up files
- Limitations
- Example Investigations
*nix Investigations
- Section Introduction
- Artefacts
- Limitations
- Example Investigations
Artefact Collection
- Section Introduction
- Equipment
  - Anti-static bags, Faraday cage, labels, clean hard drives, forensic workstations, disk imagers, hardware write blockers, cabling, blank media, photographs
- Tools
  - Wireshark, NetworkMiner, and others
- ACPO Principles
- Live Forensics
  - Fast acquisition of key files
- How to Collect Evidence
  - Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social media posts, chat rooms
- Types of Hard Drive Copies
  - Visible data, bit-for-bit, slack space
Live Forensics
- Section Introduction
- Live Acquisition
  - What is a live acquisition/live forensics? Why is it beneficial?
- Products
  - Carbon Black, EnCase, memory analysis with agents, custom scripts
- Potential Consequences
  - Damaging or modifying evidence, making it invalid
Post-Investigation
- Section Introduction
- Report Writing
- Evidence Retention
  - Legal retention periods, internal retention periods
- Evidence Destruction
  - Overwriting, degaussing, shredding, wiping
- Further Reading
Tools exposure provided in the above section:
- Command line for Windows / Linux
- FTK Imager
- Magnet RAM Capture
- Autopsy
- Volatility
- Volatility Workbench
- EnCase
3. Incident Response Domain
Introduction to Incident Response
- What is Incident Response?
- Why is IR Needed?
- Security Events vs. Security Incidents
- Incident Response Lifecycle – NIST SP 800-61r2
  - What it is, why it is used
- Lockheed Martin Cyber Kill Chain
  - What it is, why it is used
- MITRE ATT&CK Framework
  - What it is, why it is used
Preparation
- Incident Response Plans, Policies, and Procedures
- The Need for an IR Team
- Asset Inventory and Risk Assessment to Identify High-Value Assets
- DMZ and Honeypots
- Host Defences
  - HIDS, NIDS
  - Antivirus, EDR
  - Local firewall
  - User accounts
  - GPO
- Network Defences
  - NIDS
  - NIPS
  - Proxy
  - Firewalls
  - NAC
- Email Defences
  - Spam filter
  - Attachment filter
  - Attachment sandboxing
  - Email tagging
- Physical Defences
  - Deterrents
  - Access controls
  - Monitoring controls
- Human Defences
  - Security awareness training
  - Security policies
  - Incentives
Detection and Analysis
- Common Events and Incidents
- Establishing Baselines and Behaviour Profiles
- Central Logging (SIEM Aggregation)
- Analysis (SIEM Correlation)
Containment, Eradication, Recovery
- CSIRT and CERT Explained
  - What are they, and why are they useful?
- Containment Measures
  - Network isolation, single VLAN, powering system(s) down, honeypot lure
- Taking Forensic Images of Affected Hosts
  - Linking back to the Digital Forensics domain
- Identifying and Removing Malicious Artefacts
  - Memory and disk analysis to identify artefacts and securely remove them
- Identifying Root Cause and Recovery Measures
Lessons Learned
- What Went Well?
  - Highlights from the incident response
- What Could be Improved?
  - Issues from the incident response, and how these can be addressed
- Importance of Documentation
  - Creating runbooks for future similar incidents, audit trail
- Metrics and Reporting
  - Presenting data in metric form
- Further Reading
Tools exposure provided in the above section:
- Sysinternals Suite
- Hash Calculator
- Online Sources
- CyberChef
- Wireshark
- NetworkMiner
4. Threat Intelligence Domain
Introduction to Threat Intelligence
- Section Introduction
- Threat Intelligence Explained
  - What TI is, why it is used
- Why Threat Intelligence can be Valuable
  - Situational awareness, investigation enrichment, reducing the attack surface
- Criticisms/Limitations of Threat Intelligence
  - Attribution issues, reactive nature, old IOCs, false-positive IOCs
- The Future of Threat Intelligence
  - Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic risk scores)
- Types of Intelligence
  - SIGINT, OSINT, HUMINT, GEOINT
Threat Actors
- Common Threat Agents
  - Cybercriminals, hacktivists, insider threats, nation-states
- Motivations
  - Financial, social, political, other
- Skill Levels/Technical Ability
  - Script kiddies, hackers, APTs
- Actor Naming Conventions
  - Animals, APT numbers, other conventions
- Common Targets
  - Industries, governments, organizations
Advanced Persistent Threats
- What are APTs?
  - What makes an APT? Real-world examples of APTs and their operations
- Motivations for Cyber Operations
  - Why APTs do what they do (financial, political, social)
- Tools, Techniques, Tactics
  - What APTs actually do when conducting operations
- Custom Malware/Tools
  - Exploring custom tools used by APTs, why they're used
- Living-off-the-land Techniques
  - What LOTL is, why it's used, why it can be effective
Operational Intelligence
- Indicators of Compromise Explained & Examples
  - What IOCs are, how they're generated and shared, using IOCs to feed defences
- Precursors Explained & Examples
  - What precursors are, how they're different from IOCs, how we monitor them
- TTPs Explained & Examples
  - What TTPs are, why they're important, using them to maintain defences (preventative)
- MITRE ATT&CK Framework
  - Framework explained and how we map cyber-attacks, real-world example
- Lockheed Martin Cyber Kill Chain
  - Framework explained and how we map cyber-attacks, real-world example
- Attribution and its Limitations
  - Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks
- Pyramid of Pain
  - You'll wish we didn't teach you this. It's called the Pyramid of Pain for a reason.
Tactical Threat Intelligence
- Threat Exposure Checks Explained
  - What TECs are, how to check your environment for the presence of bad IOCs
- Watchlists/IOC Monitoring
  - What watchlists are, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
- Public Exposure Assessments
  - What PEAs are, how to conduct them, Google dorks, theHarvester, social media
- Open-Web Information Collection
  - How OSINT data is scraped, why it's useful
- Dark-Web Information Collection
  - How intel companies scrape dark web intel, why it's useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
- Malware Information Sharing Platform (MISP)
  - What MISP is, why it is used, how to implement MISP
Strategic Threat Intelligence
- Intelligence Sharing and Partnerships
  - Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
- IOC/TTP Gathering and Distribution
- Campaign Tracking & Situational Awareness
  - Why we track actors, why keeping the team updated is important
- New Intelligence Platforms/Toolkits
  - Undertaking proof-of-value demos to assess the feasibility of new tooling
- OSINT vs. Paid-for Sources
  - Threat intelligence vendors, public threat feeds, National Vulnerability Database, Twitter
Malware and Global Campaigns
- Types of Malware Used by Threat Actors
  - Trojans, RATs, ransomware, backdoors, logic bombs
- Globally Recognized Malware Campaigns
  - Emotet, Magecart, IcedID, Sodinokibi, TrickBot, LokiBot
Course Prerequisites
- Prior knowledge of networking fundamentals, OS basics, and troubleshooting is recommended
- Experience as an entry-level SOC Analyst / Cyber Security Analyst / Information Security role
- Knowledge of all security policies
- Training or educating network users about security protocols
- Administration of network firewalls
- Troubleshooting and problem-solving skills
- Identification of security areas that can be improved, and the implementation of solutions to those areas
- Dependability and flexibility, being on-call or available outside of regular work hours
- Security Information and Event Management (SIEM)
- SQL
- TCP/IP, computer networking, routing and switching
- C, C++, C#, Java or PHP programming languages
- IDS/IPS, penetration and vulnerability testing
- Firewall and intrusion detection/prevention protocols
- Windows, UNIX and Linux operating systems
- Network protocols and packet analysis tools
- Anti-virus and anti-malware
- Various certifications including Security+, CEH, GIAC, CASP, CISSP
Who can attend
- System Administrators
- Technical Support Engineers
- Security Consultants
- Cyber Security Analysts
- Security System Engineers
Number of Hours: 40 hrs
Certification
Key features
- One to One Training
- Online Training
- Fastrack & Normal Track
- Resume Modification
- Mock Interviews
- Video Tutorials
- Materials
- Real Time Projects
- Virtual Live Experience
- Preparing for Certification
FAQs
DASVM Technologies offers 300+ IT training courses delivered by expert-level trainers with 10+ years of experience.
Call now: +91-99003 49889 to learn about the exciting offers available for you!
We work and coordinate with companies exclusively to get our students placed. We have a placement cell focusing on training and placements in Bangalore. Our placement cell helps more than 600 students per year.
Learn from experts active in their field, not out-of-touch trainers. Leading practitioners bring current best practices and case studies to sessions that fit into your work schedule. Our pool of experts and trainers is highly skilled and experienced in supporting you with specific tasks and providing professional support. You get 24x7 learning support from mentors and a community of like-minded peers to resolve any conceptual doubts. Our trainers have contributed to the growth of our clients as well as of individual professionals.
All of our highly qualified trainers are industry experts with at least 10-12 years of relevant teaching experience. Each of them has gone through a rigorous selection process that includes profile screening, technical evaluation, and a training demo before they are certified to train for us. We also ensure that only trainers with a high alumni rating continue to train for us.
No worries. DASVM Technologies ensures that no one misses a single lecture topic. We will reschedule the classes at your convenience within the stipulated course duration wherever possible. If required, you can even attend that topic with another batch.
DASVM Technologies provides many suitable modes of training to the students like:
- Classroom training
- One to One training
- Fast track training
- Live instructor-led online training
- Customized training
Yes, access to the course material is available for a lifetime once you have enrolled in the course.
You will receive a DASVM Technologies recognized course completion certificate, and our training will help you pass global certification exams.
Yes, DASVM Technologies provides corporate training with course customization, learning analytics, cloud labs, certifications, and real-time projects with 24x7 support.
Yes, DASVM Technologies provides group discounts for its training programs. Depending on the group size, we offer discounts as per the terms and conditions.
We accept all major payment options: cash, card (Master, Visa, Maestro, etc.), wallets, net banking, cheques, and more.
DASVM Technologies has a no-refund policy. Fees once paid will not be refunded. If a candidate is not able to attend a training batch, he/she is to reschedule for a future batch. Any balance due must be cleared by the date given. If a trainer is cancelled or unavailable to provide training, DASVM will arrange training sessions with a backup trainer.
Your access to the Support Team is for a lifetime and is available 24/7. The team will help you resolve queries during and after the course.
Please contact our course advisor at +91-99003 49889, or share your queries through info@dasvmtechnologies.com