SOC Analyst Online Training Course in Dubai
Read Reviews

Domain1: Security Operations Centre 

Introduction to SOC

• Building a successful SOC
• Functions of SOC
• Heart of SOC- SIEM
• Gartner’s magic quadrant
• SIEM guidelines and architecture 

ELK Stack:

• Introduction and an overview of Elastic SIEM
• User interface
• How to as a part of alert investigations or interactive threat hunting
• MDR vs. Traditional SIEM; and other various solutions
• Elasticsearch: Understanding of Architecture, curator fundamentals,
• Index template for routing, mapping
• KIBANA: Configuration, policies, visualization
• Deep-dive of Log architecture, parsing, alerts 

SecurityOnion

• What is Security Onion?
• Monitoring and analysis tools
• Security Onion Architecture
• Deployment types
• Installing a Standalone server: checking system services with sostat, security onion with web browser tools, security onion terminal
• Replaying traffic on a standalone server 

Splunk In-Depth

• Industrial requirements of Splunk in various fields
• Splunk terminologies, search processing language, and various industry use cases

AlienVault OSSIM fundamentals

• AlienVault fundamentals and architecture deployment
• Vulnerability scanning & monitoring with OSSIM 

Introduction to QRadar

• IBM QRadar SIEM component architecture and data flows
• Using the QRadar SIEM User Interface

Fun with logs

• Working with offense triggered by events
• Working with offense triggered by flows

Monitoring

• Monitor QRadar Notifications and error messages.
• Monitor QRadar performance
• Review and interpret system monitoring dashboards.
• Investigate suspected attacks and policy breaches
• Search, filter, group, and analyze security data

 Tools exposure provided in the above section:

• SecurityOnion
• ELK Stack
• SGUILD
• Wireshark
• Splunk
• AlienVault OSSIM
• IBM Qradar CE

Domain 2: Digital Forensics

 1) Introduction to Digital Forensics

• Section Introduction
• What is Digital Forensics?
  • Collecting evidence typically related to cybercrime
• Digital Subject Access Requests
• Computer Forensics Process
  • Identification, Preservation, collection, examination, analysis, reporting
• Working with Law Enforcement
  • The difference between an internal security issue and one that requires external assistance

2) Forensics Fundamentals

    Section Introduction

• Introduction to Data Representation
  • hexadecimal, octal, binary files vs. txt files, timestamp formats: UNIX epoch, MAC, Chrome, Windows, FILETIME
• Hard Drive Basics
  • Platters, sectors, clusters, slack space
• SSD Drive Basics
  • garbage, collection, TRIM, wear leveling
• File Systems
  • FAT16, FAT32, NTFS, EXT3/EXT4, HFS+/APFS
• Metadata & File Carving
• Memory, Page File, and Hibernation File
• Order of Volatility 

3) Evidence Forms

• Section Introduction
• Volatile Evidence
  • Memory RAM, Cache, Registers content, Routing tables, ARP cache, process table, kernel statistics, temporary file
  • system/swap space
• Disk Evidence
  • Data on Hard Disk or SSD
• Network Evidence
  • Remotely Logged Data, Network Connections/Netflow, PCAPs, Proxy logs
• Web & Cloud Evidence
  • Cloud storage/backups, chat rooms, forums, social media posts, blog posts
• Evidence Forms
• Laptops, desktops, phones, hard drives, tablets, digital cameras, smartwatches, GPS

 4) Chain of Custody

• Section Introduction
• What is the Chain of Custody?
• Why is it Important?
  • In regard to evidence integrity and examiner authenticity
• Guide for Following the Chain of Custody
  • evidence collection, reporting/documentation, evidence hashing, write-blockers, working on a copy of original evidence

 5) Windows Investigations

• Section Introduction
• Artifacts
  • Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, schedules tasks, start-up files
• Limitations
• Example Investigations

 6) *nix Investigations

• Section Introduction
• Artefacts
• Limitations
• Example Investigations
• Artefact Collection
  • Section Introduction
  • Equipment
  • non-static bags, faraday cage, labels, clean hard drives, forensic workstations, Disk imagers, hardware write blockers, cabling, blank media, photographs
  • Tools
  • Wireshark, Network Miner, and others
  • ACPO Principles
  • Live Forensics
  • Fast acquisition of key files
  • How to Collect Evidence
  • Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social media posts, chat rooms
  • Types of Hard Drive Copies visible data, bit for bit, slackspace

 8) Live Forensics

• Section Introduction
• Live Acquisition
  • What is a live acquisition/live forensics? Why is it beneficial?
• Products
  • Carbon Black, Encase, memory analysis with agents, Custom Scripts
• Potential Consequences
  • Damaging or modifying evidence making it invalid

 9) Post-Investigation

• Section Introduction
• Report Writing
• Evidence Retention
  • Legal retention periods, internal retention periods
• Evidence Destruction
  • Overwriting, degaussing, shredding, wiping
• Further Reading

 Tools exposure provided in the above section:

• Command-LINE for Windows / Linux
• FTK IMAGER
• MAGNATE RAM CAPTURE
• AUTOPSY
• Volatility
• Volatility WorkBench
• ENCASE

Domain 3: Incident Response Domain

1) Introduction to Incident Response

• What is Incident Response?
• Why is IR Needed?
• Security Events vs. Security Incidents
• Incident Response Lifecycle – NIST SP 800 61r2
  • What is it, why is it used
• Lockheed Martin Cyber Kill Chain
  • What is it, why is it used
• MITRE ATT&CK Framework
  • What is it, why is it used

 2) Preparation

• Incident Response Plans, Policies, and Procedures
• The Need for an IR Team
• Asset Inventory and Risk Assessment to Identify High-Value Assets
• DMZ and Honeypots
• Host Defences
  • HIDS, NIDS
  • Antivirus, EDR
  • Local Firewall
  • User Accounts
  • GPO
• Network Defences
  • NIDS
  • NIPS
  • Proxy
  • Firewalls
  • NAC
• Email Defences
  • Spam Filter
  • Attachment Filter
  • Attachment Sandboxing
  • Email Tagging
• Physical Defences
• Deterrents
• Access Controls
• Monitoring Controls
• Human Defences
• Security Awareness Training
• Security Policies
• Incentives

 3) Detection and Analysis

• Common Events and Incidents
• Establishing Baselines and Behaviour Profiles
• Central Logging (SIEM Aggregation)
• Analysis (SIEM Correlation)

 4) Containment, Eradication, Recovery

• CSIRT and CERT Explained
  • What are they, and why are they useful?
• Containment Measures
  • Network Isolation, Single VLAN, Powering System(s) Down, Honeypot Lure
• Taking Forensic Images of Affected Hosts
  • Linking Back to Digital Forensics Domain
• Identifying and Removing Malicious Artefacts
  • Memory and disk analysis to identify artefacts and securely remove them
• Identifying Root Cause and Recovery Measures

 5) Lessons Learned

• What Went Well?
  • Highlights from the Incident Response
• What Could be Improved?
  • Issues from the Incident Response, and How These Can be Addressed
• Important of Documentation
  • Creating Runbooks for Future Similar Incidents, Audit Trail
• Metrics and Reporting
  • Presenting Data in Metric Form
• Further Reading

 Tools exposure provided in the above section:

• SYSINTERNAL SUITE
• Hash Calculator
• Online Sources
• CyberChef
• Wireshark
• Network Minor

Domain4: Threat Intelligence Domain

1) Introduction to Threat Intelligence

• Section Introduction
• Threat Intelligence Explained
  • What is TI, why is it used
• Why Threat Intelligence can be Valuable
  • Situational awareness, investigation enrichment, reducing the attack surface
• Criticisms/Limitations of Threat Intelligence
  • Attribution issues, reactive nature, old IOCs, false-positive IOCs
• The Future of Threat Intelligence
  • Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic risk scores)
• Types of Intelligence
  • SIGINT, OSINT, HUMINT, GEOINT

 2) Threat Actors

• Common Threat Agents
  • Cybercriminals, hacktivists, insider threats, nation-states
• Motivations
  • Financial, social, political, other
• Skill Levels/Technical Ability
  • Script Kiddies, Hackers, APTs
• Actor Naming Conventions
  • Animals, APT numbers, other conventions
• Common Targets
  • Industries, governments, organizations

 3) Advanced Persistent Threats

• What are APTs?
  • What makes an APT?, Real-world examples of APTs + their operations
• Motivations for Cyber Operations
  • Why APTs do what they do (financial, political, social)
• Tools, Techniques, Tactics
  • What do APTs actually do when conducting operations
• Custom Malware/Tools
  • Exploring custom tools used by APTs, why they’re used
• Living-off-the-land Techniques
  • What LOTL is, why it’s used, why it can be effective

 4) Operational Intelligence

• Indicators of Compromise Explained & Examples
  • What IOCs are, how they’re generated and shared, using IOCs to feed defences
• Precursors Explained & Examples
  • What precursors are, how they’re different from IOCs, how we monitor them
• TTPs Explained & Examples
  • What TTPs are, why they’re important, using to maintain defences (preventative)
• MITRE ATT&CK Framework
  • Framework explained and how we map cyber-attacks, real-world example
• Lockheed Martin Cyber Kill Chain
  • Framework explained and how we map cyber-attacks, real-world example
• Attribution and its Limitations
  • Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks
• Pyramid of Pain
  • You’ll wish we didn’t teach you this. It’s called the Pyramid of Pain for a reason.

5) Tactical Threat Intelligence

• Threat Exposure Checks Explained
  • What TECs are, how to check your environment for the presence of bad IOCs
• Watchlists/IOC Monitoring
  • What are watchlists, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
• Public Exposure Assessments
  • What PEAs are, how to conduct them, google dorks, harvester, social media
• Open-Web Information Collection
  • How OSINT data is scraped, why it’s useful
• Dark-Web Information Collection
  • How intel companies scrape dark web intel, why it’s useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
• Malware Information Sharing Platform (MISP)
  • What is MISP, why is it used, how to implement MISP

 6) Strategic Threat Intelligence

• Intelligence Sharing and Partnerships
  • Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
• IOC/TTP Gathering and Distribution
• Campaign Tracking & Situational Awareness
  • Why we track actors, why keeping the team updated is important
• New Intelligence Platforms/Toolkits
  • Undertaking proof-of-value demos to assess the feasibility of new tooling
• OSINT vs. Paid-for Sources
  • Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter

 7) Malware and Global Campaigns

• Types of Malware Used by Threat Actors
  • Trojans, RATs, Ransomware, Backdoors, Logic Bombs
• Globally recognized Malware Campaigns
  • Emotet, Magecart, IcedID, Sodinikobi, Trickbot, Lokibot

8) Further Reading

• Further Reading Material
  • Links to more resources that students may find helpful.

Tools exposure provided in the above section:

• AlienVAULT OTX
• MITRE & ATTACK
• MISP
• Maltego
• ONLINE SOURCES