SOC Tier 1 Operations Zero to Hero

مهدی میرسلطانی

احسان مقدمیان

• پیشرفته متوسط
• مسیر آبی
• ۶ درس

دربارۀ این دوره

مخاطبان

• تحلیلگران و مهندسان لایۀ یک SOC
• علاقه‌مندان به امنیت سایبری
• دانشجویان و فارغ‌التحصیلان رشته‌های فناوری اطلاعات
• افراد فعال در موقعیت‌های شغلی Help Desk و ادمین شبکه

پیش‌نیازها

• آشنایی با مفاهیم حمله‌های سایبری
• آشنایی با مفاهیم سیستم‌عامل‌های ویندوز و لینوکس
• آشنایی با مفاهیم شبکه و پروتکل‌ها

• Incident Response and Cyber Investigations
  • Incident Response
    • Case study: Argous Corporation compromise
    • Dynamic Approach to Incident Response
    • Investigative analysis: Examining incident evidence
  • Digital Investigations
    • Techniques for digital investigation
    • Establishing an incident timeline
    • Investigation efficiency: Data reduction
  • Live Examination
    • Identifying suspicious Windows processes
    • Correlating network and persistence activity
    • Enumerating Windows auto-start extensibility points
    • Leveraging Sysinternals for live Windows examinations
  • Network Investigations
    • Identifying compromised host beaconing with proxy server logs
    • Filtering network activity to identify indicators of compromise
    • Assessing encrypted network traffic with multiple data sources
    • Building the incident timeline
  • Memory Investigations
    • Memory Investigations
    • Conducting offline analysis of attacker persistence Cyberscope and SCAP
    • Using Volatility to inspect attacker malware
  • Malware Investigations
    • Assessing attacker malware in a custom test environment
    • Using snapshot and continuous recording tools
    • Inspecting malware actions with RegShot and Procmon
    • Identifying malicious code on Windows
• Continuous Monitoring and Security Operations (Sec 511)
  • Current State Assessment, Security Operations Centers, and Security Architecture
    • Traditional Security Architecture
    • Introducing Security Onion 2.X
    • Modern Security Architecture Principles
    • Security Architecture – Key Techniques/Practices and Defensible Network Security Architecture Principles Applied
  • Network Security Architecture
    • SOCs/Security Architecture – Key Infrastructure Devices
    • Segmented Internal Networks
  • Network Security Monitoring
    • Evolution of NSM
    • The NSM Toolbox
    • NIDS Design
    • Analysis Methodology
    • Understanding Data Sources
    • Practical NSM Issues
    • Cornerstone NSM
    • Detecting Cobalt Strike
  • Endpoint Security Architecture
    • Endpoint Security Architecture
    • Endpoint Protection
    • Endpoint Detection Windows – Sysmon
    • Authentication Protection and Detection
  • Automation and Continuous Security Monitoring
    • Industry Best Practices
    • Winning CSM Techniques
    • Maintaining Situational Awareness
    • Host, Port, and Service Discovery
    • Vulnerability Scanning
    • Monitoring Patching
    • Monitoring Applications
    • Monitoring Service Logs
    • Monitoring Change to Devices and Appliances
    • Leveraging Proxy and Firewall Data
    • Configuring Centralized Windows Event Log Collection
    • Monitoring Critical Windows Events
    • Scripting and Automation
• Blue Team Fundamentals: Security Operations and Analysis (Sec 450)
  • Blue Team Tools and Operations
    • Introduction to the Blue Team Mission
    • SOC Overview
    • Defensible Network Concepts
    • Events, Alerts, Anomalies, and Incidents
    • Incident Management Systems
    • Threat Intelligence Platforms
    • SIEM
    • Automation and Orchestration
    • Who Are Your Enemies?
  • Understanding Your Network
    • Corporate Network Architecture
    • Traffic Capture and Analysis
    • Understanding DNS
    • DNS analysis and attacks
    • Understanding HTTP and HTTPS
    • Analyzing HTTP for Suspicious Activity
    • How SMTP and Email Attacks Work
    • Additional Important Protocols
  • Understanding Endpoints, Logs, and Files
    • Endpoint Attack Tactics
    • Endpoint Defense In-Depth
    • Network scanning and software inventory
    • How Windows Logging Works
    • How Linux Logging Works
    • Interpreting Important Events
    • Log Collection, Parsing, and Normalization
    • Files Contents and Identification
    • Identifying and Handling Suspicious Files
  • Triage and Analysis
    • Alert Triage and Prioritization
    • Perception, Memory, and Investigation
    • Perception, Memory, and Investigation
    • Mental Models for Information Security
    • Structured Analysis Techniques
    • Analysis Questions and Tactics
    • Analysis OPSEC
    • Intrusion Discovery
    • Incident Closing and Quality Review
  • Continuous Improvement, Analytics, and Automation
    • Improving Life in the SOC
    • Analytic Features and Enrichment
    • New Analytic Design, Testing, and Sharing
    • Tuning and False Positive Reduction
    • Automation and Orchestration
    • Improving Operational Efficiency and Workflow
    • Containing Identified Intrusions
• Splunk fundamental 1&2
  • Introduction
    • Overview of Buttercup Games Inc.
  • What is Splunk?
    • Splunk components
    • Installing Splunk
    • Getting data into Splunk
  • Introduction to Splunk’s User Interface
    • Understand the uses of Splunk
    • Define Splunk Apps
    • Customizing your user settings
    • Learn basic navigation in Splunk
  • Basic Searching
    • Run basic searches
    • Use autocomplete to help build a search
    • Set the time range of a search
    • Identify the contents of search results
    • Refine searches
    • Use the timeline
    • Work with events
    • Control a search job
    • Save search results
  • Using Fields in Searches
    • Understand fields
    • Use fields in searches
    • Use the fields sidebar
  • Search Language Fundamentals
    • Review basic search commands and general search practices
    • Examine the search pipeline
    • Specify indexes in searches
    • Use autocomplete and syntax highlighting
    • Use SPL search commands to perform searches
  • Using Basic Transforming Commands
    • The top command
    • The rare command
    • The stats command
  • Creating Reports and Dashboards
    • Save a search as a report
    • Edit reports
    • Create reports that include visualizations such as charts and tables
    • Create a dashboard
    • Add a report to a dashboard
    • Edit a dashboard
  • Datasets and the Common Information Model
    • Naming conventions
    • What are datasets?
    • What is the Common Information Model (CIM)?
  • Creating and Using Lookups
    • Describe lookups
    • Create a lookup file and create a lookup definition
    • Configure an automatic lookup
  • Creating Scheduled Reports and Alerts
    • Describe scheduled reports
    • Configure scheduled reports
    • Describe alerts
    • Create alerts
    • View fired alerts
  • Using Pivot
    • Describe Pivot
    • Understand the relationship between data models and pivot
    • Select a data model object
    • Create a pivot report
    • Create an instant pivot from a search
    • Add a pivot report to a dashboard
• SIEM with Tactical Analytics (Sec 555)
  • SIEM Architecture
    • State of the SOC/SIEM
    • Log Monitoring
    • Logging architecture
    • SIEM platforms
    • Planning a SIEM
    • SIEM Architecture
    • Ingestion techniques and nodes
    • Data queuing and resiliency
    • Storage and speed
    • Analytical reporting
  • Service Profiling With SIEM
    • Detection methods and relevance to log analysis
    • Analyzing common application logs that generate tremendous amounts of data
    • DNS
    • HTTP
    • HTTPS
    • SMTP
    • Apply threat intelligence to generic network logs
    • Active Dashboards and Visualizations
  • Advanced Endpoint Analytics
    • Endpoint logs
    • Understanding value
    • Adding additional logging
    • Windows filtering and tuning
    • Analyze critical events based on attacker patterns
    • Host-based firewall logs
    • Credential theft and reuse
    • Monitor PowerShell
    • Containers
  • Baselining and user Behavior Monitoring
    • Identify authorized and unauthorized assets
    • Active asset discovery
    • Passive asset discovery
    • Combining asset inventory into a master list
    • Adding contextual information
    • Identify authorized and unauthorized software
    • Source collection
    • Baseline data
    • Network data (from netflow, firewalls, etc)
    • Monitor logons based on patterns
    • Time-based
    • Concurrency of logons
    • Endpoint baseline monitoring
  • Tactical SIEM Detection and Post-Mortem Analysis
    • Centralize NIDS and HIDS alerts
    • Analyze endpoint security logs
    • Augment intrusion detection alerts
    • Analyze vulnerability information
    • Correlate malware sandbox logs with other systems to identify victims across enterprise
    • Monitor Firewall Activity
    • SIEM tripwires
    • Configure systems to generate early log alerts after compromise
    • Post mortem analysis
    • Re-analyze network traffic
• Introduction and Configuration Splunk Enterprise Security (SIEM)
  • Getting Started with ES
    • Describe the features and capabilities of Splunk Enterprise Security (ES)
    • Explain how ES helps security practitioners prevent, detect, and respond to threats
    • Describe correlation searches, data models, and notable events
    • Describe user roles in ES
  • Security Monitoring and Incident Investigation
    • Use the Security Posture dashboard to monitor ES status
    • Use the Incident Review dashboard to investigate notable events
    • Take ownership of an incident and move it through the investigation workflow
    • Create notable events
    • Suppress notable events
  • Risk-Based Alerting
    • Give an overview of Risk-Based Alerting
    • View Risk Notables and risk information on the Incident Review dashboard
    • Explain risk scores and how to change an object’s risk score
    • Review the Risk Analysis dashboard
    • Describe annotations
    • Describe the process for retrieving LDAP data for an asset or identity lookup
  • Investigations
    • Use investigations to manage incident response activity
    • Use the Investigation Workbench to manage, visualize and coordinate incident investigations
    • Add various items to investigations (notes, action history, collaborators, events, assets, identities, files and URLs)
    • Use investigation timelines, lists and summaries to document and review breach analysis and mitigation efforts
  • Using Security Domain Dashboards
    • Use ES to inspect events containing information relevant to active or past incident investigation
    • Identify security domains in ES
    • Use ES security domain dashboards
    • Launch security domain dashboards from Incident Review and from action menus in search results

گواهینامه‌ی دوره