SIEM/SOC

Intermediate

NS107

Table of Contents

Description

The Security Operations Center (SOC) lies at the front line of malicious attacks against the organization’s network. Those responsible for the initial triage of an incident are the SOC analysts and incident responders.

This course covers the necessary skills and practices to train such SOC personnel and successfully operate a modern-day SOC. The training starts from a broad understanding of the various functions in a SOC and a thorough workout on its technologies, up to a real-time hands-on practice in a virtual simulation environment. The goal of this training is to develop a highly knowledgeable, practical, and skilled security team inside the organization to handle cybersecurity incidents regularly.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

The course targets participants with foundation knowledge in computer networking, who wish to operate a SOC on the analyst and incident responder levels, or individuals who serve as corporate security analysts.

  • Incident responders
  • System/network administrators
  • IT security personnel

Objectives

  • Provide participants with an understanding of the SOC environment, roles and functionalities
  • Gain practical capabilities of working inside a SOC as Tier-1 analysts and incident responders
  • Understanding the work of forensic investigators in a SOC
  • Practicing the acquired knowledge in real-time through the simulation environment
  • Becoming familiar with different attack scenarios

Pre-requisites

To be best prepared to succeed in this program, participants should have basic familiarity or experience with:

  • Principles of network connectivity.
  • Principles of IT systems
  • Principles of Information Systems
  • Basic operating system fundamentals including Windows or Linux.

Syllabus

Description

The first module will introduce participants to the technical environment of a security-operations-center and deepen their understanding of network processes, protocols, Firewalls, IDS/IPS, and more. Finally, they will become familiar with the various stages of the investigation process, which they will practice and implement at a later stage of the course.

Technical content

  • Working with Linux
    o Linux Directories
    o Linux Users
    o Packages
    ▪ Packages Commands
    ▪ Updating
    ▪ Installing and Managing
    o File Manipulation Commands
    o Variables
    ▪ Internal
    ▪ External
    ▪ Terminal
    o Text and File Manipulation Technics
  • Networking
    o Network Protocols & Data Communications
    o The OSI Model
    o Analyzing Packets using Wireshark and Tshark
    ▪ Sniffing the Network
    ▪ Analyzing Packets
    ▪ “Studying” the Network and Assets
    o Crafting and Analyzing Packets using Scapy
  • Firewalls on Windows and Linux
    o Firewall Types
    ▪ Rules-Based
    ▪ Next Generation
    o Working with Firewalls
    ▪ Linux Firewall
    o Iptables
    o UFW
    ▪ Windows Firewall and Defender
    ▪ Setting Firewall Rules
    ▪ Understanding Firewall Permissions

Description

During this module, participants will learn about the different roles and functions that make up the SOC environment and, more importantly, will experience the various processes that are regularly running in a SOC. This knowledge will help the SOC staff to be better correlated between themselves to ensure the correct flow of procedures. By the end of this module, participants will know to handle an incident from A to Z.

Technical content

  • SOC Fundamentals
    o Roles and Responsibilities
    o Network Events
    ▪ Unsuccessful Activity Attempt
    ▪ Non-Compliant Activity
    ▪ Reconnaissance
    ▪ Investigating
    ▪ Explained Anomaly
    o Security Incidents
    ▪ Root Level Intrusion
    ▪ User Level Intrusion
    ▪ Denial of Service
    ▪ Malicious Logic
    ▪ Identifying External/Internal Intrusions
    o Incident Response Tactics – the Phases of Incident Response
    o Awareness and Communication
  • Monitoring the system
    o Attacks Inside and Outside the Network
    ▪ Phishing Attack
    ▪ Social Engineering
    ▪ Denial of Service Floods
    o Identifying Malicious Traffic using Advanced Tshark Techniques

Description

During this module, participants will learn to inspect the network and the machines connected. Also, to explore different types of attacks, both internal and external. Participants will learn the differences between an event and an incident. By the end of this module, participants will be able to identify when a computer on the network is being compromised in real-time.

Technical content

  • IDS And IPS Terminology
    o Intrusion Detection System (IDS)
    ▪ Network-Based
    ▪ Host-Based
    o Intrusion Prevention System (IPS)
    ▪ Network-Based
    ▪ Host-Based
    o Deploying IDS & IPS
    ▪ Using Tshark to Identify Network Anomalies
  • Hands-on PfSense
    o Installation and Configuration
    o Setting and Configuring Rules
    ▪ Passing Traffic using the NAT Feature
    ▪ Configuring Firewall Rules
    o Managing Network Security
    o Snort

Description

Companies regularly deploy a variety of security technologies designed to prevent and detect threats, as well as to strengthen and protect assets. During this module, we will go into detail about SOC environments and how they work, the participant will know to build and properly configure his SOC environment and learn to correlate it with other security products/ assets. Having a SOC allows you to have dynamic security that acts as a real bastion of analysis, monitoring, prevention, and remediation.

Technical content

  • Preparing the Framework
    o The Elastic Stack
    ▪ Introduction to ELK
    ▪ Deploying Beats
    ▪ Identifying Threats
    ▪ Aggregating Data
    o Real-Time Monitoring
  • Reporting Methodology
    o Post-incident Analysis
    o Reporting Methodologies
    o Designing Infrastructures

Labs

The following labs are part of the actual NS107 course:
  • Lab 1 ​Wireshark
  • Lab 2 Iptables
  • Lab 3 Basic Log Filtering
  • Lab 4 Advanced Log Filtering
  • Lab 5 Volatility
  • Lab 6 Basic Tshark
  • Lab 7 Advanced Wireshark
  • Lab 8 Advanced Tshark
  • Lab 9 Snort & Snort Alerts
  • Lab 10 PfSense
  • Lab 11 ELK Filtering

Real Cases Studies

Case Study #1( SCCA001)
During the coronavirus, a medical research university suffered a data breach. Criminal groups seek to exploit the crisis for financial gain. We need to track down their actions to understand what was stolen. Our tech engineer captured the network traffic during the attack; you have the task to solve the incident.
Reference
Case Study #2 (SCCA002)
Recently a large insurance company called VitaLife has suffered a severe breach. The SOC team that worked on that breach that day are still investigating the scene. You have been asked to filter through those logs to find the possible cause of the attack.
Reference
Case Study #4 (SCCA004)
Financial company in Asia suffered from a ransomware attack, which made them pay $1 million in bitcoin to restore encrypted files. They hired you as a specialist to help them find any traces. The SOC team was able to monitor some of that traffic that might contain valuable information related to the attack.
Reference
Case Study #5 (SCCA005)
A company suspects it has been attacked and needs your help in finding network traces left by a group of hackers that are targeting several businesses and organizations in Germany.
Reference
Previous
Next
NS107 SIEM/SOC Intermediate

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group: FOUNDATION

LEVEL
0%
1
HOURS

 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Hands-on
1
Labs
1
Case Studies

CERTIFICATION

In conjunction with course  NS108 Advanced SIEM/SOC, the present course prepares the participant to the following certifications:

  • CISM (ISACA),
  • GSEC (SANS),
  • GMON (SANS)

Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details

Subscribe