SIEM/SOC
Intermediate
NS107
Description
The Security Operations Center (SOC) lies at the front line of malicious attacks against the organization’s network. Those responsible for the initial triage of an incident are the SOC analysts and incident responders.
This course covers the skills and practices needed to train such SOC personnel and to operate a modern SOC successfully. The training starts with a broad understanding of the various functions in a SOC and a thorough grounding in its technologies, and ends with real-time hands-on practice in a virtual simulation environment. The goal of this training is to develop a highly knowledgeable, practical, and skilled security team inside the organization that can handle cybersecurity incidents on a regular basis.
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-work at home between lessons
- Repetition of materials, self-learning, performing tasks, etc.
In addition to regular classroom studies, participants are required to practice at least 10 hours a week in order to gain practical experience in the field.
- A personal computer suitable for running virtual machines, with an Internet connection
- Working through the scenarios in the Cyberium Arena
Target audience
The course targets participants with foundational knowledge of computer networking who wish to operate a SOC at the analyst and incident responder levels, or individuals who serve as corporate security analysts.
- Incident responders
- System/network administrators
- IT security personnel
Objectives
- Provide participants with an understanding of the SOC environment, its roles and functions
- Gain practical capabilities for working inside a SOC as Tier-1 analysts and incident responders
- Understand the work of forensic investigators in a SOC
- Practice the acquired knowledge in real time in the simulation environment
- Become familiar with different attack scenarios
Pre-requisites
To be best prepared to succeed in this program, participants should have basic familiarity or experience with:
- Principles of network connectivity
- Principles of IT systems
- Principles of information systems
- Basic operating system fundamentals (Windows or Linux)
Syllabus
Description
The first module introduces participants to the technical environment of a security operations center (SOC) and deepens their understanding of network processes and protocols, firewalls, IDS/IPS, and more. Finally, they become familiar with the various stages of the investigation process, which they will practice and apply at a later stage of the course.
Technical content
- Working with Linux
  - Linux Directories
  - Linux Users
  - Packages
    - Package Commands
    - Updating
    - Installing and Managing
  - File Manipulation Commands
  - Variables
    - Internal
    - External
    - Terminal
  - Text and File Manipulation Techniques
- Networking
  - Network Protocols & Data Communications
  - The OSI Model
  - Analyzing Packets using Wireshark and Tshark
    - Sniffing the Network
    - Analyzing Packets
    - “Studying” the Network and Assets
  - Crafting and Analyzing Packets using Scapy
- Firewalls on Windows and Linux
  - Firewall Types
    - Rules-Based
    - Next Generation
  - Working with Firewalls
    - Linux Firewall
      - Iptables
      - UFW
    - Windows Firewall and Defender
    - Setting Firewall Rules
    - Understanding Firewall Permissions
Description
During this module, participants will learn about the different roles and functions that make up the SOC environment and, more importantly, will experience the various processes that run regularly in a SOC. This knowledge helps SOC staff coordinate better among themselves and ensures the correct flow of procedures. By the end of this module, participants will know how to handle an incident from A to Z.
Technical content
- SOC Fundamentals
  - Roles and Responsibilities
  - Network Events
    - Unsuccessful Activity Attempt
    - Non-Compliant Activity
    - Reconnaissance
    - Investigating
    - Explained Anomaly
  - Security Incidents
    - Root Level Intrusion
    - User Level Intrusion
    - Denial of Service
    - Malicious Logic
    - Identifying External/Internal Intrusions
  - Incident Response Tactics – the Phases of Incident Response
  - Awareness and Communication
- Monitoring the System
  - Attacks Inside and Outside the Network
    - Phishing Attack
    - Social Engineering
    - Denial of Service Floods
  - Identifying Malicious Traffic using Advanced Tshark Techniques
Description
During this module, participants will learn to inspect the network and the machines connected to it, and to explore different types of attacks, both internal and external. Participants will learn the difference between an event and an incident. By the end of this module, participants will be able to identify in real time when a computer on the network is being compromised.
Technical content
- IDS and IPS Terminology
  - Intrusion Detection System (IDS)
    - Network-Based
    - Host-Based
  - Intrusion Prevention System (IPS)
    - Network-Based
    - Host-Based
  - Deploying IDS & IPS
    - Using Tshark to Identify Network Anomalies
- Hands-on pfSense
  - Installation and Configuration
  - Setting and Configuring Rules
    - Passing Traffic using the NAT Feature
    - Configuring Firewall Rules
  - Managing Network Security
  - Snort
Description
Companies regularly deploy a variety of security technologies designed to prevent and detect threats, as well as to strengthen and protect assets. During this module, we will go into detail about SOC environments and how they work; participants will learn to build and properly configure their own SOC environment and to correlate it with other security products and assets. Having a SOC provides dynamic security that acts as a real bastion of analysis, monitoring, prevention, and remediation.
Technical content
- Preparing the Framework
  - The Elastic Stack
    - Introduction to ELK
    - Deploying Beats
    - Identifying Threats
    - Aggregating Data
  - Real-Time Monitoring
- Reporting Methodology
  - Post-incident Analysis
  - Reporting Methodologies
  - Designing Infrastructures
Labs
- Lab 1 Wireshark
- Lab 2 Iptables
- Lab 3 Basic Log Filtering
- Lab 4 Advanced Log Filtering
- Lab 5 Volatility
- Lab 6 Basic Tshark
- Lab 7 Advanced Wireshark
- Lab 8 Advanced Tshark
- Lab 9 Snort & Snort Alerts
- Lab 10 pfSense
- Lab 11 ELK Filtering
Real Case Studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
- On-site classroom with proctored labs and scenarios executed in our Cyberium Arena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available to participants electronically.
Course Group: FOUNDATION
Hands-on / Theory Mix
This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.
Certification
In conjunction with course NS108 Advanced SIEM/SOC, the present course prepares the participant for the following certifications:
- CISM (ISACA)
- GSEC (SANS)
- GMON (SANS)
Required Equipment
Network connection
As this course makes extensive use of a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As it is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:
- Audio and video
- 8 GB RAM
- 200 GB disk space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with microphone