Blue Team Fundamentals: Security Operations and Analysis
This course provides students with the technical knowledge and key concepts essential for security operations center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.
Course Key Learnings
If you are working in cyber defense operations, building a SOC, or want to improve the SOC you already have with better data, workflows, and analysis techniques, SEC450 is the course for you!
Course Content:
Module 1: Security Operations Teams, Tools, and Mission Overview
Overview
The course begins by laying the all-important foundations of a security team: understanding the mission of your SOC in the context of your organization and the external threat landscape. No matter where you are starting, this course emphasizes big-picture thinking on how to strategize and prioritize SOC processes and data to best detect and halt high-impact cyberattacks. This section teaches these concepts from the top down, ensuring students understand the mindset of an analyst, the required workflow, and the monitoring tools used in the battle against attackers.
Exercises
- Using a SIEM for Log Analysis
- Advanced SIEM Log Searching
- Crafting SIEM Visualizations and Dashboards for Threat Hunting
- Using Threat Intelligence Platforms
- Incident Management Systems
Topics
- Welcome to the Blue Team
- SOC Foundations
- SOC Organization and Functions
- SOC Data Collection
- An Introduction to SIEM
- Building SIEM Queries
- SIEM Visualizations and Dashboards
- Knowing Your Enemy
- Threat Intelligence Platforms
- Alert Generation and Processing
- Incident Management Systems and SO
Module 2: Network Traffic Analysis
Overview
To defend a network, you must thoroughly understand its architecture and the impact that architecture has on analysis. After discussing network visibility points, zones, traffic capture types, and how your network setup drives the speed at which your SOC must be able to respond, this section goes in depth on common network services. It provides a thorough explanation of the current and upcoming features of DNS, HTTP (versions 1.1, 2, and 3), TLS, and more, with a focus on the points security professionals most need to understand. For each protocol, the focus is on what normal data looks like and on the fields most commonly used to spot anomalous behavior. The goal is to give analysts the ability to quickly recognize the common tricks attackers use to turn these everyday services against us.
Exercises
- DNS Requests, Traffic, and Analysis
- Analyzing Malicious DNS
- Wireshark and HTTP/1.1 Analysis
- HTTP/2 and HTTP/3 Traffic Analysis with Wireshark
- Analyzing TLS Encrypted Traffic Without Decryption
Topics
- Network Architecture
- Traffic Capture and Analysis
- Understanding DNS
- DNS Analysis and Attacks
- Understanding HTTP
- HTTP(S) Analysis and Attacks
- How HTTP/2 and HTTP/3 Work
- Analyzing Encrypted Traffic for Suspicious Activity
- Common Protocols for Post-Exploitation
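The DNS analysis material above is about knowing what normal query data looks like and which fields betray abuse. The following is an added example written for this page, not course material or code from the course authors: it profiles a constructed DNS query log per registered domain (query count, unique leftmost labels, mean label entropy, longest label, share of TXT/NULL queries) and flags domains whose pattern resembles DNS tunnelling. The log format, the "last two labels" notion of registered domain, and the thresholds are all assumptions made for the sample.

```python
import math
from collections import defaultdict

# Constructed sample DNS log (not real traffic), one query per line:
# "epoch_ts client_ip qname qtype rcode". The tunnel-test.invalid queries mimic
# the long, high-entropy labels typical of DNS tunnelling or data exfiltration.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com A NOERROR
1700000002 10.0.0.5 mail.example.com MX NOERROR
1700000003 10.0.0.7 cdn.example.net A NOERROR
1700000004 10.0.0.9 7a9f3c2b1d8e4f6a0b1c2d3e4f5a6b7c.tunnel-test.invalid TXT NOERROR
1700000005 10.0.0.9 8b0e4d3c2f9a5b7c1d2e3f4a5b6c7d8e.tunnel-test.invalid TXT NOERROR
1700000006 10.0.0.9 9c1f5e4d3a0b6c8d2e3f4a5b6c7d8e9f.tunnel-test.invalid TXT NOERROR
1700000007 10.0.0.9 0d2a6f5e4b1c7d9e3f4a5b6c7d8e9f0a.tunnel-test.invalid TXT NOERROR
1700000008 10.0.0.5 www.example.com AAAA NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (leftmost_label, registered_domain) for a query name.

    Assumption: the registered domain is the last two labels. Production code
    should use a public-suffix list so that e.g. host.example.co.uk works.
    """
    labels = qname.rstrip('.').lower().split('.')
    registered = '.'.join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ''
    return leftmost, registered


def profile_dns_log(text):
    """Aggregate, per registered domain, the features used to spot tunnelling."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _ts, _client, qname, qtype, _rcode = parts
        leftmost, domain = split_qname(qname)
        s = stats.setdefault(domain, {'queries': 0, 'labels': set(),
                                      'entropy_sum': 0.0, 'max_label_len': 0,
                                      'txt_queries': 0})
        s['queries'] += 1
        s['labels'].add(leftmost)
        s['entropy_sum'] += shannon_entropy(leftmost)
        s['max_label_len'] = max(s['max_label_len'], len(leftmost))
        if qtype in ('TXT', 'NULL'):  # record types favoured by tunnelling tools
            s['txt_queries'] += 1
    features = {}
    for domain, s in stats.items():
        features[domain] = {
            'queries': s['queries'],
            'unique_labels': len(s['labels']),
            'mean_entropy': round(s['entropy_sum'] / s['queries'], 3),
            'max_label_len': s['max_label_len'],
            'txt_ratio': round(s['txt_queries'] / s['queries'], 3),
        }
    return features


def flag_tunnelling(features, min_unique=3, min_entropy=3.0, min_label_len=20):
    """Return domains whose profile looks like tunnelling.

    The thresholds are assumptions chosen for the sample; tune them against a
    baseline of your own normal traffic before using them in an analytic.
    """
    return sorted(
        domain for domain, f in features.items()
        if f['unique_labels'] >= min_unique
        and f['mean_entropy'] >= min_entropy
        and f['max_label_len'] >= min_label_len
    )


if __name__ == '__main__':
    profile = profile_dns_log(SAMPLE_DNS_LOG)
    for domain, f in sorted(profile.items()):
        print(domain, f)
    print('suspicious:', flag_tunnelling(profile))
```

Ordinary hostnames such as www and mail have low entropy and few distinct values per domain, while the constructed tunnelling traffic shows many unique, long, high-entropy labels against one domain, all as TXT queries. A real deployment would compute the same features from the SIEM's DNS index rather than a text file.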
Module 3: Endpoint Defense, Security Logging, and Malware Identification
Overview
This section includes an in-depth overview of how security logging is set up on Linux and Windows, and the decisions that determine whether you are able to collect the logs needed to spot attacks. It covers high-importance log events and explains in depth how to interpret the most important Windows and Linux security logs. It also covers practical concerns about the quality of your telemetry and how to ensure that your logs arrive with the context, categorization, and normalization analysts need to make quick sense of them. The result is a complete view of the logging pipeline, from the moment a log is generated to when it arrives in your security tools, so analysts know which logs they are receiving and why.
Exercises
- Threat Hunting with a SIEM Using Windows Logs
- Log Enrichment and Visualization
- Dissecting Common Malware File Types
Topics
- Common Endpoint Attack Tactics
- Endpoint Defense in Depth
- How Windows Logging Works — formats, channels, audit policies and more
- How Linux Logging Works — syslog format, protocol, and daemons, log files, journald
- Interpreting Security-Critical Log Events
- Making Logs Usable – Log Collection, Parsing, and Normalization
- Identifying Potentially Malicious Files
- Dissecting Commonly Weaponized File Types
- Fast Identification and Safe Handling of Malicious Files
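The logging material above stresses two things: interpreting security-critical events on both Windows and Linux, and normalizing them so one analytic can run across both. The following is an added example for this page, not course material or code from the course authors. It parses constructed Windows Security logon events (a flattened key=value export, not a real EVTX format) and constructed sshd syslog lines into one common schema, then runs a single failed-logon burst detection over the merged stream. The export format, the field names beyond the real Windows event IDs 4624/4625, and the syslog year are assumptions made for the sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). The Windows lines mimic a
# flattened export of Security-log events 4625 (failed logon) and 4624 (logon);
# the Linux lines mimic sshd messages as written by syslog.
WINDOWS_LOG = """\
2024-11-10T12:00:01Z host=dc01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5 LogonType=3 Status=0xC000006D
2024-11-10T12:00:02Z host=dc01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.5 LogonType=3 Status=0xC000006A
2024-11-10T12:00:20Z host=dc01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.44 LogonType=2 Status=0x0
"""

LINUX_LOG = """\
Nov 10 12:00:03 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Nov 10 12:00:05 web01 sshd[1235]: Failed password for root from 203.0.113.5 port 41123 ssh2
Nov 10 12:00:09 web01 sshd[1301]: Accepted publickey for deploy from 10.0.0.12 port 50022 ssh2
"""

# Classic syslog timestamps carry no year; this is an assumption for the sample.
ASSUMED_YEAR = 2024

# Common schema every source is normalized into:
#   ts (epoch seconds), host, user, src_ip, outcome ('success'|'failure'), source


def parse_windows(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(' ')
        fields = dict(re.findall(r'(\w+)=(\S+)', rest))
        event_id = fields.get('EventID')
        if event_id not in ('4624', '4625'):
            continue  # only logon events are relevant to this analytic
        ts = datetime.strptime(ts_str, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        events.append({
            'ts': ts.timestamp(),
            'host': fields.get('host', ''),
            'user': fields.get('TargetUserName', ''),
            'src_ip': fields.get('IpAddress', ''),
            'outcome': 'success' if event_id == '4624' else 'failure',
            'source': 'windows-security',
        })
    return events


SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+'
    r'(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port'
)


def parse_linux(text):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # other sshd/syslog noise is ignored here
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", '%Y %b %d %H:%M:%S')
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: logs are in UTC
        events.append({
            'ts': ts.timestamp(),
            'host': m['host'],
            'user': m['user'],
            'src_ip': m['ip'],
            'outcome': 'failure' if m['result'].startswith('Failed') else 'success',
            'source': 'linux-sshd',
        })
    return events


def detect_failed_logon_bursts(events, threshold=4, window_seconds=60):
    """Return {src_ip: max_failures_in_window} for sources at or above threshold.

    Because both sources share one schema, a password-spray that splits its
    attempts across a domain controller and a Linux host is still counted once.
    """
    by_ip = {}
    for e in events:
        if e['outcome'] == 'failure' and e['src_ip']:
            by_ip.setdefault(e['src_ip'], []).append(e['ts'])
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def analyze():
    events = parse_windows(WINDOWS_LOG) + parse_linux(LINUX_LOG)
    return events, detect_failed_logon_bursts(events)


if __name__ == '__main__':
    events, hits = analyze()
    for e in sorted(events, key=lambda e: e['ts']):
        print(e)
    print('burst sources:', hits)
```

Run stand-alone it prints the six normalized events and reports 203.0.113.5 as the one source with four failures inside a minute, two of them against Windows and two against sshd. Neither source on its own would have reached the threshold, which is the practical argument for normalizing before detecting.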
Module 4: Efficient Alert Triage and Email Analysis
Overview
In this section of the course we turn to understanding and mastering the process of analysis, with a focus on how to avoid common mistakes and biases. The course teaches a clear, methodical approach to alert triage and how to quickly separate opportunistic from potentially targeted attacks.
In addition to analysis technique, this section covers the offensive and defensive mental models needed to perform high-quality analysis. Students use these models to look at an alert queue and get a quick, intuitive understanding of which alerts may pose the biggest threat and deserve investigation priority. It also covers cyber defense operational security (OPSEC) and safe investigation techniques, so that analysts do not tip their hand to attackers during an investigation.
Exercises
- Alert Triage and Prioritization
- Structured Analysis Challenge
- High-Quality Incident Documentation
- Analyzing Phishing Email Content and Headers
Topics
- Alert Triage and Analysis
- Structured Analytical Techniques for Alert Investigation
- The Most Important Mental Models for Security Analysts
- Incident Documentation, Closing and Investigation Quality
- Analysis OPSEC (Operational Security) for Defenders — How to Not Tip Off Attackers of Defense Action
- Detecting Malicious Emails through Email Header Analysis (SPF, DKIM, DMARC and more)
- Email Content, URL, and Attachment Analysis
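The email header topic above centers on SPF, DKIM, and DMARC. The check that matters for triage is not just whether each mechanism reports pass, but whether a passing mechanism is aligned with the domain the user actually sees in From:. The following is an added example for this page, not course material or code from the course authors. It parses a constructed phishing-style message and a constructed legitimate one using Python's standard email module, reads the receiving MTA's Authentication-Results header, applies relaxed DMARC alignment, and reports the header mismatches an analyst would list in a ticket. The messages, domains, and the "last two labels" organizational-domain rule are assumptions made for the sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing-style message (not a real capture). SPF and DKIM both
# pass, but for the sender's relay domain, not for the example.com shown in From:.
PHISH_EMAIL = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-relay.invalid; dkim=pass header.d=mail-relay.invalid; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@gmail.example.invalid
To: jsmith@example.com
Subject: Password expires today
Content-Type: text/plain

Your password expires today. Click http://example-com-login.invalid/reset to keep access.
"""

# Constructed legitimate message for contrast: authentication aligned with From:.
LEGIT_EMAIL = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Payroll <payroll@example.com>
To: jsmith@example.com
Subject: November payslip
Content-Type: text/plain

Your payslip is available in the portal.
"""


def org_domain(domain):
    """Organizational domain for relaxed alignment.
    Assumption: last two labels; use a public-suffix list in production."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 8601 style) into
    (authserv_id, {method: (result, {property: value})})."""
    authserv, _, rest = value.partition(';')
    results = {}
    for clause in rest.split(';'):
        m = re.match(r'\s*(\w+)=(\w+)(.*)', clause)
        if not m:
            continue
        method, result, props_str = m.groups()
        props = dict(re.findall(r'([\w.]+)=(\S+)', props_str))
        results[method.lower()] = (result.lower(), props)
    return authserv.strip(), results


def _domain_of(header_value):
    addr = parseaddr(header_value or '')[1]
    return addr.rpartition('@')[2].lower()


def analyze_headers(raw):
    msg = message_from_string(raw)
    from_domain = _domain_of(msg.get('From'))
    _authserv, results = parse_auth_results(msg.get('Authentication-Results', ''))
    spf_result, spf_props = results.get('spf', ('none', {}))
    dkim_result, dkim_props = results.get('dkim', ('none', {}))
    dmarc_result, _ = results.get('dmarc', ('none', {}))

    # DMARC: at least one of SPF or DKIM must pass for a domain aligned with From:.
    spf_aligned = (spf_result == 'pass' and
                   org_domain(spf_props.get('smtp.mailfrom', '')) == org_domain(from_domain))
    dkim_aligned = (dkim_result == 'pass' and
                    org_domain(dkim_props.get('header.d', '')) == org_domain(from_domain))

    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append(f'no SPF or DKIM pass aligned with From: domain {from_domain}')
    if dmarc_result == 'fail':
        findings.append('receiving MTA recorded dmarc=fail')
    return_path = _domain_of(msg.get('Return-Path'))
    if return_path and org_domain(return_path) != org_domain(from_domain):
        findings.append(f'Return-Path domain {return_path} differs from From: domain')
    reply_to = _domain_of(msg.get('Reply-To'))
    if reply_to and org_domain(reply_to) != org_domain(from_domain):
        findings.append(f'Reply-To domain {reply_to} differs from From: domain')

    urls = re.findall(r'https?://[^\s<>"]+', msg.get_payload())
    return {'from_domain': from_domain, 'spf': spf_result, 'dkim': dkim_result,
            'dmarc': dmarc_result, 'aligned': spf_aligned or dkim_aligned,
            'urls': urls, 'findings': findings}


if __name__ == '__main__':
    for name, raw in (('phish', PHISH_EMAIL), ('legit', LEGIT_EMAIL)):
        print(name, analyze_headers(raw))
```

The phishing sample is the case that trips up a quick glance: spf=pass and dkim=pass are both present, yet neither is for example.com, so alignment fails and the MTA's own dmarc=fail agrees. The Return-Path and Reply-To mismatches and the extracted URL are the remaining artifacts to pivot on. Only trust an Authentication-Results header written by your own gateway; one arriving from outside can be forged.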
Module 5: Continuous Improvement, Analytics, and Automation
Overview
Repetitive tasks, lack of empowerment or challenges, poorly designed manual processes – analysts know these pains all too well. While these are just some of the common painful experiences in day-to-day SOC work, they are also major contributing factors to unhappiness and burnout that can cause turnover in a SOC. Do things have to be this way? Of course not! But it will take some understanding and work on your part to do things differently.
Exercises
- Alert Tuning and False Positive Reduction
- SOC Automation – File Analysis
- SOC Automation – Incident Containment
Topics
- Reducing Burnout and Retention Issues in the SOC
- False Positive Reduction – Analytic Features and the Importance of Log Enrichment
- New Analytic Design, Testing, and Sharing
- Alert Tuning Methodology
- SOC Automation and Orchestration (with and without SOAR)
- Improving Analyst Efficiency and Workflow
- Methods for Quickly Containing Identified Intrusions
- Skill and Career Development for SOC staff
BUSINESS TAKEAWAYS
This course will provide:
- A turn-key solution for SOC analyst training, giving analysts the skills to understand the tools, data, and defensive priorities required to defend your network from high-impact cyber attacks
- Clear strategic priorities for your security operations team
- Methods to make the most of security telemetry, including endpoint, network, and cloud-based sensors
- A battle-tested method to reduce false positives to the lowest possible level
- Techniques for quick and accurate security incident triage
- Methods to improve the effectiveness, efficiency, and impact of your SOC
Prerequisites
A basic understanding of TCP/IP and general operating system fundamentals is needed for this course. Familiarity with the Linux command line, network security monitoring, and SIEM solutions is a bonus. Some entry-level security concepts are assumed.
International Student Fee: 950 US$
Flexible Class Options
- Weekend Classes for Professionals (SAT | SUN)
- Corporate Group Trainings Available
- Online Classes – Live Virtual Class (L.V.C), Online Training
Related Courses
Practical Open-Source Intelligence (OSINT)
Advanced Security Essentials – Enterprise Defender
Securing Windows and PowerShell Automation
Automating Information Security with Python
Security Automation with PowerShell