
SOC Incident Responder

Our SOC Incident Responder training provides the advanced knowledge and skills that experienced Security Operations Centre practitioners need to become competent in responding to security incidents within their own organisation or those of its stakeholders.


The topics covered in this course include Incident Response Methodologies and Concepts, Attacker Approach, Memory Theory, Endpoint Analysis for Incident Response and Timelines in a Digital Age.

Training is aligned to support individuals seeking to undertake the GIAC Certified Forensic Analyst (GCFA) exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.

Certification

PGI Cyber Academy – Completion Certificate

Aim

By the end of this training, you will have learnt how to correlate events by analysing data from multiple hosts, using PowerShell and other enterprise methodologies. This will ensure you can work as a valuable security practitioner within a SOC, able to interrogate data, analyse security events and respond effectively to incidents.

Audience

Intermediate-level cyber security practitioners who wish to learn the knowledge and skills required to analyse security datasets and adequately prepare for and perform incident response duties. Example roles might include:

  • SOC Analysts
  • Security Analysts
  • Incident Response practitioners
  • Digital Forensics practitioners
  • Threat Hunters
  • IT staff with incident response responsibilities

Learning outcomes

  • Determine incident categories, incident responses and timelines for responses.
  • Develop best practices for incident response and incident management.
  • Measure the impact of signature implementation on viruses, malware, and attacks.
  • Utilise malware analysis concepts and methodologies.
  • Determine best practice auditing and logging procedures.
  • Learn obfuscation techniques.
  • Gain awareness of the applicable laws and your organisation’s policies and procedures relating to the collection and admissibility of digital evidence.
  • Design and implement processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • Understand anti-forensics tactics, techniques, and procedures.
  • Recognise how and why adversaries abuse file types.
  • Practice using malware analysis tools.
  • Determine when malware evades virtual machine detection.
  • Learn concepts and practices of processing digital forensic data.
  • Identify, capture, contain and report malware.
  • Use intrusion detection technologies to detect host and network-based intrusions.
  • Conduct information security audits or reviews of technical systems.
  • Identify common encoding techniques.
  • Recognise vulnerabilities in security systems.
  • Use security event correlation tools effectively.
  • Analyse memory dumps to extract information.
  • Identify and extract data of forensic interest in diverse media.
  • Determine if anomalous code is malicious or benign.
  • Analyse volatile data.
  • Identify obfuscation techniques.
  • Analyse malware by triage.

Prerequisites

Ideally, analysis experience working in a security operations centre (SOC) and digital forensics or incident response training/qualification.

Knowledge of:

  • Network components, their operation and appropriate network security controls and methods.
  • Capabilities and applications of network equipment.
  • Host and network access control mechanisms.
  • How network services and protocols interact to provide network communications.
  • Host-based and network-based intrusion detection methodologies and techniques.
  • Network traffic protocols, methods, and management.
  • Packet-level analysis.
  • Components of a network attack and their relationship to threats and vulnerabilities.
  • Technology that can be exploited.
  • Information security threats, risks and issues posed by new technologies and malicious actors.
  • Common network layer attack vectors.
  • Different classes of cyber-attacks.
  • Different types of cyber attackers, their capabilities, and objectives.
  • Stages of a cyber-attack.
  • Network security architecture concepts.
  • Encryption methodologies.
  • Windows and Unix ports and services.
  • OSI model and underlying network protocols.
  • System administration concepts for operating systems used by your organisation.
  • Payment Card Industry Data Security Standards (PCI-DSS).
  • Data security standards relating to the sector your organisation operates in.
  • Use of sub-netting tools.
  • Network protocols and directory services.
  • Command-line tools.
  • Automated log analysis.
  • Confidentiality, integrity, and availability principles.
  • Hacker methodologies.
  • Attack methods and techniques.
  • Cyber threat intelligence sources and their respective capabilities.
  • Different types of organisation, team and people involved in cyber threat intelligence collection.

Skills in:

  • Using protocol analysers.
  • Using virtual machines.
  • Protecting a network against malware.
  • Using one-way hash functions.
  • Reviewing logs to identify evidence of intrusions and other suspicious behaviour.
  • Using multiple search engines and tools in conducting open-source searches.

Syllabus

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Incident Response Methodologies and Concepts

  • Effective Tactics
  • Threat Briefing
  • Exploring the Endpoint
  • Anti-analysis Techniques
  • Common Malware Features
  • Application at Scale
  • Incident Response Methodologies and Concepts

Living off the Land

  • Leveraging Access
  • Running the code
  • Expanding Access
  • Tracking the activity

Memory Theory

  • Collecting Memory
  • Analysing the memory
  • Presenting memory-based findings

Going Prepared

  • Hiding on an end user system
  • Strategies for discovery
  • Server Execution Artefacts
  • Finding non-malware compromises

Timelines: how, what, why and when

  • Memory Timelines
  • Hard disk image Timelines
  • Multi-source Timelines

Exam Preparation