Module 1: Blue Team Operations Architecture
- Building a successful SOC
- Functions of SOC
- SOC Models & Types
- SOC Teams & Roles
- Heart of SOC - SIEM
- Gartner Magic Quadrant - leading SIEM products
- SIEM guidelines and architecture
Module 2: SOC Tools
Splunk
- Industrial requirements of Splunk in various fields
- Splunk terminologies, search processing language, and various industry use cases
- Splunk universal forwarder, data inputs, Correlating Events, Search fields
Security Onion
- Introduction to Security Onion: NSM
- Security Onion Architecture
- Walkthrough to Analyst Tools
- Alert Triage and Detection
- Hunt with Onion
Module 3: DFIR
Fundamentals of Digital Forensics
- Forensics Fundamentals
- Introduction to Digital Forensics
- Hard Drive Basics
- Disk Evidence
- Network Evidence
- Web & Cloud Evidence
- Evidence Forms
- SSD Drive Basics
- File Systems
- Metadata & File Carving
- Memory, Page File, and Hibernation File
- Order of Volatility
- Chain of Custody
- What is the Chain of Custody?
- Guide for Following the Chain of Custody – Evidence collection, reporting/documentation, evidence hashing, write-blockers, working on a copy of original evidence
- Windows Investigations
- Artifacts - Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, scheduled tasks, start-up files
- Equipment - Anti-static bags, Faraday cage, labels, clean hard drives, forensic workstations, disk imagers, hardware write-blockers
- Live Forensics
- Live Acquisition
- Products
- Potential Consequences
- Post-Investigation
- Report Writing
- Evidence Retention
- Evidence Destruction
- Further Reading
Tools exposure provided in the above section
- Command line for Windows / Linux
- Network Analysis: Wireshark, NetworkMiner
- Disk-Based Forensics: FTK Imager, Autopsy, EnCase
- Memory Forensics: Magnet RAM Capture, Belkasoft Live RAM Capturer, DumpIt, Volatility, Volatility Workbench
- Email Forensics: Manual & Automated Analysis
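The evidence-hashing and chain-of-custody steps listed above (hash the original, work only on a verified copy, document every hand-off) can be shown in code. The block below is an added example written for this outline, not course material or the output of any forensic product: a constructed in-memory byte string stands in for an acquired disk image, the evidence identifier and examiner name are hypothetical, and the same functions work unchanged on a real image file opened in binary mode.

```python
"""Evidence hashing and a tamper-evident chain-of-custody record.

Added example (not part of the course material or any forensic product).
A constructed in-memory byte string stands in for an acquired disk image;
the same functions work on real image files opened in binary mode.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never load whole


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a readable binary stream.

    MD5 is included only because many imager logs and custody forms still
    record it; SHA-256 is the digest to rely on for integrity.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, working_copy):
    """True only if every digest of the working copy matches the original."""
    return hash_stream(original) == hash_stream(working_copy)


class CustodyLog:
    """Append-only custody record; each entry commits to the previous one,
    so editing or deleting any entry later is detectable."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, actor, digests, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "digests": digests,
            "note": note,
            "prev_entry_hash": prev,
        }
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        return entry

    def is_intact(self):
        """Recompute the hash chain from the first entry onward."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Run the workflow on constructed data and return the checks' results."""
    # Constructed 3 MiB pseudo-image; not a real acquisition.
    original = io.BytesIO(bytes(range(256)) * (3 * 4096))
    good_copy = io.BytesIO(original.getvalue())
    tampered = io.BytesIO(original.getvalue()[:-1] + b"\x00")  # last byte changed

    log = CustodyLog("CASE-0001-HDD-01")  # hypothetical evidence identifier
    log.record("acquired", "examiner A", hash_stream(original),
               "imaged behind a hardware write-blocker")
    log.record("copied", "examiner A", hash_stream(good_copy),
               "analysis to be performed on this copy only")
    results = {
        "copy_ok": verify_copy(original, good_copy),
        "tampered_ok": verify_copy(original, tampered),
        "log_intact": log.is_intact(),
        "entries": len(log.entries),
    }
    log.entries[0]["note"] = "edited after the fact"  # simulate a back-dated change
    results["log_intact_after_edit"] = log.is_intact()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the good copy verifying, the one-byte change being caught, and the custody log passing its own integrity check until an entry is edited, at which point the hash chain breaks. In practice the original is hashed once, immediately after acquisition behind the write-blocker, and every later digest of a working copy is compared back to that first value.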
Incident Response Basics
- Introduction to Incident Response
- What is an Incident Response?
- Why is IR Needed?
- Security Events vs. Security Incidents
- Incident Response Lifecycle - NIST SP 800-61r2
- Incident Response Plan: Preparation, Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned
- Case Study: Cyber Kill Chain in Incident Response
- Lockheed Martin Cyber Kill Chain
- What is it, why is it used
- MITRE ATT&CK Framework
- What is it, why is it used
- Preparation
- Incident Response Plans, Policies, and Procedures
- The Need for an IR Team
- Asset Inventory and Risk Assessment to Identify High-Value Assets
- DMZ and Honeypots
- Host Defences
- Network Defences
- Email Defences
- Physical Defences
- Human Defences
- Detection and Analysis
- Common Events and Incidents
- Establishing Baselines and Behavior Profiles
- Central Logging (SIEM Aggregation)
- Analysis (SIEM Correlation)
- Containment, Eradication, Recovery
- CSIRT and CERT Explained
- Containment Measures
- Taking Forensic Images of Affected Hosts
- Identifying and Removing Malicious Artefacts
- Identifying Root Cause and Recovery Measures
- Lessons Learned
- What Went Well?
- What could be improved?
- Importance of Documentation
- Metrics and Reporting
- Further Reading
Tools exposure provided in the above section
- Sysinternals Suite
- Hash Calculator
- Online Sources
- CyberChef
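The "Central Logging (SIEM Aggregation)" and "Analysis (SIEM Correlation)" items above differ in an important way: aggregation counts, correlation relates events in sequence. The block below is an added example written for this outline, not course material or a rule from any SIEM product. The events are constructed, in a simplified one-JSON-object-per-line form modelled loosely on Windows Security events 4625 (failed logon) and 4624 (successful logon); the field names, hosts and addresses are assumptions, not a product schema.

```python
"""Central-log correlation: many failed logons followed by a success from
the same source. Added example, not course material or a real SIEM rule.
The events are constructed, in a simplified one-JSON-object-per-line form
modelled loosely on Windows Security events 4625 (failed logon) and 4624
(successful logon); the field names are assumptions, not a product schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures that make a following success suspicious
WINDOW = timedelta(minutes=10)  # how far back failures count

# Constructed sample: alice mistypes twice then logs in (benign); 10.0.0.99
# sprays four accounts and gets into bob's; 10.0.0.77 fails six times but
# only succeeds half an hour later, outside the window.
SAMPLE_LOGS = """\
{"ts": "2024-05-01T09:00:01Z", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-05-01T09:00:20Z", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-05-01T09:00:45Z", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-05-01T09:10:00Z", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:10:05Z", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:10:11Z", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:10:17Z", "event_id": 4625, "user": "dave", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:10:23Z", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:10:29Z", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:12:40Z", "event_id": 4624, "user": "bob", "src_ip": "10.0.0.99", "host": "DC01"}
{"ts": "2024-05-01T09:30:00Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T09:30:10Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T09:30:20Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T09:30:30Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T09:30:40Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T09:30:50Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
{"ts": "2024-05-01T10:00:00Z", "event_id": 4624, "user": "svc_backup", "src_ip": "10.0.0.77", "host": "FS01"}
"""


def parse_events(raw):
    """One JSON event per line; blank lines ignored; returned in time order."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # the 'Z' suffix is not accepted by fromisoformat before Python 3.11
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def failures_by_source(events):
    """Plain aggregation: count of 4625 events per source address."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == 4625:
            counts[e["src_ip"]] += 1
    return dict(counts)


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert on a 4624 preceded by >= threshold 4625s from the same source
    within `window`. Returns a list of alert dicts."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, user) for 4625s
    alerts = []
    for e in events:
        q = recent[e["src_ip"]]
        while q and e["ts"] - q[0][0] > window:  # drop failures outside window
            q.popleft()
        if e["event_id"] == 4625:
            q.append((e["ts"], e["user"]))
        elif e["event_id"] == 4624:
            if len(q) >= threshold:
                alerts.append({
                    "src_ip": e["src_ip"],
                    "host": e["host"],
                    "logged_in_as": e["user"],
                    "failed_attempts": len(q),
                    "users_tried": sorted({u for _, u in q}),
                    "time": e["ts"].isoformat(),
                })
            q.clear()  # one alert per attack, not one per later success
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("failures by source:", failures_by_source(evs))
    for a in correlate(evs):
        print("ALERT:", json.dumps(a))
```

The aggregation alone (in Splunk terms, `stats count by src_ip | where count > 5`) would flag both 10.0.0.99 and 10.0.0.77; the sequence rule raises only the 10.0.0.99 alert, because the service account's eventual success falls outside the ten-minute window. The window and threshold are the "baseline" parameters from the Detection and Analysis items above and should be tuned per environment from observed normal failure rates.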
Module 4: TI
- Introduction to Threat Intelligence
- Threat Actors
- Types of Threat Intelligence:
- Operational Intelligence
- Strategic Intelligence
- Tactical Intelligence
- CTI Skills: NIST NICE - CTI Analyst
- OODA Loop, Diamond Model of Intrusion Analysis
- Unleashing Threat Intel with Maltego, AlienVault OTX
- Living off the Land (LOTL) Techniques
- Malware Campaigns & APTs