SEC450: Blue Team Fundamentals: Security Operations and Analysis™

Overview

The course begins with laying the all-important foundations of a security team - understanding the mission of your SOC through the context of your organization and the external threat landscape. No matter where you are starting, SEC450 emphasizes the big-picture thinking on how to strategize and prioritize SOC processes and data to best detect and half high-impact cyberattacks. This section of the course teaches these concepts from the top down, ensuring students understand the mindset of an analyst, the required workflow, and the monitoring tools used in the battle against attackers. Throughout this day, students learn how monitoring data and security tools fit together (including incident management systems, threat intelligence platforms, SIEMs, and more) and see how to best integrate these tools all for a seamless workflow that allows alert triage and response to flow smoothly.

Exercises

• Using a SIEM for Log Analysis
• Advanced SIEM Log Searching
• Crafting SIEM Visualizations and Dashboards for Threat Hunting
• Using Threat Intelligence Platforms
• Incident Management Systems

Topics

• Welcome to the Blue Team
• SOC Foundations
• SOC Organization and Functions
• SOC Data Collection
• An Introduction to SIEM
• Building SIEM Queries
• SIEM Visualizations and Dashboards
• Knowing Your Enemy
• Threat Intelligence Platforms
• Alert Generation and Processing
• Incident Management Systems and SOAR

Overview

Day 2 begins the journey of building a deep understanding of your network. To defend a network, you must thoroughly comprehend its architecture and the impact that it will have on analysis. After discussing network visibility points, zones, traffic capture types, and how your network setup will drive the speed at which your SOC will need to be able to respond, section 2 then goes in-depth on common network services. These sections provide a thorough explanation of the current and upcoming features of DNS, HTTP (versions 1.1, 2 and 3), TLS, and more, with a focus on the most important points security professionals need to understand. In each section there is a focus on what normal data looks like, as well as the common fields and areas that are used to spot anomalous behavior. This section's goal is to give analysts the ability to quickly recognize common tricks used by attackers to turn these everyday services against us.

Exercises

• DNS Requests, Traffic, and Analysis
• Analyzing Malicious DNS
• Wireshark and HTTP/1.1 Analysis
• HTTP/2 and HTTP/3 Traffic Analysis with Wireshark
• Analyzing TLS Encrypted Traffic Without Decryption

Topics

• Network Architecture
• Traffic Capture and Analysis
• Understanding DNS
• DNS Analysis and Attacks
• Understanding HTTP
• HTTP(S) Analysis and Attacks
• How HTTP/2 and HTTP/3 Work
• Analyzing Encrypted Traffic for Suspicious Activity
• Common Protocols for Post-Exploitation

Overview

Day 3 of course opens with a discussion and demonstration of common endpoint attack techniques and the security controls and features organizations can use to disrupt and detect them. This includes an in-depth overview of how security logging is set up on Linux and Windows, and the decisions that will drive whether you are able to collect the logs needed to spot attacks. These sections cover high-importance log events and provide an in-depth explanation of how to interpret the most important Windows and Linux security logs. This section also covers practical concerns about the quality of your telemetry and how to ensure that your logs come with the context, categorization, and normalization required for analysts to make quick sense of them. These sections give a complete view of the logging pipeline from the moment a log is generated to when it arrives in our security tools, ensuring analysts know which logs they are receiving and why.

Many new analysts struggle to understand how files are structured at a low level and therefore are hesitant when it comes to answering questions such as "could a file of type x be used for evil?" The second part of day 3 provides students with the concepts needed to reason through the answer, diving into files at the byte level. This section explains the difference between binary and text-based files, and what makes a file a valid document, PDF, executable, word document, or otherwise. Concepts such as strings, hashes, and file signatures are explained to show students how to quickly and accurately identify potentially malicious file samples. Students finish this day understanding how different common file formats can be identified, how they are typically weaponized, and how to quickly decide whether a given sample is likely to be malicious.

Exercises

• Threat Hunting with a SIEM Using Windows Logs
• Log Enrichment and Visualization
• Dissecting Common Malware File Types

Topics

• Common Endpoint Attack Tactics
• Endpoint Defense in Depth
• How Windows Logging Works -- formats, channels, audit policies and more
• How Linux Logging Works -- syslog format, protocol, and daemons, log files, journald
• Interpreting Security-Critical Log Events
• Making Logs Usable - Log Collection, Parsing, and Normalization
• Identifying Potentially Malicious Files
• Dissecting Commonly Weaponized File Types
• Fast Identification and Safe Handling of Malicious Files

Overview

In this section of the course we turn the focus to understanding and mastering the process of analysis with a focus on how to avoid common mistakes and biases. The course teaches a clear and methodical approach for alert triage and how to quickly sort opportunistic from potentially targeted attacks.

In addition to analysis technique, this day covers both offensive and defensive mental models that are necessary to understand to perform high-quality analysis. Students will use these models to look at an alert queue and get a quick and intuitive understanding of which alerts may pose the biggest threat and need priority in investigation. It also covers cyber defense operational security (OPSEC) and safe investigation techniques to ensure that analysts do not tip their hand to attackers during the investigation process.

In the final section of this day, phishing email investigation is covered in depth. With email being a primary entry vector for intrusions, it's incredibly important that analysts are confident in understanding multiple ways to detect the signs of a malicious email. Email header analysis is and verification protocols (SPF, DKIM, and DMARC) are explained in detail with the goal of teaching analysts how to quickly identify and dispose of clearly malicious and spoofed email. In addition, safe investigation of attached files, URLs, and email content is also covered so that analysts are ready for anything when it comes to the phishing triage inbox.

Exercises

• Alert Triage and Prioritization
• Structured Analysis Challenge
• High-Quality Incident Documentation
• Analyzing Phishing Email Content and Headers

Topics

• Alert Triage and Analysis
• Structured Analytical Techniques for Alert Investigation
• The Most Important Mentals Models for Security Analysts
• Incident Documentation, Closing and Investigation Quality
• Analysis OPSEC (Operational Security) for Defenders -- How to Not Tip Off Attackers of Defense Action
• Detecting Malicious Emails through Email Header Analysis (SPF, DKIM, DMARC and more)
• Email Content, URL, and Attachment Analysis

Overview

Repetitive tasks, lack of empowerment or challenges, poorly designed manual processes - analysts know these pains all too well. While these are just some of the common painful experiences in day-to-day SOC work, they are also major contributing factors to unhappiness and burnout that can cause turnover in a SOC. Do things have to be this way? Of course not! But it will take some understanding and work on your part to do things differently.

This section of the course targets improving efficiency and team enthusiasm for SOC work by tackling the most common problems head-on. Through process optimization, careful analytic design and tuning, and workflow efficiency improvements, we can eliminate many of these common pain points. This frees us from the repetitive work we loathe and allows us to focus on what we do best - analysis! Having the time for challenging and novel work leads to a virtuous cycle of growth and engagement throughout the SOC - and improves everyone's life in the process.

This day will focus on tuning your tools using clever analysis techniques and process automation to remove the monotonous and non-value-added activities from your day. It also covers containment activities including the containment techniques teams can use, and how to decide which option is best to halt a developing incident or infection. We'll wrap up the day with recommendations on skill growth, long-term career development, and how to get more involved in the cyber defense community.

Exercises

• Alert Tuning and False Positive Reduction
• SOC Automation - File Analysis
• SOC Automation - Incident Containment

Topics

• Reducing Burnout and Retention Issues in the SOC
• False Positive Reduction - Analytic Features and the Importance of Log Enrichment
• New Analytic Design, Testing, and Sharing
• Alert Tuning Methodology
• SOC Automation and Orchestration (with and without SOAR)
• Improving Analyst Efficiency and Workflow
• Methods for Quickly Containing Identified Intrusions
• Skill and Career Development for SOC staff

Overview

The course culminates in a day-long, team-based capture the flag competition. Using network data and logs from a simulated network under attack, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will be challenged to detect and identify attacks to progress through multiple categories of questions designed to ensure mastery of the concepts and data covered during the course.