سرفصل دوره اختصاصی مرکز عملیات امنیت

مدت دوره: 70 ساعت

عنوان دوره: مرکز عملیات امنیت

SOC Overview

What is a SOC? What is the mission?

Why are we being attacked?

Modern defense mindset

The challenges of SOC work

The people, process, and technology of a SOC

Aligning the SOC with your organization

SOC functional component overview

Tiered vs. tierless SOCs

Important operational documents

Defensible Network Concepts

Understanding what it takes to be defensible

Network security monitoring (NSM) concepts

NSM event collection

NSM by network layer

Continuous security monitoring (CSM) concepts

CSM event collection

Monitoring sources overview

Data centralization

Events, Alerts, Anomalies, and Incidents

Event collection

Event log flow

Alert collection

Alert triage and log flow

Signatures vs. anomalies

Alert triage workflow and incident creation

Incident Management Systems

SOC data organization tools

Incident management systems options and features

Data flow in incident management systems

Case creation, alerts, observables, playbooks, and workflow

Case and alert naming convention

Incident categorization framework

Threat Intelligence Platforms

What is cyber threat intelligence?

Threat data vs. information vs. intelligence

Threat intel platform options, features, and workflow

Event creation, attributes, correlation, and sharing

SIEM

Benefits of data centralization

SIEM options and features

SIEM searching, visualizations, and dashboards

Use cases and use case databases

Network Protocols and Analytics

Network Access/Link Layer: Layer 2

Address resolution protocol

ARP spoofing

IP Layer: Layer 3

Examination of fields in theory and practice

Checksums and their importance, especially for an IDS/IPS

Fragmentation: IP header fields involved in fragmentation, composition of the fragments, fragmentation attacks

TCP

Packet dissection

Checksums

Normal and abnormal TCP stimulus and response

UDP

Examination of fields in theory and practice

UDP stimulus and response

ICMP

Examination of fields in theory and practice

Normal ICMP

Malicious ICMP

Scapy

Packet crafting and analysis using Scapy

Writing a packet(s) to the network or a pcap file

Reading a packet(s) from the network or from a pcap file

Practical Scapy uses for network analysis and network defenders

DNS

DNS architecture and function

Malicious DNS, including cache poisoning

Microsoft Protocols

SMB/CIFS

MSRPC

Modern HTTP and TLS

Protocol format

Why and how this protocol is evolving

SMTP

Protocol format

STARTTLS

Sample of attacks

IDS/IPS

Identifying Traffic of Interest

Network Architecture

Instrumenting the network for traffic collection

IDS/IPS deployment strategies

Hardware to capture traffic

Introduction to IDS/IPS Analysis

Function of an IDS

Flow process for Snort and Bro

Similarities and differences between Snort and Bro

Snort

Introduction to Snort

Running Snort

Writing Snort rules

Tips for writing efficient rules

Zeek

Introduction to Zeek

Zeek Operational modes

Zeek output logs and how to use them

Practical threat analysis

Zeek scripting

Endpoint Analytics

Endpoint Defense In-Depth

Network scanning and software inventory

Vulnerability scanning and patching

Anti-exploitation

Whitelisting

Host intrusion prevention and detection systems

Host firewalls

File integrity monitoring

Privileged access workstations

Windows privileges and permissions

Endpoint detection and response tools (EDR)

File and drive encryption

Data loss prevention

User and entity behavior analytics (UEBA)

How Windows Logging Works

Channels, event IDs, and sources

XML format and event templates

Log collection path

Channels of interest for tactical data collection

How Linux Logging Works

Syslog log format

Syslog daemons

Syslog network protocol

Log collection path

Systemd journal

Additional command line auditing options

Application logging

Service vs. system logs

Interpreting Important Events

Windows and Linux login events

Process creation logs for Windows and Linux

Additional activity monitoring

Firewall events

Object and file auditing

Service creation and operation logging

New scheduled tasks

USB events

User creation and modification

Windows Defender events

PowerShell logging

Kerberos and Active Directory Events

Authentication and the ticket-granting service

Kerberos authentication steps

Kerberos log events in detail

Log Collection, Parsing, and Normalization

Logging pipeline and collection methods

Windows vs. Linux log agent collection options

Parsing unstructured vs. structured logs

SIEM-centric formats

Efficient searching in your SIEM

The role of parsing and log enrichment

Log normalization and categorization

Log storage and retention lifecycle

Files Contents and Identification

File contents at the byte level

How to identify a file by the bytes

Magic bytes

Nested files

Strings – uses, encoding options, and viewing

Identifying and Handling Suspicious Files

Safely handling suspicious files

Dangerous files types

Exploits vs. program “features”

Exploits vs. Payloads

Executables, scripts, office docs, RTFs, PDFs, and miscellaneous exploits

Hashing and signature verification

Signature inspection and safety of verified files

Inspection methods, detecting malicious scripts and other files

Threat Detection with Splunk

Splunk Overview

Splunk and Machine Data

Splunk Use Cases

Splunk Deployment (Single Instance and Distributed)

Getting Data In Splunk

Indexing Data With Splunk

Search Processing Language (SPL)

Types of SPL commands

Splunk search optimization

Filter commands

Report commands

Group commands

Field commands

Correlation commands

Basic Security Usecases

Brute Force Detection

Network Scan Detection

Baselining With Splunk

Advanced Security Use Cases

Lookup with Splunk

Regular Expression

Detecting DNS Based Threats

Malware Beaconing Detection

Malicious SSL Connections Detection

Detecting Malicious Windows Tools

Detecting Windows Lateral Movement

Situational Awareness