Threat Analyst

5 days

Deep dive in Active Defense, Rapid Response, APT’s, threat hunting, threat intelligence and incident response in a next generation SOC

Threat Analyst teaches advanced principles, tools and hands-on techniques for a senior, proactive defense role in a SOC or similar team. The course offers hands-on practice in a Next Generation SOC with the modern technology stack and evolved processes, and dives into the practicalities of much-discussed concepts like XDR, Rapid Response and Automation. You’ll conduct complex tier 2 and 3 escalated threat and incident investigations, practice advanced persistent threat analysis, and spend 3 dedicated ‘deep dive’ training days on Threat Intelligence, Threat Hunting and Incident Response investigations. The course covers active defense concepts and advanced hands-on techniques and tools that will help you prioritize investigations, improve detection visibility and security monitoring capabilities. This is an advanced training and not suitable for early career SOC Analysts. If you’re looking for an entry level course, we’d advise you to have a look at the Associate SOC Analyst Training.

Authors & Lead Trainers

Carlos Valderrama
Author & Trainer

SOC Director
IoT Security Expert for ENISA

Rob van Os
Author & Trainer

Security Consultant
Creator SOC Maturity Model

Jeroen de Wit
Trainer

Manager Security Operations
KPMG EMEA Center of Excellence

At a Glance

Advanced level

Threat Analyst

5 days

Enterprise SOC teams, Managed Service and MDR providers that want to set a baseline for their threat analysts. SOC Analysts, MDR Analysts, Threat Analysts, Threat Content Developers, Security Consultants, Incident Responders, security engineers and architects, red teamers going purple.

Prepares for a new SOC paradigm to work with the modern MDR technology stack, structures your mind to transition towards a senior, pro-active defense role.

Next Generation SOC with a Threat Intelligence platform, Incident Response Platform, Packet capture and analysis, Automation tools, CMDB, Network and Asset Modelling and XDR deployed and working together (in addition to 2 SIEMs and a SOC Ticketing System)

Master Attacker Techniques and Tactics. Perform Network and Asset Modelling and Risk Analysis as a basis for risk-based log ingestion strategies and investigation prioritization.

Deep dives in MAGMA, SIGMA, Snort, Zeek, YARA. Conduct blind spot detection assessments. Improve detection visibility and monitoring.

Deep investigations on escalated events, incidents, Advanced Persistent Threats Analysis.

3 full days of in-depth, hands-on training in Threat Intelligence, Threat Hunting and Incident Response investigations.

Syllabus

Day 1 – From Mindset to Toolset

This module offers students a strategic vision of a current SOC (known as Next Generation SOC and, lately, MDR), the different ways it can be structured and the actions to run and continuously improve a scalable and effective SOC. Students will get the mindset to work in an MDR SOC considering technology, processes, roles, tasks and services, and will work on a business case where they’re assigned to process tasks within a virtual SOC via ITSM in a “Capture the Flag” format. They’ll be asked to identify the SOC’s business drivers and customers, roles and responsibilities, utilize MDR components and technologies in order to accomplish the SOC’s mission and create relevant SOC metrics.

1.1. SOC Services evolution to MDR and the impact on the Threat Analyst role

  • Cloud SOC
  • On-prem SOC
  • Strategic SOC

1.2. MDR Service Operations

  • ITIL Service Management
  • Threat Modelling
  • Threat Analysis
  • Threat Hunting
  • Threat Intelligence
  • Create and improve security monitoring and threat detection use cases
  • Conduct blind spot detection assessments
  • Automate SOC processes
  • Respond rapidly to Incidents

1.3. Business

  • New Drivers
  • Customers
  • New governance
  • New privacy regulation
  • SOC Metrics

1.4. People

  • New roles and hierarchy
  • Training
  • Knowledge Management
  • SOC Career progression
  • Assessing the SOC team

Frameworks, best practices for this module (Hands-on):

SOC Maturity Model, SOC Implementation Model, The Library of Cyber Resilience Metrics, NIST NICE

This module introduces students hands on to the Virtual SOC that they will be working in throughout the course, and how the various tools and technologies deployed are working together. Throughout the module, students will work on a business case, where they are assigned to process some tasks.

2.1. ITSM and CMDB (Hands on)

2.2. SOC Ticketing System (Hands on)

2.3. SIEM (Hands on)

2.4. Threat Intelligence platform (Hands on)

2.5. Packet capture and analysis

2.6. Automation tools

2.7. Incident Response tool

2.8. Security Automation tool and scripts

Day 2 – Set the stage & Next level Threat Analysis

This module starts with an exercise in Network and Asset Modelling and Risk Analysis. Students will model the network that they’re assigned to monitor and protect on our Virtual SOC; label, classify and document the assets using the CMDB module on their ITSM, and conduct risk analysis on those assets. They’ll create log ingestion strategies to set up the best visibility to detect cyberattacks, and conduct detection assessments to help find detection blind spots. Students will ingest several types of logs into the SIEM instances to enable quick searches and investigation of events and configure ITSM modules to define SOC services.

3.1. Network Modelling, Asset Modelling, Risk Analysis (Hands-on)

3.2. Logging, Log sources, Log ingestion (Hands-on)

3.3. Blind Spot Detection Assessment (Hands-on)

3.4. ITSM and defining SOC Services in conformance with ITIL (Hands-on)

While junior and medior SOC Analysts are expected to have a thorough understanding of Attacker Techniques, the Threat Analyst must master them! This module dives deep into the MITRE ATT&CK Framework by understanding the different environments, its navigators, their associated tactics and techniques and how to work with them alongside the Cyber Kill Chain. Students will integrate and apply this knowledge during the course of the training.

4.1. MITRE ATT&CK Framework (Hands-on)

4.2. MITRE ATT&CK Navigator (Hands-on)

4.3. Cyber Kill Chain (Hands-on)

Modules 3 and 4 have set the stage for deep investigations on escalated threats and incidents. This is where we start confusing students a bit, pushing their boundaries to activate their analytical brain, trigger their curiosity and use their creativity during investigations. The module is delivered in a Capture the Flag format replicating the real workplace as much as possible: Students will work on both Splunk and Elastic SIEM environments for investigation, correlation, alerting, escalation and reporting purposes; get assignments on a virtual ITSM system as in a real SOC, and interact with their SOC mates on the investigation, escalation and hand-over activities. The hands on sections prepare for a complex homework assignment that they’ll receive on day 3.

5.1. Splunk and Elastic SIEM (Hands-on)

5.2. Threat Analysis, correlation and Attack Techniques (Hands-on)

5.3. Alerting, Reporting, Dashboarding and Escalating (Hands-on)

Day 3 – Adding some Intelligence to the Flavor

Students will create security monitoring and threat detection use cases in both Splunk and Elastic environments and will use MaGMa UCF to measure, maintain, improve, scale and manage the SOC use case library. They will analyse the structure of SIGMA rules and create, maintain, scale and improve their own rules. They will dive into the Threat Intelligence process and use it in a real case scenario for situational awareness and threat investigation and detection using a real Threat Intelligence Platform (MISP). These investigations are extended to the fascinating world of the Dark Web for Threat Intelligence purposes. During the hands-on practice, students will discover, share, store and correlate Indicators of Compromise of targeted attacks, financial fraud information, vulnerability information and threat actors. The hands-on section prepares students for a complex homework assignment they will complete after this module.

6.1. MITRE ATT&CK applied to monitoring, detection and threat intelligence

6.2. Security Monitoring and Threat Detection Use Cases (Hands-on)

  • Security Monitoring
  • Threat Detection
  • Use Case Development
  • MaGMa UCF

6.3. SIGMA Rules (Hands-on)

6.4. Threat Intelligence (Hands-on)

  • Types
  • Protocols
  • Standards
  • Feeds
  • Platforms
  • STIX/TAXII/OpenIoC

6.5. Threat Intelligence on the Dark Web (Hands-on)

Frameworks, best practices for this module (Hands-on):

  • CSAN Threat Actors
  • Threat intelligence protocols and standards
  • Pyramid of Pain and TTP’s
  • Cyber Kill Chain versus MITRE ATT&CK
  • OODA loop, Diamond model of intrusion analysis
  • Chatham House Rule
  • MaGMa and MaGMa UCF Tool
  • MISP
  • NIST NICE

Day 4 – Hunt like a Ninja, Defend like a Samurai

Module 4 starts with TTPs and the MITRE ATT&CK Framework in depth. Students will collect IoCs and structure a full Threat Hunting campaign, where they will create their own hypothesis and either confirm or discard it after cross-correlating events and determining their context, and identify and quantify vulnerabilities based on Splunk, Elastic and MISP. Students will track and document the entire process through their ITSM tool, just as next generation SOCs do. Once the threats are hunted, students will create their own rules to be shared and report the findings of their assignments. Finally, after an in-depth analysis, they will translate their technical findings to a management summary and deliver a board level presentation.

7.1. Pyramid of Pain (Hands-on)

7.2. TTPs (Hands-on)

7.3. Threat Hunting Methodologies (Hands-on)

  • Cyber Threat Hunting Framework
  • TaHiTI
  • The Hunting Loop

7.4. The Hunt Matrix (Hands-on)

7.5. The Defense Chain

7.6. Detection Feedback

7.7. Advanced Persistence Defense

7.8. Snort/Zeek Rules (Hands-on)

Frameworks, best practices, references for this module:

  • Threat intelligence protocols and standards
  • Pyramid of Pain and The Hunt Loop
  • Cyber Kill Chain versus MITRE ATT&CK Framework
  • The Defense Chain
  • OODA loop, Diamond model of intrusion analysis
  • MaGMa, MaGMa UCF Tool
  • MISP
  • NIST NICE

Day 5 – Department of Escalated Affairs

Our last module is led by the Incident Response PICERL model and the NIST Computer Security Incident Handling Guide. It evaluates the policies that govern incident response, incident response plans, the required procedures and the tools and technologies needed to handle an incident. From there on, the incident response process and activities are practiced hands-on with 2 exercises where students will be assigned on the ITSM tool to manage an incident from preparation to post-incident evaluation. The hands-on section uses a platform that provides endpoint-driven information security tools and infrastructure to help them investigate, process and lead incident response in our virtual SOC. The hands-on exercises prepare students for a complex homework assignment that will be part of the exam.

8.1. Preparation Phase (Hands-on)

  • Policies
  • IR Plan
  • IR procedures
  • Playbooks

8.2. Identification/Detection (Hands-on)

  • Memory Analysis
  • Disk Analysis
  • Malware Analysis (YARA)
  • Network Analysis

8.3. Containment

  • Systems
  • Network
  • Users
  • Services
  • Cloud

8.4. Eradication

  • Systems
  • Network
  • Users
  • Services
  • Cloud

8.5. Recovery

  • Systems
  • Data

8.6. Lessons Learned (Hands-on)

8.7. Dissemination and Security Awareness

Collect your badge of honor

1. Homework assignment in CTF format

The hands-on section on the last day of training prepares you for a complex, hands on homework assignment in a Capture the Flag format that will be part of your exam and certification. You must finalize your assignment before you can schedule your exam.

2. Exam

  • Language: English
  • Delivered: Online via a certified proctor
  • Questions: 40 multiple choice (5 questions related to your CTF homework assignment)
  • Time: 60 minutes

Dates & locations

Online Live

5 days

All day

Thu 30 April 2021
