DOMAIN 1 : SOC Operations & Architecture

• Functions of SOC
• SOC Models
• SOC Types
• SOC Team Hierarchy & Roles
• SOC Maturity Model, SOC-CMM
• SOC Services: Security Monitoring, Incident Response, Security Analysis, Threat Hunting, Vulnerability Management, Log Management
• Heart of SOC- SIEM
• SIEM guidelines and architecture
• Traditional SIEM vs Cloud native SIEM
• XDR, SOAR, MSSP

Domain 2: Vulnerability Management and Endpoint Analysis

• Concept of VAPT
• Nessus Vulnerability Scanning and Management
• System Hardening and Audits of Endpoints
• Patch Management

Domain 3: Advance SIEM Concepts

ELK Stack Primer

• Installing Elastic
• Installing Logstash
• Creating Visualizations with Kibana
• Collecting Logs from Windows Servers with Winlogbeat
• Collecting Logs from Linux Servers with Filebeat
• Collecting Network Traffic with Packetbeat
• Getting Elastic Stack Production Ready

IBM QRadar

Introduction to Qradar

• QRadar SIEM component architecture and data flows
• Using the QRadar SIEM User Interface

Working with logs

• Working with offense triggered by events
• Working with offense triggered by flows
• Working with events of an offense

Monitoring

• Monitor QRadar Notifications and error messages.
• Monitor QRadar performance
• Review and interpret system monitoring dashboards.
• Investigate suspected attacks and policy breaches
• Search, filter, group, and analyze security data

Intercept

• Investigate the vulnerabilities and services of assets
• Investigate events and flows
• Developing custom rules
• Use index management
• Index and Aggregated Data Management
• Use AQL for advanced searches
• Creating Alerts for intrusions
• Explain error messages and notifications
• Analyze a Real-world scenario
• Creating Reports
• Case Studies

DOMAIN 4 : Threat Hunting

Threat Hunting Terminology

– What is Threat, its Types

– Incident Response & Threat Hunting Relationship

– APT : Advanced Persistent Threat

– Tactics, Techniques, and Procedure

– Pyramid of Pain

Hash values , Ip address , Domain names , Network /Host artifacts , tools , TTP’s.

– Cyber Kill Chain

– Diamond Model Analysis

Threat Hunting Hypothesis

– MITRE ATT&CK Framework

– Pre and Post Compromise Detection with Mitre ATT&CK

– Mitre D3fend

– Hunting Hypothesis and Methodology

A.Pick a Tactic and Technique

1. find procedure(s)
2. perform a attack simulation
3. Identify evidence to collect
4. Set scope.

Network Traffic Hunting

– ARP Traffic

– ICMP traffic

– TCP and UDP Analysis

– HTTP and HTTPS traffic suspects

– Detecting SQL Injection,Command injection  From Network Traffic

– Network Hunting and Forensics

– Wireshark, Network Miner

Endpoint Hunting

– Introduction

– Windows Processes

• smss.exe
• Winlogon.exe
• Wininit.exe
• Services.exe
• Lsass.exe
• Svchost.exe
• Taskhost.exe
• explorer.exe

– Endpoint Baselines

– Threat Hunting with PowerShell

– Registry Analysis

Malware Hunting

– Malware Overview

– Redline :

• Collector
• Usage
• File Analysis
• Detection Code Injection

– Memory Forensics Analysis for Threat Hunting

• Understanding Common Windows Services and Processes
• Identify Rogue Processes
• Analyze Process DLLs
• Review Network Artifacts
• Check for Signs of a Rootkit
• Acquire Suspicious Processes
• Memory analysis using Volatility
• Steganography, ADS ,Overwriting Metadata – Anti Forensics Detection
• Corporate Case Study
• Case Study : Ransomware as a Service