
DEF CON Training
Rod Soto - SOC 101 - SOC 1 Analyst Bootcamp $2,600 Early $2,150
Bio:
Rod Soto has over 15 years of experience in information technology and security. He has worked in Security Operations Centers as a support engineer, SOC engineer, and in security emergency response and incident response. He currently works as a detection engineer and researcher on the Splunk Threat Research Team. He previously worked at Prolexic/Akamai, Splunk UBA, and JASK (SOC automation).
Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and the Red Alert ICS CTF contest at DEF CON 2022. He has spoken at ISSA, ISC2, OWASP, DEF CON, RSA Conference, Hackmiami, DerbyCon, Splunk .CONF, Black Hat, BSides, and Underground Economy, and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision, BBC, Forbes, VICE, Fox News, and CNN.
Trainer(s) social media links: twitter.com/rodsoto
Training information:
Abstract
During this comprehensive course, tools and methodologies that are used in Security Operation Centers will be introduced and detailed. This course will provide students with extensive hands-on exercises and labs that emulate real-life security operation center tasks and related technologies.
From text handling, packet dissection, and analysis, to adversarial simulation and detection engineering, this course will provide students with a solid base of skills and a comprehensive understanding of a Security Operations Center (SOC) Analyst job.
The focus will be geared toward basic, hands-on skills that allow students to perform and excel at baseline SOC tasks.
Hardware & Minimum Course Requirements:
A laptop with 16GB of RAM and the ability to run Virtual Machines. Understanding of basic networking concepts and basic Linux comprehension.
Target Audience:
This training is geared toward information technology, computer systems, or computer networking professionals seeking to enter the information security industry, and it will also benefit those who want to develop the skills and knowledge necessary to work in a Security Operations Center.
Previous Trainings:
Rod Soto Udacity Instructor https://www.udacity.com/course/security-engineer-nanodegree--nd698
Rod Soto RSA Conference 2021
https://www.rsaconference.com/Library/presentation/USA/2022/Web%20Application%20Hacking%20101
Rod Soto - Red Team Village - Adversarial Simulation Workshop 2 hours. https://www.youtube.com/watch?v=YEnL8QfFlJI
Rod Soto - Linux Threat Detection using Attack Range - Texas CyberSummit 2022 https://www.youtube.com/watch?v=YEnL8QfFlJI
For new Trainers, so the Review Board is able to get a sense of your presentation style, do you have a video sample of any previous conference presentations or training? (Optional)
Rod Soto - Red Team Village - Adversarial Simulation Workshop 2 hours. https://www.youtube.com/watch?v=YEnL8QfFlJI
Skills that will be learned:
This course will provide students with the necessary skills and knowledge to work in a Security Analyst 1 job and to understand the dynamics of a Security Operations Center.
Outline – with Exercises:
Day 1
Introduction to SOC & SOC-related technologies (2 hours)
Whoami
What is a SOC
Types of SOC
What is expected of a SOC Analyst (SOC 101)
Security Principles
Access Controls
SOC Security Technologies
Principles of Defense in Depth
Defense in Depth technologies
SOC main focus - Endpoints (Linux - Windows)
Linux Access Controls (DAC, MAC), Access Log locations
Exercise 1. Linux Access Controls, Linux Access Logs (grep, awk, and cli tools)
Exercise 2. Windows Access Controls - NTFS & Active Directory
(Sysinternals AccessEnum, PowerShell & Windows CLI commands)
User Groups, Permissions, NTFS folder and file permissions.
Security Events & Data Manipulation (2 hours)
What is a security event?
Security Event Types
Triage of Security Events/Incidents
Logs & Text manipulation
- Logs, metadata, management, ETL, storage
- Linux, PowerShell, Batch - GREP, AWK, SED, REGEX
- Log and Metadata Standards - CIM, WWW, JSON, XML, SYSMON, SYSLOG, CSV
- Linux Logs → locations and structure
- Windows Logs → locations and structure
Exercise -
Use regex against CSV, WWW, and raw logs to find security-event-relevant metadata
Use PowerShell to view, parse, and find data in files
Use cat, grep, sed, and awk to manipulate and find data and to understand the structure of log files (syslog, Sysmon, JSON, XML)
Identify the attack vector in logs
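A worked form of the grep/sed/awk log-triage exercise above, written as an added example rather than course material from Rod Soto: it pulls sshd authentication failures out of syslog-style lines, counts them per source address, and flags any source whose failures are followed by an accepted login, which is the event an analyst would escalate. The log lines are constructed samples using documentation-range addresses, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not course material): triage sshd authentication events in
# syslog-style lines using grep, sed and awk. SAMPLE_LOG is a constructed
# sample; in practice the input would be /var/log/auth.log or /var/log/secure.

SAMPLE_LOG='Mar  3 10:01:12 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:19 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:01 web01 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:44 web01 sshd[2251]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2
Mar  3 10:03:02 web01 sshd[2260]: Failed password for backup from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:40 web01 sshd[2270]: Accepted password for root from 203.0.113.7 port 51044 ssh2'

# Count "Failed password" events per source IP, most frequent first.
# grep selects the sshd failure lines, sed extracts the address after "from",
# sort | uniq -c | sort -rn ranks them, awk normalises the output to "COUNT IP".
failed_logins_by_ip() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print each source IP that reached THRESHOLD (default 3) failed passwords and
# was afterwards accepted: a password-guessing run that succeeded. awk keeps a
# per-IP failure counter while streaming the log in order.
brute_force_then_success() {
  threshold="${1:-3}"
  printf '%s\n' "$SAMPLE_LOG" | awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password/ {
      ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
      fails[ip]++
    }
    /sshd\[[0-9]+\]: Accepted / {
      ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
      if (fails[ip] >= t) print ip
    }'
}

echo "Failed logins by source IP:"
failed_logins_by_ip
echo "Sources with >= 3 failures followed by a successful login:"
brute_force_then_success 3
```

On the sample, 203.0.113.7 accounts for three failures and then an accepted password for root, so it is the one address the second function reports; the publickey login from 198.51.100.4 has no preceding failures and stays quiet. Replacing `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/auth.log` turns this into the same check over a real file.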
Networking - Threat Detection & Analysis (2 hours)
Network Basics
Basic TCP/IP – OSI Layers, distribution by protocol RFCs
Netflow
Packet Capture
Wireshark, TCPDump
PCAP readers – Chaos Reader, Foremost, Network Miner, Arkime
Network Analysis and threat detection
Arkime
Suricata
Exercise -
Use tcpdump & Wireshark to find attack signatures in attack pcaps
Use NetworkMiner to mine and identify information
Use Arkime to capture and obtain pcaps
Replay pcap and visualize detection in Suricata
Vulnerabilities & Attacks (2 hours)
Vulnerabilities & Attacks SOCs are exposed to
Endpoints
Servers
Applications
Cloud
Industry Nomenclature
Mitre CVEs, Mitre ATT&CK, OWASP TOP 10
TLP (Traffic Light Protocol)
CVSS
Industry Compliance Frameworks
Risk & Threat Modeling
Exercise -
Identify a vulnerability, score risk, and calculate CVSS
Identify APT 28 TTPs
Perform an RDP attack against a Windows host and find the related policies and security logs
Identify an OWASP Top 10 attack in a campaign (SQLi / nginx logs)
Day 2
Management of logs (3 hours)
How to send logs to a centralized location
- syslog, rsyslog, netcat
- Windows Event Subscription
- Malware-related logs → registry, EVTX/XML, JSON, WWW
Management of centralized logs
SIEM
SPLUNK
Elastic
Introduction to EDR
Wazuh
OpenEDR
Exercise
Use Docker to create a Splunk instance, upload data, and find a threat in the uploaded data
Use Docker to create an Elastic instance, upload data, and find a threat
Operate a Wazuh instance to load data and discover and analyze threats
Install OpenEDR and detonate threats to verify detection
Use the EICAR test file to visualize Windows Defender alerts and logs at the endpoint and in the SIEM
Use Elastic EDR to find threats
Adversarial Simulation & Detection Engineering (3 hours)
Infrastructure as Code
Adversarial Simulation Frameworks
Atomic Red Team
Operator
Splunk Attack Range
Manual exploitation
Detection engineering Windows (Sysmon)
Detection Engineering Linux (Syslog)
Exercise
Execute Atomic Red Team atomics against a target
Devise a detection from collected logs
Execute an attack on a Linux host and detect it from collected logs
SOC challenges and interactions (1 hour)
Cryptography and the SOC
Incident Response
SOC Periphery teams
CTF (1 hour)
Technical difficulty of the class (Beginner, Intermediate, Advanced) and any required experience or skills needed (Such as Python, knowledge of specific deep-learning algorithms, TCP dump analysis, Ghidra, etc.)
Beginner; requires basic Linux, Windows, and networking skills
Suggested prerequisites:
Basic understanding of Windows and Linux Command Line, as well as basic networking (TCP/IP)
Items students will need to provide:
A laptop with 16GB of RAM and the ability to run Virtual Machines. Understanding of basic networking concepts and basic Linux comprehension.
DATE: April 13th-14th 2023
TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center Bellevue, WA
TRAINER: Rod Soto
- 16 hours of training with a certificate of completion.
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early.
- 2 coffee breaks are provided per day.
- Note: Food is not included.
Registration terms and conditions:
Trainings are refundable before March 1st; the processing fee is $250.
Trainings are non-refundable after March 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004