SOC Analyst Foundation (S-SAF)

SOC Analyst Foundation Course Modules

Module 1 – Setting the Stage: The SOC and the Tier 1 Analyst

This module briefly introduces you to the processes, data flows and capabilities of a Security Operations Center. First, you will gain insight into the services that a SOC delivers, the technologies deployed in a SOC, and how SOC technologies interconnect. Next, you will grasp SOC roles, responsibilities and tasks from Tier 1 up to management. Following an overview of SOC processes, technologies and responsibilities, the module dives deep into the Tier 1 analyst role. You will understand Tier 1 SOC analyst tasks and the SOC KSA matrix (Knowledge, Skills, Abilities). Finally, you will get familiar with key tools and resources, the major challenges and pitfalls for a junior analyst, and how all of the above are addressed in the training process.

1.1. Introduction to SOC, SOC Services and Technology Based on the SOC Maturity Model (SOC-CMM)
1.2. Roles and Responsibilities in a SOC, SOC Escalation Processes and Career Paths
1.3. Tasks of the Tier 1 Analyst
1.4. Core Skills of the Tier 1 Analyst:
• Understanding attacker techniques and vulnerabilities;
• Ability to identify critical company assets and key systems;
• Knowing where and how to collect data and logs;
• Ability to analyse events and make decisions on whether to declare a security incident;
• Ability to report findings and escalate.
1.5. Key Toolset of the Tier 1 Analyst (SIEM, ITSM and SOC Ticketing System)
1.6. Key Data Sources Initiating Investigations:
• SIEM alerts
• IDS alerts, firewalls, network traffic logs, endpoints
• User reports
1.7. Key Data Sources Supporting Investigations:
• Vulnerability Management
• Threat Intelligence
• Malware Analysis

Module 2 – Key Toolset of the SOC Analyst: SIEM, ITSM, the SOC Ticketing System, and the SOC Analyst Mindset

This hands-on module introduces you to SIEM, ITSM and SOC Ticketing Systems. First, you will understand how SOC tools are used and how they work together. You will learn to use key SIEM technologies and data processing models, focusing on Elastic and Splunk, the currently most popular SIEM products on the market. Furthermore, you will experience the challenges SOC analysts face when working with different team members and transitioning from ITSM to more advanced SOC tools in order to deliver a high-quality service. In this module, you will also work on a business case: You will be assigned to process some tasks in a virtual SOC via a ticketing system. Your hands-on tasks will immerse you in the security analyst mindset and the analytical, step- by-step process of an investigation.

2.1. ITSM
2.2. SOC Ticketing System
2.3. SIEM
2.4. The Mindset of a Security Analyst – Introduction
2.5. Hands-on exercise integrating the use of SOC tools and mindset

Module 3: Log Collection, Use Cases, Threat Detection and Monitoring

This module immerses you in the theory behind log monitoring and security monitoring systems along with hands-on exercises in security logging and analysing log collections. You will learn the fundamentals of attacker techniques, vulnerability finding, critical asset identification and key systems identification. Subsequently, you will learn where and how to collect data (focusing on SIEM alerts, IDS alerts, firewalls, network traffic logs, endpoints and WAF), how to investigate and detect threats based on a large realistic dataset, and how use cases are applied to monitor the use of attack techniques. Module 3 aims to guide you step by step through the SOC analytical process, and help you understand what to look for when analysing log collections and key data sources that will support your investigations.

3.1. The Mindset of a Security Analyst – In Depth
3.2. Introduction to Attacker Techniques and Processes
3.3. Data Collection
• SIEM alerts
• IDS alerts
• Firewalls
• Network traffic logs
• Other data collection methods
3.4. Logs and Log Collection
3.5. Critical and Key IT Systems and Their Logs (exercise)
3.6. ITSM and SIEM (hands-on practice)
3.7. Event Analysis, Correlation and Attack Techniques (hands-on practice)
3.8. Alerting, Reporting and Dashboarding (hands-on practice)
3.9. Security Monitoring Use Cases, MaGMA and MaGMA UCF

Module 4: Threat Analysis In Depth, Fundamentals of Threat Intelligence and Threat Hunting, Incident Response

Module 4 starts with a high- level introduction to the threat intelligence process and how it is applied to obtain situational awareness. Following an overview of threat intelligence, we dive deeper into the Pyramid of Pain and using the MITRE ATT&CK framework for threat hunting and threat analysis. You will fully understand the incident declaration and escalation procedure as well as the overall incident response model and process. In the hands-on practice segment, you will analyse a dataset in order to find indications of threats. After that, you will work with your fellow participants on a business case focused on managing incidents from preparation to post-incident analysis.

The hands-on exercises in Module 4 prepare you for a complex homework assignment you will complete after this module. The homework assignment will be a part of your certification exam!

4.1. Introduction to Threat Intelligence; Situational Awareness and Attribution
4.2. Pyramid of Pain and the MITRE ATT&CK Framework
4.3. Threat Analysis versus Threat Hunting
4.4. Detection: Continuous Improvement and Intelligence Feedback
4.5. Incident Response Model and Process
4.6. Hands-On Threat Analysis Exercise and Incident Response Business Case
4.7. Homework Assignment and Exam Preparation

SOC Analyst Foundation Certification Exam

1. Hands-on homework assignment in Capture the Flag (CTF) format
   The hands-on section of your last course day prepares you for a complex, hands-on homework assignment (Capture the Flag). This CTF assignment will be a part of your certification exam. You must finalize your CTF homework assignment before you can schedule your exam!
2. Exam
   The certification exam is conducted by the SECO-Institute, Europe’s leading security and continuity certification body. The exam voucher is included in the course fee, but you need to schedule your exam with the SECO-Institute. Upon successful completion of the exam, you will receive an exam certificate and an invitation to register your official SECO- SOC Analyst Foundation (S-SAF) certification title free of charge. By activating your certification title, you will become a certified professional in your field and you will receive a shareable digital badge to verify your competence to clients, employers and fellow professionals.• Exam language: English
   • Exam delivery: Online exam with remote proctoring
   • Exam format: 40 multiple-choice questions (5 questions related to your CTF homework assignment)
   • Duration: 60 minutes