My Journey as a Mid-Level SOC Analyst through the SOC Level 1 and Level 2 TryHackMe Certifications: Unveiling the Cybersecurity Toolkit
In my intensive 3-month training as a mid-level SOC (Security Operations Center) analyst, I’ve delved into a plethora of cybersecurity concepts, tools, and techniques. As I reflect on my journey, I can confidently say that the path I’ve taken has been both enlightening and rewarding. But is it worth it? Let’s explore the skills I’ve acquired and the certifications I’ve achieved to find out.
Building a Strong Security Posture
Understanding and implementing cyber defense frameworks is fundamental. These frameworks provide the scaffolding for a robust security posture. During my training I discovered frameworks and policies that help organizations establish effective security measures, and the Pyramid of Pain in particular taught me how to prioritize them against what an adversary actually finds hard to change.
Making Adversaries Pay
The Pyramid of Pain is more than a catchy name; it is a concept that resonates deeply with SOC analysts. It ranks indicators of compromise (IOCs) by how costly they are for an adversary to change: hash values at the bottom, then IP addresses, domain names, network and host artifacts, tools, and finally tactics, techniques and procedures (TTPs) at the top. Denying an indicator near the top hurts the adversary far more than blocking a hash they can regenerate in seconds. I've not only grasped this concept but also applied it practically to prioritize threat intelligence and incident response efforts.
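As an added example (my own illustration, not TryHackMe material), here is a small Python triage helper that assigns each indicator from a threat-intel feed to its Pyramid of Pain tier and sorts the feed so the highest-pain indicators come first. The feed format is an assumption: hashes, IPv4 addresses, domains and ATT&CK technique IDs are recognised by shape, while tools and host/network artifacts arrive with a `tool:` or `ua:`-style prefix because nothing in their text reveals the tier. The sample feed is constructed from reserved example values.

```python
import re

# Pyramid of Pain tiers, from the cheapest for an adversary to change (bottom)
# to the most expensive (top). The index in this list is the "pain" score.
PYRAMID = [
    "hash value",
    "ip address",
    "domain name",
    "network/host artifact",
    "tool",
    "ttp",
]

# MD5 / SHA-1 / SHA-256 hex digests
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# MITRE ATT&CK technique or sub-technique ID, e.g. T1059.001
_TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Assumed feed convention (not a standard): tools and artifacts arrive with a
# "kind:" prefix because they cannot be recognised by shape alone.
_TOOL_PREFIX = "tool:"
_ARTIFACT_PREFIXES = ("ua:", "mutex:", "regkey:", "uri:")


def classify(indicator: str) -> str:
    """Map one indicator string to its Pyramid of Pain tier."""
    ind = indicator.strip()
    low = ind.lower()
    if _HASH_RE.match(ind):
        return "hash value"
    m = _IPV4_RE.match(ind)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ip address"
    if _TTP_RE.match(ind):
        return "ttp"
    if low.startswith(_TOOL_PREFIX):
        return "tool"
    if low.startswith(_ARTIFACT_PREFIXES):
        return "network/host artifact"
    if _DOMAIN_RE.match(ind):
        return "domain name"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def pain(indicator: str) -> int:
    """0 for a hash (trivial to change) up to 5 for a TTP (hardest to change)."""
    return PYRAMID.index(classify(indicator))


def prioritise(indicators):
    """Sort a feed so the indicators that hurt the adversary most come first."""
    return sorted(
        ((ind, classify(ind)) for ind in indicators),
        key=lambda pair: PYRAMID.index(pair[1]),
        reverse=True,
    )


# Constructed sample feed (RFC 5737 test address, reserved example domain).
SAMPLE_FEED = [
    "0123456789abcdef0123456789abcdef",      # MD5-shaped hash
    "198.51.100.23",                           # IPv4 address
    "login-update.example.net",                # domain
    "ua:Mozilla/4.0 (compatible; MSIE 6.0)",   # network artifact: odd User-Agent
    "tool:mimikatz",                           # tool
    "T1059.001",                               # TTP: PowerShell execution
]

if __name__ == "__main__":
    for ind, tier in prioritise(SAMPLE_FEED):
        print(f"{tier:>22}  {ind}")
```

Run it and the TTP and the tool come out on top while the hash lands at the bottom, which is exactly the order in which an analyst should spend detection-engineering effort: a rule keyed on a technique outlives any number of rehashed samples.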
Unraveling Adversarial Tactics
Understanding the Cyber Kill Chain is like deciphering an adversary's playbook. From reconnaissance, through weaponization, delivery, exploitation, installation and command and control, to actions on objectives, each phase has distinct characteristics. I've studied how attackers progress through these stages, enabling me to anticipate their moves and bolster our defenses accordingly.
Bridging the Gap
The Unified Kill Chain (UKC) bridges the gap between frameworks by combining the Cyber Kill Chain with MITRE ATT&CK into 18 phases grouped in three stages: gaining an initial foothold (In), propagating through the network (Through) and acting on objectives (Out). It helps us recognize risk and potential mitigations in each phase, and in real-world scenarios I can place the activity I observe within the framework to respond effectively and minimize impact.
Analyzing Advanced Threats
When incidents occur, the Diamond Model provides a structured approach: every intrusion event is described by four core features, adversary, capability, infrastructure and victim, and by the relationships between them. I can build a Diamond Model to dissect a breach, intrusion or attack, and the same model lets me explain to non-technical stakeholders what happened during an event.
My Swiss Army Knife
MITRE's ATT&CK, CAR (Cyber Analytics Repository), ENGAGE, D3FEND and AEP (Adversary Emulation Plans) resources have become my go-to toolkit. Whether mapping adversary techniques to ATT&CK, pulling analytics from CAR or fine-tuning defensive countermeasures with D3FEND, these resources empower SOC analysts like me.
Turning Knowledge into Action
Identifying and leveraging available security knowledge is crucial. I’ve honed my skills in threat intelligence, using OSINT (Open Source Intelligence) tools to assess risks and investigate potential threats.
My Signature Weapon
YARA is my workhorse for threat intelligence, forensics and hunting. I write YARA rules, use its modules, and run them at scale with tools like LOKI, THOR, FENRIR and YAYA. Advanced YARA rules? Absolutely!
Collaboration and Sharing
OpenCTI and MISP facilitate collaboration within the SOC team: structured threat information sharing keeps us ahead of adversaries. I process threat intelligence and investigate incidents in OpenCTI.
Spotting Anomalies
Industry tools like Snort, NetworkMiner, Zeek and Brim help me spot network anomalies. Whether detecting threats in real time or analyzing captured traffic (pcap) files, I'm equipped to investigate.
Decrypting Network Secrets
Wireshark is my lens into live traffic. From packet dissection to actionable results, I hunt for anomalies, identify hosts and analyze encrypted protocols, decrypting TLS sessions when the session keys are available.
Where Adversaries Meet Their Match
Workstations are where adversaries spend most of their time, so monitoring them is essential. Understanding core Windows processes, what's normal and what's not, ensures we catch their every move.
Windows Processes and Sysinternals
Understanding core Windows processes is essential for any SOC analyst, and I have a solid grasp of what is normal and what is not. Sysinternals tools are my allies when analyzing Windows systems; from Sigcheck to Process Monitor, I'm well equipped to dissect system behavior.
Windows Event Logs and Sysmon
Windows Event Logs provide a wealth of information. Whether I'm using Event Viewer, wevtutil.exe or Get-WinEvent, I can query logs effectively. And let's not forget Sysmon, my go-to for monitoring and logging endpoints. Detecting Metasploit, hunting malware and identifying evasion techniques? Covered.
Osquery and Wazuh
Osquery lets me ask questions of the operating system in SQL; it's like having a conversation with my endpoints. Meanwhile, Wazuh enhances threat detection and file integrity monitoring. From deploying the server to auditing commands, I'm in control.
Investigating with ELK and Splunk
Elastic Stack (ELK) and Splunk are my investigative partners. Querying with KQL in Kibana? Creating visualizations and dashboards? Investigating potential C2 communications? All part of the routine. And when it comes to incident handling, Splunk helps me dissect an intrusion along the Cyber Kill Chain step by step.
Digital Forensics: Windows and Linux
I'm no stranger to forensic artifacts. In Windows, I gather evidence of user activity, executed programs and external devices; recovering deleted files is routine. In Linux, I examine OS information, running processes and logs. My toolkit includes Autopsy, Redline and KAPE.
Memory Forensics and Endpoint Monitoring
Volatility lets me extract secrets from memory images, identify processes and dig into advanced forensics. Velociraptor gives me an open-source platform for endpoint monitoring and collection, and TheHive Project is where I report investigation findings.
Phishing Defense: Analyzing and Detecting
Phishing emails? I'm ready. Understanding email components, headers and delivery? Check. Examining real-world phishing attempts? I have the eye for indicators.
Phishing Analysis Tools: Unmasking Suspicious Emails
When it comes to phishing analysis, I have an arsenal of tools: Messageheader and mailheader.org for dissecting email headers, urlscan.io and VirusTotal for scrutinizing URLs and attachments, and CyberChef, the all-purpose tool for data transformations. Together they let me unravel phishing attempts and protect against them.
Phishing Prevention: SPF, DKIM, DMARC, and S/MIME
Defending against phishing requires proactive measures. I'm familiar with SPF, DKIM, DMARC and S/MIME, the shields that safeguard an organization's email ecosystem. SPF declares which servers may send mail for a domain, DKIM signs messages so tampering is detectable, DMARC ties both results to the visible From: domain and tells receivers what to do on failure, and S/MIME adds end-to-end signing and encryption. Implemented together, they thwart unauthorized senders and ensure message integrity.
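To make the alignment point concrete, here is an added Python example (mine, not part of the TryHackMe material) that reads the receiving server's Authentication-Results header and re-derives the DMARC verdict: SPF and DKIM can both pass and the message can still fail DMARC when neither authenticated domain aligns with the visible From: domain, which is exactly what a lookalike-vendor phish relies on. Both messages are constructed with reserved example domains, and the organizational-domain logic is simplified to the last two labels, whereas real DMARC consults the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption: real DMARC uses the Public Suffix List, so two-part public
    suffixes such as "co.uk" would be handled wrongly here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


# Pieces of an RFC 8601 Authentication-Results header added by the receiving MTA.
_RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)")
_SPF_DOMAIN_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)")
_DKIM_DOMAIN_RE = re.compile(r"header\.d=([^\s;]+)")


def evaluate(raw_message: str, strict: bool = False) -> dict:
    """Re-derive the DMARC verdict from the receiver's SPF/DKIM results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))

    results = dict(_RESULT_RE.findall(auth))
    spf_match = _SPF_DOMAIN_RE.search(auth)
    dkim_match = _DKIM_DOMAIN_RE.search(auth)
    spf_domain = spf_match.group(1).lower() if spf_match else ""
    dkim_domain = dkim_match.group(1).lower() if dkim_match else ""

    spf_pass = results.get("spf") == "pass"
    dkim_pass = results.get("dkim") == "pass"
    spf_aligned = _aligned(spf_domain, from_domain, strict)
    dkim_aligned = _aligned(dkim_domain, from_domain, strict)

    return {
        "from_domain": from_domain,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes if at least one authenticated identifier aligns with From:
        "dmarc_pass": (spf_pass and spf_aligned) or (dkim_pass and dkim_aligned),
        # Classic BEC tell: replies are steered to a domain the sender does not control
        "reply_to_mismatch": bool(reply_domain) and org_domain(reply_domain) != org_domain(from_domain),
    }


# Constructed messages; all domains are reserved example names.
PHISH = """\
Return-Path: <bounce@vendor-mail.example.org>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bounce@vendor-mail.example.org; dkim=pass header.d=vendor-mail.example.org
From: "Finance Director" <director@example-corp.com>
Reply-To: payments@attacker-mail.example.net
To: accounts@example-corp.com
Subject: Urgent: wire today

Please process the attached invoice before close of business.
"""

LEGIT = """\
Return-Path: <bounce@bounce.example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bounce.example-corp.com; dkim=pass header.d=example-corp.com
From: "Finance Director" <director@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 invoice schedule

Schedule attached.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, evaluate(raw))
```

The phish shows `spf=pass` and `dkim=pass` yet `dmarc_pass` is False, because the attacker authenticated their own `vendor-mail.example.org`, not the From: domain; the `reply_to_mismatch` flag is the secondary indicator worth surfacing in a phishing triage report.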
Navigating the Labyrinth
Log operations are the heartbeat of any SOC. I understand the intricacies, from configuration options to planning and implementation, and I know the common pitfalls to avoid. Effective log management is a cornerstone of security.
Your Sherlock Holmes Moment
Log analysis is where I put on the detective hat. Whether automated or manual, I grasp the nuances: command-line tools, regex, CyberChef and YARA are my magnifying glass. I dive into logs, spot anomalies and uncover threats.
Query Wizardry
Splunk is my playground. Crafting complex search queries, applying regex and creating insightful reports is where my skills shine. And the dashboards? They're my canvas for visualizing data and setting up alerts.
Splunk: Setting Up the Lab
Installing Splunk on both Linux and Windows hosts? Check. Configuring Splunk to receive OS and web server logs? Covered. My SOC lab is ready for action.
Event Surgery
Parsing, masking sensitive information and custom event extraction: Splunk bends to my will. Configuration tweaks? Consider them done.
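Splunk does this through props.conf and transforms.conf; as an added example that is not the page's or Splunk's code, here are the same three operations in plain Python over a constructed web server access log: field extraction with a regex, masking of sensitive values, and a custom `txn` field pulled from the query string, followed by the kind of 4xx-per-client count a manual log-analysis session like the one described above would run to spot web enumeration. Card numbers are only masked when they pass the Luhn check, so a transaction ID that merely looks like a card number survives intact. The IP addresses are RFC 5737 test addresses and 4111 1111 1111 1111 is a well-known test card number.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "common" log prefix; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# 13-19 digit runs, optionally separated by spaces or dashes (candidate card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order/transaction IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card numbers with asterisks, keeping the last four digits."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw                          # not a card number, leave it alone
        trailing = raw[len(raw.rstrip(" -")):]  # keep a separator the match swallowed
        return "*" * (len(digits) - 4) + digits[-4:] + trailing
    return PAN_RE.sub(repl, text)


def parse_line(line: str):
    """Field extraction: standard fields plus a custom 'txn' field from the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = parse_qs(urlsplit(rec["path"]).query)
    rec["txn"] = query.get("txn", [None])[0]
    return rec


def process(lines):
    """Mask first, then parse, so sensitive data never reaches the indexed fields."""
    records = []
    for line in lines:
        rec = parse_line(mask_pans(line))
        if rec is not None:
            records.append(rec)
    return records


def failures_by_ip(records, threshold: int = 3) -> dict:
    """Clients with many 4xx responses: a crude web-enumeration signal."""
    counts = Counter(r["ip"] for r in records if 400 <= r["status"] < 500)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (RFC 5737 addresses; 4111 1111 1111 1111 is a
# well-known test card number that passes Luhn, 1234567890123456 does not).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jul/2024:09:15:02 +0000] "POST /pay?card=4111111111111111&txn=1234567890123456 HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Jul/2024:09:15:05 +0000] "GET /admin HTTP/1.1" 404 210',
    '198.51.100.9 - - [16/Jul/2024:09:15:06 +0000] "GET /wp-login.php HTTP/1.1" 404 210',
    '198.51.100.9 - - [16/Jul/2024:09:15:07 +0000] "GET /.env HTTP/1.1" 403 199',
    '198.51.100.9 - - [16/Jul/2024:09:15:08 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210',
    '203.0.113.7 - - [16/Jul/2024:09:16:11 +0000] "GET /orders?txn=1234567890123456 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    recs = process(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], r["status"], r["path"], r["txn"])
    print("suspicious clients:", failures_by_ip(recs))
```

Masking before parsing matters: once a card number is indexed as a field it lives in every search result and every dashboard export, which is the pitfall the Splunk room's masking exercise is built around.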
Fixit
When log parsing goes awry, I'm the troubleshooter: fix the parsing configuration, then dive into the data.
Advanced ELK: Mastering the Stack
ELK (Elasticsearch, Logstash, Kibana) is my playground too. Integrating the components, creating alerts (hello, Wazuh) and crafting advanced KQL queries: my log investigation game is strong.
Data Sorcery
Logstash turns raw data into gold. Configuration files, input-filter-output pipelines and running them: I'm the alchemist.
Custom Alert Rules in Wazuh: Tailoring Defense
Wazuh rules? I'm the tailor. Custom-fit alerts for different environments are my SOC's bespoke armor.
Kibana Sorcery
Large datasets? No problem. My Kibana queries slice through the noise like a laser. Efficiency is my mantra.
Slingshot: Rewinding the Attack
Retracing an attacker's steps? With ELK I rewind time. An enumerated web server? I reconstruct the attacker's playbook from its logs.
Your Rulebook
Threat detection methodologies, rule syntax and SOC tools: I'm the strategist, and I've mapped out the different frameworks.
Tactical Detection: Baseline Savvy
Knowing the baseline, what normal looks like on a network or a host, is what makes deviations visible. Tactical detection builds on it: indicators and rules tuned to that baseline keep my compass pointing true.
Powering Up
Threat intel fuels the SOC engine. Classifications, producers, consumers and practical prevention: I'm the conductor.
Your SIEM Signature
Sigma rules? I wield them like a maestro: generic detection logic written once and converted into Elastic Stack queries, driving investigations and SecOps decisions.
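As an added example (not a rule from TryHackMe, SigHunt or the Sigma project), the Python below flattens two constructed Sysmon ProcessCreate events like the ones discussed under Windows Event Logs and Sysmon above, then evaluates a Sigma-style rule against them: an Office application spawning PowerShell with an encoded command, with a filter that excludes a named service account. The rule is written as a Python dict with Sigma's `field|modifier` keys and `condition` string to avoid a YAML dependency; the evaluator covers the contains/startswith/endswith/all modifiers and boolean conditions, a deliberate subset of the real Sigma language.

```python
import re
import xml.etree.ElementTree as ET

# Two constructed Sysmon Event ID 1 (ProcessCreate) records in the schema Sysmon
# writes to the Windows event log; fields the rule does not need are omitted.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1</Data>
    <Data Name="User">EXAMPLE\svc_inventory</Data>
    <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>""",
]

# Sigma rule expressed as a Python dict (assumption: real Sigma is YAML; the
# keys and modifiers below map one-to-one onto it).
RULE = {
    "title": "Office application spawning encoded PowerShell",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "EventID": "1",
            "Image|endswith": r"\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand"],
            "ParentImage|endswith": [r"\WINWORD.EXE", r"\EXCEL.EXE", r"\OUTLOOK.EXE"],
        },
        "filter_service_account": {"User|endswith": r"\svc_inventory"},
        "condition": "selection and not filter_service_account",
    },
}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event into {field: value}, ignoring the XML namespace."""
    event = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rpartition("}")[2]
        if tag == "EventID":
            event["EventID"] = (el.text or "").strip()
        elif tag == "Data" and el.get("Name"):
            event[el.get("Name")] = (el.text or "").strip()
    return event


def _match_value(value: str, pattern: str, modifiers) -> bool:
    v, p = value.lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def match_selection(selection: dict, event: dict) -> bool:
    """All fields in a selection must match; list values are OR-ed unless |all is given."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        candidates = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event[field], p, modifiers) for p in candidates]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def evaluate_rule(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition (and / or / not / parentheses) against one event."""
    detection = rule["detection"]
    names = {k: match_selection(v, event) for k, v in detection.items() if k != "condition"}
    tokens = re.findall(r"\w+|[()]", detection["condition"])
    for tok in tokens:
        if tok not in names and tok not in ("and", "or", "not", "(", ")"):
            raise ValueError(f"unknown token in condition: {tok!r}")
    # Every token was whitelisted above, so the expression only ever contains
    # True/False literals, boolean operators and parentheses.
    expression = " ".join(str(names.get(tok, tok)) for tok in tokens)
    return bool(eval(expression, {"__builtins__": {}}, {}))


if __name__ == "__main__":
    for ev in (parse_sysmon_event(x) for x in SAMPLE_EVENTS):
        parent = ev["ParentImage"].rsplit("\\", 1)[-1]
        verdict = "ALERT" if evaluate_rule(RULE, ev) else "ok"
        print(f"{verdict:5} {parent} -> {ev['CommandLine'][:40]}")
```

The Word-spawned encoded PowerShell fires; the scheduled inventory script run by svchost.exe does not, both because its parent is not an Office binary and because the filter would have excluded its service account anyway. That two-layer reasoning, a broad selection narrowed by explicit filters, is what keeps a Sigma rule portable across environments.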
Tracking New Threats
Creating detection rules based on fresh intel? SigHunt is my hound. Stay ahead of adversaries.
Sigma-Powered Sentinel
Aurora EDR, fueled by Sigma, detects suspicious events. User privileges and network anomalies? I'm on the hunt.
Orchestrating Defense
Security orchestration, automation and response (SOAR) is my playbook. Workflows, threat intel and practical execution: I run the show.
Unmasking the Shadows
As a threat hunter, I embrace the mindset of a digital detective. My process involves practical application and clear goals. From identifying footholds (initial access, execution, defense evasion, persistence) to pivoting (discovery, privilege escalation, lateral movement), I'm relentless, and when it comes to endgame actions (collection, exfiltration, impact), I'm on the hunt.
Payment Collectors
A real-life phishing scenario against a finance director? I'm up for the challenge. By analyzing logs I determine the extent of the damage, spotting the subtle indicators others might miss.
Hunt Me II: Typo Squatters
Malicious software executing inside a software developer's organization? I trace it back to its root cause. Persistence pays off as the hidden threats surface.
Adversarial Choreography
Threat emulation is my canvas. Whether through Atomic Red Team or CALDERA, I execute adversarial activities, and in purple team exercises I orchestrate tests of our detection capability.
Building Cyber Resilience
MITRE ATT&CK, DREAD, STRIDE and PASTA shape my cyber resiliency efforts. By modeling threats I fortify defenses and anticipate adversaries' moves.
Tactical Dissection
Incident response is my theater. From preparation (plans, people, technology) to identification and scoping, I dive in. Threat intel and containment? I gather intelligence and implement effective strategies.
Surgical Precision
Eradication techniques and recovery procedures: I apply them with precision, and I scope the eradication feedback loop until no stone is left unturned.
The Crucible of Experience
From the SwiftSpend incident recap to executive and technical summaries, I extract valuable lessons. Unique threat intelligence shapes my future responses.
Persistence Unveiled
In the Linux realm I uncover basic persistence mechanisms. Like a microscopic tardigrade, an attacker's implant is built to survive; my job is to find where it hides.
Malware Analysis: Decrypting the Code
Malware authors beware! I analyze their creations and unravel their intentions; my tools reveal their secrets.
The CPU Symphony
The Von Neumann architecture, CPU components, registers and memory layout: it's my symphony. Opcodes, instructions and conditionals dance to my tune.
Code Alchemy
From move instructions to stack manipulation, I'm fluent in assembly. Function calls? I follow the calling convention from prologue to epilogue.
Unveiling the Core
Understanding Windows internals is like deciphering the OS's DNA. From processes and threads to virtual memory and dynamic link libraries (DLLs), I've explored the very fabric of Windows. And the Portable Executable (PE) format? It's my gateway to understanding executable files.
Decrypting the Blueprint
PE headers hold the secrets. I've learned to read them: the DOS and NT headers, the section table, the entry point and the import metadata. And when it comes to identifying packed executables, the PE header reveals the hidden layers: sections carrying a packer's name, sections with near-random (high-entropy) content, or a section that is large in memory but has no data on disk because the stub unpacks into it at runtime.
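As an added example (my own code, not TryHackMe's), here is a Python PE header walker that reads the DOS header, PE signature, COFF and optional headers and the section table, then applies the packing heuristics just described: packer-style section names, a section that is empty on disk but large in memory, a high-entropy section, and an entry point that lands inside one. The two binaries it inspects are constructed in memory by a small builder (one compiler-like layout, one UPX-like layout), so nothing here is a real sample, and the packer-name list is a short illustrative one.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names packers commonly leave behind (assumption: a short illustrative list).
PACKER_SECTION_PREFIXES = ("upx", ".aspack", ".adata", ".petite", ".vmp", ".themida", "mpress")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)           # 0x10B = PE32, 0x20B = PE32+
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": flags, "entropy": shannon_entropy(raw),
        })
    entry_section = next(
        (s["name"] for s in sections
         if s["virtual_address"] <= entry_rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])),
        None,
    )
    return {"machine": machine, "magic": magic, "characteristics": characteristics,
            "entry_rva": entry_rva, "entry_section": entry_section, "sections": sections}


def packer_indicators(pe: dict) -> list:
    """Heuristics that suggest a packed binary; each string is one finding."""
    findings = []
    for s in pe["sections"]:
        if s["name"].lower().startswith(PACKER_SECTION_PREFIXES):
            findings.append(f"packer section name {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']} is empty on disk but {s['virtual_size']:#x} bytes in memory (unpacking target)")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']} entropy {s['entropy']:.2f} (compressed or encrypted data)")
        if s["name"] == pe["entry_section"] and s["entropy"] > 7.0:
            findings.append("entry point lies inside a high-entropy section (unpacking stub)")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, vaddr, vsize, raw_bytes) tuples (test fixture only)."""
    opt_size = 0xE0
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (header_len + 0x1FF) & ~0x1FF            # align raw data to 0x200
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    table, body, ptr = b"", b"", data_start
    for name, vaddr, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(data_start, b"\0") + body


# Constructed fixtures: a compiler-like layout and a UPX-like layout.
_CODE = b"\x55\x8b\xec" + b"\x90" * 400 + b"\xc3"
_DATA = b"Hello, SOC analyst\0" * 16
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 high-entropy bytes
CLEAN_PE = build_pe([(".text", 0x1000, 0x200, _CODE), (".data", 0x2000, 0x200, _DATA)], entry_rva=0x1000)
PACKED_PE = build_pe([("UPX0", 0x1000, 0x10000, b""), ("UPX1", 0x11000, 0x1000, _RANDOMISH)], entry_rva=0x11000)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        pe = parse_pe(blob)
        print(label, "entry in", pe["entry_section"], "->", packer_indicators(pe) or ["no packer indicators"])
```

None of these indicators is proof on its own (installers and games legitimately ship compressed resources), but an entry point inside a high-entropy section next to an empty-on-disk section is the pattern that tells you static string and import analysis will come up short until the sample is unpacked.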
Analyzing the Unknown
Unknown malware samples? I'm undaunted. By dissecting PE headers and applying static analysis I unravel their mysteries, with MalBuster as my trusty sidekick.
Code Archaeology
Ghidra is my scalpel. Common APIs, the building blocks of malware, are my focus. Process hollowing? I peer into the assembly code and reveal the adversary's tactics.
Running with the Shadows
Virtual machines are my playground. ProcMon filters out the noise, leaving only the process of interest. API calls reveal behavior, and process masquerading or hollowing? I spot the tricks.
Debugging the Intricate
Debuggers are my magnifying glass. Malware that evades static and basic dynamic analysis? Not on my watch. Changing the runtime environment and patching the sample: I'm at home in the debugger.
The Art of Obfuscation
Anti-reverse-engineering techniques? I've seen them all. Whether packing, encryption or obfuscation, I pierce through the veil with a formidable arsenal of tools.
Static Analysis of Deceptive Documents
Malicious documents (PDFs, DOC files, OneNote notebooks) harbor threats. My static analysis dissects their structure, revealing hidden payloads and traps.
In conclusion, my journey from novice to mid-level SOC analyst has been transformative. The certifications I’ve earned validate my expertise, but the real worth lies in the impact I can make—protecting organizations, thwarting threats, and securing our digital world. So, is it worth it? Absolutely!
Omid Rahimzadeh 2024/07/16
Reference: www.TryHackMe.com
Cybersecurity Enthusiast | Diploma in Cybersecurity, ISC2 CC | Aspiring Security Analyst | Fiber Technician at Optical Fiber Network Solutions