Become a SOC Analyst - Level 2

The Network Vulnerability Assessment Using Nmap Advanced IT pro Challenge from Learn on Demand challenges students to perform a variety of network vulnerability scans in Ubuntu against hosts and machines. This requires the installation of Nmap, Apache2 packages, and configuring the Linux Uncomplicated Firewall(ufw) to block ICMP ping requests.

In this IT Pro Challenge virtual lab, you will get hands-on experience using Wireshark to sniff network traffic and detect non-secure protocols being used in the environment. You will investigate evidence of secured versus non-secure traffic. The skills you will learn in this lab are essential for network security analysts and penetration testers.

In this lab we will replicate potentially malicious scans from the Internet against a corporate asset. Scans from the Internet are very common. An analyst should know how to identify this activity by artifacts that are present in the IDS as well as entries in the web logs.

The Centralized Monitoring Lab from CybrScore will introduce the student to centralized monitoring using Splunk. The lab covers importing existing data and doing a basic search. You will also set up a TCP/UDP input.

Students will walk through the creation of SIEM reports using the SPLUNK tool.

In this lab, students will learn to use the command line in Linux to parse log files by using commands lile gawk. Students will also use Splunk to analyze log files.

In this lab you will use Windows Event Viewer to view and filter the security event log on a Windows 7 client computer specifically for account logons.

This lab teach students how to extract various files from network traffic using Network Miner and Wireshark.

Students will participate in attack analysis/incident response, including root cause determination, to identify vulnerabilities exploited, vector/source and methods used (e.g., malware, denial of service).

This lab exercise is designed to allow the trainee to become familiar with using Network Miner.

Take on the role of the lead incident responder on a sysadmin team, and use incident response methodologies to: determine what happened, identify any malicious files found on the system, take the appropriate steps to resolve any discovered issues, and investigate critical system modifications to determine if a virus was installed on the machine.

When investigating a cybersecurity incident it's important to take memory snapshots of affected systems for further analysis. Students will conduct analysis and look for malicious network connections, processes, and other artifacts.

In this lab, you will get an opportunity to examine a system that was and is still actively compromised by an attacker. You have likely read articles in the news or heard from your professors about some of the various high-profile attacks where large companies had systems compromised. It is important to be able to look at a system and know how to examine it in order to determine if the system has been compromised. There are utilities that are built into the operating system as well as third-party utilities that can be utilized to help you determine if a system is compromised. Some of the common tasks that be performed to check for a system compromise include examining network connections, file time stamps, viewing the registry, and dumping and examining the RAM of the system. This lab will help you learn about the possible indications of a compromised system.

A network compromise is when your system is attacked and an attacker has a foothold over the operating system and has performed various actions such as installing back doors, modifying the file system, and created log file entries. It is critical for you to be able to know what the indicators of a network compromise are and know how to respond to one.

In this lab, students will examine two disk image files and their hashes using MD5 and SHA-1. Students will also use a tool called hashtab to verify the files have not been altered.

Students will detect malicious files and processes using various tools. Students will then remove the malicious files and/or processes.

Students will use Olly Debugger and Process Hacker to debug a suspect program and determine if any of the observed behavior is malicious or not. This lab shows one possible way malicious software hooks into legitimate programs and will provide an "under the hood" perspective on how programs work in the Windows environment.

The highest risk systems are the ones with Internet facing Applications. One an attacker from the Internet is able to compromise the internal network, then it is very likely they will attempt to move to other machines on the network.

This last lab is similar to the Windows Incident Response lab, but different in that this one requires you to run through the IR process in a Linux, more specifically a Red-Hat, environment.