hr_training.md

SOC HR and training

This page deals with SOC HR and training topics.

ToC

• Must read
• HR roles and organization
• Recommended SOC trainings
• Recommended CERT/CSIRT trainings
• Recommended offensive security trainings
• Recommended CTI trainings
• Recommended VOC trainings
• Recommmend management trainings
• To go further

Must read

MITRE reference

• MITRE, 11 strategies for a world-class SOC, Strategy 4, pages 101-123

HR roles and organization

As per what is explained on the management page, I would recommend to make sure the following roles are being assigned to people:

• SOC analyst;
• SOC analyst lead;
• SOC detection engineer;
• Threat intel analyst;
• Threat intel lead (if several analysts)
• SIEM expert and data scientist;
• Pentester (offensive team);
• Incident handler;
• Incident manager;
• SOC/CSIRT tools admin;
• SecDevOps analyst;
• SOC/CERT/CSIRT deputy manager.
• SOC/CERT/CSIRT manager.

They can be FTE or outsourced, it will depend on your needs and constraints. My recommendations are explained in the RACI template that I propose.

NICE Framework

NIST 800-181 National Initiative for Cybersecurity Education Framework (NICE Framework) has done work to standardise job roles in the area. These roles have standardised descriptions with a list of Tasks that the role typically does, as well as Tasks, Knowledge and Abiltiy to undertake that role. It is mainly focused on US Government, and includes some roles which are typical for the defence or intelligence sector.

https://niccs.cisa.gov/workforce-development/nice-framework

These roles can be difficult to understand initially, but it is simple to map them through to your existing roles (for example, Cyber Defence Analyst = SOC Analyst, Cyber Defence Infrastructure Support = SOC Detection Engineer). Alternatively you can readily build custom job roles utilising the Tasks, Knowledge, Abilities, and Skills listed in the framework.

There is a reference spreadsheet that NIST released that can assist in building custom roles: https://www.nist.gov/document/supplementnicespecialtyareasandworkroleksasandtasksxlsx

Recommended SOC trainings

Regular trainings

• PaloAlto, Fundamentals of SOC, mainly modules 1 to 8 :) [free]
• LetsDefend, Fundamentals of SOC; [free]
• Cybrary, MITRE ATT&CK threat hunting; [free]
• ENISA trainings; [free]
• Active Directory specifics:
  • train on AD specific attacks, Orange Cyberdefense GOAD [free];
    • Populate AD with "real life" objects, in an automated way, Badblood.
• Microsoft, NIS2 webinar

Challenges

• BlueTeamLabs challenges and investigations, here are a few free trainings that I recommend:
  • https://blueteamlabs.online/home/challenge/the-report-ii-82ea7781c5;
  • https://blueteamlabs.online/home/challenge/the-report-a6dd340dba;
  • https://blueteamlabs.online/home/challenge/attck-0e4914db5d;
  • https://blueteamlabs.online/home/challenge/d3fend-6c9dcd4b79;
  • https://blueteamlabs.online/home/challenge/bruteforce-16629bf9a2;
  • https://blueteamlabs.online/home/challenge/phishing-analysis-f92ef500ce;
  • https://blueteamlabs.online/home/challenge/phishing-analysis-2-a1091574b8;
  • https://blueteamlabs.online/home/challenge/log-analysis-sysmon-fabcb83517;
  • https://blueteamlabs.online/home/challenge/meta-b976cec9e2;
  • https://blueteamlabs.online/home/challenge/follina-f1a3452f34;
  • https://blueteamlabs.online/home/challenge/powershell-analysis-keylogger-9f4ab9a11c;
  • https://blueteamlabs.online/home/challenge/secrets-85aa2bb3a9;
  • https://blueteamlabs.online/home/challenge/paranoid-e5e164befb;
  • https://blueteamlabs.online/home/investigation/deep-blue-a4c18ce507;
  • https://blueteamlabs.online/home/investigation/sam-d310695187.
• Cyberdefenders, here are a few free trainings that I recommend:
  • https://cyberdefenders.org/blueteam-ctf-challenges/91;
  • https://cyberdefenders.org/blueteam-ctf-challenges/47;
  • https://cyberdefenders.org/blueteam-ctf-challenges/77;
  • https://cyberdefenders.org/blueteam-ctf-challenges/73;
  • https://cyberdefenders.org/blueteam-ctf-challenges/67;
  • https://cyberdefenders.org/blueteam-ctf-challenges/68;
  • https://cyberdefenders.org/blueteam-ctf-challenges/60;
  • https://cyberdefenders.org/blueteam-ctf-challenges/32;
  • https://cyberdefenders.org/blueteam-ctf-challenges/17.
• SOC Vel.

SIEM

Splunk

• Trainings [free]:

  • Getting data into Splunk

  • Intro to SPL2

  • Comparing values

  • Working with time

  • Result modification

  • Scheduling reports & alerts

  • Visualizations

  • Using fields

  • Creating field extraction

  • Intro to dashboards

  • Intro to knowledge objects

  • Datamodels

  • Security operations and defense analyst

  • Intro to Splunk Security Essentials

  • Splunk Enterprise installation & configuration

  • Using the monitoring console

  • Attack simulation & investigation: Splunk attack range.

• Challenges:

  • CTF: BOTS [free]:
    • https://cyberdefenders.org/search/labs/?q=splunk

Microsoft (Defender XDR / Sentinel)

• Become an Azure Sentinel Ninja [free];
• Incident Response with alerting on Azure

Certifications

Free certifications:

• LetsDefend, SOC Fundamentals;
• PaloAlto, PAN, Fundamentals of SOC;
  • NB: you'll need to log-in first!
• CrowdSec, cybersecurity fundamentals;
• FIRST, CVSS v4;
• PaloAlto, Fundamentals of network security;
• Cybrary, Log analysis;
• Cybrary, Host analysis;
• Cybrary, Digital forensics;
• Cybrary, Network communication analysis;
• Cybrary, CyberSecurity Fundamentals;
• Cybrary, Defensive Security Fundamentals;
• Microsoft, Microsoft Sentinel Ninja;
• Amazon, AWS Security Fundamentals.

Paid certifications:

• BlueTeamLabs, BTL (level 1 & 2);
• SANS SEC555: SIEM with tactical analytics;
• SANS, SEC450: Blue Team Fundamentals: Security Operations and Analysis;
• Microsoft, SC-200: Microsoft Security Operations Analyst;
• EC-Council, CEH;
• OffensiveSecurity, OSDA SOC-200;
• XMCyber, Exposure Management;
• Microsoft, SC-100: Cybersecurity Architect;
• Splunk, Certified Power User;
• Splunk, Certified Cyberdefense Analyst;
• SANS, SEC587: Advanced Open-Source Intelligence (OSINT) gathering and analysis;
• SANS, SEC501: Advanced Security Essentials - Enterprise Defender;
• SANS, SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection;
• SANS, SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection.

Not working anymore ATOW: EthicalHackersAcademy, SOC & SIEM Security program: L1, L2, L3.

Recommended CERT/CSIRT trainings

Must read/watch:

• Microsoft, New threat actor naming taxonomy
• Mariusz Banach, Techniques Across the Kill-Chain
• DFIRReport, Cobalt Strike Defender's guide
• NATO, reverse engineering handbook

Regular trainings & challenges [Free]

• ENISA, trainings;
• FIRST, trainings;
• Malware Traffic Analysis;
• Microsoft, Become a Microsoft Sentinel Ninja;
• A. Borges, MAS series;
• Hack The Box;
• Root-me, "Entretien avec l'ANSSI"-named challenges;
• Sleuthkit, Investigating data exfiltration"
• Embee Research, Unpacking .Net malware.

Certifications

Paid certifications:

• GIAC, GCIH;
• SANS, SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection;
• SANS, FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics;
• SANS, SEC555: SIEM with tactical analytics;
• SANS, FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response;
• SANS, FOR578: Cyber Threat Intelligence;
• SANS, FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.

Free certifications:

• EC-Council, Digital Forensics Essentials
• CrowdSec, CrowdSec Fundamentals [free];
• Splunk, free training.

Challenges

• LetsDefend, here are a few free trainings that I recommend:
  • https://app.letsdefend.io/challenge/conti-ransomware/;
  • https://app.letsdefend.io/challenge/IcedID-Malware-Family/;
  • https://app.letsdefend.io/challenge/shellshock-attack/;
  • https://app.letsdefend.io/challenge/phishing-email/;
  • https://app.letsdefend.io/challenge/investigate-web-attack/;
  • https://app.letsdefend.io/challenge/infection-cobalt-strike/;
  • https://app.letsdefend.io/challenge/malicious-chrome-extension.

Recommended CTI trainings

Certifications

• RecordedFuture, Cyber Threat Intelligence Fundamentals

Recommended VOC (Vulnerability management) trainings

Certifications

• XM Cyber, Exposure Management Certification

Recommended offensive security trainings

NB: this is mainly for red/purpleteaming activities.

Regular trainings

• Mariusz Banach, Evasion in Depth - Techniques Across the Kill-Chain;
• Cybrary, MITRE ATT&CK threat hunting;
• HackTheBox;
• CybersecurityUp, OSCE complete guide;
• RTFM.

Certifications

• SkillsForAll, Ethical Hacker;
• Offensive Security OSCP;
• SANS, SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection;
• SANS, SEC565: Red Team Operations and Adversary Emulation;
• SANS, SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection;
• SANS, SEC760: Advanced Exploit Development for Penetration Testers.

Recommended management trainings

Paid certifications

• SANS, MGT512: Security Leadership Essentials for Managers;
• SANS, SEC450: Blue Team Fundamentals: Security Operations and Analysis;
• ISC2, CISSP;
• NIST, Risk management framework

To go further

• The best BlackHat and DefCon talks of all time
• Paul Jerimy, Security certification roadmap
• List of the expected legit system services to be found on a Windows 10/11 box, my Git page

End

Go to main page.