In 2018 there were over 6,500 cyber incidents that resulted in the compromise of over 5 billion sensitive records, with the average cost of a single data breach at $3.9 million*. Malicious attacks were the root cause of almost 50% of these data breaches*. Rather than focusing on “toolset mastery”, Obscurity Labs’ Security Operations Center (SOC) Immersion Training (SIT) aims to disrupt these breach statistics by educating SOC analysts in the critical analyst concepts and methodologies necessary to detect and respond to current real-world advanced persistent threat (APT) Tactics, Techniques, and Procedures (TTPs) and Tradecraft Core Concepts (TCC). Instead of the traditional “lecture then static lab” model, SIT uses a unique training model with hands-on, live attack scenarios performed by experienced Red Team Operators to reinforce the SOC analyst’s understanding of the lecture material. Although there is a course certificate, there is no "certification", annual maintenance fee (AMF), or continuing professional education (CPE) gimmick. This training course is designed to enrich and improve the knowledge, skills, and abilities an intermediate SOC analyst needs to maintain a competitive edge within the career field and against their adversaries.
Course Core Objectives
SIT is designed for intermediate-level cybersecurity and hunt team analysts to increase their functional knowledge of analytical thinking and analysis concepts. By walking through demonstrated real-world attack methodologies step by step, SIT gives analysts an in-depth understanding of how to analyze attack TTPs and the ability to construct complex IOCs derived from environment-specific threats and constraints. SIT accomplishes these course goals through labs taught from an attack-specific perspective, coupled with well-designed detection and analysis capabilities that produce forensic evidence from multiple emulated advanced adversary attacks.
Day 1 - Introduction and Analysis Methodology
- Welcome and Team Introductions
- Lecture: Tactics, Tools, and Techniques
- Lecture: Layered Analysis Methodology
Day 2 - Detect and Respond to Adversary Initial Access
- Lecture: Initial Access Overview
- Lecture: HTML Application (HTA)
- Live Attack Labs: HTA
- Lecture: Microsoft Office Macros
- Live Attack Labs: Visual Basic for Applications (VBA)
- Lecture: Microsoft Silverlight
Day 3 - Detect and Respond to Adversary Persistence
- Lecture: Persistence Overview
- Lecture: Registry Modification
- Live Attack Labs: Registry Modification
- Lecture: Service Abuse
- Live Attack Labs: Service Abuse
- Lecture: Windows Management Instrumentation (WMI) Subscriptions
- Live Attack Labs: WMI Subscriptions
Day 4 - Detect and Respond to Adversary Privilege Escalation
- Lecture: Privilege Escalation Overview
- Lecture: PowerUp
- Live Attack Labs: PowerUp
- Lecture: User Account Control (UAC) Bypass
- Live Attack Labs: UAC Bypass
- Lecture: Remote Privilege Escalation
- Live Attack Labs: Remote Privilege Escalation
Day 5 - Detect and Respond to Adversary Lateral Movement and Objective Achievement
- Lecture: Lateral Movement and Objective Achievement Overview
- Lecture: PsExec / PowerShell
- Live Attack Labs: PsExec / PowerShell
- Lecture: WMI Process Creation
- Live Attack Labs: WMI Process Creation
- Lecture: WMI Subscription
- Live Attack Labs: WMI Subscription
- Culmination Lab Exercise
Note: This outline (including lectures and labs) is subject to change (e.g. a specific technique lecture and/or lab may be added or removed).
SIT Core Concepts
Executing a Layered Analysis Methodology
When analyzing an alert, it is important to follow a methodology that encourages analytical thought. This enables the SOC analyst to draw conclusions that transcend the alerts generated by tools.
Creating Indicators of Compromise (IOC)
Understanding the difference between hard and soft IOCs allows an analyst to make tactical assumptions. This enables the SOC analyst to reduce the “mean-time-to-react” and improves their overall ability to detect and respond to malicious activity.
Identifying Artifact and Evidence Locations
SOC analysts must use multiple data sources to create high-fidelity alerts, correlate events, and focus their analysis. This enables SOC analysts to improve processes, reduce triage time, and identify detection gaps.
- ElasticSearch, Logstash, and Kibana (ELK)
- Sysinternals Suite
- TheHive
- Microsoft ATA
Course Abbreviation: SIT
Course Length: 5 Days
Course Category: Intermediate SOC Training
Price Per Student: $2,995.00
Training Catalog: https://www.scribd.com/document/406726933/Obscurity-Labs-Training-Catalog-FY2019v1
Training Website and Curriculum: https://train.obscuritylabs.com/courses/sit-soc-immersion-training
Cyber Range: SIT provides the student with a custom range with complete coverage into each of the key data points of a representative enterprise security stack.
Lab Driven: SIT is focused around labs, providing short blocks of instruction followed by instructor-led demonstrations.
Tangible Metrics: Students will improve their "Mean-Time-to-Detection", "Mean-Time-to-React", and other SOC Key Performance Indicators (KPI).
Personnel: Each course is taught by active Red Team and Blue Team subject matter experts (SMEs).
A cancellation notice of 7 days must be given for any instructor-led, open enrollment class seat. Please contact Obscurity Labs via email at least seven days prior to your class start date in order to cancel with a refund or to reschedule. For all Obscurity Labs classes, substitutions are allowed up to 48 hours prior to any class start. Contact Obscurity Labs via email at least 48 hours in advance of the class start to arrange for a substitution. No refunds or rescheduling are permitted if you fail to contact Obscurity Labs within the described cancellation policy timeline. Obscurity Labs reserves the right to cancel or postpone a scheduled training based on minimum attendance requirements, instructor availability, or other reasons, at Obscurity Labs' sole discretion. If your class is cancelled, you will be notified via email at least 48 hours in advance of the class start. We will make every effort to reschedule the class in a reasonable timeframe. If a class cannot be rescheduled in a reasonable timeframe, Obscurity Labs will refund the event registration/ticket fee. In the unlikely event that your class does not take place, Obscurity Labs is not liable for any direct, indirect, consequential, or special damages that may be incurred due to the cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer's or student's sole remedy shall be the refund of prepaid course fees.