TryHackMe: SOC Level 1
2024-09-07
This is an introduction to the defensive side of cybersecurity
This pathway literally took me years to complete. I started back in 2022 with the aim of getting a job in cybersecurity. I narrowly missed a job and it really set back my motivation to complete this pathway. At the beginning of 2024, I took it upon myself to dive back into my cybersecurity education and finish what I started. I nearly completed it and then the lovely people at TryHackMe decided to release even more content, setting my progress back by a month. That being said, I have now finished the pathway, and learnt so much along the way.
Cyber Defence Frameworks
This chapter covered frameworks and policies that help establish a good security posture. This includes things like the Pyramid of Pain, and the Cyber Kill Chain, which help the blue team to understand the actions of an attacker, and to begin to categorise their behaviours.
Cyber Threat Intelligence
This included how to identify and use available security knowledge to mitigate and manage potential adversary actions. The most helpful tool here was probably VirusTotal (at least according to me). This was definitely the tool I came back to most over the rest of the chapters, as it is a brilliant place to understand the malware on your system and what it is capable of doing.
Network Security and Traffic Analysis
This was an absolutely huge chapter covering the core concepts of network security and traffic analysis, and the skills needed to spot and probe network anomalies using industry tools and techniques. Some of the tools included Snort, NetworkMiner, Brim and Zeek, as well as 7 different rooms on Wireshark and TShark. This was definitely one of my preferred aspects of SOC. I find digging into packet captures more intuitive than some of the other aspects, and it just came a lot easier to me than some of the other stuff.
Endpoint Security Monitoring
Monitoring activity on workstations is essential, as this is where the attacker will be trying to achieve their objectives. A lot of this module focused on the behaviour of Windows machines, including explanations of core Windows processes and the logging systems that keep track of what goes on, including Sysmon. It then began to look at how all these logs could be collated and investigated with a room on Wazuh, a tool for monitoring multiple endpoints.
Security Information and Event Management
This chapter gave an insight into how SIEM works, and how to create search queries to look for specific answers in ingested logs. It looked at two different SIEM tools, Splunk and Elastic Stack, and guided you through investigating some incidents using these tools.
Digital Forensics and Incident Response
This chapter was all about what forensic artefacts are present in Windows and Linux operating systems, how to collect them, and how to leverage them to investigate security incidents. It started with an introduction to the concept of DFIR, as well as 3 rooms on the various forensic artefacts that appear on Windows and Linux systems. Then it went into the various different tools for DFIR, which included:
- Autopsy – Used for investigating artefacts from a disk image
- Redline – Used to give a high-level overview of an endpoint, allowing for quick examination of memory artefacts
- KAPE – Used to parse and extract Windows forensic artefacts from either a live system or a storage device
- Volatility – A memory forensics tool kit written in Python, used for extracting artefacts from RAM
- Velociraptor – An open-source endpoint monitoring, digital forensic, and cyber response platform
- TheHive Project – A scalable, open-source, and freely available Security Incident Response Platform used to assist in tracking and acting upon security incidents
Phishing
This looked at how to analyse and defend against phishing emails. It began by looking at the components that make up an email. It then moved on to the different indicators of phishing attempts by examining actual phishing emails, and the tools used to aid an analyst in investigating suspicious emails.
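As an added illustration of the header and link checks an analyst performs on a suspicious email (this is my own example, not code from the TryHackMe rooms), the script below parses a raw message with Python's standard library and reports the common indicators the chapter covers: a Reply-To or Return-Path domain that differs from the visible From address, urgency wording in the subject, and HTML links whose displayed text does not match where they actually point. The sample message, its addresses, domains and URLs are all constructed placeholders, and the `URGENCY_WORDS` list is an assumed starting set, not a standard.

```python
"""Triage a raw email for common phishing indicators.

Added example, not part of the original post or of any TryHackMe room material.
It uses only the Python standard library. The sample message below is
constructed for illustration; all addresses, domains and URLs in it are
placeholders, not real indicators.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a lookalike sender domain, a Reply-To pointing elsewhere,
# urgent wording, and a link whose visible text does not match its target.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-example.invalid>
From: "IT Support" <helpdesk@examp1e-corp.invalid>
Reply-To: attacker-inbox@freemail.invalid
To: user@example-corp.invalid
Subject: URGENT: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 24 hours. Verify your account immediately:</p>
<a href="http://login.examp1e-corp.invalid/reset">https://portal.example-corp.invalid</a>
</body></html>
"""

# Assumed starting list of pressure words; tune it for your own environment.
URGENCY_WORDS = ("urgent", "immediately", "expires", "verify", "suspended")


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def analyse_email(raw: bytes) -> list[str]:
    """Return a list of human-readable phishing indicators found in `raw`."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))

    # 1. Replies routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 2. Envelope sender (Return-Path) does not match the From header.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain '{return_dom}' differs from From domain '{from_dom}'")

    # 3. Urgency / pressure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"Urgency wording in subject: {', '.join(hits)}")

    # 4. HTML links whose displayed text looks like a URL but points elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        label = label.strip()
        if label.lower().startswith(("http://", "https://")):
            if urlparse(href).hostname != urlparse(label).hostname:
                findings.append(f"Link text '{label}' points to '{href}'")

    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print("-", finding)
```

Running it against the constructed sample reports all four indicators. None of these checks is conclusive on its own (legitimate mailing lists often have a Return-Path on a different domain, for instance), which is why the chapter pairs header review with the other tools it covers rather than relying on a single signal.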