This workshop presents the core concepts of cyber intelligence development and the use of intelligence in SOC operations. The student will gain experience in third-party analysis tools, intelligence driven event analysis using RSA NetWitness Logs and Packets and RSA NetWitness Secops Manager, and in the development of a custom threat intelligence capability for their respective SOC operations.
This classroom-based workshop presents students with the groundwork information needed to establish a cyber-intelligence capability within a developing SOC program. Cyber security fundamentals are discussed, as well as new threats and attack vectors. Cyber intelligence capabilities are presented in a manner as to be reproducible in each student’s respective environment. Students will have an opportunity to use a combination of third-party security analysis tools, as well as RSA NetWitness Logs and Packets and RSA NetWitness SecOps Manager as they handle sample events using Intelligence based use cases and scenarios. The tool based analysis is instructor guided and provides students with the ability to experiment in active intelligence gathering. Tool usage will emulate real-world cyber research activities. An industry standard Intelligence Driven SOC operational framework is also presented and demonstrated with opportunities to practice incident handling and cyber-intel using RSA products.
Students who are establishing nascent intelligence capabilities within their SOC, or looking to learn more about cyber intelligence work in general. RSA NetWitness Logs and Packets will be used within the course as the primary packet capture and log analysis tool, yet the concepts conveyed in the class can be directly mapped to other SIEM/IDS-IPS platforms.
Students should have familiarity with the following RSA products and solutions prior to taking this training:
- RSA NetWitness Logs and Packets
- RSA Archer/RSA NetWitness SecOps Manager
- Third-party analysis and enumeration tools such as: Nmap, Dirbuster, Owasp ZAP, Burp proxy, Maltego, Metasploit, Kali Linux, Online information gathering tools, Nikto, etc.
Upon successful completion of this course, participants should be able to:
- Understand and map the cyber kill chain to their environments and systems
- Understand attack vectors and threat types
- Be able to work with intelligence sources and be able to develop custom intelligence and threat models
- Be able to manage threats facing their environment
- Be able to work with logs, packets, and third party analysis tools
- Have an understanding of industry practices regarding the cyber intelligence role in incident handling and response.
Day 1 morning
- Module 1: TI 1: threat overview
- IDEA 2: essentials of cyber security
Day 1 afternoon
- Module 2: TI 2: attack vectors and threat types
Day 2 morning
- Module 3: TI 3: cyber kill chain
- Module 4: TI 6: developing threat intelligence
- TI 4: intelligence sources
- TI 5: threat modelling
- TI 7: threat management
Day 2 afternoon
- Module 5: IDEA 5: data analysis tools
Day 3 All Day
- Module 6: New: Cyber Intelligence with NetWitness Logs and Packets
- IDEA 3: working with data logs
- IDEA 4: working with packets
- IDEA 6: correlating events
Day 4 All Day
- Module 7: New: Intelligence Driven SOC Operations
- IDEA 1: roles and responsibilities in a soc
- IDEA 7: triaging an incident
- IDEA 8: post triage analysis
- IDEA 9: escalation
- IDEA 10: documentation and communication