About the course
Blue Team analysts are specialists with a wide range of complex goals. Their role is to monitor for threats, quickly determine whether an incident is genuine, and enrich these processes with threat intelligence (TI). They work efficiently because they know the fundamentals of the incident response and remediation processes, including threat hunting, network forensics, and malware detonation. Such a comprehensive knowledge base is invaluable when handling emergencies.
Blue Teams also have in-depth knowledge of the threat landscape, which they monitor to collect valuable information and indicators of compromise (IoCs). By keeping up to date with the latest trends, these specialists help companies handle passive and active threats faster and more effectively.
Group-IB’s three-day course addresses each of the above-mentioned functions of a Blue Team member.
Key topics covered:
- Basics of security management and SOC operations
- Overview of cybersecurity solutions
- Monitoring and detection: signatures and rules
- Incident response: network and host analysis
- Fundamentals of malware analysis
- Basics of threat intelligence and threat hunting
Skills acquired:
- Monitoring all solutions to ensure that the organization is secure
- Quickly assessing security incidents and determining the main features of a cyberattack
- Supporting threat intelligence and threat hunting processes
Target participants:
- Technical specialists with information security (IS) experience
- Information security specialists
- SOC/CERT employees
Requirements:
- A basic understanding of security controls and solutions
- A basic understanding of modern cyber threats
- Some experience in the field of cybersecurity and CTI
Course program
Day 1
Day one starts with a short introduction to cyber attack modeling, identifying the main steps that take place during an incident and the most common techniques used. Next, we explain how security operations are structured, what functions a SOC performs, and how it cooperates with other information security departments. We provide an overview of the modern classes of security solutions, including NTA, IDS/IPS, EDR, SIEM, and TI platforms.
The first security operation discussed is cyberthreat monitoring. We look at how various alerts are constructed, how to identify false positives, and practice developing detection logic using the tools Magma and Sigma.
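To make the detection-logic part of day one concrete, the following is an added example (not Group-IB course material and not the Sigma project's own code): a minimal evaluator for a Sigma-shaped rule run over a handful of constructed process-creation events. The rule, the field names, the "monitoring-agent.exe" tuning filter and all event records are assumptions constructed for illustration. The point it shows is how a Sigma detection block is built (a selection that must fully match, list values that are alternatives, `|contains`/`|endswith` modifiers, case-insensitive matching) and how a named filter joined with `and not` turns a known false positive into a documented exclusion rather than a silently ignored alert.

```python
"""Minimal Sigma-style rule evaluator over constructed process-creation events.
Added example for illustration; supports a subset of Sigma: selections are maps
of fields (all must match) whose values may be lists (any may match), the
|contains, |startswith and |endswith modifiers, case-insensitive matching, and
conditions built from selection names with 'and', 'or' and 'not' (no parentheses)."""

# Hypothetical rule written in the shape of a Sigma detection block (constructed).
RULE = {
    "title": "Encoded PowerShell command line (constructed example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        # Tuning filter: an assumed in-house agent launches encoded PowerShell
        # legitimately, so its child processes are excluded from the alert.
        "filter_monitoring_agent": {"ParentImage|endswith": "\\monitoring-agent.exe"},
        "condition": "selection and not filter_monitoring_agent",
    },
}


def _match_value(value, pattern, modifier):
    """Compare one event field with one pattern; Sigma matching is case-insensitive."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "":
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(selection, event):
    """Every field in a selection must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event.get(field), p, modifier) for p in patterns):
            return False
    return True


def _eval_condition(condition, detection, event):
    """Sigma precedence: 'not' binds tightest, then 'and', then 'or'."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not term(tok[4:])
        return _match_map(detection[tok], event)  # tok is a selection name
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def matched_parts(rule, event):
    """Which named selections hit: the first thing to look at when triaging a
    hit as true positive versus a candidate for a new tuning filter."""
    det = rule["detection"]
    return {name: _match_map(sel, event) for name, sel in det.items() if name != "condition"}


def match_rule(rule, event):
    det = rule["detection"]
    return _eval_condition(det["condition"], det, event)


def run_rule(rule, events):
    """Return the EventIds the rule fires on."""
    return [e["EventId"] for e in events if match_rule(rule, e)]


# Constructed Sysmon-like process-creation events; not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"EventId": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAo"},
    {"EventId": 2, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"EventId": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "ParentImage": "C:\\Program Files\\Monitoring\\monitoring-agent.exe",
     "CommandLine": "pwsh.exe -EncodedCommand JABzAGUAcgB2AA=="},
    {"EventId": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c echo -enc is just text here"},
]

if __name__ == "__main__":
    print("alerts:", run_rule(RULE, EVENTS))  # [1]
    for e in EVENTS:
        print(e["EventId"], matched_parts(RULE, e))
```

Event 1 fires; event 3 matches the selection but is suppressed by the filter, which `matched_parts` makes visible so the analyst can see that the suppression, not the absence of a match, is why no alert was raised. In production the same rule would be converted by sigma-cli or a backend into the SIEM's query language rather than evaluated in Python; the example only makes the matching semantics explicit.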
Day 2
Given that Blue Team analysts serve as the first line of defense during security incidents, we explain the basic principles of incident response, including how to evaluate incident severity. The instructors give participants the tools and methods needed to collect triage data, rapidly analyze hosts and network traffic, and develop YARA rules.
The last part of the day consists of practical exercises analyzing network traffic and triage collections from the hosts involved in the incident. Participants independently search for important artifacts, reconstruct the chronology of events, and draw up remediation and recovery plans.
Day 3
Understanding malware analysis is key to successfully protecting against modern attacks. As such, participants are introduced to sandboxes and how to use them to detect malicious activity. Attendees learn the basics of malware detonation and practice launching malware in a controlled environment to obtain IoCs. The instructor also gives recommendations on how to extract helpful IoCs from sandbox reports.
Lastly, we touch on threat hunting and why it is relevant and important for SOCs and Blue Teams. Participants are taught how to apply the scientific method (hypothesis testing) in threat hunting and which event sources to search (i.e. where to find additional information in the system to help with the hunt).
The day ends with an overview of Cyber Threat Intelligence (CTI), which underpins all the cybersecurity goals discussed throughout the course. The trainer shares examples of significant CTI sources, tools, and use cases.