You have conquered the CompTIA Security+, and now you are starting the job hunt. You are worried that you have no idea how to use SOC Analyst tools or what they are.
This article will cover the top tools used in the SOC and places to get hands-on experience.
Most of these will be from HackTheBox and TryHackMe because I am familiar with the platforms, and they are the leading providers for cheap online labs at the moment.
If you find any other sites with high-quality labs, please let me know. I would love to share them with the world.
Note about other vendors: I have not included INE, Cybrary, or Infosec Institute because they are not as affordable as the labs mentioned here. Most entry-level people don’t yet have the budget to afford this training. Therefore, I have kept the options as low cost as possible.
Courses with an asterisk (*) are those I recommend that you prioritize.
The SIEM is by far the most common tool used by SOC analysts. Logs come in, and analysts can search them quickly to find clues that illuminate the cause of an alert.
A majority of your time will be spent on this tool while working in the SOC. The only question is, which tool will your future employer use?
Every organization is different. In my first role at an MSSP, I learned five different SIEMs. Yeah, crazy, I know. But after I understood the logs, I could just Google how to use the SIEM.
During your studies, focus on the log sources versus the actual tool. Learn enough of the tool to get your searches working, then spend the rest of your time understanding what you are seeing. Network and Windows logs will be pretty much the same from company to company.
Splunk is one of the popular SIEMs used in the industry. From my experience as a baby analyst, this was the hardest out of the five I needed to learn. This is because you must understand the search syntax or the language used to search through the events.
Unfortunately, I could only find Splunk courses. But don't worry: others, such as Kibana and Graylog, are similar. THM looks like it will add a Graylog course shortly.
*TryHackMe Splunk 101(THM VIP Access Only) – This course requires VIP access to TryHackMe. For most premium services, I would say skip. But this is THM. You should have a subscription and use the platform to train. This class goes through Splunk's must-have skills and a few others.
*TryHackMe Splunk 2 (THM VIP Access Only) – This course came from the Boss of the SOC content and will take you through an actual investigation using Splunk. You can’t get a much better experience than this before being on the job.
From my experience and participation in Boss Of The SOC, I can tell you that the scenarios are real world.
Splunk Fundamentals 1 (Free) – Only take this course if your employer uses Splunk. Otherwise, you will waste your time learning something you will not use. However, if your SOC uses Splunk, absolutely take this course.
As I said, you should be focusing on the different types of logs. If you can understand how to read them, you are golden.
I wish I could have included some options for Linux logs as well, but there just weren't any. Fortunately, the majority of most networks is made up of Windows systems. Learn Windows now and pick up Linux on the job.
*Windows Event Logs (THM VIP Access Only) – A short course that takes you through using Windows logs and native tools to investigate. I did run into some issues with this one. If you have problems as well, use the guides to get over any speed bumps. This is still one of the better courses on this topic.
*Sysmon (THM VIP Access Only) – Sysmon is regular Windows logs on steroids. Many environments are now choosing to log these types of events as well. Pay attention to EventCodes 1 and 3. They will be your bread and butter for the SOC.
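To show why Event IDs 1 (process create) and 3 (network connection) matter together, and why understanding the log beats memorizing the tool, here is an added example that is not from the article or from any of the courses above. It joins the two event types on Sysmon's ProcessGuid field so a network connection can be read alongside the command line and parent that spawned the process; the log lines are constructed JSON with Sysmon's EventData field names, and the GUIDs and IPs are placeholders.

```python
import json

# Constructed sample records (not a real export). Field names follow Sysmon's
# EventData: EventID 1 = process create, EventID 3 = network connection.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{guid-word}", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"EventID": 1, "ProcessGuid": "{guid-ps}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.ps1", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "User": "CORP\\jdoe"}
{"EventID": 3, "ProcessGuid": "{guid-ps}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Protocol": "tcp"}
{"EventID": 3, "ProcessGuid": "{guid-unknown}", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443, "Protocol": "tcp"}
"""

def parse_events(text):
    """Parse JSON-lines text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(events):
    """Join each EventID 3 record to the EventID 1 record with the same
    ProcessGuid. Returns one dict per connection carrying the spawning
    command line, parent and user, or None for those fields when the
    process-create event was never logged (Sysmon started after the process,
    or the event was filtered by the config)."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    rows = []
    for e in events:
        if e["EventID"] != 3:
            continue
        c = creates.get(e["ProcessGuid"])
        rows.append({
            "image": e["Image"],
            "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "command_line": c["CommandLine"] if c else None,
            "parent": c["ParentImage"] if c else None,
            "user": c["User"] if c else None,
        })
    return rows

def office_spawned_connections(events):
    """Connections whose process was spawned by an Office application: a
    typical question an analyst answers from IDs 1 and 3 together."""
    office = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
    return [r for r in correlate(events)
            if r["parent"] and r["parent"].upper().endswith(office)]

if __name__ == "__main__":
    for row in correlate(parse_events(SAMPLE_LOG)):
        print(row)
```

Note how the second connection comes back with no command line or parent: a gap like that in the logs is itself a finding, and it is where the memory and EDR tools mentioned later in the article pick up the trail.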
If you are in cyber security, you need networking skills. If you have gone through the Security+ exam, it is time to get your hands dirty and expand on those fundamentals.
You will be asked several networking questions during the interview process. These courses will help solidify the information so that you are confident and can go a little deeper with your answers.
*Network Fundamentals (THM Free and VIP) – A module that reviews things you should already know, such as LAN concepts and the OSI model, then expands on packets and extending networks.
*How The Web Works (THM Free and VIP) – This is a module that takes you through the topics of DNS and web services. Both are topics people typically struggle with, and they will be in your interviews. Make sure you understand these to set yourself apart from other candidates.
Introduction to Networking (HTB Academy Freeish) – This covers many of the same topics as the THM course with a few exceptions. HTB also digs into areas such as proxies, subnetting and IPv6.
Web Requests (HTB Academy Freeish) – This course gets into the nitty-gritty details of how web requests work. If you are looking for further information on how web communications work, you will get that here.
Intro to Network Traffic Analysis (HTB Academy Freeish) – In some SOCs, you will have the ability to intercept and view traffic. This course teaches you the theory and tools needed to conduct those activities.
As an analyst, you need to have an understanding of operating systems, because every device on the network has one. Literally every breach has touched one OS or another; it is impossible to investigate an incident without touching a system and its operating system.
Windows and Linux are the two most common operating systems you will encounter. These courses will help you understand the fundamentals of how they work and how to investigate alerts within the OS.
*Active Directory Basics (THM) – Almost every network you will work in as an analyst will use Active Directory. This course teaches you the basics for this prevalent service to make investigation easier for you. I didn’t learn this topic until later in my career, and it fills me with regret. Do yourself a favor and start early.
Investigating Windows (THM Free) – This short course is a Windows investigation, like the title says. You RDP to the system and look for clues to answer questions. I think this content provides an interesting perspective for the journeyman learner. When I first started out, I wished I were directly on the system to investigate. This is that scenario. Enjoy.
Windows Fundamentals (THM Free) – If you have limited experience with security in Windows, consider starting here. This module will take you through three courses covering security features such as accounts, BitLocker, and various configurations.
Linux Fundamentals (THM Free) – If you are like most people getting into cyber security, you are not yet comfortable with Linux. This module of three courses will teach you the basics that you can use as a launching pad for growing your skills. Many tools I use are Linux-based. With little understanding at the beginning of my studies, I struggled to do anything on a Linux OS.
Windows Fundamentals (HTB Academy Freeish) – Unlike THM, this course teaches you how to interact with Windows through the command line. For a more advanced look at the OS, take this course. By learning to interact with the OS through the command line, you will better understand the process logs on the job.
Many of your investigations will be centered around malware or a suspected malicious file. These courses will teach you the fundamentals of the malware investigation process. With these skills, you will be an effective analyst and be able to surprise your interviewer.
*MAL: Researcher (THM) – One of the everyday tasks for an analyst is to determine if a file is malicious or learn more information about a known malicious file. This course teaches you the concepts to do these tasks.
Malware Analysis (THM Free and VIP) – An entire module on investigating malware. This will be good information for your interview. Undoubtedly, you will get asked malware questions. With this lab, you will get hands-on experience so that your answer consists of more than just the typical response, “Run Antivirus.”
These are extra courses that you don’t necessarily need starting out. Still, they can benefit your overall growth as a practitioner. If you complete all the other courses, check these out.
Volatility (THM Free) – Volatility is the reigning tool for memory forensics. Although this isn’t something you should expect to be used early in your career, understanding what is stored in memory is good for your overall knowledge. With the prominence of fileless malware, you can expect to lose track of an adversary in the logs. Memory and EDR tools will help you pick up the lost trail.
MICS – Introduction to Cyber Security (Free) – This is a free course/certification from the Mosse Cyber Security Institute. I haven't taken the material myself, but the curriculum covers many topics that would benefit a SOC Analyst. It's just another option for you to explore, and it's an actual certification. It won't have the same eye appeal as the SEC+, but it will bolster your resume.
These courses should do the trick if you want to get hands-on experience. I have gone through many of these myself and can vouch for their effectiveness.
Keep growing as a practitioner, and make sure to add these courses to your resume once complete.
As another bonus benefit, after all of these courses, you should be in the top 20% or better on TryHackMe. Make sure to add that fun fact to your LinkedIn profile. Feel free to take any other course that seems interesting.