Security Event Triage

Authors: Aaron Rosenmund, Guillaume Ross, Daniel Lachance

What you will learn:

  • Network Traffic Analysis
  • Local Log and Authentication Analysis
  • Application Event Analysis
  • Endpoint OS Activity Analysis
  • Common Adversary Attack Techniques
  • Advanced Adversary Attack Techniques
  • Statistical and Behavioral Anomaly Detection
  • Correlation and Multi-Domain Event Detection in SIEMs
  • Security Operations Case Creation

Prerequisites

Viewers should have watched the Networking Fundamentals and Information Security Fundamentals skill path courses or have the equivalent knowledge and experience.

Beginner

In this section, you will be introduced to the concepts associated with security event triage. Then, you will cover how these concepts fit into the security operations life cycle of an organization, and what tools and methods are used to implement these capabilities. Finally, you will map the skills learned in this path to the NIST Cyber Security Workforce Framework Cyber Defense Analysis role and to the detection of MITRE ATT&CK techniques.

Security Event Triage: Operationalizing Security Analysis

by Aaron Rosenmund

Sep 3, 2019 / 54m

Description

Keeping up with advanced cyber threats and sifting through the insurmountable number of alerts available to security analysts is not sustainable without leveling up your security analysis skills to keep pace with modern security operations. In this course, Security Event Triage: Operationalizing Security Analysis, you will gain foundational knowledge of modern cybersecurity continuous monitoring techniques and processes. First, you will learn how the security analyst fits into the overall cybersecurity posture of an organization. Next, you will discover the technologies and methodologies covered in the security event triage path. Finally, you will map the knowledge, skills, and abilities taught in each of the security event triage courses to the MITRE ATT&CK techniques that comprise the chain of compromise used by the simulated threat actors. When you’re finished with this course, you will have the skills and knowledge of security analysis needed to identify and interrogate all manner of cyber threats.

Table of contents
  1. Course Overview
  2. Becoming the Cavalry
  3. Modernizing Security Operation
  4. Learning Security Event Triage

Intermediate

In this section, you will learn to leverage standard security analysis signature and event-based technologies to identify a wide variety of common attack techniques and reveal hints of more advanced activity waiting to be discovered. You will focus on understanding the difference between potentially malicious activity and standard environment events across network, machine, application and endpoint OS data sources.

Security Event Triage: Detecting Malicious Traffic with Signature and Session Analysis

by Guillaume Ross

Feb 28, 2019 / 1h 59m

Description

Cyber attacks evolve constantly, and detecting them requires the use of different techniques, some of which are more useful for specific scenarios than others. In this course, Security Event Triage: Detecting Malicious Traffic with Signature and Session Analysis, you will gain the ability to detect those attacks by leveraging signature and session analysis. First, you will learn how to detect attacks with common, detectable characteristics using signature analysis with tools like Snort. Next, you will discover how session analysis, with tools like Zeek and Kibana, can allow you to detect attacks by spotting suspicious behavior, in a way that is much harder to evade than simple signatures. Finally, you will explore how to detect suspicious patterns even in encrypted traffic, without the need to decrypt it. When you are finished with this course, you will have the skills and knowledge of signature and session analysis needed to detect attacks using network data. This course is part of our Security Event Triage series, which leverages MITRE ATT&CK to identify advanced persistent threat tactics at all levels of the cyber kill chain.

Table of contents
  1. Course Overview
  2. Preparing for Signature and Session Analysis
  3. Performing Signature Analysis with Snort
  4. Understanding Suspicious DNS and HTTP(S) Traffic with Bro
  5. Analyzing Encrypted Sessions
  6. Reconstructing the Attack and Improving Defenses
  7. Wrapping Up

Security Event Triage: Monitoring Assets and Topology

by Daniel Lachance

May 17, 2019 / 1h 37m

Description

Being able to identify what should and what shouldn't be on your network is the first step in spotting suspicious activity. In this course, Security Event Triage: Monitoring Assets and Topology, you will learn the techniques that can help you identify potential security breaches. First, you'll learn about the importance of continuously inventorying network devices so that you know what should be on your network. Next, you'll see how to analyze network device scans and network traffic patterns to establish a baseline and to identify anomalies. Finally, you'll explore how to analyze network vulnerability scans to identify weaknesses that require attention. When you're finished with this course, you'll know how to quickly and effectively identify network anomalies.

Table of contents
  1. Course Overview
  2. Network Device Inventory
  3. Network Scanning
  4. Detecting Vulnerabilities

Advanced

In this section, you will apply machine-assisted statistical analysis across all security event data sources to establish environmental baselines and discover the associated behavioral anomalies that reveal advanced and emerging attacker techniques. Then, you will prioritize and aggregate the data into a SIEM to perform correlation across data sources and alert sources, ensuring you focus only on the most dangerous and most likely events. Finally, having tracked down the full chain of compromise for both the common and the advanced threat actors, you will learn to use a workflow management system to aggregate triage information and escalate the case.

Security Event Triage: Detecting Network Anomalies with Behavioral Analysis

by Aaron Rosenmund

Sep 6, 2018 / 2h 1m

Description

Developing the skills necessary for a security analyst to properly detect and triage advanced network intrusion tactics and techniques requires experience and the use of advanced detection capabilities, neither of which is easily obtained. In this course, Security Event Triage: Detecting Network Anomalies with Behavioral Analysis, you will learn the foundational knowledge required to separate good network traffic from bad and identify a myriad of threat actor activities on an enterprise network. First, you will learn how to use frequency analysis to detect command and control, automated logins, and beaconing. Next, you will learn to leverage protocol analysis to identify DNS tunneling, anomalous HTTPS traffic, authentication brute forcing, and DHCP abuse. Finally, you will explore the use of population analysis by harnessing machine learning to identify HTTPS exfiltration and connect the dots associated with enterprise network intrusions. When you are finished with this course, you will have the skills and knowledge of network behavioral analysis needed to detect and triage events found at multiple levels of the cyber kill chain. Create your own network behavioral analysis workstation to follow along using your own environment's data with the guide located here: https://github.com/arosenmund/pluralsight/tree/master/NBAD. This course is part of our Security Event Triage series, which leverages MITRE ATT&CK to identify advanced persistent threat tactics at all levels of the cyber kill chain.

Table of contents
  1. Course Overview
  2. Introduction to Network Behavioral Analysis
  3. Frequency Analysis
  4. Protocol Analysis
  5. Population Analysis
  6. Detecting the Anomalies

Security Event Triage: Detecting System Anomalies

by Aaron Rosenmund

Jul 22, 2019 / 1h 48m

Description

Developing the skills necessary for a security analyst to properly detect and triage advanced attacker intrusion tactics and techniques requires experience and the use of advanced detection capabilities, neither of which is easily obtained. In this course, Security Event Triage: Detecting System Anomalies, you will learn the foundational knowledge required to baseline different machine performance data and triage deviations from that baseline that can indicate a stealthy adversary's presence in your environment when all other methods have failed. First, you will learn about CPU, RAM, and hard drive metric data and how it can be used to detect anything from botnets to the use of hard drives as microphones for side-channel espionage. Next, you will discover the techniques used for "in-browser" crypto-jacking or malware-delivered crypto mining activity by monitoring browser activity and GPU usage that stands out from the established baseline for normal applications. Finally, you will look at fan speeds and power usage to identify air-gapped network hopping techniques and hardware supply chain compromise. When you are finished with this course, you will have the skills and knowledge of not only how a multitude of advanced attacker techniques are performed, but also what they look like in a realistic environment and how to identify them as part of your security analyst operations.

Table of contents
  1. Course Overview
  2. Introduction to System Telemetry Analysis
  3. Analyzing the Computing Basics
  4. Leveraging Graphics Processing Indicators
  5. Uncovering Significance of Power and Fans, Lights
  6. Incorporating Telemetry Analysis in Triage Workflow