Security Event Triage

Authors: Aaron Rosenmund, Guillaume Ross, Daniel Lachance, Cristian Pascariu

What you will learn:

  • Network Traffic Analysis
  • Local Log and Authentication Analysis
  • Application Event Analysis
  • Endpoint OS Activity Analysis
  • Common Adversary Attack Techniques
  • Advanced Adversary Attack Techniques
  • Statistical and Behavioral Anomaly Detection
  • Correlation and Multi-Domain Event Detection in SIEMs
  • Security Operations Case Creation

Prerequisites

Viewers should have watched the Networking Fundamentals and Information Security Fundamentals skill path courses or have the equivalent knowledge and experience.

Beginner

In this section, you will be introduced to the concepts associated with security event triage. Then, you will cover how these concepts fit into the security operations life cycle of an organization, and which tools and methods are used to implement these capabilities. Finally, you will map the skills learned in this path to the NIST Cyber Security Workforce Framework Cyber Defense Analysis role and to detections of MITRE ATT&CK techniques.

Security Event Triage: Operationalizing Security Analysis

by Aaron Rosenmund

Sep 3, 2019 / 54m

Description

Keeping up with advanced cyber threats and sifting through the insurmountable number of alerts available to security analysts is not sustainable without leveling up your security analysis skills to keep pace with modern security operations. In this course, Security Event Triage: Operationalizing Security Analysis, you will gain foundational knowledge of modern cybersecurity continuous monitoring techniques and processes. First, you will learn how the security analyst fits into the overall cybersecurity posture of an organization. Next, you will discover the technologies and methodologies covered in the security event triage path. Finally, you will map the knowledge, skills, and abilities taught in each of the security event triage courses to the MITRE ATT&CK techniques that comprise the chain of compromise used by the simulated threat actors. When you’re finished with this course, you will have the skills and knowledge of security analysis needed to identify and interrogate all manner of cyber threats.

Table of contents
  1. Course Overview
  2. Becoming the Cavalry
  3. Modernizing Security Operation
  4. Learning Security Event Triage

Intermediate

In this section, you will learn to leverage standard security analysis signature and event-based technologies to identify a wide variety of common attack techniques and reveal hints of more advanced activity waiting to be discovered. You will focus on understanding the difference between potentially malicious activity and standard environment events across network, machine, application and endpoint OS data sources.

Security Event Triage: Detecting Malicious Traffic with Signature and Session Analysis

by Guillaume Ross

Feb 28, 2019 / 1h 59m

Description

Cyber attacks evolve constantly, and detecting them requires the use of different techniques, some of which are more useful for specific scenarios than others. In this course, Security Event Triage: Detecting Malicious Traffic With Signature and Session Analysis, you will gain the ability to detect those attacks by leveraging signature and session analysis. First, you will learn how to detect attacks with common, detectable characteristics using signature analysis with tools like Snort. Next, you will discover how session analysis, with tools like Zeek and Kibana, can allow you to detect attacks by spotting suspicious behavior, in a way that is much harder to evade than simple signatures. Finally, you will explore how to detect suspicious patterns even in encrypted traffic, without the need to decrypt it. When you are finished with this course, you will have the skills and knowledge of signature and session analysis needed to detect attacks using network data.

This course is part of our Security Event Triage series, which leverages MITRE ATT&CK to identify advanced persistent threat tactics at all levels of the cyber kill chain.

Table of contents
  1. Course Overview
  2. Preparing for Signature and Session Analysis
  3. Performing Signature Analysis with Snort
  4. Understanding Suspicious DNS and HTTP(S) Traffic with Bro
  5. Analyzing Encrypted Sessions
  6. Reconstructing the Attack and Improving Defenses
  7. Wrapping Up

Security Event Triage: Monitoring Assets and Topology

by Daniel Lachance

May 17, 2019 / 1h 36m

Description

Being able to identify what should and what shouldn't be on your network is the first step toward identifying suspicious activity on it. In this course, Security Event Triage: Monitoring Assets and Topology, you will learn the techniques that can help you identify potential security breaches. First, you'll learn about the importance of continuously inventorying network devices so that you know what should be on your network. Next, you'll see how to analyze network device scans and network traffic patterns to establish a baseline and to identify anomalies. Finally, you'll explore how to analyze network vulnerability scans to identify weaknesses that require attention. When you're finished with this course, you'll know how to quickly and effectively identify network anomalies.

Table of contents
  1. Course Overview
  2. Network Device Inventory
  3. Network Scanning
  4. Detecting Vulnerabilities

Security Event Triage: Leveraging Existing Security Device Alerts

by Daniel Lachance

Dec 30, 2019 / 1h 18m

Description

Identifying suspicious activity on your network can be achieved by analyzing security device logs. In this course, Security Event Triage: Leveraging Existing Security Device Alerts, you'll learn how to analyze security device logs for signs of security problems. First, you'll learn about network security devices and the relationship between the OSI model and the ability to decipher the meaning of network traffic captures. Next, you'll see how to analyze firewall logs to identify abnormal activity that could indicate a security compromise, and how analyzing network access control (NAC) logs can identify questionable host and network connectivity for unauthenticated as well as authenticated devices. Finally, you'll explore how to use cloud-based methods such as cloud packet capturing and centralized security monitoring to identify potential security problems in the cloud. When you're done with this course, you'll have the foundational knowledge of continuous monitoring and interpretation of correlated log events needed to gain the best possible picture of network security events.

Table of contents
  1. Course Overview
  2. Network Security Devices
  3. Identifying Threats Using Firewall Logs
  4. Identifying Network Threats Using NAC Logs
  5. Security in the Cloud

Advanced

In this section, you will apply machine-assisted statistical analysis across all security data event sources to establish environmental baselines and discover associated behavioral anomalies, in order to identify advanced and emerging attacker techniques. Then, you will prioritize and aggregate the data into a SIEM to perform correlation across data and alert sources, ensuring you focus only on the most dangerous and highest-likelihood events. Finally, having tracked down the full chain of compromise for both the common and the advanced threat actors, you will learn to use a workflow management system to aggregate triage information and escalate the case.

Security Event Triage: Detecting Network Anomalies with Behavioral Analysis

by Aaron Rosenmund

Sep 6, 2018 / 2h 50s

Description

Developing the skills necessary for a security analyst to properly detect and triage advanced network intrusion tactics and techniques requires experience and the use of advanced detection capabilities, neither of which is easily obtained. In this course, Security Event Triage: Detecting Network Anomalies with Behavioral Analysis, you will learn the foundational knowledge required to separate good network traffic from bad and identify a myriad of threat actor activities on an enterprise network. First, you will learn how to use frequency analysis to detect command and control, automated logins, and beaconing. Next, you will learn to leverage protocol analysis to identify DNS tunneling, anomalous HTTPS traffic, authentication brute forcing, and DHCP abuse. Finally, you will explore the use of population analysis by harnessing machine learning to identify HTTPS exfiltration and connect the dots associated with enterprise network intrusions. When you are finished with this course, you will have the skills and knowledge of network behavioral analysis needed to detect and triage events found at multiple levels of the cyber kill chain. Create your own network behavioral analysis workstation to follow along using your own environment's data, using the guide located here: https://github.com/arosenmund/pluralsight/tree/master/NBAD.

This course is part of our Security Event Triage series, which leverages MITRE ATT&CK to identify advanced persistent threat tactics at all levels of the cyber kill chain.

Table of contents
  1. Course Overview
  2. Introduction to Network Behavioral Analysis
  3. Frequency Analysis
  4. Protocol Analysis
  5. Population Analysis
  6. Detecting the Anomalies

Security Event Triage: Statistical Baselining with SIEM Data Integration

by Cristian Pascariu

Feb 6, 2020 / 1h 31m

Description

As businesses innovate and make ground-breaking developments in the markets they operate within, their successes can become reasons for advanced cyber threats to target your organization. In this course, Security Event Triage: Statistical Baselining with SIEM Data Integration, you will gain the ability to perform detection and analysis of threats at scale. First, you will learn which log events to look for to identify suspicious activity. Next, you will discover how to pivot between indicators to find the root cause of the incident. Finally, you will explore how to correlate events from multiple sources across your estate to identify the attacker's actions on objectives as well as the impact. When you’re finished with this course, you will have the skills and knowledge of data analysis and baselining needed to detect threats at scale.

Table of contents
  1. Course Overview
  2. Investigating Security Incidents with the Elastic SIEM
  3. Detecting Suspicious Network Traffic
  4. Investigating File-less Malware Attacks
  5. Performing Behavioral Analysis
  6. Correlating Related Events

Security Event Triage: Revealing Attacker Methodology in Web Application Events

by Aaron Rosenmund

Feb 12, 2020 / 2h 8m

Description

Developing the skills necessary for a security analyst to accurately detect and triage adversary tactics and techniques applied to web applications requires experience with web applications' baseline behavior and the use of advanced detection capabilities, neither of which is easy to obtain. In this course, Security Event Triage: Revealing Attacker Methodology in Web Application Events, you will gain the foundational knowledge of, and experience with, web application technologies and attacker methodologies required to protect your vital business functions. First, you will monitor the front door of applications for common attacks with web application firewalls on-premises and on major cloud platforms. Next, you will learn the logic behind hunting for behavioral anomalies generated by more advanced attacker activity, and how to create machine learning jobs to identify this behavior in an automated way. Finally, you will discover how to leverage the same tools the attackers use to actively spot holes in your applications that appear as new builds are released, and mitigate the associated risk. When you finish this course, you will have the skills and knowledge of web application attack detection needed to implement continuous monitoring capabilities that protect the enterprise applications on which your organization depends.

Table of contents
  1. Course Overview
  2. Defending Against Web Application Attack Techniques
  3. Detecting Attackers with Web Application Firewalls
  4. Log Collection and Analyzing Application Behavior with Logs
  5. Integrating Web Vulnerability Scanning Detections
  6. Operationalizing Web Application Attack Detection

Security Event Triage: Detecting System Anomalies

by Aaron Rosenmund

Jul 22, 2019 / 1h 47m

Description

Developing the skills necessary for a security analyst to properly detect and triage advanced attacker intrusion tactics and techniques requires experience and the use of advanced detection capabilities, neither of which is easily obtained. In this course, Security Event Triage: Detecting System Anomalies, you will learn the foundational knowledge required to baseline different machine performance data and triage deviations from that baseline that can indicate a stealthy adversary’s presence in your environment when all other methods have failed. First, you will learn about CPU, RAM, and hard drive metric data and how it can be used to detect anything from botnets to the use of hard drives as microphones for side-channel espionage. Next, you will discover the techniques used for “in-browser” crypto-jacking or malware-delivered crypto-mining activity by monitoring browser activity and GPU usage that stands out from the established baseline for normal applications. Finally, you will look at fan speeds and power usage to identify air-gapped network hopping techniques and hardware supply chain compromise. When you are finished with this course, you will have the skills and knowledge not only of how a multitude of advanced attacker techniques are performed, but also of what they look like in a realistic environment and how to identify them as part of your security analyst operations.

Table of contents
  1. Course Overview
  2. Introduction to System Telemetry Analysis
  3. Analyzing the Computing Basics
  4. Leveraging Graphics Processing Indicators
  5. Uncovering Significance of Power and Fans, Lights
  6. Incorporating Telemetry Analysis in Triage Workflow