Review of SOC Core Skills training by Antisyphon InfoSec
Last week I attended the SOC Core Skills training presented by Antisyphon InfoSec Training and Black Hills Information Security (BHIS). This is a 16-hour (4-days, 4-hour sessions) live, virtual, information security training course covering the core security skills all Security Operation Center (SOC) analysts need to have to work in the SOC at BHIS. This course is a great introduction to the more technical aspects of working as a SecOps analyst and as a preview to other Antisyphon training courses.
This course is taught by the owner and founder of BHIS, the legendary (and former) SANS instructor and InfoSec (and almost literally) rockstar John Strand. John is extremely knowledgeable, experienced, entertaining, and personable in a one-hour webcast, but 16x of him is almost astonishing to experience. John lives in South Dakota, vacations in Costa Rica, has played guitar for 35 years, is a Pop!_OS Linux user, dabbles in surfing, mountain biking, and beekeeping (not at the same time), and eats South Dakota sushi. Nuff sed.
This course uses the Pay What You Can model for pricing. You simply pay what you think you can afford for such training--including nothing. However, there are certain price-points that will get you extra stuff, such as 6-months access to the MetaCTF capture-the-flag competition and skill-building environment. (I took this option and will review MetaCTF in-future.) If you end up finding the SOC course even more valuable than you had anticipated, you can pay it forward by paying more for the next Antisyphon training course that you take.This course is designed around hands-on labs. The lab instructions are available to the public, as is the Win10 VM used to perform the labs. The more essential learning labs are worked during the course and given a walk-through by JS. Other labs you can do whenever you have time. The VM and lab material will continue to be available after the course is completed and possibly to the ends of time (a direct quote by JS).
Yes, you could simply download and try the labs yourself without attending the course, but you would miss the extra information, banter, and comradery that comes from your fellow classmates on Discord. Besides, the pay-what-you-can model allows you to attend for free, so why not? If you don't have the time for live training, Antisyphon InfoSec Training now has on-Demand training available for your convenience.Daily attendance in the course consists of watching JS in a remote meeting window, chatting in Discord channels, and putzing around in the VM labs (VMware Workstation Pro or Player preferred). The Antisyphon team is available in Discord and the remote meeting prior to the beginning of each class for “pre-show banter.” Anything can be discussed at this time from Malware to cookware, from washing machines to virtual machines, from job hunting to threat hunting to real hunting. Everyone has an opinion or advice about something, so never miss the pre-show.
Here is a rough itinerary of the four days of SOC training:Day 1
- Pre-show banter (1 hour)
- Windows Live Analysis
- Tcpdump vs Wireshark
- Ping, Port, Parse
Day 2 - Linux
- Linux and its CLI
- Labs and walk-throughs
Day 3 - Windows
- Pre-show Banter
- Windows CLI
- The Ladder of PID
- Labs and walk-throughs
- Advice, observation, history, getting women and minorities into cyber
Day 4 - Network Threat Hunting
- Labs and walk-throughs (lots of)
- Backdoors and Breaches
The labs do require some familiarity with the use of Windows 10 and Linux on the command line (CLI). If you don't know Linux--or loathe MS-DOS--you will have time to learn some basic commands to get you going on the labs. If you want to do the labs later that’s fine too. You have the Antisyphon staff and your fellow classmates in Discord to help you along the way. The video instruction ends precisely on time each day, but people stay in Discord to help are even posting stuff days after the course ends to help you with the labs. The course recording will be available for six months after the course ends.
Here are some related links that were posted in the course Discord chat. There doesn’t seem to be a way in Discord to save the contents of a channel to a file, but I had very good luck using DiscordChatExporter on Windows 10:Cyber Threat Hunting Training Course - Active Countermeasures
Infosec Job Hunting (Part 1 of 5): How to Locate the Work You Want
How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity
How to use a Raspberry Pi as a Network Sensor - Bill Stearns
- Detecting Network Attacks with Wireshark - InfosecMatter
11 Strategies of a World-Class Cybersecurity Operations Center
Antisyphon Merch
Above all, remember that “There is no blue; there is no red; we are all purple,” and Antisyphon doesn’t suck.
Comments
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□I did this class 1 year ago, and I would take it again. Just to see how entertaining John Strand is. He is an amazing instructor.
-
JDMurray Admin Posts: 13,099 AdminYes, it was mentioned that people do take this course multiple times. The labs are updated and I'm sure the stories told are different. It was a lot of fun.
-
chrisone Member Posts: 2,278 ■■■■■■■■■□The class was awesome. I had taken the "Active Defense & Cyber Deception" course a couple years ago. It is also a pay what you can course. I also took "Breaching the Cloud" (not a pay what you can course) in 2020, both courses are highly recommended.
I took the "SOC Core Skills" class to guide a junior SOC Analyst we just hired. The class provided many topics, technologies, stories, experiences, and labs. Both level 1 & 3 analysts benefited from this course. Please see original post for more in-depth review for "SOC Core Skills."
Other "Pay what you can" courses to look out for from BHIS:- Getting started in Security with BHIS & MITRE ATT&CK
- Active Defense & Cyber Deception
- Getting Started in Packet Decoding
- Regular Expressions your new lifestyle
Covers the following topics:- Build a managed secure Active Directory operational environment
- Deploy effective security controls and strategic change management
- Defend against the most common and effective adversarial techniques
- Prepare for an effective security penetration test
- Understand security risks and defensive mitigations
Black Hills Information Security is an awesome company. All their people have been amazing!Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX