Review of SOC Core Skills training by Antisyphon InfoSec

JDMurray

Last week I attended the SOC Core Skills training presented by Antisyphon InfoSec Training and Black Hills Information Security (BHIS). This is a 16-hour (4-days, 4-hour sessions) live, virtual, information security training course covering the core security skills all Security Operation Center (SOC) analysts need to have to work in the SOC at BHIS. This course is a great introduction to the more technical aspects of working as a SecOps analyst and as a preview to other Antisyphon training courses.

This course is taught by the owner and founder of BHIS, the legendary (and former) SANS instructor and InfoSec (and almost literally) rockstar John Strand. John is extremely knowledgeable, experienced, entertaining, and personable in a one-hour webcast, but 16x of him is almost astonishing to experience. John lives in South Dakota, vacations in Costa Rica, has played guitar for 35 years, is a Pop!_OS Linux user, dabbles in surfing, mountain biking, and beekeeping (not at the same time), and eats South Dakota sushi. Nuff sed.

This course uses the Pay What You Can model for pricing. You simply pay what you think you can afford for such training--including nothing. However, there are certain price-points that will get you extra stuff, such as 6-months access to the MetaCTF capture-the-flag competition and skill-building environment. (I took this option and will review MetaCTF in-future.) If you end up finding the SOC course even more valuable than you had anticipated, you can pay it forward by paying more for the next Antisyphon training course that you take.

This course is designed around hands-on labs. The lab instructions are available to the public, as is the Win10 VM used to perform the labs. The more essential learning labs are worked during the course and given a walk-through by JS. Other labs you can do whenever you have time. The VM and lab material will continue to be available after the course is completed and possibly to the ends of time (a direct quote by JS).

Yes, you could simply download and try the labs yourself without attending the course, but you would miss the extra information, banter, and comradery that comes from your fellow classmates on Discord. Besides, the pay-what-you-can model allows you to attend for free, so why not? If you don't have the time for live training, Antisyphon InfoSec Training now has on-Demand training available for your convenience. 

Daily attendance in the course consists of watching JS in a remote meeting window, chatting in Discord channels, and putzing around in the VM labs (VMware Workstation Pro or Player preferred). The Antisyphon team is available in Discord and the remote meeting prior to the beginning of each class for “pre-show banter.” Anything can be discussed at this time from Malware to cookware, from washing machines to virtual machines, from job hunting to threat hunting to real hunting. Everyone has an opinion or advice about something, so never miss the pre-show.

Here is a rough itinerary of the four days of SOC training:

Day 1

• Pre-show banter (1 hour)
• Windows Live Analysis
• Tcpdump vs Wireshark
• Ping, Port, Parse

Day 2 - Linux

• Linux and its CLI
• Labs and walk-throughs

Day 3 - Windows

• Pre-show Banter
• Windows CLI
• The Ladder of PID
• Labs and walk-throughs
• Advice, observation, history, getting women and minorities into cyber
  

Day 4 - Network Threat Hunting

• Labs and walk-throughs (lots of)
• Backdoors and Breaches

Once again, it may seem like you could just find all this material on YouTube and skip taking this course. However, the knowledge and wisdom expounded by JS gives insight and inspiration to even the most mundane of tasks.

The labs do require some familiarity with the use of Windows 10 and Linux on the command line (CLI). If you don't know Linux--or loathe MS-DOS--you will have time to learn some basic commands to get you going on the labs. If you want to do the labs later that’s fine too. You have the Antisyphon staff and your fellow classmates in Discord to help you along the way. The video instruction ends precisely on time each day, but people stay in Discord to help are even posting stuff days after the course ends to help you with the labs. The course recording will be available for six months after the course ends.

Here are some related links that were posted in the course Discord chat. There doesn’t seem to be a way in Discord to save the contents of a channel to a file, but I had very good luck using DiscordChatExporter on Windows 10:

• Cyber Threat Hunting Training Course - Active Countermeasures

• Attack Tactics 5: Zero to Hero Attack

• How to Job Hunt Like a Hacker (Social Engineer) 

• Infosec Job Hunting (Part 1 of 5): How to Locate the Work You Want

• Backdoors & Breaches

• How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity

• OWASP ZAP Full Scan

• How to use a Raspberry Pi as a Network Sensor - Bill Stearns

• Detecting Network Attacks with Wireshark - InfosecMatter
  

• Intro to Network Traffic Analysis : HTB Academy 

• Case 001 PCAP Analysis - DFIR Madness

• RITA - Active Countermeasures

• Real Intelligence Threat Analytics (RITA)

• 11 Strategies of a World-Class Cybersecurity Operations Center

• SANS Webcast: Building Your Own Super Duper Home Lab

• Antisyphon Merch

Above all, remember that “There is no blue; there is no red; we are all purple,” and Antisyphon doesn’t suck.

SteveLavoie

I did this class 1 year ago, and I would take it again. Just to see how entertaining John Strand is.  He is an amazing instructor. 

JDMurray

Yes, it was mentioned that people do take this course multiple times. The labs are updated and I'm sure the stories told are different. It was a lot of fun.

SteveLavoie

Even at full price it is worth it

chrisone

The class was awesome. I had taken the "Active Defense & Cyber Deception" course a couple years ago. It is also a pay what you can course. I also took "Breaching the Cloud" (not a pay what you can course) in 2020, both courses are highly recommended. 

I took the "SOC Core Skills" class to guide a junior SOC Analyst we just hired. The class provided many topics, technologies, stories, experiences, and labs. Both level 1 & 3 analysts benefited from this course. Please see original post for more in-depth review for "SOC Core Skills."

Other "Pay what you can" courses to look out for from BHIS:

• Getting started in Security with BHIS & MITRE ATT&CK
• Active Defense & Cyber Deception
• Getting Started in Packet Decoding
• Regular Expressions your new lifestyle

I am looking to take the "Defending the Enterprise" course. It is NOT a "pay what you can" course. This course that teaches you to secure AD.

Covers the following topics:

• Build a managed secure Active Directory operational environment
• Deploy effective security controls and strategic change management
• Defend against the most common and effective adversarial techniques
• Prepare for an effective security penetration test
• Understand security risks and defensive mitigations

Black Hills Information Security is an awesome company. All their people have been amazing!