Review of SOC Core Skills training by Antisyphon InfoSec

JDMurray (Admin, Surf City, USA, Posts: 12,670) MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+
edited April 5 in Incident Response

Last week I attended the SOC Core Skills training presented by Antisyphon InfoSec Training and Black Hills Information Security (BHIS). This is a 16-hour (four days of 4-hour sessions) live, virtual, information security training course covering the core security skills all Security Operations Center (SOC) analysts need to have to work in the SOC at BHIS. This course is a great introduction to the more technical aspects of working as a SecOps analyst and a preview of other Antisyphon training courses.

This course is taught by the owner and founder of BHIS, the legendary (and former) SANS instructor and InfoSec (and almost literally) rockstar John Strand. John is extremely knowledgeable, experienced, entertaining, and personable in a one-hour webcast, but 16x of him is almost astonishing to experience. John lives in South Dakota, vacations in Costa Rica, has played guitar for 35 years, is a Pop!_OS Linux user, dabbles in surfing, mountain biking, and beekeeping (not at the same time), and eats South Dakota sushi. Nuff sed.

This course uses the Pay What You Can model for pricing. You simply pay what you think you can afford for such training--including nothing. However, there are certain price points that will get you extra stuff, such as six months of access to the MetaCTF capture-the-flag competition and skill-building environment. (I took this option and will review MetaCTF in the future.) If you end up finding the SOC course even more valuable than you had anticipated, you can pay it forward by paying more for the next Antisyphon training course that you take.

This course is designed around hands-on labs. The lab instructions are available to the public, as is the Win10 VM used to perform the labs. The more essential learning labs are worked during the course and given a walk-through by JS. Other labs you can do whenever you have time. The VM and lab material will continue to be available after the course is completed and possibly to the ends of time (a direct quote by JS).

Yes, you could simply download and try the labs yourself without attending the course, but you would miss the extra information, banter, and camaraderie that comes from your fellow classmates on Discord. Besides, the pay-what-you-can model allows you to attend for free, so why not? If you don't have the time for live training, Antisyphon InfoSec Training now has on-demand training available for your convenience.

Daily attendance in the course consists of watching JS in a remote meeting window, chatting in Discord channels, and putzing around in the VM labs (VMware Workstation Pro or Player preferred). The Antisyphon team is available in Discord and the remote meeting prior to the beginning of each class for “pre-show banter.” Anything can be discussed at this time, from malware to cookware, from washing machines to virtual machines, from job hunting to threat hunting to real hunting. Everyone has an opinion or advice about something, so never miss the pre-show.

Here is a rough itinerary of the four days of SOC training:

Day 1

  • Pre-show banter (1 hour)
  • Windows Live Analysis
  • Tcpdump vs Wireshark
  • Ping, Port, Parse

Day 2 - Linux

  • Linux and its CLI
  • Labs and walk-throughs

Day 3 - Windows

  • Pre-show Banter
  • Windows CLI
  • The Ladder of PID
  • Labs and walk-throughs
  • Advice, observation, history, getting women and minorities into cyber

Day 4 - Network Threat Hunting

  • Labs and walk-throughs (lots of)
  • Backdoors and Breaches

Once again, it may seem like you could just find all this material on YouTube and skip taking this course. However, the knowledge and wisdom expounded by JS gives insight and inspiration to even the most mundane of tasks.

The labs do require some familiarity with the use of Windows 10 and Linux on the command line (CLI). If you don't know Linux--or loathe MS-DOS--you will have time to learn some basic commands to get you going on the labs. If you want to do the labs later, that’s fine too. You have the Antisyphon staff and your fellow classmates in Discord to help you along the way. The video instruction ends precisely on time each day, but people stay in Discord to help and are even posting stuff days after the course ends to help you with the labs. The course recording will be available for six months after the course ends.

Here are some related links that were posted in the course Discord chat. There doesn’t seem to be a way in Discord to save the contents of a channel to a file, but I had very good luck using DiscordChatExporter on Windows 10:

Above all, remember that “There is no blue; there is no red; we are all purple,” and Antisyphon doesn’t suck.


Comments

  • SteveLavoie (Member, Posts: 1,064)
    I did this class 1 year ago, and I would take it again, just to see how entertaining John Strand is. He is an amazing instructor.
  • JDMurray (Admin, Surf City, USA, Posts: 12,670)
    Yes, it was mentioned that people do take this course multiple times. The labs are updated and I'm sure the stories told are different. It was a lot of fun.
  • SteveLavoie (Member, Posts: 1,064)
    Even at full price it is worth it.
  • chrisone (Senior Member, Posts: 2,251)
    edited April 8
    The class was awesome. I had taken the "Active Defense & Cyber Deception" course a couple of years ago. It is also a pay-what-you-can course. I also took "Breaching the Cloud" (not a pay-what-you-can course) in 2020; both courses are highly recommended.

    I took the "SOC Core Skills" class to guide a junior SOC Analyst we just hired. The class provided many topics, technologies, stories, experiences, and labs. Both level 1 and level 3 analysts benefited from this course. Please see the original post for a more in-depth review of "SOC Core Skills."

    Other "Pay what you can" courses to look out for from BHIS:
    I am looking to take the "Defending the Enterprise" course. It is NOT a "pay what you can" course. This course teaches you to secure AD.

    Covers the following topics:
    • Build a managed secure Active Directory operational environment
    • Deploy effective security controls and strategic change management
    • Defend against the most common and effective adversarial techniques
    • Prepare for an effective security penetration test
    • Understand security risks and defensive mitigations

    Black Hills Information Security is an awesome company. All their people have been amazing! 