Chaotic Security Blog

  • Going through Splunk and learning how to make use of the multitude of features it offers can be daunting. Analysts use Splunk to aggregate data and to search and analyze logs. Its Search Processing Language (SPL) is used to run specialized queries against the indexed data, and Splunk can also produce reports with varying levels of detail depending on what a department might need. It is a tool with a lot of versatility under the hood.
  • Decided to dive into some LinkedIn Learning modules, so I focused a bit on learning more about Splunk. Splunk is a tool often referenced when discussing SIEM systems, and it is well suited to log analysis and investigation.
  • I am going through some of the help desk courses on LinkedIn Learning. They also mention having a good grasp of Active Directory. Active Directory manages the users, computers, groups, and policies of a Windows domain. As a help desk person, you would use it frequently to add new users, remove users, reset passwords, and manage groups and policies for an organization. I really enjoyed going through this course to get a feel for it.
  • While looking for cybersecurity positions, I have noticed that many people get their start in IT help desk positions, then move into networking roles, and then into network security, information security, and cybersecurity roles. It can be a good place to start, where you learn about assisting users with everyday networking issues, troubleshooting user accounts, and more.
  • After finishing up the SIEM section, I moved on to Digital Forensics and Incident Response.

    This section deals a lot with the forensic aspect of cybersecurity, so you spend a lot of time using forensic tools and reviewing artifacts to find key details.

    Part of incident response is investigating the malware that has been discovered: understanding how it works, what it is made of, and working out how to prevent it in the future. In this section you learn about tools such as Autopsy for investigating disk images and KAPE for collecting and parsing forensic artifacts from a live system or an image.

    It was quite a long section, but the rooms were well detailed.
  • Continuing with my modules on the TryHackMe site for SOC Level 1.

    Learning more about TheHive Project. TheHive is a Security Incident Response Platform that can be run on-prem or in the cloud, designed to let teams collaborate on investigations quickly and easily. It was open source and freely available through TheHive 4; TheHive 5 is a commercial product from StrangeBee with a free Community edition.

    This room gave a taste of using TheHive in a mini investigation, and it was a lot of fun.
  • Malware analysis is another significant part of cybersecurity, as many parties work to prevent attacks.

    Attackers' malware is constantly evolving, so you need a team that is good at analyzing what makes the malware tick, so to speak.

    Malware analysis is the use of tools, systems, and threat intelligence to identify malware and assess its potential impact on a system. It is done after an incident occurs or as part of an investigation. Samples are only ever detonated inside an isolated sandbox, never on the analyst's own workstation or a machine with a path to the production network.

    I went through the intro to malware analysis room, which introduced me to tools, sandboxes, and a few great sites that are valuable assets for your malware analysis toolkit.
  • Started work on the Security Information and Event Management section of SOC Level 1.

    SIEMs are systems that collect and process logs from many systems, sources, and endpoints. The data is normalized and presented in an easy-to-view format, depending on the SIEM product. These systems can also be configured with rules that trigger alerts when events match criteria that may require investigation. Instead of an analyst manually reviewing thousands of logs for an issue, the system processes the information and raises alerts for further investigation as needed. Those rules need tuning, though: thresholds set too low bury the analyst in false positives, and set too high they let real activity slip through.

    This section covered SIEM systems such as ELK and Splunk, which many companies use for log aggregation and alerting.
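    The kind of alert rule described above, as an added example that is not part of the original post and not code from Splunk, ELK, or any other SIEM product: a small Python correlation rule run over a constructed authentication log. The log format, the field names, the threshold of five failures within one minute, and the rule names `auth.bruteforce` and `auth.bruteforce.success` are all assumptions made for the example. It is the same shape of logic the SPL searches mentioned in the Splunk posts above express: group failed logons by source over a time window and alert when a count is exceeded.

```python
"""A SIEM-style correlation rule in miniature: parse raw log lines into events,
keep per-source state, and raise an alert only when events match the rule.
The log lines below are constructed for the example, not from a real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log, syslog-like: "<timestamp> auth: <result> user=<u> src=<ip>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth: FAILED user=alice src=203.0.113.7
2024-05-01T10:00:03 auth: FAILED user=bob src=203.0.113.7
2024-05-01T10:00:05 auth: FAILED user=carol src=203.0.113.7
2024-05-01T10:00:07 auth: FAILED user=dave src=203.0.113.7
2024-05-01T10:00:09 auth: FAILED user=erin src=203.0.113.7
2024-05-01T10:00:12 auth: SUCCESS user=erin src=203.0.113.7
2024-05-01T10:05:00 auth: FAILED user=alice src=198.51.100.20
2024-05-01T10:30:00 auth: FAILED user=alice src=198.51.100.20
2024-05-01T11:00:00 auth: SUCCESS user=alice src=198.51.100.20
this line is garbage the collector should not choke on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(text):
    """Normalise raw lines into events; unparseable lines are counted, not dropped silently."""
    events, rejected = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            rejected += 1
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events, rejected


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Rule (hypothetical names): `threshold` failed logons from one source inside
    `window` -> medium alert; a success from that source while the window is still
    hot -> high alert. Events must arrive in time order (sort first if the collector
    does not guarantee it)."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the sliding window
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once when the threshold is crossed, not on every extra failure
                alerts.append({"rule": "auth.bruteforce", "severity": "medium",
                               "src": ev["src"], "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"rule": "auth.bruteforce.success", "severity": "high",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run(text=SAMPLE_LOGS):
    """Parse and evaluate the rule; returns (alerts, number of rejected lines)."""
    events, rejected = parse(text)
    return brute_force_alerts(events), rejected


if __name__ == "__main__":
    alerts, rejected = run()
    print(f"{rejected} unparseable line(s)")
    for a in alerts:
        print(a["ts"].isoformat(), a["severity"].upper(), a["rule"], a["src"], a.get("user", ""))
```

    Run it with `python3 siem_rule.py`. On the sample it raises one medium alert when 203.0.113.7 reaches five failures and one high alert when that same source then logs in as erin, while the two failures from 198.51.100.20 half an hour apart never fire. That is the tuning point from the post above: the sliding window and the threshold decide what counts as noise, and the fire-once check at the threshold stops a long brute force from generating one alert per failed attempt.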
  • Learning about endpoint security monitoring this time around. Endpoints are essentially all the machines and devices on your network, and it is essential to understand how to monitor them. If you need to go over a system that may have triggered an alert, it is good to know which endpoint the alert refers to and to understand the core processes that normally run on that system, so that anything unusual stands out.

    This section covers Windows event logs and introduces Sysinternals, a suite of Microsoft tools (Process Explorer, Autoruns, and Sysmon among them) that help you monitor and investigate processes on Windows endpoints.

    Wazuh is an open-source SIEM/XDR platform that also offers vulnerability detection. I have installed Wazuh on a small network setup that I had, and it is interesting to see it in action.
  • Worked through a fascinating part of TryHackMe related to network security and traffic analysis. A big part of SOC analyst work is monitoring traffic-related events and understanding how they are processed and how to analyze them. In this section you learn about open-source intrusion detection tools like Snort and how to write rules for them.

    It follows up with NetworkMiner, a network forensic analysis tool that passively parses packet captures to identify hosts and sessions and to carve out transferred files, for both diagnostic and forensic needs.

    It covers the basics of using Wireshark: analyzing PCAP files and using display filters to dissect traffic streams and find key details.

    There was so much in this section that I know I will have to come back and review it again and again, but it was really fun to work with.
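    To show what analyzing PCAP files and dissecting traffic streams amounts to underneath Wireshark, here is an added example that is not part of the original post and not code from Wireshark, NetworkMiner, or TryHackMe: a pure-Python parser for the classic pcap format that dissects Ethernet/IPv4/TCP, groups packets into conversations the way Follow TCP Stream does, and picks a cleartext HTTP login out of the reassembled client payload. The capture is built in memory from constructed frames; the addresses, ports, and credentials in it are invented for the example, and the parser deliberately handles only classic pcap with the Ethernet link type and fails closed on anything else.

```python
"""Walk a classic pcap without Wireshark: parse records, dissect Ethernet/IPv4/TCP,
group packets into conversations and pull cleartext HTTP logins out of the client
side of each stream. The capture is constructed in memory, not a real one."""
import socket
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Ethernet II + IPv4 + TCP. Checksums stay zero; this parser never verifies them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    # Classic little-endian pcap: magic 0xa1b2c3d4, version 2.4, link type 1 = Ethernet
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_records(data):
    """Yield (timestamp, frame) per record; fail closed on anything malformed."""
    magic = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
    if data[:4] not in magic:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants not handled)")
    end = magic[data[:4]]
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is dissected")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame

def dissect_tcp(frame):
    """Addresses, ports, flags and payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ver_ihl, proto, total_len = frame[14], frame[23], struct.unpack("!H", frame[16:18])[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        return None
    tcp = frame[14 + ihl:min(14 + total_len, len(frame))]  # never trust a length field blindly
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (off_byte >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags, "payload": tcp[doff:]}

def follow_streams(data):
    """Bidirectional conversations like Follow TCP Stream; payloads joined in capture order,
    no sequence-number reassembly of out-of-order or retransmitted segments."""
    streams = defaultdict(lambda: {"flags": 0, "client": b"", "server": b""})
    for _ts, frame in iter_records(data):
        p = dissect_tcp(frame)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (a, b) if a < b else (b, a)
        s = streams[key]
        if "client_ep" not in s:  # whoever sent the bare SYN is the client
            s["client_ep"] = a if (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN else key[0]
        s["flags"] |= p["flags"]
        s["client" if a == s["client_ep"] else "server"] += p["payload"]
    return dict(streams)

def find_cleartext_logins(streams):
    """The classic 'find the password in the pcap' task: POST bodies with a password field."""
    hits = []
    for key, s in streams.items():
        if s["client"].startswith(b"POST ") and b"\r\n\r\n" in s["client"]:
            body = s["client"].split(b"\r\n\r\n", 1)[1]
            if b"pass" in body.lower():
                server = key[1] if s["client_ep"] == key[0] else key[0]
                hits.append({"client": s["client_ep"], "server": server,
                             "body": body.decode("ascii", "replace")})
    return hits

# Constructed traffic: an HTTP form login on port 80, then a SYN probe answered with RST.
CLIENT, SERVER, SCANNER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
LOGIN = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Content-Length: 26\r\n\r\nuser=admin&pass=Winter2024")
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 51000, 80, TCP_SYN),
    build_frame(SERVER, CLIENT, 80, 51000, TCP_SYN | TCP_ACK, ack=1),
    build_frame(CLIENT, SERVER, 51000, 80, TCP_PSH | TCP_ACK, LOGIN, seq=1, ack=1),
    build_frame(SERVER, CLIENT, 80, 51000, TCP_PSH | TCP_ACK,
                b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n", seq=1, ack=1 + len(LOGIN)),
    build_frame(SCANNER, SERVER, 40000, 22, TCP_SYN),
    build_frame(SERVER, SCANNER, 22, 40000, TCP_RST | TCP_ACK, ack=1),
])
```

    `follow_streams(SAMPLE_PCAP)` yields two conversations: the port-80 session whose client side is the POST and whose server side starts with `HTTP/1.1 302`, and the port-22 probe that carries no payload and has RST set. `find_cleartext_logins` returns the one hit with `pass=Winter2024` in the body. The record loop and the header dissector check every length against what is actually present before slicing, which is the habit to keep when the pcap comes from the attacker's side of an incident rather than from your own tap.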