Cybersecurity Incident Response in SOC for Cybersecurity

$249.00
When you get access:
Course access is prepared after purchase and delivered via email
How you learn:
Self-paced • Lifetime updates
Who trusts this:
Trusted by professionals in 160+ countries
Your guarantee:
30-day money-back guarantee — no questions asked
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
This curriculum spans the design and execution of a full cybersecurity incident response lifecycle within a Security Operations Center, comparable to multi-phase advisory engagements that integrate technical tooling, cross-functional coordination, and continuous improvement processes across global enterprise environments.

Module 1: Establishing the SOC Foundation and Operational Model

  • Selecting between centralized, decentralized, or hybrid SOC staffing models based on organizational footprint and threat landscape.
  • Defining shift coverage requirements to ensure 24/7 monitoring, including handover protocols between regional teams.
  • Integrating the SOC with existing ITIL-based incident management workflows without duplicating ticketing efforts.
  • Establishing clear escalation paths between Tier 1 analysts, Tier 2/3 responders, and executive stakeholders.
  • Implementing secure, role-based access controls for SOC analysts on SIEM, EDR, and network monitoring tools.
  • Documenting and version-controlling standard operating procedures for common detection and response activities.

Module 2: Threat Detection Architecture and Tool Integration

  • Configuring log forwarding from firewalls, endpoints, and cloud workloads to ensure normalized ingestion in the SIEM.
  • Designing correlation rules that reduce false positives while maintaining detection sensitivity for lateral movement.
  • Integrating EDR telemetry with the SIEM to enable automated triage and response workflows.
  • Deploying network detection and response (NDR) sensors at key network segmentation boundaries for east-west visibility.
  • Validating API connectivity and authentication between SOAR platforms and identity providers for automated user lockouts.
  • Assessing the performance impact of full packet capture on network infrastructure and determining retention thresholds.

Module 3: Incident Triage, Classification, and Prioritization

  • Applying the MITRE ATT&CK framework to map observed behaviors and prioritize incidents by adversary tactic.
  • Implementing a risk-based scoring model that factors in asset criticality, exploit availability, and data exposure.
  • Distinguishing between benign anomalies and malicious activity in cloud access logs using behavioral baselines.
  • Standardizing incident classification codes to ensure consistency across analyst teams and reporting systems.
  • Validating alert context by enriching with threat intelligence feeds without introducing latency in triage.
  • Managing alert fatigue by tuning detection thresholds and establishing suppression rules for known false positives.

Module 4: Containment and Eradication Procedures

  • Executing network-level containment by reconfiguring firewall rules to isolate compromised subnets.
  • Disabling compromised user accounts through automated scripts while preserving audit trail integrity.
  • Removing persistence mechanisms such as scheduled tasks, registry run keys, or malicious cloud IAM roles.
  • Coordinating endpoint isolation across multiple EDR platforms in a heterogeneous environment.
  • Preserving volatile memory and disk images from affected systems before initiating remediation.
  • Assessing the impact of containment actions on business operations and obtaining approvals for disruptive measures.

Module 5: Forensic Investigation and Evidence Handling

  • Creating forensic images of physical and virtual machines using write-blockers and verified hashing methods.
  • Extracting and analyzing Windows event logs for signs of credential dumping or pass-the-hash activity.
  • Reconstructing attacker command sequences from PowerShell transcript logs or bash history files.
  • Handling cloud-native evidence such as AWS CloudTrail logs or Azure Activity Logs with chain-of-custody documentation.
  • Using memory analysis tools like Volatility to detect hidden processes or injected code in RAM dumps.
  • Storing forensic artifacts in encrypted, access-controlled repositories with audit logging enabled.

Module 6: Cross-Functional Coordination and Stakeholder Communication

  • Initiating communication with legal counsel when personal data or regulated information is involved in a breach.
  • Coordinating with public relations to align external messaging with investigation status and legal constraints.
  • Providing technical briefings to executives using non-technical summaries of impact and recovery progress.
  • Engaging third-party forensic firms under NDAs while maintaining oversight of investigation scope.
  • Reporting incidents to regulatory bodies within mandated timeframes, such as 72 hours under GDPR.
  • Facilitating tabletop exercises with IT, legal, and business units to validate incident response coordination.

Module 7: Post-Incident Review and Continuous Improvement

  • Conducting blameless post-mortems to identify process gaps, tool limitations, or detection blind spots.
  • Updating detection rules and playbooks based on attacker techniques observed during recent incidents.
  • Measuring mean time to detect (MTTD) and mean time to respond (MTTR) across incident types for performance tracking.
  • Revising asset criticality rankings based on actual breach impact to improve future prioritization.
  • Implementing compensating controls for vulnerabilities that cannot be immediately patched.
  • Archiving incident data in compliance with data retention policies while enabling future threat hunting queries.

Module 8: Threat Hunting and Proactive Detection Engineering

  • Developing custom detection queries to identify living-off-the-land binaries (LOLBins) in process execution logs.
  • Using Sigma rules to standardize detection logic across multiple SIEM platforms.
  • Conducting hypothesis-driven hunts based on threat intelligence about emerging adversary campaigns.
  • Automating repetitive data collection tasks using Python scripts to query endpoints at scale.
  • Validating detection efficacy through red team engagements and purple team exercises.
  • Integrating threat actor TTPs into the SOC’s detection roadmap to close known coverage gaps.