Deutsche Telekom SOC Training Documentation
- Pavan Raja
- Apr 8, 2025
Summary:
This training program appears to be comprehensive and well-structured, covering a broad range of essential skills for SOC analysts, including threat detection, incident response, and network analysis. The focus on practical exercises and real-world scenarios is particularly valuable, as it allows participants to apply their knowledge in realistic contexts. Here’s a breakdown of the key aspects mentioned:
1. **Threat Intelligence**: Participants work through data exfiltration and anomaly detection exercises, which are crucial for learning how to identify potential security threats within an organization's network. This includes analyzing network traffic to detect abnormal activity such as attempts to exfiltrate data, or unusual system behavior like the presence of "spools.exe."
2. **Network Analysis**: The scenario involving RFC1918 broadcast traffic and TCP Port 49152 highlights the importance of understanding IP spaces, specifically RFC1918 (private IP addresses) versus public IP addresses. This helps in distinguishing between internal network communications and external threats that might require different handling or reporting procedures.
3. **SOC Tools**: The deep dive into SOC tools such as the ArcSight Navigation Suite is comprehensive, covering modules such as event management, dashboarding, data monitoring, and report generation. This training builds competency in using these tools to monitor network traffic effectively and detect potential security threats.
4. **Use Cases and Business Context**: Practical workshops involving scenarios help in understanding specific use cases and their implications on business operations. This includes handling malware events, failed logons, host communication with malicious URLs, and user account lockouts, which are all critical for incident response and threat management within an organization.
5. **SANS Training Preparation**: Reviewing SANS 503 material and preparing for quizzes indicates a strong commitment to enhancing knowledge in security event escalations and SIEM environment functions. This is crucial for proactive security operations.
6. **SOC Methodology**: Clear guidelines for security event escalation, including who to involve and when to take action based on identified risks, are essential for efficient incident handling.
7. **Continuous Learning and Improvement**: The program includes continuous review mechanisms such as written tests, ad-hoc questions, and feedback sessions, which help in assessing knowledge growth or gaps among participants.
To summarize, this training program is designed to provide a holistic understanding of information security management, network administration, and SOC operations. It emphasizes practical skills development through real-world simulations and continuous evaluation mechanisms, ensuring that participants are well-prepared for roles in the field of cybersecurity.
Details:
The document titled "1.1.1.8 Deutsche Telekom Security Operations Center Training Records" is a training record for the security operations center at Deutsche Telekom, created by HP Enterprise on December 11, 2014. It details the version history and approval process of the document, including information about its creation, management, and review. The document was last revised in November 2014 and is stored in a specific location within the company's file system. Its primary purpose appears to be providing training materials related to security operations for Deutsche Telekom employees, though it does not explicitly state the training objectives.
The purpose of the "Deutsche Telekom Training Records Document" is to outline the curriculum for the Deutsche Telekom SOC (Security Operations Center) Training Program, which was directed by HP Professional Services from September 29th, 2014 through November 7th, 2014. This document aims to define the topics, lectures, assignments, exercises, and demonstrations that are part of the training program. The training took place at Deutsche Telekom Bremen location in various rooms, with sessions running from Monday to Thursday between 0930hrs-1130hrs and 1330hrs-1530hrs.
This document outlines a comprehensive training program for Deutsche Telekom SOC employees focusing on enhancing their skills in Information Security Management, Security Operations Skills, and ArcSight SIEM technology. The primary goal is to empower current employees through knowledge acquisition and practical skill demonstration within specific modules.
The target audience comprises current Deutsche Telekom SOC employees who are responsible for daily operations tasks and responsibilities related to security monitoring. This diverse group includes management, engineers, analysts, and others involved in developing and maturing the company's security monitoring capabilities. Participation is open to all eligible employees without minimum educational or aptitude requirements; selection is determined by Deutsche Telekom based on their needs.
The learning objectives are focused on improving participants' skills in areas such as analytical thinking (including psychology), cognitive biases, network fluency, and understanding of cybersecurity threats, methodologies, tools like Wiki and SIEM, and practical intrusion analysis skills. The syllabus is structured to be flexible, allowing for adjustments based on the level of detail required or desired.
The training program employs open-source materials and does not prescribe a strict educational path but rather aims to enhance knowledge and competency within defined topics tailored by Deutsche Telekom management and HP SIOC Professional Services consultants. The overall aim is to foster unguided growth and maturity in each participant's understanding of the subjects covered.
This content outlines a structured educational program focused on enhancing analytical thinking, understanding of security events, adversary characterization, attack economics, cognitive biases, effective communication, and intrusion analysis. The modules include:
1. **Analytical Thinking**: Participants engage with the psychology behind intelligence analysis through lectures and classroom discussions, defining key steps in the process including escalation requirements and documentation. They differentiate between security events and incidents, learning to research for escalation and meet documentation requirements.
2. **Adversary Characterization**: The course provides examples of both human adversaries and automated attacks. Specific examples include a command line string used to install malware (demonstrated using pcap files) and practical demonstrations such as SYN floods or brute force attacks. This section helps participants identify high-value targets (HVTs) within companies, crucial for understanding potential adversaries in cyber threats.
3. **Attack Economics**: The lecture covers the HP Attack Life Cycle, breaking down stages of a data breach with practical examples. Participants learn to recognize and illustrate each stage using case studies. A detailed breakdown of this process is disseminated through an HP Whitepaper on Attack Life Cycle.
4. **Cognitive and Confirmation Bias**: The course addresses confirmation bias in security analysis, illustrating it with scenarios such as SYN floods versus legitimate TCP negotiations or malware events masquerading as normal system processes. This helps participants understand how to avoid biases that can affect judgment and decision-making in cybersecurity situations.
5. **Effective Communication**: Participants are guided through the creation of Executive Summaries, which serve as concise reports detailing cyber scenarios. They draft these summaries based on provided templates and present them either orally or in writing to management and HP consultants, enhancing their presentation skills while ensuring clear communication of complex security information.
6. **Intrusion Analysis & Research Skills**: This module covers the practical aspects of analyzing intrusion attempts using various tools and resources, including IP/URL reputation services, Windows Event definitions, malware comprehension with IDS/IPS, detection of high-fidelity indicators, and network tracing through advanced Google search techniques.
This comprehensive program is designed to equip participants with both theoretical knowledge and practical skills in cybersecurity analysis and response, essential for roles in threat intelligence, incident handling, and security operations.
The provided summary outlines the various components and activities related to Information Security Management, Network Fluency, SOC Tools (specifically ArcSight Navigations), Use Cases and Business Context, SANS Training Preparation, and SOC Methodology. Key points include:
1. **Information Security Management**: Components such as supporting teams and functions were identified and discussed visually using a Visio diagram. The workflow was visualized to enhance understanding of how information security is managed within an organization.
2. **Windows Fluency**: Command-line proficiency was demonstrated through practical exercises with nslookup, netstat, Task Manager, and the Windows Event Logs, building skills in managing and troubleshooting Windows-based systems.
3. **Network Fluency**: Covered topics such as the OSI model, TCP/IP, ports (well-known, registered, and ephemeral), the purpose of TTL, stateful vs. stateless firewalls, MAC addresses, protocols (TCP, UDP, DNS), and the distinction between RFC 1918 space and public IP space, including which country a public range is allocated to.
4. **SOC Tools (ArcSight Navigations)**: Deep dive into SOC tools such as the ArcSight Navigation Suite, with sessions covering ESM Overview, Event Schema, Event Lifecycle, ESM Console, Active Channels, Filters, Variables, Dashboards and Data Monitors, Reports, Query Views, and the ESM Network Model. This includes creating and using shift logs, modifying or creating Wiki pages using features such as twisties, and writing rule response procedures.
5. **Use Cases and Business Context**: Defined use case methodology was demonstrated through practical workshops involving scenarios such as single malware events on a single machine, multiple malware events across machines, failed FTP logons, host communication with malicious URLs on specific ports, and user account lockouts.
6. **SANS Training Preparation**: Reviewed SANS 503 material and provided examples of SANS quizzes to prepare for the training. This ensured competency in understanding security event escalations and proper functions/purposes within a SIEM environment.
7. **SOC Methodology**: Clarified strategies for security event escalations, including who to escalate issues to, when to escalate them, and recommended actions based on identified risks.
Overall, this summary highlights the comprehensive approach to enhancing skills in information security management, network administration, and SOC operations through practical training, tool usage, and real-world scenario engagement.
The provided text outlines a training program for SOC (Security Operations Center) personnel, detailing the course content and methodology used to enhance their skills in threat intelligence, monitoring, alerting, response, and overall competency improvement. Key aspects of the training include practical exercises that reinforce learning in analytical thinking, presentation skills, research, and investigation abilities.
The training program includes several hands-on exercises designed to simulate real-world scenarios:
1. Data Exfiltration Exercise - Rogue Consultant: Participants analyzed a pcap file containing network traffic from Deutsche Telekom, tasked with identifying how a consultant might be attempting to exfiltrate data. They were also challenged to create potential use cases that could alert them to such an incident.
2. Anomaly Detection Exercise - Spools.exe: This exercise focused on detecting anomalies in system behavior using the example of unusual activity from a file named "spools.exe." Participants had to investigate this anomaly and understand its implications for security measures.
Throughout these exercises, participants were evaluated on their performance, and progress was continually assessed through written tests, ad-hoc questions, and homework assignments, with feedback provided directly by the participants themselves. This continuous review facilitated discussion of the topics and allowed HP consultants to gauge participants' knowledge growth, or lack of it.
The provided text discusses a scenario involving network traffic analysis within an organization's cybersecurity framework. Participants were tasked with identifying and investigating abnormal network activity, specifically RFC1918 broadcast traffic introduced into a public-to-public TCP connection. They were required to determine whether this event was due to a security incident or normal activities, using forensic tools and external threat intelligence sources such as The Hacker News and Twitter.
The participants prepared Executive Summaries based on their findings, tailored for different audiences like System Admins, Legal Team, and Executive Management. These summaries were designed to help them understand the implications of their decisions regarding escalation or dismissal of the incident as normal activity.
Another focus was the analysis of a potential malware threat detected through TCP Port 49152, demonstrating the ability to identify anomalies using external threat intelligence and applying investigative tools. This scenario aimed to improve the participants' skills in detecting threats within their environment and sharing this information across the enterprise.
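As an added illustration of the triage scenario above (RFC1918 or broadcast traffic appearing in a public-to-public TCP capture, and a watch-listed port such as TCP 49152), not code from the training records or from HP or Deutsche Telekom, the following Python script classifies each address and flags records an analyst should review. The flow-record format, the sample lines, and the port watch list are constructed assumptions; 203.0.113.0/24 and 198.51.100.0/24 stand in for public address space.

```python
"""Triage of constructed flow records for the RFC1918 / broadcast / watch-port scenario."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# Constructed watch list: the training scenario's TCP port 49152.
WATCH_PORTS = {49152}


def classify(addr: str) -> str:
    """Return 'broadcast', 'rfc1918' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return "broadcast"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def parse(line: str) -> dict:
    """Parse the constructed format 'ts src:sport -> dst:dport PROTO'."""
    ts, src, _, dst, proto = line.split()
    saddr, sport = src.rsplit(":", 1)
    daddr, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": saddr, "sport": int(sport), "dst": daddr, "dport": int(dport), "proto": proto}


def triage(lines, watch_ports=WATCH_PORTS):
    """Return (line, reason) pairs for records worth an analyst's attention on an
    external-facing capture where both endpoints are expected to be public."""
    findings = []
    for line in lines:
        r = parse(line)
        s, d = classify(r["src"]), classify(r["dst"])
        if r["proto"] == "TCP" and d == "broadcast":
            findings.append((line, "TCP to a broadcast address is protocol-invalid: likely spoofed or misrouted"))
        elif "rfc1918" in (s, d):
            findings.append((line, "RFC1918 address in a public-to-public capture: address leak or spoofing"))
        elif r["proto"] == "TCP" and r["dport"] in watch_ports:
            findings.append((line, f"destination port {r['dport']} is on the threat-intel watch list"))
    return findings


SAMPLE = [  # constructed records
    "2014-10-21T10:05:01 203.0.113.7:51234 -> 198.51.100.20:443 TCP",
    "2014-10-21T10:05:02 192.168.1.44:1900 -> 255.255.255.255:1900 TCP",
    "2014-10-21T10:05:03 10.20.30.40:40001 -> 198.51.100.20:443 TCP",
    "2014-10-21T10:05:04 203.0.113.9:40002 -> 198.51.100.77:49152 TCP",
    "2014-10-21T10:05:05 203.0.113.9:53 -> 198.51.100.53:53 UDP",
]

if __name__ == "__main__":
    for line, why in triage(SAMPLE):
        print(why, "<-", line)
```

A subnet-directed broadcast (for example 192.168.1.255) can only be recognized with the local subnet table, so the script checks the limited broadcast address and lets the RFC1918 rule catch the rest.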
The educational program included tests based on the week's curriculum and objectives discussed during classroom training, as well as assignments designed to familiarize participants with routine SOC (Security Operations Center) tasks such as developing Threat & Reputational Intelligence Resources, which are crucial for day-to-day operations in a SOC setting.
The SOC has a fixed, vetted set of resources that it uses consistently for various tasks. The participants created a Wiki Contacts Page that keeps a list of useful contacts for escalating information or informing other teams about security events and incidents. In the SOC training program, participants learned to identify security events, investigate them, document their actions, prepare summaries, update knowledge bases, and follow systematic operating procedures for a functional SOC. To expand their knowledge, they can use self-paced learning resources such as webinars and external professional contacts.
To further their understanding of information security, participants are also encouraged to pursue industry-recognized professional certifications in the field.