Review
This past week, I passed the Offensive Security Defense Analyst (OSDA) certification exam. True to form for OffSec, this was another practical 24-hour exam following the SOC-200 "Security Operations and Defensive Analysis" course. Bottom line: I think this is an excellent foundational blue team certification that ensures students can identify, recognize, track, and document attackers' TTPs through a SIEM.
I would highly recommend this course for anyone who is interested in maturing in or pursuing a role in blue team operations. It is also excellent for red teamers looking to understand detection methods. If I were leading a blue team, I would push for analysts to pursue a practical cert such as OSDA. It covers attacker TTPs, logging & monitoring concepts, and detecting attacks for web, AD, Windows & Linux. All of these topics are taught at a foundational level, and then this foundation is built on with modules covering the ELK SIEM to tie it all together.
I did not feel this was as challenging as other OffSec courses, but this was the fifth OffSec exam I have attempted, after I had been working on 300-level courses. If you're newer to security and this is your first security cert because you are looking to get hired on a SOC, YMMV. That being said, I think this is a great entry-level cert for someone who's looking to pivot into security!
Course Content
SOC-200 is an introductory course that covers: attacker methodology, Windows endpoint logging & attacks (including Sysmon), Linux endpoint logging & attacks, network attacks, AV evasion, and of course Active Directory topics such as enumeration, lateral movement, and persistence.
I very much appreciated the foundational knowledge they built up. Understanding the different log sources and how they are parsed was a key strength. One note, however, is that I felt it got a bit repetitive: look at an attack, inspect the logs by hand through e.g., PowerShell or Event Viewer, and then move on to the next one. This process is repeated for most of the course until the end, when the topics are brought together in the ELK modules.
One significant con of this approach (in my opinion) is that too much time was spent using painful PowerShell queries to look at logs when in the real world I'd be looking at a SIEM. I didn't want to waste my study time developing PS functions to sift through logs when ultimately I'd just be looking at ELK. I had the same concern with the non-Windows sections as well. Some extra miles revolved around crafting Python scripts to comb through e.g., Linux logs for suspicious activity. They seemed more like Python exercises in parsing logs than challenges to build my skills for the exam (... and the real world). I skipped most of the extra miles because I didn't think they were as necessary as a result. My main feedback to OffSec would be to rework some of these exercises and extra miles so they focus more on real-world and exam-relevant skills, and move log parsing to the 100-level content.
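For readers who have not seen what those Linux log-parsing extra miles look like, here is an added example of the kind of script they ask for; it is not course material and not the author's code. It parses a handful of constructed OpenSSH auth.log lines (sample data, not a real host) and flags the classic "many failures, then a success from the same source" pattern using a sliding time window. The threshold and window values are arbitrary choices for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the syslog format OpenSSH writes; not real data.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 10.10.14.7 port 51022 ssh2
Mar  4 09:12:03 web01 sshd[2213]: Failed password for invalid user test from 10.10.14.7 port 51024 ssh2
Mar  4 09:12:05 web01 sshd[2215]: Failed password for root from 10.10.14.7 port 51026 ssh2
Mar  4 09:12:07 web01 sshd[2217]: Failed password for root from 10.10.14.7 port 51028 ssh2
Mar  4 09:12:09 web01 sshd[2219]: Failed password for root from 10.10.14.7 port 51030 ssh2
Mar  4 09:12:12 web01 sshd[2221]: Accepted password for root from 10.10.14.7 port 51032 ssh2
Mar  4 09:12:12 web01 sshd[2221]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  4 09:30:40 web01 sshd[2300]: Failed password for alice from 192.168.1.20 port 40110 ssh2
Mar  4 09:30:55 web01 sshd[2302]: Accepted publickey for alice from 192.168.1.20 port 40112 ssh2
"""

# One regex covers both outcomes; "invalid user" is optional so unknown accounts parse too.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for an sshd auth result line, or None for any other line."""
    m = SSHD_AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; month/day/time is enough to order events
    # within a single log file for this example.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def find_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP that fails `threshold` or more times inside `window` and then logs in."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec is None:
            continue
        recent = failures[rec["ip"]]
        # Drop failures that have fallen out of the sliding window.
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()
        if rec["result"] == "Failed":
            recent.append(rec["ts"])
            continue
        # An accepted login: alert if enough failures preceded it, then reset the window.
        if len(recent) >= threshold:
            alerts.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "method": rec["method"],
                "failures": len(recent),
                "first_failure": recent[0],
                "success_at": rec["ts"],
            })
        recent.clear()
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce_then_success(SAMPLE_AUTH_LOG):
        print(f"{a['ip']} -> {a['user']} ({a['method']}): {a['failures']} failures "
              f"from {a['first_failure']:%H:%M:%S}, success at {a['success_at']:%H:%M:%S}")
```

On the sample data this reports the 10.10.14.7 burst against root and stays quiet about alice's single typo followed by a key-based login. In a SIEM the same logic is a count of failures grouped by source IP joined with a later success; writing it by hand is mostly useful for seeing exactly which fields the rule depends on.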
That being said, the content was very solid. I enjoyed how they scripted out attacker TTPs and ran them in real time so that you could watch the footprint left behind. The web attacks section was great, although I wish it had covered more attacks. However, the concepts taught can be built on for things not covered in the content. The last few modules related to AD were really great, covering attacks such as Kerberoasting, pass-the-ticket, pass-the-hash, and more. Finally, the course did well covering the ELK SIEM, and these sections were very valuable for me.
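As an added illustration of the AD detections mentioned above (not from the course or the author), here is a small Kerberoasting detector written the way you would prototype a SIEM rule before turning it into an ELK query. It runs over constructed Security event 4769 records (flattened for readability; Winlogbeat would nest the fields under winlog.event_data) and alerts when one requesting account pulls RC4 (0x17) service tickets for several distinct service accounts inside a short window. The threshold, window, sample accounts and IPs are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records; not real logs. TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-04T14:02:10Z", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.7"},
    {"timestamp": "2024-03-04T14:02:10Z", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.7"},
    {"timestamp": "2024-03-04T14:02:11Z", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.7"},
    {"timestamp": "2024-03-04T14:02:11Z", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.7"},
    {"timestamp": "2024-03-04T14:05:00Z", "event_id": 4769, "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.5"},
    {"timestamp": "2024-03-04T14:06:00Z", "event_id": 4769, "TargetUserName": "bjones@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.9"},
    {"timestamp": "2024-03-04T14:06:30Z", "event_id": 4768, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.7"},
]

RC4_HMAC = "0x17"


def _ts(ev):
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def is_roastable_request(ev):
    """A TGS request (4769) for a user service account with an RC4 ticket."""
    if ev["event_id"] != 4769 or ev["TicketEncryptionType"].lower() != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    # Machine accounts end in '$' and krbtgt is the TGT service; neither is a roast target.
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, min_distinct_services=3, window=timedelta(minutes=5)):
    """Return one alert per requesting user whose RC4 TGS requests cover at least
    `min_distinct_services` different service accounts inside a sliding `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until the oldest event is inside the window.
            while _ts(ev) - _ts(evs[start]) > window:
                start += 1
            in_window = evs[start:end + 1]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_distinct_services:
                alerts.append({
                    "user": user,
                    "source_ips": sorted({e["IpAddress"] for e in in_window}),
                    "services": services,
                    "first": _ts(in_window[0]),
                    "last": _ts(ev),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['user']} from {', '.join(a['source_ips'])} requested RC4 tickets for "
              f"{', '.join(a['services'])} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The sample flags jdoe (three RC4 tickets for three service accounts within a second) and ignores asmith's AES request and bjones's single RC4 ticket. The single-RC4 case is the caveat to keep in mind: legacy applications still request RC4 legitimately, so the distinct-service count and window are what separate a roast from noise, and both need tuning against your own baseline before the rule goes live in ELK.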
I have appeared of this course with a far better foundation on logging, discovery, and SIEM in addition to an understanding of exactly how a blue teamer would come close to detecting the TTPs I utilize on the red team side.
Challenge Labs
Again, true to form for OffSec, this is where the course shines brightest. There are 12 challenge labs, and just like OSCP, they are really where you cut your teeth. Each of them is an attack scenario focusing on different areas covered in the course (web, AD, Linux, network, etc.). You are tasked with detecting malicious activity in each phase of the attack and tracking the attacker's activity. They build in complexity until the last few, which are a closer version of the exam. This is where I built most of the skills from the course, and I'm glad I didn't get bogged down with some of the extra miles and other content in the course modules that weren't as valuable. Target these labs!
I documented everything in Obsidian (I enjoyed the "Obsidianite" theme), noting when the attack phases started, which ELK or OSQuery queries were used, and my final thoughts. This is similar to what happens in the exam. If you can successfully complete these challenges and you are comfortable with your methodology, you should be ready to go for the exam!
OffSec Academy (OSA)
I absolutely need to give a shout out to Gervin Appiah for his work on OffSec Academy! Gervin, you did an excellent job with this, and watching you really helped me sharpen my skills and get familiar with ELK.
OffSec provides recorded sessions ("OSA – SOC-200") in their LMS that you can reference, where they walk through some of the challenges. I did several of these and really felt they should be part of the course. Gervin rocks it!
I would recommend giving the challenges an attempt, and then watching the related OSA video for anything you missed. This will help you get the most out of the content.
The Exam
I can't say much, but I really loved the exam. I felt the difficulty level was just right for the course, and it was engaging throughout. I had a few head-scratcher moments, but overall it wasn't unreasonably difficult. I started on Wednesday around 8:45 AM and worked (with a few sanity breaks) until 5 PM, when I took a long break until about midnight. I had a good feeling when I stopped that I could pass the exam. I worked from midnight until around 6:30 AM the next day, when I called it. I took a couple of hours of rest and then finished up my report and submitted it around noon on Thursday. I heard back on Sunday morning that I passed!
I recommend clearly marking where you start each phase, and don't be afraid to move on to the next phase if you're a bit stumped. You can always come back to the time period of the phase you're stuck on. It might help you parse through a previous phase by looking at what the attacker does down the line. I actually put all my notes directly in the final report, reporting as I went. This saves a lot of time when you're tired from the exam and have to wrap up and submit the report. That's pretty much all I can say, though!
Conclusion
Overall, another great course from OffSec. This is great for anyone with IT experience looking to pivot to security, a SOC or threat analyst looking to boost their skills, and of course red teamers and pentesters looking to get a better feel for how their actions are seen by the blue team. Good luck!