I recently passed the Offensive Security Defense Analyst (OSDA) exam. This is OffSec’s first and only course for defensive security, and it is aimed at SOC analysts and threat hunters.
The Course
At the time of writing, the SOC-200: Foundational Security Operations and Defensive Analysis course is composed of 19 modules including the labs. The course is heavily weighted towards Windows, with six modules on identifying attacks against Windows systems and an additional two modules on Active Directory. There are only two modules on identifying attacks against Linux systems and none for macOS. In addition, there are modules on Network Detections, Antivirus Alerts and Evasion (again Windows) and Network Evasion and Tunnelling.
The modules all have a similar structure: each module provides an introduction to the topic, then details anywhere from five to fifteen attack methods grouped into categories, and then shows you where and how to identify those attacks in the logs. For example, the Windows Server Side Attacks module is divided into three categories, Credential Abuse, Web Application Attacks and Binary Exploitation, and within each of those categories there are multiple attack methods; Web Application Attacks provides an overview of IIS and then details Local File Inclusion, Command Injection and File Upload attacks. As with other OffSec courses, the explanations of the attacks are very good, and I found the videos to be a good way to consolidate my knowledge at the end of each module. The level of detail was more than sufficient to understand and identify the attacks within the exam. That said, anyone coming to this after passing the OSCP will find the course material very familiar and should not expect to learn a huge amount of new information. The exceptions to this are the Windows Persistence and Antivirus Alerts and Evasion modules, which both greatly expanded upon what I had learned in PEN-200.
I read all of the course material and watched all of the videos at least once, but I didn’t complete any of the labs or Extra Miles in the first 16 modules. I didn’t complete any of these labs because they mostly focus on using PowerShell to query the logs, which in my opinion is a huge waste of time and effort. The ELK SIEM is introduced in modules 17 and 18, and this is where I focused a lot of my attention because I use a different SIEM at work and I was not familiar with Kibana Query Language. I am going to say it now, because it’s worth saying: Kibana Query Language is terrible, it lacks so many of the functions that the other, better query languages have. The ELK SIEM itself, however, is good; it has a nice UI and an accessible time chart that provides an easy way to narrow down your search window. That said, only being able to display the first 500 results for a search query was very frustrating, but it did force me to iteratively refine my searches. I also found the introduction and use of osquery to be beneficial, and I used it both in the Challenge Labs and on the exam. For those of you who are unfamiliar with osquery, it is an agent-based utility that allows you to query for and retrieve system information from numerous endpoints simultaneously. It is particularly useful for retrieving information about listening ports and network connections. It has recently been added to the CrowdStrike platform as part of the IT Module.
Challenge Labs
I spent around 3 weeks completing all of the Challenge Labs around full-time work. The Challenge Labs are exceptionally good and they made the course feel like a worthwhile use of my time. There are 13 labs that consist of 3-8 phases each, and on average it took me 1 hour to complete each phase. The labs feature the majority of the attacks covered in the course, and I thought that the tactics and techniques used were realistic when compared with what I’ve seen at work in the SOC. When you start a phase, it triggers a scripted attack that takes no more than 10 minutes to complete, so it is advisable to note down the time when triggering a phase, wait 10 minutes, and then time-bound your searches to that 10-minute window. I would also advise trying to complete the phases for each lab in one session, because I found that replaying the phases without waiting the allotted amount of time led to confusion and attacker actions occurring in the wrong order.
When going through the labs, try to treat every lab like a mock exam, because these labs are your only opportunity to practice. This exam isn’t like the OSCP, where you get 50 machines in the labs and over 100 more in Proving Grounds; there are no other labs like this for you to practice on. Take comprehensive notes and screenshots and turn every set of notes into a mock report. As with the OSCP, I used GitBook for all of my course and lab notes, as I prefer having my notes accessible online.
The Exam
The exam is a 23 hour and 45 minute proctored exam, and it consists of a simulated corporate environment, including a SIEM with endpoint integration. The exam is divided into 10 phases, and each phase contains a number of attacker actions that must be detected, understood and documented. As with other OffSec exams, a further 24 hours is allotted to complete and submit your report.
I booked my exam to start at 1200hrs and, based on my experience in the labs, I assumed that each phase would take 1 hour to complete. This assumption was correct and I finished at around 2230hrs, having taken a 30 minute break after Phase 5. Whilst going through the phases I made comprehensive notes and took screenshots of everything I did. I got a full night’s sleep and awoke at around 0700hrs to start my report; this took around 3 hours, and by 1000hrs I had submitted my final report. There were no surprises in the exam and you can definitely pass using only the material provided in the course.
Closing Thoughts
The SOC-200 course and OSDA exam are really good for aspiring and junior SOC analysts, particularly those that use the ELK stack as their SIEM. The course taught all of the attacks very well and would be sufficient to pass the exam for those who haven’t engaged in any penetration testing or done any other 200 level OffSec courses previously. There is a sizeable amount of assumed knowledge, but completing all of the free 100 level courses contained within Learn One would provide the knowledge necessary to understand the course material. My only criticism of the course is that ELK isn’t introduced until Module 17; prior to that you manually retrieve information from the logs using PowerShell, which is something that you would rarely, if ever, do in a real enterprise. ELK should be used from the start, and it would give students time to learn the syntax of Kibana Query Language. That said, I enjoyed the course, especially the Challenge Labs, and I would recommend that people take this course. I hope it is given further investment and development from OffSec, and I would like to see it become the de facto standard for blue team certifications like the OSCP has become for penetration testing. I also hope they make a SOC-300 course, which I would definitely take.