So you want to be a SOC Analyst? Intro
A blog series for someone wanting to get a start as a SOC Analyst
Over the years, I’ve had the fortune of mentoring many up-and-comers trying to get a foothold in the information security space. One of the most common questions I am asked is, “What should I do to improve my chances of landing an entry-level SOC analyst job?”
My answer to that question has changed over the years as technology and methodology have evolved. Back in the earlier days, when we walked uphill both ways to the SOC, I would’ve recommended a complex (but very rewarding) process of spinning up a mid-size virtual machine environment complete with a small firewall (pfSense), a router (VyOS), one or two Windows hosts, an attack box (Kali, etc.), network monitoring (Arkime/Suricata), and most importantly a log aggregation tool (Graylog or ELK/OpenSearch). Once those systems were up and running, then begins the adventure of deploying agents (Sysmon, Beats) to generate and ship telemetry to the logging tool. Only then does it make sense to start practicing basic attacks against the Windows hosts in order to observe the telemetry and begin “detecting” threats. Just the lab build alone was a many-hour endeavor—it’s a long road before you’re actually doing SOC analyst stuff.
I was (and still am) a big fan of this approach because not only is it how I got my own start (which eventually led to the creation of OpenSOC), but also because there is so much indirect learning that takes place while trying to deploy and configure these systems, routers, and firewalls, as well as fun side-quests like troubleshooting log parsers, tuning Sysmon, configuring audit policies, etc. etc. For these reasons and more, I still recommend this approach to anyone lacking general IT knowledge because it will help you gain the knowledge needed to be a good security practitioner. If this approach sounds like something that would be beneficial to you, there are plenty of resources across the web to help you set up a test lab for defensive research. A book I have heard great things about is “Building Virtual Machine Labs: A Hands-On Guide” by Tony Robinson, and you should absolutely check out Jeff McJunkin’s guide on Building Your Own Kickass Home Lab.
That said, technology has evolved drastically since those days and my new approach to “quickly getting up to speed for SOC work” has evolved as well. This series will focus on the new approach I recommend to up-and-comers.
Let me also clarify that I am not saying “this is all you need” — a strong working knowledge of general IT and some strong entry-level training (such as Antisyphon, Applied Network Defense, or SANS) is a huge plus as well. However, I will say as a hiring manager and infosec startup founder, the direct and indirect skills you will gain with this approach are the ones I am personally looking for in a candidate, above and beyond what letters you put after your name. If you want to know more about what I (and many others) are looking for in a SOC analyst candidate, check out this interview I did with Gerry Auger on his “Simply Cyber” webcast: “Everything Security Operations Analyst Entry Level.”
So how do I get started with this new approach?
Glad you asked! It’s an approach I would’ve loved to have when I was getting started, but keep in mind, it’s a fast-track to the juicy SOC analyst stuff while also skipping over some of the things you may still need experience with (see above).
In the next few posts of this series, I’ll provide a guide that anyone can follow, starting from nothing but a computer and without needing to spend a dime. While my new approach does leverage a commercial offering (LimaCharlie), you’ll find that 1) it will save you a heap of time getting straight to the good stuff, 2) it won’t cost you anything for this level of use, and 3) the approach and methodology you’ll learn from it are universally applicable to any other detection tooling you’ll encounter. You may just come to realize it’s one of the best kept (or lesser known) secrets in the industry — you’ll get to see for yourself soon enough.
Note: If you’d like to skip most of the setup or can’t run a VM on your system, check out So you want to be a SOC Analyst? 2.0 which features a fully cloud-hosted version of the VM, requiring only a remote desktop client to get through this lab series!
Part 1 - Set up a small virtualization environment (2 small VMs)
Part 2 - Put on your adversary hat, it's time to make (and observe) some noise
Part 3 - Emulating an adversary for crafting detections
Part 4 - Blocking an attack
Part 5 - Tuning false positives
Part 6 - Trigger YARA scans with a detection rule
Update, again! Gerry and I did a joint video together where we go through his walk-through video, but with commentary.