SOC-200 OSDA Review - Offensive Security Defense Analyst

Overview

This past week, I passed the Offensive Security Defense Analyst (OSDA) certification exam. True to form for OffSec, this was another practical 24-hour exam following the SOC-200 "Security Operations and Defensive Analysis" course. Bottom line: I think this is a fantastic foundational blue team certification that ensures students can identify, understand, track, and document attackers' TTPs through a SIEM.

I would highly recommend this course for anyone who is interested in maturing in or pursuing a role in blue team operations. It is also fantastic for red teamers looking to understand detection strategies. If I were leading a blue team, I would push for analysts to pursue a practical cert such as OSDA. It covers attacker TTPs, logging & monitoring concepts, and detecting attacks for web, AD, Windows & Linux. All of these topics are taught at a foundational level, and then this foundation is built on with modules covering ELK SIEM to rope it all together.

I did not feel this was as challenging as other OffSec courses, but this was the fifth OffSec exam I have attempted after I had been working on 300-level courses. If you're newer to security and this is your first security cert because you are looking to get hired on a SOC, YMMV. That being said, I think this is a fantastic entry-level cert for someone who's looking to pivot into security!

Course Content

SOC-200 is an introductory course that covers: attacker methodology, Windows endpoint logging & attacks (including Sysmon), Linux endpoint logging & attacks, network attacks, AV evasion, and of course Active Directory topics such as enumeration, lateral movement, and persistence.

I very much appreciated the foundational knowledge they built on. Knowing the different log sources and understanding how they are analyzed was a key strength. One note, however, is that I felt it got a bit repetitive with looking at an attack, checking the logs manually via e.g., PowerShell or Event Viewer, and then moving on to the next one. This process is repeated for most of the course until the end when the topics are aggregated in the ELK modules.

One major con of this approach (in my opinion) is that too much time was spent using painful PowerShell queries to look through logs when in the real world I'd be looking at a SIEM. I didn't want to waste my study time building PS functions to sift through logs when in the end I'd just be looking at ELK. I had the same concern with the non-Windows sections as well. Some extra miles revolved around crafting Python scripts to comb through e.g., Linux logs for suspicious behavior. It seemed more to be Python exercises in parsing logs rather than challenges to sharpen my skills for the exam (...and real life). I skipped many of the extra miles because I didn't think they were as necessary for this reason. My main feedback to OffSec would be to revamp some of these exercises and extra miles so they focus more on real-world and exam-relevant skills and move parsing logs to the 100-level content.

That being said, the content was very solid. I loved how they scripted out attacker TTPs and ran them in real time so that you could view the footprint left behind. The web attacks portion was great, although I wish it had covered more attacks. But the concepts taught can be built upon for things not covered in the content. The last few modules related to AD were really great, covering attacks such as Kerberoasting, pass-the-ticket, pass-the-hash, and much more. Finally, the course did well covering ELK SIEM and these sections were extremely helpful for me.
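As an added illustration of the kind of AD detection the modules above teach (this is example code written for this review page, not the course's own material or any tool it ships), here is a small Python check for the common Kerberoasting heuristic: a successful TGS request (Security event 4769) for a user service account where the ticket encryption type is RC4-HMAC (0x17), with one requester pulling such tickets for several services. The event records are constructed inline, using the EventData field names of event 4769; the user names, service names and IPs are made up.

```python
"""Kerberoasting indicator check over Windows Security event 4769 records.

Added example; not code from the SOC-200 course or from this article.
Heuristic (widely used, not specific to the course): a successful TGS
request (event 4769, Status 0x0) for a user service account, i.e. not
krbtgt and not a machine account ending in '$', where the ticket encryption
type is RC4-HMAC (0x17). Roasting tools request RC4 because those hashes
crack far faster than AES, and one requester pulling RC4 tickets for
several services in a short window is the classic footprint.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
KERBEROS_TGS_REQUEST = 4769

# Constructed sample records using the EventData field names of event 4769.
# In a SIEM these would arrive via winlogbeat/ELK; here they are inline so
# the script runs offline. Accounts, services and IPs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    # Normal AES ticket for a machine account: not a candidate.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.40", "Status": "0x0"},
    # RC4 ticket for krbtgt: excluded, it is not a roastable service account.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.40", "Status": "0x0"},
    # TGT request (4768), wrong event ID: ignored.
    {"EventID": 4768, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # Single RC4 request that failed (non-zero Status): not counted.
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x1b"},
]


def is_roast_candidate(event):
    """True if a single 4769 record matches the RC4 service-ticket heuristic."""
    if event.get("EventID") != KERBEROS_TGS_REQUEST:
        return False
    if event.get("Status", "").lower() != "0x0":
        return False
    service = event.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return event.get("TicketEncryptionType", "").lower() == RC4_HMAC


def roasting_requesters(events, threshold=3):
    """Group candidate tickets by requesting account and return the accounts
    that hit `threshold` or more distinct services, as {user: sorted services}."""
    services_by_user = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            services_by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in services_by_user.items()
            if len(svcs) >= threshold}


if __name__ == "__main__":
    for user, svcs in roasting_requesters(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(svcs)}")
```

Two caveats a practitioner would tune for: RC4 tickets also appear legitimately where a service account has no AES keys configured, so the threshold and an allow-list matter more than the single-event match, and an attacker who requests AES tickets (Rubeus supports this) will not trip the encryption-type check at all, which is why the count of distinct services per requester is the more durable signal.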

I have come out of this course with a much better foundation on logging, detection, and SIEM as well as an understanding of how a blue teamer would approach detecting the TTPs I use on the red team side.

Challenge Labs

Again, true to form for OffSec, this is where the course shines brightest. There are 12 challenge labs, and just like OSCP, they are really where you cut your teeth. Each of them is an attack scenario focusing on a different area covered in the course (web, AD, Linux, network, etc.). You are tasked with detecting malicious activity in each phase of the attack and tracking the attacker's activity. They build in complexity until the last few, which are a closer model of the exam. This is where I built most of the skill set from the course, and I'm glad I didn't get bogged down with some of the extra miles and other content in the course modules that weren't as pertinent. Target these labs!

I documented everything in Obsidian (I loved the "Obsidianite" theme), marking down when the attack phases started, which ELK or osquery queries were used, and my conclusions. This is similar to what goes on in the exam. If you can successfully complete these challenges and you are comfortable with your approach, you should be ready to go for the exam!

OffSec Academy (OSA)

I absolutely have to give a shout-out to Gervin Appiah for his work on OffSec Academy! Gervin, you did an exceptional job with this, and watching you really helped me sharpen my skills and get familiar with ELK.

OffSec provides recorded sessions "OSA - SOC - 200" in their LMS you can reference where they go over some of the challenges. I did several of these and really felt it should be part of the course. Gervin rocks it!

I would recommend giving the challenges an attempt, and THEN watching the related OSA video for anything you missed. This will help you get the most out of the content.

The Exam

I can't say much, but I actually loved the exam. I felt the difficulty level was just right for the course, and it was engaging throughout. I had a few head-scratcher moments, but overall it wasn't unreasonably difficult. I started on Wednesday around 8:45AM and worked (with a few sanity breaks) until 5PM when I took a long break until about midnight. I had a good feeling when I stopped that I could pass the exam. I worked from midnight until around 6:30AM the next day when I called it. I took a few hours of rest and then wrapped up my report and submitted midday on Thursday. I heard back on Sunday morning that I passed!

I recommend clearly marking where you begin each phase, and don't be afraid to move on to the next phase if you're a bit stumped. You can always come back to the time period of the phase you're stuck on. It may help you parse through a previous phase by looking at what the attacker does down the line. I actually put all my notes directly in the final document, reporting as I went. This saves so much time when you're exhausted from the exam and have to wrap up and submit the report. That's pretty much all I can say, though!

Conclusion

Overall, another great course from OffSec. This is great for anyone with IT experience looking to pivot to security, a SOC or threat analyst looking to bolster skills, and of course red teamers and pentesters looking to get a better feel for how their activities are seen by the blue team. Good luck!

Sean Carnegie

Technician at Government of Canada

1mo

Thank you for the review. Having a bit clearer of a picture of what to expect come exam time is valuable.

Israel Colima

Passionate about Cybersecurity

5mo

I didn't take the challenge labs but understand how the ELK SIEM tool... works. Should I be concerned? I have the exam on Saturday.

Riki Arista

CyberSecurity Learner

9mo

Hi Jake. Is there an alert that appears in the SIEM for every attack phase?

Sherrez Kader

SOC Analyst at DBS Bank | OSDA

1y

Hi Jake, was any explicit Python programming needed during the exam, or is it mostly using Elastic for IR investigations?
