Train smarter, respond faster: Close the skill gaps in your SOC

“In today’s fast-paced digital landscape” – as AI chatbots are fond of phrasing it – a cyber attack targeting your organization is a statistical certainty.

But is your security team ready to respond when it happens? Can they confidently determine what happened, and how? If the answer is “no” or “I’m not sure,” then TryHackMe is the workforce upskilling solution you didn’t know you needed.

What is TryHackMe?

TryHackMe is an interactive cybersecurity training platform that helps individuals and businesses build real-world skills through gamified lessons, hands-on labs, and practical challenges. Trusted by organizations to close workforce skill gaps, it empowers teams to strengthen their capabilities and elevate their overall security posture.

The platform is structured around learning paths, which can help users start or advance their specific cybersecurity career.

“For example, we have a path for becoming a SOC Level 1 analyst, one for developing into a SOC Level 2 analyst, and now we have launched the most advanced path for this career: Advanced Endpoint Investigations,” says Maksym, one of the platform’s Senior Content Engineers.

Each learning path is divided into modules, and each module consists of rooms (individual challenges). To go through them, you don’t have to set up a lab: you only need an account and a browser, and the platform provides the virtual environments for all of it.

Maksym himself is a testament to TryHackMe’s ease of use and effectiveness, as he kick-started and progressed his own career with it.

“The platform is educational (but not theory-heavy), highly practical and engaging,” he told us. “Most of the learning and training scenarios are inspired by attacks that have happened and are still happening, and the challenges are ‘gamified’ to make them extra fun.”

Advanced Endpoint Investigations

Maksym honed his SOC and forensics skills when working at a managed security services provider.

At TryHackMe, he used this experience to help refine a learning path for senior SOC analysts seeking to transition into senior IR or threat-hunting roles, and for experienced incident responders needing to build their skills in capturing, analyzing and tracing artifacts – whether they are on a Windows or Linux endpoint, a phone or a disk image, or in a system’s memory.

“SIEMs may surface alerts, and EDRs can highlight suspicious behavior, but they don’t always tell the full story,” he noted. “But you still need to investigate a compromise and find evidence, and for that you need practical forensic skills and hands-on experience that will allow you to pivot between different operating systems.”

The recently launched Advanced Endpoint Investigations learning path includes seven modules:

1. File System Analysis: Teaches users about disk partitioning schemes (MBR, GPT), file systems (FAT32, NTFS, EXT), and file carving, i.e., extracting files from raw disk data without relying on file system metadata.

2. Linux Endpoint Investigation: Dives into live analysis, process analysis, and log investigations.

3. Windows Endpoint Investigation: Different Windows components store information that can be useful during a digital investigation. This module teaches how to find attackers’ footprints in the registry, user accounts, network activity, etc.

4. macOS Forensics: Teaches how to discover and retrace user activity across different types of logs and application artifacts.

5. Mobile Analysis: Trains users to acquire and preserve mobile evidence, understand the structure of Android and iOS file systems and architecture, and identify valuable artifacts (e.g., messages, location data).

6. Memory Analysis: Some threats are confined to the system’s volatile memory, and you need to know how to capture it, analyze it, and extract helpful information from it.

7. Disk Image Analysis: Sometimes, the only evidence pointing to a successful attack can be found on a “cold” system. This module teaches how to make an image of a system’s disk and how to sift through it for clues.
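To make the first module’s topics concrete, here is an added example (written for this article, not TryHackMe course material or part of any TryHackMe room) that does two of the things the module teaches: it parses the four partition entries of a classic MBR, and it carves files out of raw bytes by header/footer signature, ignoring the file system entirely. The disk image is constructed inline (a 2 KB image with one NTFS-typed partition and a small fake JPEG planted at an unaligned offset); all function names are the example’s own.

```python
import struct
from dataclasses import dataclass

SECTOR = 512  # classic MBR assumes 512-byte sectors


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int     # e.g. 0x07 = NTFS/exFAT, 0x83 = Linux, 0xEE = GPT protective
    lba_start: int   # first sector of the partition
    sectors: int     # length in sectors


@dataclass
class CarvedFile:
    kind: str
    start: int       # byte offset in the image
    end: int         # byte offset one past the last byte
    data: bytes


def parse_mbr(image: bytes) -> list[Partition]:
    """Parse the partition table at offset 446 of an MBR (4 entries x 16 bytes)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", image, 446 + 16 * i)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


# header / footer signatures; real carvers (e.g. scalpel, foremost) use many more
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, max_size: int = 10_000_000) -> list[CarvedFile]:
    """Signature-based carving: scan the raw bytes for known headers and the
    matching footer, without consulting any partition or file system structure.
    Caveat: this recovers only contiguous files and can produce false positives
    when the byte pattern occurs inside other data."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)   # header with no footer in range
                continue
            end += len(footer)
            found.append(CarvedFile(kind, pos, end, image[pos:end]))
            pos = image.find(header, end)
    return found


def build_sample_image() -> bytes:
    """Constructed test image: MBR + 3 data sectors with a fake JPEG planted
    mid-sector, where no file system metadata points at it."""
    mbr = bytearray(SECTOR)
    # entry 0: bootable, type 0x07 (NTFS), starts at LBA 1, 3 sectors long
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 1, 3)
    mbr[510:512] = b"\x55\xaa"
    body = bytearray(SECTOR * 3)
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
    body[600:600 + len(fake_jpeg)] = fake_jpeg   # byte 1112 of the image
    return bytes(mbr + body)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img):
        print(f"partition {p.index}: type=0x{p.type_id:02x} boot={p.bootable} "
              f"lba={p.lba_start} sectors={p.sectors}")
    for f in carve(img):
        print(f"carved {f.kind}: offset {f.start}-{f.end} ({len(f.data)} bytes)")
```

Running it reports one NTFS-typed partition and one carved JPEG at byte offset 1112, inside the partition but not aligned to any sector boundary. Swapping the constructed image for a real `dd` output (`open(path, "rb").read()`) is the only change needed to run the same logic on an acquired disk; for anything large you would read in chunks and keep overlap across chunk boundaries so a signature that straddles two reads is not missed.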

While going through the modules, users learn to use popular forensic tools such as Autopsy, Volatility, EZ Tools, mac_apt, and many others.

“Each module has engaging, realistic scenarios. For example, in the macOS module, we have the ‘fake LinkedIn job interview’ attack. In the Windows module, we explain a number of different recent APT attacks,” Maksym told us.

“In the ‘Logless Hunt’ room we explain how defenders can find and use unique artifacts in cases where the threat actor removed all security logs from the system. In the Memory Analysis module, we explain how to detect in-memory C2 and how to detect different lateral movement and privilege escalation techniques solely via memory forensics. In the Disk Image module, users learn how to detect activity by a malicious insider by analyzing the disk image taken from that employee’s desktop.”

A godsend for businesses and employees

When SOC tools fail or are bypassed, many security teams lack the skills to move beyond basic, surface-level triage into deep investigations and evidence acquisition: their expertise is limited to certain operating systems and they have had insufficient practice in disk and memory analysis.

Incident containment and response is thus delayed and, inevitably, third-party experts have to be called in.

This learning path lets your team practice in structured labs that simulate incident response on real-world challenges and work through tool-guided workflows that raise their readiness and confidence, all in a consequence-free environment.

And your organization will have a well-rehearsed team of junior analysts that have been upskilled without unduly burdening your senior staff, and well-rounded incident responders and threat hunters who can grow into leadership positions.

TryHackMe is all about making cybersecurity training easy, enjoyable, and practical, and learning paths and content can be customized to fit organizations’ specific needs.

TryHackMe can be used for continuous training of all staff, including new employees. The content of each learning path is continuously updated to keep pace with real-world developments (e.g., new attack variants). Sometimes entire rooms are replaced with newer ones – for example, when a software tool used in them is no longer relevant – though the “older” room is still available to learners if they want to go through it.

The platform is also community-driven. “The community provides us with feedback to improve the rooms we have developed and published,” Maksym noted.

“And while most of the rooms are created by TryHackMe, community members can generate new rooms themselves, either for their own private use or to be used and enjoyed by others. We also have a great number of write-ups as well as community channels where you can discuss your progress so you can recognize your mistakes and do better.”

Acquiring cybersecurity skills, it seems, has never been easier.
