

You need to know more than just a little about Linux #2 - Blue Team perspective

- By Leszek Miś

This is the second short post about the Linux security skills a Blue Team/SOC/DFIR analyst needs, again written as a list of questions. Together, the three posts in this series give a full picture of the hands-on skills and experience you can gain with PurpleLabs.

Every Blue Teamer/SOC/DFIR analyst needs to know more than just a little about Linux, so if you have always wanted to know, for example:

  • how to analyze /proc?
  • how to trace process injection and in-memory execution?
  • how SELinux or another LSM can help mitigate remote exploitation and provide early alerting?
  • what control flow integrity checking is and how to use LKRG?
  • how to use runtime security tools in container/Kubernetes environments?
  • how to detect hooked functions?
  • how to detect hidden kernel modules and hidden network connections?
  • how to track parent-child process relations?
  • how to YARA-scan your Linux boxes at scale?
  • how to use different SIEM engines and how to find the hunting context?
  • how to run memory forensics?
  • why Sysmon/Falco telemetry works great with Zeek, Suricata, and Arkime (Moloch)?
  • how to catch Sliver and other C2 frameworks?
  • how to learn from the detection logic of Linux Sigma rules?
  • why defense in depth and offense in depth are important?

then you have come to the right place. Grow your skills with PurpleLabs!
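To make the first three questions above concrete (analyzing /proc, spotting in-memory execution, and tracking parent-child relations), here is a small added example. It is not PurpleLabs code or course material; it is an illustration written for this post. It reads `/proc/<pid>/status` and the `/proc/<pid>/exe` symlink, rebuilds the ancestry chain of each process, and flags two things: executables that live only in memory (an `exe` link pointing at `/memfd:...` or ending in `(deleted)`) and processes whose `PPid` refers to a pid that does not appear in the `/proc` directory listing, which is what a readdir-filtering rootkit leaves behind. The `SAMPLE` process list is constructed, not captured from a real host.

```python
"""Walk /proc, rebuild parent-child relations, flag in-memory execution.

Added example for this post, not PurpleLabs code. The pure functions
(parse_status, ancestry, find_in_memory_execs, find_hidden_parents) work on
Proc records, so they can be exercised on the constructed SAMPLE below
without root or a live /proc; read_procfs() collects the same records live.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    exe: str  # target of /proc/<pid>/exe, "" if unreadable (kernel thread, no ptrace access)


def parse_status(text: str) -> dict:
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_procfs(root: str = "/proc") -> list:
    """Snapshot every numeric entry of /proc into Proc records (live host)."""
    procs = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{root}/{pid}/status") as fh:
                st = parse_status(fh.read())
        except OSError:
            continue  # process exited between listdir() and open()
        try:
            exe = os.readlink(f"{root}/{pid}/exe")
        except OSError:
            exe = ""  # kernel threads have no exe; other pids need ptrace access
        procs.append(Proc(pid, int(st.get("PPid", "0")), st.get("Name", "?"), exe))
    return procs


def ancestry(procs: list, pid: int) -> str:
    """Return 'child(pid) <- parent(pid) <- ...' up to the root of the tree."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against a corrupt cycle
        seen.add(pid)
        p = by_pid[pid]
        chain.append(f"{p.name}({p.pid})")
        pid = p.ppid
    return " <- ".join(chain)


MEMFD = re.compile(r"^/memfd:")


def find_in_memory_execs(procs: list) -> list:
    """Flag pids whose executable is a memfd or was unlinked after exec."""
    findings = []
    for p in procs:
        if MEMFD.match(p.exe) or p.exe.endswith(" (deleted)"):
            findings.append((p.pid, p.exe, ancestry(procs, p.pid)))
    return findings


def find_hidden_parents(procs: list) -> list:
    """Flag pids whose PPid is not in the listing: the parent is hidden from readdir."""
    by_pid = {p.pid for p in procs}
    return [(p.pid, p.ppid) for p in procs if p.ppid != 0 and p.ppid not in by_pid]


# Constructed sample (not from a real host): an sshd session whose shell ran a
# memfd_create()+execveat() payload, a daemon whose binary was unlinked on disk,
# and a shell whose parent pid 1999 is missing from the listing.
SAMPLE = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd"),
    Proc(2, 0, "kthreadd", ""),
    Proc(820, 1, "sshd", "/usr/sbin/sshd"),
    Proc(1432, 820, "bash", "/usr/bin/bash"),
    Proc(1501, 1432, "3", "/memfd:x (deleted)"),
    Proc(1600, 1, "cron", "/usr/sbin/cron (deleted)"),
    Proc(2200, 1999, "sh", "/usr/bin/dash"),
]

if __name__ == "__main__":
    live = read_procfs()
    for pid, exe, chain in find_in_memory_execs(live):
        print(f"in-memory exe pid={pid} exe={exe!r}\n    {chain}")
    for pid, ppid in find_hidden_parents(live):
        print(f"pid={pid} has parent {ppid} that is absent from /proc listing")
```

Two caveats a practitioner should keep in mind. A `(deleted)` exe is also what you see after a package upgrade replaced the binary on disk, so treat that rule as a lead, not a verdict; the memfd form is the stronger signal. And the hidden-parent check is subject to a race if a parent forks after the directory listing was taken, so rerun before escalating. Reading `exe` for processes you do not own needs root (or `CAP_SYS_PTRACE`).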

Join the PurpleLabs Linux Attack and Live Forensics course and get real purple teaming experience that will greatly expand your general Linux knowledge and hands-on cyber security skills.