Soc L1

The document provides a comprehensive overview of cybersecurity concepts, including information security fundamentals, risk management, access control models, and cryptography. It also covers cloud security, the shared responsibility model, and the structure and roles within a Security Operations Center (SOC). Additionally, it discusses network security basics and the importance of firewalls in protecting data integrity and confidentiality.

Uploaded by abubaker0000123

Cybersecurity is critical in today’s digital world.

This book takes

Patch to SOC
A Complete guide

ABUBAKAR-SOC
Information Security Fundamentals
Definition:
Information Security (often called “InfoSec”) is the practice of protecting information—whether it is stored, processed, or transmitted—from unauthorized access, disclosure, alteration, and destruction. It ensures that data remains safe and trustworthy no matter where it lives: on a computer, in the cloud, or even on paper.

Real-World Example:
Imagine a hospital’s patient database. If a hacker steals or alters medical records, it could harm patients’ treatment. By applying information security—like encryption, access controls, and regular monitoring—the hospital ensures that only doctors and authorized staff can access the right patient records, and no outsider can tamper with them.

Risk, Threats, and Vulnerabilities

Definition:

• Risk: The potential for loss or damage when a threat exploits a vulnerability.
• Threat: Anything that can cause harm (hackers, malware, natural disasters, or even careless employees).
• Vulnerability: A weakness in a system that could be exploited (outdated software, weak passwords, or misconfigured servers).

Real-World Example:
Think of a house:

• A vulnerability might be an unlocked door.
• A threat could be a burglar passing by.
• The risk is the possibility that the burglar actually enters the house and steals valuables.

In cybersecurity, outdated software (vulnerability) can be attacked by malware (threat), which leads to a data breach (risk).

Security Policies, Standards, and Procedures

Definition:

• Policy: High-level rules that guide security (e.g., “All employees must use strong passwords”).
• Standard: Specific requirements to support policies (e.g., “Passwords must be at least 12 characters long”).
• Procedure: Step-by-step instructions on how to follow the standards (e.g., “How to reset your password when forgotten”).

Real-World Example:
In an office:

• A policy might say, “The office must remain secure after hours.”
• A standard would be, “Doors should be locked by 9 PM, and CCTV must remain active.”
• A procedure would explain how the security guard should check and lock each door every night.

In cybersecurity, these three levels work together to ensure organizations remain safe and compliant.

Access Control Models (DAC, MAC, RBAC, ABAC)

Definition:

• DAC (Discretionary Access Control): Owners decide who can access their resources.
• MAC (Mandatory Access Control): Access is decided by strict policies, often used in government/military.
• RBAC (Role-Based Access Control): Access depends on a user’s role (e.g., “Manager” vs “Intern”).
• ABAC (Attribute-Based Access Control): Access depends on multiple conditions (time, location, device, etc.).

Real-World Example:

• DAC: You own a Google Doc and choose who to share it with.
• MAC: Classified government files—only those with top-secret clearance can access them.
• RBAC: In a company, HR staff can access employee records, but engineers cannot.
• ABAC: You can access your bank account only if you log in from your registered device and location.

Authentication, Authorization, and Accounting (AAA)

Definition:

• Authentication → Verifying who you are (proving your identity).
• Authorization → Deciding what you can access (your permissions).
• Accounting → Tracking what you did (logging and auditing your actions).

Real-World Example:
Think of logging into an online banking system:

• Authentication: You enter your username and password (maybe with an OTP for extra security). The system checks if you are really you.
• Authorization: Once logged in, you can see your account balance but cannot access the bank’s admin controls.
• Accounting: The system logs that you checked your balance at 10:30 AM from your device, so any suspicious activity can later be traced.
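The four access-control models from the previous section and the accounting leg of AAA, as an added example that is not part of this guide: a small Python policy engine that decides the guide’s own scenarios (a shared Google Doc, clearance levels, HR staff vs engineers, a bank login from a registered device and location) and writes an audit entry for every decision. All users, roles, labels, devices and the country code are constructed sample data.

```python
"""Added example (not part of this guide): a small policy engine covering
DAC, MAC, RBAC and ABAC on the guide's own scenarios, with an AAA-style
accounting log. All users, roles, labels and devices are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# DAC: the owner of a document decides who else may read it.
DOC_SHARES = {"q3-plan": {"owner": "bob", "shared_with": {"carol"}}}

# MAC: classification labels are ordered; clearance must dominate the label.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"dana": "top_secret", "eve": "confidential"}
FILE_LABEL = {"launch-plan": "top_secret", "memo": "confidential"}

# RBAC: permissions attach to roles, never directly to users.
ROLE_PERMISSIONS = {
    "hr": {("employee_records", "read"), ("employee_records", "write")},
    "engineer": {("source_code", "read"), ("source_code", "write")},
}

# ABAC: the guide's bank rule, keyed on a registered device and country
# (constructed sample attributes).
REGISTERED = {"alice": {"device": "laptop-7f3a", "country": "PK"}}


@dataclass
class Request:
    user: str
    kind: str            # "doc" -> DAC, "file" -> MAC, "bank_account" -> ABAC, else RBAC
    resource: str
    action: str = "read"
    roles: frozenset = frozenset()
    device: str = ""
    country: str = ""


@dataclass
class Accounting:
    """Append-only audit trail: the 'Accounting' leg of AAA."""
    entries: list = field(default_factory=list)

    def record(self, req, allowed, model):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "resource": req.resource,
            "action": req.action, "model": model, "allowed": allowed,
        })


def dac_allows(req):
    entry = DOC_SHARES.get(req.resource)
    return entry is not None and (
        req.user == entry["owner"] or req.user in entry["shared_with"])


def mac_allows(req):
    # Unknown subjects get the lowest clearance and unknown files the highest
    # label, so the comparison fails closed.
    subject = LEVELS[CLEARANCE.get(req.user, "public")]
    label = LEVELS[FILE_LABEL.get(req.resource, "top_secret")]
    return subject >= label


def rbac_allows(req):
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)


def abac_allows(req):
    reg = REGISTERED.get(req.user)
    return reg is not None and (
        req.device == reg["device"] and req.country == reg["country"])


MODELS = {"doc": ("DAC", dac_allows), "file": ("MAC", mac_allows),
          "bank_account": ("ABAC", abac_allows)}


def authorize(req, audit):
    """Pick the model by resource kind, decide, and always write an audit
    entry. Anything not explicitly allowed is denied (default deny)."""
    name, check = MODELS.get(req.kind, ("RBAC", rbac_allows))
    allowed = bool(check(req))
    audit.record(req, allowed, name)
    return allowed


if __name__ == "__main__":
    audit = Accounting()
    hr = frozenset({"hr"})
    eng = frozenset({"engineer"})
    print(authorize(Request("carol", "doc", "q3-plan"), audit))                    # True
    print(authorize(Request("eve", "file", "launch-plan"), audit))                 # False
    print(authorize(Request("hana", "rec", "employee_records", roles=hr), audit))  # True
    print(authorize(Request("eve", "rec", "employee_records", roles=eng), audit))  # False
    print(authorize(Request("alice", "bank_account", "acct-1",
                            device="laptop-7f3a", country="PK"), audit))           # True
    print(authorize(Request("alice", "bank_account", "acct-1",
                            device="phone-0001", country="PK"), audit))            # False
    for entry in audit.entries:
        print(entry)
```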

Identity & Access Management (IAM) Basics

Definition:
Identity & Access Management (IAM) is the framework of policies and tools that ensure the right people get the right access to the right resources at the right time.

Key Functions:

• Single Sign-On (SSO): One login gives access to multiple systems (like Google or Microsoft accounts).
• Multi-Factor Authentication (MFA): Adds extra steps (like an SMS code or a fingerprint).
• Provisioning & De-provisioning: Granting or removing access when employees join or leave.

Real-World Example:
In a corporate office:

• An employee logs in to their work account using SSO → they can access email, cloud storage, and internal apps without separate logins.
• If they leave the company, IAM ensures their access is revoked immediately so they cannot log in anymore.

History of Cryptography
Definition:
Cryptography is the science of protecting information so only the intended people can read it.

• Ancient times: People used simple techniques like the Caesar Cipher, where each letter was shifted by a fixed number (A → D, B → E, etc.).
• Modern times: Uses complex math and computers to secure digital data like emails, payments, and chats.

Real-World Example:
Julius Caesar used a shift cipher to send military orders that enemies couldn’t easily read. Today, WhatsApp uses end-to-end encryption so only you and the person you’re chatting with can read the messages.

Symmetric vs Asymmetric Encryption

Symmetric Encryption:

• Uses the same key to lock and unlock data.
• Fast but requires both sender and receiver to share the secret key securely.

Asymmetric Encryption:

• Uses two keys: a public key (shared with everyone) and a private key (kept secret).
• The public key locks the data; the private key unlocks it.

Real-World Example:

• Symmetric: When you set a Wi-Fi password, everyone connects using the same key → simple and fast.
• Asymmetric: When you shop online, your browser uses the website’s public key to encrypt your credit card info, but only the website’s private key can unlock it.

Hashing & Digital Signatures

Hashing:

• Converts data into a fixed-length string (called a hash).
• One-way function: You cannot reverse it back.
• Used for verifying data integrity.

Digital Signatures:

• A way to prove that a message really came from the sender and was not changed.
• Combines hashing + encryption.

Real-World Example:

• Hashing: When you download a file, the website gives you a hash (like a fingerprint). After the download, your computer generates the hash and compares it. If they match, the file arrived unaltered.
• Digital Signatures: When software like Windows updates is released, it is signed digitally. If hackers tamper with the update, the signature check fails.

PKI & Certificates

Definition:
Public Key Infrastructure (PKI) is the system that manages digital certificates and encryption keys.

• Certificates are like digital ID cards for websites, software, or people.
• They are issued by trusted organizations called Certificate Authorities (CAs).

Real-World Example:
When you visit https://www.google.com, your browser checks Google’s certificate. If it is valid and signed by a trusted CA, you see the padlock icon. This proves you are really talking to Google, not an imposter.

TLS/SSL, HTTPS in Action

Definition:

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that secure communication over the internet.
• HTTPS is simply HTTP running over SSL/TLS.

Real-World Example:
When you enter your credit card on Amazon:

1. Your browser and Amazon’s server create a secure encrypted channel using TLS.
2. Data is scrambled before transmission.
3. Hackers listening on the network cannot read it.

Common Cryptographic Attacks

1. Rainbow Tables: Precomputed lists of hashes used to crack weak passwords quickly.
  o Example: If your password is “123456”, hackers can instantly match its hash against a rainbow table entry.
2. Collision Attacks: When two different inputs produce the same hash.
  o Example: If two files create the same hash, an attacker could replace a safe file with a malicious one without detection.
3. Weak Ciphers: Using outdated algorithms like MD5 (a hash function) or DES (a cipher) makes the protection breakable.
  o Example: In 2012, LinkedIn passwords were stolen because they used unsalted MD5 hashing. Hackers cracked millions of them easily.

Part 2 – Core Information Security

1. Operating Systems Basics

• Definition: An operating system (OS) is software that manages computer hardware and provides services for applications. It acts as a bridge between users and machines.
• Real-world example: When you click an icon on Windows or type a command in Linux, the OS handles memory, CPU, and disk usage to run that program. Without it, your computer would just be raw hardware.

2. Windows Architecture & Security Concepts

• Definition: Windows uses layers like the Kernel (core system), User Mode, and Security Subsystems to manage processes, memory, and permissions. Built-in features like User Account Control (UAC) and Windows Defender protect the system.
• Real-world example: When you try to install new software, Windows asks for admin permission (UAC). This prevents malicious apps from sneaking into the system.

3. Linux Basics for Security Professionals

• Definition: Linux is an open-source OS widely used in servers and security tools. It provides strong command-line utilities for monitoring, permissions, and system control.
• Real-world example: A SOC analyst might use Linux tools like tcpdump or nmap to investigate network traffic or scan systems for vulnerabilities.

4. File Systems & Permissions

• Definition: A file system organizes how data is stored and accessed. Permissions (Read, Write, Execute) control who can do what with files.
• Real-world example: On Linux, a log file may allow only admins to write to it while ordinary users can only read it. This prevents unauthorized tampering with sensitive records.

5. System Hardening Techniques

• Definition: Hardening means reducing the attack surface by disabling unnecessary services, applying patches, using firewalls, and enforcing strong authentication.
• Real-world example: In a corporate network, disabling unused ports and removing default admin accounts can prevent hackers from exploiting weak points.

6. Cryptography
a) History of Cryptography

• Definition: Cryptography is the practice of securing information by transforming it into unreadable formats. Ancient ciphers (like the Caesar cipher) evolved into modern digital encryption.
• Real-world example: During World War II, the Germans used the Enigma machine. Breaking it gave the Allies a massive advantage.

b) Symmetric vs. Asymmetric Encryption

• Symmetric: The same key is used to lock and unlock data. (Fast but requires secure key sharing.)
• Asymmetric: Uses a public key (for encryption) and a private key (for decryption). (Secure but slower.)
• Real-world example: When you zip a file with a password, it’s symmetric. When you send an email with PGP, it’s asymmetric.

c) Hashing & Digital Signatures

• Hashing: Converts data into a fixed-length value. If the data changes, the hash changes.
• Digital Signature: Verifies the authenticity and integrity of data using cryptography.
• Real-world example: Websites store your password as a hash, not plain text. When you log in, the site hashes what you typed and compares the two hashes, so it never needs to store your actual password.

d) PKI & Certificates

• Definition: Public Key Infrastructure (PKI) manages encryption keys and digital certificates to establish trust.
• Real-world example: When you see a padlock in your browser, a certificate issued by a trusted authority ensures the site is legitimate.

e) TLS/SSL & HTTPS in Action

• Definition: TLS/SSL are protocols that secure communication over the internet. HTTPS is the secure version of HTTP using TLS.
• Real-world example: When you buy something online, your credit card details are encrypted by HTTPS so hackers can’t read them.

f) Common Cryptographic Attacks

• Rainbow Table Attack: Uses precomputed hashes to crack passwords quickly.
• Collision Attack: Finds two different inputs that produce the same hash.
• Weak Cipher Attack: Exploits outdated algorithms (like MD5, DES).
• Real-world example: Hackers may use rainbow tables to crack weakly hashed passwords from a stolen database.
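For the rainbow-table and weak-hash points made in both “Common Cryptographic Attacks” sections (Part 1 and the one just above), an added example that is not from this guide: a precomputed MD5 lookup table recovers a weak password instantly, while a salted, iterated PBKDF2 hash of the same password gives the table nothing to match. The password list and the iteration count are constructed choices for this example.

```python
"""Added example (not from this guide): why unsalted MD5 password hashes fall
to a precomputed table and why salted, iterated hashes do not. The password
list, the 'stolen' hashes and the iteration count are constructed choices."""
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]


def unsalted_md5(password):
    """How the weak scheme stores a password: one MD5 of the bare string."""
    return hashlib.md5(password.encode()).hexdigest()


# A real rainbow table stores hash chains to save space; a plain lookup table
# makes the same point: the hashing work is done once, before any breach.
LOOKUP_TABLE = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def crack_unsalted_md5(stored_hash):
    """One dictionary lookup per stolen hash: instant for any password that
    was in the precomputed list, None otherwise."""
    return LOOKUP_TABLE.get(stored_hash)


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. A random 16-byte salt makes every user's
    hash different even for identical passwords, so no table computed in
    advance can match it; the iteration count makes each guess slow."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check does not leak how many bytes matched."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def table_can_crack(stored):
    """Does the precomputed table say anything about a salted record? It
    cannot: the iterated, salted digest never appears in it."""
    return stored.split("$")[-1] in LOOKUP_TABLE


if __name__ == "__main__":
    leaked = unsalted_md5("123456")
    print("unsalted MD5 cracked as:", crack_unsalted_md5(leaked))           # 123456
    rec1 = hash_password("123456")
    rec2 = hash_password("123456")
    print("same password, different records:", rec1 != rec2)               # True
    print("table hit on salted record:", table_can_crack(rec1))             # False
    print("correct password verifies:", verify_password("123456", rec1))    # True
    print("wrong password verifies:", verify_password("123457", rec1))      # False
```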

Part 3 – Cloud & SOC L1 Fundamentals

1. Cloud Security Basics

• Definition: Cloud security involves protecting data, applications, and resources stored on cloud platforms like AWS, Azure, or Google Cloud.
• Real-world example: A company using AWS S3 buckets must configure access properly. If left public, attackers can steal sensitive customer data (a mistake many firms have made).

2. Shared Responsibility Model

• Definition: In the cloud, security is shared between provider and customer. The cloud provider secures the infrastructure, while the customer secures applications, data, and user access.
• Real-world example: Microsoft Azure ensures physical servers are safe, but if a company stores passwords in plain text on Azure, that’s the company’s fault—not Azure’s.

3. Virtualization & Containers

• Definition: Virtualization allows multiple virtual machines (VMs) on one physical system. Containers (like Docker) provide lightweight, isolated environments for applications.
• Real-world example: A SOC analyst may monitor multiple VMs in a cloud SOC lab, each running different tools like Splunk, ELK, or Wazuh.

4. Cloud Threats & Attacks

• Data Breaches: Misconfigured storage buckets or weak passwords.
• Denial of Service (DoS): Overloading cloud services with traffic.
• Account Hijacking: Stolen credentials give attackers control.
• Real-world example: In 2019, Capital One suffered a major breach because of a misconfigured AWS server.

5. Introduction to SOC (Security Operations Center)

• Definition: A SOC is a centralized unit that monitors, detects, and responds to security incidents. Analysts work in tiers (L1, L2, L3).
• Real-world example: A bank’s SOC monitors ATM transactions and alerts if suspicious activity (like 50 withdrawals in 5 minutes) occurs.

6. SOC Tier Roles

• Tier 1 (L1): Monitor alerts, triage incidents, escalate issues.
• Tier 2 (L2): Deep investigation, malware analysis, threat hunting.
• Tier 3 (L3): Advanced forensics, incident response, strategy.
• Real-world example: If a phishing email lands in an employee’s inbox, the L1 analyst logs and escalates it, L2 analyzes the attachments, and L3 handles containment if malware spreads.

7. Log Management & SIEM Basics

• Definition: Security Information and Event Management (SIEM) tools collect logs from different sources, correlate them, and raise alerts.
• Real-world example: A SIEM like Splunk or Wazuh might detect 5 failed logins followed by a successful login from a foreign country → triggers a brute-force alert.
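The SIEM rule just described (5 failed logins followed by a successful login from a foreign country), as an added example that is not part of this guide: a Python correlation run over constructed sample log lines, with the threshold and window as parameters. The log format, the field names, the “home” country PK and the documentation-range IP addresses are assumptions made for this example.

```python
"""Added example (not from this guide): the 'N failed logins, then a success
from a foreign country' brute-force rule run over constructed auth log lines.
Log format, field names, the home country and the IPs are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_COUNTRY = "PK"            # assumed: where the company's users normally log in from
FAIL_THRESHOLD = 5             # the guide's "5 failed logins"
WINDOW = timedelta(minutes=10)

# Constructed line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>OK|FAIL)$")

# Constructed sample log: alice is brute-forced from abroad and the attacker
# finally succeeds; bob and carol are ordinary users logging in from home.
SAMPLE_LOG = """\
2024-05-01T10:30:01Z auth user=alice src=203.0.113.7 geo=DE result=FAIL
2024-05-01T10:30:03Z auth user=alice src=203.0.113.7 geo=DE result=FAIL
2024-05-01T10:30:05Z auth user=alice src=203.0.113.7 geo=DE result=FAIL
2024-05-01T10:30:06Z auth user=bob src=198.51.100.2 geo=PK result=OK
2024-05-01T10:30:08Z auth user=alice src=203.0.113.7 geo=DE result=FAIL
2024-05-01T10:30:10Z auth user=alice src=203.0.113.7 geo=DE result=FAIL
2024-05-01T10:30:12Z auth user=alice src=203.0.113.7 geo=DE result=OK
2024-05-01T10:45:00Z auth user=carol src=198.51.100.9 geo=PK result=FAIL
2024-05-01T10:45:02Z auth user=carol src=198.51.100.9 geo=PK result=OK
not a log line at all
"""


def parse(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW,
                      home=HOME_COUNTRY):
    """Keep, per user, the timestamps of failures inside a sliding window.
    On a success, alert if at least `threshold` failures preceded it within
    the window and the success came from outside `home`."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # malformed lines are skipped, not fatal
        q = failures[ev["user"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # expire failures older than the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold and ev["geo"] != home:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "geo": ev["geo"], "failures": len(q),
                           "time": ev["ts"].isoformat()})
        q.clear()                         # a success closes the failure run
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("BRUTE-FORCE ALERT:", alert)
```

The same sliding-window count is the shape of the ATM rule in item 5 (50 withdrawals in 5 minutes); only the parsed fields and the threshold change.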

8. Common SOC Tools

• SIEM Tools: Splunk, ELK, Wazuh, QRadar.
• Threat Intelligence: VirusTotal, MISP.
• Network Monitoring: Wireshark, Zeek.
• Endpoint Protection: CrowdStrike, SentinelOne.
• Real-world example: A SOC analyst uses Wireshark to analyze suspicious network packets and confirm whether data exfiltration is happening.

9. Incident Response Basics (NIST Framework)

• Preparation: Policies, tools, training.
• Detection & Analysis: Identify suspicious activity.
• Containment, Eradication & Recovery: Stop the attack, remove malware, restore systems.
• Post-Incident Activity: Lessons learned, reports.
• Real-world example: If ransomware hits a hospital, the SOC must detect quickly, contain infected systems, and restore patient data from backups.

Part 4 – Network Security & Monitoring

1. Network Security Basics

• Definition: Protecting the integrity, confidentiality, and availability of data as it travels across networks.
• Real-world example: Using firewalls to block unauthorized access to a company’s internal network.

2. Firewalls

• Definition: A firewall filters incoming and outgoing traffic based on rules (e.g., blocking suspicious IPs).
• Types: Packet-filtering, Stateful, Next-Gen (NGFW).
• Real-world example: A bank configures its firewall to block all traffic except from trusted IP addresses.

3. Intrusion Detection & Prevention Systems (IDS/IPS)

• IDS: Detects suspicious traffic and alerts.
• IPS: Detects and blocks suspicious traffic in real time.
• Real-world example: Snort IDS detecting SQL injection attempts in web traffic and alerting SOC analysts.

4. Virtual Private Networks (VPNs)

• Definition: A VPN creates an encrypted tunnel between the user and the network, hiding the traffic from eavesdroppers on the path.
• Real-world example: Remote employees using VPNs to securely access company servers while working from home.

5. Network Monitoring Tools

• Wireshark: Captures and analyzes network packets.
• Zeek (formerly Bro): Detects network anomalies.
• Nagios / Zabbix: Monitor performance and uptime.
• Real-world example: A SOC analyst uses Wireshark to inspect suspicious DNS traffic that may indicate data exfiltration.

6. Threat Intelligence & Feeds

• Definition: Collecting external threat data (IPs, domains, malware hashes) to detect attacks.
• Real-world example: A SIEM detects an IP from a known threat-feed blacklist trying to access the corporate network → alert is triggered.

7. Endpoint Detection & Response (EDR)

• Definition: Tools that monitor endpoints (laptops, servers) for suspicious activity.
• Real-world example: CrowdStrike Falcon detects ransomware running on a workstation and automatically kills the process.

8. Honeypots & Deception Technology

• Definition: Fake systems or services designed to attract attackers and study their behavior.
• Real-world example: A honeypot simulating a vulnerable database is deployed; attackers try to exploit it, and the SOC learns their methods.

9. Network Segmentation

• Definition: Splitting networks into smaller zones to reduce attack spread.
• Real-world example: A hospital separates its patient database network from its public Wi-Fi to prevent attackers from pivoting.

10. Common Network Security Attacks

• DoS/DDoS: Overloading systems with traffic → site becomes unavailable.
• MITM (Man-in-the-Middle): Attacker intercepts communication between two parties.
• ARP Spoofing: Attacker tricks devices into thinking they are the gateway.
• DNS Poisoning: Redirecting traffic to malicious websites.
• Real-world example: In 2016, a DDoS attack on the DNS provider Dyn took down Twitter, Netflix, and Reddit.

Part 5 – Malware, Threats & Vulnerabilities

1. What is Malware?

• Definition: Malicious software designed to disrupt, damage, or gain unauthorized access to systems.
• Types: Virus, Worm, Trojan, Ransomware, Spyware, Rootkits, Botnets.
• Real-world example: WannaCry ransomware (2017) spread globally and locked thousands of computers, demanding a ransom in Bitcoin to unlock them.

2. Viruses

• Definition: Malicious code that attaches itself to files/programs and spreads when executed.
• Real-world example: The ILOVEYOU virus (2000) spread via email attachments and caused $10B in damages.

3. Worms

• Definition: Self-replicating malware that spreads without user interaction.
• Real-world example: The Morris Worm (1988) was the first major worm; it slowed down the early internet.

4. Trojans

• Definition: Malware disguised as legitimate software.
• Real-world example: The Zeus Trojan stole online banking credentials and caused billions in losses.

5. Ransomware

• Definition: Encrypts files and demands a ransom to unlock them.
• Real-world example: Petya/NotPetya (2017) spread through fake software updates and shut down major corporations.

6. Spyware & Keyloggers

• Spyware: Collects user activity without consent.
• Keylogger: Records keystrokes to capture passwords.
• Real-world example: The FinFisher spyware was used in government surveillance to monitor activists.

7. Rootkits

• Definition: Malware that hides in the OS to give attackers persistent access.
• Real-world example: Sony BMG Rootkit Scandal (2005) – Sony secretly installed rootkits from its music CDs onto customers’ computers, exposing them to hackers.

8. Botnets

• Definition: A network of infected devices controlled by attackers.
• Real-world example: The Mirai botnet (2016) hijacked IoT devices and launched the largest DDoS attack seen at the time.

9. Zero-Day Exploits

• Definition: Attacks that exploit vulnerabilities before they are patched.
• Real-world example: Stuxnet (2010) used zero-day exploits to damage Iranian nuclear centrifuges.

10. Vulnerability Management

• Steps:
  o Identify vulnerabilities (scans, reports).
  o Assess severity (CVSS score).
  o Patch or mitigate.
• Real-world example: The Equifax breach (2017) happened because a known vulnerability in Apache Struts was left unpatched → 147M people’s data exposed.

11. Common Attack Techniques

• Phishing: Fake emails tricking users into giving up credentials.
• Spear Phishing: Targeted phishing aimed at specific individuals.
• Whaling: Attacks on executives.
• Insider Threats: Employees misusing access.
• Nation-State Attacks: Sponsored hacking groups targeting infrastructure.
• Real-world example: SolarWinds Supply Chain Attack (2020) – nation-state hackers inserted malware into software updates, impacting U.S. government agencies.

📘 OWASP Top 10 Through the Years (2003 → 2021)

🔹 OWASP Top 10 – 2003 (First Version)

1. Unvalidated Input
  o Definition: Applications accepting user input without verifying it.
  o Example: A website search bar directly running whatever you type in the database query.
  o Real World: Early SQL injection attacks where attackers typed ' OR '1'='1 into login forms.
2. Broken Access Control
  o Definition: Users being able to access areas they should not.
  o Example: A normal user typing /admin in the URL and accessing admin pages.
  o Real World: Early e-commerce sites where customers could view other people’s orders just by changing the order number in the URL.
3. Broken Authentication & Session Management
  o Definition: Weak login, poor password storage, or session IDs exposed.
  o Example: Session IDs in the URL (example.com/home?sessionid=12345).
  o Real World: Attackers stealing session cookies in early forums to hijack accounts.
4. Cross-Site Scripting (XSS)
  o Definition: Malicious scripts injected into websites.
  o Example: Attacker puts <script>alert("Hacked")</script> into a comment box.
  o Real World: MySpace “Samy Worm” (2005), where one XSS attack spread to over 1 million profiles.
5. Buffer Overflows
  o Definition: When programs put more data into memory than was allocated.
  o Example: Sending 500 characters to a field meant for 50.
  o Real World: Classic Windows worms exploiting buffer overflows to crash systems.
6. Command Injection
  o Definition: Attackers running system commands through vulnerable applications.
  o Example: A form field that executes ping, and the attacker enters ; rm -rf /.
  o Real World: The Shellshock bug of 2014 (later than the 2003 list, but a classic case).
7. Error Handling Problems
  o Definition: Applications revealing too much information in error messages.
  o Example: “Database error: username field missing in table users.”
  o Real World: Leaked SQL errors helping attackers craft injection payloads.
8. Insecure Storage
  o Definition: Sensitive data stored without encryption.
  o Example: Credit cards saved in plain text in the database.
  o Real World: Early retail breaches where customer data was dumped online unencrypted.
9. Denial of Service (DoS)
  o Definition: Flooding systems with traffic to make them unavailable.
  o Example: Sending millions of requests per second.
  o Real World: Early botnet attacks on Yahoo! and eBay (2000s).
10. Insecure Configuration Management
  o Definition: Default settings, open admin panels, unnecessary services.
  o Example: Admin panel left at admin/admin.
  o Real World: Printers, routers, and cameras shipped with default passwords being hacked.
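An added example, not from this guide, for item 1 above (Unvalidated Input): the login check written the vulnerable way (SQL built by string concatenation) beside the fixed version (a parameterised query), run against an in-memory SQLite table of constructed users. The page’s own ' OR '1'='1 input, placed in the password field, bypasses the first and is treated as plain data by the second.

```python
"""Added example (not from this guide): the 2003 'Unvalidated Input' login
bug written the vulnerable way and the fixed way, against an in-memory SQLite
table of constructed users."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text passwords are themselves a 2003 'Insecure Storage' finding;
    # they are kept here only so the query logic stays the focus.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so the user's input becomes
    part of the query text and can change its logic."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Uses placeholders: the driver passes the values separately from the
    SQL text, so input is only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


PAYLOAD = "' OR '1'='1"   # the page's own example input, used in the password field

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password:", login_vulnerable(db, "admin", "s3cret-admin"))  # admin
    print("vulnerable, payload:      ", login_vulnerable(db, "admin", PAYLOAD))         # admin (bypass)
    print("fixed, payload:           ", login_fixed(db, "admin", PAYLOAD))              # None
    print("fixed, real password:     ", login_fixed(db, "alice", "hunter2"))            # alice
```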

🔹 OWASP Top 10 – 2004

• Many categories stayed similar, but XSS, Injection, Broken Access Control, Insecure Configurations, and Buffer Overflows remained strong concerns.
• Examples: SQL Injection remained a leading cause of data breaches.

🔹 OWASP Top 10 – 2007

1. Cross-Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object References
5. CSRF (Cross-Site Request Forgery)
6. Information Leakage & Improper Error Handling
7. Broken Authentication & Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

👉 Example: CSRF – Imagine a banking site where, if you’re logged in and visit a malicious link, it automatically transfers money without your permission.

🔹 OWASP Top 10 – 2010

1. Injection (SQL, OS, LDAP)
2. Cross-Site Scripting (XSS)
3. Broken Authentication & Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

👉 Example: Unvalidated Redirects – Clicking a link on a trusted site that secretly redirects you to a phishing site.

🔹 OWASP Top 10 – 2013

1. Injection
2. Broken Authentication & Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. CSRF
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

👉 Example: Target Breach (2013) – Attackers exploited vulnerable components and poor network segmentation.

🔹 OWASP Top 10 – 2017

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

👉 Example: Equifax Breach (2017) – Attackers exploited an Apache Struts vulnerability (known component issue).

🔹 OWASP Top 10 – 2021 (Latest)

1. Broken Access Control
2. Cryptographic Failures (Previously Sensitive Data Exposure)
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable & Outdated Components
7. Identification & Authentication Failures
8. Software & Data Integrity Failures
9. Security Logging & Monitoring Failures
10. Server-Side Request Forgery (SSRF)

👉 Example: Capital One Breach (2019) – An SSRF vulnerability was exploited to access the AWS metadata service and steal data of 100M+ customers.

Part 6 – Security Operations (SOC & SIEM)

1. What is a SOC?

• Definition: Security Operations Center – a team + technology setup that monitors, detects, investigates, and responds to cyber threats 24/7.
• Functions:
  o Continuous monitoring.
  o Incident detection & response.
  o Threat intelligence integration.
  o Compliance & reporting.
• Real-world example: Large banks like JP Morgan operate SOCs to monitor millions of daily transactions for fraud or cyberattacks.

2. SOC Roles & Levels

• Tier 1 (L1) – Monitoring & Triage: First line, analyzes alerts, escalates if suspicious.
• Tier 2 (L2) – Incident Response: Deeper analysis, containment, eradication.
• Tier 3 (L3) – Threat Hunting & Forensics: Advanced investigation, malware analysis.
• SOC Manager: Oversees operations, policies, compliance.
• Real-world example: During the SolarWinds Attack (2020), SOC analysts in U.S. government agencies detected unusual network traffic and escalated it for deep investigation.

3. What is SIEM?

• Definition: Security Information and Event Management – software that collects, correlates, and analyzes logs from multiple systems.
• Key Features:
  o Log management.
  o Correlation rules.
  o Dashboards & alerts.
  o Compliance reporting.
• Popular SIEM Tools: Splunk, IBM QRadar, ArcSight, Wazuh, Azure Sentinel.
• Real-world example: A SIEM detected a mass login attempt from Russia on a company’s Office 365 accounts, alerting the SOC to block access.

4. SOC vs SIEM

• SOC = People + Processes + Tools.
• SIEM = The tool that enables SOC operations.
• The SOC uses the SIEM for visibility, threat detection, and response.

5. Incident Response Lifecycle (NIST Model)

• Preparation: Policies, tools, training.
• Detection & Analysis: Identify suspicious activity.
• Containment: Limit attack spread.
• Eradication & Recovery: Remove the threat, restore systems.
• Post-Incident Activity: Lessons learned, improvements.
• Real-world example: During WannaCry, SOC teams worldwide quickly detected the spread, contained infected machines, and applied emergency patches.

6. Threat Hunting

• Definition: Proactive search for threats that evade detection tools.
• Methods: Hypothesis-based, anomaly detection, use of threat intel.
• Real-world example: Threat hunters discovered APT29 (Cozy Bear) activity in networks months before the SolarWinds breach was fully exposed.

7. Use Cases of SIEM

• Brute-force attack detection.
• Phishing attempts.
• Insider threat monitoring.
• Malware outbreak detection.
• Compliance auditing (PCI-DSS, HIPAA, ISO 27001).
• Real-world example: A SIEM flagged unusual midnight logins from the CEO’s account – later discovered to be a phishing compromise.

8. Challenges in SOC

• Too many alerts (alert fatigue).
• Shortage of skilled analysts.
• Advanced persistent threats (APTs).
• Need for automation (SOAR tools).
• Real-world example: During the Log4j vulnerability (2021), SOCs faced thousands of alerts daily from scanning bots, making it hard to prioritize real attacks.

Part 7 – Security Tools & Technologies


1. Firewalls

 Definition: A security device (hardware or software) that monitors and controls


incoming/outgoing traffic based on predefined rules.
 Types:
o Packet-filtering firewall.
o Stateful inspection firewall.
o Next-Generation Firewall (NGFW).
 Function: Blocks unauthorized access while permitting legitimate communication.
 Real-world example: A company blocks all traffic from North Korea IP ranges on its
firewall to reduce attack attempts.

2. IDS/IPS (Intrusion Detection/Prevention Systems)

• IDS (Detection): Monitors network/system traffic for suspicious activity and alerts the SOC.
• IPS (Prevention): Detects and automatically blocks malicious traffic.
• Placement: Usually behind the firewall.
• Real-world example: An IPS blocked a SQL injection attempt targeting an e-commerce site’s login page.

3. Endpoint Detection & Response (EDR)

• Definition: Security tool that monitors endpoint (laptops, servers, mobile) activities for suspicious behavior.
• Features:
  o Detects malware, ransomware, and abnormal processes.
  o Provides visibility into endpoint activities.
  o Allows remote isolation of infected machines.
• Popular EDR Tools: CrowdStrike, Carbon Black, Microsoft Defender for Endpoint.
• Real-world example: CrowdStrike EDR stopped Ryuk ransomware from spreading across hospital endpoints in 2020.

4. Antivirus / Anti-malware

• Definition: Software that detects, quarantines, and removes known malware.
• Modern evolution: Signature-based + behavior-based detection.
• Real-world example: An antivirus detected a keylogger installed via a phishing email before it could steal login credentials.

5. Data Loss Prevention (DLP)

• Definition: A solution that prevents sensitive data (like credit card numbers, SSNs, company secrets) from leaving the network.
• Use Cases:
  o Email monitoring.
  o Blocking USB transfers.
  o Cloud storage monitoring.
• Real-world example: DLP blocked an employee from uploading customer credit card data to Google Drive.

6. SIEM (already discussed in SOC section)

• Role here: Provides central visibility for firewall, IDS/IPS, EDR, DLP logs.
• Real-world example: SIEM correlates alerts from IDS + Firewall + EDR to detect a coordinated attack.

7. SOAR (Security Orchestration, Automation & Response)

• Definition: Automates repetitive SOC tasks (alert triage, blocking IPs, quarantining devices).
• Benefit: Reduces response time, helps SOC scale.
• Real-world example: A SOAR system auto-blocked an IP after detecting 3 failed logins + 1 phishing email + malicious DNS request from the same attacker.
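The auto-block decision from that SOAR example, as an added example that is not code from the book or from any SOAR product: alerts from three sources are grouped by source IP, and the playbook fires only when all three signals land on the same source inside one window. The alerts, thresholds, window and the allowlist of addresses that are escalated rather than blocked are constructed assumptions.

```python
"""SOAR-style playbook: block an IP only when several independent signals agree (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts, as a SIEM might hand them to a SOAR platform.
ALERTS = [
    {"ts": "2024-03-01T02:10:00", "source": "siem",  "type": "failed_login",  "ip": "198.51.100.7", "user": "jdoe"},
    {"ts": "2024-03-01T02:10:20", "source": "siem",  "type": "failed_login",  "ip": "198.51.100.7", "user": "jdoe"},
    {"ts": "2024-03-01T02:10:45", "source": "siem",  "type": "failed_login",  "ip": "198.51.100.7", "user": "jdoe"},
    {"ts": "2024-03-01T02:14:00", "source": "email", "type": "phishing",      "ip": "198.51.100.7", "user": "jdoe"},
    {"ts": "2024-03-01T02:16:30", "source": "dns",   "type": "malicious_dns", "ip": "198.51.100.7", "domain": "bad.example"},
    # A second source with only failed logins: noisy, but the playbook must not block it.
    {"ts": "2024-03-01T02:20:00", "source": "siem",  "type": "failed_login",  "ip": "203.0.113.9", "user": "asmith"},
    {"ts": "2024-03-01T02:21:00", "source": "siem",  "type": "failed_login",  "ip": "203.0.113.9", "user": "asmith"},
    {"ts": "2024-03-01T02:22:00", "source": "siem",  "type": "failed_login",  "ip": "203.0.113.9", "user": "asmith"},
    {"ts": "2024-03-01T02:23:00", "source": "siem",  "type": "failed_login",  "ip": "203.0.113.9", "user": "asmith"},
]

# Thresholds taken from the book's example: 3 failed logins + 1 phishing email + 1 malicious DNS request.
THRESHOLDS = {"failed_login": 3, "phishing": 1, "malicious_dns": 1}
WINDOW = timedelta(minutes=30)
# Constructed assumption: addresses such as the corporate VPN egress are never auto-blocked,
# because blocking them would lock out the whole company; they go to a human instead.
ALLOWLIST = {"10.0.0.1"}


def evaluate(alerts=ALERTS, thresholds=THRESHOLDS, window=WINDOW) -> list:
    """Return the playbook actions (block or escalate) with the evidence behind each one."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["ip"]].append((datetime.fromisoformat(a["ts"]), a["type"]))

    actions = []
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window over the events; every signal must reach its threshold inside one window.
        for i, (start, _) in enumerate(events):
            counts = defaultdict(int)
            for ts, kind in events[i:]:
                if ts - start > window:
                    break
                counts[kind] += 1
            if all(counts[k] >= n for k, n in thresholds.items()):
                if ip in ALLOWLIST:
                    actions.append({"action": "escalate", "ip": ip, "reason": "allowlisted source"})
                else:
                    actions.append({"action": "block_ip", "ip": ip, "reason": dict(counts)})
                break   # one action per source is enough
    return actions


if __name__ == "__main__":
    for action in evaluate():
        print(action)
```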

8. Honeypots / Honeynets

• Definition: Decoy systems designed to lure attackers and study their techniques.
• Use: Threat intelligence, research, early warning.
• Real-world example: A honeypot server pretending to be a vulnerable database captured ransomware samples used by attackers.

9. Vulnerability Scanners

• Definition: Tools that scan systems/networks for weaknesses.
• Popular Tools: Nessus, OpenVAS, Qualys.
• Real-world example: Nessus detected that a company web server was missing a critical Apache patch, preventing exploitation.

10. Patch Management Tools

• Definition: Tools to automate operating system and application updates.
• Use: Ensures vulnerabilities are fixed quickly.
• Real-world example: Microsoft SCCM pushed urgent Log4j patches to thousands of company endpoints.

11. Security Gateways & Proxies

• Definition: Act as intermediaries between users and the internet, filtering traffic.
• Types: Web proxy, email gateway, secure web gateway (SWG).
• Real-world example: A web proxy blocked access to malicious phishing sites during employee browsing.
Part 8 – Incident Response & Forensics

1. What is Incident Response (IR)?

• Definition: A structured approach to handle and manage security breaches or cyberattacks.
• Goal: Minimize damage, recover quickly, and prevent future incidents.
• Real-world example: When Colonial Pipeline was hit by ransomware (2021), IR teams isolated affected systems, restored backups, and rebuilt trust in operations.

2. NIST Incident Response Lifecycle

• Phases:
  1. Preparation – Create IR policies, train staff, deploy tools (SIEM, EDR).
  2. Detection & Analysis – Identify incidents using logs, alerts, threat intelligence.
  3. Containment, Eradication & Recovery – Isolate infected systems, remove malware, restore systems from backup.
  4. Post-Incident Activity – Lessons learned, improve defenses.
• Real-world example: A SOC detected brute-force login attempts → contained by blocking the attacker IP → later reviewed logs to strengthen the password policy.

3. Common Incident Types

• Malware outbreak (e.g., ransomware spreading across endpoints).
• Phishing attack (credential theft via fake emails).
• Insider threat (employee exfiltrating data).
• DDoS attack (flooding servers with traffic).
• Web application attack (SQL injection, XSS).
• Real-world example: The Equifax breach (2017) was caused by an unpatched web app vulnerability.

4. Digital Forensics Basics

• Definition: The process of collecting, analyzing, and preserving digital evidence.
• Key Principles:
  o Maintain chain of custody (document who handled evidence).
  o Ensure evidence integrity (no tampering).
  o Use forensic tools to analyze safely.
• Real-world example: Forensics teams used hard drive images to uncover attacker tools in the Sony Pictures hack (2014).

5. Forensic Process Steps

• Identification – Find potential evidence (logs, files, memory dumps).
• Collection – Securely gather evidence without altering it.
• Preservation – Store evidence with hash verification.
• Analysis – Use forensic tools to investigate.
• Presentation – Report findings clearly for legal/corporate purposes.
• Real-world example: During an insider fraud case, investigators collected Outlook emails and USB logs to prove data theft.

6. Common Forensic Tools

• FTK (Forensic Toolkit): File recovery & analysis.
• EnCase: Disk imaging & evidence preservation.
• Volatility: Memory forensics (RAM analysis).
• Autopsy: Open-source forensic platform.
• Wireshark: Packet analysis.
• Real-world example: Investigators used Volatility to find a malware process hidden in memory after a ransomware attack.

7. Evidence Sources in Security Incidents

• Logs: Windows Event Logs, Linux Syslogs, firewall logs, SIEM data.
• Network Data: Packet captures (PCAPs), NetFlow.
• Disk Data: Deleted files, hidden partitions.
• Memory: Running processes, encryption keys, malware traces.
• Cloud Data: SaaS access logs, API logs.
• Real-world example: During a bank fraud investigation, firewall logs revealed data exfiltration to an IP in another country.

8. Chain of Custody (Very Important in Forensics)

• Definition: A documented history of evidence handling to prove integrity.
• Steps:
  o Record who collected evidence.
  o Record every transfer (date/time/person).
  o Secure storage (evidence lockers, encrypted drives).
• Real-world example: If the chain of custody breaks, evidence becomes inadmissible in court.

9. Threat Intelligence in IR

• Definition: Information about attacker tools, techniques, and procedures (TTPs).
• Use: Helps in quick detection and proactive defense.
• Sources: Dark web, threat feeds, ISACs (industry sharing groups).
• Real-world example: Using threat intel, a SOC blocked an IP associated with APT29 (Russian state group) before it attacked.

10. Post-Incident Activity

• Actions:
  o Review incident details.
  o Update security controls (patching, new firewall rules).
  o Improve policies (stronger MFA, new logging rules).
  o Train staff on lessons learned.
• Real-world example: After Target’s 2013 breach, the company improved vendor access controls and hired a new CISO.
Part 9 – Cybersecurity Domains

1. Network Security

• Goal: Protect networks from unauthorized access, attacks, and misuse.
• Controls: Firewalls, IDS/IPS, VPNs, NAC (Network Access Control).
• Threats: DDoS, Man-in-the-Middle (MITM), ARP spoofing.
• Real-world example: In the 2016 Dyn DNS attack, IoT devices were hijacked to launch a massive DDoS that took down Twitter, Netflix, and GitHub.

2. Endpoint Security

• Goal: Protect individual devices like laptops, mobiles, and servers.
• Controls: Antivirus, EDR (Endpoint Detection & Response), disk encryption.
• Threats: Malware, ransomware, insider misuse.
• Real-world example: WannaCry ransomware (2017) spread via unpatched Windows machines, showing weak endpoint patching.

3. Application Security

• Goal: Protect software and web apps from exploitation.
• Controls: Secure coding, WAF (Web Application Firewall), penetration testing.
• Threats: SQL injection, XSS, CSRF, broken authentication.
• Real-world example: Equifax breach (2017) → caused by an unpatched Apache Struts vulnerability.

4. Cloud Security

• Goal: Secure data, apps, and workloads in cloud environments (AWS, Azure, GCP).
• Controls: IAM, encryption, monitoring, compliance checks.
• Threats: Misconfigurations, data breaches, API abuse.
• Real-world example: Capital One breach (2019) → an attacker exploited a misconfigured AWS firewall and stole customer data.

5. Mobile Security

• Goal: Protect smartphones/tablets from malware, data theft, and unauthorized access.
• Controls: MDM (Mobile Device Management), app vetting, biometric authentication.
• Threats: Malicious apps, SIM swapping, mobile phishing.
• Real-world example: Pegasus spyware infected mobile devices of journalists and officials through zero-click exploits.

6. IoT Security

• Goal: Secure smart devices (CCTV, smart meters, cars, medical devices).
• Controls: Device authentication, firmware updates, network segmentation.
• Threats: Botnets, default credentials, lack of patching.
• Real-world example: Mirai botnet (2016) → IoT devices were hijacked to launch massive DDoS attacks.

7. Data Security

• Goal: Protect data integrity, confidentiality, and availability.
• Controls: Encryption, DLP (Data Loss Prevention), access controls, backups.
• Threats: Data breaches, insider threats, ransomware.
• Real-world example: Yahoo data breach (2013–2014) exposed 3 billion accounts due to weak encryption.

8. Identity & Access Management (IAM)

• Goal: Ensure only authorized users access resources.
• Controls: MFA, SSO, RBAC (Role-Based Access Control).
• Threats: Credential theft, privilege escalation, weak passwords.
• Real-world example: Uber breach (2022) happened after an attacker stole employee credentials through an MFA fatigue attack.

9. Operational Security (OpSec)

• Goal: Protect processes, people, and technology in daily operations.
• Controls: Policy enforcement, incident response, monitoring.
• Threats: Social engineering, insider leaks, mismanagement.
• Real-world example: Military and intelligence agencies apply OpSec to hide sensitive missions from adversaries.

10. Critical Infrastructure Security

• Goal: Secure power plants, transportation, healthcare, water supply systems.
• Controls: SCADA security, physical + cyber defenses.
• Threats: State-sponsored attacks, ransomware on hospitals, sabotage.
• Real-world example: Stuxnet (2010) targeted Iranian nuclear facilities by sabotaging centrifuges.

Part 10 – Cybersecurity Tools & Technologies

1. Firewalls

• Purpose: Act as a barrier between trusted and untrusted networks.
• Types:
  o Packet filtering firewall
  o Stateful inspection firewall
  o Next-Gen Firewall (NGFW)
• Controls: Filters traffic based on IP, port, and rules.
• Real-world example: A Next-Gen Firewall can block malicious traffic while allowing business apps like Zoom or Office 365.

2. Intrusion Detection & Prevention Systems (IDS/IPS)

• IDS (Intrusion Detection): Monitors for suspicious activity and raises alerts.
• IPS (Intrusion Prevention): Detects + blocks malicious activity in real time.
• Example Tools: Snort, Suricata, Zeek.
• Real-world example: A bank uses Suricata IPS to block brute-force login attempts against its online banking system.

3. SIEM (Security Information & Event Management)

• Purpose: Collects logs from multiple systems and detects anomalies.
• Functions: Centralized log management, correlation, real-time alerts.
• Example Tools: Splunk, Wazuh, IBM QRadar, ELK Stack.
• Real-world example: A SOC team uses Wazuh SIEM to detect a compromised server from unusual outbound traffic.

4. Endpoint Detection & Response (EDR)

• Purpose: Monitors endpoints for suspicious activities.
• Functions: Threat detection, investigation, response, forensic analysis.
• Example Tools: CrowdStrike Falcon, SentinelOne, Microsoft Defender ATP.
• Real-world example: CrowdStrike Falcon stopped the 2020 SolarWinds attack on many organizations by isolating infected endpoints.

5. Vulnerability Scanners

• Purpose: Scan systems and apps for security weaknesses.
• Example Tools: Nessus, OpenVAS, Qualys.
• Real-world example: An e-commerce company uses Nessus to find outdated Apache servers vulnerable to CVE-2021-41773.

6. Penetration Testing Tools

• Purpose: Simulate attacks to test defenses.
• Example Tools: Metasploit, Burp Suite, Nmap, Wireshark.
• Real-world example: A security team uses Burp Suite to find SQL injection in a banking web application before hackers do.

7. Data Loss Prevention (DLP)

• Purpose: Prevent sensitive data from leaving the network.
• Controls: Content inspection, blocking email/file transfers with sensitive info.
• Example Tools: Symantec DLP, Digital Guardian.
• Real-world example: DLP prevents employees from sending credit card data via personal email.

8. Identity & Access Management (IAM) Tools

• Purpose: Manage user authentication and authorization.
• Functions: MFA, SSO, RBAC.
• Example Tools: Okta, Microsoft Azure AD, Ping Identity.
• Real-world example: Okta ensures only authorized employees access corporate apps with MFA.

9. Threat Intelligence Platforms

• Purpose: Gather and analyze data on emerging threats.
• Example Tools: MISP, Recorded Future, ThreatConnect.
• Real-world example: A SOC uses MISP to share IoCs (Indicators of Compromise) of new ransomware variants.

10. Security Orchestration, Automation, and Response (SOAR)

• Purpose: Automates SOC workflows like phishing response, malware isolation.
• Example Tools: Palo Alto Cortex XSOAR, Splunk SOAR.
• Real-world example: A SOAR platform automatically quarantines an endpoint when malware is detected by SIEM + EDR.

Part 11 – Incident Response & Digital Forensics

🔹 Incident Response (IR)

Definition:
Incident Response is the structured approach security teams use to detect, contain, and recover from cyberattacks.

NIST 4 Phases of Incident Response:

1. Preparation
  o Build IR policies, playbooks, and train SOC teams.
  o Tools: SIEM, EDR, forensic kits.
  o Example: A financial company creates an IR playbook to respond to phishing attacks.
2. Detection & Analysis
  o Identify unusual activity via logs, alerts, user reports.
  o Validate whether it’s a true incident.
  o Example: SOC detects abnormal login attempts from Russia on a U.S.-only company’s system.
3. Containment, Eradication & Recovery
  o Containment: Stop the spread (e.g., isolate endpoints, block IPs).
  o Eradication: Remove malware, patch systems.
  o Recovery: Restore services and monitor.
  o Example: During the WannaCry ransomware attack (2017), hospitals isolated infected machines, patched the SMB vulnerability, and restored backups.
4. Post-Incident Activity (Lessons Learned)
  o Document root cause, update defenses, improve playbooks.
  o Example: After a phishing breach, a company enforces multi-factor authentication (MFA).

🔹 Common Incident Types

• Malware Infection
• Ransomware Attack
• Insider Threat
• Phishing & Social Engineering
• Data Breach / Credential Theft
• DoS / DDoS Attacks

Example: In 2013, Target’s data breach happened via a compromised HVAC vendor account. Incident response teams later traced the intrusion to stolen credentials.

🔹 Digital Forensics

Definition:
Digital Forensics is the process of collecting, preserving, analyzing, and presenting digital evidence in a legally acceptable way.

Key Phases of Digital Forensics:

1. Identification
  o Recognize potential evidence (logs, disks, memory dumps).
  o Example: Suspicious USB drive found in a compromised office computer.
2. Preservation
  o Ensure evidence is not tampered with (write blockers, hashing).
  o Example: Creating a forensic image of a hard drive using FTK Imager.
3. Collection
  o Gather evidence from endpoints, servers, network traffic.
  o Example: Using Wireshark to capture malicious C2 traffic.
4. Examination
  o Extract hidden, deleted, or encrypted files.
  o Example: Recovering deleted ransomware executables with Autopsy/Sleuth Kit.
5. Analysis
  o Correlate data, timelines, logs, and user activity.
  o Example: Investigating insider data theft by analyzing USB connection logs and file transfers.
6. Presentation
  o Prepare reports and expert testimony for legal cases.
  o Example: A forensic investigator presenting timeline evidence in court about an employee who exfiltrated customer records.

🔹 Forensic Tools

• Disk Forensics: FTK Imager, Autopsy, EnCase.
• Memory Forensics: Volatility, Rekall.
• Network Forensics: Wireshark, Zeek.
• Mobile Forensics: Cellebrite, Oxygen Forensic Suite.

Example: In the 2014 Sony Pictures hack, forensic investigators used network forensics to trace data exfiltration routes linked to North Korea.

🔹 Why IR + Forensics Matter Together

• IR = Handle and stop the attack.
• Forensics = Find root cause + collect legal evidence.
• Example: In a ransomware case, IR isolates infected machines, while forensics determines the entry point (phishing email with malicious attachment).

Part 12 – Security Policies, Compliance & Risk Management

🔹 Security Policies

Definition:
Security policies are high-level rules that guide how an organization protects its information systems and data.

Types of Security Policies:

• Acceptable Use Policy (AUP): Defines how employees can use company devices & networks.
  o Example: Employees cannot install unauthorized apps on company laptops.
• Password Policy: Rules for strong passwords & MFA.
  o Example: Minimum 12 characters, including upper/lowercase letters, numbers, and symbols.
• Data Classification Policy: Defines data sensitivity levels (Public, Confidential, Restricted).
  o Example: Credit card data = Restricted.
• Incident Response Policy: Steps for handling security breaches.
• Remote Work Policy: Secure VPN, no public Wi-Fi without encryption.

🔹 Compliance Standards

Organizations must follow global compliance frameworks depending on industry.

1. ISO/IEC 27001
  o International standard for Information Security Management Systems (ISMS).
  o Focus: Confidentiality, Integrity, Availability (CIA Triad).
  o Example: A bank implements ISO 27001 controls like access management & encryption.
2. GDPR (General Data Protection Regulation – EU)
  o Protects personal data of EU citizens.
  o Requires consent, right to be forgotten, breach notifications.
  o Example: Facebook fined €1.2B in 2023 for transferring EU user data to the U.S. without proper safeguards.
3. PCI-DSS (Payment Card Industry Data Security Standard)
  o For organizations handling credit/debit cards.
  o Example: An e-commerce store must encrypt cardholder data & pass PCI scans.
4. HIPAA (Health Insurance Portability and Accountability Act – U.S.)
  o Protects patient health information (PHI).
  o Example: Hospitals must encrypt patient records & restrict access.
5. SOC 2 (System and Organization Controls)
  o Focus: Security, Availability, Processing Integrity, Confidentiality, Privacy.
  o Example: Cloud service providers use SOC 2 audits to prove trustworthiness.

🔹 Risk Management

Definition:
Risk Management is identifying, assessing, and mitigating threats to an organization’s assets.

Steps in Risk Management:

1. Identify Risks
  o Example: Weak password policy, outdated servers, insider threats.
2. Analyze Risks
  o Assess likelihood (High/Medium/Low) and impact (Severe/Moderate/Minor).
  o Example: Ransomware = High likelihood + Severe impact.
3. Mitigation Strategies
  o Avoid: Remove the risky process.
  o Reduce: Apply controls (patching, MFA).
  o Transfer: Buy cyber insurance.
  o Accept: Live with the risk if the impact is small.
4. Monitor & Review
  o Regular audits, penetration testing, vulnerability scanning.

🔹 Real-World Examples of Risk Failures

• Equifax Breach (2017):
  o Cause: Unpatched Apache Struts vulnerability.
  o Impact: 147M people’s data stolen.
  o Lesson: Patch management & risk monitoring failed.
• Capital One Breach (2019):
  o Cause: Misconfigured AWS firewall.
  o Impact: 100M+ records exposed.
  o Lesson: Cloud risk management is critical.

Part 13 – Threat Intelligence & SOC Operations

🔹 Threat Intelligence (TI)

Definition:
Threat Intelligence is the collection, analysis, and sharing of information about potential or current threats to help organizations defend proactively.

Types of Threat Intelligence:

• Strategic Intelligence: High-level insights for executives.
  o Example: Reports on ransomware trends in the financial sector.
• Tactical Intelligence: Info on adversary TTPs (Tactics, Techniques, Procedures).
  o Example: MITRE ATT&CK techniques used by APT29.
• Operational Intelligence: Real-time details of ongoing attacks.
  o Example: Phishing campaign indicators from security vendors.
• Technical Intelligence: Low-level data like IOCs.
  o Example: Malicious IPs, file hashes, domain names.

🔹 Indicators of Compromise (IOCs)

Definition:
Artifacts that indicate a system may be compromised.

Examples of IOCs:

• File Hashes (MD5, SHA256): Known malware samples.
• IP Addresses/Domains: Command & Control servers.
• Registry Changes: Persistence techniques in Windows.
• Unusual Network Traffic: Large outbound traffic to unknown servers.

Real-world Example:
In the SolarWinds hack (2020), IOCs included malicious DLL file hashes and suspicious domain names used by attackers.
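How the first three IOC types above are actually matched against logs, as an added example that is not the book's code: indicators are normalised before comparison (hash case, trailing dot on DNS names), a domain indicator also matches its subdomains but not a look-alike under another registrable domain, and a host that trips more than one IOC type is surfaced as the stronger lead. The IOC feed, hash value and log events are all constructed.

```python
"""Match hash, IP and domain IOCs against normalised log events (added example)."""
import ipaddress
from typing import Iterable

# Constructed threat-intel feed. The hash is a placeholder, not a real sample.
IOCS = [
    {"type": "sha256", "value": "0123456789abcdef" * 4, "tag": "known-dropper"},
    {"type": "ip", "value": "198.51.100.23", "tag": "c2-server"},
    {"type": "domain", "value": "Update-Check.example", "tag": "c2-domain"},
]

# Constructed SIEM-normalised events (one dict per log line).
EVENTS = [
    {"id": 1, "host": "ws-17", "type": "process", "sha256": "0123456789ABCDEF" * 4,
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe"},
    {"id": 2, "host": "ws-17", "type": "dns", "query": "cdn.update-check.example."},
    {"id": 3, "host": "ws-17", "type": "netflow", "dst_ip": "198.51.100.23", "dst_port": 443, "bytes_out": 48_000_000},
    {"id": 4, "host": "ws-02", "type": "dns", "query": "update-check.example.com"},   # different registrable domain
    {"id": 5, "host": "ws-02", "type": "netflow", "dst_ip": "198.51.100.2", "dst_port": 443, "bytes_out": 1200},
]


def _norm_domain(d: str) -> str:
    """DNS names are case-insensitive and resolvers often log a trailing dot."""
    return d.strip().lower().rstrip(".")


def domain_matches(indicator: str, observed: str) -> bool:
    """Exact match or a subdomain of the indicator.
    'update-check.example.com' must NOT match 'update-check.example'."""
    ind, obs = _norm_domain(indicator), _norm_domain(observed)
    return obs == ind or obs.endswith("." + ind)


def match_events(events: Iterable[dict] = EVENTS, iocs: Iterable[dict] = IOCS) -> list:
    """Return one hit per (event, IOC) pair, with the IOC tag and type for the analyst."""
    hits = []
    for ev in events:
        for ioc in iocs:
            t, v = ioc["type"], ioc["value"]
            matched = False
            if t == "sha256" and ev.get("sha256"):
                matched = ev["sha256"].lower() == v.lower()
            elif t == "ip" and ev.get("dst_ip"):
                # ipaddress normalises forms such as leading zeros before comparing
                matched = ipaddress.ip_address(ev["dst_ip"]) == ipaddress.ip_address(v)
            elif t == "domain" and ev.get("query"):
                matched = domain_matches(v, ev["query"])
            if matched:
                hits.append({"event": ev["id"], "host": ev["host"], "ioc": ioc["tag"], "type": t})
    return hits


def hosts_with_multiple_ioc_types(hits: list) -> set:
    """A host that matches several independent IOC types deserves escalation first."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["type"])
    return {host for host, types in seen.items() if len(types) > 1}


if __name__ == "__main__":
    found = match_events()
    for h in found:
        print(h)
    print("escalate first:", hosts_with_multiple_ioc_types(found))
```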

🔹 Security Information & Event Management (SIEM)

Definition:
SIEM tools collect, correlate, and analyze logs from multiple sources for threat detection and compliance.

Popular SIEM Tools:

• Splunk
• IBM QRadar
• Microsoft Sentinel
• Elastic SIEM
• Wazuh (open source)

Functions of SIEM:

• Log collection & normalization
• Real-time alerting
• Correlation rules (failed logins + data exfiltration)
• Compliance reporting

Real-world Example:

• A SIEM detects 50 failed logins on an admin account followed by a successful login → flags a brute-force attempt.

🔹 SOC (Security Operations Center)

Definition:
A SOC is a centralized team responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents.

SOC Structure (Levels):

• Tier 1 (L1 – Monitoring):
  o Initial triage, alert monitoring, escalate if needed.
  o Example: Analyst notices unusual DNS traffic and opens a case.
• Tier 2 (L2 – Investigation):
  o Deeper analysis, correlation, use of threat intelligence.
  o Example: Confirms the DNS traffic is linked to known malware.
• Tier 3 (L3 – Hunting & Incident Response):
  o Advanced forensics, threat hunting, remediation.
  o Example: Removes malware, patches systems, improves detection rules.
• SOC Manager:
  o Oversees operations, reports to leadership, ensures compliance.

🔹 MITRE ATT&CK Framework

Definition:
A knowledge base of real-world adversary tactics, techniques, and procedures (TTPs).

Why It’s Important:

• Helps the SOC map attacker behavior.
• Improves detection and response strategies.

Examples:

• Initial Access: Phishing emails with malicious attachments.
• Execution: PowerShell script execution.
• Persistence: Registry Run Keys.
• Exfiltration: Data over HTTPS.

Real-world Example:
During the Colonial Pipeline attack (2021), MITRE ATT&CK techniques like credential access and lateral movement were identified.

🔹 Real-World SOC Example

• Target Breach (2013):
  o Hackers entered via a third-party HVAC vendor.
  o SIEM generated alerts, but SOC analysts ignored them due to alert fatigue.
  o Impact: 40M credit/debit cards stolen.
  o Lesson: SOC processes & escalation must be strong.

🔹 Part 14 – Incident Response & Digital Forensics

1. What is Incident Response (IR)?

• Definition: A structured approach taken by SOC teams to detect, investigate, and respond to cyber incidents.
• Goal: Minimize damage, reduce recovery time, and prevent similar attacks in the future.
• Example: If a company’s website is under a DDoS attack, the SOC team will identify the attack, mitigate traffic using firewalls/CDNs, and restore normal service quickly.

2. Incident Response Lifecycle (NIST Model)

• Preparation → Building policies, tools, playbooks.
  o Example: A bank pre-defines steps for ransomware attacks.
• Detection & Analysis → Identifying anomalies and confirming incidents.
  o Example: SOC alerts show multiple failed logins from Russia at 3 AM.
• Containment, Eradication & Recovery → Isolating the system, removing malware, restoring services.
  o Example: Disconnecting infected laptops, wiping malware, reimaging devices.
• Post-Incident Activity → Lessons learned, documentation, reporting.
  o Example: After a phishing attack, the company improves employee training.

3. Key Tools Used in IR

• SIEM (Splunk, Wazuh, ELK Stack) → Log monitoring & correlation.
• EDR (CrowdStrike, SentinelOne, Microsoft Defender ATP) → Endpoint detection.
• Forensics Tools (Autopsy, FTK, EnCase, Volatility) → Deep investigation.
• Packet Analysis (Wireshark, Zeek) → Network traffic examination.

4. Digital Forensics Basics

• Definition: The process of collecting, preserving, and analyzing digital evidence in a way that is legally acceptable.
• Goal: Understand how an attack happened, identify the attacker, and ensure evidence is valid in court.
• Example: After a ransomware attack, forensic experts analyze logs, memory dumps, and disk images to trace the origin.

5. Types of Forensics

• Disk Forensics: Analyzing hard drives for deleted files, malware, or hidden data.
  o Example: Restoring deleted emails to investigate insider fraud.
• Memory Forensics: Analyzing RAM to detect running malware.
  o Example: Catching fileless malware (lives in memory only).
• Network Forensics: Investigating traffic captures for suspicious patterns.
  o Example: Detecting data exfiltration over unusual ports.
• Mobile Forensics: Extracting evidence from smartphones (calls, chats, GPS).
  o Example: Law enforcement retrieving WhatsApp data in a cybercrime case.

6. Chain of Custody in Forensics

• Definition: Documentation of who handled the evidence, when, and how.
• Why important? Maintains the trustworthiness of evidence in legal cases.
• Example: If a USB drive is collected as evidence, every person who touches it signs the log to ensure no tampering.
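The "store evidence with hash verification" step and the chain-of-custody log described here (and in Part 8 and Part 11 above), as an added example that is not the book's code: the evidence file is hashed at collection, every hand-off appends a custody entry carrying a fresh hash, and verification fails the moment the file no longer matches the collection hash. The evidence file, names and locker numbers are constructed.

```python
"""Evidence hashing plus an append-only chain-of-custody log (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so a multi-GB disk image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Record of who held an evidence item, when, why, and what it hashed to at that moment."""

    def __init__(self, evidence: Path):
        self.evidence = evidence
        self.entries = []

    def record(self, action: str, handler: str, note: str = "") -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,            # collected / transferred / stored / analysed
            "handler": handler,
            "sha256": sha256_of(self.evidence),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every logged hash equals the collection hash and the file still matches it."""
        if not self.entries:
            return False
        baseline = self.entries[0]["sha256"]
        return all(e["sha256"] == baseline for e in self.entries) and sha256_of(self.evidence) == baseline

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo(workdir: Path = None) -> dict:
    """Walk one constructed item through collection, a hand-off, and a tampering attempt."""
    workdir = workdir or Path(tempfile.mkdtemp())
    item = workdir / "usb_image.bin"          # constructed stand-in for a forensic image
    item.write_bytes(b"constructed evidence bytes\n" * 1000)

    log = CustodyLog(item)
    log.record("collected", "A. Analyst", "seized from workstation WS-17")
    log.record("transferred", "B. Examiner", "handed over in evidence bag #0042")
    intact_before = log.verify()

    # Simulated tampering: a single byte changes after the last hand-off.
    data = bytearray(item.read_bytes())
    data[0] ^= 0xFF
    item.write_bytes(bytes(data))
    intact_after = log.verify()

    # The next custodian hashes it again, so the mismatch is itself on the record.
    log.record("stored", "C. Custodian", "evidence locker 3")
    return {"before": intact_before, "after": intact_after, "entries": len(log.entries), "log": log.dump()}


if __name__ == "__main__":
    result = demo()
    print("intact before tampering:", result["before"], "| after:", result["after"])
    print(result["log"])
```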

7. Common Incident Scenarios & Response

• Phishing Attack: Block sender domain, reset compromised accounts, awareness training.
• Malware Infection: Isolate infected host, remove malware, patch vulnerability.
• Data Breach: Identify leaked data, notify impacted users, strengthen access control.
• DDoS Attack: Use traffic filtering, cloud mitigation (Cloudflare/Akamai), contact ISP.

🔹 Part 15 – Future of SOC (AI/ML, SOAR, XDR & Career Path)

1. The Future of SOC

• SOCs are evolving rapidly due to the volume of threats and the shortage of skilled analysts.
• Traditional manual monitoring is not enough → automation & AI are the future.

2. AI & Machine Learning in SOC

• Use Cases:
  o Detect anomalies in network traffic.
  o Predict attacks using historical data.
  o Automate triage of alerts.
• Example: An ML model detects an unusual login from China at midnight and flags it before the attacker escalates privileges.

3. SOAR (Security Orchestration, Automation & Response)

• Definition: Platforms that automate repetitive SOC tasks.
• Benefits:
  o Faster incident response.
  o Reduced human fatigue.
• Example: If a phishing email is detected → SOAR automatically quarantines the email, blocks the domain, and resets the password without analyst intervention.

4. XDR (Extended Detection & Response)

• Definition: Unified security platform that combines endpoint, network, cloud, and email security.
• Why useful? Provides a single-pane-of-glass view instead of multiple tools.
• Example: If an attacker compromises an endpoint → XDR shows related network traffic, cloud logins, and email compromise in one dashboard.

5. Zero Trust Security (Future Approach)

• Principle: “Never trust, always verify.”
• How it works: Every request (even inside the company network) must be verified.
• Example: An employee cannot access HR files without MFA, even when already logged into the corporate VPN.

6. SOC Career Path (L1 → L2 → L3)

• L1 – SOC Analyst:
  o First line of defense.
  o Monitors alerts, escalates real incidents.
  o Example: Sees brute-force alerts in SIEM and escalates.
• L2 – Incident Responder:
  o Investigates incidents in depth, performs containment.
  o Example: Analyzes malware samples, isolates affected machines.
• L3 – Threat Hunter/Forensics Expert:
  o Proactively hunts threats, does malware reverse engineering.
  o Example: Finds an advanced persistent threat (APT) in the network before it causes damage.
• Future Roles: AI Security Engineer, Cloud SOC Analyst, Red Team Operator integrated into SOC.

🔹 SOC L1 Analyst Duties & Tools

1. Primary Duties of L1 SOC Analysts

• Monitor Alerts
  o Watch SIEM dashboards for security events.
  o Example: Multiple failed login attempts trigger an alert.
• Triage Incidents
  o Determine if an alert is a real threat or a false positive.
  o Example: Email flagged as phishing but the sender is internal → false positive.
• Escalation
  o Pass confirmed incidents to L2 analysts for deeper investigation.
  o Example: Malware detected on endpoint → L2 investigates file behavior.
• Basic Endpoint & Network Investigation
  o Check logs, endpoint status, and network activity.
  o Example: Check a Wireshark capture for unusual outbound traffic.
• Maintain Documentation
  o Record alerts, actions taken, and escalations.

2. Tools L1 Analysts Commonly Use

• SIEM Platforms: Splunk, IBM QRadar, Microsoft Sentinel, Wazuh
  o Aggregate logs, alert analysts, and track incidents.
• EDR (Endpoint Detection & Response): CrowdStrike, SentinelOne, Defender ATP
  o Detect malware, lateral movement, and suspicious endpoint activity.
• XDR (Extended Detection & Response): Unified view of endpoint, network, and cloud events.
  o Example: See correlated alerts for the same attacker across multiple systems.
• SOAR Platforms: Palo Alto Cortex XSOAR, Splunk SOAR
  o Automate response workflows (e.g., quarantining devices, blocking IPs).
• Ticketing Systems: ServiceNow, Jira, Remedy
  o Track incidents from detection to resolution.

3. Benchmarks and KPIs for L1 SOC Analysts

• Mean Time to Detect (MTTD): Time taken to spot an incident.
• Mean Time to Respond (MTTR): Time taken to escalate or mitigate.
• Alert Accuracy: Percentage of alerts correctly classified as true positives.
• Ticket Resolution Rate: Number of tickets successfully escalated or closed.

4. Vulnerability Reporting

• Process:
  1. Identify potential vulnerabilities (via SIEM, vulnerability scanners, or EDR).
  2. Validate severity (Critical, High, Medium, Low).
  3. Document details (system, vulnerability type, impact, proof of concept).
  4. Report to L2/L3 or the vulnerability management team.
• Example: L1 detects an outdated SSL version on a server → reports to L2 → patch applied.

5. Real-World Example of L1 Workflow

1. SIEM triggers an alert for multiple failed logins.
2. L1 reviews logs → confirms unusual IP addresses.
3. Checks endpoint EDR for malware → nothing found.
4. Opens a ticket in ServiceNow → escalates to L2 analyst.
5. L2 investigates → finds compromised credentials → containment begins.
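Steps 1 and 2 of this workflow, and the SIEM correlation rule from Part 13 ("50 failed logins on an admin account followed by a successful login → brute-force attempt"), as one added example that is not the book's code or any SIEM product's rule language: the rule counts failures per account inside a sliding window and fires on the first success after the threshold, and the L1 triage check then asks whether the successful login came from a network the account is known to use. The log format, the lowered threshold of 5 (the book's example uses 50; lowered so the constructed sample stays short) and the "known networks" baseline are assumptions.

```python
"""Brute-force correlation rule plus the L1 'is this IP unusual?' triage check (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log in an assumed key=value format.
LOG = """\
2024-03-01T02:10:00Z host=vpn01 user=admin ip=198.51.100.7 result=FAIL
2024-03-01T02:10:05Z host=vpn01 user=admin ip=198.51.100.7 result=FAIL
2024-03-01T02:10:09Z host=vpn01 user=admin ip=198.51.100.7 result=FAIL
2024-03-01T02:10:14Z host=vpn01 user=admin ip=198.51.100.7 result=FAIL
2024-03-01T02:10:20Z host=vpn01 user=admin ip=198.51.100.7 result=FAIL
2024-03-01T02:10:31Z host=vpn01 user=admin ip=198.51.100.7 result=SUCCESS
2024-03-01T08:00:00Z host=vpn01 user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T08:00:30Z host=vpn01 user=jdoe ip=10.0.0.5 result=SUCCESS
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

FAILED_THRESHOLD = 5            # the book's example uses 50; lowered so the sample stays short
WINDOW = timedelta(minutes=10)
# Assumed baseline: the networks each account normally logs in from.
KNOWN_NETWORKS = {
    "admin": [ipaddress.ip_network("10.0.0.0/8")],
    "jdoe": [ipaddress.ip_network("10.0.0.0/8")],
}


def parse(log: str):
    """Yield one dict per well-formed line; unparseable lines are skipped here
    (a production rule would count them, since gaps in logging are themselves a finding)."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def detect(log: str = LOG, threshold: int = FAILED_THRESHOLD, window: timedelta = WINDOW) -> list:
    """Alert when an account's successful login follows >= threshold failures within the window.
    Failures are counted per account regardless of source IP, so spraying from many IPs still counts."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ev in parse(log):
        q = failures[ev["user"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that fell out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "failed": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


def triage(alert: dict, known=KNOWN_NETWORKS) -> dict:
    """Step 2 of the L1 workflow: is the successful login's source IP unusual for this account?"""
    ip = ipaddress.ip_address(alert["ip"])
    usual = any(ip in net for net in known.get(alert["user"], []))
    return {**alert, "unusual_ip": not usual, "next_step": "escalate to L2" if not usual else "verify with user"}


if __name__ == "__main__":
    for a in detect():
        print(triage(a))
```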

✅ Summary

• L1 SOC analysts are the first line of defense, monitoring alerts, triaging, and escalating incidents.
• They use SIEM, EDR/XDR, and SOAR tools to identify threats quickly.
• Proper documentation and vulnerability reporting are key to keeping SOC operations effective.
• KPIs like MTTD, MTTR, and ticket resolution rate help measure performance.

7. Big Challenges Ahead for SOC

• Alert Fatigue: Too many false positives → analysts overwhelmed.
• Skill Shortage: Lack of trained professionals worldwide.
• Advanced Attacks: AI-powered malware and deepfake-based social engineering.
• Cloud Security: More companies moving to AWS, Azure, GCP → SOC must adapt.

8. The Final Word

• SOCs will become AI-driven, automated, and proactive instead of reactive.
• Cybersecurity professionals who understand AI, threat intelligence, cloud security, and automation will be in high demand.
• The journey from SOC basics to advanced AI-powered defense is continuous learning.
