Post

TCM SOC 101 - Notes

Posted
By Shervoni
8 min read
TCM SOC 101 - Notes

Part 1 - SOC Fundamentals

Context: This section covers the foundational concepts of Security Operations Centers (SOCs). Understanding these basics is essential for anyone entering cybersecurity operations, as it explains how organizations centralize their security monitoring and response capabilities.

SOC (Security Operations Center) - A centralized unit that monitors, detects, and responds to security incidents, threats, and system activities 24/7.

SOC Functions: Monitor, Detect, Protect, Respond

SOC Key Functions:

  • Reactive: Incident Response, Forensic Analysis, Malware Analysis
  • Proactive: Threat Intelligence, Threat Hunting, Vulnerability Management (VM)

SOC Core Components (People, Process, Technology):

  • People: Analysts, Responders, Engineers, etc.
  • Process: IR Plans, Playbooks, Procedures
  • Technology: SIEM, IDS/IPS, EDR, SOAR, etc.

SOC Responsibilities & Roles:

  • Alert Triage-
  • Incident Triage
  • First-Line Analysis and Investigation
  • Documentation and Reporting
  • Escalation and Collaboration
  • Continuous Improvement and Training

Incident Management Process: Incident Identification → Classification → Investigation → Containment → Eradication → Recovery

Detection Rule Outcomes:

  • True Negative: Legitimate user with multiple incorrect password attempts
  • True Positive: Correctly detected cyber-attack
  • False Negative: Attack occurred but was not detected by security tools
  • False Positive: Benign activity incorrectly flagged as an attack

Common SOC Tools: SIEM, SOAR, EDR, NSM, IDS/IPS, TIP

Common Threats:

  • Social Engineering: Phishing, Spoofing, Vishing, SMiShing, Quishing
  • Malware: Worms, Spyware, Adware, Ransomware, Trojans, Fileless Malware
  • Other Threats: Identity/Account Compromise, Insider Threats, APTs, DDoS, Data Breaches, Zero-days, Supply Chain Attacks

Part 2 - Phishing Analysis

Context: Phishing remains the most common attack vector, accounting for over 90% of data breaches. This section details how to analyze phishing attempts, understand attacker techniques, and implement both reactive and proactive defenses against email-based threats.

Email Protocols: SMTP, POP3/IMAP

Phishing Attack Types:

  • Information Gathering
  • Credential Harvesting
  • Malware Delivery
  • Spear Phishing
  • Whaling
  • Vishing, SMiShing, Quishing

Phishing Techniques:

  • Pretexting, Spoofing, Impersonation
  • URL Manipulation, Encoding
  • Malicious Attachments
  • Abuse of Legitimate Services
  • Pharming

Analysis Methodology:

  1. Initial Triage
  2. Header/Sender Examination
  3. Content Examination
  4. Web/URL Analysis
  5. Attachment Analysis
  6. Contextual Review

Email Header Analysis Elements:

  • Date, Time, Subject
  • Message ID, Send/Reply-To addresses
  • X-Sender-IP, Received Headers
  • Check if others received similar emails

Email Authentication: SPF, DKIM, DMARC

Email Content Analysis:

  • MIME types
  • Grammar and spelling errors
  • Urgency indicators
  • HTML entity encoding
  • Quoted-printable encoding

URL Anatomy:

  • Protocol
  • Hostname (Subdomain + Domain + TLD)
  • Path (Subdirectory/File + Parameters)

URL Analysis Techniques:

  • Hover over links to preview destinations
  • Check for quoted-printable encoding
  • Defang URLs (e.g., hxxps://)
  • Identify impersonation of legitimate domains

Attachment Analysis:

  • Calculate hashes (SHA256, SHA1, MD5)
  • Verify file integrity
  • Check file reputation

Dynamic Analysis (Sandboxing):

  • Monitor file behavior
  • Track process activity
  • Record registry changes
  • Analyze network traffic
  • Observe file activities

Static Analysis:

  • Manual extraction and inspection of files
  • PDF analysis for embedded URLs/URIs and files
  • Document analysis for malicious content

Automated Tools: PhishTool (supports .eml, .msg, .txt)

Reactive Phishing Defense:

  • Containment/Scope Analysis: Determine attack scope and potential targets
  • Email Headers: Analyze for spoofing indicators
  • Quarantine/Isolate: Remove malicious emails
  • Block Artifacts: Domain, subject lines, sender emails, IP addresses, URLs, file hashes, file names
  • Eradication: Delete all instances of malicious content
  • Report Abuse: Notify domain registrars
  • Recovery: Restore affected systems
  • Communication: Notify internal users
  • User Education: Reinforce security awareness

Proactive Phishing Defense:

  • Email filtering and tagging
  • URL scanning and blocking
  • Block recently registered domains
  • Attachment filtering
  • Ongoing user training

Documentation & Reporting: Collect all artifacts for comprehensive reports

Part 3 - Network Security

Context: Network security focuses on protecting the integrity, confidentiality, and availability of data as it traverses network infrastructure. This section covers essential concepts for monitoring and securing network communications, from packet analysis to intrusion prevention systems.

Network Layer Protocols: IP Addressing, IP Routing, TCP (Connection-Oriented), UDP (Connectionless)

Packet Capture & Flow Analysis:

  • Intercepting packets
  • PCAP file analysis
  • Flow records analysis
  • 5-Tuple: (Source IP, Source Port, Destination IP, Destination Port, Transport Protocol)

Tcpdump: Capture and analyze network traffic by host, port, or network

Wireshark Features:

  • Filter by protocol (e.g., http.request)
  • Export objects
  • Follow TCP streams
  • Calculate packet checksums
  • View comprehensive statistics

IDS/IPS Systems:

  • IDS (Intrusion Detection System): Passive monitoring, IOC matching, logging, alert generation
  • IPS (Intrusion Prevention System): Active traffic inspection, blocking/dropping malicious packets, terminating connections

Deployment Types:

  • NIDS/NIPS: Network-based, analyzes traffic flow
  • HIDS/HIPS: Host-based, monitors endpoint activity

Detection Methods:

  • Signature-Based: Comparison against known threat patterns
  • Behavior-Based: Anomaly detection (effective for unknown threats, may generate false positives)
  • Rule-Based: Customizable rules for specific organizational needs (requires regular updates)

Snort: Open-source IDS/IPS with customizable rules, suitable for smaller environments

Part 4 - Endpoint Security

Context: Endpoints (laptops, servers, mobile devices) are primary targets for attackers. This section explores how to secure these devices through various security controls, monitoring techniques, and forensic investigation methods, with a focus on Windows and Linux systems.

Endpoints: Any device connecting to an organization’s network:

  • Workstations (Desktops & Laptops)
  • Mobile Devices (Smartphones, Tablets)
  • Servers (Email, Web, Database, File)
  • IoT Devices (Printers, Cameras, ICS/SCADA Systems)
  • Networking Equipment (Routers, Switches, Firewalls)

Endpoint Security Controls:

  • Antivirus/Antimalware: Signature-based file and activity scanning
  • EDR (Endpoint Detection & Response): Real-time monitoring of processes, files, registry, and network activity
  • XDR (Extended Detection & Response): Integrated security across multiple platforms
  • DLP (Data Loss Prevention): Protection of sensitive data at rest, in transit, and in use
  • UEBA (User Entity Behavior Analytics): Detection of anomalous user behavior
  • HIDS/HIPS: Host-based intrusion detection/prevention
  • Host-based Firewalls: Control of inbound/outbound traffic

Endpoint Monitoring Areas:

  • Process Execution: Running processes, PIDs, command-line arguments, parent-child hierarchy
  • File System Changes: Creation, modification, deletion, File Integrity Monitoring (FIM)
  • Network Connections: Traffic analysis with associated processes
  • Registry Modifications: Detection of persistence mechanisms and evasion techniques

Basic Malware Analysis: Creating test malware with msfvenom to understand behavior

Windows Network Analysis:

  • netstat -anob for connections and processes
  • TCPView for graphical analysis
  • Verify process hashes and module names

Windows Process Analysis:

  • System Processes: Core OS functions (System, smss.exe, csrss.exe)
  • User Processes: Applications (chrome.exe, notepad.exe)
  • Service Processes: Background tasks (lsass.exe, Windows Update)
  • Process Hierarchy: Parent → Child relationships
  • Tools: tasklist, wmic, Process Explorer

Windows Core Processes:

  • System (PID 4): Kernel-mode threads managing hardware/resources
  • smss.exe: Session Manager, initiates user sessions
  • csrss.exe: Client/Server Runtime Subsystem, manages console/GUI
  • wininit.exe: Windows Initialization, spawns services.exe and lsass.exe
  • services.exe: Service Control Manager
  • svchost.exe: Service Host (multiple instances with -k parameters)
  • lsass.exe: Local Security Authority (authentication)
  • winlogon.exe: Manages login/logout procedures
  • explorer.exe: Windows shell/GUI interface

Process Investigation Checklist:

  • Verify parent/child process relationships
  • Check command-line arguments
  • Look for process name lookalikes or typos
  • Verify user account context
  • Validate image file paths

Windows Registry: Context: The Windows Registry is a hierarchical database that stores low-level settings for the Windows operating system and applications. Think of it as the central nervous system of Windows - when you change your desktop wallpaper, install software, or modify system settings, those changes are recorded in the registry. Attackers often target the registry to establish persistence or hide malicious activity.

  • HKCR: File associations and COM objects
  • HKCU: Current user settings
  • HKLM: System-wide settings
  • HKU: All user profiles
  • HKCC: Current hardware configuration

Windows Autoruns: Common persistence locations:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SYSTEM\CurrentControlSet\Services

Windows Service Analysis: Use services.msc to examine service details

Task Scheduler: Review scheduled tasks for malicious activities

Windows Event Logs: Key Security Event IDs:

  • 4720: User account created
  • 4688: New process created
  • 1102: Audit log cleared
  • 7045: Service installed

Sysmon (System Monitor): Enhanced logging tool

  • Event ID 1: Process Creation
  • Event ID 3: Network Connection
  • Event ID 11: File Create
  • Event ID 22: DNS Query

Linux Analysis:

  • Network: netstat, ss
  • Processes: ps, pstree, top, htop
  • Scheduled Tasks: cron jobs

Part 5 - SIEM Fundamentals

Context: Security Information and Event Management (SIEM) systems are the central nervous system of modern SOCs. They collect, correlate, and analyze security data from across an organization. Understanding SIEM principles is crucial for effective threat detection, incident investigation, and compliance reporting.

Core Principle: Understanding SIEM functionality is essential for effective troubleshooting and security.

SIEM Components: Data collection, normalization, correlation, analysis, reporting

Log Types:

  • System Logs: Windows Events, Sysmon, Linux logs
  • Network Logs: Firewall, Proxy, DNS logs
  • Application Logs: Database, Web Server, Application logs
  • Security Logs: Authentication, IDS/IPS, Endpoint logs
  • Cloud Logs: AWS CloudTrail, Azure Activity Logs
  • Audit Logs: Compliance and audit trails

Log Formats:

  • Unstructured: Plain text, Common Log Format (CLF)
  • Semi-Structured: Syslog, Windows EVT/EVTX
  • Structured: JSON, XML, CSV, TSV

Common Attack Signatures:

User Behavior Analysis:

  • Multiple failed login attempts
  • Abnormal login times
  • Unusual geographic locations
  • Anomalous file access patterns
  • Suspicious User-Agent strings

SQL Injection Indicators:

  • SQL keywords: SELECT, UNION, FROM, WHERE
  • Injection characters: ', --, ;
  • URL-encoded SQL commands
  • Database error messages

Cross-Site Scripting (XSS) Indicators:

  • <script> tags
  • Event handlers: onload, onclick, onmouseover
  • Special characters: <, >, ", '
  • URL-encoded script content

Command Injection Indicators:

  • Command separators: ;, |, &&, ||
  • Common utilities: cmd.exe, bash, curl, wget
  • System commands in input fields

Path Traversal/LFI Indicators:

  • Directory traversal sequences: ../, ..\
  • References to sensitive files
  • Attempts to access system directories

Command-Line Log Analysis:

  • file [logfile] - Identify file type
  • ls -lh [logfile] - Check file size
  • wc -l -w -c [logfile] - Count lines, words, characters
  • head/tail -n [number] [logfile] - View file beginnings/ends
  • more/less - Paginated file viewing

Structured Log Analysis: Use jq for JSON data: jq . filename.json

Part 6 - Threat Intelligence

Context: Threat intelligence involves collecting and analyzing information about potential attackers and their methods to proactively defend against future attacks. This knowledge helps organizations anticipate threats, understand adversary tactics, and make informed security decisions before incidents occur.

Objectives:

  • Identify threat actors and intelligence sources
  • Understand the intelligence cycle
  • Recognize TTPs (Tactics, Techniques, Procedures)
  • Learn intelligence frameworks and models
  • Detect malware using pattern rules

Types of Threat Intelligence:

  • Strategic: High-level analysis of threat actor motives, goals, capabilities
  • Tactical: Focus on TTPs and methodologies
  • Operational: Specific impending attacks, plans, timelines
  • Technical: IOCs (Indicators of Compromise)

The Intelligence Cycle:

  1. Planning & Direction: Define requirements
  2. Collection: Gather data (OSINT, etc.)
  3. Processing & Analysis: Analyze collected information
  4. Dissemination: Share findings with stakeholders
  5. Feedback: Refine processes based on results
Courses, TCM 101
TCM Blue Teaming
This post is licensed under CC BY 4.0 by the author.