Answers for SOC Fundamentals TryHackMe


Hello Folks,

In this blog, we will cover the concepts as well as the answers for the “SOC Fundamentals” room, which is part of the “Cyber Security 101” learning path. The room covers the fundamentals of a Security Operations Center (SOC), including its purpose and its components (people, process and technology). At the end there is a practical exercise; after completing it we will be familiar with the day-to-day work performed in a SOC.

You can access the room by clicking here.

Task 1 Introduction to SOC

This task introduces the basic concept of a SOC, whose job is to protect critical data and systems from cyber threats. A Security Operations Center (SOC) is a dedicated team that monitors the organisation’s networks and systems around the clock (24/7) in order to detect malicious activity and respond to it, protecting the company’s assets.

Q 1.1- What does the term SOC stand for?

A 1.1- Security Operations Center 

Task 2 Purpose and Components

In this section, we dive deeper into the purpose and components of a SOC. The primary focus of a SOC is Detection and Response: detection means spotting activity such as the unauthorized login attempt in Q 2.1, and response means containing and remediating what was detected. Effective SOC operations rely on three pillars, People, Process and Technology, which together create an efficient environment for detection and response.

Q 2.1- The SOC team discovers an unauthorized user is trying to log in to an account. Which capability of SOC is this?

A 2.1- Detection

Q 2.2- What are the three pillars of a SOC?

A 2.2- People, Process, Technology

Task 3 People

Despite automation, skilled people in a SOC are essential for filtering out false positives and identifying real threats. The SOC team includes roles such as Level 1, 2 and 3 Analysts (who triage alerts, investigate them and escalate them in increasing depth), Security Engineers and Detection Engineers (who deploy and manage the security solutions and write the detection rules that raise alerts), and a SOC Manager, who oversees the processes and reports to the CISO on the organisation’s security posture.

Q 3.1- Alert triage and reporting is the responsibility of?

A 3.1- SOC Analyst (Level 1)

Q 3.2- Which role in the SOC team allows you to work dedicatedly on establishing rules for alerting security solutions?

A 3.2- Detection Engineer

Task 4 Process

SOC processes start with alert triage, where analysts assess each alert using the “5 Ws” (What, When, Where, Who, Why) to decide its severity and priority, and continue with reporting, where important findings are escalated to higher-level analysts as detailed tickets. For severe threats, the team performs incident response and forensics to analyse and contain the malicious activity and to identify its root cause.

Q 4.1- At the end of the investigation, the SOC team found that John had attempted to steal the system’s data. Which ‘W’ from the 5 Ws does this answer?

A 4.1- Who

Q 4.2- The SOC team detected a large amount of data exfiltration. Which ‘W’ from the 5 Ws does this answer?

A 4.2- What

Task 5 Technology

In a SOC, technology means the security solutions that centralise threat detection and response and reduce manual effort. Key tools include the SIEM (Security Information and Event Management), which collects logs from many sources and raises alerts when detection rules match; EDR (Endpoint Detection and Response), which gives visibility into endpoints and the ability to respond on them; and firewalls, which filter incoming and outgoing network traffic. These, along with others such as IDS/IPS and SOAR, are chosen based on the organisation’s needs and resources so that the network is protected effectively.
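The following is an added example and is not part of the TryHackMe room or of this post: a toy SIEM-style detection rule for port scans that runs over a constructed firewall log, followed by a triage helper that fills in the 5 Ws from Task 4 in the same shape as the Task 6 exercise (including the “did the target answer?” investigation note). The log lines, the host names (Nessus, web-srv-01), the IP addresses, the asset inventory, the approved-scanner list and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (NOT real data): timestamp, src, dst, dport, action.
# 10.0.0.9 touches 12 ports on 10.0.0.3 in 11 seconds; 10.0.0.3 sends one
# packet back; 10.0.0.5 and 10.0.0.7 are ordinary traffic (1 and 3 ports).
SAMPLE_LOGS = """\
2024-06-12T17:24:01 src=10.0.0.9 dst=10.0.0.3 dport=21 action=deny
2024-06-12T17:24:02 src=10.0.0.9 dst=10.0.0.3 dport=22 action=allow
2024-06-12T17:24:03 src=10.0.0.9 dst=10.0.0.3 dport=23 action=deny
2024-06-12T17:24:04 src=10.0.0.9 dst=10.0.0.3 dport=25 action=deny
2024-06-12T17:24:05 src=10.0.0.9 dst=10.0.0.3 dport=53 action=deny
2024-06-12T17:24:06 src=10.0.0.9 dst=10.0.0.3 dport=80 action=allow
2024-06-12T17:24:06 src=10.0.0.3 dst=10.0.0.9 dport=51515 action=allow
2024-06-12T17:24:07 src=10.0.0.9 dst=10.0.0.3 dport=110 action=deny
2024-06-12T17:24:08 src=10.0.0.9 dst=10.0.0.3 dport=135 action=deny
2024-06-12T17:24:09 src=10.0.0.9 dst=10.0.0.3 dport=139 action=deny
2024-06-12T17:24:10 src=10.0.0.9 dst=10.0.0.3 dport=143 action=deny
2024-06-12T17:24:11 src=10.0.0.9 dst=10.0.0.3 dport=443 action=allow
2024-06-12T17:24:12 src=10.0.0.9 dst=10.0.0.3 dport=445 action=deny
2024-06-12T16:10:00 src=10.0.0.5 dst=10.0.0.3 dport=443 action=allow
2024-06-12T16:11:00 src=10.0.0.5 dst=10.0.0.3 dport=443 action=allow
2024-06-12T16:12:00 src=10.0.0.5 dst=10.0.0.3 dport=443 action=allow
2024-06-12T15:00:00 src=10.0.0.7 dst=10.0.0.3 dport=22 action=allow
2024-06-12T15:30:00 src=10.0.0.7 dst=10.0.0.3 dport=80 action=allow
2024-06-12T16:00:00 src=10.0.0.7 dst=10.0.0.3 dport=3389 action=deny
"""

# Constructed asset inventory and approved-scanner list (a CMDB lookup in practice).
INVENTORY = {"10.0.0.9": "Nessus", "10.0.0.3": "web-srv-01"}
AUTHORISED_SCANNERS = {"10.0.0.9"}


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts; dport becomes an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = int(value) if key == "dport" else value
        events.append(ev)
    return events


def detect_port_scans(events, threshold=10, window_seconds=60):
    """Detection rule: one source hitting >= threshold distinct ports on one
    destination inside the time window. Returns one alert per (src, dst)."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ports = {e["dport"] for e in in_window}
            if len(ports) >= threshold:
                alerts.append({
                    "rule": "port_scan", "src": src, "dst": dst,
                    "first_seen": start["ts"], "last_seen": in_window[-1]["ts"],
                    "ports": sorted(ports),
                    # Investigation note: did the target send anything back?
                    "responded": any(e["src"] == dst and e["dst"] == src for e in events),
                })
                break  # one alert per pair; a real SIEM would de-duplicate
    return alerts


def triage(alert, inventory=INVENTORY, authorised=AUTHORISED_SCANNERS):
    """Fill in the 5 Ws for a port-scan alert. The 'why' is only a default
    verdict (approved scanner or not); the analyst confirms it during triage."""
    return {
        "what": "Port scan (%d ports)" % len(alert["ports"]),
        "when": alert["first_seen"].strftime("%B %d, %Y %H:%M"),
        "where": "%s (%s)" % (alert["dst"], inventory.get(alert["dst"], "unknown host")),
        "who": inventory.get(alert["src"], alert["src"]),
        "why": "Intended" if alert["src"] in authorised else "Malicious",
        "response_sent_back": "yea" if alert["responded"] else "nay",
    }


def run(text=SAMPLE_LOGS):
    """Parse the log, run the rule and return one triage ticket per alert."""
    return [triage(alert) for alert in detect_port_scans(parse_log(text))]


if __name__ == "__main__":
    for ticket in run():
        for key, value in ticket.items():
            print(f"{key:>18}: {value}")
```

With the default threshold only the Nessus host raises an alert, and because 10.0.0.9 is on the approved-scanner list the ticket is marked Intended; the same rule with a lower threshold and a longer window would also flag 10.0.0.7, which is not in the inventory and therefore lands on the analyst's queue as a Malicious verdict to be confirmed or dismissed.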

Q 5.1- Which security solution monitors the incoming and outgoing traffic of the network?

A 5.1- Firewall

Q 5.2- Do SIEM solutions primarily focus on detecting and alerting about security incidents? (yea/nay)

A 5.2- yea

Task 6 Practical Exercise of SOC

In this section, a practical task is given in which we apply what we have learnt: we triage an alert using the 5 Ws, add our investigation notes and close the alert.

Q 6.1- What: Activity that triggered the alert?

A 6.1- Port Scan

Q 6.2- When: Time of the activity? 

A 6.2- June 12, 2024 17:24

Q 6.3- Where: Destination host IP? 

A 6.3- 10.0.0.3

Q 6.4- Who: Source host name?

A 6.4- Nessus

Q 6.5- Why: Reason for the activity? Intended/Malicious

A 6.5- Intended

Q 6.6- Additional Investigation Notes: Has any response been sent back to the port scanner IP? (yea/nay)

A 6.6- Yea

Q 6.7- What is the flag found after closing the alert?

A 6.7- THM{000_INTRO_TO_SOC}

Task 7 Conclusion

I understand the fundamentals of a SOC.

No answer needed

You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX
