Introduction

This write-up covers an introduction to the Security Operations Center (SOC): how it works, the different roles within it, and responsibilities such as network monitoring, intrusion detection, incident response and vulnerability management. It is part of the TryHackMe Introduction to Cybersecurity track.

What I Learned About SOCs

I discovered that a Security Operations Center (SOC) is essentially a dedicated team that works around the clock, often 24/7, to monitor networks for security threats. These teams can be in-house, protecting the company they work for, or they can be an agency, providing security services to multiple client companies.

Typical SOC Responsibilities

The video below detailed several crucial tasks that SOC teams perform:

  • Finding Vulnerabilities: I learned that SOCs regularly run vulnerability scans against the networks they protect. This involves using tools like Nessus and constantly staying updated on new zero-day vulnerabilities.
  • Detecting Unauthorized Activity: A core responsibility is to monitor logs closely to identify any suspicious logins or other abnormal behaviors that could indicate a breach.
  • Discovering Policy Violations: SOCs ensure that company or client security policies are strictly followed. This could involve preventing employees from downloading pirated media or sending confidential files insecurely.
  • Detecting Intrusions: This involves identifying any unauthorized access to the network, such as someone gaining a shell on a web server.
  • Supporting Incident Response: When an intrusion or compromise is detected, the SOC is responsible for triggering and supporting the entire incident response process.
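The "Detecting Unauthorized Activity" bullet above describes watching logs for suspicious logins. As an added illustration (not code from the original post or from TryHackMe), the following Python script parses a handful of constructed sshd authentication lines, groups them by source address, flags any source that produces a burst of failed logins inside a short window, and notes whether that same source later logged in successfully, which is the case an analyst most wants to see first. The threshold, window and sample lines are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines for the demonstration (not taken from the page).
# 203.0.113.45 hammers two accounts and then gets in; the other two sources are benign.
SAMPLE_AUTH_LOG = """\
Jun 12 09:14:02 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jun 12 09:14:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Jun 12 09:14:07 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jun 12 09:14:09 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51133 ssh2
Jun 12 09:14:12 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51140 ssh2
Jun 12 09:14:15 web01 sshd[2213]: Accepted password for root from 203.0.113.45 port 51141 ssh2
Jun 12 09:20:44 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 12 09:31:10 web01 sshd[2355]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jun 12 09:31:40 web01 sshd[2355]: Accepted password for bob from 198.51.100.9 port 40101 ssh2
"""

# Matches the "Accepted"/"Failed" lines sshd writes for password and public-key logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn raw sshd lines into event dicts; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, ignore it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_suspicious_logins(events, max_failures=4, window_seconds=60):
    """Return one alert per source that has max_failures or more failed logins
    within window_seconds, noting whether that source then logged in successfully."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over the failure timestamps: advance `start` until the
        # window fits, then check how many failures it contains.
        start, burst = 0, False
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                burst = True
                break
        if not burst:
            continue

        last_failure = failures[-1]["ts"]
        success_after = any(e["result"] == "Accepted" and e["ts"] >= last_failure for e in evs)
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,  # highest priority if True
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

Running it reports a single alert for 203.0.113.45 with five failures against the admin and root accounts and `success_after_burst` set, which is the kind of finding that would be escalated rather than merely logged; a single failed then successful login from 198.51.100.9 is not reported, because one typo is normal user behaviour.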

Data Sources and Services in Security Operations

I also gained insight into the types of data SOC analysts work with and the services they provide:

  • Data Sources: SOC analysts deal with various logs, including server logs (such as Apache, IIS, and DNS server logs). I learned that Security Information and Event Management (SIEM) systems, such as Splunk or IBM QRadar, are critical for gathering and analyzing these logs from diverse sources in one centralized location.
  • SOC Services:
    • Vulnerability Management: Continuously identifying and addressing security weaknesses.
    • Monitoring Security Posture: Keeping an eye on the overall security health of the network.
    • Malware Analysis: Often performed by more experienced Tier 2 or Tier 3 analysts, this involves dissecting malware found during an incident to understand its nature and origin.
    • Intrusion Detection: Actively identifying unauthorized access attempts.
    • Reporting to Clients: Providing regular security reports and updates.
    • Threat Hunting: Proactively searching for hidden threats within the network and understanding the root cause of incidents.
    • Threat Intelligence: Building comprehensive profiles of attackers, their tactics, techniques, and procedures (TTPs), often referencing frameworks like MITRE ATT&CK.

I also briefly heard the term Network Security Monitoring (NSM), which is closely related to these activities.

Practical SOC Scenario: Denial of Service Attack

The video below included a practical walkthrough of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack scenario on a web server, which really helped me understand the process:

  • Detection: I learned that an Intrusion Detection System (IDS), like Snort or Wazuh, would typically alert the SOC about an abnormal number of packets hitting the server.
  • Incident Response Steps:
    1. Declare an Incident: The initial alert is escalated to a formal incident.
    2. Identify Type and Impact: The team determines it’s a DoS/DDoS attack and assesses the potential damage, such as a server crash or downtime.
    3. Isolate the Asset: If feasible, the next step is to cut internet access to the affected server to stop the malicious traffic.
    4. Block the Source: The attacking IP address(es) are then added to the firewall blocklist. In the TryHackMe example, this involved adding firewall rules through a simulated web interface.
    5. Containment & Eradication: After isolation and blocking, the compromised machine should be inspected for malware. In a real-world scenario, I learned that you’d typically clone the infected machine for in-depth analysis and restore the production server from a clean backup.
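The detection and blocking steps above (an IDS noticing an abnormal volume of traffic, then the offending addresses going onto the firewall blocklist) can be shown end to end in code. The following Python script is an added example, not part of the original post or of the TryHackMe room: it parses constructed Apache-style access log lines, counts requests per source address in fixed time buckets, flags any source that exceeds a rate threshold, and renders iptables DROP rules for the flagged sources as text for an analyst to review before applying. The room's example applied rules through a simulated web interface; here the rules are only generated, never executed. The bucket size, threshold, allowlist and log lines are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache-style access log lines (not from the page).
# 203.0.113.77 sends 60 requests inside three seconds; the two other clients are normal.
SAMPLE_ACCESS_LOG = "\n".join(
    [f'203.0.113.77 - - [12/Jun/2024:10:00:0{i % 3} +0000] "GET /index.html HTTP/1.1" 200 512'
     for i in range(60)]
    + [
        '198.51.100.20 - - [12/Jun/2024:10:00:01 +0000] "GET /about HTTP/1.1" 200 2048',
        '198.51.100.21 - - [12/Jun/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
        '198.51.100.20 - - [12/Jun/2024:10:00:09 +0000] "GET /contact HTTP/1.1" 200 1024',
    ]
)

# Common Log Format: client, identd, user, [timestamp], "request", status, size.
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_log(text):
    """Return (timestamp, client_ip) pairs for every well-formed access log line."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"]))
    return events


def detect_flood(events, window_seconds=10, threshold=50):
    """Detection step: bucket requests into fixed windows and return
    {ip: peak_requests_in_one_window} for every source over the threshold."""
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> requests per ip
    for ts, ip in events:
        epoch = int(ts.timestamp())
        buckets[epoch - (epoch % window_seconds)][ip] += 1

    offenders = {}
    for counter in buckets.values():
        for ip, n in counter.items():
            if n > threshold and n > offenders.get(ip, 0):
                offenders[ip] = n
    return offenders


def build_block_rules(offenders, allowlist=()):
    """Blocking step: render one iptables DROP rule per offending source.
    Addresses on the allowlist (monitoring hosts, load balancers) are never blocked,
    because a false positive here is itself a denial of service."""
    rules = []
    for ip in sorted(offenders):
        if ip in allowlist:
            continue
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    events = parse_access_log(SAMPLE_ACCESS_LOG)
    offenders = detect_flood(events)
    print("sources over threshold:", offenders)
    for rule in build_block_rules(offenders, allowlist={"198.51.100.20"}):
        print("proposed rule:", rule)
```

On the sample data the only source over the threshold is 203.0.113.77 with 60 requests in a single ten-second bucket, so exactly one DROP rule is proposed. Raising the threshold above the burst size, or putting the source on the allowlist, yields no rules, which is the behaviour you want before wiring such output to a real firewall: a human confirms the incident (step 2 above) before the block is applied (step 4).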

Conclusion

This room marked the successful completion of the “Intro to Cyber Security” pathway on TryHackMe for me. I’m now considering diving into the “Pre-Security” pathway next!

Regarding technical commands, I didn’t see any specific commands typed into a terminal during this video. The practical example involved interacting with a simulated web interface to configure firewall rules through clicks, not command-line inputs.

TryHackMe Room Answers

What does NSM stand for?

Add the necessary firewall rules to block the ongoing attack. What is the flag that you have received after successfully stopping the attack?

What does SOC stand for?

How many hours a day does the SOC monitor the network?


Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
