SOC Overall Notes
o Continuous Monitoring: To ensure no attacks occur.
o Early Threat Detection: To detect potential threats before they
escalate, such as a phishing email.
o Quick Incident Response: To respond swiftly when an incident
occurs, like isolating a system affected by a virus.
o Compliance and Reporting: To protect organisations from legal
authorities and meet regulatory requirements.
o Reputation Protection: To safeguard the company's image, as a
hack can severely impact reputation, especially for security service
providers.
o Cost Saving: Though discussed later in the video, it is a significant
benefit.
o SOCs also help monitor competitors' attacks to detect threats early
and enable quick incident response.
o SOCs can be in-house or provided as a third-party service
(Managed Security Service Provider or MSSP).
• SOC Team Architecture
o A typical SOC team structure includes:
▪ L1 (Level 1) Analyst / First Responder: Receives tickets,
monitors SIEM tools, performs initial triage (identifying,
sorting, categorising alerts based on criticality), and
escalates critical issues to L2. This is often where freshers
begin their careers.
▪ L2 (Level 2) Analyst / Incident Responder: Investigates and
escalates incidents, conducts deeper analysis, and responds
by containing and mitigating threats. They are more senior
than L1.
▪ L3 (Level 3) Analyst / Threat Hunter & Advanced Analyst:
Performs advanced threat hunting and forensic
investigations, proactively identifies new threats (including
malware and zero-day threats), and develops/fine-tunes
detection rules for the SOC Playbook. This is often
considered a "dream job".
▪ SOC Manager: Oversees the entire SOC team (L1, L2, L3),
manages processes, policies, and demonstrates team
effectiveness.
▪ Some companies also have an Incident Response Team that
works with the SOC during critical incidents to contain
breaches, recover, and provide recommendations.
• SOC Workflow & Day-to-Day Activities
The general SOC workflow involves:
1. Continuous Tracking/Monitoring: System activities are tracked using
tools like a SIEM (Security Information and Event Management) system, which
collects logs from various sources.
2. Detection: Identifying suspicious activities or anomalies.
3. Triage: Classifying and validating alerts, determining severity (criticality,
urgency, impact), often handled by L1 analysts following a Playbook.
4. Investigation: Deeper analysis to confirm and assess incidents, typically
by L2 analysts.
5. Response: Containing and mitigating threats, restoring operations,
handled by L2 and L3.
6. Post-Incident Improvement: Incident review to enhance defences and
update the Playbook.
o Day of a SOC L1 Analyst: Starts with handover notes, reviews
priority alerts, monitors the SIEM, classifies alerts (low, medium, high
severity), conducts basic investigation (validating alerts by
reviewing logs, identifying false positives), escalates important
issues, documents findings in a ticketing system, and collaborates
with L2 and other teams. Their focus is real-time monitoring, and
challenges include handling high alert volumes and distinguishing
false positives from real threats.
o Day of a SOC L2 Analyst: Reviews incidents escalated by L1,
performs detailed investigations by analysing logs, network traffic,
and endpoint activity. They respond to incidents by isolating
compromised systems, work with L3 for advanced analysis, use
threat intelligence, review malware samples, follow incident
response Playbooks, provide remediation insights, and update
reports. Their focus is on detailed investigations and coordination
for incident response, handling high-critical incidents and
balancing investigations.
o Day of a SOC L3 Analyst: Reviews L2 findings, plans and performs
advanced threat hunting by analysing patterns in logs and traffic.
They conduct malware analysis (reverse engineering suspicious
files using tools like IDA Pro and Ghidra), fine-tune security tools
(SIEM, EDR policies), collaborate with L1/L2, research new
attacks/vulnerabilities, and guide junior analysts. Their focus is on
advanced threat hunting, malware analysis, and tuning defences,
dealing with sophisticated attacks and zero-day exploits.
• Emerging Roles in Cybersecurity (2025)
o AI/ML Specialist: Uses artificial intelligence and machine learning
to detect new threats, requiring data science knowledge.
o IoT Security Analyst: Monitors alerts related to Operational
Technology (OT) and Internet of Things (IoT) devices.
o Cyber Threat Researcher: A dedicated profile (like an L3 analyst)
focused on researching new attack vectors, Tactics, Techniques,
and Procedures (TTPs), and creating innovative defences.
2. Networking Fundamentals
• Computer Networks
o A computer network is a group of interconnected devices that
communicate and share resources using wired or wireless
connections.
o Key components include computers, switches/hubs (to connect
multiple systems), and cables/wireless for connection.
o Types of Computer Networks:
▪ PAN (Personal Area Network): Small network for personal
devices (e.g., smartphones, tablets) connected via
Bluetooth or hotspots.
▪ LAN (Local Area Network): Confined to a small geographical
area, such as an office or home Wi-Fi network.
▪ MAN (Metropolitan Area Network): Covers a city or large
campus, connecting multiple LANs (e.g., citywide Wi-Fi).
▪ WAN (Wide Area Network): Spans large geographical areas,
connecting multiple LANs, with the internet as the best
example. SOCs monitor all these types of networks.
• Networking Devices
o Hub: A basic networking device that connects multiple devices. It
is a broadcast device, meaning if one system sends data, the hub
broadcasts it to all connected ports. It's considered a "non-
intelligent device".
o Switch: Connects multiple devices but performs unicasting (one-
to-one communication). It maintains MAC addresses (physical
addresses) of systems to send data to specific ports, unlike a hub's
broadcast.
o Firewall: A network security solution or device that monitors and
controls incoming and outgoing network traffic based on
predefined security rules. It acts like a "guard standing on the
main gate" to ensure only authorised traffic accesses the network.
o Router: A device used to connect two different networks.
• IP and MAC Addresses
o IP Address (Logical Address): Used to identify devices on a
network. It operates at Layer 3 (Network Layer) of the OSI model.
IP addresses are logically unique within a network and can be
changed.
▪ IPv4: 32-bit address, typically in dotted decimal format (e.g.,
192.168.1.1).
▪ IPv6: 128-bit address, typically written in hexadecimal,
preferred because of its far larger address space.
▪ Public IP: An IP address that needs to be paid for, used to
access the internet.
▪ Private IP: An IP address used within a LAN, which does not
require payment.
o MAC Address (Physical Address): Used to identify devices on a
local network. It operates at the Data Link Layer. MAC addresses
are physically unique and are burned into the network interface
by the manufacturer, meaning they cannot be changed. MAC
addresses are 48 bits long.
o Importance for SOC: As a SOC analyst, understanding IP and MAC
addresses is critical for investigating attacks and identifying the
source and destination of traffic.
• Data Flow Types
o Simplex: One-way, unidirectional communication (e.g., radio
broadcasting, keyboard input to display). Efficiency is low.
o Half Duplex: Two-way communication, but only one direction at
a time (e.g., walkie-talkie).
o Full Duplex: Two-way communication simultaneously (e.g.,
telephone conversation, modern Ethernet). It offers the highest
efficiency.
• Network Topologies
o Topology refers to the layout or architecture of a computer
network.
o Bus Topology: All systems connect to a single main cable. If the
cable is damaged, the entire network is impacted.
o Star Topology: All systems connect to a central device (Hub or
Switch). If the central device fails, the entire network fails.
o Tree Topology: A hierarchical structure combining bus and star
topologies.
o Ring Topology: Systems are connected in a ring, often using a
"token" for data transmission.
o Mesh Topology: Each system is directly connected to every other
system, making it highly secure and fault-tolerant. However, it
poses scalability challenges due to increased complexity with more
systems.
• Protocols and Ports
o A protocol is a set of rules and standards that define how devices
communicate and exchange data over a network. It ensures
different devices can understand and interact with each other.
o Ports are addresses within a system that allow communication
with specific applications or services. For example, HTTP typically
listens on port 80 and HTTPS on port 443.
o TCP (Transmission Control Protocol): A connection-oriented
protocol that establishes a three-way handshake (SYN, SYN-ACK,
ACK) before data transmission, ensuring reliability. It is generally
slower than UDP. Examples include web browsing (initial page
load).
o UDP (User Datagram Protocol): A connectionless protocol that
sends data without establishing a handshake, making it faster but
less reliable. Examples include audio/video streaming (e.g., playing
YouTube videos).
o Port Classification (by IANA):
▪ Well-known Ports (0-1023): Reserved for standard protocols
(e.g., HTTP 80, HTTPS 443, FTP 20/21, DNS 53).
▪ Registered Ports (1024-49151): Reserved for specific
applications, often vendor-specific (e.g., Microsoft SQL).
▪ Dynamic / Ephemeral Ports (49152-65535): Temporarily
assigned for outbound or inbound connections by clients
(e.g., source ports for web browsing).
• Remote Management Protocols
o SSH (Secure Shell): A secure protocol for remotely managing
servers and devices (e.g., firewalls). It uses encryption,
compression, and authentication, making it suitable for remote
command execution. Default port is 22.
o RDP (Remote Desktop Protocol): Used for graphical remote
access to Windows systems, often for incident investigation or
monitoring.
o VNC (Virtual Network Computing): A vendor-neutral protocol for
graphical remote access, compatible with both Microsoft and
Linux.
o Telnet: An older protocol for remote command access that sends
data in plain text, making it insecure for modern use.
o SNMP (Simple Network Management Protocol): Used for remote
monitoring and managing network devices. SNMPv3 is the most
secure version, offering authentication, encryption, and message
integrity. It typically uses ports 161 and 162.
o HTTPS (Hypertext Transfer Protocol Secure): Used for web-based
interface access (e.g., SIEM dashboards, cloud management tools)
by providing TLS encryption.
o PowerShell Remoting: A protocol for managing Windows systems
remotely via PowerShell, used for automating incident response
tasks and fetching logs from endpoints.
o NetFlow: A protocol for analysing network traffic and monitoring
anomalies (e.g., data exfiltration).
o RPC (Remote Procedure Call): A protocol for executing processes
on remote systems, exclusively used for managing Windows
services.
• Common Network & Web Application Protocols (expanded on use cases
for SOC)
o DNS (Domain Name System): Translates domain names to IP
addresses. Critical for SOC, as 90% of attacks target DNS to redirect
user traffic.
o FTP (File Transfer Protocol): Used for file transfer over the web.
FTP defaults to plain text, so FTPS (over SSL) or SFTP (on port 22,
over SSH) are preferred for security.
o SMTP (Simple Mail Transfer Protocol): Used for sending emails.
SOC analysts investigate SMTP traffic when attackers send data
outside the organisation or connect remotely to mail servers.
o POP3 (Post Office Protocol 3): Used for receiving emails. SOC
analysts investigate POP3 logs for phishing emails.
o SMB (Server Message Block): Used for sharing files and printers
in Windows environments. SOC analysts investigate SMB logs for
lateral movement by attackers within internal networks.
o RDP (Remote Desktop Protocol): SOC analysts need to check RDP
ports for brute force attempts or suspicious remote connections,
as hackers often target them.
• Network Management & Troubleshooting Protocols/Utilities
o ICMP (Internet Control Message Protocol): Used for diagnostic
purposes like Ping (to test connectivity) and Tracert (to identify
packet drops). It works on Layer 3 of the OSI model and is often
used in DoS attacks.
o SNMP (Simple Network Management Protocol): Already
discussed above; critical for monitoring and managing network
devices, with agents sending information to a manager.
o ARP (Address Resolution Protocol): Translates IP addresses to
MAC addresses within a local network. It works on Layer 2 and can
be a target for attacks.
o Utilities:
▪ Ping: Tests connectivity to specific IP or hostname.
▪ Tracert/Traceroute: Displays the path packets take to a
destination, identifying where packets might be dropped.
▪ NSLookup: Resolves domain names to IP addresses.
▪ Dig: Performs detailed DNS queries.
▪ Telnet: Used for remote commands (though insecure).
▪ Curl: Tests HTTPS connectivity and retrieves content from
URLs, used in malware investigations.
▪ Wget: Utility to download files or content from URLs.
▪ Sysinternals: Windows utilities for system monitoring and
troubleshooting.
• OSI Model (Open Systems Interconnection Model)
o A reference model that provides visibility into how two systems
communicate with each other. It was introduced to understand
how a destination receives data, starting from the physical layer.
o The model has seven layers, typically explained from source to
destination (top-down):
1. Application Layer (Layer 7): The layer where the user interacts with the
application (e.g., typing gmail.com in a browser). Data type: Message.
Application firewalls work here.
2. Presentation Layer (Layer 6): Responsible for presenting data to lower
layers, including encryption, encoding, and compression. Data type: Message.
3. Session Layer (Layer 5): Initiates and manages sessions between two
hosts. It handles full-duplex and half-duplex communications. Data type:
Message. Circuit-level proxies work here.
4. Transport Layer (Layer 4): Responsible for segmentation (dividing
messages into segments) and flow control. Each segment has a sequence
number for reassembly at the destination. Port addressing is done at this layer.
TCP and UDP protocols operate here. Data type: Segment. Stateful firewalls
work here.
5. Network Layer (Layer 3): Responsible for fragmentation (dividing
segments into packets) and logical addressing (Source IP and Destination IP).
Routing protocols (e.g., RIP, OSPF) and routed protocols (e.g., IP, IPX) work
here. Routers and firewalls operate at this layer. Smurf attacks occur on this
layer. Data type: Packet.
6. Data Link Layer (Layer 2): Has two sub-layers: LLC (Logical Link Control),
which coordinates with the Network Layer, and MAC (Media Access Control),
which adds Source MAC, Destination MAC, and a trailer (CRC check) to form a
frame. Switches operate at this layer. Data type: Frame.
7. Physical Layer (Layer 1): Converts data into binary format (electrical
signals) for transmission over the physical medium. Hubs and repeaters work
here. Data type: Binary.
o Encapsulation: At each layer, as data moves from source to
destination, respective headers are added (e.g., Application
Header, Presentation Header, Session Header, Transport Header,
Network Header, Data Link Header).
o De-encapsulation: At the destination, as data moves up through
the layers, headers are removed.
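Added worked example (Python, not from the notes): the code below wraps a constructed web request in simplified transport, network and data-link headers on the way down and strips them again on the way up, checking the CRC trailer first so a corrupted frame is discarded at Layer 2. The header layouts, the 192.168.1.10 / 203.0.113.5 addresses and the MAC addresses are assumptions made for illustration; they are reduced stand-ins, not the real TCP/IPv4/Ethernet wire formats.

```python
"""Encapsulation (source, top-down) and de-encapsulation (destination, bottom-up).

Added example, not code from the notes. The header layouts are simplified
stand-ins for the real TCP, IPv4 and Ethernet formats, kept only as wide as
the fields the notes mention: ports and a sequence number at Layer 4, source
and destination IP at Layer 3, source and destination MAC plus a CRC trailer
at Layer 2.
"""
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # real EtherType value for IPv4
PROTO_TCP = 6             # real IP protocol number for TCP

# Simplified header layouts in network byte order ("!" = big-endian, no padding).
TRANSPORT_FMT = "!HHI"     # src port, dst port, sequence number   (8 bytes)
NETWORK_FMT = "!BH4s4s"    # protocol, total length, src IP, dst IP (11 bytes)
DATALINK_FMT = "!6s6sH"    # dst MAC, src MAC, EtherType             (14 bytes)
TRAILER_FMT = "!I"         # CRC-32 over header + payload           (4 bytes)


def encapsulate(message, src_port, dst_port, seq, src_ip, dst_ip, src_mac, dst_mac):
    """Layer 7 message -> segment (L4) -> packet (L3) -> frame (L2)."""
    # Layer 4: the transport header adds port addressing and a sequence number.
    segment = struct.pack(TRANSPORT_FMT, src_port, dst_port, seq) + message
    # Layer 3: the network header adds logical (IP) addressing.
    total_len = struct.calcsize(NETWORK_FMT) + len(segment)
    packet = struct.pack(NETWORK_FMT, PROTO_TCP, total_len,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + segment
    # Layer 2: the data-link header adds physical (MAC) addressing, and the MAC
    # sub-layer appends a CRC trailer so the receiver can detect corruption.
    header = struct.pack(DATALINK_FMT, dst_mac, src_mac, ETHERTYPE_IPV4)
    crc = zlib.crc32(header + packet) & 0xFFFFFFFF
    return header + packet + struct.pack(TRAILER_FMT, crc)


def decapsulate(frame):
    """Frame (L2) -> packet (L3) -> segment (L4) -> message, checking each layer."""
    # Layer 2: verify the CRC trailer first; a corrupted frame is discarded here,
    # before any higher layer sees it.
    body, trailer = frame[:-4], frame[-4:]
    (expected_crc,) = struct.unpack(TRAILER_FMT, trailer)
    if zlib.crc32(body) & 0xFFFFFFFF != expected_crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    dl_len = struct.calcsize(DATALINK_FMT)
    dst_mac, src_mac, ethertype = struct.unpack(DATALINK_FMT, body[:dl_len])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType 0x%04x" % ethertype)
    packet = body[dl_len:]
    # Layer 3: strip the network header and read the logical addresses.
    nw_len = struct.calcsize(NETWORK_FMT)
    proto, total_len, src_ip, dst_ip = struct.unpack(NETWORK_FMT, packet[:nw_len])
    if proto != PROTO_TCP or total_len != len(packet):
        raise ValueError("malformed network header")
    segment = packet[nw_len:]
    # Layer 4: strip the transport header and hand the message up to the application.
    tr_len = struct.calcsize(TRANSPORT_FMT)
    src_port, dst_port, seq = struct.unpack(TRANSPORT_FMT, segment[:tr_len])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "src_port": src_port, "dst_port": dst_port, "seq": seq,
        "message": segment[tr_len:],
    }


def demo():
    """Round-trip a constructed web request, then show the CRC catching a bit flip."""
    # Constructed sample values: a client on a private LAN address sending to a
    # server in the 203.0.113.0/24 documentation range; the MACs are made up.
    frame = encapsulate(b"GET / HTTP/1.1\r\n", 51234, 80, 1000,
                        "192.168.1.10", "203.0.113.5",
                        bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    fields = decapsulate(frame)
    damaged = bytearray(frame)
    damaged[-6] ^= 0x01          # flip one bit inside the payload
    try:
        decapsulate(bytes(damaged))
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    return fields, len(frame), corruption_detected


if __name__ == "__main__":
    fields, size, detected = demo()
    for key, value in fields.items():
        print("%-9s %s" % (key, value))
    print("frame size:", size, "bytes; corrupted copy rejected:", detected)
```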
3. Cryptography
• Cryptography Fundamentals
o Cryptography is defined as the science of writing data into secret
text (crypto: secret/encoded/unreadable; graphy: science of
writing).
o Encryption: The process of converting readable plain text data
into an unreadable cipher text format. Only authorised parties can
access it.
o Decryption: The reverse process, converting cipher text back to
plain text.
o Key: A specific piece of information used in conjunction with an
algorithm to perform encryption and decryption. Longer keys
generally produce stronger encryption but take more time.
o Algorithm (Cipher): The logic or mathematical process used to
encrypt and decrypt data.
o Cryptanalysis: The science of breaking codes, studying
cryptography systems, or finding weaknesses in algorithms.
o Classical Cryptography: More like encoding concepts.
▪ Substitution: Replacing characters with alternate values
(e.g., A+1=B).
▪ Transposition: Rearranging the positions of characters
without replacing them.
o Modern Cryptography: Focuses on core encryption using keys and
algorithms. It's divided into Symmetric and Asymmetric.
o Encoding vs. Encryption: Encoding involves character-level
replacement, while encryption involves changes at the binary level
using a key, taking more processing time.
• Symmetric Encryption
o A two-way encryption scheme where the same key is used to
encrypt and decrypt data. This key is also known as a session key,
secret key, or private key.
o Mechanism: The sender uses the symmetric key and an algorithm
to encrypt data into cipher text. The same key is then transmitted
to the receiver, who uses it with the algorithm to decrypt the data.
o Primary Use: Primarily used for data encryption due to its faster
processing speed. Examples include AES, DES, 3DES, RC4. AES
(Advanced Encryption Standard) is a commonly used modern
symmetric algorithm.
o Concerns:
▪ Key Exchange: The biggest concern is securely transmitting
the symmetric key to the receiver, as sending it over the
same channel as the encrypted data is risky. Solutions
include "out-of-band" methods (email, hard disk) or using
asymmetric encryption for key exchange.
▪ Scalability: As the number of users increases, a unique key
is needed for every pair of communicating parties, leading
to many keys to manage.
o Types:
▪ Stream-based: Encrypts digital data streams one bit or one
byte at a time, suitable for real-time applications like video
streaming.
▪ Block-based: Divides data into blocks and encrypts each
block, often used for data residing in storage.
• Asymmetric Encryption
o Uses a pair of keys: a public key (known to others) and a private
key (known only to the owner).
o Mechanism: If A wants to send encrypted data to B, A requests B's
public key. A then encrypts the data using B's public key. The
encrypted data is sent to B, who decrypts it using their private key.
An attacker intercepting the public key and encrypted data cannot
decrypt it without the private key.
o Primary Use: Primarily used for key exchange (e.g., exchanging
symmetric keys) rather than bulk data encryption, as it is slower in
processing.
o Algorithms: RSA, ECC (Elliptic Curve Cryptography – takes less
compute than RSA), Diffie-Hellman.
o Integration with Symmetric: Asymmetric encryption is often used
to securely exchange the symmetric (session) key, which then
encrypts the bulk data.
• Cryptography Services
o Cryptography offers five major outcomes for information security:
▪ Confidentiality: Ensuring information is only accessible to
authorised individuals.
▪ Integrity: Ensuring data has not been altered in an
unauthorised manner.
▪ Authentication: Verifying the identity of the user or system.
▪ Authorisation: Granting access based on verified identity.
▪ Non-repudiation: Preventing a sender from denying their
actions.
• Hash Function
o A cryptographic hash function is an algorithm that takes an
arbitrary amount of data input and produces a fixed-size output
called a hash value. The hash value is a "digest" of the data.
o Purpose: Primarily used to provide data integrity. By comparing
the hash value of data before and after transmission or storage,
one can verify if the data has been modified. It's like a "seal" on a
package.
o Characteristics:
▪ Fixed Size Output: Regardless of input size, the hash output
is fixed.
▪ Irreversible: Hashing is a one-way process; the original data
cannot be reversed from the hash value.
▪ Sensitivity to Change: Even a single bit change in the input
data will result in a completely different hash value.
o Examples: MD5, SHA (Secure Hash Algorithm) – SHA is considered
more secure due to longer hash values, reducing collision
probability.
• Digital Signatures
o Similar to handwritten signatures, digital signatures provide
electronic verification of the sender's identity.
o A digital signature is a hash value that has been encrypted with
the sender's private key.
o Mechanism: The sender generates a hash of the data, then
encrypts this hash with their private key to create the digital
signature. This digital signature is attached to the data and sent to
the receiver. The receiver uses the sender's public key to decrypt
the digital signature and obtain the hash. They then independently
calculate the hash of the received data and compare it with the
decrypted hash. If they match, it confirms the data's authenticity
and integrity.
o Services Provided: Digital signatures provide:
▪ Authentication: Verifies the sender's identity, as only the
sender possesses the private key used for encryption.
▪ Non-repudiation: The sender cannot deny having sent the
data, as their unique private key was used.
▪ Integrity: The hash comparison confirms that the data has
not been altered since it was signed.
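Added worked example (Python, not from the notes) covering the hash characteristics and the signature mechanism above: SHA-256 from hashlib is real; the RSA key pair is a constructed toy (two Mersenne primes, no padding) used only to make the hash-then-private-key step visible, and a real deployment would use a vetted library scheme such as RSA-PSS.

```python
"""Hash-based integrity and the digital-signature mechanism, step by step.

Added example, not code from the notes. SHA-256 comes from hashlib and is
real. The signing step uses textbook RSA on a constructed key pair (two known
Mersenne primes, 2^61-1 and 2^31-1) with no padding, purely to show the
"hash, then apply the private key" mechanism; real signatures use a vetted
library with a padded scheme such as RSA-PSS or an Ed25519 signature.
"""
import hashlib


def digest(data):
    """Fixed-size (32-byte) SHA-256 digest of arbitrary-length input."""
    return hashlib.sha256(data).digest()


def differing_bits(a, b):
    """How many of the 256 bit positions differ between two digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed toy key pair: modulus from two Mersenne primes (about 92 bits,
# far too small for real use), public exponent 65537, private exponent from
# the modular inverse (Python 3.8+).
P = (1 << 61) - 1
Q = (1 << 31) - 1
MODULUS = P * Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (P - 1) * (Q - 1))


def hash_as_int(data, modulus=MODULUS):
    """Reduce the 256-bit digest so it fits under the (toy) modulus."""
    return int.from_bytes(digest(data), "big") % modulus


def sign(data, private_exp=PRIVATE_EXP, modulus=MODULUS):
    """Sender: hash the data, then apply the private key to the hash."""
    return pow(hash_as_int(data, modulus), private_exp, modulus)


def verify(data, signature, public_exp=PUBLIC_EXP, modulus=MODULUS):
    """Receiver: apply the public key to recover the hash, then compare it with
    a freshly computed hash of the received data."""
    recovered = pow(signature, public_exp, modulus)
    return recovered == hash_as_int(data, modulus)


def demo():
    # Constructed messages: the second differs from the first by one digit.
    original = b"Transfer 100 EUR to account 12345"
    tampered = b"Transfer 900 EUR to account 12345"
    signature = sign(original)
    return {
        # Sensitivity to change: a tiny edit flips roughly half the digest bits.
        "avalanche_bits": differing_bits(digest(original), digest(tampered)),
        # Integrity + authentication: the signature matches only the signed data.
        "valid_on_original": verify(original, signature),
        "valid_on_tampered": verify(tampered, signature),
        # A forged or corrupted signature value does not verify either.
        "valid_with_altered_signature": verify(original, (signature + 1) % MODULUS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-30s %s" % (key, value))
```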
4. Cybersecurity Concepts & Controls
• Virtualization (Sandbox)
o Virtualization is the process of virtualizing hardware, allowing
multiple operating systems (virtual machines or VMs) to run on a
single physical hardware system.
o Purpose: To run multiple OS platforms simultaneously, utilise
hardware more efficiently, and provide isolated environments for
specific applications or testing.
o Types:
▪ Type 1 (Bare-metal / Hypervisor): The virtualization
software (e.g., VMware ESXi, Hyper-V, XenServer) is installed
directly on the physical hardware. This type is common in
enterprise data centres for high performance and is
considered more secure from a security perspective due to
fewer layers.
▪ Type 2 (Hosted): The virtualization software (e.g., VMware
Workstation, Oracle VirtualBox) runs on top of an existing
operating system. It's easier to install, common for personal
use, development, and testing, but less secure as a
compromise of the host OS can affect VMs.
o Sandbox: A secure, isolated virtual environment where suspicious
files or ransomware can be executed and observed without risking
the host system or network. SOC analysts often use virtual
environments.
• CIA Triad (Confidentiality, Integrity, Availability)
o The three fundamental pillars of cybersecurity and information
security:
▪ Confidentiality: Ensures that information is accessible only
to authorised individuals. It means protecting data from
unauthorised disclosure. Achieved through encryption and
access controls.
▪ Integrity: Ensures that information is accurate and
consistent, meaning it has not been altered in an
unauthorised manner since it was created, transmitted, or
stored. Achieved through hashing and seals.
▪ Availability: Ensures that information and systems are
accessible and usable by authorised users whenever
required. This involves protecting against disruptions that
could make services unavailable.
o The priority of each principle varies by sector: Confidentiality is
critical for defence/healthcare, Integrity for banking, and
Availability for e-commerce.
• Key SOC Terminology
o Event: A sequence of activities observed in a system, application,
or device. Events are recorded in logs.
o Log: A detailed record of events generated by systems,
applications, or devices. Logs are crucial for monitoring,
troubleshooting, and forensic analysis, as they provide an
auditable timestamp.
o Incident: A confirmed security event that compromises the CIA
triad of an information system. It's an unexpected event that
negatively impacts business objectives.
o Threat: Any potential danger or malicious activity that could
exploit a vulnerability and harm an organisation's assets. Threats
are driven by Intent, Opportunity, and Capability. Threats are
dynamic.
o Vulnerability: A weakness or flaw in a system. Vulnerabilities are
static. Organisations can primarily control vulnerabilities, which
represent opportunities for attackers.
o Risk: The potential for loss or damage when a threat exploits a
vulnerability. Risk focuses on impact and likelihood. It is a
probability, not a confirmed action.
• Identification, Authentication, Authorisation (IAA)
o Identification: The process where a user provides a claim of
identity (e.g., username, passport number).
o Authentication: The process of validating the claimed identity by
proving it (e.g., password, token, biometric). There are three
types:
▪ Something you know: Passwords, passphrases (more secure
against dictionary attacks).
▪ Something you have: Tokens, smart cards, OTP (One-Time
Password).
▪ Something you are: Biometrics (e.g., fingerprint, facial
recognition).
o Authorisation: The process of granting access to specific resources
or functionalities based on the authenticated identity. Strong
identification and authentication are needed for strong
authorisation.
• Security Controls
o Controls are measures introduced to manage the behaviour of
people, processes, and technology within an organisation.
o Types of Controls:
▪ Technical Controls: Implemented through hardware or
software mechanisms to manage access to resources and
provide protection. Examples include firewalls, antivirus,
encryption, and access control lists.
▪ Physical Controls: Implemented physically to block, detect,
or alert about physical access or activities. Examples include
physical locks, security guards, cameras, perimeter security,
and work area separation.
▪ Administrative Controls: Sets of instructions or policies
established by management to control the behaviour of
people. Examples include operational procedures (SOPs),
user management processes, privilege management, and
separation of duties policies.
• Security Control Categories (Functions)
o Controls perform seven types of functions (categories), which can
be applied to any of the control types (technical, physical,
administrative).
▪ Directive Control: A mandatory control that gives
instructions or directions (e.g., speed limit sign, policy
stating no social media browsing during work hours).
▪ Deterrent Control: Deployed to discourage violations of
security functions by creating a sense of fear or
consequences (e.g., "Under CCTV monitoring" signs, strong
fences).
▪ Preventative Control: Introduced to avoid an incident from
occurring by stopping unwanted or unauthorised activity
(e.g., firewall blocking unauthorised access, physical locks).
▪ Compensating Control: Introduced to support existing
controls that may be weak or bypassed, acting as a
secondary measure (e.g., OTP complementing a weak
password policy).
▪ Detective Control: Deployed to discover unwanted or
unauthorised activity that has already occurred or bypassed
other controls (e.g., SIEM alerts detecting suspicious activity,
RTPCR tests for COVID).
▪ Corrective Control: A temporary activity to remediate
circumstances or mitigate damage during an incident,
restoring the system to a partial normal state (e.g., isolating
an infected system from the network, seizing a laptop).
▪ Recovery Control: A permanent activity to restore
operating conditions back to normal after an incident (e.g.,
reinstalling OS after virus removal, finding a new candidate
for a terminated employee).
o Data States: These controls are applied to data in three states:
▪ Data at Rest: Stored data (e.g., on hard drives, tapes, cloud
storage). Prone to extraction. Controls: storage-based
encryption.
▪ Data in Transit: Data traveling over a network. Prone to
eavesdropping. Controls: TLS/SSL.
▪ Data in Use (in processing): Data being actively processed
(e.g., a running application, a video being uploaded). Most
vulnerable. Controls: masking, tokenisation.
5. Threats & Attacks
• Malware Types
o Virus: Malware that replicates from one system to another with
human interaction (e.g., via an infected USB drive).
o Worm: Malware that replicates from one system to another
without human interaction (e.g., spreading across a network
automatically).
o Ransomware: Malware that hacks a system and encrypts its files,
then demands a ransom for decryption.
o Spyware: Malware that records keystrokes or monitors user
activity and sends information to a hacker.
o Trojan (Trojan Horse): Malware disguised as legitimate software to
gain unauthorised access to a system, creating a backdoor or
covert channel without requiring username/password.
o Rootkit: Malware that operates at the kernel level (backbone of
the OS), making it extremely difficult for antivirus software to
detect. Often requires a clean reinstallation to remove.
• Types of Attackers/Hackers
o Black Hat Hackers: Malicious hackers whose objective is always
offensive, seeking personal gain.
o White Hat Hackers: Ethical hackers or pentesters who use hacking
skills for defensive purposes, like finding vulnerabilities to secure
systems before actual attackers exploit them.
o Script Kiddies: Individuals who use predefined hacking tools
developed by others to perform attacks.
o Hacktivist: Hackers motivated by political, social, ideological, or
religious reasons to promote a cause by hacking websites and
publishing agendas.
o State-Sponsored Attacks / APT (Advanced Persistent Threat)
Groups: Hackers backed by governments. They are highly skilled,
organised, sophisticated, use zero-day exploits and custom
malware, and maintain persistent access to target networks for
extended periods (months or years). Their motivation is
geopolitical or economic espionage and disruption. Famous
examples include APT28 (Fancy Bear), APT41, and Lazarus Group.
o Cyber Criminals: Black hat hackers primarily motivated by
financial profit.
o Insider: An individual (e.g., employee, contractor) who uses their
authorised access to cause harm (e.g., data theft, sabotage) due to
fake data, unhappiness, or competitive advantage.
o Whistleblower: An individual who reveals unethical practices
within an organisation, sometimes using hacking techniques (e.g.,
Edward Snowden).
o Botmaster: A hacker who controls botnets (networks of
compromised systems) to launch large-scale attacks like DDoS,
spam, or cryptocurrency mining.
Less effective if passwords are not in the dictionary.
o Password Spraying: Uses a single, commonly used password
across multiple user accounts to avoid triggering account lockout
policies on a single user. Effective against organisations with weak
password policies.
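Added worked example (Python, not from the notes) for the RDP brute-force check mentioned under Common Network & Web Application Protocols and the password-spraying pattern above: it runs a sliding-window rule over constructed logon-failure events and labels each source IP for L1 triage. Event IDs 4625/4624 and logon type 10 are the real Windows values; the event schema, the addresses, the thresholds and the 5-minute window are assumptions.

```python
"""Telling RDP brute force, password spraying and user typos apart in logon logs.

Added example, not code from the notes. The events are constructed in a
simplified schema (timestamp, event_id, account, source_ip, logon_type);
Event IDs 4625/4624 are Windows' failed/successful logon events and logon
type 10 is RemoteInteractive (RDP). Thresholds and the 5-minute window are
illustrative and would be tuned to the organisation's baseline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10


def build_sample_events():
    """Constructed sample events, not real logs."""
    t0 = datetime(2025, 3, 1, 9, 0, 0)

    def ev(offset, event_id, account, source_ip):
        return {"timestamp": t0 + offset, "event_id": event_id, "account": account,
                "source_ip": source_ip, "logon_type": LOGON_TYPE_RDP}

    events = []
    # Source A: 25 failures against one account within two minutes (brute force).
    events += [ev(timedelta(seconds=5 * i), EVENT_LOGON_FAILED, "alice", "203.0.113.9")
               for i in range(25)]
    # Source B: one failure each against 12 different accounts, spaced out so
    # no single account comes near a lockout threshold (password spraying).
    events += [ev(timedelta(minutes=10, seconds=20 * i), EVENT_LOGON_FAILED,
                  "user%02d" % i, "198.51.100.7") for i in range(12)]
    # Source C: an internal user mistypes twice, then logs on successfully.
    events += [ev(timedelta(minutes=30), EVENT_LOGON_FAILED, "dave", "192.168.1.50"),
               ev(timedelta(minutes=30, seconds=20), EVENT_LOGON_FAILED, "dave", "192.168.1.50"),
               ev(timedelta(minutes=30, seconds=40), EVENT_LOGON_SUCCESS, "dave", "192.168.1.50")]
    return events


def detect(events, window=timedelta(minutes=5), brute_threshold=10, spray_accounts=8):
    """Group RDP logon failures per source IP and return triage-ready alerts."""
    failures = defaultdict(list)
    last_success = {}
    for e in events:
        if e["logon_type"] != LOGON_TYPE_RDP:
            continue
        if e["event_id"] == EVENT_LOGON_FAILED:
            failures[e["source_ip"]].append((e["timestamp"], e["account"]))
        elif e["event_id"] == EVENT_LOGON_SUCCESS:
            prev = last_success.get(e["source_ip"])
            if prev is None or e["timestamp"] > prev:
                last_success[e["source_ip"]] = e["timestamp"]

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        verdict = None
        end = 0
        # Slide a time window over the sorted failures from this source.
        for start in range(len(attempts)):
            while end < len(attempts) and attempts[end][0] - attempts[start][0] <= window:
                end += 1
            per_account = Counter(acct for _, acct in attempts[start:end])
            if max(per_account.values()) >= brute_threshold:
                verdict = ("high", "rdp_brute_force")      # many tries, one account
            elif len(per_account) >= spray_accounts and max(per_account.values()) <= 2:
                verdict = ("high", "password_spraying")    # few tries each, many accounts
            if verdict:
                break
        if verdict is None:
            # A handful of failures is the typical false positive (user typo);
            # L1 validates and closes it rather than escalating.
            verdict = ("low", "isolated_logon_failures")
        severity, rule = verdict
        # A success from the same source after the failures means the attack may
        # have worked, so a high alert becomes critical and goes to L2 at once.
        success_after = src in last_success and last_success[src] >= attempts[-1][0]
        if success_after and severity == "high":
            severity = "critical"
        alerts.append({"source_ip": src, "rule": rule, "severity": severity,
                       "failures": len(attempts),
                       "accounts": len({acct for _, acct in attempts}),
                       "success_after": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```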
• Cybercrime
o Cybercrime occurs when a computer is involved in committing a
crime. This can be from two perspectives:
▪ Computer as a Target: The computer system itself is the
target of the crime (e.g., hacking a server to shut it down,
causing business loss).
▪ Computer as a Mechanism: The computer is used as a tool
to commit a crime (e.g., using a laptop to send threatening
emails).
o Categories of Cybercrime:
▪ Cyber Trespass: Crossing boundaries of ownership in an
online environment or connecting to an unauthorised
network (e.g., hacking into a coffee shop's Wi-Fi to send
threatening emails).
▪ Cyber Deception: Using deceptive online tactics to gain
information (e.g., phishing campaigns to collect account
details).
▪ Cyber Violence: Disrupting networks or systems with the
intention to cause societal disruption or harm human life
(e.g., hacking industrial control systems to manipulate
power plants or water treatment facilities, DoS attacks).
6. Security Solutions & Operations
• Antivirus
o Tools designed to detect, prevent, and remove malicious software
from a system.
o Functionality: Sc basic firewall that inspects traffic based on IP
addresses and port numbers (Layer 3). It does not inspect content
or track sessions.
o Circuit Level Proxy: Maintains information about network
connections at the session layer (Layer 5) but still cannot inspect
content.
o Application Level Firewall (Application Layer Gateway): Operates
at the application layer (Layer 7) and performs deep inspection of
data content. It's slower due to resource intensity.
• IDS (Intrusion Detection System): A passive solution that detects and alerts on
suspicious activities. It operates in "out-of-line" mode.
▪ NIDS (Network-based IDS): Monitors network traffic for
suspicious patterns.
▪ HIDS (Host-based IDS): Monitors activities on individual
systems.
▪ Detection Methods:
▪ Signature-based: Matches known attack patterns.
▪ Anomaly-based: Detects deviations from a defined
baseline of normal behaviour.
• DLP (Data Loss Prevention)
from leaving the organisation in an unauthorised manner.
o Functionality: Monitors data movement from internal to external
sources (e.g., email, USB drives, public portals) and blocks content
based on predefined rules.
o SOC Relevance: SOC teams monitor DLP alerts for potential insider
threats or data exfiltration.
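The two IDS detection methods listed above catch different things: a signature rule needs a known pattern, an anomaly rule needs a baseline of normal behaviour. The Python block below is an added example, not code from these notes or from any IDS product. It runs both methods over constructed web-access events; the two signatures, the baseline request counts and the three-standard-deviation threshold are assumptions made for the illustration. The traversal and injection requests are caught only by the signature rules, and the request flood from one client only by the anomaly rule, which is the practical reason a NIDS deployment usually runs both.

```python
"""Signature-based vs anomaly-based detection over constructed access events (added example)."""
import re
import statistics
from collections import Counter

# Constructed web access events, one per line: "<client_ip> <method> <path>". Not real traffic.
ACCESS_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /about.html
10.0.0.8 GET /login
10.0.0.8 POST /login
10.0.0.9 GET /index.html
10.0.0.7 GET /search?q=../../../../etc/passwd
10.0.0.7 GET /index.html
10.0.0.11 GET /products?id=1' OR '1'='1
""" + "".join(f"10.0.0.20 GET /item/{i}\n" for i in range(40))  # one client hammering the site

# Signature-based detection: a list of known attack patterns (constructed for this example).
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sqli_tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]

# Anomaly-based detection: requests per client seen during a known-good period (constructed baseline).
BASELINE_PER_CLIENT = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]


def signature_alerts(log: str):
    """Match every request path against the signature list; one alert per matching rule."""
    alerts = []
    for line in log.splitlines():
        ip, _method, path = line.split(" ", 2)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append({"method": "signature", "rule": name, "ip": ip})
    return alerts


def anomaly_alerts(log: str, baseline=BASELINE_PER_CLIENT, k: float = 3.0):
    """Flag clients whose request count exceeds baseline mean + k standard deviations."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    counts = Counter(line.split(" ", 1)[0] for line in log.splitlines())
    return [
        {"method": "anomaly", "ip": ip, "requests": n, "threshold": round(threshold, 2)}
        for ip, n in counts.items()
        if n > threshold
    ]


def detect(log: str = ACCESS_LOG):
    """Run both detection methods, as an IDS combining the two would."""
    return signature_alerts(log) + anomaly_alerts(log)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The anomaly threshold here is a simple mean-plus-k-sigma cut over a static baseline; a real deployment re-learns the baseline per host and time of day, otherwise ordinary traffic growth turns into a stream of false positives, which is the tuning work L3 analysts spend time on.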
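The DLP entry above says the control monitors data moving outward and blocks content against predefined rules. The following Python block is an added example, not from these notes or from any DLP product, of what such a rule engine looks like: a payment-card rule that pairs a digit-pattern match with a Luhn check so that random 16-digit order numbers do not trip it, a keyword rule for a confidentiality marking, and a destination check that only blocks when the content is leaving the organisation. The messages, the internal domain list and the channel handling are assumptions made for the example.

```python
"""Small DLP rule engine over constructed outbound messages (added example, not a product's code)."""
import re

# Constructed outbound events: channel, recipient and body. None of these are real messages.
OUTBOUND = [
    {"channel": "email", "to": "partner@example.org", "body": "Invoice attached, thanks."},
    {"channel": "email", "to": "someone@webmail.example", "body": "card 4111 1111 1111 1111 exp 12/27"},
    {"channel": "usb", "to": "removable-drive", "body": "order ref 4111111111111112"},
    {"channel": "email", "to": "hr@corp.example", "body": "CONFIDENTIAL: salary review draft"},
]

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domain

# 13-19 digits, optionally separated by spaces or dashes, as a card number is usually typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts the false positives a bare digit regex produces on order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_card_number(body: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(body))


# Predefined rules: name plus a predicate over the message body.
RULES = [
    ("payment_card", has_card_number),
    ("confidential_marking", lambda body: "CONFIDENTIAL" in body),
]


def is_external(msg: dict) -> bool:
    """USB and portal uploads always leave the organisation; email depends on the recipient domain."""
    if msg["channel"] != "email":
        return True
    domain = msg["to"].rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def evaluate(msg: dict) -> dict:
    hits = [name for name, check in RULES if check(msg["body"])]
    if hits and is_external(msg):
        return {"action": "block", "rules": hits}
    if hits:
        return {"action": "allow_internal", "rules": hits}  # logged for the SOC, not blocked
    return {"action": "allow", "rules": []}


def scan(messages=OUTBOUND):
    return [evaluate(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(OUTBOUND, scan()):
        print(msg["channel"], msg["to"], verdict)
```

The "allow_internal" verdict is where the SOC relevance sits: sensitive content moving inside the organisation is not blocked but still generates an event, and a run of such events from one user is the insider-threat signal the notes mention.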
• Honeypot
o A dummy system or server designed to attract and trap attackers.
o Purpose: To learn about attacker behaviours, tactics, techniques,
and procedures (TTPs) without risking actual production systems.
This information is then used to improve real defences.
o Concept: It's an "enticement" (to lure an attacker) rather than
"entrapment" (forcing an attacker into a crime they wouldn't
otherwise commit).
o Honeypots are often placed in the DMZ (Demilitarised Zone), a
network segment used for public-facing servers, providing an
additional layer of security by isolating them from internal
networks.
• Log Management System (Syslog)
o Logs are detailed records of events generated by systems, serving
as digital footprints.
o Types of Logs: System logs (OS events), application logs (app/DB
failures), network logs (traffic flow), and security logs
(authentication, privilege changes, critical security events).
Security logs are especially important for SOC analysts.
o Importance: Troubleshooting, detecting and analysing security
incidents (IOCs), building defence, and meeting compliance
requirements.
o Need
• SIEM (Security Information and Event Management)
o A technology that provides real-time analysis, monitoring, and
management of security events and logs generated by various
devices.
o Functionality: Combines data collection with data analytics. It
ingests logs from firewalls, IDS, applications, servers, and
endpoints.
o Workflow:
1. Data Collection: Gathers logs from diverse sources.
2. Log Parsing: Converts raw, different-format logs into a consistent,
structured format (normalisation).
3. Log Correlation: Identifies patterns and relationships between seemingly
unrelated events (e.g., multiple failed logins followed by success indicates
brute force).
4. Real-time Alerts: Generates alerts based on predefined rules or
behavioural analysis.
5. Dashboard & Reporting: Provides visual dashboards and reports for
monitoring and compliance.
6. Incident Investigation: Allows SOC analysts to drill down into logs, track
attack chains, and identify root causes.
o Popular Tools: Splunk, IBM QRadar, Elasticsearch (open source),
Microsoft Sentinel (cloud-native), ArcSight, LogRhythm.
o Log Investigation Steps: Define the incident, identify relevant logs,
search for key terms/IOCs using SIM, analyse patterns/anomalies,
document findings, and take action.
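The Log Correlation step in the SIEM workflow above, and the Password Spraying entry in the attacker-techniques section earlier, both describe rules that run over normalised authentication events. The Python block below is an added example, not code from these notes or from any SIEM product: it parses a constructed set of sshd-style log lines (the normalisation step), then applies two correlation rules, one for brute force (repeated failures for one user from one source followed by a success inside a short window, the pattern the notes give) and one for password spraying (one source failing against many distinct users). The log format, thresholds, host names and IP addresses are all assumptions made for the example.

```python
"""Mini SIEM: parse constructed auth logs and run two correlation rules (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines. Hosts, users and addresses are invented (documentation ranges).
SAMPLE_LOGS = """\
2024-05-01T09:00:01 srv1 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:03 srv1 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:05 srv1 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:06 srv1 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:08 srv1 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T09:10:00 srv2 sshd: Failed password for bob from 198.51.100.9
2024-05-01T09:10:04 srv2 sshd: Failed password for carol from 198.51.100.9
2024-05-01T09:10:09 srv2 sshd: Failed password for dave from 198.51.100.9
2024-05-01T09:10:13 srv2 sshd: Failed password for erin from 198.51.100.9
2024-05-01T09:10:18 srv2 sshd: Failed password for frank from 198.51.100.9
2024-05-01T11:00:00 srv1 sshd: Failed password for alice from 192.0.2.44
2024-05-01T11:30:00 srv1 sshd: Accepted password for alice from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(raw: str):
    """Log parsing / normalisation: raw lines become dicts with a real timestamp, sorted by time."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM routes unparseable lines to a parse-failure queue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["success"] = ev["outcome"] == "Accepted"
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: >= min_failures failures for the same (user, ip), then a success inside the window."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed logins
    for ev in events:
        key = (ev["user"], ev["ip"])
        if not ev["success"]:
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"rule": "brute_force", "user": ev["user"], "ip": ev["ip"], "failures": len(recent)})
        failures[key].clear()  # a success resets the counter for this pair
    return alerts


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Rule: one source IP failing against at least min_users distinct accounts inside the window."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in events:
        if not ev["success"]:
            by_ip[ev["ip"]].append(ev)
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # slide the window over this source's failures
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "password_spray", "ip": ip, "users": sorted(users)})
                break
    return alerts


def run(raw: str = SAMPLE_LOGS):
    events = parse(raw)
    return detect_brute_force(events) + detect_password_spray(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note what the sample deliberately does not alert on: alice's single failure at 11:00 followed by a success at 11:30 is outside the five-minute window and is treated as an ordinary typo, which is why correlation rules carry a time window rather than a bare count. The spray rule keys on distinct users per source instead of failures per user, because each account sees only one failure and never reaches a lockout threshold, exactly the evasion the notes describe.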
7. Threat Intelligence & Analysis
• Threat Intelligence: Definition, Importance, Beneficiaries
o Threat Intelligence is the.
▪ Helps security professionals understand the threat actor's
decision-making process, enabling proactive blocking of
sophisticated attacks (e.g., numerous login attempts) that
traditional firewalls might miss.
o Beneficiaries:
▪ SOC (Security Operations Centre): Prioritises incidents
based on risk and impact.
▪ Senior Management: Understands organisational risks and
options to address them.
▪ IT Analysts: Optimises prevention and detection
capabilities, strengthens defences.
▪ V easy to change.
4. Network Artefacts / Host Artefacts: More difficult to
change.
5. Tools: Difficult for attackers to change, as they rely on
specific tools.
6. TTPs (Tactics, Techniques, and Procedures): Most difficult
for attackers to change. If defences focus on TTPs, it causes
the most "pain" to the adversary.
o Threat intelligence primarily focuses on monitoring and blocking
based on attackers' tools and TTPs.
o IOC (Indicator of Compromise): Artifacts or evidence that suggest a system has
been breached or is under attack. IOCs are reactive, focusing on post-attack
evidence for detection and investigation.
▪ Examples: Hashes of malicious files, suspicious IP addresses/domains,
suspicious registry changes, log entries indicating a breach.
o IOA (Indicator of Attack): Focuses on detecting the intent of what an
attacker is trying to accomplish, regardless of the malware or exploit used.
IOAs are proactive, focusing on real-time malicious behaviour during an
attack.
▪ Examples: Brute force attempts, lateral movement within a network.
o Key Difference: IOCs detect security events and compromises, while IOAs
detect the intent of the attacker. IOAs require IOC data for their database.
• Data vs. Information vs. Intelligence
o Data: Distinct facts and statistics, raw and without analysis (e.g., IP
addresses, URLs, hashes) [ risks, sourced from open-source data,
customer telemetry, and internet crawling. Integrity of the feed
(collecting from reliable sources) is crucial.
o Types of Threat Intelligence:
▪ Strategic Threat Intelligence: Focuses on the "who and
why" (adversary motives, geopolitical/business impacts,
competitive advantages). It helps senior management
understand broad risks.
▪ Operational Threat Intelligence: Focuses on adversary
capabilities and is used by threat hunters, SOC analysts,
type of intelligence needed.
2. Collection: Gathering information to address intelligence
requirements from internal logs, security devices, threat
data feeds, and expert conversations.
3. Processing: Transforming collected raw data into a usable
format (e.g., normalising logs).
4. Analysis: The human process of turning processed
information into actionable intelligence to inform decisions
(e.g., whether to investigate, how to block an attack, justify
security investments).
5. and red teams to classify attacks, identify attack
attributions, assess organisational risk, identify security
gaps, and prioritise mitigation.
o It articulates how detection occurs rather than assigning scores to
vendor capabilities.
• Sources for Threat Hunting
o OSINT (Open Source Intelligence): Gathering information from
publicly available sources. Tools: Google, Bing, DuckDuckGo, social
media, threat intelligence platforms (VirusTotal, Threat Crowd,
Anomali OTX), security blogs.
o Data Analysis Tools
Denial of Service, Elevation of Privilege) to
identify potential threats before building.
o Conferences: Attending events like Defcon or Nullcon for market
trends and findings.
8. Incident Response & Forensics
• Malware Investigations (Static & Dynamic Analysis)
o Purpose: To understand malware, reduce its impact, remove it,
update defences, and provide actionable insights. Done primarily
by L2/L3 analysts.
o Initial Analysis: Determining if a suspicious file is determine if it's a
known threat and potentially find decryptors.
▪ String Analysis: Extracting readable strings from the
executable to find suspicious information like cryptography
terms (AES, RSA, encryption), file extensions targeted for
encryption, URLs of remote servers (Command & Control
or C2), file paths, registry keys, and API calls.
o Dynamic Analysis: Observing the malware's runtime behaviour
by executing it in a controlled environment. deletion, and overall
system performance (memory/CPU spikes).
▪ Reverse Engineering: For advanced analysis, decompiling
malware using tools like IDA Pro or Ghidra to understand its
encryption methods and payloads.
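The String Analysis step above lists the kinds of strings an analyst looks for in a suspicious executable. The Python block below is an added example, not from these notes, of doing that first pass programmatically: it pulls printable runs out of a byte blob the way the Unix `strings` utility does, then sorts them into the categories the notes name (URLs, crypto terms, targeted file extensions, file paths, registry keys, API calls). The blob is a constructed stand-in for a binary, not a real sample, and the classifier patterns and API list are assumptions made for the example.

```python
"""Static triage: extract printable strings from a constructed binary blob and classify them (added example)."""
import re

# Constructed stand-in for a suspicious binary: junk bytes interleaved with the kinds of strings the
# notes say to look for. The URL uses the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"http://c2.invalid/gate.php\x00\x01\x02"
    b"AES-256-CBC\x00\xde\xad"
    b".docx\x00.xlsx\x00.pdf\x00\x07\x08"
    b"C:\\Users\\Public\\svc.exe\x00\x9c"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x11"
    b"CryptEncrypt\x00CreateRemoteThread\x00\x00"
    b"ab\x00xyz\x00"  # runs shorter than four characters are dropped, as `strings` would
)

# Category name and pattern; the first matching category wins (order is an assumption of this example).
CLASSIFIERS = [
    ("url", re.compile(r"^https?://", re.IGNORECASE)),
    ("registry_key", re.compile(r"^(HKLM|HKCU|HKEY_|Software\\)", re.IGNORECASE)),
    ("file_path", re.compile(r"^([A-Za-z]:\\|/)")),
    ("file_extension", re.compile(r"^\.[a-z0-9]{2,5}$", re.IGNORECASE)),
    ("crypto_term", re.compile(r"aes|rsa|crypt", re.IGNORECASE)),
    ("api_call", re.compile(r"^(CreateRemoteThread|VirtualAlloc|WriteProcessMemory|WinExec)$")),
]


def extract_strings(blob: bytes, min_len: int = 4):
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(strings):
    """Bucket each string into the first matching category; unmatched strings go to 'other'."""
    findings = {name: [] for name, _ in CLASSIFIERS}
    findings["other"] = []
    for s in strings:
        for name, pat in CLASSIFIERS:
            if pat.search(s):
                findings[name].append(s)
                break
        else:
            findings["other"].append(s)
    return findings


def triage(blob: bytes = SAMPLE_BLOB):
    return classify(extract_strings(blob))


if __name__ == "__main__":
    for category, items in triage().items():
        if items:
            print(f"{category}: {items}")
```

The output of a pass like this is a lead, not a verdict: packed or encrypted samples yield almost no useful strings, which is itself a finding and the usual trigger for moving on to the dynamic analysis described next.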
• Digital Forensics: Introduction & Types
o Digital Forensics: A part of forensic science focused on identifying,
acquiring, processing, analysing, and reporting on data stored
electronically. It involves investigating cybercrime where
computers are used as a target or mechanism [11
o 1. Collection:
▪ Identifying data sources and acquiring all types of data.
▪ Prioritise volatile data first (data that will be lost if the
system is shut down, e.g., memory content, running
processes, open files, network configurations, system time).
▪ Then collect non-volatile data (e.g., hard disk images).
▪ Critical rule: Never shut down a live system during initial
data acquisition to avoid
▪ Compiling all data, incidents, and
correlations into a complete report.
▪ The report should include tools used, roles of investigators,
issues encountered, and actionable information for future
improvements. Audience consideration is important
(technical vs. senior management).
• Chain of Custody & Evidence Principles
o Chain of Custody: A documented sequence of possession,
control, transfer, analysis, and disposal of evidence (physical or
electronic). It proves who handled the evidence, when, and
where, ensuring its admissibility in court.
o Good Evidence Principles:
▪ Make a copy of the system: Never investigate on live
systems; always work on a copy.
▪ Bit-by-bit copy: Preferred over file-by-file, as it captures
deleted files, slack space, and hidden files.
▪ Use a write blocker: The media used for copying should
have a write blocker to prevent accidental modification of
the original evidence. , Mac, Network specialists) and
appropriate tools for the specific environment.
o Identify Potential Evidence Sources: Pinpoint where critical
evidence might be found (e.g., IP, laptop user).
o Estimate Value and Expense: Assess the reliability and cost of
obtaining evidence (direct vs. indirect evidence).
o Prioritise Evidence Gathering: Focus on the most important
evidence first.
o Plan Acquisition: Thoroughly plan the data acquisition phase to
ensure accuracy, as the entire investigation depends on it [ of
opening encrypted files and recovering deleted data.
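The chain-of-custody and evidence principles above (work on a copy, copy bit by bit, use a write blocker, prove who handled the evidence and when) are mechanical enough to show in code. The Python block below is an added example, not from these notes or from any forensic tool: it images a constructed in-memory "device" through a read-only wrapper that refuses writes, hashes the stream during acquisition, re-hashes the stored image to verify it, and records both steps in an append-only custody log keyed by the evidence hash. The device contents, the evidence identifier and the handler name are assumptions made for the example.

```python
"""Bit-level acquisition with write blocking, hash verification and a custody log (added example)."""
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for an evidence device: a small byte "disk" that contains, besides a live
# file, an unallocated region a file-by-file copy would miss. Not a real image.
DEVICE = (
    b"FILESYSTEM-HEADER" + b"\x00" * 32
    + b"live-file.txt: quarterly report" + b"\x00" * 16
    + b"deleted-note: meeting at 9"  # deleted, but the bytes are still on the medium
    + b"\x00" * 64
)


class WriteBlocked(io.BytesIO):
    """Read-only view of the source device: any write is refused, mirroring a hardware write blocker."""

    def write(self, *_):
        raise PermissionError("write blocker: source evidence is read-only")


def image_device(source: bytes, chunk_size: int = 64):
    """Bit-by-bit copy in fixed-size chunks, hashing the stream as it is read (the acquisition hash)."""
    src = WriteBlocked(source)
    dest = io.BytesIO()
    digest = hashlib.sha256()
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        dest.write(chunk)
    return dest.getvalue(), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Verification hash: recompute over the stored image and compare with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and what they did, tied to its hash."""

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, handler: str, action: str, sha256: str, when: datetime = None):
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "sha256": sha256,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.entries.append(entry)
        return entry


def acquire(device: bytes = DEVICE, handler: str = "analyst-1"):
    """Image, verify, and log both steps. Returns (image, acquisition hash, custody log, verified)."""
    coc = ChainOfCustody("EV-0001")  # constructed evidence identifier
    image, acq_hash = image_device(device)
    coc.record(handler, "acquired bit-by-bit image through write blocker", acq_hash)
    ok = verify_image(image, acq_hash)
    coc.record(handler, "verification hash " + ("matches" if ok else "MISMATCH"), acq_hash)
    return image, acq_hash, coc, ok


if __name__ == "__main__":
    img, h, log, verified = acquire()
    print("sha256", h, "verified", verified, "bytes", len(img))
    for e in log.entries:
        print(e)
```

Two details carry the evidentiary weight: the hash is computed from the same bytes that are written, so a later mismatch proves the image changed after acquisition, and every custody entry cites that hash, so the log and the image cross-check each other when admissibility is questioned.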
o File Formats for Forensic Images:
▪ DD (Data Duplication): Used to copy Linux systems and
create raw images.
▪ AFF (Advanced Forensic Format): An extensible, open
format for storing disk images and metadata.
▪ Raw Image: Bit-by-bit copy capturing the entire volume,
including deleted and hidden files.
▪ Memory Dump Data Formats: DMP, crash,
o Problem: An underlying issue causing repeated incidents.
o Disaster: A significant loss or impact due to unaddressed
problems, potentially losing customers.
o Crisis: A critical situation resulting from unaddressed disasters,
posing an existential threat to the organisation.
• Incident Response Process
o A structured process to handle security incidents:
1. Preparation: Establishing readiness, developing an Incident Response
Plan (IRP), conducting training/simulations, setting up tools, and defining
reporting procedures (SOPs) [1 or restoring from backups.
2. Lesson Learned: The final and crucial step, where the team reviews the
entire process to identify what went well, what could be improved, and
updates procedures or training for future incidents. This leads to overall
improvement of the IR process.