Full, In-Depth SOC & Cybersecurity Notes (printable)

Quick navigation (use for printing)

1. Foundations & definitions

2. tty and Linux virtual consoles

3. Detection metrics & confusion matrix (TP, FP, FN, TN — formulas)

4. AAA — Authentication, Authorization, Accounting (with protocols)

5. Core threat concepts: threat actor, vulnerability, exploit, TTPs, IoC, IoA

6. MITRE ATT&CK — tactics, techniques, how to use it (authoritative)

7. Cyber Kill Chain — stages & defensive actions (Lockheed Martin model)

8. Incident Response (NIST SP 800-61r3): phases, checklist, playbooks

9. Threat Intelligence vs Threat Analysis vs Threat Detection vs Threat Response

10. Malware & virus types (categories, detection hints)

11. Malware analysis: static, dynamic, memory; tools & safe lab setup (Cuckoo, REMnux, Volatility)

12. SIEM / EDR / IDS / IPS: roles, differences, examples (Splunk, CrowdStrike)

13. Common ports & services (cheat sheet) — authoritative registry references (IANA)

14. Active Directory & common enterprise attack techniques (high level)

15. Useful logs & event IDs to collect (Windows, Linux, network devices)

16. Commands & tools quick reference (nmap, tcpdump, procmon, volatility, yara)

17. Interview prep checklist: top concepts + short answers to memorize

18. Post-incident: reporting, legal/comms, lessons learned

19. Further reading & references (official links)

1. Foundations & definitions (simple, precise)

 Asset: anything of value (data, servers, users, network devices).

 Threat: an actor or event that could harm an asset (hacker, malware, natural failure).

 Vulnerability: a weakness that can be exploited (unpatched CVE, misconfig).

 Exploit: the method or code that leverages a vulnerability.

 Risk: the combination of likelihood and impact (threat × vulnerability).

 Incident: a confirmed event that compromises security (breach, malware).


 IOC (Indicator of Compromise): artifact that shows a system was compromised (file hash,
malicious domain).

 IOA (Indicator of Attack): behavioral sign of an attack in progress (suspicious cmdline, new
scheduled task).

 Threat Intelligence (TI): Processed information about threats used to inform decisions.

 Types: Strategic (high level, trends), Operational (campaign-level), Tactical (TTPs, detection
rules), Technical (IoCs: hashes, domains, IPs).

 Sources: OSINT, vendor feeds, ISACs, internal telemetry.

 Threat Analysis: Evaluating threat intel and internal telemetry to determine relevance and
risk.

 Steps: ingest -> triage -> contextualize (assets, risk) -> prioritize -> action.

 Threat Detection: Methods to find malicious activity.

 Signature-based detection (IoCs), anomaly-based detection (baseline vs anomaly), behavior-based detection (process, network, user behavior), correlation rules (SIEM), threat hunting (proactive queries).

 Threat Response: Remediation and containment actions (part of Incident Response). Typical actions: isolate affected hosts, block C2 domains/IPs, revoke credentials, remove malicious files, patch vulnerabilities, restore from clean backups, and communicate with stakeholders.

🔐 Information Security vs. Cybersecurity

Information Security (InfoSec):

 Scope: Encompasses the protection of all forms of information—digital, physical, and intellectual property—across various environments.

 Focus: Ensures the confidentiality, integrity, and availability (CIA) of information, regardless
of its medium.

 Example: Implementing policies to safeguard physical documents, securing digital files, and
protecting verbal communications.

 Reference: Information Security vs Cybersecurity

Cybersecurity:

 Scope: A subset of information security dedicated to defending digital systems, networks, and data from cyber threats.

 Focus: Protects electronic information and the infrastructure that stores, processes, and
transmits it.

 Example: Using firewalls, antivirus software, and intrusion detection systems to protect
against cyberattacks.

 Reference: Cybersecurity vs. Information Security


Vulnerability vs. Threat vs. Risk

Vulnerability:

 Definition: A weakness or flaw in a system, application, or network that can be exploited by threats.

 Example: Unpatched software or weak passwords.

 Reference: Vulnerability vs. Threat vs. Risk

Threat:

 Definition: A potential cause of an unwanted impact to a system or organization, often exploiting a vulnerability.

 Example: Malware, hackers, or natural disasters.

 Reference: Vulnerability vs. Threat vs. Risk

Risk:

 Definition: The potential for loss or damage when a threat exploits a vulnerability. It
combines the likelihood of a threat occurring and the impact it would have.

 Example: The risk of a data breach due to unpatched software.

 Reference: Vulnerability vs. Threat vs. Risk

🧠 Exploit vs. Attack vs. Incident

Exploit:

 Definition: A piece of code or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior.

 Example: A script that leverages a buffer overflow to execute arbitrary code.

 Reference: What are Vulnerabilities, Exploits, and Threats?

Attack:

 Definition: The deliberate act of exploiting a vulnerability to compromise a system or network.

 Example: A hacker deploying ransomware after exploiting a software flaw.

 Reference: What are Vulnerabilities, Exploits, and Threats?

Incident:

 Definition: An event that has actual or potential consequences for the security of an
information system. It may involve a breach or compromise.

 Example: A data breach where sensitive information is accessed without authorization.

 Reference: What are Vulnerabilities, Exploits, and Threats?


Keep these definitions crisp — interviewers often ask you to explain the difference between threat,
vulnerability, and risk.

2. tty and Linux virtual consoles (tty1)

 tty = teletype / terminal device. Modern Linux uses virtual terminals called tty1, tty2, etc.
tty1 is typically the first text console (login prompt).

 Switching: Ctrl+Alt+F1..F6 (GUI may be on F1 or F7 depending on distro). To return to the GUI, use the key for the GUI VT (often Ctrl+Alt+F2 or F7).

 Commands:

o tty — shows current terminal.

o who or w — shows logged in users and ttys.

o chvt 1 (run as root) — switch VT programmatically.

o Check getty services: systemctl status getty@tty1.service.

 Practical use: use ttys to troubleshoot when GUI freezes or X fails. Useful for incident
response on Linux systems.

3. Detection metrics & confusion matrix (TP / FP / FN / TN)

A detection system (SIEM/EDR rule) can be evaluated with the confusion matrix:

Actual \ Predicted   | Alert = Yes        | Alert = No
Malicious (positive) | TP (true positive) | FN (false negative)
Benign (negative)    | FP (false positive) | TN (true negative)

Formulas:

 Precision = TP / (TP + FP) — of alerts raised, how many are real.

 Recall (TPR) = TP / (TP + FN) — of all real attacks, how many did we detect.

 Accuracy = (TP + TN) / (TP + TN + FP + FN).

 F1 score = 2 × (Precision × Recall) / (Precision + Recall).

SOC priorities:

 False negatives are most dangerous (missed breaches).

 False positives waste analyst time — tune rules, add context, and create triage playbooks. (Explanation & metrics examples from machine-learning resources.)
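The confusion-matrix formulas above, worked through on a labelled alert set as an added example (not part of the original notes). The events, scores and `malicious` ground-truth labels are constructed; the threshold sweep shows the precision/recall trade-off that rule tuning is about, and guards the divide-by-zero cases (no alerts, no positives).

```python
"""Score a SIEM/EDR rule against labelled ground truth with the confusion matrix."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scored:
    host: str
    score: int        # the rule's suspicion score, e.g. failed logons in 5 minutes
    malicious: bool   # ground truth confirmed by investigation


# Constructed sample: two real intrusions among several noisy-but-benign hosts.
EVENTS = [
    Scored("ws01", 2, False),
    Scored("ws02", 45, True),    # password spray that succeeded
    Scored("ws03", 12, False),   # misconfigured service account retrying
    Scored("ws04", 0, False),
    Scored("ws05", 30, True),    # brute force
    Scored("ws06", 9, False),
    Scored("ws07", 25, False),   # vulnerability scanner in the same subnet
    Scored("ws08", 1, False),
]


def confusion_matrix(events, threshold):
    """Alert when score >= threshold; count TP/FP/FN/TN against ground truth."""
    tp = fp = fn = tn = 0
    for e in events:
        alert = e.score >= threshold
        if alert and e.malicious:
            tp += 1
        elif alert and not e.malicious:
            fp += 1
        elif not alert and e.malicious:
            fn += 1
        else:
            tn += 1
    return {"TP": tp, "FP": fp, "FN": fn, "TN": tn}


def metrics(cm):
    """Precision, recall, accuracy and F1 from the matrix; 0.0 where the ratio is undefined."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    accuracy = (tp + tn) / (tp + tn + fp + fn)
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "accuracy": accuracy, "f1": f1}


def sweep(events, thresholds):
    """Metrics per threshold: lowering it raises recall (fewer FN) at the cost of precision (more FP)."""
    return {t: metrics(confusion_matrix(events, t)) for t in thresholds}


if __name__ == "__main__":
    for t, m in sweep(EVENTS, (5, 10, 20, 28, 40)).items():
        print(f"threshold={t:>3}  P={m['precision']:.2f}  R={m['recall']:.2f}  F1={m['f1']:.2f}")
```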

4. AAA — Authentication, Authorization, Accounting

Authentication (who you are): password, certificate, SSH key, MFA (TOTP/push/hardware token).
Protocols: LDAP, Kerberos (Active Directory), RADIUS, SAML/OAuth2/OpenID Connect for web SSO.

Authorization (what you can do): access control — ACLs, RBAC (roles), ABAC (attributes). Principle:
least privilege.

Accounting (what you did): logging/auditing (login, commands, change records). Used for forensics,
billing, compliance.

Notes:

 RADIUS vs TACACS+: RADIUS commonly for network access (combines auth & authz), TACACS+ separates AAA and gives more granular command accounting for device management. Cisco docs cover practical config options.

5. Core threat concepts (TTPs, IoC, IoA, Threat Actor)

 TTP (Tactics, Techniques, Procedures): describes how adversaries operate (why and how).
Tactics = high-level objective (e.g., Initial Access), Techniques = methods (e.g., Phishing),
Procedures = exact steps/tools used. This is the basis of MITRE ATT&CK mapping.

 Threat actor: the individual or group performing the attack (script kiddie, cybercriminal,
APT).

 Why it matters: focusing on TTPs helps you detect behavioral patterns (IOA) rather than just
static signatures (IoCs). Mapping observed activity to ATT&CK helps prioritize detection and
response.

6. MITRE ATT&CK — how to use it (in depth)

What it is: a curated, community-fed knowledge base of adversary behavior: tactics (columns) and
techniques/sub-techniques (cells) organized into matrices (Enterprise, Mobile, ICS). Each technique
links to real examples, mitigations, detections.

Core enterprise tactics (examples):

 Initial Access: phishing (T1566), drive-by, supply-chain.

 Execution: command-line (PowerShell T1059), scheduled tasks.

 Persistence: registry run keys, account creation.

 Privilege Escalation: token manipulation, exploits.

 Defense Evasion: obfuscation, disabling logging.

 Credential Access: credential dumping (LSASS/Proc), keylogging.

 Discovery: network scanning, AD enumeration.

 Lateral Movement: remote services, pass-the-hash/ticket.


 Collection & Exfiltration: staging data, DNS tunneling, cloud storage upload.

 Impact: ransomware, data destruction.

Practical uses in SOC:

 Map your detection coverage to ATT&CK techniques; identify gaps.

 Use ATT&CK for adversary emulation (red team) to test detection.

 Create detection rules that map to techniques rather than only to IoCs.

Tip: memorize common techniques for initial access, persistence, Lateral Movement, and exfiltration
— interviewers like concrete technique names mapped to defenses.

7. Cyber Kill Chain — stages & defensive actions (Lockheed Martin)

Stages (typical):

1. Reconnaissance — attacker gathers information (open sources, scanning). Defend: threat intel, limit public exposure, detect scans.

2. Weaponization — attacker pairs exploit with payload (malicious doc, exploit kit). Defend:
sandboxing, macro policies.

3. Delivery — send payload (phishing, USB). Defend: email gateway controls, user training.

4. Exploitation — exploit a vulnerability to execute. Defend: patching, WAF, input validation.

5. Installation — persistent malware installed. Defend: endpoint protection, app whitelisting.

6. Command & Control (C2) — infected host connects out for instructions. Defend: egress
monitoring, block malicious domains, DNS logs.

7. Actions on Objectives — data exfiltration, lateral movement, encryption. Defend: DLP, segmentation, backups.

Why use it with ATT&CK: Kill Chain gives a stage-based view (good for planning detection points), ATT&CK gives specific techniques/actions at each stage. Use both: one for timeline, one for technique mapping.

8. Incident Response (NIST SP 800-61 Rev 3) — detailed steps & checklists

NIST’s recommended phases (common best practice):

1. Preparation — policies, IR team, playbooks, tools, backups, tabletop exercises.

2. Detection & Analysis — monitoring, triage, containment decision, preserve evidence, assign
severity.

3. Containment, Eradication & Recovery — isolate hosts, remove malware, patch, restore services from clean backups. Differentiate short-term containment (stop spread) vs long-term (remove persistence).

4. Post-Incident Activity (Lessons Learned) — root cause analysis, remediation plan, update controls and playbooks.

Checklist for initial detection:

 Identify affected system(s) and scope.

 Capture volatile data (memory, active network connections).

 Collect logs (EDR, firewall, syslog, CloudTrail).

 Preserve disk images for forensics.

 Notify stakeholders and legal if required.

Evidence handling: keep chain of custody: who accessed what evidence and when. This is vital for
legal/regulatory actions.

9. Threat Intelligence, Threat Analysis, Detection, and Response

Threat Intelligence (TI): curated data about threats (IoCs, actors, campaigns, TTPs). Types:

 Strategic: high-level trends for leadership.

 Operational: campaign info (who is attacking, tools).

 Tactical: TTPs and detection rules.

 Technical: IoCs (IPs, domains, file hashes).

Threat Analysis: contextualizes TI against your org: Which assets are targeted? What’s the risk?
Prioritize alerts using asset criticality.

Threat Detection: signature-based (IoC), anomaly/behavioral (IOA), correlation-based (SIEM rules). Use layered detection: network+endpoint+identity.

Threat Response: automated and manual playbooks to isolate, block, remediate. Automate low-risk
tasks (block known-malicious IPs) and human-review high-risk ones.

Operational tip: integrate TI into SIEM/EDR so detections use up-to-date IoCs and TTP mappings.

10. Malware & virus types (with detection hints)

Categories & detection hints:

 Virus: attaches to executables/documents. Look for modified binaries, strange checksum changes.

 Worm: propagates across network. Look for scanning behavior and rapid lateral traffic.

 Trojan: disguised app; detect via unusual behavior of benign-looking process.

 Ransomware: mass file encryption, ransom note files, sudden file renames. Detect with file activity monitoring and backups.

 Rootkit: hides presence (hooks kernel). Detect via integrity checks and memory analysis.

 Backdoor / C2: unusual outbound connections, beaconing patterns.

 Botnet: periodic C2 check-ins, common process families across hosts.

 Fileless malware: lives in memory or uses legitimate tools (PowerShell, WMI). Detect via
process command-line logging, script block logging, AMSI telemetry.

 Polymorphic/metamorphic: signature evasion; focus on behavior and heuristics.

11. Malware analysis — static, dynamic, memory (tools & lab)

Static analysis (no execution):

 Tools: file, strings, pefile, peframe, Ghidra/IDA for disassembly.

 Outputs: file type, imports, sections, suspicious strings, compile timestamps. Good for fast
triage.

Dynamic analysis (execute in sandbox):

 Tools: Cuckoo Sandbox, REMnux distributions, instrumented Windows VM (Procmon, Process Explorer), Wireshark.

 Observations: created files, spawned processes, registry changes, network connections, dropped payloads.

Memory forensics:

 Tools: Volatility, Rekall. Useful for detecting in-memory injection, dumped credentials,
rootkits.

Safe setup: Do analysis in isolated VLAN or offline VM cluster, snapshot before execution, no real
credentials on analysis host.

Flow to create IOCs: static strings/hashes → dynamic network indicators (IP/domain) → YARA rule
creation → push to SIEM/EDR.
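The first two steps of that IOC flow (static strings/hashes, then a draft YARA rule for the SIEM/EDR push), as an added example that is not from the original notes or any of the tools it names. SAMPLE is a constructed byte blob standing in for a suspicious file; the rule name, tag and keyword list are assumptions, and the indicators inside it are documentation/test values.

```python
"""Static triage of a sample: hashes, printable strings, candidate IOCs and a draft YARA rule."""
import hashlib
import re

# Constructed stand-in for a dropper: non-printable filler around a few telling strings.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"http://updates.example-malware.test/gate.php\x00"
          + b"\xde\xad" * 5
          + b"C:\\Users\\Public\\svchost32.exe\x00"
          + b"powershell -enc \x00"
          + b"\x01\x02" * 7
          + b"198.51.100.7\x00")

MIN_STRING = 6
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUSPICIOUS_KEYWORDS = ("powershell", "cmd.exe", "rundll32")   # assumed triage keywords


def hashes(data):
    """File hashes are the first IOCs to record and share."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def strings(data):
    """Equivalent of `strings -n 6`: runs of printable ASCII of at least MIN_STRING chars."""
    return [m.decode("ascii") for m in PRINTABLE.findall(data)]


def extract_iocs(found):
    """Pull network indicators and Windows paths out of the string list."""
    iocs = {"urls": [], "ips": [], "paths": []}
    for s in found:
        iocs["urls"] += URL_RE.findall(s)
        iocs["ips"] += [ip for ip in IPV4_RE.findall(s)
                        if all(int(octet) <= 255 for octet in ip.split("."))]
        if re.match(r"^[A-Za-z]:\\", s):
            iocs["paths"].append(s)
    return iocs


def yara_rule(name, sha256, found, tag="dropper"):
    """Draft a rule from distinctive strings; an analyst prunes generic ones before deploying."""
    distinctive = [s for s in found
                   if URL_RE.search(s) or IPV4_RE.search(s) or "\\" in s
                   or any(k in s.lower() for k in SUSPICIOUS_KEYWORDS)]
    if not distinctive:
        raise ValueError("no distinctive strings to build a rule from")
    lines = [f"rule {name} : {tag}", "{", "    meta:",
             f'        sha256 = "{sha256}"', "    strings:"]
    for i, s in enumerate(distinctive):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii wide')
    # uint16(0) == 0x5A4D is the "MZ" PE header check; require two of the strings, not all.
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {min(2, len(distinctive))} of ($s*)",
              "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    h = hashes(SAMPLE)
    found = strings(SAMPLE)
    print(h["sha256"])
    print(extract_iocs(found))
    print(yara_rule("Dropper_Demo", h["sha256"], found))
```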

12. SIEM / EDR / IDS / IPS differences & how they work together

 SIEM (Security Information and Event Mgmt): central log aggregation, normalization,
correlation, long-term storage, dashboards, compliance reporting (e.g., Splunk, ELK/Elastic).
Good for long-term investigations, correlation of disparate logs.

 EDR (Endpoint Detection & Response): agent on endpoints capturing process, file, registry,
memory events and enabling containment (e.g., CrowdStrike, SentinelOne). Great for high-
fidelity endpoint telemetry and response actions.

 IDS (Intrusion Detection System): monitors network traffic for signatures/anomalies (Snort,
Suricata). Generates alerts.

 IPS (Intrusion Prevention System): can act on traffic (block/reset), inline prevention.

Best practice: Use EDR for endpoint telemetry/response, SIEM to aggregate and correlate many data sources (including EDR), IDS/IPS for network signatures and perimeter detection.

13. Common ports & services (cheat sheet) — memorize the main ones (IANA authoritative)

Memorize these first:

 21 FTP, 22 SSH, 23 Telnet (plaintext), 25 SMTP, 53 DNS, 80 HTTP, 110 POP3, 123 NTP, 143
IMAP, 161/162 SNMP, 389 LDAP, 443 HTTPS, 445 SMB, 3389 RDP.

Important investigative notes:

 SMB (445) is often targeted for lateral movement and ransomware.

 DNS (53) logs are crucial for detecting DNS tunneling exfiltration.

 RDP (3389) exposed to internet is high risk — look for brute force attempts.

14. Active Directory (AD) & common enterprise attack techniques (high-level)

Common AD attacks:

 Pass-the-Hash / Pass-the-Ticket — attacker reuses authentication tokens to move laterally. Detect with anomalous lateral logins, atypical credential usage, suspicious NTLM/RPC activity.

 Golden Ticket / Silver Ticket — forged Kerberos tickets to impersonate accounts — detect
via unusual Kerberos events and mismatched logon locations.

 DC compromise — central control: look for abnormal service installs, unexpected user
creation, changes to group memberships.

Detection pointers: collect event logs from domain controllers (ticket events, account
creation/modification, replication changes), monitor privileged group changes and scheduled tasks.

15. Useful logs & event IDs to collect

Windows (important events):

 Process creation — Security Event ID 4688 (the command line is only recorded when the audit policy option for it is enabled).

 Logon events: 4624 (successful logon), 4625 (failed logon) — watch for brute force and
lateral movement.

 Audit Policy changes, Privilege use events — track if an attacker modifies logging.

 Microsoft Defender/CrowdStrike EDR logs — process, file, detection events.

Linux:

 /var/log/auth.log or /var/log/secure — auth attempts.

 auditd logs — syscall audits (file access, use of execve).

 syslog, dmesg — kernel and system messages.

Network devices / cloud:

 Firewall logs (src/dst/port, bytes), Proxy logs (HTTP requests), IDS alerts, CloudTrail (AWS),
Azure Activity logs.

Tip: log rotation & retention policies matter for forensics — keep critical logs for a sufficiently long
period per policy/compliance.
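The brute-force and lateral-movement hunt over 4624/4625 events described above, as an added example (not from the original notes). The log lines are constructed; the field names (EventID, TargetUserName, IpAddress, LogonType) are the ones in Windows Security event data, but the pipe-separated layout is an assumed SIEM export format, not a native Windows one.

```python
"""Correlate Windows 4625/4624 logon events to spot brute force and its success."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: time|EventID|TargetUserName|IpAddress|LogonType
LOG = """\
2024-05-01T10:00:01|4625|jsmith|10.0.5.23|3
2024-05-01T10:00:02|4625|jsmith|10.0.5.23|3
2024-05-01T10:00:03|4625|jsmith|10.0.5.23|3
2024-05-01T10:00:04|4625|jsmith|10.0.5.23|3
2024-05-01T10:00:05|4625|jsmith|10.0.5.23|3
2024-05-01T10:00:09|4624|jsmith|10.0.5.23|3
2024-05-01T10:02:00|4625|admin|203.0.113.9|10
2024-05-01T10:02:01|4625|admin|203.0.113.9|10
2024-05-01T10:02:02|4625|admin|203.0.113.9|10
2024-05-01T10:02:03|4625|admin|203.0.113.9|10
2024-05-01T10:02:04|4625|admin|203.0.113.9|10
2024-05-01T10:02:05|4625|admin|203.0.113.9|10
2024-05-01T10:30:00|4625|bob|10.0.7.4|2
2024-05-01T10:30:40|4624|bob|10.0.7.4|2
"""

WINDOW = timedelta(minutes=5)   # sliding window per source address
THRESHOLD = 5                   # 4625s inside the window that count as a burst
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}


def parse(text):
    """Turn the export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip, ltype = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "ip": ip, "type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])


def _alert(kind, event, failures):
    return {"kind": kind, "user": event["user"], "failures": failures,
            "logon_type": LOGON_TYPES.get(event["type"], str(event["type"]))}


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per source IP: a burst of 4625s, upgraded if a 4624 from the same source follows."""
    failures = defaultdict(list)   # ip -> timestamps of 4625s still inside the window
    alerts = {}
    for e in events:
        recent = [t for t in failures[e["ip"]] if e["time"] - t <= window]
        failures[e["ip"]] = recent
        if e["id"] == 4625:
            recent.append(e["time"])
            already_success = alerts.get(e["ip"], {}).get("kind") == "brute_force_success"
            if len(recent) >= threshold and not already_success:
                alerts[e["ip"]] = _alert("brute_force_attempt", e, len(recent))
        elif e["id"] == 4624 and len(recent) >= threshold:
            # Failures then a success from the same source: treat as a compromised credential.
            alerts[e["ip"]] = _alert("brute_force_success", e, len(recent))
    return alerts


if __name__ == "__main__":
    for ip, a in detect(parse(LOG)).items():
        print(f"{ip}: {a['kind']} user={a['user']} failures={a['failures']} via {a['logon_type']}")
```

A single failed logon followed by a success (bob, a typo) correctly produces no alert; the external RDP source (LogonType 10) is the one to escalate first.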

16. Commands & tools quick reference (copy these into one-page cheat sheet)

Network:

 nmap -sS -Pn -T4 -p- <target> — TCP SYN scan all ports (authorized use only).

 tcpdump -i eth0 -w capture.pcap — capture traffic.

 tshark -r capture.pcap -Y "http.request" — filter.

Host / process:

 ss -tuln / netstat -tulnp — listening ports.

 ps aux --sort=-%mem — processes.

 Sysinternals (Windows): Procmon, Process Explorer, Autoruns.

Malware / forensics:

 strings sample.exe — quick textual artifacts.

 yara -r rules.yar sample — match sample to YARA rules.

 volatility -f memory.img pslist — list processes in memory image.

SIEM / logging: learn query languages: Splunk SPL, Elastic/Kibana KQL, Graylog.

17. Interview prep checklist: concepts + short answers to memorize

Memorize short, crisp definitions and examples for:

 CIA triad; AAA; difference between IDS & IPS; SIEM vs EDR; common ports; OSI model layers & example attacks; Incident Response phases; MITRE ATT&CK high-level tactic names and a few techniques (Phishing T1566, PowerShell T1059, Lateral Movement T1021, Credential Dumping T1003). Use the ATT&CK site as the source for exact technique IDs.

Practice scenario answers:

 Ransomware response steps (detection → isolate → identify variant → restore from backups → lessons learned).

 Investigative steps for an outbound large data transfer (collect host logs, network flow, block egress, preserve evidence).

🔐 SHA-256 vs. RSA: Understanding the Differences

🔹 SHA-256: A Cryptographic Hash Function

 Purpose: SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that
takes an input (or 'message') and returns a fixed-size string of bytes. The output is typically a
64-character hexadecimal number.

 Characteristics:

o One-Way Function: It's computationally infeasible to reverse the process and retrieve the original input from the hash value.

o Deterministic: The same input will always produce the same output.

o Avalanche Effect: A small change in the input drastically changes the output hash.

o Collision-Resistant: It's highly unlikely that two different inputs will produce the
same hash output.

 Common Uses:

o Data Integrity: Verifying that data has not been altered.

o Digital Signatures: Ensuring the authenticity and integrity of messages.

o Password Storage: Storing passwords securely (often with added salt).

 Example: When you download software, the website might provide a SHA-256 hash of the
file. After downloading, you can hash the file on your system and compare it to ensure the
file hasn't been tampered with.

🔹 RSA: An Asymmetric Encryption Algorithm

 Purpose: RSA (Rivest–Shamir–Adleman) is an asymmetric encryption algorithm used for secure data transmission. It uses a pair of keys: a public key for encryption and a private key for decryption.

 Characteristics:

o Asymmetric: Different keys are used for encryption and decryption.

o Key Length: Typically uses key sizes of 2048 bits or more, providing a high level of
security.

o Based on Mathematical Problems: Security relies on the difficulty of factoring the product of two large prime numbers.

 Common Uses:

o Digital Signatures: Verifying the authenticity of messages and documents.

o Secure Key Exchange: Safely exchanging symmetric keys over an insecure channel.

o Encrypting Small Data: Encrypting small pieces of data, such as symmetric keys or hashes.

 Example: In a secure email system, RSA can be used to encrypt the symmetric key used to
encrypt the email content, ensuring that only the intended recipient can decrypt it.

🔄 How They Work Together

In many security protocols, SHA-256 and RSA are used in tandem to provide both data integrity and
confidentiality.

1. Creating a Digital Signature:

o First, the message is hashed using SHA-256.

o Then, the hash is encrypted with the sender's private RSA key, creating a digital
signature.

2. Verifying a Digital Signature:

o The recipient decrypts the signature using the sender's public RSA key to retrieve the
hash.

o The recipient then hashes the received message using SHA-256.

o If the computed hash matches the decrypted hash, the message is authentic and
unaltered.

This combination ensures that the message has not been tampered with (integrity) and that it indeed
comes from the claimed sender (authenticity).

🧠 Summary Table

Feature             | SHA-256                            | RSA
Type                | Cryptographic Hash Function        | Asymmetric Encryption Algorithm
Key Usage           | None (hashes data)                 | Public and Private Keys
Operation           | One-way (irreversible)             | Two-way (encryption and decryption)
Output              | Fixed-size hash value              | Variable-size encrypted data
Common Applications | Data Integrity, Digital Signatures | Secure Communication, Digital Signatures

Digital forensics is the process of investigating digital devices—such as computers, smartphones, servers, and IoT devices—to uncover and analyze data that can serve as evidence in criminal, civil, or corporate investigations. This field is pivotal in cases involving cybercrimes, data breaches, intellectual property theft, and more.

Core Phases of Digital Forensics

The digital forensics process typically follows a structured sequence to ensure the integrity and reliability of evidence:

1. Identification: Recognizing potential sources of digital evidence relevant to the investigation.

2. Preservation: Ensuring the integrity of the evidence by preventing any alteration or tampering. This often involves creating forensic images of the original data.

3. Collection: Gathering the digital evidence in a manner that maintains its integrity, often
adhering to legal and procedural standards.

4. Examination: Analyzing the collected data to identify relevant information, such as deleted
files, logs, or artifacts.

5. Analysis: Interpreting the examined data to reconstruct events, identify perpetrators, and
establish timelines.

6. Reporting: Documenting findings in a clear and concise manner, often culminating in a report
that can be presented in legal proceedings.

7. Presentation: Delivering the findings in a court of law or to stakeholders, ensuring the evidence is understood and its integrity is upheld.

🧰 Common Digital Forensics Tools

Digital forensics professionals utilize a variety of tools to aid in their investigations:

 The Sleuth Kit (TSK): A collection of command-line tools and libraries for analyzing disk
images.

 Autopsy: A graphical user interface (GUI) for TSK, facilitating easier analysis of digital
evidence.

 EnCase: A commercial tool widely used for acquiring, analyzing, and reporting on digital
evidence.

 FTK (Forensic Toolkit): A comprehensive suite for data analysis, including email and registry
analysis.

 Wireshark: A network protocol analyzer useful in network forensics to capture and analyze
network traffic.

 Volatility: An open-source memory forensics framework for analyzing RAM dumps.

🌐 Specialized Branches of Digital Forensics

Digital forensics encompasses several specialized areas:

 Computer Forensics: Focuses on data from computers and storage devices.

 Mobile Device Forensics: Deals with data extraction and analysis from smartphones and tablets.

 Network Forensics: Involves capturing and analyzing network traffic to identify malicious activities.

 Cloud Forensics: Addresses challenges in collecting and analyzing data stored in cloud
environments.

 IoT Forensics: Investigates data from Internet of Things devices, which may have limited
storage and processing capabilities.

⚠️Emerging Challenges in Digital Forensics

The field of digital forensics faces several evolving challenges:

 Encryption: Encrypted data poses significant hurdles in accessing and analyzing information
without proper decryption keys.

 Cloud Computing: Data stored across multiple jurisdictions complicates legal considerations
and data retrieval.

 AI-Generated Content: The rise of deepfakes and AI-generated media challenges the
authenticity and verification of digital evidence.

 Volume of Data: The sheer amount of data generated daily requires advanced tools and
techniques to process and analyze effectively.

🧭 Practical Applications of Digital Forensics

Digital forensics plays a crucial role in various scenarios:

 Cybercrime Investigations: Analyzing devices involved in hacking, malware distribution, or unauthorized data access.

 Data Breach Analysis: Determining the cause and impact of unauthorized data disclosures.

 Corporate Investigations: Examining employee devices for policy violations or intellectual property theft.

 Legal Proceedings: Providing digital evidence in court to support or refute claims.
