Overview
This lecture covers the foundational concepts, tools, and practical skills needed for entry-level roles in Security Operations Centers (SOC), focusing on phishing analysis, network security, and endpoint security monitoring using hands-on labs and real-world examples.
Course Introduction & Objectives
- SOC 101 is an introductory course for aspiring or current security analysts.
- The course emphasizes practical skills using realistic tools and scenarios for job readiness.
- Topics include SOC fundamentals, phishing analysis, network and endpoint security, SIEM, and incident response.
- Labs use virtual machines (Windows and Ubuntu) for hands-on activities.
- Prior knowledge of basic IT, networking, and OS concepts is recommended.
Lab Setup & Prerequisites
- Install Oracle VirtualBox as the hypervisor; recommended system: 64-bit CPU, 8GB+ RAM, 80-100GB storage.
- Create both Windows 10 and Ubuntu VMs; install VirtualBox guest additions for usability.
- Disable Windows Defender (real-time protection) inside the Windows lab VM so malware samples and analysis tooling are not quarantined; do this only in the isolated VM, never on the host machine.
- Download course files using Git and organize them on VMs.
- Put both VMs on a VirtualBox NAT Network: the VMs can reach each other and the internet through NAT, but nothing on the host LAN can reach them unless you add a port forward, which keeps lab traffic and samples contained.
SOC Fundamentals
- A SOC (Security Operations Center) is a centralized unit for monitoring, detecting, analyzing, and responding to security incidents.
- Key SOC functions: monitoring, detection, analysis, response.
- SOC structure: people (analysts, engineers), processes (playbooks, IR plans), technology (SIEM, IDS/IPS, EDR).
- SOC supports the CIA triad: Confidentiality, Integrity, Availability.
- SOCs can be internal, managed (outsourced), or hybrid.
Key Terms, Tools, & Concepts
- Phishing is a prevalent attack targeting users via deceptive emails, URLs, and attachments.
- Email analysis reviews the headers (the Received chain, Return-Path and Reply-To versus From, the Authentication-Results stamped by the receiving mail server for SPF/DKIM/DMARC), the body content, every URL, and every attachment.
- Use tools like Thunderbird, Sublime Text, CyberChef, VirusTotal, URLScan.io, and Wireshark. Look up a file's hash on VirusTotal before uploading the file itself: uploaded samples are shared with other users of the service.
- Network security covers protocols (TCP/IP), packet/flow analysis, and intrusion detection/prevention (IDS/IPS).
- tcpdump and Wireshark are essential tools for both real-time capture and offline PCAP analysis.
- Endpoint security involves monitoring systems for process, file, network, and registry changes using tools like EDR, antivirus, HIDS/HIPS.
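Added example, not part of the course materials: a Python script (standard library only) that applies the header, body, URL and attachment checks listed above to a constructed sample message. The message, its domains (bank.example, mailer-example.net, victim.example), the IPs and the tiny base64 attachment are all made up for the demo; the checks themselves are the ones an analyst would otherwise do by hand in Thunderbird or a text editor.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the demo: addresses, domains and IPs are made up
# (RFC 5737 documentation ranges); the attachment is a 27-byte fake PE header.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mailer-example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id ABC123
\tfor <alice@victim.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx.example.com with ESMTPA; Mon, 01 Jan 2024 09:59:50 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@mailer-example.net
To: alice@victim.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.bank.example.evil-example.net/verify">login to bank.example</a> now.</p>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b', re.I)
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.I)
IPV4_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk")


def _domain(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    return parseaddr(str(header_value or ""))[1].lower().rpartition("@")[2]


def analyze_email(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # Sender consistency: Return-Path (bounce address) and Reply-To should agree with From.
    from_domain = _domain(msg.get("From"))
    for hdr in ("Return-Path", "Reply-To"):
        d = _domain(msg.get(hdr))
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d} differs from From domain {from_domain}")

    # Authentication-Results is stamped by the receiving MTA; SPF/DKIM/DMARC verdicts live here.
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    for mech, verdict in auth.items():
        if verdict in ("fail", "softfail", "permerror"):
            findings.append(f"{mech.upper()} verdict is {verdict}")

    # Each hop prepends a Received header, so the last one is closest to the true sender.
    origin_ips = []
    for hop in reversed(msg.get_all("Received", [])):
        origin_ips.extend(IPV4_RE.findall(str(hop)))
    origin_ips = list(dict.fromkeys(origin_ips))

    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "(unnamed)"
            data = part.get_payload(decode=True) or b""
            is_pe = data[:2] == b"MZ"
            attachments.append({"name": name, "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest(), "is_pe": is_pe})
            if name.lower().endswith(RISKY_EXT):
                findings.append(f"Attachment {name} has an executable extension")
            if name.count(".") > 1:
                findings.append(f"Attachment {name} uses a double extension")
            if is_pe:
                findings.append(f"Attachment {name} starts with an MZ (Windows executable) header")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            urls.extend(URL_RE.findall(body))
            # Display text naming one domain while the href goes elsewhere is the classic lure.
            for href, text in ANCHOR_RE.findall(body):
                host = (urlparse(href).hostname or "").lower()
                for shown in DOMAIN_RE.findall(text):
                    shown = shown.lower()
                    if host != shown and not host.endswith("." + shown):
                        findings.append(f"Link text shows {shown} but href points to {host}")

    return {"from_domain": from_domain, "auth": auth, "origin_ips": origin_ips,
            "urls": urls, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    for key in ("from_domain", "auth", "origin_ips", "urls", "attachments"):
        print(f"{key}: {report[key]}")
    for f in report["findings"]:
        print("FINDING:", f)
```

The hash in the attachment record is what to look up on VirusTotal; the origin IP and the URL host are what to check on URLScan.io. Each finding string is already phrased as a line of evidence for the investigation write-up.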
Methodologies & Best Practices
- Apply a structured methodology in investigations: triage, header/content/URL/attachment analysis, documentation, and response.
- Use lab simulation tools (Metasploit) inside the isolated lab network to safely generate attack traffic and endpoint activity to investigate.
- Documentation should include evidence, analysis steps, verdict, and actions taken.
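Added example, not from the course: a minimal libpcap parser in Python (standard library only) that decodes Ethernet/IPv4/TCP headers the way tcpdump or Wireshark do, then runs a simple flow check over the result to spot a SYN scan, the kind of traffic a port-scan module in a lab attack scenario produces. The capture is built inside the script from constructed packets (documentation-range addresses, zeroed checksums), the scan threshold is an assumed value, and pcapng files are deliberately not handled.

```python
import socket
import struct
from collections import Counter, defaultdict

TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x04: "RST", 0x01: "FIN", 0x08: "PSH"}


def _ipv4_tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Build one Ethernet/IPv4/TCP frame for the constructed capture (checksums left 0)."""
    eth = bytes(12) + b"\x08\x00"                                  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, linktype 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def _decode_frame(frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # need Ethernet + IPv4 header
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23]}
    tcp_off = 14 + ihl
    if pkt["proto"] != 6 or len(frame) < tcp_off + 14:
        return pkt                                               # non-TCP or truncated: L3 only
    sport, dport, seq, ack, _offres, flags = struct.unpack_from("!HHIIBB", frame, tcp_off)
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
               flag_names=[n for bit, n in TCP_FLAGS.items() if flags & bit])
    return pkt


def parse_pcap(data):
    """Decode a libpcap file into per-packet dicts (Ethernet/IPv4/TCP; pcapng is not handled)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)      # byte order of the writer
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = _decode_frame(frame)
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_usec / 1_000_000
            packets.append(pkt)
    return packets


def flow_summary(packets):
    """Packets per (src, dst, dport): the conversations view an analyst starts from."""
    return Counter((p["src"], p["dst"], p["dport"]) for p in packets if "dport" in p)


def detect_syn_scan(packets, min_ports=3):
    """Sources that sent bare SYNs (SYN set, ACK clear) to >= min_ports distinct ports on one host.
    min_ports is an assumed demo threshold; tune it to the environment's normal behaviour."""
    targets = defaultdict(set)
    for p in packets:
        if "dport" in p and p["flags"] & 0x12 == 0x02:
            targets[(p["src"], p["dst"])].add(p["dport"])
    return sorted({src for (src, _dst), ports in targets.items() if len(ports) >= min_ports})


# Constructed capture: one normal TCP three-way handshake to port 443, then a four-port
# SYN scan from 198.51.100.7 against the same host.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 443, 0x02, seq=1),
    _ipv4_tcp_frame("10.0.0.9", "10.0.0.5", 443, 51000, 0x12, seq=100, ack=2),
    _ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 443, 0x10, seq=2, ack=101),
    _ipv4_tcp_frame("198.51.100.7", "10.0.0.9", 40000, 22, 0x02),
    _ipv4_tcp_frame("198.51.100.7", "10.0.0.9", 40001, 80, 0x02),
    _ipv4_tcp_frame("198.51.100.7", "10.0.0.9", 40002, 445, 0x02),
    _ipv4_tcp_frame("198.51.100.7", "10.0.0.9", 40003, 3389, 0x02),
])

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE_PCAP)
    for p in pk:
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} [{','.join(p['flag_names'])}]")
    print("flows:", dict(flow_summary(pk)))
    print("SYN scan sources:", detect_syn_scan(pk))
```

The same logic expressed as a Wireshark display filter is `tcp.flags.syn == 1 && tcp.flags.ack == 0`; the script adds the per-source distinct-port count that the filter alone does not give you.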
Action Items / Next Steps
- Set up and configure both Windows and Ubuntu VMs as detailed.
- Download, organize, and extract course files and bookmarks from the public repository.
- Complete lab exercises on phishing analysis, network security, and endpoint monitoring.
- Practice network and endpoint forensic analysis with the provided tools: review phishing emails, analyze PCAP files, and write detection rules.
- Explore recommended resources for additional PCAPs, malware samples, and phishing case studies.
Key Terms & Definitions
- SOC (Security Operations Center) — Central team that monitors and responds to security incidents.
- Phishing — Social engineering attack using deceptive messages to steal information or deliver malware.
- SIEM (Security Information and Event Management) — Platform for aggregating, correlating, and analyzing security logs/events.
- IDS/IPS — Tools for detecting (IDS) or preventing (IPS) network threats.
- Endpoint Security/EDR — Agents that record process, file, network, and registry activity on each host, let analysts search that telemetry, and can contain a compromised host.
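Added example that is not part of the course: a small rule engine in Python in the style of Sigma selections ("Field|modifier": value or list; entries ANDed, listed values ORed) run over constructed Sysmon-like process-creation and registry events, to show what writing detection rules over the endpoint telemetry defined above looks like before the rules are loaded into a SIEM or EDR. The event shape, hostnames, users, paths and the encoded PowerShell blob are assumptions for the demo.

```python
# Constructed endpoint events in a Sysmon-like shape (EventID 1 = process create,
# EventID 13 = registry value set). Hosts, users and the encoded blob are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgA"},
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Rules use Sigma-style selections: "Field|modifier": value-or-list. Entries are ANDed,
# a list of values is ORed, and string matching is case-insensitive (Windows paths are).
RULES = [
    {"name": "Office application spawned a command shell", "severity": "high",
     "selection": {"EventID": 1,
                   "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
                   "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"]}},
    {"name": "PowerShell launched with an encoded command", "severity": "medium",
     "selection": {"EventID": 1,
                   "Image|endswith": "\\powershell.exe",
                   "CommandLine|contains": [" -enc ", " -encodedcommand ", " -e "]}},
    {"name": "Run-key persistence pointing at a user-writable path", "severity": "medium",
     "selection": {"EventID": 13,
                   "TargetObject|contains": "\\CurrentVersion\\Run\\",
                   "Details|contains": ["\\AppData\\", "\\Temp\\", "\\Users\\Public\\"]}},
]


def _match_field(value, modifier, expected):
    """One selection entry: the value must satisfy the modifier for ANY listed option."""
    options = expected if isinstance(expected, list) else [expected]
    if not modifier:                         # no modifier: exact match on the raw value
        return value in options
    v, opts = str(value).lower(), [str(o).lower() for o in options]
    if modifier == "contains":
        return any(o in v for o in opts)
    if modifier == "startswith":
        return any(v.startswith(o) for o in opts)
    if modifier == "endswith":
        return any(v.endswith(o) for o in opts)
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(rule, event):
    """Every selection entry must match; a field missing from the event never matches."""
    for key, expected in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if field not in event or not _match_field(event[field], modifier, expected):
            return False
    return True


EVIDENCE_FIELDS = ("Image", "ParentImage", "CommandLine", "TargetObject", "Details")


def run_rules(events, rules=RULES):
    """One alert per (event, rule) hit, carrying the fields an analyst will document."""
    alerts = []
    for idx, event in enumerate(events):
        for rule in rules:
            if rule_matches(rule, event):
                alerts.append({"rule": rule["name"], "severity": rule["severity"],
                               "host": event.get("Computer"), "user": event.get("User"),
                               "event_index": idx,
                               "evidence": {f: event[f] for f in EVIDENCE_FIELDS if f in event}})
    return alerts


def alerts_by_host(alerts):
    """Group hits per host so a chain (macro -> shell -> PowerShell -> Run key) triages together."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["host"], []).append(a["rule"])
    return grouped


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['rule']}")
        for k, v in a["evidence"].items():
            print(f"    {k}: {v}")
```

Note that the encoded-command rule fires on the powershell.exe process-creation event, not on the cmd.exe parent whose command line also contains `-enc`; the Image condition keeps the two events distinct, and the per-host grouping is what ties them back together during triage.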