SOC Basics & Foundation

Uploaded by

rangudusumanth1
Copyright: © All Rights Reserved

Basics Concepts for SOC

FUNDAMENTAL & BASIC CONCEPTS OF CYBER SECURITY (SOC)

BY KUMAR RAJA REDDY T

Page 1 | 131

🌐 What Is the Internet?

📖 Definition:
The Internet is a global system of interconnected computer networks that
communicate using standardized protocols (primarily TCP/IP) to share
information and services across the world.
In simpler terms, it’s the infrastructure that connects computers,
smartphones, servers, and other devices—allowing them to exchange
data. It powers everything from emails and video calls to websites, social
media, cloud apps, and IoT devices.
Some key points:
 It's not the same as the World Wide Web—the web is just one
service that runs on the Internet.
 The Internet is made up of physical components like fiber-optic
cables, data centres, routers, and satellites.
 It supports diverse services: web browsing, email, file transfer,
online gaming, streaming, and more.

🌍 The Internet is one of humanity’s most transformative inventions—changing how we work, learn, connect, and live.

🔍 What is IANA?

If you've ever wondered how the global Internet stays coordinated and
conflict-free—especially with billions of connected devices and
services—meet IANA: the Internet Assigned Numbers Authority.

📌 Definition:
IANA is a key organization responsible for managing and coordinating some of the most fundamental elements that keep the Internet running smoothly. It operates under ICANN (Internet Corporation for Assigned Names and Numbers) and plays a behind-the-scenes role in the stability of the global Internet.

🌐 What Does IANA Do?

1. IP Address Allocation
IANA allocates blocks of IP addresses (both IPv4 and IPv6) to
the Regional Internet Registries (RIRs). These RIRs then
distribute them to ISPs, organizations, and users within their
regions.

2. DNS Root Zone Management
IANA manages the DNS root zone, which is the top-level of the Domain Name System (think .com, .org, .net, country codes like .uk, .in, etc.). This ensures every domain name leads you to the correct website.
3. Protocol Assignments
IANA maintains unique identifiers for Internet protocols, like
port numbers (e.g., HTTP uses port 80), protocol numbers, and
other technical standards—essential for interoperability across
the Internet.
4. Time Zone Database
It also maintains the Time Zone Database (used in many
computer systems globally), which tracks regional time changes
like daylight saving.

💡 Why Is IANA Important?

Without IANA’s centralized coordination:
 There would be conflicts in IP address usage.
 Domain names might not resolve correctly.
 Internet protocols would clash or fail, breaking communication
between systems.

In short, IANA is one of the silent pillars of the Internet—largely invisible to the average user but absolutely essential to its operation.

🌍 What is ICANN?
When you type a web address into your browser or register a domain
name for your business, you're tapping into a system that’s globally
coordinated—not by governments, but by a nonprofit organization you
might not have heard of: ICANN.

📌 Definition:
ICANN stands for the Internet Corporation for Assigned Names and
Numbers. It is a non-profit organization responsible for managing and
coordinating the unique identifiers that keep the Internet functioning
globally and securely.

🌐 Why Does ICANN Matter?

 It ensures no single country or entity controls the Internet.
 It protects the stability and security of global online communication.
 It supports a decentralized, open Internet that works
seamlessly for billions of users worldwide.
In a world where digital identity, security, and infrastructure are more
important than ever, ICANN’s quiet coordination ensures that the
Internet remains a trusted, global utility.

🚀 What is an Internet Protocol?

Whether you're streaming a video, sending an email, or browsing LinkedIn right now — you're using Internet Protocol (IP). But what exactly is it?

🔍 Internet Protocol (IP) is the foundational set of rules that enables devices to communicate over the Internet. Think of it as the postal system for the digital world. It ensures that data sent from one computer gets to the right destination.
Here's how it works:

📦 1. Breaking Data into Packets

Any message or file you send is split into smaller chunks called packets. Each packet contains two key things: the sender's IP address and the receiver's IP address.

🗺️ 2. Addressing and Routing

Each device connected to the internet has a unique identifier – its IP address (like 192.168.1.1 or IPv6 formats like 2001:0db8:85a3…). Routers use these addresses to find the best path for the packets to travel through the vast network of the internet.

🔁 3. Reassembly at the Destination

Once all packets arrive at the destination, the receiving device puts them back together in the correct order to reconstruct the original data.
There are two main versions in use:
 IPv4 (e.g., 192.168.0.1) – still widely used, but limited in
address capacity
 IPv6 (e.g., 2001:0db8:85a3…) – developed to support the
massive growth of internet-connected devices

💡 Why it matters
Without IP, the internet simply wouldn’t work. It enables everything
from real-time communication to secure financial transactions — all
invisibly happening in milliseconds.

🔌 What Is a PORT?

When we talk about cyber threats, firewalls, or penetration testing, the term “port” often comes up. But what exactly is a port?

📌 Definition of a Port (in Cybersecurity)

In cybersecurity and networking, a port is a logical access point used by computers to communicate over the Internet or a local network.
Think of an IP address as the street address of a device, and ports as apartment numbers—directing traffic to the right service or application.
 Ports are identified by numbers (0–65535)
 Managed by the Internet Assigned Numbers Authority
(IANA)
 Work with protocols like TCP and UDP

⚙️ Types of Ports:

1. Well-Known Ports (0–1023)
2. Registered Ports (1024–49151)
3. Dynamic/Private Ports (49152–65535)

🌐 What is an ISP?

Every time you scroll through LinkedIn, stream your favorite show, or
send an email — there’s a key player working behind the scenes to make
it all happen: your ISP, or Internet Service Provider.
But what exactly is an ISP?

🔍 Definition:
An Internet Service Provider (ISP) is a company or organization that
provides individuals and businesses access to the Internet. Without an
ISP, your devices can’t connect to the global network.

💡 Here’s How ISPs Work:


📡 1. Connection Provider:
ISPs connect you to the internet through various technologies like:

 Broadband (Cable/DSL)
 Fiber-optic
 Satellite
 Mobile Data (4G/5G)
 Wireless broadband

🏢 2. Infrastructure Owner or Reseller:
Some ISPs own massive infrastructure — fiber cables, satellites, and data centers. Others lease access from larger providers and resell it to end users.

🔐 3. Assigning IP Addresses:
ISPs assign an IP address to your device or network, allowing you to
send and receive data.

🌐 4. Routing and DNS Services:
They help route your internet traffic and resolve domain names (e.g., linkedin.com) into IP addresses using DNS (Domain Name System) services.

🛡️ 5. Security and Filtering:
Many ISPs provide additional features like firewalls, parental controls, VPNs, and anti-malware services.

💼 6. Business vs. Residential Services:

 Residential ISPs focus on home internet access.
 Business ISPs offer dedicated bandwidth, static IPs, cloud hosting, and enhanced security.

🚀 Why ISPs Matter:

ISPs are the gatekeepers of digital access. They control internet speed,
data limits, and service quality — making them critical to digital
inclusion, education, and innovation.
As technologies evolve — from 5G to satellite internet (like Starlink) —
ISPs are becoming more powerful players in shaping the future of
connectivity.

🛡️ What Is Cybersecurity?

In today’s digital-first world, cybersecurity isn’t just a technical function—it’s a business necessity.

Let’s break it down 👇

🔐 What Is Cybersecurity?
Cybersecurity refers to the practices, technologies, and processes used
to protect systems, networks, and data from cyber threats such as
hacking, malware, phishing, ransomware, and insider attacks.
The goal? Ensure the confidentiality, integrity, and availability (CIA)
of digital assets.

🧩 Key Cybersecurity-Related Teams in an Organization

1. Network Team

📡 Focus: Securing the infrastructure that connects all systems.

💼 Responsibilities:
 Design and maintain secure network architecture
 Configure firewalls, routers, and VPNs
 Monitor for unusual traffic or intrusions
 Segment networks to limit attack spread
They are your first line of defense—controlling what comes in and out of your network.

2. Server Team

🖥️ Focus: Managing the physical and virtual servers that host applications and data.
💼 Responsibilities:
 Ensure secure server configurations
 Apply patches and updates regularly
 Maintain backup and disaster recovery systems
 Harden operating systems to reduce risk
They are responsible for the core machines that power your IT infrastructure—keeping them stable and secure is vital.

3. Security Team

🛡️ Focus: Designing and enforcing security policies across the entire organization.
💼 Responsibilities:
 Conduct risk assessments and vulnerability scans
 Monitor logs and alerts (often from a SOC)
 Develop incident response plans
 Train staff on cybersecurity best practices
 Ensure compliance with regulations (like GDPR, HIPAA)
They are the strategists and defenders—ensuring that security is built into every layer of your IT stack.

4. Resident Engineer Team

🛡️ Focus:
On-site or embedded engineers (often from vendors or partners) who bridge the gap between in-house teams and third-party solutions.

💼 Responsibilities:
 Provide hands-on technical expertise for specific security products
 Assist with deployment, configuration, and support
 Troubleshoot issues in real time alongside internal teams
 Train staff and transfer knowledge on evolving threats

🛠 Often specialists in specific vendor solutions (e.g., Cisco, Check Point, Palo Alto)

🧩 Why All These Teams Matter

Cybersecurity is not a siloed effort. It’s a collaborative process where:
 Network teams control the entry points
 Server teams secure the backbone systems
 Security teams enforce policy and response
 RE teams provide deep technical threat analysis

Together, they create a resilient defense posture that protects businesses from increasingly sophisticated threats.

🛡️ Ever Wondered What Makes Up a Cybersecurity Team? Here's a Breakdown.
Cybersecurity is no longer just a “one-team” job. As cyber threats grow
in complexity, modern security departments are made up of specialized
teams, each focusing on different aspects of defense, detection, and
response.
Here’s a detailed look at the key players inside a typical security
operations ecosystem 👇

🔍 1. Vulnerability Assessment (VA) Team

Focus: Identifying weaknesses in systems before attackers do.
They scan networks, applications, and devices to find known vulnerabilities (using tools like Nessus or Qualys), prioritize them by risk, and report to relevant teams for remediation.
Purpose: Identifying system weaknesses before attackers do
🛠️ Tools:
 Nessus – Network vulnerability scanner
 Qualys – Cloud-based vulnerability management
 OpenVAS – Open-source scanning tool
 Nikto – Web server vulnerability scanner

🛠️ 2. Penetration Testing (PT) Team

Focus: Ethical hacking to simulate real-world attacks.
Pentesters go beyond scanning — they actively exploit vulnerabilities (within legal and scoped boundaries) to see how far an attacker could go.
Goal: discover gaps before the bad guys do.
Purpose: Simulating real-world attacks to uncover security flaws
🛠️ Tools:
 Kali Linux – A toolkit for ethical hackers
 Metasploit – Exploitation framework
 Burp Suite – Web application security testing
 Nmap – Network scanning and reconnaissance

🎣 3. Phishing Team
Focus: User awareness and simulation.
They craft simulated phishing emails to test employee responses and
educate staff about common social engineering attacks. They also
investigate real phishing incidents.
Purpose: User testing and phishing attack simulation
🛠️ Tools:
 GoPhish – Open-source phishing toolkit
 KnowBe4 – Security awareness training platform
 PhishMe (Cofense) – Phishing simulation and reporting
 Microsoft Defender Attack Simulator – Built-in for M365 environments

🧩 4. Antivirus (AV) Team

Focus: Endpoint protection and virus detection.
This team manages and monitors antivirus/anti-malware solutions across all devices to detect, quarantine, and remove known malicious software.
Purpose: Device-level malware protection and response
🛠️ Tools:
 Symantec Endpoint Protection
 CrowdStrike Falcon – Next-gen antivirus + EDR
 McAfee Endpoint Security
 Windows Defender – Built-in AV for Windows

🔬 5. Malware Analysis Team

Focus: Understanding how malware works.
They dissect malicious files (often using sandbox environments) to
understand behavior, indicators of compromise (IOCs), and develop
custom detections.
Purpose: Dissecting and reverse-engineering malicious code
🛠️ Tools:
 IDA Pro – Disassembler for reverse engineering
 Ghidra – Open-source reverse engineering tool (by NSA)
 Cuckoo Sandbox – Malware behavior analysis
 VirusTotal – Online file scanning and reputation checking

🧩 6. Threat Intelligence Team

Focus: Staying ahead of threats.
This team gathers, analyzes, and distributes information about emerging threats, attacker tactics (TTPs), and indicators. They work closely with SOC and incident response.
Purpose: Tracking attackers and anticipating threats
🛠️ Tools:
 MISP – Malware Information Sharing Platform
 Anomali ThreatStream – Threat intelligence platform
 Recorded Future – Real-time threat intel
 AlienVault OTX – Community threat intelligence feeds

📊 7. Security Operations Center (SOC) Team

Focus: 24/7 monitoring and incident response.
The SOC team watches for suspicious activity across networks and
systems, triages alerts, investigates incidents, and responds in real-time.
They are the front line of defense.
Purpose: 24/7 threat detection, alerting, and incident response
🛠️ Tools:
 Splunk – SIEM and log analytics
 IBM QRadar – Security event correlation and analysis
 Elastic SIEM (ELK Stack) – Open-source SIEM
 Azure Sentinel – Cloud-native SIEM

🔐 8. Data Loss Prevention (DLP) Team

Focus: Protecting sensitive data.
They implement policies and tools to prevent unauthorized access,
transfer, or leakage of confidential information — both from external
threats and internal misuse.
Purpose: Preventing leaks of sensitive information
🛠️ Tools:
 Symantec DLP – Data protection and policy enforcement
 Forcepoint DLP – Insider threat detection
 Microsoft Purview DLP – Integrated with Microsoft 365
 Digital Guardian – Endpoint and cloud DLP

✅ Why This Matters

Cybersecurity isn’t just a firewall and antivirus anymore. It’s an ecosystem of collaborative, highly specialized teams working together to safeguard digital assets, customer trust, and business continuity.
As threats become more sophisticated, so must our defense strategies — and the experts behind them.
Each cybersecurity team has a mission — and the right tools are their weapons. Together, they form a layered defense strategy that protects organizations from every angle.

🌐 What Is an IP Address?
And why does every device you use—whether at home or work—depend
on it?
Every time you browse the web, send an email, stream a video, or join a
Zoom meeting, there’s one silent identifier working behind the scenes:
your IP address.

Let’s explore what it is and why it matters. 👇

📌 What Is an IP Address?
An IP address (Internet Protocol address) is a unique numerical
identifier assigned to every device connected to a network. It allows
devices to send and receive data on the Internet or a local network.
Think of it as a digital address—just like your home address allows mail
to reach you, an IP address ensures digital information reaches the right
destination.

🔢 Types of IP Addresses

1. IPv4 (Internet Protocol version 4)

 Format: 192.168.0.1 (four sets of numbers, 0–255)
 Still the most common, but limited to ~4.3 billion addresses.

2. IPv6 (Internet Protocol version 6)

 Format: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
 Supports trillions of devices, built for the future of IoT and smart cities.

🏠 Public vs. Private IPs

 Public IP Address: Assigned by your ISP; visible to the Internet.
 Private IP Address: Used within internal networks (like your home Wi-Fi); not routable on the open Internet.

💡 Example: Your phone may have a private IP (192.168.x.x) within your home, while your router has a public IP visible to the world.

🔐 Why IP Addresses Matter in Cybersecurity

 Tracking: Cybercriminals can be traced through their IP usage.
 Access Control: Firewalls use IP filtering to block or allow traffic.
 Threat Detection: Anomalies in IP traffic can signal intrusions.
 Geolocation: IPs reveal user location for both personalization and protection.
IP addresses may seem technical—but they are the foundation of how
we connect and communicate online.

🧩 IP Address Classes Explained

Here’s a breakdown of the 5 IP address classes:

🅰️ Class A

 Range: 1.0.0.0 to 126.255.255.255
 Default Subnet Mask: 255.0.0.0
 Supports: 128 networks, ~16 million hosts per network
 Use Case: Large enterprises and ISPs

🔹 If the first bit is 0, it’s Class A.

🅱️ Class B

 Range: 128.0.0.0 to 191.255.255.255
 Default Subnet Mask: 255.255.0.0
 Supports: ~16,000 networks, ~65,000 hosts per network
 Use Case: Medium to large organizations

🔹 If the first two bits are 10, it’s Class B.

🅲️ Class C

 Range: 192.0.0.0 to 223.255.255.255
 Default Subnet Mask: 255.255.255.0
 Supports: 2 million+ networks, 254 hosts per network
 Use Case: Small businesses and private networks

🔹 If the first three bits are 110, it’s Class C.

🅳️ Class D (Multicast)
 Range: 224.0.0.0 to 239.255.255.255
 Use Case: Multicast communication, like streaming media, conferencing

🔹 Not used for host addressing.

🅴️ Class E (Experimental)
 Range: 240.0.0.0 to 255.255.255.255
 Use Case: Reserved for research and future use. Not publicly
assigned.

🔐 What is a Private IP Address? Let’s Break it Down.

In the world of networking, not all IP addresses are created equal. Some
are meant for the public Internet, while others are reserved for internal
use only — and that’s where Private IP addresses come in.
A Private IP address is an IP address that’s used within a private
network (like your home, office, or internal company network). These
addresses are not routable on the public internet — meaning they’re
invisible and inaccessible from the outside world.
They’re like internal building room numbers: useful for navigation
inside, but meaningless to the world outside.

🌐 Why Use Private IPs?

 They conserve IPv4 address space
 Improve security by isolating internal devices
 Enable local communication between systems without using the Internet
 Allow Network Address Translation (NAT), which lets multiple private devices share a single public IP

| Class | IP Range | # of Addresses | Use Case |
|---|---|---|---|
| Class A | 10.0.0.0 – 10.255.255.255 | ~16 million | Large enterprises, ISPs |
| Class B | 172.16.0.0 – 172.31.255.255 | ~1 million | Medium-sized networks |
| Class C | 192.168.0.0 – 192.168.255.255 | ~65,000 | Home and small networks |

🛡️ Example: Your home Wi-Fi might assign your laptop a private IP like
192.168.1.10 — this keeps it hidden from direct access via the internet.

🔄 How They Work with Public IPs

Private IPs work behind the scenes. When you access the internet, your router uses NAT (Network Address Translation) to convert your private IP into the public IP assigned by your ISP.

🔍 Special IP Addresses

🧩 1. Loopback Address

 IP: 127.0.0.1 (or any 127.x.x.x)
 Purpose: Used to test the local system — often called localhost.
 Example Use: Ping 127.0.0.1 to check if your TCP/IP stack is working.

🧩 2. Global IP Address

 IPv4: 0.0.0.0
 Purpose: Represents an unknown or unconfigured address.
 Often used during DHCP handshakes or to bind to all interfaces.

🚫 3. APIPA (Automatic Private IP Addressing)

 Same as Link-Local IPv4 (169.254.x.x), used in Windows environments.
 Automatically assigned when DHCP fails.
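As an added example (not part of the original document), the classifier below applies the rules from the IP class, private-range and special-address sections to any IPv4 address: the leading bits decide the class, while the private, loopback, link-local (APIPA) and 0.0.0.0 ranges are checked separately, since 0.x.x.x and 127.x.x.x are carved out of the class A space. It uses only Python's standard `ipaddress` module, and the sample addresses at the bottom are constructed.

```python
import ipaddress

# Private blocks from the private-IP table (10/8, 172.16/12, 192.168/16).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")       # localhost
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA when DHCP fails
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")        # unknown / unconfigured

# Default masks exist only for the host-addressing classes.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(addr: str) -> str:
    """Classful category A-E, decided purely by the leading bits of octet 1."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if (first_octet & 0b10000000) == 0:             # 0xxxxxxx
        return "A"
    if (first_octet & 0b11000000) == 0b10000000:    # 10xxxxxx
        return "B"
    if (first_octet & 0b11100000) == 0b11000000:    # 110xxxxx
        return "C"
    if (first_octet & 0b11110000) == 0b11100000:    # 1110xxxx (multicast)
        return "D"
    return "E"                                       # 1111xxxx (experimental)


def describe(addr: str) -> dict:
    """Return class, default mask and the kind of address (public, private, ...)."""
    ip = ipaddress.IPv4Address(addr)
    cls = ip_class(addr)
    # Special ranges are checked before the generic class verdict, because
    # 0.0.0.0 and 127.x.x.x fall inside the class A bit pattern.
    if ip == UNSPECIFIED:
        kind = "unspecified"
    elif ip in LOOPBACK:
        kind = "loopback"
    elif ip in LINK_LOCAL:
        kind = "link-local (APIPA)"
    elif any(ip in net for net in PRIVATE_RANGES):
        kind = "private"
    elif cls == "D":
        kind = "multicast"
    elif cls == "E":
        kind = "experimental/reserved"
    else:
        kind = "public"
    return {
        "address": addr,
        "class": cls,
        "default_mask": DEFAULT_MASKS.get(cls),  # None for D and E
        "kind": kind,
    }


if __name__ == "__main__":
    # Constructed sample addresses covering each case described in the text.
    for sample in ["8.8.8.8", "172.20.5.1", "192.168.1.10", "127.0.0.1",
                   "169.254.7.7", "0.0.0.0", "224.0.0.1", "240.0.0.1"]:
        print(describe(sample))
```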

🌐 Public vs Private IP Address

| Feature | Public IP Address | Private IP Address |
|---|---|---|
| Definition | IP address assigned by ISP and accessible on the Internet | IP address used within local/private networks |
| Visibility | Visible and reachable on the global Internet | Not visible or routable on the Internet |
| Assigned By | Internet Service Provider (ISP) | Network administrator or router (automatically/manual) |
| Uniqueness | Unique across the entire Internet | Unique only within its local network |
| Usage Scope | Internet-facing services, websites, cloud apps | Internal communication – LAN, printers, IoT, internal apps |
| Security Risk | Higher exposure; needs firewall and monitoring | Lower risk; protected by NAT and firewall |
| Communication | Enables external communication over the web | Enables internal device communication |
| Need for NAT | Not required | Required to access the Internet via a public IP |
| Cost | May incur cost from ISP | Free to use in internal networks |
| IP Ranges | Any IP not in private ranges (except reserved ranges) | 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 |

🌐 IPv4 vs IPv6:

| Feature | IPv4 | IPv6 |
|---|---|---|
| Address Length | 32-bit | 128-bit |
| Address Format | Decimal | Hexadecimal |
| Total Addresses | ~4.3 billion | ~340 undecillion |
| NAT Required | Yes | No |
| Configuration | Manual/DHCP | Auto/SLAAC |
| Security | Optional | Built-in |
| Adoption | Still dominant | Growing steadily |

🔐 What Is a Port Number in Networking & Cybersecurity?

And why knowing common ports is critical for securing your network.

Every time you visit a website, send an email, or stream a video, you're
not just using an IP address — you're also communicating through port
numbers.

🌐 What Is a Port Number?

A port number is a logical endpoint for communication used in networking. It helps identify specific services or processes running on a device.
Think of your IP address as a building's address, and the port number
as the door number — each door leads to a different room or service
inside.

📦 Port numbers allow multiple services to run on the same device using
the same IP address — each service just listens on a different port.
📌 Most Common Port Numbers

| Port | Protocol | Service |
|---|---|---|
| 20/21 | TCP | FTP (File Transfer Protocol) |
| 22 | TCP | SSH (Secure Shell) |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP (Email Sending) |
| 37 | TCP/UDP | TIME |
| 53 | TCP/UDP | DNS (Domain Name System) |
| 67/68 | UDP | DHCP (IP Address Assignment) |
| 80 | TCP | HTTP (Web Traffic) |
| 88 | TCP/UDP | Kerberos Authentication |
| 115 | TCP | SFTP (Secured File Transfer Protocol) |
| 123 | UDP | NTP (Network Time Protocol) |
| 143 | TCP | IMAP (Email Sync) |
| 161 | UDP | SNMP (Simple Network Management Protocol) |
| 389 | TCP/UDP | LDAP (Lightweight Directory Access Protocol) |
| 443 | TCP | HTTPS (Secure Web Traffic) |
| 3389 | TCP | RDP (Remote Desktop) |
| 1433 | TCP | MySQL |
| 1521 | TCP | Oracle |

🔐 Why Port Numbers Matter in Cybersecurity

✅ Firewall Rules: Firewalls use port numbers to allow or block specific traffic
✅ Intrusion Detection: Suspicious activity on ports (e.g., open Telnet or RDP) may signal an attack
✅ Vulnerability Management: Some ports are tied to legacy or insecure protocols
✅ Penetration Testing: Scanning open ports helps identify exposed services

📌 Misconfigured or unnecessary open ports can be an open door for attackers.

🧩 Quick Tips:

 🛡️ Close unused ports to minimize attack surface
 🔍 Use tools like Nmap to scan for open ports
 ✅ Enforce least privilege on firewall configurations
 🧩 Regularly audit network services and associated ports
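One way to put the audit tip into practice, as an added example that is not the document's own code: check an inventory of listening services against an approved list, naming services from the port table above and leading with the legacy cleartext protocols and exposed remote administration the text calls out. The inventory lines, host names and allowlist are constructed, and the "host proto port" input format is an assumption.

```python
# Port -> service name, a subset of the table in this document.
WELL_KNOWN = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    88: "Kerberos", 123: "NTP", 143: "IMAP", 161: "SNMP", 389: "LDAP",
    443: "HTTPS", 3389: "RDP",
}
# Legacy services that carry credentials in cleartext: flagged regardless of policy.
CLEARTEXT_LEGACY = {21, 23}
# Remote-administration services: acceptable only where policy explicitly allows them.
REMOTE_ADMIN = {22, 3389}

# Constructed inventory ("host proto port" per line), as you might export
# from a scan or asset database. Host names are hypothetical.
INVENTORY = """\
# host   proto  port
web01    tcp    80
web01    tcp    443
web01    tcp    22
web01    tcp    8443
files01  tcp    21
db01     tcp    23
jump01   tcp    3389
dns01    udp    53
"""

# Constructed policy: (protocol, port) pairs the business has approved.
ALLOWLIST = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 53)}


def parse_inventory(text):
    """Parse 'host proto port' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, proto, port = line.split()
        rows.append((host, proto.lower(), int(port)))
    return rows


def audit(rows, allowlist):
    """Return one finding per listener that violates the allowlist or policy."""
    findings = []
    for host, proto, port in rows:
        service = WELL_KNOWN.get(port, "unknown")
        if port in CLEARTEXT_LEGACY:
            severity = "high"
            reason = f"{service} carries credentials in cleartext; replace with an encrypted equivalent"
        elif port in REMOTE_ADMIN and (proto, port) not in allowlist:
            severity = "high"
            reason = f"{service} remote administration exposed; restrict with firewall rules or a VPN"
        elif (proto, port) not in allowlist:
            severity = "medium"
            reason = f"{service} service not on the approved list; close it or document the need"
        else:
            continue  # approved listener, nothing to report
        findings.append({"host": host, "proto": proto, "port": port,
                         "service": service, "severity": severity, "reason": reason})
    # Highest severity first so the report leads with what to fix now.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["host"], f["port"]))


if __name__ == "__main__":
    for f in audit(parse_inventory(INVENTORY), ALLOWLIST):
        print(f"[{f['severity'].upper():6}] {f['host']}:{f['port']}/{f['proto']} "
              f"{f['service']}: {f['reason']}")
```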

🌐 What Is a Network — and What Are the Different Types?

Let’s break down one of the most essential pillars of modern technology: Networking.

🤝 What is a Network?

A network is a group of two or more connected devices (like computers, printers, or servers) that share data, resources, and services.
The process of creating, managing, and maintaining these connections is called Networking.

🔧 It includes:
 Setting up devices and servers
 Managing routers, switches, and firewalls
 Ensuring secure and stable data flow

🧩 Types of Networks Explained:

Let’s explore the most common types of computer networks:

🏠 1. LAN (Local Area Network)

 Scope: Small, localized area — a single building or room
 Example: Home Wi-Fi, office network
 Speed: High-speed (up to 1 Gbps or more)
 Cost: Low
✅ Ideal for connecting nearby computers for file sharing, printers, and internet access.

🏙️ 2. MAN (Metropolitan Area Network)

 Scope: Covers a city or large campus
 Example: A university or city-wide fiber network
 Speed: Medium to high
 Cost: Higher than LAN
✅ Useful for connecting multiple LANs within a geographic region.

🌍 3. WAN (Wide Area Network)

 Scope: Covers large geographical areas — country or continent
 Example: The Internet is the largest WAN
 Speed: Varies (usually lower than LAN due to distance)
 Cost: High
✅ WANs connect remote branches, data centers, and offices across the globe.

🏫 4. CAN (Campus Area Network)

 Scope: Limited to a campus or business park
 Example: A school district or corporate campus
 Speed: Similar to LAN
✅ Think of it as a LAN that connects multiple buildings in a confined geographic area.

🕵️♂️ 5. VPN (Virtual Private Network)

 Scope: A secure connection over a public network
 Example: Remote employees securely accessing corporate resources
 Function: Encrypts data between your device and the destination
✅ VPNs provide privacy, anonymity, and secure remote access.

🔐 Why This Matters:

Understanding these network types is essential for:
 Building reliable IT infrastructure
 Managing business communications
 Designing scalable and secure systems

🌐 What Are HTTP Methods?

Understanding the Language of the Web 💬

If you’ve ever used a browser, you’ve used HTTP (Hypertext Transfer Protocol). But behind every click, form submission, or API call, there's a specific method at work — telling the server what to do.

📌 What Is an HTTP Method?

HTTP methods (also known as verbs) define the action a client wants to
perform on a server resource. They are used in web development, REST
APIs, and browser-server communication.
Think of them as instructions that guide how data should be requested
or modified.

🔐 Why HTTP Methods Matter in Cybersecurity

✅ Attackers often exploit poorly configured HTTP methods
✅ Misuse of PUT, DELETE, or TRACE can lead to unauthorized access or data loss
✅ Penetration testers and tools like Burp Suite or OWASP ZAP scan for dangerous methods
✅ Proper method validation prevents API abuse and injection attacks

🧩 Best Practice: Always restrict HTTP methods to only what's needed for your
application!

🧩 Example in REST API:

GET /users → Fetch list of users

POST /users → Create a new user

PUT /users/1 → Replace user with ID 1

PATCH /users/1 → Update specific fields of user 1

DELETE /users/1 → Delete user with ID 1

🧩 Most Common HTTP Methods

| Method | Action | Use Case |
|---|---|---|
| GET | Retrieves data | Fetch data (e.g., a webpage, API data) |
| POST | Sends data to the server | Submit forms, upload files, create new records |
| PUT | Replaces existing data | Update or replace an entire resource (e.g., user profile) |
| PATCH | Updates part of the resource | Modify one or more fields (e.g., change email only) |
| DELETE | Removes the specified resource | Delete a user, post, or file |
| HEAD | Like GET, but without the body | Check if a resource exists or for testing |
| OPTIONS | Lists supported methods | Used in CORS and server introspection |
| CONNECT | Establishes a tunnel (e.g., HTTPS) | Used to initiate SSL/TLS connections via proxy |
| TRACE | Echoes back request data | Rarely used—can be a security risk if not disabled |

📩 What is an HTTP Response?

An HTTP response is the reply sent by a server to the client (usually your browser) after it receives a request (like loading a web page).
It contains:
 A status code (tells whether the request succeeded or failed)
 Headers (meta-information about the response)
 An optional body (like HTML content, JSON data, or error
messages)


🔢 Understanding HTTP Status Codes

1xx Informational – Request received, continuing process (rarely used in practice)
 100 Continue – Ready to receive request body
 101 Switching Protocols – Switching to a different protocol

2xx ✅ Success – The request was received, understood, and accepted
 200 OK – Standard response for success
 201 Created – Resource successfully created
 204 No Content – Success, but no content to return

3xx 🔁 Redirection – Further action is needed to complete the request
 301 Moved Permanently – Resource has a new permanent URL
 302 Found – Temporary redirection
 304 Not Modified – Cached version is still valid

4xx ❌ Client Error – The request contains bad syntax or cannot be fulfilled
 400 Bad Request – Malformed request
 401 Unauthorized – Authentication required
 403 Forbidden – Access denied
 404 Not Found – Resource not found

5xx 🛠️ Server Error – Server failed to fulfill a valid request
 500 Internal Server Error – Generic server crash
 502 Bad Gateway – Invalid response from upstream server
 503 Service Unavailable – Server temporarily overloaded or under maintenance
 504 Gateway Timeout – Upstream server didn’t respond in time
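To tie the "restrict HTTP methods to only what's needed" advice and the status-code table together, here is an added example (not from the original document) of a small request handler for the REST API sketched above: each route accepts only the methods it needs, TRACE is refused everywhere, an unsupported method gets 405 with an Allow header instead of being executed, and the in-memory user store and route regexes are constructed for the example.

```python
import re

# Route table: which methods each resource genuinely needs (nothing more).
ROUTES = [
    (re.compile(r"^/users$"), {"GET", "POST"}),
    (re.compile(r"^/users/(?P<id>\d+)$"), {"GET", "PUT", "PATCH", "DELETE"}),
]
# Refused on every route: TRACE echoes the request back, CONNECT is for proxies.
NEVER_ALLOWED = {"TRACE", "CONNECT"}


def status_class(code: int) -> str:
    """Map a status code to its 1xx-5xx category from the table above."""
    return {1: "Informational", 2: "Success", 3: "Redirection",
            4: "Client Error", 5: "Server Error"}.get(code // 100, "Unknown")


def handle(method, path, users, body=None):
    """Serve one request; returns (status, headers, body) like a tiny framework."""
    method = method.upper()
    if method in NEVER_ALLOWED:
        return 405, {"Allow": ""}, None
    for pattern, allowed in ROUTES:
        match = pattern.match(path)
        if match is None:
            continue
        allow_header = ", ".join(sorted(allowed | {"HEAD", "OPTIONS"}))
        if method == "OPTIONS":          # server introspection, no body
            return 204, {"Allow": allow_header}, None
        if method == "HEAD":             # same as GET without the body
            status, headers, _ = handle("GET", path, users)
            return status, headers, None
        if method not in allowed:        # e.g. DELETE on the whole collection
            return 405, {"Allow": allow_header}, None
        return _dispatch(method, match.groupdict().get("id"), users, body)
    return 404, {}, None


def _dispatch(method, user_id, users, body):
    body = body or {}
    if user_id is None:                  # collection: /users
        if method == "GET":
            return 200, {}, [users[k] for k in sorted(users)]
        new_id = max(users, default=0) + 1              # POST
        users[new_id] = {**body, "id": new_id}          # server owns the id
        return 201, {"Location": f"/users/{new_id}"}, users[new_id]
    uid = int(user_id)
    if uid not in users:
        return 404, {}, None
    if method == "GET":
        return 200, {}, users[uid]
    if method == "PUT":                  # replace the whole resource
        users[uid] = {**body, "id": uid}
        return 200, {}, users[uid]
    if method == "PATCH":                # change only the supplied fields
        users[uid] = {**users[uid], **body, "id": uid}
        return 200, {}, users[uid]
    del users[uid]                       # DELETE
    return 204, {}, None


if __name__ == "__main__":
    store = {1: {"id": 1, "name": "alice", "email": "alice@example.com"}}  # constructed
    for req in [("GET", "/users"), ("TRACE", "/users"), ("DELETE", "/users"),
                ("POST", "/users", {"name": "bob"}),
                ("PATCH", "/users/1", {"email": "alice@example.org"}),
                ("GET", "/users/99"), ("OPTIONS", "/users/1")]:
        status, headers, payload = handle(*req[:2], store, *req[2:])
        print(f"{req[0]:7} {req[1]:10} -> {status} {status_class(status)} {headers} {payload}")
```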

🌐 How Does DNS Work? Breaking Down the Internet’s Phonebook

Every time you visit a website, send an email, or watch a video online — there’s a silent hero working behind the scenes: DNS (Domain Name System). 🧩

📖 What Is DNS?
Think of DNS as the phonebook of the Internet.
It translates human-friendly domain names like www.linkedin.com
into IP addresses like 142.250.190.14 — which computers use to
identify each other.
Without DNS, we’d have to remember long strings of numbers just to
browse the web. Not fun, right?

🔄 How DNS Works (Step-by-Step):


Let’s say you type www.example.com into your browser. Here’s what
happens behind the scenes::
1. Browser Cache Check
First, your browser checks if it already knows the IP address for the
domain. If cached, it skips the rest.

P a g e 30 | 131
Basics Concepts for SOC

2. Operating System Cache:


If not in the browser, your computer checks its own OS-level DNS cache.
3. DNS Resolver (ISP):
If still unresolved, your device contacts your ISP’s DNS resolver, which
starts the lookup process.
4. Root DNS Server:
The resolver contacts a root server, which doesn’t know the exact IP, but
directs it to the TLD server (like .com or .org).
5. TLD Server:
This server responds with the address of the Authoritative DNS Server
for the domain.
6. Authoritative DNS Server:
This server knows the actual IP address for the domain (e.g.,
www.google.com → 142.250.190.14).
7. Back to You:
The resolver sends this IP address back to your browser, which then
connects to the website.🚀

🧩 Types of DNS Servers Involved:

 Recursive Resolver: Handles the full query process on behalf of


the user
 Root Name Server: Directs to TLD servers
 TLD Name Server: Directs to authoritative servers for specific
domains
 Authoritative Name Server: Holds the actual IP address for the
domain

🧩 Popular DNS Tools & Services:

 Public DNS Providers: Google DNS (8.8.8.8), Cloudflare


(1.1.1.1), OpenDNS
 Tools: nslookup, dig, whois, DNSVi
P a g e 31 | 131
Basics Concepts for SOC

🔒 DNS Security Matters:

 DNSSEC: Protects against forged DNS data


 DoH/DoT: Encrypt DNS queries to ensure privacy (DNS over
HTTPS/TLS)

🧩 What Is a DNS Root Server?

A DNS Root Server is the starting point of the Domain Name System (DNS), the system that translates human-readable domain names (like www.google.com) into IP addresses (like 142.250.195.68).
Think of the DNS like a giant phonebook of the internet. The root servers are the index page—they don’t hold the actual numbers (IP addresses), but they tell your computer where to look next.

The Journey of a DNS Query:

1. You type www.example.com into your browser.
2. Your computer asks a DNS resolver (usually from your ISP) for the IP address.
3. The resolver doesn’t know the answer, so it asks a Root Server.
4. The Root Server doesn’t know the exact IP, but it tells the resolver, "Hey, ask the .COM server."
5. The resolver follows that lead to the .COM Top-Level Domain (TLD) server.
6. The TLD server replies with, "Ask the server responsible for example.com."
7. Finally, the resolver gets the IP address from the authoritative server and passes it back to your browser.

🛠️ What Does a Root Server Actually Do?

When your computer needs to find the IP address for a domain, it starts by querying a DNS resolver, which then asks a Root Server:
1. The Root Server doesn’t know the final IP, but it responds with the location of the correct Top-Level Domain (TLD) server (e.g., for .com, .org, .net).
2. The resolver then contacts the TLD server, and the journey continues until the final IP address is found.
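
To make the referral chain from the step-by-step DNS walkthrough and the root-server journey above concrete, here is an added Python simulation (not part of the original document) of iterative resolution: the resolver asks a root server, gets a referral to the TLD server, then a referral to the authoritative server, which finally answers. The zone data, server labels and addresses are constructed (RFC 5737 documentation ranges); a real resolver also caches each answer for its TTL, which this toy leaves out.

```python
"""Simulate iterative DNS resolution: resolver -> root -> TLD -> authoritative.

Added example, not from the original document. The zone data and IP addresses
below are constructed (documentation ranges), not real DNS data.
"""

# Each simulated server is a dict of fully qualified name -> (record_type, value).
# An "NS" entry is a referral ("I don't hold the answer, ask this server");
# an "A" entry is the final address.
ROOT_SERVER = {
    "com.": ("NS", "tld-com"),
    "org.": ("NS", "tld-org"),
}
TLD_SERVERS = {
    "tld-com": {"example.com.": ("NS", "auth-example-com")},
    "tld-org": {"example.org.": ("NS", "auth-example-org")},
}
AUTH_SERVERS = {
    "auth-example-com": {"www.example.com.": ("A", "192.0.2.10"),
                         "example.com.": ("A", "192.0.2.1")},
    "auth-example-org": {"www.example.org.": ("A", "198.51.100.20")},
}
SERVERS = {"root": ROOT_SERVER, **TLD_SERVERS, **AUTH_SERVERS}


def suffixes(name):
    """Suffixes of a name from most specific to the TLD, e.g.
    'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def query(server_id, name):
    """Ask one server about a name.

    Returns ('A', ip) for an answer, ('NS', next_server) for a referral to the
    closest zone the server knows, or ('NXDOMAIN', None) if it knows nothing useful.
    """
    zone = SERVERS[server_id]
    for candidate in suffixes(name):
        if candidate in zone:
            return zone[candidate]
    return ("NXDOMAIN", None)


def resolve(name, max_hops=8):
    """Walk the hierarchy the way a recursive resolver does.

    Returns (ip_or_None, trail); the trail lists every server consulted, so the
    root -> TLD -> authoritative chain from the text is visible.
    """
    if not name.endswith("."):
        name += "."
    server = "root"
    trail = []
    for _ in range(max_hops):          # hop limit guards against referral loops
        trail.append(server)
        rtype, value = query(server, name)
        if rtype == "A":
            return value, trail
        if rtype == "NS":
            server = value             # follow the referral
            continue
        return None, trail             # nobody on the path knows this name
    return None, trail


if __name__ == "__main__":
    ip, path = resolve("www.example.com")
    print(ip, "via", " -> ".join(path))
```

Running it prints the address followed by the three servers consulted, which is exactly the order the seven steps above describe once the local caches miss.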

🌍 How Many Root Servers Are There?

📌 There are 13 root server identifiers, labeled A through M, each operated by different organizations:
• Example:
  o A-root: operated by Verisign
  o B-root: operated by University of Southern California (ISI)
  o J-root: operated by Verisign
  o L-root: operated by ICANN

📌 But there are over 1,000 actual root server instances deployed worldwide, thanks to a routing technique called anycast. This means multiple physical servers share the same IP address and respond to queries from the nearest location.

🔐 Why Are Root Servers So Important?

• They are the first point of contact in every DNS resolution process.
• Without them, the internet’s naming system would collapse—browsers wouldn’t know where to go.
• They’re designed with high availability, redundancy, and DDoS resistance to withstand massive traffic and attacks.
• Root servers are a key part of internet resilience and security.

🧩 Fun Facts About Root Servers:

• The first root server (A-root) was set up in 1984.
• They use UDP port 53 for queries.
• They serve a single root zone file, maintained by IANA (under ICANN), which lists all TLDs.
• They are monitored and managed 24/7 to ensure global internet stability.

🧩 In Summary:
DNS Root Servers are like the “traffic controllers” at the very beginning of every web request. They don’t give answers directly, but they tell you where to find them—making them foundational to the modern internet.

🌐 What Are DNS Records?

Every time you type a web address like www.linkedin.com, a powerful system works behind the scenes to connect your browser to the right server. That system is called DNS — the Domain Name System.
At the heart of DNS are DNS records — the key data types that make websites reachable, emails deliverable, and networks functional.

Let’s dive into the most common DNS record types every IT professional should know 👇

🧩 What Is a DNS Record?

A DNS record is a data entry stored in the DNS zone file of a domain, used to map human-friendly domain names to machine-friendly information — like IP addresses.
Think of DNS records as address book entries for the internet, telling browsers, mail servers, and apps how to reach specific services.

🔐 Why DNS Records Matter in Cybersecurity

✅ TXT records (SPF, DKIM, DMARC) are critical for email spoofing protection
✅ Misconfigured A or CNAME records can redirect users to malicious sites
✅ PTR records help identify if a server is legitimate (especially for mail servers)
✅ DNS is a major attack vector (e.g., DNS hijacking, cache poisoning)

🧩 Best Practice: Regularly audit DNS records, lock your DNS provider account, and enable 2FA

🔑 Common Types of DNS Records (and What They Do)

| Record Type | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com → 192.0.2.1 |
| AAAA | Maps domain to IPv6 address | example.com → 2001:db8::1 |
| CNAME | Canonical name (alias) for another domain | blog.example.com → example.com |
| MX | Mail Exchange – routes email to mail servers | example.com → mail.example.com |
| NS | Nameserver for the domain | example.com → ns1.dnsprovider.com |
| TXT | Stores arbitrary text – often for SPF, DKIM, DMARC | Used for email validation & security |
| PTR | Reverse DNS – IP to domain name | 192.0.2.1 → example.com |
| SRV | Service location record – used for VoIP, LDAP, etc. | Service _sip._tcp.example.com |
| SOA | Start of Authority – metadata about the domain zone | Includes TTL, admin email, etc. |
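
An added Python example (not from the original document) that parses a small, constructed zone file for example.com and applies a few checks tied to the security notes above: an SPF TXT record is present and does not end in a permissive "+all", a DMARC TXT record exists, CNAMEs do not point at names the zone cannot vouch for, and MX hosts have address records. The zone contents and the list of checks are assumptions for illustration, not the project's own audit procedure.

```python
"""Parse a small zone file and audit the record types the section calls out.

Added example (not from the original document). The zone below is constructed;
example.com and the 192.0.2.0/24 range are documentation values.
"""
from collections import defaultdict

# Constructed zone, one record per line: name TTL class type data
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.dnsprovider.com. hostmaster.example.com. 2025100101 7200 3600 1209600 300
example.com.        3600 IN NS    ns1.dnsprovider.com.
example.com.        3600 IN A     192.0.2.1
example.com.        3600 IN AAAA  2001:db8::1
www.example.com.    3600 IN CNAME example.com.
blog.example.com.   3600 IN CNAME old-host.example.net.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   3600 IN A     192.0.2.25
example.com.        3600 IN TXT   "v=spf1 mx -all"
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sip.example.com.
"""


def parse_zone(text):
    """Return a list of (name, ttl, rtype, data) tuples; blank and ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, data = line.split(None, 4)
        records.append((name, int(ttl), rtype, data))
    return records


def audit(records):
    """Apply simple checks and return human-readable findings (empty list = clean).

    The checks follow the security notes in the text: email-spoofing records at
    the apex, CNAMEs that leave the zone, and mail hosts without an address record.
    """
    findings = []
    by_type = defaultdict(list)
    for name, _ttl, rtype, data in records:
        by_type[rtype].append((name, data))
    names = {r[0] for r in records}
    apex = next((n for n, _ in by_type["SOA"]), None)

    # SPF / DMARC: TXT records that make spoofing harder
    apex_txts = [d for n, d in by_type["TXT"] if n == apex]
    if not any("v=spf1" in d for d in apex_txts):
        findings.append("no SPF record at zone apex")
    if any("+all" in d for d in apex_txts):
        findings.append("SPF record allows any sender (+all)")
    if not any(n.startswith("_dmarc.") for n, _ in by_type["TXT"]):
        findings.append("no DMARC record (_dmarc TXT) found")

    # CNAME targets the zone does not define deserve a manual look
    for name, target in by_type["CNAME"]:
        if target not in names:
            findings.append(f"CNAME {name} points outside the zone: {target}")

    # Every MX host should resolve to an address in this zone
    address_names = {n for n, _ in by_type["A"] + by_type["AAAA"]}
    for _n, data in by_type["MX"]:
        host = data.split()[-1]
        if host not in address_names:
            findings.append(f"MX host {host} has no A/AAAA record")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_zone(SAMPLE_ZONE)):
        print("-", finding)
```

On the sample zone the audit reports the missing DMARC record and the blog CNAME that points at a name outside example.com; adding a `_dmarc.example.com. TXT` line clears the first finding.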

🔌 Demystifying Network Devices: 🌐

Have you ever wondered what makes the internet or your office network work so seamlessly? Behind every smooth Zoom call, file transfer, or web page load are network devices—the unsung heroes of connectivity.
Let’s break down what these devices are and how each one plays a crucial role:

🔁 1. Hub – The Basic Distributor

A hub is like a group chat where every message is sent to everyone—whether it concerns them or not.

📌 Function: It simply receives data from one device and broadcasts it to all others connected.

📌 Limitation: No filtering, no intelligence—this leads to a lot of unnecessary traffic.

📌 Example: Early home networks used hubs to connect PCs and printers. Not common today due to inefficiency.

🔄 2. Repeater – The Signal Booster

A repeater works like a megaphone for your network signal.

📌 Function: It receives a signal, amplifies it, and retransmits it to extend network range.

📌 Example: Used in long-distance fiber or wireless connections to maintain signal strength over large areas (e.g., connecting two buildings in a campus).

🌉 3. Bridge – Network Divider and Connector

A bridge connects two different network segments, like a translator between two language groups.

📌 Function: It filters traffic, forwarding only necessary data between segments.

📌 Example: Connecting the wired network of one office floor to another without exposing internal traffic to all users.

🔀 4. Switch – The Smart Distributor

Think of a switch as a private courier. It sends data only to the intended recipient.

📌 Function: It reads MAC addresses to forward data intelligently to the right device.

📌 Example: Modern offices use switches to connect dozens or hundreds of computers while managing traffic efficiently.

🌍 5. Router – The Traffic Director

A router is your network’s GPS. It finds the best path for your data to travel.

📌 Function: It connects different networks, such as your home network to the internet, and routes data based on IP addresses.

📌 Example: Your home Wi-Fi router directs traffic between your devices and the internet.

🔁 6. NAT (Network Address Translation) – The Privacy Guard

NAT is a feature often built into routers. It's like a receptionist for your network.

📌 Function: It translates private IP addresses (used inside your network) into a public one (used on the internet), helping multiple devices share a single IP.

📌 Benefit: Enhances security and conserves IP addresses.

📌 Example: When multiple devices at home use one public IP to browse the web—thank NAT.
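
Added example, not from the original document: a Python simulator of the port-based NAT (often called PAT) that home routers perform. It shows the translation table that lets several private hosts share one public IP, and why an inbound packet that matches no table entry is simply dropped, which is the "privacy guard" effect described above. The addresses are constructed documentation values.

```python
"""Port Address Translation (the NAT most home routers do), as a small simulator.

Added example (not from the original document). Addresses are constructed:
192.168.1.0/24 is the private LAN and 203.0.113.1 the router's single public IP.
Packets are tuples (src_ip, src_port, dst_ip, dst_port).
"""
from itertools import count


class Nat:
    """Rewrite outbound packets to the public IP and map replies back inside."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # pool of public ports to hand out
        self.table = {}      # (private_ip, private_port) -> public_port
        self.reverse = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a LAN -> internet packet; allocate a table entry on first sight."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.table:
            pub = next(self._ports)
            self.table[key] = pub
            self.reverse[pub] = key
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, pkt):
        """Translate an internet -> LAN packet, or return None to drop it.

        A packet that matches no table entry is unsolicited (no inside host
        started that conversation), so the router has nowhere to deliver it.
        """
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def demo():
    """Two inside hosts that happen to use the same source port, one reply, one stray packet."""
    nat = Nat("203.0.113.1")
    out1 = nat.outbound(("192.168.1.10", 51000, "198.51.100.80", 443))
    out2 = nat.outbound(("192.168.1.11", 51000, "198.51.100.80", 443))
    reply = nat.inbound(("198.51.100.80", 443, "203.0.113.1", out1[1]))
    unsolicited = nat.inbound(("198.51.100.99", 12345, "203.0.113.1", 445))
    return out1, out2, reply, unsolicited


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

Both inside hosts use source port 51000, so the router must pick distinct public ports to tell their replies apart; that is why the table is keyed on the port as well as the address.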

⚖️ 7. Load Balancer – The Traffic Manager

A load balancer is like a smart queue manager for servers.

📌 Function: It distributes incoming traffic across multiple servers to ensure no single server gets overwhelmed.

📌 Example: Large websites like Amazon or Netflix use load balancers to ensure millions of users get fast, uninterrupted access.

🧩 Wrapping Up

Each device plays a specific and critical role:
• Hubs and repeaters focus on basic connectivity
• Switches and bridges improve efficiency
• Routers and NAT manage external communication and privacy
• Load balancers ensure performance and reliability

🔐 What Are Security Devices?

In today’s connected world, cybersecurity isn’t optional — it’s essential. Whether you’re a startup, enterprise, or just managing your home network, protecting your data starts with understanding the core security devices that defend our digital environments.
Let’s break down the most commonly used security devices in networks and their roles 👇

🧩 1. Firewall – Your First Line of Defense

A firewall acts as a barrier between trusted and untrusted networks.
It monitors and filters incoming and outgoing traffic based on predefined security rules.
Think of it like a security guard at a gate, checking each data packet for permission to enter or exit.

✅ Popular Firewall Tools & Vendors:

• Cisco ASA / Firepower – Enterprise-grade network firewalls
• Palo Alto Networks – Advanced next-gen firewall with threat intelligence
• Fortinet FortiGate – High-performance, UTM-integrated firewalls
• pfSense (open source) – Great for small businesses and labs
• SonicWall – SMB-friendly with good cost-performance balance

🔍 Two Types of Firewalls:

• Network Firewalls: Protect entire networks
• Host-based Firewalls: Installed on individual devices

✅ Key Functions:

• Block unauthorized access
• Allow only trusted services (e.g., HTTP on port 80)
• Log suspicious activity

🧩 Example:
A firewall can block traffic from an unknown IP trying to access your internal file server on port 445 — a common target for malware.

🕵️ 2. IDS (Intrusion Detection System) – The Security Camera

An IDS monitors network traffic or system activities for malicious behavior or policy violations.
It doesn't block anything — instead, it alerts when suspicious activity is detected.

✅ Popular IDS Tools:

• Snort (by Cisco) – One of the most popular open-source IDS tools
• Suricata – High-performance open-source IDS/IPS
• Security Onion – A full Linux distro for IDS monitoring with tools like Snort, Zeek, and Elastic
• Zeek (formerly Bro) – Powerful network analysis tool often used in SOC environments

✅ Key Functions:
• Detect known threats (via signatures)
• Spot anomalies (unusual traffic patterns)
• Log and alert security teams

🧩 Example:
An IDS detects multiple failed login attempts from the same IP and alerts the security team about a possible brute-force attack.

💡 Note: IDS is passive — it informs, but doesn’t stop attacks.

🛡️ 3. IPS (Intrusion Prevention System) – The Bodyguard

An IPS is like an IDS on steroids — it not only detects threats but also blocks them in real-time.
It actively prevents attacks by:
• Dropping malicious packets
• Resetting connections
• Blocking traffic from harmful IPs

✅ Popular IPS Tools & Vendors:

• Palo Alto Next-Gen Firewalls – Integrated IDS/IPS capabilities
• Cisco Firepower IPS – Real-time threat detection and prevention
• FortiGate IPS – Offers deep packet inspection and automated response
• Trend Micro TippingPoint – Purpose-built for IPS with advanced filtering
• Suricata – Open-source tool that also functions as an IPS when configured inline

✅ Key Functions:

• Real-time threat prevention
• Deep packet inspection
• Signature-based and anomaly-based detection

🧩 Example:
If a hacker tries to exploit a known vulnerability (e.g., Log4Shell), the IPS can detect the exploit pattern and immediately block the request — preventing the breach.

🧩 Other Common Security Devices in the Network:

• Antivirus/EDR – Protects endpoints from malware
• DLP (Data Loss Prevention) – Prevents sensitive data leakage
• UTM (Unified Threat Management) – All-in-one solution (Firewall + IDS/IPS + Antivirus)

🚨 Final Thoughts

Combining these devices creates a layered defense strategy — known as Defense in Depth.

🔁 Firewall controls access
👀 IDS alerts you to threats
🛑 IPS blocks them in real-time

📌 Pro Tip: No device alone is 100% effective. Use them together, keep them updated, and monitor them continuously.

🔐 What Are the Different Types of Firewalls?

In the world of cybersecurity, firewalls are essential. They're like security guards that control who and what gets into (or out of) your digital space.

🧩 1. Packet-Filtering Firewall

"The ID checker"
This is the most basic and oldest type of firewall. It inspects each packet (unit of data) and allows or blocks it based on predefined rules — such as IP address, port number, or protocol.

🛠️ Tools/Vendors:
• Cisco Access Control Lists (ACLs)
• pfSense (open-source)
• iptables (Linux firewall utility)

🧩 Example:
Blocks all traffic from a suspicious IP address or blocks port 23 (used by Telnet, often exploited).

✅ Pros: Fast, simple, low resource usage
❌ Cons: Doesn’t inspect payload (content), can’t stop complex attacks

🧩 2. Stateful Inspection Firewall

"The bouncer who remembers your face"
Unlike packet filters, this firewall tracks the state of active connections and makes decisions based on both the packet and its context (e.g., part of a trusted connection?).

🛠️ Tools/Vendors:
• Cisco ASA (Adaptive Security Appliance)
• Check Point Firewall
• Juniper SRX Series

🧩 Example:
Allows only HTTP responses if an HTTP request was first made from inside the network.

✅ Pros: Smarter and more secure than packet filtering
❌ Cons: Heavier on resources, still doesn’t analyze deep content
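
To show the practical difference between the packet filter in section 1 and the stateful firewall in section 2, here is an added Python example (not from the original document) that runs the same three constructed packets through both: a stateless rule set judges each packet on its header fields alone, while the stateful firewall admits only the replies to connections it saw leave the network, which is the "HTTP responses only after an HTTP request" behaviour described in the example above. The rules, addresses and packet fields are assumptions for illustration.

```python
"""Stateless packet filter vs stateful inspection, side by side.

Added example (not from the original document); the packets and rules below are
constructed. Addresses use documentation ranges.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str      # "in" (from the internet) or "out" (from the LAN)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a connection-opening segment


# Stateless rules, first match wins: (direction or None, dst_port or None, action).
# Port-based rules cannot express "only replies": they either leave return
# traffic blocked or must open whole port ranges, which is the weakness
# the stateful design fixes.
STATELESS_RULES = [
    ("out", 80, "allow"),
    ("out", 443, "allow"),
    ("in", 80, "allow"),    # any inbound traffic to port 80 is let in
    ("in", 443, "allow"),
    (None, None, "deny"),
]


def stateless_filter(pkt):
    """Decide on one packet in isolation, from header fields only."""
    for direction, port, action in STATELESS_RULES:
        if direction in (None, pkt.direction) and port in (None, pkt.dst_port):
            return action
    return "deny"


class StatefulFirewall:
    """Allow outbound web traffic and only the replies that belong to it."""

    ALLOWED_OUT = {80, 443}

    def __init__(self):
        self.state = set()   # active flows, keyed by the 4-tuple as seen leaving the LAN

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.ALLOWED_OUT:
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        # inbound: accept only the return half of a flow we already track,
        # and never a fresh connection attempt (SYN) from outside
        flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.state and not pkt.syn:
            return "allow"
        return "deny"


def demo():
    """Return (stateless, stateful) decisions for three constructed packets."""
    fw = StatefulFirewall()
    request = Packet("out", "192.168.1.10", 50000, "198.51.100.80", 443, syn=True)
    reply = Packet("in", "198.51.100.80", 443, "192.168.1.10", 50000)
    unsolicited = Packet("in", "203.0.113.9", 41000, "192.168.1.10", 80, syn=True)
    return {
        "request": (stateless_filter(request), fw.decide(request)),
        "reply": (stateless_filter(reply), fw.decide(reply)),
        "unsolicited": (stateless_filter(unsolicited), fw.decide(unsolicited)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12} stateless={stateless:5} stateful={stateful}")
```

The reply is dropped by the stateless rules because it arrives on an ephemeral port that no rule names, while the unsolicited inbound connection is let in simply because port 80 is open; the stateful firewall gets both cases right because it remembers which connection the inside host started.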

🕵️ 3. Proxy Firewall (Application-Level Gateway)

"The middleman that speaks the language"
A proxy firewall acts as an intermediary between users and the internet. It terminates the connection on behalf of the client, inspects the traffic, and then forwards it.

🛠️ Tools/Vendors:
• Squid Proxy (open-source)
• Blue Coat ProxySG (by Symantec/Broadcom)
• Fortinet FortiProxy

🧩 Example:
When accessing a website through a proxy, the request goes from you → proxy → website. The proxy can block malicious websites or hide your IP.

✅ Pros: Can inspect content at the application level, hides internal IPs
❌ Cons: Slower, complex to set up, doesn’t scale easily for large networks

🛡️ 4. WAF (Web Application Firewall)

"The app-specific bodyguard"
A Web Application Firewall specifically protects web applications from attacks like SQL injection, Cross-Site Scripting (XSS), and more.

🛠️ Tools/Vendors:
• AWS WAF (cloud-native)
• Cloudflare WAF (SaaS-based, global edge)
• Imperva WAF
• F5 Advanced WAF
• Azure WAF

🧩 Example:
A WAF placed in front of an e-commerce site blocks a malicious user trying to enter SQL code into a login form.

✅ Pros: Application-layer protection, excellent for public-facing websites
❌ Cons: Doesn’t protect lower network layers, must be regularly updated with rules

🧩 Bonus: Next-Generation Firewalls (NGFW)

"All-in-one security toolbox"
NGFWs combine features of traditional firewalls, IPS, deep packet inspection, application control, and even malware scanning.

🧩 Example:
Blocks social media usage during work hours while inspecting encrypted traffic for malware.

🔐 Final Thoughts

Each firewall type plays a specific role in your defense-in-depth strategy:
• 🧩 Packet Filter: Basic filtering by ports and IP
• 🧩 Stateful Inspection: Understands ongoing sessions
• 🕵️ Proxy Firewall: Adds a layer between users and internet
• 🛡️ WAF: Shields web apps from targeted attacks
• 🧩 NGFW: One-stop-shop for modern enterprise security

🔐 Firewall, WAF & Proxy Actions Explained

🧩 1. Firewall Actions – The Network Traffic Bouncer

A firewall controls traffic based on IP addresses, ports, and protocols. It's like a bouncer who decides which "data packets" get in or out of your network.

✅ Common Firewall Actions:

• Allow / Accept – Let the traffic through
• Deny / Drop – Silently discard the traffic
• Reject – Block the traffic and notify the sender
• Log – Record the activity for analysis
• NAT (Network Address Translation) – Hide internal IPs

🧩 Example:
A firewall rule blocks all incoming traffic on port 23 (Telnet), preventing unencrypted remote access.

🛠 Popular Firewalls:
Palo Alto, FortiGate, Cisco ASA, pfSense

🛡️ 2. WAF (Web Application Firewall) Actions – The Web App Bodyguard

A WAF protects web applications by analyzing HTTP/HTTPS traffic at the application layer (Layer 7). It defends against threats like SQL injection, XSS, and bot attacks.

✅ Common WAF Actions:

• Allow – Let safe traffic through
• Block – Stop malicious requests (e.g., SQL injection)
• Challenge / CAPTCHA – Test if it's a bot or human
• Rate Limit – Throttle excessive traffic
• Redirect – Send to a warning page or honeypot
• Log / Alert – Record and notify security teams

🧩 Example:
A WAF blocks a login attempt that includes the payload admin' OR 1=1--, recognizing it as an SQL injection attack.

🛠 Popular WAF Tools:
Cloudflare WAF, AWS WAF, Imperva, Akamai, F5 Advanced WAF, ModSecurity (open source)
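
Added Python example (not from the original document): a miniature WAF decision pipeline that maps constructed HTTP requests to the actions listed above (block, challenge, rate limit, allow) and keeps a log of every decision, as a real WAF would. The single injection signature, the user-agent check used to decide when to challenge, and the rate threshold are deliberately simplified assumptions; production WAFs rely on large maintained rule sets such as those shipped with ModSecurity, not one regular expression.

```python
"""A miniature WAF decision pipeline showing the actions listed above.

Added example (not from the original document). The requests, thresholds and
the single injection pattern are constructed for illustration.
"""
import re
from collections import defaultdict

# One simplified signature for the tautology-style payload quoted in the text
# ("' OR 1=1"). Real rule sets cover many more encodings and variants.
SQLI_RE = re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+")
# Very rough "looks like a browser" check used only to decide whether to challenge.
KNOWN_BROWSER_RE = re.compile(r"Mozilla|Chrome|Safari|Firefox")


class MiniWaf:
    def __init__(self, rate_limit=3):
        self.rate_limit = rate_limit      # requests per client before throttling
        self.seen = defaultdict(int)      # request count per client IP
        self.log = []                     # (ip, path, action) for every decision

    def inspect(self, req):
        """Return one of: block, rate_limit, challenge, allow.

        Order matters: a clearly malicious request is blocked even if the
        client is otherwise well behaved; throttling is checked next; unknown
        clients are challenged; everything else is allowed. Every outcome is logged.
        """
        self.seen[req["ip"]] += 1
        params = " ".join(str(v) for v in req.get("params", {}).values())
        if SQLI_RE.search(params):
            action = "block"
        elif self.seen[req["ip"]] > self.rate_limit:
            action = "rate_limit"
        elif not KNOWN_BROWSER_RE.search(req.get("user_agent", "")):
            action = "challenge"
        else:
            action = "allow"
        self.log.append((req["ip"], req["path"], action))
        return action


def demo():
    """Feed constructed requests through the WAF; returns (decisions, log)."""
    waf = MiniWaf(rate_limit=3)
    browser = "Mozilla/5.0"
    requests = [
        {"ip": "203.0.113.5", "path": "/login", "user_agent": browser,
         "params": {"user": "alice", "pass": "x"}},
        {"ip": "198.51.100.9", "path": "/login", "user_agent": browser,
         "params": {"user": "admin' OR 1=1--", "pass": "x"}},
        {"ip": "198.51.100.10", "path": "/", "user_agent": "python-requests/2.31",
         "params": {}},
    ]
    # four more requests from the first client push it over the rate limit
    requests += [{"ip": "203.0.113.5", "path": "/search", "user_agent": browser,
                  "params": {"q": "shoes"}} for _ in range(4)]
    decisions = [waf.inspect(r) for r in requests]
    return decisions, waf.log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

The log is the part a SOC cares about: a "block" entry with the client IP and path is what feeds the alerting described under "Log / Alert" above.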

🌐 3. Proxy Actions – The Middleman with Control

A proxy server sits between users and the internet. It forwards requests, hides client IPs, and can filter, cache, or modify traffic based on policies.

✅ Common Proxy Actions:

• Forward – Relay the request to the target server
• Block / Deny Access – Stop access to certain websites or domains
• Cache – Serve cached content for performance
• Authenticate – Require login before access
• Modify – Rewrite headers or URLs for tracking or security
• Log – Monitor user behavior

🧩 Example:
A proxy blocks access to facebook.com during working hours and requires users to authenticate via Active Directory.

🛠 Popular Proxy Solutions:
Zscaler, Blue Coat (Symantec), Cisco Umbrella, FortiProxy

🔐 What Are the Different Types of IDS and IPS Devices?

🔎 Types of IDS (Intrusion Detection Systems)

1. NIDS (Network-based IDS)
Monitors network traffic for signs of attacks or policy violations.

🧩 Example:
Detects a port scan happening across multiple IPs in the internal network.

✅ Best for detecting attacks like DDoS, malware spreading, or unauthorized scanning.

2. HIDS (Host-based IDS)
Installed on individual systems (like servers or endpoints). It monitors file integrity, logs, and local activity.

🧩 Example:
Alerts when a critical system file is modified on a Linux server.

✅ Ideal for spotting insider threats or malware on specific machines.

3. Signature-Based IDS
Detects known threats by comparing activity against a database of attack signatures (like antivirus works).

🧩 Example:
Flags known exploit attempts like “SQL injection” or “Brute force login”.

✅ Highly accurate for known threats
❌ Can’t detect new (zero-day) attacks

4. Anomaly-Based IDS
Uses machine learning or baseline profiles to detect abnormal behavior (e.g., traffic spikes or unusual logins).

🧩 Example:
Flags a user who logs in at 3 AM from a foreign IP address.

✅ Can detect unknown or novel attacks
❌ May produce false positives if not fine-tuned
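
Added Python example (not from the original document) that implements both detection styles over constructed sshd-style log lines: a signature rule for the brute-force scenario described under the IDS section earlier (several failed logins from one IP inside a short window) and an anomaly rule for the 3 AM foreign-IP login described just above. The log lines, thresholds and per-user baselines are assumptions; a real anomaly engine learns the baseline from history rather than hard-coding it, and uses GeoIP rather than a list of expected source prefixes.

```python
"""Signature-based and anomaly-based detection over sample authentication logs.

Added example (not from the original document). The log lines, user baselines
and IP addresses are constructed; a per-user list of expected source prefixes
stands in for a real GeoIP lookup.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from a real system).
SAMPLE_LOG = """\
2025-10-10T02:55:01 sshd: Failed password for admin from 198.51.100.23 port 50111
2025-10-10T02:55:03 sshd: Failed password for admin from 198.51.100.23 port 50112
2025-10-10T02:55:04 sshd: Failed password for root from 198.51.100.23 port 50113
2025-10-10T02:55:06 sshd: Failed password for admin from 198.51.100.23 port 50114
2025-10-10T02:55:09 sshd: Failed password for admin from 198.51.100.23 port 50115
2025-10-10T03:02:40 sshd: Accepted password for alice from 203.0.113.77 port 51000
2025-10-10T09:15:12 sshd: Accepted password for bob from 192.168.1.40 port 51002
2025-10-10T09:16:30 sshd: Failed password for bob from 192.168.1.40 port 51003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+$"
)

# Constructed baseline per user: usual hours (24h, start inclusive, end exclusive)
# and the source prefixes normally seen for that user.
BASELINES = {
    "alice": {"hours": (8, 19), "prefixes": ("192.168.1.",)},
    "bob": {"hours": (8, 19), "prefixes": ("192.168.1.",)},
}


def parse(text):
    """Turn matching log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def signature_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Signature rule: at least `threshold` failed logins from one IP inside `window`."""
    alerts = []
    failures = defaultdict(list)           # ip -> timestamps inside the sliding window
    for e in events:
        if e["result"] != "Failed":
            continue
        times = failures[e["ip"]]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:   # drop failures that aged out
            times.pop(0)
        if len(times) >= threshold:
            alerts.append(f"brute force: {len(times)} failures from {e['ip']} within {window}")
            times.clear()                  # one burst raises one alert
    return alerts


def anomaly_logins(events, baselines=BASELINES):
    """Anomaly rule: a successful login outside the user's usual hours or from an
    unexpected source network. Users without a baseline are skipped."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted" or e["user"] not in baselines:
            continue
        start, end = baselines[e["user"]]["hours"]
        reasons = []
        if not (start <= e["ts"].hour < end):
            reasons.append(f"login at {e['ts'].strftime('%H:%M')} outside {start:02d}:00-{end:02d}:00")
        if not e["ip"].startswith(baselines[e["user"]]["prefixes"]):
            reasons.append(f"unexpected source {e['ip']}")
        if reasons:
            alerts.append(f"anomaly for {e['user']}: " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for alert in signature_bruteforce(events) + anomaly_logins(events):
        print(alert)
```

Note the trade-off the text describes: raising the brute-force threshold to six silences the signature alert entirely, while the anomaly rule still fires on alice's off-hours login even though nothing in it matches a known pattern.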

🛡️ Types of IPS (Intrusion Prevention Systems)

Like IDS, IPS can also be:

1. Network-based IPS (NIPS)
Placed inline within the network to block malicious traffic before it reaches the target.

🧩 Example:
Detects and drops a malicious packet trying to exploit a vulnerability in a public web server.

✅ Protects the network perimeter

2. Host-based IPS (HIPS)
Runs on individual devices to block activity like unauthorized app execution or file modification.

🧩 Example:
Stops ransomware from encrypting files on an employee’s workstation.

✅ Great for endpoint protection

3. Hybrid/Integrated IPS
Combines network and host-level protection — often as part of Next-Gen Firewalls (NGFW) or SIEM systems.

🧩 Example:
An NGFW that inspects encrypted traffic, blocks malware, and logs the event in real-time.

✅ Best for organizations needing layered defense

🔌 Inline (used for IPS)

• The device sits directly in the traffic path (like a bump in the wire).
• It can analyze, detect, and block malicious traffic in real-time.
• If the IPS fails or is misconfigured, it can disrupt network traffic.

🧩 Example:
A network-based IPS between the internet and internal web servers that blocks SQL injection attacks before they reach the application.

✅ Ideal for: Prevention and enforcement
❌ Must be highly reliable to avoid downtime

🏢 On-Premises IDS/IPS

• Installed in your physical infrastructure or local data center.
• Gives more control and visibility over internal traffic.
• Typically requires more hands-on management and maintenance.

🧩 Example:
A Snort-based IDS inside an organization’s LAN analyzing internal network segments.

✅ Great for traditional or regulated environments
❌ May lack scalability and automation

☁️ Cloud-Based IDS/IPS

• Delivered as a service via the cloud or integrated into cloud-native platforms (e.g., AWS GuardDuty, Azure Defender).
• Often includes automated threat detection and updates.
• Scalable and integrates well with modern DevOps and cloud-native architectures.

🧩 Example:
A cloud-native IPS integrated into a Kubernetes environment to monitor traffic between microservices.

✅ Ideal for hybrid or cloud-first organizations

👀 Passive (used for IDS)

• The device is not in the traffic path. It monitors a copy of the traffic via port mirroring (SPAN port).
• Can detect threats but cannot block them directly.

🧩 Example:
A passive IDS watching internal traffic to detect data exfiltration attempts without affecting performance.

✅ Ideal for: Detection, forensics, compliance
❌ Can’t stop attacks in real-time

Detailed table:

| Type | Role | Traffic Access | Block Capable | Deployment Example |
|---|---|---|---|---|
| Inline IPS | Prevention | Direct | ✅ Yes | Between firewall and switch |
| Passive IDS | Detection | Mirrored copy | ❌ No | SPAN port or network tap |
| On-Prem IDS/IPS | Flexible | Physical infra | Depends | Deployed in internal LAN |
| Cloud IDS/IPS | Scalable | Cloud traffic | ✅ Yes | AWS, Azure, GCP security tools |

⚖️ WAF vs Proxy – Key Differences

📦 Combine for Best Results

1. Reverse proxy (NGINX) manages SSL and routes requests
2. WAF (Cloudflare / Imperva) inspects the traffic for threats
3. Only clean traffic reaches your backend server

WAF vs Proxy

| Feature | WAF (Web Application Firewall) | Proxy Server |
|---|---|---|
| Main Purpose | Protects web apps from malicious input | Intermediates and controls traffic |
| Layer of Operation | Application Layer (HTTP/HTTPS) | Application/Network Layer |
| Focus | Security (OWASP Top 10, bot filtering) | Anonymity, content control, caching |
| Traffic Direction | Mostly inbound (to app servers) | Both inbound & outbound (depending) |
| Common Use Case | Block attacks on login forms/APIs | Hide client identity or restrict access |
| Tools / Vendors | Cloudflare WAF, AWS WAF, Imperva | Squid Proxy, HAProxy, NGINX, Zscaler |

🛡️ Firewall vs. IDS vs. IPS – What’s the Difference? 🔐

Here’s a simplified comparison to help you understand these key security tools:

✅ Quick Analogy

• 🔒 Firewall = Security gate with a list of allowed visitors
• 👁️🗨️ IDS = CCTV camera that alerts security to strange behavior
• 🛡️ IPS = Security guard who sees a threat and stops it immediately

| Feature | Firewall | IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) |
|---|---|---|---|
| 🔍 Purpose | Controls traffic based on rules | Detects suspicious activity | Detects and blocks suspicious activity |
| 🚦 Traffic Control | Allows or blocks based on IPs, ports, etc. | Monitors traffic only | Monitors and actively blocks threats |
| 🧩 Action Taken | Blocks unauthorized access | Generates alerts | Automatically takes action (blocks, drops, etc.) |
| 🔐 Security Focus | Access control | Threat detection | Threat prevention |
| 🔔 Alerting | No alerts—just blocks or allows | Yes—sends alerts to admin | Yes—takes action and sends alerts |
| 🛠️ Proactivity | Reactive (based on rules) | Passive (alert only) | Proactive (alert + action) |
| 🧩 Typical Deployment | Perimeter of the network | Inside the network, monitors internal traffic | Inline with traffic flow (to intercept threats) |
| 🧩 Example | Block Facebook access on office network | Alert when a port scan is detected | Block a known malware file transfer in real-time |

🛡️ IDS vs. IPS – What's the Real Difference? 🤔

| Feature | IDS (Detection) | IPS (Prevention) |
|---|---|---|
| 🔍 Function | Detects threats | Detects and prevents threats |
| 📦 Traffic Flow | Monitors traffic (passive) | In-line with traffic (active) |
| 🔔 Response | Sends alerts | Takes automatic action (blocks/drops) |
| 🧩 Use Case | Monitoring, investigation, compliance | Real-time protection and attack mitigation |
| 📈 Impact on Traffic | No impact on flow | May slightly impact performance (due to analysis and blocking) |
| 🧩 Example | Alerts admin of a port scan | Blocks a SQL injection attack in real time |

🔁 Can They Work Together?

Yes—and they should!
Many modern systems combine IDS and IPS to create a layered security strategy:
• IDS gives you visibility and logs for analysis.
• IPS ensures threats are blocked before they cause harm.

🎯 In Summary

🕵️ IDS: Watchdog that raises the alarm.
🛡️ IPS: Watchdog that raises the alarm and bites.

🧩 What Is UTM (Unified Threat Management)?

UTM is an all-in-one security appliance that consolidates multiple security functions into a single device, making it ideal for SMBs and mid-sized enterprises.

✅ A typical UTM includes:

• Firewall
• Intrusion Detection/Prevention (IDS/IPS)
• Antivirus scanning
• VPN support
• Web/content filtering
• Email filtering
• Data Loss Prevention (DLP)

✅ UTM Solutions:
• Fortinet FortiGate – UTM + NGFW features in one
• Sophos XG Firewall – UTM with AI-powered threat analysis
• WatchGuard Firebox – Easy-to-manage UTM for SMBs
• SonicWall TZ Series – Cost-effective UTM appliances
• Untangle NG Firewall (open-source-friendly)

🧩 Example Scenario:
A small business uses a UTM device like Fortinet FortiGate to manage firewall rules, scan emails for phishing, and block malicious websites — all from one central dashboard.

🔐 What Is a Next-Generation Firewall (NGFW)?

A Next-Generation Firewall is a more advanced and application-aware firewall. It goes beyond traditional firewalls by providing deep packet inspection, real-time threat intelligence, and user-based access control.

✅ Key Features:

• Application-level inspection (e.g., block Facebook but allow LinkedIn)
• Integrated IDS/IPS
• SSL/TLS traffic decryption
• Threat intelligence feeds
• Identity-based policies (via Active Directory integration)
• Sandboxing & malware analysis

✅ Next-Gen Firewall Vendors:

• Palo Alto Networks – Industry leader in deep packet inspection and Zero Trust
• Cisco Firepower – Enterprise-grade firewall with Cisco Talos threat intelligence
• Check Point NGFW – Scalable, cloud-ready NGFWs
• Fortinet FortiGate – Offers both UTM and NGFW capabilities
• Juniper SRX Series – High-performance NGFW for carriers and enterprises

🧩 Example Scenario:
An enterprise uses Palo Alto Networks NGFW to block known malware, decrypt HTTPS traffic for inspection, and enforce policies per department (e.g., devs vs. HR) using Active Directory.

🔍 Key Differences: UTM vs NGFW

| Feature | UTM | NGFW |
|---|---|---|
| Focus | Simplicity, all-in-one | Advanced control, enterprise-grade features |
| Ideal for | Small to mid-size businesses | Medium to large enterprises |
| Application awareness | Basic | Advanced (Layer 7 filtering) |
| Performance | May be lower due to multiple services | High throughput with optimized processing |
| Examples | Sophos XG, FortiGate, WatchGuard | Palo Alto, Cisco Firepower, Check Point |

🧩 Final Thoughts

➡️ If you're looking for simplicity and cost-effectiveness, go with a UTM.
➡️ If you're managing a large or complex environment, with the need for granular control and advanced threat detection, choose a Next-Gen Firewall.

🔄 Many modern solutions now blur the lines — with UTM tools offering NGFW capabilities and vice versa.

🔗 What Is TCP Connection Establishment?

Let’s Decode the 3-Way Handshake 🤝

If you’ve ever wondered how two computers actually "talk" to each


other reliably on the internet, the answer lies in something called the
TCP 3-Way Handshake.
It’s the process that sets up a secure, reliable connection before any
actual data is transferred — like introducing yourself before starting a
conversation.

🧩 What is TCP 3-Way Handshake?

The 3-Way Handshake is the process used by TCP (Transmission Control Protocol) to establish a reliable connection between a client and a server.
It ensures both sides are ready to send and receive data, and agree on initial parameters such as sequence numbers.

Steps of the 3-Way Handshake:

1. SYN (Synchronize):
The client sends a SYN packet to the server, indicating it wants to establish a connection, and starts by sending an initial sequence number (ISN).
Example: Client → Server: “Hey, I want to connect. Here’s my ISN = 1000”

2. SYN-ACK (Synchronize-Acknowledge):
The server responds with a SYN-ACK. It acknowledges the client’s SYN and sends its own SYN, along with its ISN.
Example: Server → Client: “Got it. My ISN = 5000. ACK = 1001”

3. ACK (Acknowledge):
The client sends an ACK back to the server, acknowledging the server’s ISN.
Example: Client → Server: “ACK = 5001. Let’s start communication!”
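The three steps above, modelled in Python as an added example (this is not code from the original document): `three_way_handshake` produces the exchange with the ISNs used in the text, and `is_valid_handshake` is the sort of check a stateful firewall or IDS applies before it treats a flow as established. The `Segment` type and the function names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the handshake cares about."""
    src: str
    dst: str
    flags: frozenset        # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: int | None = None  # None when the ACK flag is not set


def three_way_handshake(client_isn: int, server_isn: int) -> list[Segment]:
    """Return the three segments of a successful handshake.

    A SYN consumes one sequence number, which is why each side acknowledges
    the peer's ISN + 1 (ACK = 1001 and ACK = 5001 in the text).
    """
    syn = Segment("client", "server", frozenset({"SYN"}), seq=client_isn)
    syn_ack = Segment("server", "client", frozenset({"SYN", "ACK"}),
                      seq=server_isn, ack=client_isn + 1)
    ack = Segment("client", "server", frozenset({"ACK"}),
                  seq=client_isn + 1, ack=server_isn + 1)
    return [syn, syn_ack, ack]


def is_valid_handshake(segments: list[Segment]) -> bool:
    """Check that an exchange is a well-formed handshake.

    A stateful firewall or IDS performs this kind of check before it marks a
    flow ESTABLISHED: a missing final ACK, a wrong acknowledgement number or a
    SYN-ACK from the wrong side all fail it.
    """
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = segments
    return (
        syn.flags == {"SYN"}
        and syn_ack.flags == {"SYN", "ACK"}
        and syn_ack.src == syn.dst and syn_ack.dst == syn.src
        and syn_ack.ack == syn.seq + 1
        and ack.flags == {"ACK"}
        and ack.src == syn.src
        and ack.seq == syn.seq + 1
        and ack.ack == syn_ack.seq + 1
    )


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        flags = "+".join(sorted(seg.flags, reverse=True))  # prints SYN+ACK, not ACK+SYN
        print(f"{seg.src} -> {seg.dst}: {flags} seq={seg.seq} ack={seg.ack}")
```

Run it and the three printed lines match the three steps in the text; feed `is_valid_handshake` a SYN-ACK whose ACK is 1000 instead of 1001 and it rejects the flow, which is exactly the mismatch a packet analyser flags as a broken handshake.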

🧩 Real-World Example (Simple Analogy):

Let’s say you're calling a friend:

📞 You: “Hello, can you hear me?” → (SYN)
🗣️ Friend: “Yes, I hear you! Can you hear me too?” → (SYN-ACK)
🙋 You: “Yes, I can. Let’s talk!” → (ACK)

🧩 Where You’ll See This in Real Life


• Establishing an HTTP/HTTPS connection
• Secure file transfers (FTP over TCP)
• Email protocols like SMTP, IMAP
• Anywhere reliable data transmission is required

🔍 Tools to observe TCP handshakes:

• Wireshark – Capture and analyze packets
• tcpdump – Command-line packet analyzer
• Nmap – Uses TCP handshakes for port scanning
• Netcat – For testing open TCP ports

🧩 TL;DR:

The TCP 3-Way Handshake is how two devices introduce themselves and agree to communicate.
It ensures data is reliably and securely transferred — just like confirming both people are ready before a call.

🚩 🧩 What Are TCP Flags?

Let’s break it down 👇

TCP Flags are bits in the TCP header that control the state and flow of communication between two devices.
They act as signals to manage connection establishment, data transfer, and connection termination.
Think of them as traffic signals for data packets — telling them when to stop, go, start a conversation, or shut it down.

🧩 The Most Common TCP Flags

Flag    | Meaning            | Use Case Example
SYN     | Synchronize        | Start a TCP connection (Step 1 of handshake)
ACK     | Acknowledgment     | Acknowledge received packets (used in almost every step)
FIN     | Finish             | Gracefully terminate a connection
RST     | Reset              | Abruptly terminate a connection (error or forced reset)
PSH     | Push               | Push data immediately to application layer
URG     | Urgent             | Mark a packet as urgent (rarely used today)
ECE/CWR | Congestion control | Used in network congestion handling (advanced TCP features)

🔄 How They Work: A Simple Example

📡 Let’s imagine your computer wants to connect to a web server.

1. SYN → You say: "Hi server, I want to talk!"
2. SYN-ACK → Server replies: "Sure! I'm ready, are you?"
3. ACK → You respond: "Yes! Let's chat."

This is the famous 3-Way Handshake, and it uses just SYN and ACK flags.

Now, when the conversation (data exchange) is over:

1. FIN → "I'm done talking."
2. ACK → "Got it, I’ll close too."
3. FIN + ACK → Server also ends the session.

Sometimes, if something goes wrong, you’ll see:

🚨 RST (Reset) → “End this connection immediately!”

🛠 Tools to See TCP Flags in Action:

• Wireshark: Captures and shows each flag per packet.
• tcpdump: CLI-based packet capture with TCP flag display.
• Nmap: Uses flags for stealth scanning (e.g., SYN Scan, FIN Scan).
• Firewall/SIEM Tools: Use flags to detect threats like SYN Floods or abnormal resets.

🧩 TL;DR:

TCP flags are like hand signals that tell devices how to start, continue, or end conversations across a network.
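As an added example (not code from the original document), here is how the flags byte of a raw TCP header decodes in Python, followed by the kind of SYN-flood check a firewall or SIEM rule performs: count SYN segments that carry no ACK per source address. The packets are constructed inline, and the function names and the threshold are this example's own choices.

```python
import struct
from collections import Counter

# Bit positions of the flags byte (offset 13 of the TCP header).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def decode_flags(flag_byte: int) -> list:
    """Return the names of the set flags, in header bit order (CWR first)."""
    return [name for name, bit in TCP_FLAGS.items() if flag_byte & bit]


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte part of a TCP header (options are ignored)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, offset_byte, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (offset_byte >> 4) * 4,   # header length in bytes
        "flags": decode_flags(flags), "window": window,
    }


def build_tcp_header(sport, dport, seq, ack, flags: int, window=65535) -> bytes:
    """Build a 20-byte header (checksum left at 0) for the constructed packets."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def syn_flood_sources(packets, threshold: int) -> dict:
    """Count bare SYNs (SYN set, ACK clear) per source IP.

    A source that keeps sending SYNs without completing handshakes is the
    classic SYN-flood signature. `packets` is an iterable of (src_ip, raw_header);
    the result maps each source at or above `threshold` to its SYN count.
    """
    syns = Counter()
    for src_ip, raw in packets:
        hdr = parse_tcp_header(raw)
        if "SYN" in hdr["flags"] and "ACK" not in hdr["flags"]:
            syns[src_ip] += 1
    return {ip: n for ip, n in syns.items() if n >= threshold}


# Constructed sample traffic: one normal handshake plus a burst of bare SYNs
# from a single source (198.51.100.9 is a documentation address).
SAMPLE_PACKETS = [
    ("10.0.0.5", build_tcp_header(40001, 443, 1000, 0, TCP_FLAGS["SYN"])),
    ("10.0.0.1", build_tcp_header(443, 40001, 5000, 1001, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])),
    ("10.0.0.5", build_tcp_header(40001, 443, 1001, 5001, TCP_FLAGS["ACK"])),
] + [
    ("198.51.100.9", build_tcp_header(50000 + i, 443, i, 0, TCP_FLAGS["SYN"]))
    for i in range(50)
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS[:3]:
        print(src, parse_tcp_header(raw)["flags"])
    print("SYN-flood candidates:", syn_flood_sources(SAMPLE_PACKETS, threshold=20))
```

The legitimate client appears once in the SYN count (its later segments carry ACK), while the flooding source crosses the threshold; a real rule would add a time window and compare against the number of completed handshakes from the same source.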

🔐 What is an SSL/TLS Handshake?

Ever noticed the 🔒 lock icon in your browser’s address bar? That’s
thanks to SSL/TLS—the technologies that keep your internet connection
secure.
But behind that lock icon is something magical called the SSL/TLS
Handshake—a secure conversation starter between your browser and a
website.

🤔 What is SSL/TLS?
 SSL (Secure Sockets Layer) and its modern version, TLS
(Transport Layer Security), are cryptographic protocols that
secure data as it travels across the internet.
 They make sure that any information you send (like passwords
or credit card numbers) is encrypted and can’t be intercepted or
tampered with.

🤝 What is the SSL/TLS Handshake?

The handshake is the initial process where your browser and the web server agree on how to communicate securely.

Think of it like this:
Two people meet for the first time, agree to speak a common language, verify each other's identity, and exchange secret notes only they can read. 🔐

🧩 Steps of the TLS Handshake (Simplified)

1. Client Hello (Your Browser):
• Says: “Hi! I want to start a secure conversation. Here are the protocols and encryption methods I support, and here’s a random number.”

2. Server Hello (The Website):
• Replies: “Great! I’ll use this protocol and encryption method. Here’s my certificate to prove who I am, and my random number too.”

3. Certificate Verification:
• Your browser checks if the certificate is valid and signed by a trusted Certificate Authority (CA). ✅

4. Key Exchange:
• Using the public key from the server’s certificate, your browser encrypts a "pre-master key" and sends it.

5. Session Key Generation:
• Both the browser and server generate the same session key from the pre-master key. This key will be used to encrypt all future communication.

6. Finished Message:
• Both sides say: “I’m ready. From now on, everything is encrypted!”

👏 Handshake complete. A secure HTTPS connection is now established.
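Step 5 is the part of the handshake that can be reproduced offline. The added example below (not code from the original document) implements the TLS 1.2 pseudo-random function from RFC 5246 and derives the 48-byte master secret from a pre-master secret plus the two random numbers, showing that both sides arrive at the same key and that changing either random number changes it. The secret and random values are constructed for the demo; a real client uses the pre-master secret it sent in step 4.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: an HMAC chain expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i is HMAC(secret, A(i) + seed).
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 cipher suites."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def both_sides_agree(pre_master: bytes, client_random: bytes, server_random: bytes) -> bool:
    """Each side runs the same derivation on the same inputs, so nothing but
    the (encrypted) pre-master secret ever has to cross the wire."""
    key_at_client = master_secret(pre_master, client_random, server_random)
    key_at_server = master_secret(pre_master, client_random, server_random)
    return key_at_client == key_at_server


if __name__ == "__main__":
    # Constructed demo values: two 32-byte randoms and a 48-byte pre-master secret.
    c_rand, s_rand, pms = os.urandom(32), os.urandom(32), os.urandom(48)
    print("master secret:", master_secret(pms, c_rand, s_rand).hex())
    print("both sides agree:", both_sides_agree(pms, c_rand, s_rand))
```

TLS 1.3 replaces this PRF with an HKDF-based key schedule, but the property the text describes is the same: both ends compute an identical session key from shared inputs, and an eavesdropper who lacks the pre-master secret cannot.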

🌍 Example in Action:

Let’s say you visit https://www.bank.com.

1. Your browser initiates a handshake.
2. The bank’s server sends its SSL certificate (includes its public key).
3. Your browser verifies the certificate.
4. A session key is created and securely shared.
5. From this point on, your login credentials and bank data are encrypted using that session key.

Even if someone intercepts the traffic, all they’ll see is encrypted gibberish. 💬🔐

⚠️ Why This Matters:

✅ Confidentiality – No one can eavesdrop on your data
✅ Integrity – No one can modify your data in transit
✅ Authentication – You know you’re talking to the real website

🌐 🧩 Definition: What Is the OSI Model?

The OSI Model is a conceptual framework that standardizes the functions of a communication system into 7 distinct layers.
It helps engineers and systems communicate, troubleshoot, and secure data flows across networks.

💬 Think of it as a blueprint that shows how data travels from one computer to another — from your app to the physical wire and back.
Each layer serves a specific purpose, and the model ensures that all networking components (hardware or software) speak a universal "language."

📶 The 7 Layers of OSI — Explained From Top to Bottom

🔹 Layer 7: Application Layer

📱 What it does: Interfaces directly with user-facing applications. It’s where network services (like web browsing or email) happen.

• 📄 Data Format: Data (user-readable)
• 💻 Devices: End-user devices (laptops, phones, servers)
• 🌐 Protocols: HTTP, FTP, SMTP, DNS, Telnet
• 🛡️ Attacks: Phishing, social engineering, app-layer DDoS
• ✅ Responsibility: Interfaces with applications; provides network services to end-users
• 🧩 Example: You open your browser and type a URL – that’s HTTP in action.

🔹 Layer 6: Presentation Layer

🔐 What it does: Translates, encrypts, or compresses data so that it can be understood between different systems.

• 📄 Data Format: Data (encoded/encrypted)
• 💻 Devices: Endpoints, middleware
• 🌐 Protocols: SSL/TLS, JPEG, MPEG, ASCII
• 🛡️ Attacks: SSL stripping, encryption downgrade attacks
• ✅ Responsibility: Data encryption/decryption, compression, translation
• 🧩 Example: TLS encrypts your data during HTTPS sessions.

🔹 Layer 5: Session Layer

🧩 What it does: Establishes, manages, and terminates connections between applications. Think of it as the session manager.

• 📄 Data Format: Data
• 💻 Devices: Host systems
• 🌐 Protocols: NetBIOS, RPC, PPTP
• 🛡️ Attacks: Session hijacking, MITM attacks
• ✅ Responsibility: Starts, manages, and terminates sessions between applications
• 🧩 Example: Keeping your session active while shopping online.

🔹 Layer 4: Transport Layer

🚚 What it does: Ensures reliable data delivery with correct sequencing and error checking.

• 📄 Data Format: Segments
• 💻 Devices: Routers, firewalls, load balancers
• 🌐 Protocols: TCP, UDP, SCTP
• 🛡️ Attacks: SYN floods, TCP reset attacks
• ✅ Responsibility: End-to-end delivery, flow control, error handling
• 🧩 Example: TCP ensures your file is fully downloaded, in order.

🔹 Layer 3: Network Layer

🧩 What it does: Routing and IP addressing; determines the best path for data to travel across networks using IP addressing.

• 📄 Data Format: Packets
• 💻 Devices: Routers, Layer 3 switches
• 🌐 Protocols: IP, ICMP, OSPF, BGP
• 🛡️ Attacks: IP spoofing, route poisoning, ICMP floods
• ✅ Responsibility: Determines best path for data, handles logical addressing (IP)
• 🧩 Example: Your router uses IP to send traffic to Google.

🔹 Layer 2: Data Link Layer

🔌 What it does: Deals with physical addressing (MAC addresses) and provides error detection for data frames on the same network.

• 📄 Data Format: Frames
• 💻 Devices: Switches, NICs, bridges
• 🌐 Protocols: Ethernet, ARP, PPP
• 🛡️ Attacks: MAC spoofing, ARP poisoning
• ✅ Responsibility: Physical addressing, error detection, and frame delivery
• 🧩 Example: Ethernet helps send data between your laptop and router.

🔹 Layer 1: Physical Layer

⚡ What it does: Transmits raw bits over a physical medium (cables, fiber, radio waves). This is where hardware lives.

• 📄 Data Format: Bits (1s and 0s)
• 💻 Devices: Hubs, cables, modems, fiber optics, radio signals
• 🌐 Protocols: None (just electrical/optical/mechanical standards)
• 🛡️ Attacks: Wiretapping, jamming, hardware sabotage
• ✅ Responsibility: Physical transmission of raw bits over media
• 🧩 Example: The actual cable that sends your internet signal.

🧩 Why It Matters (Especially in Security)

• Troubleshoot network issues faster
• Detect which layer an attack is targeting
• Configure firewalls, routers, and security policies effectively
• Design resilient, segmented architectures

🧩 Tools You Can Use to Analyze OSI Layers

• Wireshark – View each layer’s headers and behavior
• tcpdump – CLI network packet analysis
• Nmap – Scan open ports and services (Layer 4 & 7)
• Firewall/IDS/IPS – Filter and detect threats based on OSI logic

📊 Quick Summary Table

Layer | Name         | Data Type | Devices            | Protocols          | Example
7     | Application  | Data      | PC, Phones         | HTTP, DNS, SMTP    | Web browsing
6     | Presentation | Data      | Same as above      | TLS, JPEG, MPEG    | HTTPS encryption
5     | Session      | Data      | Same as above      | RPC, NetBIOS       | Online banking session
4     | Transport    | Segments  | Routers, firewalls | TCP, UDP           | File download
3     | Network      | Packets   | Routers            | IP, ICMP, OSPF     | Routing data
2     | Data Link    | Frames    | Switches, NICs     | Ethernet, ARP      | MAC address routing
1     | Physical     | Bits      | Cables, hubs       | Physical standards | Electrical signals

💬 Curious about how to remember the OSI layers?

🧩 Mnemonic:
"All People Seem To Need Data Processing"
(A → P → S → T → N → D → P)

🎯 Real-World Analogy: Sending a Letter via Mail

OSI Layer    | Mail Analogy
Application  | You writing the letter
Presentation | Translating the letter into another language
Session      | Adding a return address and contact information
Transport    | Choosing standard or express delivery
Network      | Postal system determining the route
Data Link    | Addressing the envelope with the correct house #
Physical     | Mail carrier physically delivering it to the house

🧩 What Is the TCP/IP Model?

The TCP/IP (Transmission Control Protocol / Internet Protocol) Model is a 4-layer conceptual framework that defines how data is transmitted across networks — from your device all the way to a destination (like a web server).

📦 It's how emails get delivered, websites load, and files transfer — reliably and securely.

🔁 It’s also the foundation of the modern internet and private networks, making it one of the most important models in networking.

📚 The 4 Layers of TCP/IP – Explained

While the OSI Model has 7 layers, TCP/IP has 4 simplified layers, each
responsible for key aspects of communication.
Let’s explore them from top (closest to user) to bottom (network
hardware):

🔹 1. Application Layer

💬 What it does:
This is where apps and user interfaces interact with the network. It
combines the top 3 OSI layers (Application, Presentation, Session).

🧩 Examples of Protocols:
• HTTP/HTTPS – For web browsing
• SMTP/POP3/IMAP – For emails
• FTP/SFTP – For file transfers
• DNS – For domain name resolution

📌 Real-life Example:
When you visit www.linkedin.com, your browser uses HTTP/HTTPS at this layer to request content from the LinkedIn server.

🔹 2. Transport Layer

🚚 What it does:
Responsible for reliable or fast delivery of data between devices.

🧩 Main Protocols:

• TCP (Transmission Control Protocol) – Reliable, ordered, error-checked
• UDP (User Datagram Protocol) – Faster, no guarantee of delivery

📌 Example:
• TCP is used when downloading a file or loading a webpage.
• UDP is used for video streaming or gaming where speed matters more than perfection.

🔹 3. Internet Layer

🌐 What it does:
This layer decides where the data should go by handling logical
addressing (IP addresses) and routing.

🧩 Key Protocols:

• IP (IPv4 / IPv6) – Addressing and routing
• ICMP – Used for diagnostics (e.g., ping)
• ARP – Resolves IP to MAC addresses

📌 Example:
When you send a message from your device in India to a server in the U.S., the Internet Layer ensures it finds the right route using the destination IP.

🔹 4. Network Access (Link) Layer

🔌 What it does:
Covers how data is physically sent over the network — includes MAC
addressing, frames, cabling, and Wi-Fi signals.

🧩 Technologies Used:

• Ethernet
• Wi-Fi (IEEE 802.11)
• ARP
• Frame Relay

📌 Example:
Your laptop connects to your home Wi-Fi using this layer. It converts the
data into signals for transmission over air (wirelessly).

🔁 TCP/IP Model vs OSI Model – How They Align

TCP/IP Layer   | OSI Equivalent Layers
Application    | Application + Presentation + Session
Transport      | Transport
Internet       | Network
Network Access | Data Link + Physical

While the OSI Model is ideal for theoretical understanding, TCP/IP is what’s actually used in real networks.

🌍 Real-World Example – Loading a Web Page

1. You type www.example.com in your browser → DNS resolves domain name to IP (Application Layer)
2. Your device starts a TCP connection → Three-way handshake (Transport Layer)
3. Data packets are routed across the internet → Routers and IPs help find the path (Internet Layer)
4. Data is sent through your Wi-Fi router → Physical and MAC transmission (Network Access Layer)
5. You see the website fully loaded ✨
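The layering described in the OSI section and in the web-page walk-through just above can be seen directly by peeling one frame apart. The Python below is an added example, not code from the original document: it builds a single Ethernet/IPv4/TCP/HTTP frame inline (addresses and payload are constructed) and then strips one layer at a time, reporting the PDU name used at each layer (frame, packet, segment, data). Function names are this example's own.

```python
import socket
import struct


def parse_ethernet(frame: bytes):
    """Layer 2: the 14-byte Ethernet II header (dst MAC, src MAC, EtherType)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])

    def mac(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)

    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(packet: bytes):
    """Layer 3: IPv4 header; IHL gives the header length in 32-bit words."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (ver_ihl & 0x0F) * 4
    return {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "ttl": ttl, "protocol": proto}, packet[hlen:total_len]


def parse_transport_ports(segment: bytes) -> dict:
    """Layer 4: only the two port fields, which TCP and UDP lay out identically."""
    sport, dport = struct.unpack("!HH", segment[:4])
    return {"sport": sport, "dport": dport}


def layer_stack(frame: bytes) -> list:
    """Walk a frame bottom-up, returning (layer, PDU name, decoded fields) per layer."""
    stack = []
    eth, packet = parse_ethernet(frame)
    stack.append(("L2 Data Link", "frame", eth))
    if eth["ethertype"] != 0x0800:          # only IPv4 is handled here
        return stack
    ip, segment = parse_ipv4(packet)
    stack.append(("L3 Network", "packet", ip))
    if ip["protocol"] in (6, 17):           # 6 = TCP, 17 = UDP
        is_tcp = ip["protocol"] == 6
        stack.append(("L4 Transport", "segment" if is_tcp else "datagram",
                      parse_transport_ports(segment)))
        # TCP header length comes from the data-offset nibble; a UDP header is always 8 bytes.
        hlen = (segment[12] >> 4) * 4 if is_tcp else 8
        # Everything above Layer 4 is opaque here: the start of an HTTP request.
        stack.append(("L7 Application", "data", {"payload": segment[hlen:]}))
    return stack


def build_sample_frame(http_request: bytes) -> bytes:
    """Constructed frame: Ethernet II / IPv4 / TCP / HTTP, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1001, 5001, 5 << 4, 0x18, 65535, 0, 0) + http_request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("203.0.113.5")) + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), 0x0800)
    return eth + ip


SAMPLE_FRAME = build_sample_frame(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    for layer, pdu, fields in layer_stack(SAMPLE_FRAME):
        print(f"{layer:15} {pdu:8} {fields}")
```

Read the output top to bottom and it is the OSI table in reverse: the frame carries a packet, the packet carries a segment, and the segment carries the application data; Wireshark shows the same nesting in its packet-details pane.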

🛠 Tools That Use the TCP/IP Model

• Wireshark – Analyze packets across all 4 layers
• Nmap – Scan devices and open TCP/UDP ports
• ping / traceroute – Test Internet Layer (IP/ICMP)
• Burp Suite / Postman – Interact with Application Layer (HTTP, API)

🌐 OSI vs TCP/IP: What's the Difference and Why It Matters in Networking 🔍

If you're diving into the world of networking, you've likely come across two foundational models:

📘 The OSI Model
🧩 The TCP/IP Model

At first glance, they might seem similar—but understanding the differences between them is key to mastering how networks operate.
Let’s break it down:

🧩 What Are These Models?


Both the OSI (Open Systems Interconnection) model and the TCP/IP (Transmission Control Protocol/Internet Protocol) model are conceptual frameworks that describe how data travels over a network—from one device to another.
They help us visualize, design, troubleshoot, and understand complex networking systems by breaking down communication into layers.

📊 Comparison Table: OSI vs TCP/IP

Aspect              | OSI Model                                                                                   | TCP/IP Model
🏗️ Structure        | 7 Layers                                                                                    | 4 Layers
🧩 Development      | Developed by ISO as a theoretical model                                                     | Developed by the U.S. Dept. of Defense for real-world use
🌐 Usage            | More of a reference model                                                                   | Basis of the modern Internet
🔁 Layers           | 1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application | 1. Network Interface 2. Internet 3. Transport 4. Application
🔄 Approach         | Top-down design                                                                             | Bottom-up design
🔌 Protocol Binding | Protocols are not bound to specific layers                                                  | Protocols are strictly tied to specific layers

🧩 Layer-by-Layer Analogy (Simplified)

Imagine you're sending a physical package to a friend:

• Application Layer (OSI & TCP/IP) – You write the letter (data)
• Transport Layer – You choose the delivery method (e.g., fragile or express = TCP/UDP)
• Network Layer – The address and routing (IP address and path to recipient)
• Data Link/Physical (OSI) / Network Interface (TCP/IP) – The delivery truck and road (actual hardware, cables, network cards)

✅ Real-World Examples

📌 Web Browsing (HTTP)

• In OSI: Layer 7 (Application)
• In TCP/IP: Application Layer

📌 Sending Data via TCP

• OSI: Transport Layer (Layer 4)
• TCP/IP: Transport Layer

📌 IP Addressing & Routing

• OSI: Network Layer (Layer 3)
• TCP/IP: Internet Layer

📌 Summary

OSI Model                      | TCP/IP Model
7 Layers                       | 4 Layers
Conceptual, theoretical        | Practical, widely used
Used to teach and troubleshoot | Used to build and run the Internet

🤔 So Which One Is Better?

• TCP/IP is the practical, real-world model used in actual networking and the Internet today.
• OSI is a teaching tool—great for learning and understanding the flow of data.

Think of it like this:
🔹 OSI = the ideal blueprint
🔹 TCP/IP = the working building

🚀 TCP vs UDP

In the world of networking, TCP and UDP are two of the most important
transport layer protocols.

Let’s break it down in a clear, simple way 👇

🧩 What Are TCP and UDP?

Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are used to send data over the internet. They operate at the Transport Layer of the TCP/IP and OSI models.
But they handle data very differently.

🧩 Side-by-Side Comparison

Feature                  | TCP                                        | UDP
🔗 Connection Type       | Connection-oriented                        | Connectionless
🔄 Reliability           | Reliable (guarantees delivery & order)     | Unreliable (no delivery or order guarantee)
🚦 Speed                 | Slower (due to checks and retransmissions) | Faster (less overhead)
📬 Delivery Confirmation | Yes (ACKs)                                 | No
📊 Overhead              | High                                       | Low
📦 Use Case Examples     | HTTP, FTP, SSH, Email                      | Video Calls, Gaming, DNS, Streaming

🎯 Quick Analogy

• TCP = A phone call 📞 – you say “Hello?”, wait for a response, and carry a reliable conversation.
• UDP = A text message 📲 – you just send it and hope it gets there.

💡 Final Thoughts
• Use TCP when accuracy and completeness are critical.
• Use UDP when speed matters more than reliability.
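The "connection-oriented" versus "connectionless" rows of the table are easiest to feel with two sockets on the loopback interface. The Python below is an added example, not code from the original document: a TCP echo requires `accept()`/`connect()` (the handshake) before any data moves, a UDP echo needs neither, and against a port nobody listens on TCP is refused (the SYN is answered with RST) while a UDP send succeeds and simply gets no reply. Ports are chosen by the OS; function names are this example's own.

```python
import socket
import threading


def _tcp_echo_once(listener: socket.socket) -> None:
    """Server side: accept() returns only after the client's 3-way handshake completes."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(4096))


def _udp_echo_once(sock: socket.socket) -> None:
    """Server side: no accept(); a datagram simply arrives with its sender's address."""
    data, addr = sock.recvfrom(4096)
    sock.sendto(data, addr)


def tcp_roundtrip(message: bytes) -> bytes:
    """Send a message over TCP on loopback and return the echo."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_tcp_echo_once, args=(listener,))
    worker.start()
    # create_connection() performs SYN / SYN-ACK / ACK before it returns.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message)
        reply = client.recv(4096)
    worker.join()
    listener.close()
    return reply


def udp_roundtrip(message: bytes) -> bytes:
    """Send a message over UDP on loopback and return the echo."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    port = server.getsockname()[1]
    worker = threading.Thread(target=_udp_echo_once, args=(server,))
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    client.sendto(message, ("127.0.0.1", port))   # no handshake, no connection state
    reply, _ = client.recvfrom(4096)
    client.close()
    worker.join()
    server.close()
    return reply


def closed_port_behaviour() -> dict:
    """Contrast the two protocols against a port with no listener."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                                # now nothing listens on `port`
    result = {}
    try:
        socket.create_connection(("127.0.0.1", port), timeout=5).close()
        result["tcp"] = "connected"
    except ConnectionRefusedError:
        result["tcp"] = "refused"                # the SYN was answered with RST
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)
    client.sendto(b"anyone there?", ("127.0.0.1", port))   # send succeeds regardless
    try:
        client.recvfrom(4096)
        result["udp"] = "reply"
    except (socket.timeout, ConnectionRefusedError):
        result["udp"] = "no reply"               # the datagram just vanishes
    client.close()
    return result


if __name__ == "__main__":
    print("tcp echo:", tcp_roundtrip(b"hello over tcp"))
    print("udp echo:", udp_roundtrip(b"hello over udp"))
    print("closed port:", closed_port_behaviour())
```

The closed-port case is why port scanners and firewalls treat the two so differently: a TCP port answers (SYN-ACK or RST) while a closed UDP port usually says nothing, so "no reply" on UDP is ambiguous between filtered, closed and lost.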

🚨 Top 10 OWASP Vulnerabilities (2021): Explained with Examples

The OWASP Top 10 is a list of the most common and dangerous web application security risks, maintained by the Open Worldwide Application Security Project (OWASP).
Let’s break them down with real-world examples to make it easy to understand. 👇

🔐1. Broken Access Control

💥 What it is: Users can access resources or actions they shouldn’t.

🧩 Example: A regular user can access /admin/dashboard without proper privileges.

🔐 Fix: Enforce role-based access control (RBAC), deny by default.

🧩 2. Cryptographic Failures (Previously “Sensitive Data Exposure”)

💥 What it is: Data isn’t properly encrypted in storage or transit.

🧩 Example: Credit card numbers sent over HTTP (not HTTPS) can be stolen.

🔐 Fix: Use strong encryption (e.g., TLS 1.2+), never store passwords in plain text.

🧩 3. Injection

💥 What it is: Untrusted input is interpreted as code by the server.

🧩 Example: '; DROP TABLE users;-- in a login form = database wipeout!

🔐 Fix: Use parameterized queries or prepared statements.
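The injection example and its fix, side by side, as an added example that is not code from the original document. It uses an in-memory SQLite database with one constructed row and the page's own input string: the vulnerable lookup pastes the input into the SQL text (and `executescript`, like many database drivers, runs every statement it finds), while the parameterized lookup binds it as a value, so the same input matches nothing and the table survives. Function names are this example's own.

```python
import sqlite3

# The page's own injection example, used as the untrusted input below.
PAYLOAD = "'; DROP TABLE users;--"


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return db


def table_exists(db: sqlite3.Connection, name: str = "users") -> bool:
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def find_user_vulnerable(db: sqlite3.Connection, username: str) -> str:
    """Vulnerable: builds the query by string formatting.

    The quote in the input closes the string literal and everything after it is
    parsed as SQL. Returns the text actually sent to the database so the damage
    is visible; executescript() runs each statement in it.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}';"
    db.executescript(sql)
    return sql


def find_user_safe(db: sqlite3.Connection, username: str) -> list:
    """Fixed: a parameterized query. The driver binds the value, so the input
    can only ever be data, never part of the statement."""
    return db.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("sent to database:", find_user_vulnerable(db, PAYLOAD))
    print("users table still exists:", table_exists(db))
    db = fresh_db()
    print("safe lookup result:", find_user_safe(db, PAYLOAD))
    print("users table still exists:", table_exists(db))
```

The detection angle for a SOC: the vulnerable path emits a query containing `DROP TABLE` that the application never intends to run, which is the kind of statement a database audit log or WAF rule should alert on; the safe path never produces such a statement at all.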

🕵️♂️ 4. Insecure Design

💥 What it is: The system is insecure by design, not just by bug.

🧩 Example: A banking app that doesn't verify the transfer limit on the server side.

🔐 Fix: Implement security during the architecture and design phase (threat modeling, secure patterns).

⚙️ 5. Security Misconfiguration

💥 What it is: Default settings, open cloud buckets, or exposed debug info.

🧩 Example: Leaving the admin panel accessible at /admin with default credentials.

🔐 Fix: Harden configurations, disable unused features, perform regular audits.

📦 6. Vulnerable and Outdated Components

💥 What it is: Using outdated libraries or plugins with known vulnerabilities.

🧩 Example: Using an old jQuery version vulnerable to XSS.

🔐 Fix: Regularly patch and update dependencies, use tools like OWASP Dependency-Check.

👤 7. Identification and Authentication Failures

💥 What it is: Weak authentication mechanisms that can be bypassed.

🧩 Example: No limit on login attempts → brute-force attack succeeds.

🔐 Fix: Use MFA, limit login attempts, secure password storage (bcrypt, scrypt).

🛡️ 8. Software and Data Integrity Failures

💥 What it is: Relying on untrusted software updates or plugins.

🧩 Example: Auto-updating a plugin over an unsecured connection—attacker swaps the file.

🔐 Fix: Use signed updates, secure CI/CD pipelines, integrity checks.

📋 9. Security Logging and Monitoring Failures

💥 What it is: No logs or alerts for suspicious behavior.

🧩 Example: An attacker logs in with a stolen account and no one notices.

🔐 Fix: Enable detailed logging, monitor actively, integrate with SIEM tools.

💻 10. Server-Side Request Forgery (SSRF)

💥 What it is: The app fetches data from URLs without validation, allowing internal network access.

🧩 Example: Attacker tricks the server into calling http://localhost:8080/admin.

🔐 Fix: Validate and restrict external URLs, block internal IP ranges.

✅ Final Thoughts:

Understanding these vulnerabilities helps developers build safer applications, and security professionals identify and defend against common attack vectors.

💡 Tip: You can use tools like OWASP ZAP, Burp Suite, or Nikto to find these flaws in web apps.

🔁 What is NAT?
📡 Understanding How Private IPs Talk to the Public Internet

In today's connected world, every device in a private network (like your home Wi-Fi or office LAN) needs a way to communicate with the public internet — but there aren’t enough public IP addresses to go around.
That’s where NAT (Network Address Translation) comes in — one of the most important concepts in networking and cybersecurity.

🧩 What is NAT (Network Address Translation)?

NAT is a method used by routers and firewalls to translate private IP addresses to public IP addresses, and vice versa, allowing devices in a private network to access external networks (like the internet).

🔐 It helps with:

• Conserving public IP addresses
• Hiding internal network structure
• Improving security and scalability

📍 Implemented at: Routers, firewalls, and NAT gateways
🌐 Used in: Homes, businesses, cloud networks, data centers

🛠 Types of NAT – Explained with Real Examples

1. Static NAT (One-to-One Mapping)

🔄 Maps one private IP to one public IP.
Used when a specific internal server needs to be reachable from the internet.

✅ Use Case: Hosting a web or email server that must be publicly accessible.

📌 Example:

• Internal IP: 192.168.1.100
• Mapped Public IP: 203.0.113.10
• Every time someone accesses 203.0.113.10, it goes to 192.168.1.100

🎯 Tools/Vendors: Cisco ASA, Fortinet, Palo Alto Firewalls

2. Dynamic NAT (Many-to-Many Mapping)

🔁 Maps multiple private IPs to a pool of public IPs, assigned temporarily.

✅ Use Case: Internal users need access to the internet, and you have a limited number of public IPs.

📌 Example:

• Internal range: 192.168.1.0/24
• Public pool: 203.0.113.10 - 203.0.113.20
• Internal devices get a public IP temporarily while browsing

🎯 Note: Public IPs must be available in the pool.

3. PAT (Port Address Translation), also known as NAT Overload

🔁 Maps many private IPs to a single public IP, using different port numbers to keep track of each connection.

✅ Use Case: Most common NAT type used in homes and offices to connect many devices through one internet connection.

📌 Example:

• Private IPs: 192.168.1.2, 192.168.1.3, 192.168.1.4
• All map to Public IP: 203.0.113.10
• Differentiated using ports:
  o 192.168.1.2:1045 → 203.0.113.10:60001
  o 192.168.1.3:1046 → 203.0.113.10:60002

🎯 Common in: Home routers, NAT gateways in AWS/Azure/GCP
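The static and PAT mappings above, as a small translation table in Python. This is an added example, not code from the original document: it uses the page's own addresses and ports, and shows the property that matters for security, namely that an inbound packet is only forwarded when it matches an entry that outbound traffic created, so unsolicited inbound traffic has nowhere to go. Class and method names are this example's own; the port allocator simply counts up from 60001 to match the text.

```python
from itertools import count


class StaticNat:
    """Static NAT: a fixed one-to-one mapping, so inbound traffic can reach a server."""

    def __init__(self, mappings: dict):
        self.outbound = dict(mappings)                          # private -> public
        self.inbound = {pub: priv for priv, pub in mappings.items()}

    def translate_out(self, private_ip: str):
        return self.outbound.get(private_ip)

    def translate_in(self, public_ip: str):
        return self.inbound.get(public_ip)


class PatTable:
    """PAT / NAT overload: many private sockets share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 60001):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> (public_ip, public_port)
        self.inbound = {}    # (public_ip, public_port)   -> (private_ip, private_port)

    def translate_out(self, private_ip: str, private_port: int):
        """Outbound packet: reuse the existing entry or allocate a fresh public port."""
        key = (private_ip, private_port)
        if key not in self.outbound:
            public = (self.public_ip, next(self._next_port))
            self.outbound[key] = public
            self.inbound[public] = key
        return self.outbound[key]

    def translate_in(self, public_ip: str, public_port: int):
        """Inbound packet: forwarded only if an outbound flow created the entry.

        Returns None for anything unsolicited, which the gateway then drops; this
        side effect is what hides the internal network behind PAT.
        """
        return self.inbound.get((public_ip, public_port))


if __name__ == "__main__":
    pat = PatTable("203.0.113.10")
    print(pat.translate_out("192.168.1.2", 1045))    # ('203.0.113.10', 60001)
    print(pat.translate_out("192.168.1.3", 1046))    # ('203.0.113.10', 60002)
    print(pat.translate_in("203.0.113.10", 60002))   # ('192.168.1.3', 1046)
    print(pat.translate_in("203.0.113.10", 60999))   # None: no flow, packet dropped
```

For a SOC analyst the `inbound` table is the piece to remember: when a firewall log shows a public-side address and port, it is this mapping (and the NAT log that records it) that ties the event back to the internal host.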

🔐 Encryption & Decryption Explained

In today’s connected world, data is the new currency — and protecting it is more important than ever.

That’s where encryption and decryption come in.

🧩 What Is Encryption?
Encryption is the process of converting plain, readable data (called plaintext) into unreadable, scrambled data (ciphertext) so that unauthorized people cannot understand it.

📌 Example:
You send a message saying:
"Meet me at 7 PM"
After encryption, it becomes something like:
"X4#gh93!Bkd@" – meaningless to anyone without the key.

🔓 What Is Decryption?

Decryption is the reverse process — converting ciphertext back into readable plaintext, using a key.
Only the intended recipient, who has the correct decryption key, can read the original message.

🔐 Types of Encryption

1. Symmetric Encryption

✅ Uses one single key to encrypt AND decrypt the data.
🔑 The same key must be shared securely with the recipient.

📌 Example: AES (Advanced Encryption Standard)
Use case: Encrypting large volumes of data quickly (e.g., full disk encryption)

Sender                    Shared Key                    Receiver
📤 ———> 🔒 Encrypt "Hello" ———> 📨 ———> 🔓 Decrypt "Hello"

2. Asymmetric Encryption

✅ Uses two keys:

• A public key to encrypt
• A private key to decrypt

📌 Example: RSA, ECC
Use case: Secure email, digital signatures, SSL/TLS (used in HTTPS)

Sender                                                  Receiver
📤 ———> 🔒 Encrypt with Receiver's Public Key ———> 📨 ———> 🔓 Decrypt with Private Key
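The two diagrams above in runnable form, as an added example that is not code from the original document. The symmetric half shows one shared key doing both jobs; because the standard library has no AES, it uses an HMAC-SHA256 keystream XORed with the data as a stand-in (labelled as such, unauthenticated, illustration only). The asymmetric half is textbook RSA with the tiny constructed primes 61 and 53, enough to show that the public key encrypts and only the private key decrypts; real RSA uses 2048-bit moduli and padding. Function names are this example's own.

```python
import hashlib
import hmac
import os

# --- Symmetric: one shared key encrypts and decrypts -----------------------------
# Stand-in for AES: an HMAC-SHA256 keystream XORed with the data (counter mode).
# It keeps the property the text describes (same key in, same key out) but is
# not authenticated and should not be used for real data.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce + ciphertext; the nonce must never repeat under the same key."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key, same keystream: XOR again and the plaintext comes back."""
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# --- Asymmetric: public key encrypts, private key decrypts ------------------------
# Textbook RSA with constructed toy primes, purely to show the two-key roles.


def rsa_toy_keypair():
    p, q = 61, 53                 # constructed primes (never this small in practice)
    n = p * q                     # 3233: the modulus, part of both keys
    phi = (p - 1) * (q - 1)       # 3120
    e = 17                        # public exponent, coprime with phi
    d = pow(e, -1, phi)           # private exponent: e * d = 1 (mod phi), i.e. 2753
    return (e, n), (d, n)         # (public key, private key)


def rsa_encrypt(public_key, message: int) -> int:
    e, n = public_key
    return pow(message, e, n)     # anyone holding the public key can do this


def rsa_decrypt(private_key, ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)  # only the private-key holder can undo it


if __name__ == "__main__":
    key = os.urandom(32)
    blob = symmetric_encrypt(key, b"Meet me at 7 PM")
    print("symmetric ciphertext:", blob[16:].hex())
    print("symmetric decrypt   :", symmetric_decrypt(key, blob))
    pub, priv = rsa_toy_keypair()
    c = rsa_encrypt(pub, 65)
    print("rsa ciphertext:", c, "-> decrypted:", rsa_decrypt(priv, c))
```

Decrypting the symmetric blob with a different key yields garbage rather than an error, which is why real symmetric schemes pair the cipher with an authentication tag (AES-GCM, for instance) so tampering and wrong keys are detected instead of silently producing nonsense.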

🧩 Simple Text-Based Diagram

[ Plaintext ]

🔐 Encryption (Key)

[ Ciphertext ] ←— Safe to transmit

🔓 Decryption (Key)

[ Original Plaintext ]

🔁 Depending on the method:

 🔑 Same key = Symmetric

 🗝️🔑 Key pair (Public/Private) = Asymmetric

🧩 Why Is This Important?

Encryption protects:

• Your online transactions 💳
• Your chats and calls 💬
• Your emails 📧
• Confidential business data 🏢

Without encryption, your data is like a postcard anyone can read in transit. With encryption, it becomes a sealed envelope with a lock.

🔐 In Summary

Feature            | Symmetric Encryption         | Asymmetric Encryption
🔑 Keys            | Same key for encrypt/decrypt | Public key + Private key
⚙️ Speed           | Fast                         | Slower
🔄 Key Sharing     | Must be done securely        | Only public key is shared
📌 Common Use Case | File encryption, bulk data   | Secure emails, HTTPS, auth

✅ Real-World Examples

• 💬 WhatsApp uses end-to-end encryption (E2EE) powered by asymmetric cryptography.
• 💳 Online shopping websites use TLS/SSL certificates for secure transactions via HTTPS.
• 📦 BitLocker and VeraCrypt use symmetric encryption to protect files and drives.

🔐 What is the CIA Triad in Cybersecurity?
Understanding the Core Pillars of Digital Security

It stands for Confidentiality, Integrity, and Availability — the three core principles that form the backbone of all security strategies.

Let’s break it down in a simple and practical way 👇

🔺 What is the CIA Triad?

The CIA Triad is a model that helps organizations design, evaluate, and implement their security policies by focusing on three key objectives:

1. Confidentiality
2. Integrity
3. Availability

Together, they ensure that data is:

• Protected from unauthorized access (Confidentiality)
• Accurate and unaltered (Integrity)
• Accessible when needed (Availability)

🔐 1. Confidentiality – Keeping Data Private

Goal: Ensure that sensitive information is accessed only by authorized individuals.

✅ Real-World Example:
• Encryption of emails so only the recipient can read them.
• Multi-Factor Authentication (MFA) to secure login access.
• Access Control Lists (ACLs) restricting who can open a file or system.

🛠 Tools/Technologies:

• SSL/TLS
• VPNs
• Data classification and DLP (e.g., Symantec DLP, Microsoft Purview)

🧩 2. Integrity – Keeping Data Accurate and Trustworthy

Goal: Ensure that data has not been altered maliciously or accidentally.

✅ Real-World Example:

• Checksums and hashing used to verify file integrity.
• A bank transaction should not be modified between sender and receiver.
• Version control systems like Git ensure correct tracking of changes.

🛠 Tools/Technologies:

• Hashing algorithms (SHA-256)
• File integrity monitoring (Tripwire)
• Digital signatures and certificates

🕒 3. Availability – Keeping Systems Up and Running

Goal: Ensure that systems, applications, and data are accessible when
users need them.

✅ Real-World Example:

• A hospital’s electronic records must be available 24/7 for patient care.
• Redundant servers or backups kick in if the main system fails.

🛠 Tools/Technologies:

• Load balancers (e.g., NGINX, F5)
• Backup systems (Veeam, Acronis)
• DDoS protection (Cloudflare, AWS Shield)

🧩 Why the CIA Triad Matters

📉 A breach in any one pillar can cause:

• Loss of trust (if data leaks)
• Business disruption (if systems go down)
• Financial damage (from fraud or downtime)
• Legal consequences (for violating data protection laws)

Strong cybersecurity = Balancing all 3 elements.
Focus too much on one, and you risk weakening the others.

💡 Quick Summary

Pillar          | Goal                         | Example
Confidentiality | Prevent unauthorized access  | Encrypted communication
Integrity       | Prevent unauthorized changes | File hash verification
Availability    | Ensure data/system access    | Redundant servers, uptime monitoring

🎯 Final Thought

The CIA Triad is more than a theory — it's a mindset and a blueprint for securing everything from personal devices to enterprise cloud environments.

🛡 Whether you're designing a firewall rule, securing a database, or rolling out an app — always ask:
"Does this support Confidentiality, Integrity, and Availability?"

🔐 What is Hashing?
Understanding the Digital Fingerprint of Your Data
In cybersecurity, one of the most powerful tools we have for ensuring
data integrity and verification is something called hashing.
It’s not encryption, and it’s not reversible — so what is it?

Let’s break it down simply 👇

💡 What is Hashing?

Hashing is the process of converting any input data (text, file, password, etc.) into a fixed-length string of characters, called a hash value or digest.

✅ Even a tiny change in input produces a completely different hash.
🔒 It’s a one-way function — you can’t reverse a hash to find the original data.

🔁 Real-World Example:

Let’s say you hash the word “hello” using the SHA-256 algorithm:
Hash of “hello” = 2cf24dba5fb0a... (64-character string)

Now, change it slightly to “Hello” (capital H):
Hash of “Hello” = 185f8db32271f... (completely different string)

That’s how sensitive hashing is to change — it’s designed to detect any tampering or alteration.

🔒 Where is Hashing Used?

✅ 1. Password Storage

Websites don’t store your actual password — they store the hash of it.
When you log in, the system hashes your input and compares it to the
stored hash.

🛠 Tools:

 bcrypt
 PBKDF2
 Argon2

✅ 2. Data Integrity Verification

Hashing helps check if files were altered during download or
transmission.

🧩 Example:
You download software, and the site shows the SHA-256 checksum.
You hash the file on your end and compare — if they match, the file is
clean.

🛠 Tools:
 shasum, md5sum, certutil
 Tripwire (file integrity monitoring)
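The three points above (the avalanche effect on “hello”/“Hello”, salted password storage, and checksum verification of a download) can be tried out with nothing but the Python standard library. The block below is an added example written for this page, not code from the original document; the file bytes, the password record format (pbkdf2_sha256$iterations$salt$hash) and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a downloaded file (not a real installer).
SAMPLE_FILE = b"installer-bytes-v1.0\n" * 16

# Format of the stored password record (an assumption for this example,
# not a standard): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
PBKDF2_ITERATIONS = 600_000


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as a 64-character hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """Compare the file's digest with the checksum the vendor published.

    hmac.compare_digest runs in constant time, so the comparison itself
    leaks nothing about how many characters matched.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, deliberately slow PBKDF2-HMAC-SHA256 hash for storage.

    A plain SHA-256 of the password would be fast to brute-force and
    identical for every user with the same password; the random salt and
    the iteration count remove both weaknesses.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt/iterations and compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Avalanche effect: one changed character, an entirely different digest.
    print("hello ->", sha256_hex(b"hello"))
    print("Hello ->", sha256_hex(b"Hello"))

    published = sha256_hex(SAMPLE_FILE)
    print("download intact:", verify_checksum(SAMPLE_FILE, published))
    print("download tampered:", verify_checksum(SAMPLE_FILE + b"x", published))

    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("password123", record))
```

Note the split between the two uses: a fast hash (SHA-256) is exactly right for integrity checks, but for passwords the slowness of PBKDF2 (or bcrypt/Argon2 from the tools list) is the feature, because a leaked table of fast hashes can be cracked at billions of guesses per second.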

✅ 3. Digital Signatures & Blockchain

Hashing is used in digital certificates, signatures, and even blockchain
transactions.

🧩 In blockchain, each block contains a hash of the previous block —
making tampering nearly impossible without breaking the entire chain.

🧩 Popular Hashing Algorithms

Algorithm | Output Length | Common Uses
MD5 | 128 bits | Checksums (less secure today)
SHA-1 | 160 bits | Legacy systems
SHA-256 | 256 bits | Modern security tools
bcrypt | Variable | Password hashing
Argon2 | Variable | Passwords, memory-hard tasks

⚠️ Note: MD5 and SHA-1 are considered cryptographically weak and
not recommended for security purposes.

🔄 Hashing vs Encryption

Feature | Hashing | Encryption
One-way or two-way | One-way (irreversible) | Two-way (reversible with key)
Purpose | Verify integrity, identity | Protect confidentiality
Example Use | Password verification | Sending secure emails

🔐 Final Thought

Hashing may seem simple, but it’s one of the most important building
blocks of cybersecurity. From keeping your passwords safe to powering
blockchain — it's everywhere behind the scenes.

🔐 What is Access Control?

Have you ever swiped a badge to enter an office or needed a password to
access a file?

👉 That’s Access Control in action.

Access control is one of the core pillars of cybersecurity, and yet many
misunderstand how powerful (and necessary) it really is.

Let’s break it down in simple terms 👇

🧩 What is Access Control?

Access Control is a security technique that restricts access to systems,
data, and resources based on who you are and what you’re allowed to
do.
It answers 3 key questions:
1. Who are you? (Authentication)
2. What can you access? (Authorization)
3. What actions can you perform? (Permissions)

🧩 Real-World Example
Think of a corporate office:

🏢 The receptionist can access the front desk system
💼 A manager can access HR and project files
💻 A developer can access the code repository, but not payroll records

Each person gets access only to what they need — nothing more,
nothing less.
That’s Access Control.

✅ Why Is Access Control Important?

 🛡 Prevents data breaches

 📂 Protects sensitive information

 👥 Ensures proper separation of duties

 🧩 Supports compliance (GDPR, HIPAA, ISO 27001)

🔐 Types of Access Control Models

Model | Description | Example Use Case
DAC (Discretionary) | Data owner decides who gets access | File sharing in a team
MAC (Mandatory) | Access based on security labels/levels | Government & military systems
RBAC (Role-Based) | Access is granted based on the user’s role in the organization | HR team sees HR data; Finance team sees budget
ABAC (Attribute-Based) | Access depends on user, action, resource, and context attributes | Allow access only during business hours

🔐 Access Control Components

1. Authentication – Proving identity (e.g., passwords, biometrics, OTP)
2. Authorization – Granting access based on policies
3. Auditing – Logging and monitoring access for accountability

📌 Final Thought

Access control is like a smart security guard — it knows who you are,
what room you’re allowed in, and what you’re allowed to do inside.
Without it, organizations risk data leaks, insider threats, and
compliance violations.

🔐 What is AAA in Cybersecurity?

The Foundation of Access Control: Authentication, Authorization, and
Accounting
Whether you’re logging into your laptop, accessing a cloud app, or
connecting to a company network — AAA is silently working in the
background to protect systems and data.

Let’s unpack what AAA is.

🔁 What is AAA?

AAA stands for:

1. Authentication – Who are you?
2. Authorization – What are you allowed to do?
3. Accounting – What did you do?

AAA is a framework used to control access, ensure security, and track
user activity across IT systems and networks.

📍Used in: VPNs, servers, cloud platforms, firewalls, wireless access, and
more.

🔑 1. Authentication – Prove Your Identity

✅ This is the first step: verifying you are who you say you are.

🔐 Examples:

 Entering a username + password
 Using Multi-Factor Authentication (MFA) with a mobile app
or OTP
 Logging in with a biometric scan (fingerprint or face ID)

🛠 Common Tools:
 Microsoft Active Directory
 Okta, Duo Security, Google Auth
 RADIUS, LDAP, SAML

🎯 Without authentication, there is no secure access to systems.



✅ 2. Authorization – Define What You Can Do

✅ Once authenticated, authorization controls what resources or
actions you’re allowed to access.

🔐 Examples:

 An HR employee can access payroll records, but not firewall
settings.
 A user can view a document but not edit or delete it.
 A developer gets read/write access to code repositories.

🛠 Common Tools:

 IAM tools like AWS IAM, Azure RBAC
 Group policies in AD
 OAuth, Role-Based Access Control (RBAC)

🎯 It’s about permissions, roles, and policies — critical for least
privilege access.

📊 3. Accounting – Track What You Did

✅ Finally, accounting logs user activity for auditing, troubleshooting,
and security.

🔐 Examples:

 Logging login attempts, file access, and system changes
 Monitoring bandwidth usage on a VPN
 Tracking failed login attempts (for threat detection)

🛠 Common Tools:

 SIEM systems (Splunk, IBM QRadar, LogRhythm)
 RADIUS Accounting
 Syslog, Event Logs, CloudTrail (AWS)

🎯 Essential for compliance, audits, and detecting anomalies.

🧩 Why AAA Matters

 ✅ Enforces secure access

 🛡️ Enables role-based security

 📜 Provides audit trails for investigations

 🧩 Supports regulatory compliance (e.g., GDPR, HIPAA, ISO
27001)
Whether it's a corporate firewall, VPN, or cloud dashboard — AAA is
the first line of defense and the last record of responsibility.

🧩 Real-Life Scenario: Logging into a Company VPN

1. 🔐 Authentication: You log in using a username, password, and
OTP.
2. ✅ Authorization: Based on your role, you’re given access only
to the HR server, not finance or development servers.
3. 📊 Accounting: The system logs your session time, IP address,
and resources accessed — useful for audits or incident response.

🔚 Final Thought

AAA is the gatekeeper of your digital world.
Whether you're in IT support, network engineering, or cybersecurity,
understanding AAA is critical for building secure systems and enforcing
access control policies.

🔐 What is MFA (Multi-Factor Authentication)?

In a world where passwords get leaked and cyber threats are rising,
relying on a password alone is no longer safe.

That’s where MFA – Multi-Factor Authentication – comes in. 👇

🧩 What is MFA?

Multi-Factor Authentication (MFA) is a security method that requires
users to provide two or more different verification factors to prove
their identity before they can access a system or account.
It’s based on the idea:
✅ Don’t rely on just one thing (like a password) to protect something
important.

🔑 The 3 Types of Authentication Factors

MFA typically combines two or more of the following:

1. Something you know – a password or PIN
2. Something you have – a phone, smart card, or security token
3. Something you are – biometrics like fingerprint, face scan, or voice

📱 Real-World Example
Think about logging into your email account:
1. You enter your password (something you know)
2. You receive a code on your mobile app or SMS (something you
have)
✅ Only after both steps are verified, you’re granted access.


🔒 Why is MFA Important?

 🚫 Stops unauthorized access — even if your password is stolen
 🛡 Protects sensitive data, emails, cloud accounts, banking, and
more
 📈 Reduces risk of phishing, ransomware, and brute-force
attacks
 💼 Supports regulatory compliance (HIPAA, GDPR, PCI-DSS,
etc.)

💬 Common MFA Methods

Factor Type | Example
🔑 Password/PIN | Something you know
📲 OTP via SMS/email | Something you have
🔒 Authenticator app | Time-based codes (e.g., Google Auth)
🧩 Biometric | Fingerprint, Face ID
💳 Security key | Hardware token (e.g., YubiKey)

✅ Bonus Tip

🔄 MFA ≠ 2FA
2FA (Two-Factor Authentication) is just one type of MFA (using exactly
two factors).
MFA means two or more, so 2FA is a subset of MFA.

📌 Final Thought

🔐 Passwords are no longer enough.
MFA is one of the simplest, most effective ways to secure your digital
life and business.

If you’re not using MFA, you’re leaving the door half open. 🚪

🔐 What is a VPN?
Whether you’re working remotely, streaming from another country, or
securing your data at a coffee shop — you may be using a VPN.

🧩 What is a VPN (Virtual Private Network)?

A VPN is a secure, encrypted tunnel between your device and the
internet. It hides your data, IP address, and online activity from hackers,
ISPs, and even governments.
In simple terms:

✅ VPN = Privacy + Security + Remote Access

🔐 What Does a VPN Do?

 🛡 Encrypts your internet traffic

 🌍 Masks your IP address

 🔒 Secures connections on public Wi-Fi

 🏢 Allows remote access to company resources

 🚫 Bypasses censorship or geo-restrictions

📱 Real-World Examples

 A remote employee securely connects to their company's
internal systems using a corporate VPN
 A user in Europe watches US-based Netflix content by routing
traffic through a US VPN server
 A traveler uses a VPN at the airport to safely check their bank
account on public Wi-Fi

🧩 Types of VPN

Type | Description | Use Case
🔒 Remote Access VPN | Connects individual users to a private network from anywhere | Employees working from home
🌐 Site-to-Site VPN | Connects entire networks together (e.g., branch offices to HQ) | Corporates with multiple locations
📱 Client-based VPN | Installed on user devices; often used for mobile security | Personal browsing security on public networks
☁️ Cloud VPN | VPN hosted in the cloud to access cloud resources securely | Cloud-native organizations
🛠 SSL/TLS VPN | Uses a web browser with HTTPS to establish a secure connection | Secure portal access via browser without software

📌 VPN Protocols (How It Works Under the Hood)

Some common VPN protocols include:

 OpenVPN – Open-source, highly secure
 IKEv2/IPSec – Great for mobile devices
 WireGuard – Fast and modern protocol
 L2TP/IPSec – Widely supported but older
 SSL VPN – Easy for web-based access

✅ Why Use a VPN?

 📡 Secure data transfer for remote work

 🌐 Browse the internet privately

 🚫 Access content that’s blocked or restricted

 🏢 Connect to internal company apps safely from anywhere

 🔒 Defend against data interception and snooping

🧩 Final Thought
Think of a VPN as a secure private tunnel through the chaotic public
highway of the internet. 🚇

Whether you're a business leader, remote worker, or privacy-conscious
individual — VPNs are a must-have tool in your cybersecurity toolbox.

Basic Command-Line Tools

Whether you're troubleshooting a slow network, verifying connectivity,
or testing security — the command line remains one of the most
powerful tools in your networking toolbox.

🛠 Top Basic Networking Command-Line Tools

Command | Purpose | Example Usage
ping | Check if a host is reachable | ping google.com → Replies confirm connection
ipconfig / ifconfig | Display IP address and network config | ipconfig (Windows) / ifconfig (Linux/macOS)
tracert / traceroute | Show path data takes to reach a host | tracert linkedin.com → Displays hops
nslookup | Get DNS info for a domain name | nslookup linkedin.com → Shows IP address
netstat | Show open ports and active connections | netstat -an → See who your system is talking to
arp | View or modify the ARP cache (MAC ↔ IP mapping) | arp -a → List of devices in your LAN
route | Display or modify routing tables | route print → View routing info
hostname | Displays the system's hostname | hostname → Returns your machine name
curl | Transfer data from/to a server | curl https://api.github.com → Fetch data
telnet / nc | Test connectivity to specific ports | telnet mail.example.com 25 → Test SMTP port
dig | Detailed DNS lookup (advanced version of nslookup) | dig linkedin.com → Shows DNS records

🧩 Real-World Scenarios

🔍 Website not loading?
Use ping and traceroute to check where it’s failing.

🌐 Can't connect to a server?
Use netstat, telnet, or nc to test port connectivity.

📡 Need to find your IP address quickly?
Use ipconfig (Windows) or ifconfig (Linux/macOS).

🔐 Need to debug a DNS issue?
Use nslookup or dig to resolve and verify DNS records.

🔐 Why These Tools Matter

 ✅ Quick diagnostics in any environment

 🛡 Useful for security investigations

 💡 Helps in understanding network behavior

 💻 Foundational for careers in networking, cybersecurity,
DevOps, and sysadmin

📌 Final Thought

🖥️ These commands may look basic, but they unlock deep insights into
how networks function and behave.
Whether you're a student, IT professional, or security analyst — knowing
your way around the terminal can turn you into a network detective.
🕵️♂️

🧩💻 What is DHCP?

Ever wonder how your laptop, phone, or smart TV automatically gets an
IP address when it connects to Wi-Fi?
The magic behind that convenience is called DHCP — Dynamic Host
Configuration Protocol.

Let’s break it down in simple terms 👇

🌐 What is DHCP?
DHCP (Dynamic Host Configuration Protocol) is a network protocol
that automatically assigns IP addresses and other network settings (like
gateway and DNS) to devices on a network.

💡 Without DHCP, you’d have to manually configure every device with
an IP address — a nightmare in large networks.

🔄 How Does DHCP Work? (Step-by-Step)

Let’s say you turn on your laptop and connect to Wi-Fi. Here’s what
happens:

1. DHCP Discover
Your device shouts: “Is there a DHCP server out there?”
(Broadcast message to find a DHCP server)

2. DHCP Offer
A DHCP server replies: “Here’s an IP address you can use!”

3. DHCP Request
Your device says: “Yes, I’d like to use that IP, please.”

4. DHCP Acknowledgement (ACK)
The server confirms: “IP address assigned — you’re good to go!”

🎉 Your device is now on the network — no manual setup needed.

🧩 What Does DHCP Assign?

 ✅ IP Address (e.g., 192.168.1.100)
 ✅ Subnet Mask
 ✅ Default Gateway
 ✅ DNS Server
 ✅ Lease Time (how long the IP is valid)
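The four-step exchange and the options list above can be walked through in a small simulation of the server side: a pool of addresses, an offer that is held until the client requests it, an ACK that carries the subnet mask, gateway, DNS and lease time, and a lease that expires and returns its address to the pool. This is an added example written for this page, not code from the original document or from any DHCP implementation; the pool, option values, MAC addresses and the simulated clock are constructed, and real DHCP exchanges are UDP broadcasts on ports 67/68 rather than Python method calls.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed lab network (not from the page): a three-address pool so that
# exhaustion and lease expiry are easy to observe.
POOL = ["192.168.0.21", "192.168.0.22", "192.168.0.23"]
OPTIONS = {"subnet_mask": "255.255.255.0", "router": "192.168.0.1",
           "dns": "192.168.0.1"}


@dataclass
class Lease:
    ip: str
    mac: str
    expires_at: int   # simulated unix seconds


class DhcpServer:
    """Minimal DORA state machine: Discover -> Offer -> Request -> Ack."""

    def __init__(self, pool: List[str], lease_time: int = 3600):
        self.free = list(pool)
        self.lease_time = lease_time
        self.offers: Dict[str, str] = {}    # mac -> offered ip (not yet requested)
        self.leases: Dict[str, Lease] = {}  # mac -> active lease

    def discover(self, mac: str, now: int) -> Optional[dict]:
        """Client broadcast DISCOVER; server answers with an OFFER, or None
        when the pool is exhausted (the client will retry later)."""
        self.expire(now)
        if mac in self.leases:                  # returning client keeps its IP
            return {"type": "OFFER", "ip": self.leases[mac].ip, **OPTIONS}
        if mac not in self.offers:
            if not self.free:
                return None
            self.offers[mac] = self.free.pop(0)
        return {"type": "OFFER", "ip": self.offers[mac], **OPTIONS}

    def request(self, mac: str, ip: str, now: int) -> dict:
        """Client REQUEST for the offered IP; server replies ACK or NAK."""
        offered = self.offers.pop(mac, None)
        current = self.leases.get(mac)
        if ip != offered and (current is None or current.ip != ip):
            if offered is not None:
                self.free.append(offered)       # unrequested offer goes back
            return {"type": "NAK"}
        self.leases[mac] = Lease(ip, mac, now + self.lease_time)
        return {"type": "ACK", "ip": ip, "lease_time": self.lease_time, **OPTIONS}

    def expire(self, now: int) -> None:
        """Return addresses whose lease has run out to the pool."""
        for mac, lease in list(self.leases.items()):
            if lease.expires_at <= now:
                del self.leases[mac]
                self.free.append(lease.ip)


def dora(server: DhcpServer, mac: str, now: int) -> Optional[dict]:
    """Run the full four-message exchange for one client; returns the ACK."""
    offer = server.discover(mac, now)
    if offer is None:
        return None
    return server.request(mac, offer["ip"], now)


if __name__ == "__main__":
    srv = DhcpServer(POOL, lease_time=3600)
    print(dora(srv, "aa:bb:cc:00:00:01", now=0))
    print(dora(srv, "aa:bb:cc:00:00:02", now=10))
    print(dora(srv, "aa:bb:cc:00:00:03", now=20))
    print(dora(srv, "aa:bb:cc:00:00:04", now=30))     # None: pool exhausted
    print(dora(srv, "aa:bb:cc:00:00:04", now=3700))   # leases expired, address reused
```

The lease time is what keeps the pool from filling up with devices that left the network; a device that wants to stay simply repeats the Request before its lease ends, and the server extends the expiry.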

🧩 Real-World Example

📱 You connect your phone to your home Wi-Fi:

 Your phone sends a DHCP request.
 Your router (which acts as a DHCP server) gives it an IP like
192.168.0.23.
 You start browsing the internet immediately — no manual setup
needed.
In corporate networks, dedicated DHCP servers manage large pools of
IP addresses for thousands of users.

⚙️ Why is DHCP Important?

 🔧 Reduces manual configuration

 🌐 Supports scalability in enterprise networks

 🔄 Ensures IP address consistency without conflicts

 🛡 Helps network admins manage devices more efficiently

📌 Final Thought

DHCP is one of those behind-the-scenes technologies that just works —
and that’s exactly why it’s so powerful.
Understanding how IP addresses are assigned is a core concept for
networking, cybersecurity, and cloud.

🧩 DMZ (Demilitarized Zone)

A DMZ is a part of a network that's exposed to the internet, but isolated
from your internal LAN for safety.

📌 Use Case: Hosting a public website or mail server that users outside
your company need to access — without letting them into your internal
systems.

🛡️ Think of it as a buffer zone between the public internet and your
private network.

🚫 Implicit Deny
If no rule explicitly allows traffic, deny it by default.

📌 Example: A firewall rule that only allows ports 80 and 443. Any
other traffic, like FTP (port 21), is implicitly denied — even if not
mentioned.

🧩 It’s a security best practice: "If it's not allowed, it’s denied."

🧩 IPS Snort Rule

Snort is an open-source Intrusion Prevention System (IPS) that uses
rules to detect and block malicious activity.

📌 Example Snort Rule:

alert tcp any any -> any 80 (msg:"Suspicious HTTP traffic"; content:"malware"; sid:1000001; rev:1;)

➡️ This triggers an alert if TCP traffic on port 80 contains the word
“malware”.

🛡️ You can customize rules for real-time threat prevention.

🧩 IDS Signature Syntax

Intrusion Detection Systems (IDS) look for known patterns
(signatures) in traffic.

📌 Example Signature:
A rule that flags 10 failed login attempts from the same IP within 1
minute.
IDS doesn't block — it monitors and alerts.

📊 Use IDS to gain visibility into threats before they escalate.
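The signature described above (10 failed logins from the same IP within 1 minute) is a threshold rule, and the cleanest way to implement it is a per-source sliding window. The block below is an added example for this page, not code from the original document or from any IDS product; the log lines are constructed in an OpenSSH-style format, and the threshold, window and the “reset after alerting” behaviour are assumptions. The same detection function works unchanged on Windows 4625 events once they are normalized to the same (timestamp, source IP, failed) shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

THRESHOLD = 10                  # failures ...
WINDOW = timedelta(minutes=1)   # ... within this sliding window (the signature)

# Matches OpenSSH-style auth lines: "<ts> <host> sshd[pid]: Failed password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def make_failed_lines(ip: str, offsets_s, user: str = "admin") -> List[str]:
    """Build constructed 'Failed password' lines at the given second offsets."""
    base = datetime(2024, 6, 3, 9, 0, 0)
    return [f"{(base + timedelta(seconds=s)).isoformat()} srv1 sshd[412]: "
            f"Failed password for {user} from {ip} port {40000 + s} ssh2"
            for s in offsets_s]


# Constructed sample log: 11 failures from one source in 50 seconds, plus noise.
BURST = make_failed_lines("198.51.100.7", range(0, 55, 5))
OTHER_LINES = [
    "2024-06-03T09:00:12 srv1 sshd[413]: Failed password for bob from 192.0.2.44 port 51000 ssh2",
    "2024-06-03T09:00:30 srv1 sshd[414]: Accepted password for alice from 192.0.2.10 port 52000 ssh2",
    "2024-06-03T09:00:31 srv1 CRON[415]: pam_unix(cron:session): session opened for user root",
    "2024-06-03T09:10:00 srv1 sshd[416]: Failed password for admin from 198.51.100.7 port 41000 ssh2",
]
SAMPLE_LOG = BURST + OTHER_LINES


def parse_auth_line(line: str) -> Optional[dict]:
    """Normalize one line to {ts, failed, user, ip}; None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "failed": m["result"] == "Failed",
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(events, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[dict]:
    """Sliding-window count of failures per source IP.

    Emits one alert when a source reaches `threshold` failures inside `window`,
    then clears that source's window so a sustained attack yields one alert per
    `threshold` failures instead of one per line.
    """
    windows: Dict[str, deque] = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["failed"]:
            continue
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "count": len(q), "first": q[0], "last": ev["ts"],
                           "rule": f"{threshold} failed logins within {window}"})
            q.clear()
    return alerts


def scan(lines: List[str]) -> List[dict]:
    """Parse raw lines and run the detection over the auth events they contain."""
    events = [e for e in map(parse_auth_line, lines) if e is not None]
    return detect_bruteforce(events)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['count']} failures "
              f"{alert['first'].time()}..{alert['last'].time()} ({alert['rule']})")
```

Two behaviours worth checking when tuning such a rule: ten failures spread over 90 seconds must not fire (only the ones inside the last minute count), and the legitimate single failure from another address must stay below threshold, otherwise the rule produces noise rather than detections.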

🔥 Firewall Deny vs Drop

Action | What It Means | Result to Attacker
Deny | Block the traffic AND send a rejection notice | “Access Denied” message sent
Drop | Block the traffic silently (no response) | Looks like the host doesn’t exist

📌 When to use:
 Drop = More secure (stealthy)
 Deny = More informative (for debugging or internal use)
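Implicit deny and the deny-versus-drop choice are both decisions a packet filter makes after it has walked its rule list, so one small evaluator shows them together. The block below is an added example for this page, not code from the original document or from any firewall product; the rule set (80 and 443 open to everyone, SSH only from an internal 10.0.0.0/8 range), the sample packets and the “TCP RST / ICMP port unreachable” wording of the rejection notice are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow", "deny" (reject + notice) or "drop" (silent)
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port
    src: Optional[str] = None     # None = any source, else an address or CIDR prefix

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and (
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False)):
            return False
        return True


class Firewall:
    """First matching rule wins; unmatched traffic hits the implicit default."""

    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        if default_action not in ("deny", "drop"):
            raise ValueError("the implicit default must be deny or drop, never allow")
        self.rules = list(rules)
        self.default_action = default_action

    def evaluate(self, p: Packet) -> Tuple[str, Optional[str], str]:
        """Return (verdict, notice sent to the sender or None, which rule decided)."""
        for rule in self.rules:
            if rule.matches(p):
                return self._respond(rule.action, p, "explicit rule")
        return self._respond(self.default_action, p, "implicit default")

    @staticmethod
    def _respond(action: str, p: Packet, origin: str):
        if action == "allow":
            return ("allow", None, origin)
        if action == "deny":   # reject: the sender learns a filter is there
            notice = "TCP RST" if p.proto == "tcp" else "ICMP port unreachable"
            return ("deny", notice, origin)
        return ("drop", None, origin)   # silent: the sender sees nothing at all


# Constructed rule set: web open to all, SSH only from the internal range.
WEB_RULES = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", proto="tcp", dport=22, src="10.0.0.0/8"),
]

if __name__ == "__main__":
    edge = Firewall(WEB_RULES, default_action="drop")   # internet-facing: stealthy
    lab = Firewall(WEB_RULES, default_action="deny")    # internal/debug: informative
    for pkt in [Packet("203.0.113.5", "tcp", 443), Packet("203.0.113.5", "tcp", 21),
                Packet("203.0.113.5", "tcp", 22), Packet("10.1.2.3", "tcp", 22),
                Packet("203.0.113.5", "udp", 53)]:
        print(pkt, "edge ->", edge.evaluate(pkt), "| lab ->", lab.evaluate(pkt))
```

The constructor refuses an "allow" default on purpose: a filter whose fallthrough is allow is a blocklist, and every service you forgot to mention is exposed, which is exactly what the "if it's not allowed, it's denied" rule above prevents.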

🔧 Top Basic Linux Commands (with Examples)

Command | What It Does | Example
pwd | Shows current directory path | pwd → /home/user/Documents
ls | Lists files and directories | ls -l → long list with details
cd | Changes directories | cd /etc → Move to /etc folder
mkdir | Creates a new directory | mkdir new_folder
touch | Creates an empty file | touch file.txt
rm | Deletes files or directories | rm file.txt / rm -r folder
cp | Copies files or directories | cp a.txt b.txt
mv | Moves/renames files or directories | mv old.txt new.txt
cat | Displays file content | cat notes.txt
nano or vi | Opens a text editor inside terminal | nano file.txt
clear | Clears the terminal screen | clear
man | Displays manual/help for commands | man ls
chmod | Changes file permissions | chmod 755 script.sh
ps | Lists running processes | ps aux
top | Shows live system processes & usage | top
sudo | Runs commands with superuser privileges | sudo apt update

🧩 Defense in Depth

Think of it as layered security — like locking your front door, installing
an alarm system, and using a camera.

🛡️ It combines multiple security controls (firewalls, antivirus, MFA,
encryption) to protect against threats at every level.

📌 Example: Even if an attacker gets past your firewall, they’d still
need to bypass endpoint protection and authentication controls.

🚫 Zero Trust Model

“Never trust, always verify.”

No user or device — inside or outside the network — is automatically
trusted.

✅ Every access request is verified using identity, device health,
location, and more.

📌 Example: Even an employee must re-authenticate to access sensitive
files, even if they're logged into the company network.

🔐 Kerberos Authentication
A secure way to verify users using tickets — kind of like showing your
ID once, then using a badge to move around.

📌 Used widely in Windows environments for secure login without
transmitting passwords.

🗝️ Example: When you log into your work computer, Kerberos
provides a “ticket” that lets you access email, shared folders, etc.,
without retyping your password.

📜 Compliance in Cybersecurity
Organizations must follow laws and industry standards to protect data
— or face penalties.

⚖️ Examples include:

 GDPR (Europe – data privacy)
 HIPAA (Healthcare – patient info)
 PCI-DSS (Finance – card data)

📌 Example: A healthcare provider must encrypt patient records to
comply with HIPAA and avoid legal issues.

Types of Hackers and Their Motivations

1. Black Hat Hackers – Malicious hackers who exploit systems
for personal gain or to cause harm.
2. White Hat Hackers – Ethical hackers who help improve
security by identifying vulnerabilities.
3. Grey Hat Hackers – Hackers who may breach systems without
malicious intent, but still operate without authorization.
4. Hacktivists – Hackers who attack systems to promote social or
political causes.
5. Script Kiddies – Inexperienced hackers who use pre-written
scripts for hacking, often without full understanding.
6. State-Sponsored Hackers – Government-backed hackers who
engage in espionage or cyber warfare.
7. Insider Threats – Individuals within an organization who
misuse their access for malicious purposes.
Comparison Table of Hacker Types

Type of Hacker | Motivation | Example Actions
Black Hat | Malicious gain, cause damage | Stealing credit card info or deploying ransomware; exploiting system vulnerabilities for personal gain
White Hat | Ethical, improve security | Finding and fixing security weaknesses; penetration testing, vulnerability assessments
Grey Hat | Mixed motives, often without approval | Breaching systems and sometimes reporting issues; reporting a vulnerability publicly without permission
Hacktivists | Social or political activism | Disrupting websites to promote political causes; attacks by Anonymous to protest government actions
Script Kiddies | Fun or fame | Launching DDoS attacks using tools downloaded online; using pre-written tools/scripts to cause disruption
State-Sponsored Hackers | Espionage, cyber warfare | Conducting targeted espionage or sabotaging operations; Stuxnet malware attack on Iran’s nuclear program
Insider Threats | Personal gain, revenge | An employee stealing customer data for sale; abusing access privileges to steal or sabotage data


🔐 What is the Cyber Kill Chain?

Understanding the Anatomy of a Cyberattack – Step by Step 🧩

In cybersecurity, one of the most powerful frameworks for
understanding how cyberattacks unfold — and how to stop them — is
called the Cyber Kill Chain.
Developed by Lockheed Martin, the Cyber Kill Chain breaks down a
cyberattack into seven stages.

⚔️ What is the Cyber Kill Chain?

The Cyber Kill Chain is a military-inspired model that outlines the
typical steps attackers take to infiltrate a system, steal data, or cause
damage.
Think of it as a roadmap of how hackers move from planning to execution.

🔁 The 7 Stages of the Cyber Kill Chain

1. Reconnaissance
The attacker gathers information about the target — websites,
employees, IP addresses, vulnerabilities.

📌 Example: Searching LinkedIn for employee roles, or scanning your
website for open ports.

🔍 Tools used: Nmap, Shodan, Google Dorking

2. Weaponization

They pair a malicious payload (like malware or ransomware) with an
exploit or delivery method.

📌 Example: Embedding a trojan into a PDF or Word document.

🔧 Tools used: Metasploit, MSFvenom

3. Delivery

The attacker sends the payload to the target via email, USB, drive-by
download, etc.

📌 Example: A phishing email with a fake invoice attachment.

📧 Delivery methods: Email, website links, social media messages

4. Exploitation

The malware is executed, often by tricking the user into opening or
clicking something.

📌 Example: The victim clicks the attachment, and a hidden script
exploits a software vulnerability.

💥 Common exploits: Zero-days, unpatched software, macros

5. Installation

The malware installs itself on the victim’s machine, often giving
persistent access.

📌 Example: A Remote Access Trojan (RAT) silently installs and
connects back to the attacker.

🛠 Tools used: Cobalt Strike, NetWire, njRAT

6. Command and Control (C2)

The infected system connects to an external server controlled by the
attacker to receive instructions.

📌 Example: The RAT sends screenshots, keystrokes, or uploads files to
the attacker’s C2 server.

🌐 Common protocols: HTTPS, DNS tunnelling, IRC

7. Actions on Objectives

Now inside, the attacker achieves their goal — data theft, ransomware
deployment, or system destruction.

📌 Example: Exfiltrating databases, encrypting files for ransom, or
destroying backups.

🎯 Objectives: Data breach, financial fraud, espionage, disruption

🔐 Why the Cyber Kill Chain Matters

✅ Helps identify and break the attack at any stage
✅ Improves threat detection and incident response
✅ Builds a proactive defence strategy, not just reactive

💡 Real-World Example: Phishing Attack on an HR Employee

1. 🔎 Recon: Hacker identifies HR staff via LinkedIn

2. 🔧 Weaponization: Embeds malware in a fake resume

3. 📧 Delivery: Sends it via email as a job application

4. ⚠️ Exploitation: HR opens it and triggers the malware

5. 🛠 Installation: Malware installs silently

6. 🌍 C2: Device connects to hacker’s server

7. 🎯 Objective: Attacker steals employee PII


🔄 Cyber Kill Chain Summary Table

Stage | 🛠 Description | 🎯 Attacker Goal | 📌 Example
1. Reconnaissance | Information gathering | Identify weak points | Scanning open ports, LinkedIn info
2. Weaponization | Create malicious payload | Craft attack vector | Embed malware in a PDF
3. Delivery | Transmit payload to victim | Get malware to the target | Phishing email with attachment
4. Exploitation | Execute the attack | Exploit a system vulnerability | User clicks malicious file
5. Installation | Install malware | Maintain access | Deploy Remote Access Trojan (RAT)
6. Command & Control | Connect to attacker’s server | Issue commands, exfiltrate data | Infected system "calls home"
7. Actions on Objectives | Final attack steps | Steal data, disrupt, encrypt | Data theft or ransomware attack

🛡️ Final Thought

The Cyber Kill Chain is more than a theory — it's a real-world
roadmap to understanding and stopping cyberattacks before they cause
damage.

🧩 What is the MITRE ATT&CK Framework?

In today’s cybersecurity landscape, threats are becoming more
sophisticated, and so should our defences. One of the most widely
adopted tools in modern threat detection and response is the MITRE
ATT&CK Framework.

🧩 What is MITRE ATT&CK?

MITRE ATT&CK stands for:
Adversarial Tactics, Techniques & Common Knowledge
It is a knowledge base of real-world adversary behaviour maintained
by MITRE Corporation. It documents how attackers operate after
they’ve gained access to a network or system.

✅ It’s like a playbook of hacker behaviour — and a guide for
defenders to map, detect, and respond to threats.

🧩 Structure of MITRE ATT&CK

The framework is organized into three core elements:

🔢 Element | 📌 What It Means
Tactics | The goals or objectives of an attacker (e.g., Initial Access, Privilege Escalation)
Techniques | How attackers achieve those goals (e.g., Spearphishing, Credential Dumping)
Procedures | Real-world examples of those techniques in action

🧩 Think of it like this:

Tactic = Why, Technique = How, Procedure = Who did it


📚 Example: Spear phishing Attack

Let’s say an attacker sends a fake job offer email with malware to an
employee. This can be mapped to MITRE ATT&CK like this:

🎯 Tactic | 🛠 Technique | 🧩 Real-World Procedure
Initial Access | Spear phishing Attachment | Emotet Malware Campaign

✅ Security teams can detect, hunt, and respond more effectively by
understanding these mappings.

🔍 Why is MITRE ATT&CK Important?

✅ Helps in threat detection and response
✅ Provides standard terminology for blue/red teams
✅ Aids in adversary emulation and purple teaming
✅ Supports gap analysis in defences
✅ Useful for SIEM and EDR rule tuning

🧩 MITRE ATT&CK® Tactics and Example Techniques

Tactic | Example Techniques
1. Reconnaissance | Active Scanning, Phishing for Information, Search Open Websites/Domains
2. Resource Development | Acquire Infrastructure, Establish Accounts, Compromise Accounts
3. Initial Access | Spear phishing Attachment, Drive-by Compromise, Exploit Public-Facing Application
4. Execution | Command and Scripting Interpreter, PowerShell, Scheduled Task/Job
5. Persistence | Account Manipulation, Create or Modify System Process, Boot or Logon AutoStart Execution
6. Privilege Escalation | Abuse Elevation Control Mechanism, Process Injection, Access Token Manipulation
7. Defense Evasion | Obfuscated Files or Information, Deactivate Security Tools, Indicator Removal on Host
8. Credential Access | Brute Force, Credential Dumping, Input Capture
9. Discovery | System Information Discovery, Network Share Discovery, Permission Groups Discovery
10. Lateral Movement | Remote Services, Pass the Hash, Remote Service Session Hijacking
11. Collection | Screen Capture, Clipboard Data, Audio Capture
12. Command and Control | Application Layer Protocol, Encrypted Channel, Remote Access Tools
13. Exfiltration | Exfiltration Over Web Service, Exfiltration Over Alternative Protocol, Scheduled Transfer
14. Impact | Data Destruction, Defacement, Resource Hijacking

💡 Many security tools now integrate MITRE ATT&CK mappings
directly — like Microsoft Defender, CrowdStrike Falcon, Splunk, Palo
Alto Cortex, etc.


🧩 Real-World Use Case

Imagine you're a SOC Analyst investigating a suspicious login. By
mapping activities to MITRE ATT&CK:
 You notice Lateral Movement via Pass-the-Hash (Technique:
T1075)
 Then Credential Dumping with LSASS access (Technique:
T1003)
 And finally Data Exfiltration over HTTPS (Technique: T1041)
Using MITRE ATT&CK, you can trace the entire kill chain and
quickly remediate the threat.

🎯 Final Thoughts
The MITRE ATT&CK Framework gives cybersecurity teams a shared
language and a deep understanding of how attackers behave post-
breach.
If you’re in blue teaming, threat hunting, SOC operations, red
teaming, or GRC, MITRE ATT&CK is an essential part of your toolkit.

🔍 What Are TTPs and Zero-Day in Cybersecurity?

In the world of cyber defence, understanding how attackers operate is
just as important as spotting the attack itself.

🛠 What are TTPs?

🔹 Tactics – The goal or objective of an attacker (e.g., gaining access)
🔹 Techniques – How the attacker achieves that goal (e.g., phishing)
🔹 Procedures – The specific tools or actions used (e.g., sending a fake
HR email with malware)


📌 Example:

 Tactic: Initial Access
 Technique: Spear phishing
 Procedure: Sending a malware-laced PDF disguised as a job
offer
Security teams use TTPs to track attacker behaviour, build threat
profiles, and improve detection.

🕳️ What is a Zero-Day?
A Zero-Day is a previously unknown vulnerability in software or
hardware. It’s called "zero-day" because developers have zero days to
fix it before attackers exploit it.

📌 Example:
An attacker finds a flaw in a browser that no one has discovered yet.
They create an exploit and use it in a targeted attack. Since the vendor
doesn’t know about the flaw, there’s no patch available — making it
extremely dangerous.

🧩 Why Does This Matter?

✅ Tracking TTPs helps SOC teams anticipate attacker moves
✅ Understanding Zero-Days helps prioritize patching and threat
detection
✅ Both are critical for threat intelligence, incident response, and
proactive defence

🔍 What Are Logging Levels in Network Devices?

Logs are the black box of your network. When something goes wrong,
or right, logs tell the story.
But not all logs are created equal. That's where logging levels come in!

🧩 What Are Logging Levels?

Logging levels define the severity or importance of events recorded by
routers, firewalls, switches, and other network devices.
They follow the severity values standardised in syslog (RFC 5424, and
the older BSD format of RFC 3164), ranging from level 0 (most severe)
to level 7 (least severe). Each syslog message carries its severity,
together with a facility, in the numeric PRI field at the start of the
line: PRI = facility × 8 + severity.

📊 Syslog Logging Levels

Level | Name          | Description             | Example
0     | Emergency     | System is unusable      | Power failure, kernel panic
1     | Alert         | Immediate action needed | Disk full, config corruption
2     | Critical      | Critical condition      | Firewall failure, memory issue
3     | Error         | Error condition         | Failed authentication, link failure
4     | Warning       | Warning condition       | High CPU usage, nearing capacity
5     | Notice        | Normal but significant  | Interface up/down, service restarted
6     | Informational | General information     | User login/logout, config change
7     | Debug         | Debug-level messages    | Protocol troubleshooting, packet trace

A device only forwards the levels it is configured to send. On Cisco IOS,
for example, `logging trap warnings` ships only levels 0 to 4 to the
collector, so a SOC that wants to see interface and configuration changes
(level 5 and 6 events) must raise the trap level to notifications or
informational. Debug (level 7) is rarely sent to a SIEM because of its volume.
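As an added example (not code from the original page), the script below decodes the PRI field of syslog lines into the facility and severity names from the table and keeps only messages at or worse than a chosen level. The sample lines are constructed to look like an RFC 5424 kernel message and BSD-style lines of the kind Cisco IOS emits under facility local7; the message texts are illustrative, not captured from a real device.

```python
"""Decode the <PRI> prefix of syslog lines into facility and severity and keep
only messages at or above a severity threshold. Added example; the sample lines
below are constructed, not captured from a real device."""
import re

# RFC 5424 severities, index = numeric level (0 = worst, 7 = chattiest).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]
# RFC 5424 facilities, index = facility number. Network gear usually uses local7.
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """PRI = facility * 8 + severity; returns (facility_name, severity_name).
    Raises ValueError for a line with no <PRI> prefix or a PRI above 191."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range (max 191)")
    return FACILITY[pri // 8], SEVERITY[pri % 8]


def at_most(lines, max_level=4):
    """Keep lines whose severity number is <= max_level (Warning and worse by
    default). Returns (facility, severity, line) triples, worst first."""
    kept = []
    for line in lines:
        fac, sev = decode_pri(line)
        if SEVERITY.index(sev) <= max_level:
            kept.append((fac, sev, line))
    return sorted(kept, key=lambda k: SEVERITY.index(k[1]))


def by_severity(lines):
    """Histogram of severity names: a quick view of what a device is reporting."""
    counts = {}
    for line in lines:
        sev = decode_pri(line)[1]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed samples: one RFC 5424 line (version "1" after the PRI) and three
# BSD-style lines in the shape Cisco IOS emits (facility local7 => PRI 184-191).
SAMPLE = [
    "<0>1 2024-01-15T09:00:00Z core-sw kernel - - - Kernel panic - not syncing",
    "<189>Jan 15 09:00:01 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>Jan 15 09:00:02 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>Jan 15 09:00:03 rtr1 %SYS-6-LOGOUT: User admin has exited tty session 1",
]

if __name__ == "__main__":
    for fac, sev, line in at_most(SAMPLE, max_level=4):
        print(f"{sev:<13} {fac:<7} {line}")
    print(by_severity(SAMPLE))
```

Run it as-is and only the kernel panic (level 0) and the link-down error (level 3) survive the default Warning threshold; raise `max_level` to 6 to see the config change and logout as well. The PRI arithmetic is the same for both syslog formats, which is why one decoder handles the RFC 5424 line and the BSD-style ones.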


🔍 Understanding Important Windows Event IDs in Cybersecurity

Event logs are like the CCTV footage of your operating system. They
capture everything from user logons to suspicious activity. But how do
you know which logs really matter?
That's where Windows Event IDs come in!

🧩 What Are Event IDs?

Every audited action on a Windows machine (logon, file access,
privilege change) generates a Security log entry with a numeric Event ID
that identifies the kind of event. Which actions are audited depends on
the audit policy: a category that is not enabled produces no events at
all, so the IDs below are only as useful as the policy behind them.
These IDs help SOC analysts and system admins track and investigate incidents.
🔑 Top Windows Event IDs to Know

Event ID | Category                        | What It Means                                                  | Example
4624     | Logon                           | An account was successfully logged on                          | John logged in at 9:00 AM
4625     | Logon                           | An account failed to log on                                    | Brute-force attempt detected
4634     | Logoff                          | An account was logged off                                      | John logged out at 5:00 PM
4672     | Special Logon                   | Special privileges (e.g., SeDebugPrivilege) assigned to a new logon | Domain Admin accessed the system
4688     | Process Creation                | A new process has been created                                 | cmd.exe or PowerShell started
4689     | Process Termination             | A process has exited                                           | PowerShell script closed
4648     | Logon with Explicit Credentials | A logon was attempted using explicitly supplied credentials    | User connects to another system with different creds: possible lateral movement
4720     | User Account Management         | A user account was created                                     | Attacker user created via script
4726     | User Account Management         | A user account was deleted                                     | Local account removed by admin
4732     | Group Membership Change         | A member was added to a security-enabled local group           | User added to the "Administrators" group

Two practical notes: 4688 only appears when "Audit Process Creation" is
enabled, and the command line is blank unless "Include command line in
process creation events" is also turned on. 4672 fires for every
administrative logon, including routine ones, so on its own it is
context, not an alert.


🔍 Example Scenario

Your system logs show:

 Event ID 4625: 10 failed logons from one IP
 Followed by Event ID 4624: 1 successful logon from the same IP
 Then Event ID 4672: special privileges assigned to that logon
 Finally, Event ID 4688: a suspicious PowerShell process starts in that session

🎯 This pattern = Potential Intrusion Attempt!

🔐 Understanding Windows Logon Types

In cybersecurity, not all logons are the same. When a user logs into a
Windows machine, the system records a Logon Type in the 4624/4625 event,
which tells how the user is accessing the system: physically, remotely,
over the network, or through a service.

Knowing these logon types is key to detecting suspicious activity 🔍

🛡️ Why Does This Matter?

✅ Helps detect unauthorized remote logons (e.g., Logon Type 10)
✅ Flags unusual service or scheduled task behaviour
✅ Supports threat hunting and forensic investigation

🔍 Example: Suspicious Behaviour

 Logon Type 3: Network logon from an unknown IP
 Followed by Logon Type 10: Remote Desktop session initiated from the same IP
 No Logon Type 2 seen before that (no local logon)
This could be an attacker moving laterally inside your network

🧩 Common Windows Logon Types (with Examples)

🔢 Logon Type | 💻 Method                | 📌 Example
2             | Interactive (Console)    | User logs in physically at keyboard/screen
3             | Network                  | Access via SMB, remote file share, mapped drives
4             | Batch                    | Scheduled task or script execution
5             | Service                  | System services start using service accounts
7             | Unlock                   | User unlocks an existing session (e.g., after idle)
8             | NetworkCleartext         | Credentials sent in clear text over the network, e.g., IIS Basic authentication (not ideal)
9             | NewCredentials           | runas /netonly: same local identity, different credentials for network connections (plain runas produces Type 2)
10            | RemoteInteractive (RDP)  | Remote Desktop session
11            | CachedInteractive        | Logon using cached domain credentials (domain controller unreachable)

Logon types 2, 3 and 10 are the ones you will see most often in
investigations. A Type 3 logon records the client's IP address in the
event, which is what makes the "Type 3 then Type 10 from the same IP"
pattern above detectable.

🔐 Windows Login Failures – What Do Status & Sub status Codes Mean?

Not every failed logon attempt is an attack, but every failed logon tells
a story.
Windows logs failed logons using Event ID 4625, along with a Status
and a SubStatus code. These codes explain why the logon failed: wrong
password, disabled account, expired password, etc.
For the two most common failures (unknown user, wrong password) the
Status is the generic 0xC000006D (STATUS_LOGON_FAILURE) and the detail is
in the SubStatus; for the others the informative code usually appears in
the Status field itself with a SubStatus of 0x0. Always read both fields.
Understanding these codes helps detect threats and troubleshoot faster.

🧩 Common Windows Login Failure Status Codes

Status/SubStatus | Meaning                           | Example
0xC0000064       | User name does not exist          | Typo in username or invalid account
0xC000006A       | Incorrect password                | Wrong password entered
0xC0000234       | Account locked out                | Too many failed logon attempts
0xC0000072       | Account currently disabled        | Admin disabled the account
0xC000006F       | Logon outside permitted hours     | Logon hour restrictions on the account
0xC0000070       | Invalid workstation               | Attempt to log in from an unauthorized system ("Log On To" restriction)
0xC0000193       | Account expired                   | User account has expired
0xC0000224       | User must reset password          | Password reset required at next logon
0xC000015B       | Logon type not granted            | User lacks the "Allow log on through Remote Desktop Services" right
0xC000018C       | Trust relationship failure        | The trust between the authenticating domain and the trusted domain failed
0xC0000225       | STATUS_NOT_FOUND                  | Rare internal error rather than an account-state failure; not itself a sign of attack

Two corrections to watch for in other references: 0xC000006F is the
logon-hours restriction only (the workstation restriction is 0xC0000070),
and "logon type not granted" is 0xC000015B, not 0xC000018C.

🛠 Real-World Example

Your Event Log shows:

 Event ID 4625
 Status: 0xC000006D, SubStatus: 0xC000006A – Incorrect password
 Repeated every 5 seconds from the same IP

🚨 This could be a brute-force attack attempt!
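The three Windows scenarios on this page (the 4625 burst followed by 4624, 4672 and 4688 in the Event ID section; the Type 3 then Type 10 logon with no console logon in the logon types section; and the repeated 0xC000006A failures just above) all reduce to correlating Security events by source IP and LogonId. The script below is an added example, not code from the original page, that does that correlation over a constructed set of events. The events are Python tuples holding the subset of EventData fields each rule needs; the user name, LogonId values, the command line and the 203.0.113.7 source address are all made up (203.0.113.7 is in a documentation address range). Detection thresholds are assumptions to tune per environment.

```python
"""Correlate Windows Security events into the chains described on this page:
a burst of 4625 failures from one IP, then a 4624 success whose LogonId shows
up in 4672 (privileges) and 4688 (process creation); and a Type 3 then Type 10
logon from one IP with no Type 2 console logon. Added example, constructed data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# 4625 failure codes tabulated on this page, keyed by whichever field carries
# the detail (SubStatus for 0xC000006A/0xC0000064, Status for the others).
FAILURE_CODE = {0xC0000064: "user name does not exist", 0xC000006A: "incorrect password",
                0xC0000234: "account locked out", 0xC0000072: "account disabled",
                0xC000006F: "logon outside permitted hours", 0xC0000193: "account expired",
                0xC0000070: "invalid workstation", 0xC0000224: "password must be reset",
                0xC000015B: "logon type not granted", 0xC000018C: "domain trust failure"}
CREDENTIAL_GUESS = {0xC000006A, 0xC0000064}  # lockouts are a consequence; don't double-count
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
              8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
              11: "CachedInteractive"}

# Constructed sample events: (timestamp, EventID, subset of EventData fields).
T0 = datetime(2024, 1, 15, 9, 0, 0)
FAIL = {"TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 3,
        "Status": 0xC000006D, "SubStatus": 0xC000006A}
EVENTS = [(T0 + timedelta(seconds=5 * i), 4625, FAIL) for i in range(10)] + [
    (T0 + timedelta(seconds=55), 4624, {"TargetUserName": "jsmith", "IpAddress": "203.0.113.7",
                                        "LogonType": 3, "TargetLogonId": "0x3e7a1"}),
    (T0 + timedelta(seconds=56), 4672, {"SubjectLogonId": "0x3e7a1",
                                        "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"}),
    (T0 + timedelta(seconds=70), 4688, {"SubjectLogonId": "0x3e7a1",
                                        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    (T0 + timedelta(minutes=3), 4624, {"TargetUserName": "jsmith", "IpAddress": "203.0.113.7",
                                       "LogonType": 10, "TargetLogonId": "0x41c02"}),
]


def failure_code(fields):
    """The informative 4625 code: SubStatus when non-zero, otherwise Status."""
    return fields.get("SubStatus") or fields["Status"]


def failure_summary(events):
    """Counter of human-readable 4625 reasons, e.g. {'incorrect password': 10}."""
    codes = (failure_code(f) for _, eid, f in events if eid == 4625)
    return Counter(FAILURE_CODE.get(c, f"unknown {c:#010x}") for c in codes)


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """{ip: max credential failures inside any `window`} for IPs at/above threshold."""
    by_ip = defaultdict(list)
    for ts, eid, f in events:
        if eid == 4625 and failure_code(f) in CREDENTIAL_GUESS:
            by_ip[f["IpAddress"]].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def privileged_chain(events, flagged):
    """For each 4624 from a flagged IP, follow its LogonId into later 4672
    (privileges assigned) and 4688 (processes started) events of that session."""
    alerts = []
    for ts, eid, f in events:
        if eid != 4624 or f["IpAddress"] not in flagged:
            continue
        session = [(e, x) for t, e, x in events
                   if t >= ts and x.get("SubjectLogonId") == f["TargetLogonId"]]
        alerts.append({"user": f["TargetUserName"], "ip": f["IpAddress"],
                       "logon_type": LOGON_TYPE[f["LogonType"]],
                       "failures_before": flagged[f["IpAddress"]],
                       "privileged": any(e == 4672 for e, _ in session),
                       "processes": [x["CommandLine"] for e, x in session if e == 4688]})
    return alerts


def rdp_without_console(events):
    """(user, ip) pairs where an RDP (Type 10) logon follows a Network (Type 3)
    logon from the same IP and that user has never logged on at the console."""
    types_seen, net_sources, hits = defaultdict(set), defaultdict(set), []
    for _, eid, f in sorted(events, key=lambda e: e[0]):
        if eid != 4624:
            continue
        user, ip, lt = f["TargetUserName"], f["IpAddress"], f["LogonType"]
        if lt == 10 and ip in net_sources[user] and 2 not in types_seen[user]:
            hits.append((user, ip))
        types_seen[user].add(lt)
        if lt == 3:
            net_sources[user].add(ip)
    return hits


if __name__ == "__main__":
    print(failure_summary(EVENTS))
    for a in privileged_chain(EVENTS, brute_force_sources(EVENTS)):
        print("ALERT brute force -> success:", a)
    for user, ip in rdp_without_console(EVENTS):
        print(f"ALERT RDP after network logon, no console logon: {user} from {ip}")
```

Two design points worth copying into a real rule: the success is tied to the later 4672 and 4688 by LogonId rather than by user name, because the same user can have several concurrent sessions, and only the password/unknown-user sub-statuses count towards the brute-force threshold, because the lockout (0xC0000234) that follows is caused by the guessing and would inflate the count. The second 4624 (the RDP logon) also produces an alert with `privileged` False, which is the intended behaviour: every successful logon from a source that was just brute-forcing deserves a look.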

💡 Why This Matters:

✅ Helps distinguish between user error and real threats
✅ Enables quick response to account lockouts
✅ Essential for incident investigations and audits
