TryHackMe (THM) - SOC Fundamentals

TryHackMe SOC Fundamentals Walkthrough

The SOC Fundamentals room introduces us to the core concepts of a Security Operations Center (SOC). It explains the responsibilities of a SOC team, its processes, and the technologies it uses to protect an organization from cyber threats.

Check out the room here: https://tryhackme.com/r/room/socfundamentals

Expectations:

  • Learn what a SOC is and its importance in cybersecurity.

  • Understand the three pillars of SOC: People, Processes, and Technology.

  • Gain practical experience analyzing security incidents using a SIEM tool.

  • Complete quizzes and tasks to reinforce learning.


Task 1: Introduction to SOC

This task explains the concept of a SOC. A SOC is a facility where a dedicated security team works 24/7 to monitor and protect an organization’s IT environment.

Key Points:

  • SOC teams prevent damage by identifying and responding to suspicious activities.

  • Modern SOCs focus on detection and response rather than relying solely on traditional security practices.

Quiz Answers:

  1. What does SOC stand for?
    Security Operations Center

Task 2: Purpose and Components

This task focuses on how SOCs maintain detection and response to prevent security incidents. It introduces core SOC activities such as:

  • Detecting vulnerabilities, unauthorized activity, policy violations, and intrusions.

  • Supporting incident response to minimize impact and find root causes.

Key Concept: The three pillars of SOC are People, Processes, and Technology.

Quiz Answers:

  1. The SOC team discovers an unauthorized user is trying to log in. What capability is this? Detection

  2. What are the three pillars of SOC? People, Process, Technology


Task 3: People

This task highlights the hierarchy and responsibilities of SOC team members.

Roles in a SOC team:

  • SOC Analyst (Level 1): First responders who triage alerts.

  • SOC Analyst (Level 2): Perform deeper investigations and correlate data.

  • SOC Analyst (Level 3): Proactively hunt threats and assist in incident response.

  • Security Engineer: Deploy and configure security solutions.

  • Detection Engineer: Create rules for detecting malicious activity.

  • SOC Manager: Manage processes and update the organization’s leadership.

Quiz Answers:

  1. Alert triage and reporting is the responsibility of?
    SOC Analyst (Level 1)

  2. Which role is responsible for establishing detection rules?
    Detection Engineer


Task 4: Process

This task discusses critical SOC processes, including:

  • Alert Triage: Analyze and prioritize alerts using the 5 Ws: What, When, Where, Who, Why.

  • Reporting: Escalate harmful alerts through detailed tickets with evidence.

  • Incident Response and Forensics: Handle critical security incidents and investigate their root causes.

Example:

  • An alert of malware detected on GEORGE PC might look like this:

    • What? Malicious file detected.

    • When? June 5, 2024, at 13:20.

    • Where? Directory on GEORGE PC.

    • Who? User George.

    • Why? The user downloaded pirated software.

Quiz Answers:

  1. If John attempted to steal system data, which ‘W’ does this answer? Who

  2. The SOC team detects a large data exfiltration. Which ‘W’ is this? What


Task 5: Technology

Technology is the backbone of a SOC. It enables teams to centralize monitoring and automate responses to security threats.

Key Tools:

  • SIEM (Security Information and Event Management): Collects and correlates logs to identify suspicious activity.

  • EDR (Endpoint Detection and Response): Provides visibility into endpoint activities and automates responses.

  • Firewall: Monitors and filters incoming/outgoing traffic to prevent unauthorized access.

Quiz Answers:

  1. Which security solution monitors network traffic? Firewall

  2. Do SIEM solutions focus on detecting and alerting about security incidents?
    Yes


Task 6: Practical Exercise of SOC

This task provides a hands-on scenario simulating the responsibilities of a Level 1 SOC Analyst. You’ll analyze logs in a SIEM tool to answer the 5 Ws for a port scanning alert.

Quiz Answers:

  1. What: Activity that triggered the alert? port scan

  2. When: Time of the activity? June 12, 2024 17:24

  3. Where: Destination host IP? 10.0.0.3

  4. Who: Source host name? Nessus

  5. Why: Reason for the activity? (Intended/Malicious) Intended

  6. Additional Investigation Notes: Has any response been sent back to the port scanner IP? (yea/nay) yea

  7. What is the flag found after closing the alert?

Summary of the 5 Ws for this alert:

  • What? Port Scan

  • When? June 12, 2024, 17:24

  • Where? Destination host IP: 10.0.0.3

  • Who? Source host name: Nessus

  • Why? Intended activity

Task 7: Conclusion

This room covers the foundational skills required to work in a SOC environment. Key Takeaways:

  • SOC teams detect, investigate, and respond to incidents to protect organizational assets.

  • A SOC is only as effective as its People, Processes, and Technology working together.

  • Hands-on exercises simulate real-world scenarios, enhancing understanding.


Thank you for reading my article. Please leave any questions or comments. We can also connect more on LinkedIn or X.