🛡️ Blue Team & SOC Operations MOC

🧠 Core Concepts

• Blue Teaming - The defensive side of cybersecurity.
• Security Operations Center (SOC) - The centralized unit for security monitoring.
• SOC analysts - Roles and responsibilities (Tier 1, 2, 3).
• DevSecOps - Integrating security into the DevOps pipeline.
• Asset Inventory - Comprehensive catalog of organizational assets for security management.

🔎 Detection Engineering

Building the logic to catch threats.

• Detection Engineering - The overall process of creating detection rules.
• Detection Maturity Level Model - Assessing the maturity of detections.
• Alerting and Detection Strategies Framework - Framework for documenting detections.
• Types of Detection:
  • Indicator Detection - Detecting specific IOCs (hashes, IPs).
  • Threat-based detection - Detecting TTPs (Tactics, Techniques, Procedures).
  • Environment-based detection - Detecting anomalies in the specific environment.
  • Threat Behavior detections - Behavioral analysis.
• Tools:
  • Sigma - Universal detection rule format.
  • Uncoder.io - Detection rule translation platform.
  • ElastAlert - Elasticsearch alerting framework.

🪵 Logging & SIEM

Collecting and analyzing data.

• Security Information and Event Management system (SIEM) - Centralized log management.
• Windows Event Logs - Built-in Windows logging system and Event Viewer.
• Audit Logon Events - Windows audit policy for authentication monitoring.
• Tools:
  • Splunk - Industry standard SIEM.
  • ELK Stack - Elastic, Logstash, Kibana (Open source).
    • Elasticsearch - Search and analytics engine.
    • Logstash - Data processing pipeline.
    • Kibana - Visualization dashboard.
  • Sysmon - Advanced Windows system monitoring.
    • Sysmon Event ID 11 - File Create - Tracking file creations for ransomware/stagers.
  • Zeek - Network security monitoring and log generation.
  • RITA - C2 detection via network traffic analysis.
• Issues:
  • Logging & Alerting Failures - Common gaps in visibility.

🎯 Threat Hunting

Proactively searching for threats.

• Threat Hunting - Proactive search for cyber threats before they trigger alerts.
• Dwell Time - Duration an attacker remains undetected in the environment.
• Attack Residues - Traces and artifacts left behind by attackers.
• Attack Signatures - Patterns and identifiers used to detect known threats.
• Threat Intelligence Feeds - IOC feeds for proactive threat detection.
• DNS Tunneling - Covert C2/exfiltration via DNS queries.
• Command and Control (C2) - Attacker infrastructure detection.
• Domain Generation Algorithm (DGA) - Dynamic domain generation for C2.
• Fast Flux - IP rotation techniques for evasion.
• Lateral Movement - Post-exploitation network propagation.
• Honeypot - Decoy systems for detection.
• Key Detection Concepts:
  • Process Injection - Defense evasion via code injection (T1055).
  • PowerShell Script Block Logging - Event ID 4104 for hunting PowerShell abuse.
  • Sysmon Event IDs - Key Sysmon events for threat hunting.
  • Windows Event ID 1102 - Security log cleared detection.
  • Windows Event ID 4698 - Scheduled task creation detection.
• Labs:
  • C2 Detection - Command & Carol
  • THM - Threat Hunting Introduction
  • THM - Threat Hunting Foothold - Hunting Initial Access, Execution, Defense Evasion, Persistence, and C2.

🚨 Incident Response

Handling the alerts.

• Incident Response - The overall IR lifecycle and process.
• CSIRT - Cyber Security Incident Response Team: structure, roles, and authority.
• Alert - The initial signal of potential malicious activity.
• Alert Triage - The process of investigating and prioritizing alerts.
• Alert Reporting - Documenting findings.
• False Positive - Benign activity triggering an alert.
• Chain of Custody - Documented evidence handling process.
• Jump Bag - Pre-packed IR tools and supplies for rapid response.
• TheHive Project - Open-source case management platform for SOC/CSIRT.
• Atomic Red Team - Testing library for validating detections against MITRE ATT&CK TTPs.
• Tabletop Exercise - Discussion-based IR readiness testing.

🔄 Testing & Validation

Improving detection capabilities.

• Threat Emulation - Intelligence-driven adversary impersonation for testing defenses.
• Purple Teaming - Collaborative red/blue testing to improve detections.
• Atomic Red Team - Automated TTP testing framework.
• Tabletop Exercise - IR plan validation through scenarios.
• TIBER-EU Framework - European threat intelligence-based red teaming standard.

🔍 Linux Forensics

• File Timestamps (mtime, ctime, atime) - Timeline analysis for incident reconstruction.
• /etc/passwd and /etc/shadow - User account forensics and backdoor detection.
• /etc/sudoers - Privilege escalation configuration analysis.
• SSH authorized_keys - SSH key persistence mechanism detection.
• debsums - Package integrity verification for tampered files.
• strings - Binary analysis for extracting IOCs.

🛡️ Defense & Prevention

Security controls and countermeasures.

• Intrusion Prevention System (IPS) - Inline threat blocking.
• Endpoint detection and response (EDR) - Endpoint monitoring and response.
• Web Application Firewalls (WAFS) - Web attack prevention.
• Data Loss Prevention (DLP) - Exfiltration prevention.
• Multi-Factor Authentication (MFA) - Authentication hardening.
• DNS Sinkhole - Domain blocking via DNS redirection.
• Email Gateway - Email filtering and malicious content blocking.
• Firewall - Network traffic filtering and access control.
• Software Restriction Policies - Windows application execution control.
• Interactive logon - Display user info when locked - Security option for hiding user identity on lock screen.

📚 Frameworks

• Cyber Kill Chain - Lockheed Martin's 7-stage attack model.
• MITRE ATT&CK - Adversary tactics and techniques.
• Pyramid of Pain - Indicator effectiveness hierarchy.