Module 1 - Importance of SOC

Module 01 introduces the course on Security Operation Centers (SOC), outlining expectations, resources, and the significance of SOC in cybersecurity. Participants will learn about SOC responsibilities, including incident response, threat intelligence, and compliance, as well as the CIA triad (Confidentiality, Integrity, Availability). The course roadmap includes various modules covering topics such as log analysis, endpoint detection, and SIEM architecture.


Module 01

Welcome and Course Introduction

CYBERPRO Israel© Copyright | Do not distribute without written permission


https://panoptotech.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=40084831-0028-40a7-b300-b002013c6ad0
Program

▪ Welcome and introduction

▪ Course expectations

▪ Course resources

▪ The importance of the Security Operation Center

Learning Objectives

▪ You will be able to describe the goals and expectations of the course

▪ You will be able to explain the importance of the Security Operations Center and how to detect and investigate a security incident

Welcome and Introduction

▪ Give a short introduction of yourself.

▪ Do you have any prior experience with SOC / Incident Response or any other security operations work?

▪ What do you expect/hope to get out of this course?

Course Roadmap

▪ Confidentiality, Integrity, and Availability

▪ What is SOC?

▪ SOC Services Types

▪ Phishing & Email Header

▪ What is A Log?

▪ OS Logs

▪ Application Logs

▪ Audit Logs

▪ Log Analysis

▪ Attack Identification

▪ Sysinternals & PeStudio

▪ Event Viewer & Registry

Course Roadmap

▪ Task Scheduler & Persistence

▪ Endpoint Detection & Response

▪ MITRE ATT&CK – Tactics & Techniques

▪ What is SIEM?

▪ SIEM Types

▪ Rule Creation

▪ Dashboard & Visualization

Course Modules

▪ Module 1 – Introduction to Data Security

▪ Module 2 – The Importance of SOC

▪ Module 3 – Data Enrichment & Playbooks

▪ Module 4 – Log Analysis

▪ Module 5 – Dynamic & Static Analysis

▪ Module 6 – OS Event Management

▪ Module 7 – Endpoint Detection & Response

▪ Module 8 – SIEM Architecture & Security Monitoring

Course Expectations
▪ The lessons build upon each other. Make sure you don't miss important parts and do all the labs on time.

▪ Ask questions if you are not sure about something, during class or afterwards while practicing with the materials.

▪ We work as a team, and I want leadership and cooperation. If you are finished with a lab or assignment, help your fellow students to make sure no one falls behind.

Course Preparation
▪ Management of your environment is crucial for a cyber professional
▪ VirtualBox

▪ Storage & Memory

▪ Network interfaces

▪ Course folder

▪ Create a course folder on your local machine. Place everything related to this course in this folder.

Security Operation Center

Millions of computers are attacked at every given moment!

Let’s see how cyber attacks affect our daily life

What is a Security Operations Center?

Why do we need a SOC?

SOC Responsibilities
1. A SOC, or Security Operations Center, is a facility used to monitor and control network and security systems.

2. These centers usually have security analysts that review data to detect threats in real time and respond when necessary.

3. The SOC is a virtual radar that detects cyberattacks and protects the following: brand name, profit / income, perimeter, employees, customers, organizational assets, etc.

SOC Responsibilities

Monitoring:

1. The SOC is responsible for monitoring the security aspect of the organization, including logs from systems, flows from network components, vulnerabilities from hosts, threat intelligence, and more.

2. There may be overlap with other parts of the operations teams, especially regarding issues of availability, which can be the responsibility of both the SOC team and other operations teams that are not necessarily security related (IT department, fraud, finance, etc.).

SOC Responsibilities

Security Incident Response:

1. In many ways, this is the main reactive job of the SOC.

2. The objective of incident response is to promptly detect and respond to security incidents.

3. The SOC will respond to incidents that are related to information security.

SOC Responsibilities

Cyber Threat Intelligence

1. A standard part of the role of the SOC is to be able to respond to potential threats.

2. In order to do so, the SOC needs to gather threat intelligence that can guide the actions of the SOC.

3. This can take many forms and utilize various sources such as social media, Computer Emergency Response Team (CERT) warnings, vendor briefings, observations from our own systems, etc.
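As an added worked example (not part of the CYBERPRO course material), the following Python script shows what the monitoring responsibility and the threat-intelligence responsibility above look like once reduced to code, which is essentially what a SIEM correlation rule does: it parses a handful of constructed sshd log lines, applies a brute-force rule (many failed logins from one source, escalated if a success follows), and matches source addresses against a small, hypothetical indicator list of the kind a CERT warning or vendor feed would supply. The log lines, hostnames, addresses and indicator values are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: sshd lines in classic syslog format. These are
# not real logs; hosts are invented and addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:03 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:00:04 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:06 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 09:00:07 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 09:00:09 web01 sshd[2311]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 09:05:00 web01 sshd[2400]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 10 09:06:00 web01 sshd[2401]: Failed password for bob from 192.0.2.11 port 40001 ssh2
Mar 10 09:07:00 web01 sshd[2402]: Accepted password for bob from 198.51.100.23 port 40002 ssh2
Mar 10 09:08:00 web01 systemd[1]: Started Session 12 of user bob.
"""

# Hypothetical threat-intelligence feed: IP indicators of compromise, as a
# CERT warning or vendor briefing might distribute them. Invented values.
IOC_IPS = {"198.51.100.23", "198.51.100.99"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn sshd auth lines into event dicts; lines that don't match are skipped.

    Classic syslog omits the year, so one is assumed (only ordering matters here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        events.append(e)
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Correlation rule: at least `threshold` failed logins from one source within
    `window_s` seconds raises a medium alert; a later successful login from the
    same source escalates to high (the classic 'brute force, then success').
    """
    failures = defaultdict(list)   # src -> timestamps of failures inside the window
    fired = set()                  # sources already alerted on, to avoid repeats
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            recent = [t for t in failures[src]
                      if (e["ts"] - t).total_seconds() <= window_s]
            recent.append(e["ts"])
            failures[src] = recent
            if len(recent) >= threshold and src not in fired:
                fired.add(src)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": src, "count": len(recent)})
        elif src in fired:
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": src, "user": e["user"]})
            fired.discard(src)
            failures[src] = []
    return alerts


def match_iocs(events, ioc_ips):
    """Threat-intel rule: flag any event whose source address is a known indicator."""
    return [{"rule": "ti_ioc_match", "severity": "high",
             "src": e["src"], "user": e["user"], "result": e["result"]}
            for e in events if e["src"] in ioc_ips]


def run_detections(log_text=SAMPLE_LOG, ioc_ips=IOC_IPS):
    events = parse(log_text)
    return detect_bruteforce(events) + match_iocs(events, ioc_ips)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Two practitioner caveats that the rule above glosses over: the threshold and window need tuning per environment (a NAT gateway or jump host legitimately produces many failures from one address), and the timestamps of every log source must be normalised to one clock and timezone before correlation, or the "success after failures" ordering cannot be trusted.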

SOC Responsibilities

Information Security Compliance

1. Information security compliance is concerned with the degree of compliance with external regulations and internal policies.

2. The external regulation is often legal (e.g., GDPR, the Computer Misuse Act, etc.), but may also be a sector standard such as the Payment Card Industry Data Security Standard (PCI DSS), which is the standard organizations must adhere to in order to process credit card data.

3. One of the responsibilities of the SOC is to validate the organization’s compliance with such regulations. Failing to comply with regulations may lead to fines and legal action against the organization.

SOC Position in the Organization

The structure of the SOC unit changes between organizations.

Here are a few examples:

▪ As part of the information security department

▪ As part of the network infrastructure team

▪ As part of the Network Operations Center (NOC)

▪ Directly under the CISO

SOC Types

1. Internal SOC – usually an on-premises infrastructure comprised of full-time employees sitting in a dedicated room within the organization.

2. External SOC – an external company (often called a managed security service provider) that manages the operation. This will commonly be a 24/7 service including integration with threat feeds, compliance support, and an experienced team.

3. Co-managed SOC – a combination of internal and external services.

SOC Common Activities

1. Handle and manage information security incidents

2. Collect data from the organization (logs, flows, and more)

3. Threat hunting

4. Monitor defense systems such as IPS, firewalls, and more

5. Monitor DLP incidents

6. Security patch management and whitelisting validation

7. Analysis and research of trends in the cybersecurity field

8. Validate information security policies

9. Vulnerability management

10. Threat intelligence process

11. Management reporting

Roles in the SOC

1. SOC Analyst – Tier 1 or Tier 2

2. Cyber Threat Intelligence Analyst

3. Digital Forensics and Incident Response

4. Threat Hunters

5. SIEM Engineer

6. SOC Manager

7. Technical Account Manager

What is the CIA? (Not the American CIA)

CIA Triad

▪ Confidentiality: preventing unauthorized access.

▪ Integrity: preventing unauthorized changes.

▪ Availability: data and services are available when needed.

Confidentiality

▪ Keeping information private by preventing unauthorized access

▪ Private information:
▪ Personally Identifiable Information (PII): ID, Address, Phone Number, Email,
Passport, Full Name.

▪ Business information (such as trade secrets, inventions, news embargoes, etc.)

▪ Classified documents

Breach Of Confidentiality

▪ What losses do we have in case of a breach of confidentiality?


▪ Hackers gained access to a hospital system and obtained information about patients.

▪ A data breach at a popular social media platform leaked thousands of email addresses, passwords, and usernames.

▪ A health center shared medical files with third-party suppliers without informing clients.

Integrity

▪ Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. In other words, protecting the data from unauthorized changes.

▪ Usually achieved using some form of hashing to detect that a change was made: the stored hash of the data is recomputed and compared.

▪ Other cryptographic measures, such as message authentication codes (HMAC) and digital signatures, bind the data to a key, so an attacker who can modify the data cannot simply recompute the hash as well.
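As an added illustration that is not part of the original slides, the following Python example makes the hashing point concrete using the grading-system scenario from the next slide: a plain SHA-256 hash detects accidental or careless modification, but a student who can rewrite both the grade record and its stored hash simply recomputes the hash. A keyed hash (HMAC) with a key the attacker does not hold closes that gap. The record contents and the key are constructed for the example; the key handling is hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (the school grading-system scenario); not real data.
ORIGINAL_RECORD = b"student=alice;course=algebra;grade=B"
TAMPERED_RECORD = b"student=alice;course=algebra;grade=A"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone, including the attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, stored_hex: str) -> bool:
    # compare_digest is a constant-time comparison; use it for any tag or secret
    return hmac.compare_digest(sha256_hex(data), stored_hex)


def verify_hmac(key: bytes, data: bytes, stored_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), stored_hex)


def integrity_scenarios(key=None) -> dict:
    """Run the tamper scenarios and return which checks still pass.

    key: the verifier's secret; generated fresh if not supplied. Hypothetical
    key management: in practice it lives in a KMS/HSM, not beside the data.
    """
    key = key or secrets.token_bytes(32)
    stored_hash = sha256_hex(ORIGINAL_RECORD)
    stored_tag = hmac_sha256_hex(key, ORIGINAL_RECORD)
    wrong_key = secrets.token_bytes(32)   # an attacker's guess at the key

    return {
        # untouched data passes both checks
        "clean_hash_ok": verify_hash(ORIGINAL_RECORD, stored_hash),
        "clean_hmac_ok": verify_hmac(key, ORIGINAL_RECORD, stored_tag),
        # record changed, stored checksum left alone: both checks catch it
        "tamper_only_hash_ok": verify_hash(TAMPERED_RECORD, stored_hash),
        "tamper_only_hmac_ok": verify_hmac(key, TAMPERED_RECORD, stored_tag),
        # attacker rewrites the record AND recomputes the stored checksum:
        # the plain hash is fooled, the HMAC is not (no key to forge with)
        "tamper_and_rehash_hash_ok": verify_hash(
            TAMPERED_RECORD, sha256_hex(TAMPERED_RECORD)),
        "tamper_and_rehash_hmac_ok": verify_hmac(
            key, TAMPERED_RECORD, sha256_hex(TAMPERED_RECORD)),
        # attacker forges a tag under a guessed key: still rejected
        "tamper_wrong_key_hmac_ok": verify_hmac(
            key, TAMPERED_RECORD, hmac_sha256_hex(wrong_key, TAMPERED_RECORD)),
    }


if __name__ == "__main__":
    for name, ok in integrity_scenarios().items():
        print(f"{name:28} {'PASS' if ok else 'FAIL'}")
```

The HMAC approach requires the verifier to hold the same secret key as the signer; where outside parties must be able to verify (software releases, forensic evidence handed to a third party), a digital signature plays the same role without sharing the key. A plain hash is still the right tool when the hash itself is delivered over a trusted channel, which is why evidence images are hashed at acquisition and the value recorded in the chain-of-custody log.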

Breach Of Integrity

▪ What losses do we have in case of a breach of integrity?


▪ A group of high school students hacked the school’s grading system and changed their algebra grades to an A.

▪ Hackers accessed an international news agency to spread fake news in the headlines.

Availability

▪ Making sure data and services are available to authorized users when needed.

▪ The degree to which the information is available to the right users when needed.

▪ Systems must be accessible whenever they are needed to provide information or a service.

▪ Usually achieved by designing redundancy into the IT infrastructure.

Breach Of Availability

▪ What losses do we have in case of a breach of availability?


▪ A DDoS attack causes the website of a motor parts retailer to be offline for around three hours, between 19:00 and 22:00 on a Wednesday.

▪ A sales office at a small start-up fell victim to ransomware. The ten workers could not sell the company's product for one and a half days.

Lab 01 - CIA triad

Learning objectives

▪ You will be able to describe the goals and expectations of the course

▪ You will be able to explain the importance of the Security Operations Center and how to detect and investigate a security incident

Thank You!

