TryHackMe (THM) - SOC Fundamentals

Lawrence Juma "Jumalaw98"Lawrence Juma "Jumalaw98"
4 min read

The SOC Fundamentals room introduces us to the core concepts of a Security Operations Center (SOC). It explains the responsibilities of a SOC team, its processes, and the technologies it uses to protect an organization from cyber threats.

Check out the room here: https://tryhackme.com/r/room/socfundamentals

Expectations:

  • Learn what a SOC is and its importance in cybersecurity.

  • Understand the three pillars of SOC: People, Processes, and Technology.

  • Gain practical experience analyzing security incidents using an SIEM tool.

  • Complete quizzes and tasks to reinforce learning.

Task 1: Introduction to SOC

This task explains the concept of a SOC. A SOC is a facility where a dedicated security team works 24/7 to monitor and protect an organization’s IT environment.

Key Points:

  • SOC teams prevent damage by identifying and responding to suspicious activities.

  • Modern SOCs focus on detection and response rather than relying solely on traditional security practices.

Quiz Answers:

  1. What does SOC stand for?
    Security Operations Center

Task 2: Purpose and Components

This task focuses on how SOCs maintain detection and response to prevent security incidents. It introduces core SOC activities such as:

  • Detecting vulnerabilities, unauthorized activity, policy violations, and intrusions.

  • Supporting incident response to minimize impact and find root causes.

Key Concept: The three pillars of SOC are People, Processes, and Technology.

Quiz Answers:

  1. The SOC team discovers an unauthorized user is trying to log in. What capability is this? Detection

  2. What are the three pillars of SOC? People, Process, Technology

Task 3: People

This task highlights the hierarchy and responsibilities of SOC team members.

Roles in a SOC team:

  • SOC Analyst (Level 1): First responders who triage alerts.

  • SOC Analyst (Level 2): Perform deeper investigations and correlate data.

  • SOC Analyst (Level 3): Proactively hunt threats and assist in incident response.

  • Security Engineer: Deploy and configure security solutions.

  • Detection Engineer: Create rules for detecting malicious activity.

  • SOC Manager: Manage processes and update the organization’s leadership.

Quiz Answers:

  1. Alert triage and reporting is the responsibility of?
    SOC Analyst (Level 1)

  2. Which role is responsible for establishing detection rules?
    Detection Engineer

Task 4: Process

This task discusses critical SOC processes, including:

  • Alert Triage: Analyze and prioritize alerts using the 5 Ws: What, When, Where, Who, Why.

  • Reporting: Escalate harmful alerts through detailed tickets with evidence.

  • Incident Response and Forensics: Handle critical security incidents and investigate their root causes.

Example:

  • An alert of malware detected on GEORGE PC might look like this:

    • What? Malicious file detected.

    • When? June 5, 2024, at 13:20.

    • Where? Directory on GEORGE PC.

    • Who? User George.

    • Why? The user downloaded pirated software.

Quiz Answers:

  1. If John attempted to steal system data, which ‘W’ does this answer? Who

  2. The SOC team detects a large data exfiltration. Which ‘W’ is this? What

Task 5: Technology

Technology is the backbone of a SOC. It enables teams to centralize monitoring and automate responses to security threats.

Key Tools:

  • SIEM (Security Information and Event Management): Collects and correlates logs to identify suspicious activity.

  • EDR (Endpoint Detection and Response): Provides visibility into endpoint activities and automates responses.

  • Firewall: Monitors and filters incoming/outgoing traffic to prevent unauthorized access.

Quiz Answers:

  1. Which security solution monitors network traffic? Firewall

  2. Do SIEM solutions focus on detecting and alerting about security incidents?
    Yes

Task 6: Practical Exercise of SOC

This task provides a hands-on scenario simulating the responsibilities of a Level 1 SOC Analyst. You’ll analyze logs in an SIEM tool to answer the 5 Ws for a port scanning alert.

Quiz Answers:

  1. What: Activity that triggered the alert? port scan

  2. When: Time of the activity? June 12, 2024 17:24

  1. Where: Destination host IP? 10.0.0.3

  2. Who: Source host name? Nessus

  3. Why: Reason for the activity? Intended/Malicious Intended

  4. Additional Investigation Notes: Has any response been sent back to the port scanner IP? (yea/nay) yea

  5. What is the flag found after closing the alert?

Scenario:

  • What? Port Scan

  • When? June 12, 2024, 17:24

  • Where? Destination host IP: 10.0.0.3

  • Who? Source host name: Nessus

  • Why? Intended activity

Task 7: Conclusion

This room illuminates the foundational skills required to work in a SOC environment. Key Takeaways:

  • SOC teams detect, investigate, and respond to incidents to protect organizational assets.

  • Effective communication and collaboration between People, Process, and Technology are essential.

  • Hands-on exercises simulate real-world scenarios, enhancing understanding.

Thank you for reading my article. Please leave any questions or comments. We can also connect more on LinkedIn or X.

0
Subscribe to my newsletter

Read articles from Lawrence Juma "Jumalaw98" directly inside your inbox. Subscribe to the newsletter, and don't miss out.

SOC Fundamentals TryHackMe WalkthroughTryHackMe WalkthroughLearn SIEM, EDR, and SOC Roles soc fundamentalstryhackme#walkthrough

Written by

Lawrence Juma "Jumalaw98"
Lawrence Juma "Jumalaw98"

Growth mindset in the tech field, Front-end "React Js, Vue Js", Project Manager, Digital Marketer.