2. Agenda
Introduction to SOC and SIEM
SOC - What, Why and How
SIEM - Tools and terminology
Threat Hunting
Cyber Kill Chain
APT - Advanced Persistent Threats
IoC - Indicators of Compromise
IoA - Indicators of Attack
TTP - Tactics, Techniques and Procedures
3. SOC
A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization's security posture on an ongoing basis. The SOC team's goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
[Figure: SOC activity cycle diagram with four segments labelled protect, report, identify and investigate]
9. IoC
Indicators of Compromise are atomic, known-bad artifacts that can be matched directly against logs and telemetry:
virus signatures
IP addresses
URLs or domains
file hash values (MD5, SHA-1, SHA-256)
registry keys
filenames
HTTP user agents
Open-source threat intel sources and exchange formats: OTX (AlienVault Open Threat Exchange), OpenIOC, STIX, CybOX
10. IoA
Indicators of Attack: the series of actions an adversary must carry out in order to succeed.
Everything the attacker does to prepare and stage the attack.
The "signs" the attacker leaves behind in the earlier stages of the attack, before a compromise artifact exists.
11. IoC vs. IoA
IoCs are reactive indicators; IoAs are proactive indicators.
IoCs are matched after the fact against data that has already been collected; IoAs are evaluated in real time as the behaviour happens.
IoCs are known, universally bad values (a malicious hash or domain is bad for everyone); an IoA is only bad in context, based on what the observed behaviour means for you and the situation.
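To make the IoC list and the IoC vs. IoA contrast concrete, here is an added example (it is not code from the slide deck) that runs a matcher for the atomic IoC types listed on the IoC slide and a behavioural IoA rule of the kind described on the IoA slide over the same event stream. The event schema, host names, PIDs, hash values, IP addresses, domains and user agent are all constructed for illustration, and the IoA rule chosen here (an Office application spawns a script host that then connects out) is one common rule, not one the deck specifies.

```python
# Added example (not from the slide deck): an atomic IoC matcher next to a
# behavioural IoA rule, run over a constructed endpoint event stream.
# Every value below (hosts, PIDs, hashes, IPs, domains, user agent) is made up
# for illustration; the IP addresses are RFC 5737 documentation ranges.
from dataclasses import dataclass

# Constructed IoC set covering the "known bad" value types on the IoC slide.
IOC_SET = {
    "sha256": {"deadbeef" * 8},                          # constructed hash
    "ip": {"198.51.100.23"},                             # constructed C2 address
    "domain": {"bad-update.example"},                    # constructed C2 domain
    "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Win32)"},
}


@dataclass
class Event:
    """One EDR-style telemetry record (constructed schema)."""
    ts: int              # seconds since epoch
    host: str
    kind: str            # "process" (a spawn) or "network" (an outbound connection)
    pid: int
    image: str           # image name of the process that generated the event
    parent_image: str = ""
    sha256: str = ""
    dst_ip: str = ""
    dst_domain: str = ""
    user_agent: str = ""


def match_iocs(events):
    """Reactive IoC matching: flag any event carrying a value already on the
    blocklist. Returns (host, ioc_type, value) tuples. Works on historical
    data as well as live data, but can only find what is already known."""
    hits = []
    for e in events:
        if e.sha256.lower() in IOC_SET["sha256"]:          # hashes compare case-insensitively
            hits.append((e.host, "sha256", e.sha256.lower()))
        if e.dst_ip in IOC_SET["ip"]:
            hits.append((e.host, "ip", e.dst_ip))
        d = e.dst_domain.lower()
        if d and any(d == bad or d.endswith("." + bad) for bad in IOC_SET["domain"]):
            hits.append((e.host, "domain", d))          # subdomains of a bad domain count
        if e.user_agent in IOC_SET["user_agent"]:
            hits.append((e.host, "user_agent", e.user_agent))
    return hits


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def detect_ioa(events, window_s=300):
    """Proactive IoA rule: an Office application spawns a script host which
    then makes an outbound connection within window_s seconds. No hash, IP
    or domain has to be known in advance; the sequence itself is the indicator.
    Returns (host, parent_image, image, destination, seconds_after_spawn)."""
    suspects = {}   # (host, pid) -> spawn event, so state is tracked per process
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if (e.kind == "process" and e.parent_image.lower() in OFFICE_APPS
                and e.image.lower() in SCRIPT_HOSTS):
            suspects[(e.host, e.pid)] = e
        elif e.kind == "network" and (e.host, e.pid) in suspects:
            spawn = suspects[(e.host, e.pid)]
            delta = e.ts - spawn.ts
            if 0 <= delta <= window_s:
                alerts.append((e.host, spawn.parent_image, spawn.image,
                               e.dst_domain or e.dst_ip, delta))
    return alerts


# Constructed telemetry: three hosts, three stories.
EVENTS = [
    # ws01: a known sample runs and beacons to known infrastructure -> IoC hits.
    Event(1000, "ws01", "process", 4100, "svchost_update.exe",
          parent_image="explorer.exe", sha256="DEADBEEF" * 8),
    Event(1005, "ws01", "network", 4100, "svchost_update.exe",
          dst_ip="198.51.100.23", dst_domain="cdn.bad-update.example",
          user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Win32)"),
    # ws02: a phishing document spawns PowerShell, which fetches a stage from
    # infrastructure nobody has seen before -> no IoC hit, but the IoA fires.
    Event(2000, "ws02", "process", 5200, "powershell.exe",
          parent_image="WINWORD.EXE", sha256="0123456789abcdef" * 4),
    Event(2030, "ws02", "network", 5200, "powershell.exe",
          dst_ip="203.0.113.77", dst_domain="files.new-infra.example"),
    # ws03: Word spawns the print spooler helper and never talks out -> nothing.
    Event(3000, "ws03", "process", 6100, "splwow64.exe", parent_image="WINWORD.EXE"),
]

if __name__ == "__main__":
    for hit in match_iocs(EVENTS):
        print("IoC hit  :", hit)
    for alert in detect_ioa(EVENTS):
        print("IoA alert:", alert)
```

Run as-is, the IoC matcher reports four hits, all on ws01, because every bad value there was already known; it reports nothing for ws02, whose hash, address and domain are new. The IoA rule ignores the values entirely and fires once, on ws02, because the Word-to-PowerShell-to-network sequence is the indicator. That is the slide's point in code: the IoC matcher can be rerun over last month's logs, while the IoA rule has to watch the stream as it happens and only means something in context (ws03 shows the same parent application with no script host and no connection, so it stays quiet).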