
The SOC operating models

Aspiring SOC Analyst with hands-on experience in VAPT, firewall configuration, IDS/IPS setup, Windows log monitoring, and network analysis.

1. In-House (Internal) SOC-

A company builds and runs its own SOC internally using its people, tools and processes.

2. Outsourced/Managed SOC (MSP/MSSP)-

A third-party security company (an MSSP) provides SOC services to multiple client organizations.

MSP: Managed Service Provider (IT operations)

MSSP: Managed Security Service Provider (IT security)

3. Hybrid SOC (Co-Managed SOC)-

A shared-responsibility model between the internal security team and an external MSSP.

System as Attack Vector

In a SOC we don't just protect users or data; we protect systems, because every system can be abused as an attack vector.

Attack Vector- The specific path, method or entry point an attacker uses to gain unauthorized access to a computer, network or application.

A system becomes an attack vector when an attacker uses it to:

  • Gain initial access (get into a computer or network)

  • Move laterally (low to high level access)

  • Maintain persistence (long-term access)

  • Exfiltrate data (theft of sensitive information from a computer to an external location)

  • Launch further attacks.

Human Oriented Attacks

Because threat actors frequently design attacks to exploit user workflows, the majority of organizational breaches begin at the user level, which makes our team members our most critical line of defense. Typical user-level mistakes include:

  • Plugging in a malicious USB drive found on the street

  • Downloading malware from pirated resources

  • Using weak passwords

  • Clicking on suspicious links

  • Storing passwords on unsecured portals

  • Using outdated/pirated software, etc.

Vulnerability

  • What it is: A weakness or flaw in a system’s code, design, or security measures.

  • The Impact: It acts as an open door that threat actors (hackers) can use to breach a network or steal data.

1. Software Vulnerability-

A flaw or weakness in application code that allows attackers to crash a program, bypass controls, or steal data.

e.g. Buffer Overflow, Command Injection, Cross-Site Scripting (XSS), etc.

SOC Detection:

  • Web Application Firewall (WAF) alerts

  • Web server logs

  • Unusual POST requests

  • EDR alerts on servers.

2. Operating System Vulnerability-

A security defect deep within an Operating System's core or kernel. Because the OS manages system resources and hardware, these flaws can grant hackers deep, system-wide administrative control if left unpatched.

e.g. Windows vulnerabilities, kernel vulnerabilities, service vulnerabilities, etc.

SOC Detection:

  • Sudden privilege changes

  • Exploit behaviour flagged by EDR

  • Kernel driver loading alerts.

3. Network Vulnerability-

Weaknesses in network infrastructure or communication protocols. This includes unsecured Wi-Fi, unencrypted data transmission, or exposed ports that allow unauthorized devices to intercept data or intrude on a network.

e.g. Weak protocols (Telnet, FTP), unpatched routers/firewalls, exposed admin panels, etc.

SOC Detection:

  • IDS/IPS alerts

  • Firewall logs

  • Excessive authentication failures

4. Authentication & Authorization Vulnerability-

Flaws in how a system verifies user identity (authentication) or determines their access permissions (authorization). Common issues include weak password requirements, broken session management, or the ability to bypass login screens entirely.

e.g. Weak passwords, no MFA, Broken Access Control, etc.

SOC Detection:

  • Identity and Access Management (IAM) alerts

  • Access logs

  • Role change events.
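As an added example (not part of the original notes), the following Python script shows how two of the SOC detection signals listed above, excessive authentication failures (from the network section) and role change events, can be turned into alerts. The log format, the threshold and window, and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not real data): "<ISO timestamp> <EVENT> key=value ...".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 AUTH_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 AUTH_FAIL user=bob src=203.0.113.7
2024-05-01T10:00:04 AUTH_FAIL user=carol src=203.0.113.7
2024-05-01T10:00:06 AUTH_FAIL user=dave src=203.0.113.7
2024-05-01T10:00:08 AUTH_FAIL user=erin src=203.0.113.7
2024-05-01T10:00:09 AUTH_OK user=erin src=203.0.113.7
2024-05-01T10:05:00 AUTH_FAIL user=frank src=198.51.100.2
2024-05-01T10:30:00 AUTH_FAIL user=frank src=198.51.100.2
2024-05-01T10:31:00 ROLE_CHANGE user=erin group=DomainAdmins action=add by=svc-helpdesk
"""

FAIL_THRESHOLD = 5             # failures from one source IP ...
WINDOW = timedelta(minutes=1)  # ... inside this sliding time window (assumed values)


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alert strings for brute-force style failures and privileged role changes."""
    alerts = []
    recent = defaultdict(deque)  # src IP -> (timestamp, user) of failures still in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "AUTH_FAIL":
            q = recent[f["src"]]
            q.append((ts, f["user"]))
            while q and ts - q[0][0] > window:   # age out failures older than the window
                q.popleft()
            if len(q) == threshold:              # fire once, when the threshold is first hit
                users = len({u for _, u in q})   # many distinct users hints at password spraying
                alerts.append(f"excessive_auth_failures src={f['src']} "
                              f"failures={threshold} distinct_users={users}")
        elif event == "ROLE_CHANGE" and f.get("action") == "add" \
                and "admin" in f.get("group", "").lower():
            alerts.append(f"privileged_role_change user={f['user']} "
                          f"group={f['group']} by={f['by']}")
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields two alerts: one for the five failures against different accounts from 203.0.113.7 within a minute, and one for erin being added to an admin group right after her first successful login.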

5. Configuration-Dependent Vulnerability-

Weaknesses that stem from improper system setup rather than a flaw in the code. Examples include leaving default administrator passwords unchanged, overly permissive cloud storage permissions, or failing to turn on security features.

e.g. Debug mode enabled, default credentials, excessive permissions, etc.

SOC Detection:

  • Admin panel exposed

  • Default credentials unchanged

  • System takeover.

6. Zero-Day Vulnerability-

A newly discovered software or hardware flaw that is completely unknown to the vendor, leaving the developer with "zero days" to create a patch. Because no official fix exists, attackers often exploit these before developers even know the weakness is there.

SOC Detection:

  • Lateral movement

  • Abnormal processes

  • Suspicious network traffic.

Common Misconfigurations

Misconfiguration: not a bug, but a mistake in how a system was set up.

1. Cloud Misconfiguration-

  • Public S3 buckets

  • Open Azure blob storage

  • Over-permissive IAM rules

  • Exposed access keys
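As an added example (not part of the original notes), this Python snippet checks two of the cloud misconfigurations listed above: a bucket policy that makes an S3 bucket public, and an IAM policy with wildcard permissions. The two policy documents are constructed for illustration; the bucket name and account are not real.

```python
import json

# Constructed policies for illustration (not real accounts or buckets).
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, including anonymous users
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
WILDCARD_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},        # full admin, everywhere
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means the statement applies to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def find_public_statements(policy_json):
    """Sids (or positions) of Allow statements granted to everyone with no Condition."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if (st.get("Effect") == "Allow" and _is_public_principal(st.get("Principal"))
                and "Condition" not in st):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

def find_wildcard_statements(policy_json):
    """Positions of Allow statements with a wildcard Action ('*' or 'svc:*') on Resource '*'."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        actions = _as_list(st.get("Action", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in _as_list(st.get("Resource", []))
        if st.get("Effect") == "Allow" and wild_action and wild_resource:
            findings.append(i)
    return findings
```

A statement with Principal "*" but a restrictive Condition (for example on source VPC) is deliberately not reported here, so the check errs on the side of fewer false positives.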

2. Network Misconfiguration-

  • Firewall allows all traffic

  • Internal services exposed externally

  • No network segmentation (all devices on the same network)

e.g. Internal database port exposed ---> External scan finds it ---> Database accessed.
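As an added example (not part of the original notes), the following Python audit walks a firewall rule set looking for the two misconfigurations just described: an allow-all rule, and a database port reachable from outside the internal ranges. The rule format, the internal address ranges and the rules themselves are constructed for illustration.

```python
import ipaddress

# Assumed internal ranges and the database ports the audit cares about.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}

# Constructed rule set for illustration (not an export from a real firewall).
RULES = [
    {"id": 10, "action": "allow", "src": "203.0.113.0/24", "dst": "10.0.5.20/32", "port": 443},
    {"id": 20, "action": "allow", "src": "any", "dst": "10.0.5.30/32", "port": 5432},
    {"id": 30, "action": "allow", "src": "any", "dst": "any", "port": "any"},
    {"id": 40, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.5.30/32", "port": 5432},
    {"id": 50, "action": "deny", "src": "any", "dst": "any", "port": "any"},
]


def is_external(src):
    """'any', or a source network not wholly inside INTERNAL_NETS, means external hosts can match."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_rules(rules):
    """Return (rule id, reason) for allow rules that are allow-all or expose a DB port externally."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "allow-all rule permits every source, destination and port"))
        elif r["port"] in DB_PORTS and is_external(r["src"]):
            findings.append((r["id"], f"{DB_PORTS[r['port']]} port {r['port']} reachable from {r['src']}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_rules(RULES):
        print(f"rule {rule_id}: {reason}")
```

Rule 40 allows the same PostgreSQL port but only from an internal range, so it is not reported; rule 20 is the "internal database port exposed" case from the example above.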

3. IAM Misconfiguration-

  • Multi-Factor Authentication (MFA) disabled for admins

  • Excessive group membership

  • Shared admin accounts

e.g. Compromised user ---> User already has admin privileges ---> No escalation needed.

4. Endpoint Misconfiguration-

  • Antivirus disabled

  • Local admin access

  • USB allowed everywhere

e.g. Malware executed ---> No EDR ---> Persistence established.

Most breaches are caused not by zero-days but by misconfigurations and unpatched vulnerabilities.

Major system categories used as attack vectors

1. Endpoints (user machines)-

  • Laptops

  • Desktops

  • Virtual Desktop infrastructure(VDI)

  • Workstations

How attackers use them:

  • Phishing emails (malicious emails)

  • Drive-by downloads

  • USB-based malware

  • Exploiting unpatched software

Why endpoints are dangerous:

  • Users have access

  • Users click things

  • Often the weakest security points

2. Servers (Database/Application/File)-

Types:

  • Web servers

  • Application servers

  • Database servers

  • File servers

How attackers abuse servers:

  • Exploiting vulnerabilities

  • SQL Injection

  • Weak admin credentials

  • Exposed services

  • Remote Code Execution (RCE)

Why servers are high-value:

  • Run critical apps

  • Store sensitive data

  • Often trusted internally

3. Network Devices-

  • Router

  • Firewall

  • VPN gateways

  • Load balancers

How attackers abuse them:

  • Default credentials

  • VPN vulnerabilities

  • Misconfigurations

  • Firmware exploits

4. Cloud systems (AWS/Azure/GCP)-

Common cloud attack vectors:

  • Public S3 buckets

  • Exposed access keys

  • Over-permissive IAM roles

  • Metadata service abuse

Lifecycle of Zero-Days

  1. A new vulnerability is discovered

  2. A method to exploit the vulnerability is discovered

  3. Cybercriminals leverage the vulnerability to cause damage

  4. The vulnerability is discovered by the software vendors

  5. A patch is released by the security vendors
