Introduction to Cybersecurity Operations

Questions and Answers

What is the primary responsibility of a Tier 3 SOC Analyst?

• Conducting in-depth incident analysis
• Threat hunting and developing preventive measures (correct)
• Assigning alerts to Tier 1 Analysts
• Initial analysis and incident confirmation

In a typical SOC structure, which tier is responsible for in-depth analysis and recommending remediation steps?

• Tier 2 (correct)
• Tier 4
• Tier 3
• Tier 1

If a Tier 1 Analyst determines a security alert is a false positive, what is the next step for the SOC?

• Escalate the issue to Tier 2 for a deeper analysis
• Close the ticket without further action (correct)
• Implement preventive measures immediately
• Notify the Tier 3 Analysts for further investigation

What follows the triaging of a security alert in a SOC?

Investigating whether it is a true or false positive (D)

Which of the following is NOT a responsibility of Tier 2 Analysts?

Threat hunting (A)

What is the primary function of a SIEM platform?

To provide a single platform for aggregating various log types (C)

Which phase in the Incident Response Lifecycle focuses on preparing for potential incidents?

Preparation (B)

What role does SOAR play in a Security Operations Center?

It aggregates security alerts and automates response workflows. (A)

Which statement is true regarding the structure of a Security Operations Center?

It has multiple tiers to address different phases of the incident response lifecycle. (C)

In the context of incident response, what is the focus during the Detection & Analysis phase?

Identifying attack vectors and signs of incidents (D)

What is the primary goal of the containment phase in the Incident Response Lifecycle?

To identify and isolate the main assets responsible for the incident. (B)

During the Recovery phase, which action is primarily emphasized?

Restoring affected systems back to their normal operational state. (C)

What is a critical component of Post-Incident Activity in the Incident Response Lifecycle?

Analyzing and discussing lessons learned from the incident. (C)

Which of the following best describes the role of indicators and precursors in incident analysis?

They provide early warnings that can lead to preventative measures. (A)

Which statement about the Incident Response Lifecycle is false?

Eradication is the first step following the detection of an incident. (D)

What is a primary reason organizations may view cybersecurity as a hindrance?

Cybersecurity implementation often leads to higher costs. (B)

What characterizes state-sponsored threat actors?

They are funded and organized by a country's government. (C)

What factor contributes to the greater need for cybersecurity in technology-dependent societies?

Increased prevalence and dependency on technology. (C)

Which statement accurately reflects the nature of threat actors in cyberattacks?

Threat actors can include both individuals and groups. (C)

What is a consequence of implementing more cybersecurity controls in organizations?

Increased financial expenditure. (B)

Why may some organizations resist adopting stringent cybersecurity measures?

Concerns about the immediate financial return on investment. (C)

What role does the presence of cyber units in first-world countries play in cybersecurity?

They enhance national security through counterintelligence. (C)

What might be a misconception about cyber threats in organizations?

Only large organizations face significant cyber threats. (C)

Flashcards

Cybersecurity

The practice of protecting computer systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Cyberattacks

Harmful actions aimed at disrupting, damaging, or gaining unauthorized access to computer systems, networks, or data.

Threat Actors

Individuals or groups behind cyberattacks, driven by various motivations like financial gain, espionage, or disruption.

State-sponsored Threat Actors

Threat actors backed by a country's government, often involved in espionage or cyberwarfare.

Availability vs. Security

The conflict between making systems readily accessible and securing them from cyber threats.

Cybersecurity Controls

Measures implemented to protect computer systems and networks from cyber threats, such as firewalls, antivirus software, and encryption.

Cybersecurity as a Hindrance

The perception in some organizations that cybersecurity measures hinder productivity or efficiency, often due to cost or inconvenience.

Why is cybersecurity important?

Cybersecurity is crucial because technology is pervasive and vulnerable to attacks, making it vital to protect data, systems, and individuals.

What is a SOC?

A Security Operations Center (SOC) is a centralized team responsible for monitoring, detecting, and responding to cybersecurity threats in an organization.

SOC Tiers

SOCs are typically organized in tiers with increasing levels of expertise. Tier 1 focuses on initial triage and alert confirmation, Tier 2 conducts in-depth analysis and remediation, and Tier 3 focuses on threat hunting and developing preventive measures.

SOC Ticketing System

A system used to manage and track security alerts and incidents within a SOC.

SIEM

A platform that gathers logs from various sources into one searchable place, helping security teams understand security incidents and respond effectively.

Tier 1 SOC Analyst

A SOC analyst responsible for initial triage and alert confirmation. They determine if an incident is a true positive or a false positive.

Threat Hunting

A proactive security practice where security professionals actively search for threats that might have gone undetected by traditional security controls.

SOAR

A platform that automates security tasks like incident investigation and response, using workflows called playbooks.

Incident Response Lifecycle

A structured process with distinct phases for handling security incidents, ensuring a timely and effective response.

Preparation

The first phase of the Incident Response Lifecycle, where the SOC is prepared to handle incidents by having the necessary tools and resources ready.

Detection & Analysis

The second phase of the Incident Response Lifecycle, where attacks are identified and analyzed. Security teams investigate suspicious activity and determine the nature of the incident.

Containment, Eradication & Recovery (CER)

The phase of the incident response lifecycle focusing on isolating the affected systems, removing malicious elements, and restoring normal operations.

Post-Incident Activity

The final phase of the incident response lifecycle, involving analysis of the event, identification of vulnerabilities, and implementation of preventative measures.

Using Various Sources for Analysis

Employing multiple information sources, such as SIEMs, IDPSs, and antivirus software, to gain a comprehensive understanding of a security incident.

Precursors and Indicators

Data points or patterns that suggest an impending or ongoing security incident, helping in early detection and response.

Study Notes

Introduction to Cybersecurity Operations

• The presentation covers cybersecurity dangers, threat actors, and security operation centers (SOCs).

Cybersecurity Threats & Dangers

• 2023 saw a 72% increase in data breaches compared to 2021.
• There were 2,365 cyberattacks in 2023, impacting 343,338,964 victims.
• Data breaches cost approximately $4.88 million on average in 2024.
• Email is the most common vector for malware, comprising about 35% in 2023.
• Ninety-four percent of organizations reported email security incidents.
• Business email compromises caused over $2.9 billion in losses in 2023.

Cybersecurity Threats & Dangers - Singapore Context

• Over 8 in 10 organizations in Singapore experience a cybersecurity incident annually.
• Businesses experience cybersecurity incidents more frequently than other organizations.
• The incidents affect businesses, resulting in disruption, data loss, and reputational damage (48%, 46%, and 43% respectively).
• Non-profit organizations face similar impacts, including 60% data loss and 44% reputational damage.
• The increasing use of technology increases the need for cybersecurity.

Threat Actors

• Cyberattacks originate from threat actors, which can be individuals or groups.
• The root causes of cyberattacks are often driven by motivations including financial gain, trade secrets, and global politics.
• Common threat actor types include amateurs (script kiddies), hacktivists (those protesting politically), financial motivated actors, and state-sponsored actors (paid by governments).

Security Operations Center (SOC)

• SOCs are designed to monitor and respond to cybersecurity incidents.
• A typical SOC structure consists of levels of analysis. These are frontline analysts (Tier 1), incident responders (Tier 2), and threat hunters (Tier 3).
• Tools like security information and event management (SIEM) platforms help with monitoring, aggregating, and analyzing logs.
• Security orchestration, automation, and response (SOAR) platforms automate incident investigations and responses.

Incident Response Lifecycle

• The incident response process involves several phases: preparation, detection & analysis, containment, eradication & recovery, and post-incident activity.
• Preparation involves ensuring the necessary tools and resources are available.
• Detection & analysis involves identifying potential indicators from a variety of sources.
• Containment, Eradication & Recovery involves isolating threats, and restoring systems.
• Post Incident Activity involves learning and improving to prevent reoccurrences.