TheCyberSecHub

Cyber Defense Models

Explore the key frameworks and policies that help create a robust cybersecurity foundation. Learn how organisations utilize these resources as part of their defensive measures.

Understanding the different phases of a cyber attack and the techniques employed by attackers is vital. By examining the actions taken during an incident, organisations can enhance their responses and identify the underlying cause. Utilizing established models and frameworks—like the Cyber Kill Chain—can greatly improve an organisation’s overall security posture.

This content is adapted from TryHackMe’s Cyber Defence Frameworks.


1. Junior Security Analyst Intro

Task 1: A career as a Junior (Associate) Security Analyst

As a Junior Security Analyst, your primary role will be as a Triage Specialist, focusing on monitoring and analysing event logs and alerts.

Junior SOC Role

Key responsibilities for a Junior Security Analyst (Tier 1 SOC Analyst) include:

Required qualifications (most common):

Recommended certification: CompTIA Security+

Advancing Beyond the Junior Security Analyst Role

As you gain experience and develop your skills as a Junior (Tier 1) Security Analyst, you’ll have the opportunity to progress to the higher tiers within the SOC.

An overview of the SOC Three-Tier Model is given below:

SOC Analyst Tiers


Task 2: Security Operations Center (SOC)

What is a SOC?

The primary function of a Security Operations Center (SOC) is to continuously monitor, analyse, prevent, and respond to cybersecurity threats. As defined by McAfee, a SOC is tasked with protecting critical assets—including intellectual property, employee data, business infrastructure, and brand reputation.

Acting as the central operation point for an organisation’s cybersecurity approach, SOC teams work together to identify, assess, and address cyber threats in real time. The composition of a SOC team can vary from a small group to a large division, depending on the size of the organisation and its security requirements.


What can be included in the responsibilities of the SOC?

The SOC functions as the organisation’s central cybersecurity hub, ensuring proactive defense and swift action against threats.

SOC Responsibilities

The responsibilities of the SOC include:

  1. Preparation and Prevention

    • Threat Awareness:
      • Monitor cybersecurity trends via sources like Twitter, Feedly, or threat intelligence platforms.
      • Understand adversary Tactics, Techniques, and Procedures (TTPs), e.g. by reviewing CISA alerts such as the APT40 analysis.
    • Proactive Defense:
      • Update firewall rules, patch vulnerabilities, and manage blocklists/safelists (IPs, apps, emails).
      • Develop security roadmaps to mitigate emerging threats.
  2. Monitoring and Investigation

    • Continuous Surveillance:
      • Employ SIEM tools (e.g., Splunk, Elastic Stack) and EDR tools (e.g., CrowdStrike) to detect anomalies.
      • Prioritise alerts by severity (Critical → Low).
    • Triage & Analysis:
      • Investigate alerts by analysing logs to trace attack vectors.
      • Leverage open-source tools (e.g., VirusTotal) for context.
  3. Incident Response

    • Containment & Remediation:
      • Isolate compromised hosts, terminate malicious processes, and remove harmful files.
      • Coordinate with IT/network teams to restore systems securely.
    • Documentation:
      • Record actions taken in ticketing systems and update the Knowledge Base for future reference.
  4. Collaboration & Improvement

    • Threat Intelligence:
      • Correlate data from SIEM with threat feeds to identify patterns.
    • Post-Incident Reviews:
      • Fine-tune detection rules and response playbooks based on lessons learned.
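The monitoring and threat-intelligence points above (prioritise alerts Critical → Low, correlate SIEM data with threat feeds, escalate what Tier 1 cannot close) can be shown as a small triage script. This is an added example, not code from TryHackMe or the original page; the alert export format, the threat feed and the sample alerts are constructed, and the only real value reused is the IP from the lab exercise later on this page.

```python
"""Alert triage helper: rank SIEM alerts by severity and flag source IPs
that match a threat feed, as a Tier 1 analyst would before escalating."""
import re

# Severity order used on this page: Critical -> High -> Medium -> Low.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed threat-feed blocklist (hypothetical). The first entry is the IP
# from the lab exercise on this page; the other is an RFC 5737 test address.
THREAT_FEED = {"221.181.185.159", "198.51.100.77"}

# Constructed SIEM alert export (hypothetical format):
# <timestamp> sev=<Severity> src=<ip> rule=<rule name>
SAMPLE_ALERTS = """\
2024-05-01T08:02:11Z sev=Low src=192.0.2.10 rule=Port scan (internal)
2024-05-01T08:05:43Z sev=High src=221.181.185.159 rule=SSH brute force
garbage line that should be skipped
2024-05-01T08:06:02Z sev=Medium src=203.0.113.5 rule=Unusual login hour
2024-05-01T08:09:30Z sev=Critical src=198.51.100.77 rule=Malware beacon
"""

ALERT_RE = re.compile(r"^(\S+) sev=(\w+) src=(\S+) rule=(.+)$")


def parse_alerts(text, feed=THREAT_FEED):
    """Parse alert lines into dicts; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or m.group(2) not in SEVERITY_RANK:
            continue
        ts, sev, src, rule = m.groups()
        alerts.append({"ts": ts, "severity": sev, "src": src,
                       "rule": rule, "feed_match": src in feed})
    return alerts


def triage(text, feed=THREAT_FEED):
    """Order alerts the way the page describes working them: known-bad
    sources first, then by severity (Critical -> Low), oldest first."""
    return sorted(parse_alerts(text, feed),
                  key=lambda a: (not a["feed_match"],
                                 SEVERITY_RANK[a["severity"]], a["ts"]))


def needs_escalation(alert):
    """Hand to Tier 2 if the source is on the feed or severity is Critical."""
    return alert["feed_match"] or alert["severity"] == "Critical"
```

Running `triage(SAMPLE_ALERTS)` returns the two feed-matched alerts first (Critical before High), then the remaining alerts by severity, with the malformed line silently dropped.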

Tools & Processes:

In general, Junior Analysts focus on triage, basic investigations, and tool maintenance, while higher-level analysts manage complex responses and strategies.


Task 3: A Day in the Life of a Junior (Associate) Security Analyst

Day in the Life of Junior Analyst

Stepping into the role of a Junior (Associate) Security Analyst involves being at the frontline of cyber defense—a vibrant and demanding profession where each day presents unique challenges.

A Typical Day:

  1. Morning: Alert Triage & Ticket Review

    • Examine the ticketing system for new alerts or ongoing incidents.
    • Prioritise tasks based on severity.
    • Analyse logs from SIEM, IDS/IPS, and other monitoring tools for anomalies.
  2. Monitoring & Investigation

    • Investigate network traffic, suspicious emails, and endpoint alerts.
    • Use OSINT tools to validate threats.
    • Extract forensic data (e.g., malware samples, log files) to trace attacks.
  3. Incident Response: The Thrill of the Hunt

    • Handle incidents of varying complexity.
    • Collaborate with Tier 2/3 analysts to neutralize threats.
    • Isolate affected hosts, block malicious IPs, and mitigate damage.
  4. Continuous Learning & Adaptation

    • Study attacker TTPs to improve detection.
    • Document findings for future use.
    • Hand off outstanding issues to the next shift.

Why It’s Thrilling:

Ready to join the SOC? Every alert is a puzzle waiting to be solved—and you’re the first line of defense.


Lab Exercise Solutions: Investigating Suspicious Activity

Referencing TryHackMe’s “Security Monitoring” lab

Investigation Summary:

  1. Malicious IP Address Identified

    • Found in SIEM dashboard alerts: 221.181.185.159
  2. Escalation Protocol

    • Event escalated to: Will Griffin (Senior Analyst)
  3. Attacker’s Message

    • Firewall-block response: THM[UNTIL-WE-MEET-AGAIN]