Task 1 STS

The PSTS SOC Training Program covers essential security concepts including GRC, Red Team vs Pen Testing, and various cybersecurity tools and protocols. It outlines the roles of SOC analysts, the importance of incident response, and compares different security solutions like EDR, XDR, and SIEM. Additionally, it discusses threat intelligence, compliance, and the significance of maintaining a secure digital environment.

PSTS SOC Training Program

Important Security Concepts


Task 1 – Bashar Milhem
Task 1

Table of Contents

1. GRC
2. Red Team vs Pen Testing
3. Vulnerability Scan vs Vulnerability Assessment
4. Antivirus vs EDR
5. EDR vs XDR vs MDR
6. Blue Team Solutions & Vendors
7. SOC (Security Operations Center)
8. SOC Layers
9. SIEM (Security Information and Event Management)
10. Threat Intelligence (Inside Info)
11. Incident Response (Emergency Team)
12. Reports & Rules (Compliance)
13. False/True Classification in Cybersecurity
14. SIEM
15. Top 5 SIEM Providers
16. FortiSIEM
17. SOAR
18. XSOAR
19. Palo Alto Networks
20. SYSLOG Protocol
21. SYSMON (System Monitor)
22. NTP Protocol
23. Incident Response
24. Threat Hunting vs Threat Intelligence
25. SOC Prime
26. Firewall vs Proxy
27. MITRE ATT&CK
28. IOCs and TTPs, and how they relate to MITRE ATT&CK
29. Cyber Kill Chain
30. Wineventlog & Most Popular Event IDs
31. Pass-the-Hash (PtH) Attack
32. DNS Tunneling
33. Static vs Dynamic Malware Analysis
34. Session Hijacking
35. Log4Shell
36. DNS Security & DNS Sinkhole
37. Least Privilege Principle
38. Zero Trust Architecture (ZTA)
39. NIST Cybersecurity Framework
40. Memory Forensics
41. Container Security
42. Docker


1. GRC
GRC stands for:
Governance
This is all about how a company is run the right way. It means having clear rules and making smart decisions that help
the company reach its goals.
Risk Management
This is super important. It’s about spotting any risks the company might face, like money problems, legal issues, or
technical glitches, and finding ways to reduce or avoid them before they cause trouble.
Compliance
This means making sure the company follows all the rules and laws set by the government or other official groups.
Sometimes, it also means sticking to the company’s own rules to stay on the right track.
Example: Facebook (Meta) – Data Privacy Issue
Facebook faced a $5 billion fine from the Federal Trade Commission (FTC) due to non-compliance with privacy laws
following the Cambridge Analytica scandal.
If an effective GRC system had been in place, these risks could have been identified early and addressed before
escalating into a major crisis.

2. Red Team vs Pen testing

Red Team Testing is a type of security test where a group of experts (called the Red Team) tries to break into a company’s
system or network just like real hackers would. But don’t worry, they’re not bad guys! They work for the company or
are hired by it, and their goal is to find weaknesses before real attackers do.
Simple Example:
Imagine your house. You ask a skilled person to try to enter your house without a key. If they manage to get in (maybe
through a window or an unlocked door), they’ll tell you how they did it so you can fix the problem and make your house
safer.
Penetration Testing (Pen Testing) is when a security expert tries to find and exploit weaknesses in a system, network,
or website just like a hacker would, but in a safe and controlled way.
The goal is to see how easy (or hard) it is to break in, so the company can fix the problems before real hackers find
them.


3. Vulnerability Scan vs Vulnerability Assessment


The difference between a Vulnerability Scan and a Vulnerability Assessment lies in depth and level of detail. A
vulnerability scan is a quick, automated process that uses specialized tools to check systems and networks for known
security weaknesses, and it typically results in a simple list of potential vulnerabilities without any in-depth analysis.
On the other hand, a vulnerability assessment includes the scanning step but goes further by analyzing the results,
determining the severity and potential impact of each vulnerability, and providing clear recommendations for
remediation. In other words, scanning identifies the problems, while assessment explains them and guides you on how
to fix them.

4. Antivirus vs EDR
The difference between Antivirus and EDR is that antivirus works in a basic way — it looks for known viruses and
removes them, using a database of virus "signatures" to catch threats. On the other hand, EDR is smarter and stronger;
it constantly monitors the device, can detect strange or suspicious behavior, and catches new or advanced attacks even
if they aren’t known. EDR also gives you tools to take action quickly, like isolating the infected device and investigating
what happened. Antivirus runs automatically and doesn’t need much user input, while EDR needs skilled people to
manage and respond to threats. So, antivirus gives limited protection, while EDR offers deeper and broader security.
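The contrast in this section, signature matching versus behaviour monitoring, can be shown in a few dozen lines. The following is an added example written for this page, not code from the PSTS program or any vendor: the "signature database", the event schema, the rule thresholds and the telemetry are all constructed. The antivirus side flags a file only when its SHA-256 is already known, so a one-byte variant passes; the EDR side never looks at the file and instead fires on what the process does (a document spawning a shell, a mass rename sweep, an unusual outbound connection).

```python
import hashlib

# Constructed signature database: SHA-256 hashes of two made-up "known bad"
# byte strings standing in for real malware samples.
KNOWN_BAD_SAMPLES = [b"constructed-malware-sample-A", b"constructed-malware-sample-B"]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}


def antivirus_scan(file_bytes: bytes) -> bool:
    """Signature-style antivirus logic: the file is flagged only if its hash is
    already in the database. A one-byte variant of a known sample slips through."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


# Behaviour rules an EDR-style agent evaluates over endpoint telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
MASS_RENAME_THRESHOLD = 20


def edr_evaluate(events: list) -> list:
    """Behaviour-based detection over one process tree's event stream.

    Event schema (constructed for this example):
      {"type": "process_start", "parent": ..., "image": ...}
      {"type": "file_rename", "new_name": ...}
      {"type": "network_connect", "dst_port": ...}
    Returns the names of the rules that fired; an empty list means clean.
    """
    fired = []
    spawned_shell = False
    renames_to_locked = 0
    for ev in events:
        if ev["type"] == "process_start":
            if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS:
                fired.append("office_app_spawned_shell")
                spawned_shell = True
        elif ev["type"] == "file_rename":
            if ev["new_name"].lower().endswith(".locked"):
                renames_to_locked += 1
        elif ev["type"] == "network_connect":
            # A shell spawned by a document that then talks out on a non-web
            # port is a classic command-and-control pattern.
            if spawned_shell and ev["dst_port"] not in (80, 443):
                fired.append("shell_outbound_unusual_port")
    if renames_to_locked >= MASS_RENAME_THRESHOLD:
        fired.append("mass_file_rename")  # ransomware-like encryption sweep
    return fired


# Constructed telemetry: a document macro spawns PowerShell, which renames many
# files to *.locked and then opens a connection on a non-web port.
SUSPICIOUS_EVENTS = (
    [{"type": "process_start", "parent": "WINWORD.EXE", "image": "powershell.exe"}]
    + [{"type": "file_rename", "new_name": f"report{i}.docx.locked"} for i in range(25)]
    + [{"type": "network_connect", "dst_port": 4444}]
)

# Constructed benign telemetry: a browser started from the desktop, talking HTTPS.
BENIGN_EVENTS = [
    {"type": "process_start", "parent": "explorer.exe", "image": "chrome.exe"},
    {"type": "network_connect", "dst_port": 443},
]


def demo() -> dict:
    """Compare both approaches on a never-seen-before variant of a known sample."""
    variant = KNOWN_BAD_SAMPLES[0] + b"\x00"  # one extra byte defeats the hash match
    return {
        "av_known_sample": antivirus_scan(KNOWN_BAD_SAMPLES[0]),
        "av_variant": antivirus_scan(variant),
        "edr_suspicious": edr_evaluate(SUSPICIOUS_EVENTS),
        "edr_benign": edr_evaluate(BENIGN_EVENTS),
    }


if __name__ == "__main__":
    print(demo())
```

The point the section makes about skilled people is visible in the output: the EDR rules return names that an analyst still has to triage and act on (isolate, investigate), whereas the antivirus verdict is a simple yes/no.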

5. EDR vs XDR vs MDR

➢ 1. EDR (Endpoint Detection and Response)


• Focus on protecting endpoints like computers and laptops.
• It monitors, detects threats, and responds quickly if there’s an attack.
• It watches how the device behaves and needs a skilled team to manage it.
• Example: If the computer is under attack, EDR notices strange behavior, helps you isolate the
device, and gives you tools to investigate the attack.

➢ 2. XDR (Extended Detection and Response)


• Expands protection to cover everything: devices + network + servers + email, etc.
• It collects data from many sources and gives you a full view of threats across your entire system.
• It’s easier to manage because everything is in one place.
• Example: Not just the computer, your whole network and email are being watched. If there’s a
threat, XDR connects all the data and quickly identifies it.

➢ 3. MDR (Managed Detection and Response)

• Same idea as EDR or XDR, but with an external expert team managing it for you.
The company provides 24/7 monitoring, detects threats, and handles them without you needing
to do anything.
• Example: Instead of you monitoring and analyzing, a ready team handles everything and informs
you if there’s a threat and they take action fast.


6. Blue Team Solutions & Vendors

Blue Team solutions are the tools that help cybersecurity teams protect computers and networks from hackers. These
tools help spot threats, stop them, and respond fast if something bad happens. Some common examples include antivirus
programs, firewalls, EDR/XDR tools (which detect and stop advanced threats), and systems that watch the network and
analyze activity. Together they keep everything safe and catch problems early, before they cause damage.
Blue Team vendors are the companies that make and sell these security tools. Some of the big names in the industry
are:

• Palo Alto Networks: great for firewalls and full security systems
• Splunk: helps analyze logs and detect problems
• Cisco: offers tools for network security and more

7. SOC (Security Operations Center)

The SOC is the nerve center for cybersecurity in any company, and it is where SOC analysts work. They are key players
in cybersecurity, working as members of a dedicated Security Operations Center (SOC) team or facility. These
professionals are responsible for keeping an eye on potential threats, quickly identifying vulnerabilities, and
responding to security incidents. SOC analysts serve as the first line of defense against cyberattacks and help to keep
an organization's digital environment safe and secure.

8. SOC Layers
➢ Perimeter Security (First Line of Defense)
Like locks and fences for your digital world. This stops bad stuff (like hackers or viruses) from getting
into your system in the first place — using firewalls and antivirus.

➢ Network Monitoring
It watches everything moving in and out of your network and alerts you if something strange happens.
Example: think of it as security cameras for your internet.

➢ Device Protection (Endpoint Security)


Every computer, laptop, or phone is like a person with a bodyguard. This layer protects each device from
being hacked or infected.

➢ Logs (Record Keeping)


Everything that happens gets written down. This helps you go back and see exactly what happens if
something goes wrong.


9. SIEM (Security Information and Event Management)

This is the brain that collects all the info and logs from your systems, connects the dots, and tells you if something’s
not right, all in real time.

10. Threat Intelligence (Inside Info)

Like having a friend who tells you what the bad guys are planning. It brings in updates about new threats from
outside, so you can be ready before they hit.

11. Incident Response (Emergency Team)

If something bad happens, this is your emergency move. They jump in fast, stop the threat, and fix the damage.

12. Reports & Rules (Compliance)

This is the paperwork making sure everything is safe and follows the rules. Super useful when someone checks your
security or asks for reports.

13. False/True Classification in Cybersecurity

➢ True Positive (TP)


Real threat detected correctly
Example: A hacker tries to break in, and your system catches it (good job!)

➢ False Positive (FP)


Safe activity marked as a threat
Example: You open a normal file, but your system thinks it’s dangerous (false alarm).

➢ True Negative (TN)


No threat, and nothing is detected
Example: Everything is normal, and your system stays quiet (all good!)

➢ False Negative (FN)


Real threat missed by the system
Example: A virus sneaks in, but your system doesn’t notice (very bad!)
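The four classes above are what a SOC counts when it tunes a detection rule, and the counts turn into the numbers analysts argue about: precision (how many alerts were real), recall (how many real threats were caught) and the false positive rate (how often benign activity pages someone). The following is an added example, not part of the original document; the ten reviewed events are constructed, and the analyst's "was it a real threat" verdict is assumed to be available after the fact.

```python
from collections import Counter

# Constructed alert review sheet for one detection rule over ten events:
# each row is (alert_fired, real_threat) as decided by the analyst afterwards.
REVIEWED_EVENTS = [
    (True, True),     # hacker caught               -> TP
    (True, True),
    (True, True),
    (True, False),    # normal file flagged         -> FP
    (True, False),
    (False, True),    # virus sneaked in unnoticed  -> FN (the dangerous one)
    (False, False),   # quiet day                   -> TN
    (False, False),
    (False, False),
    (False, False),
]


def classify(alert_fired: bool, real_threat: bool) -> str:
    """Map one event to its confusion-matrix cell."""
    if alert_fired:
        return "TP" if real_threat else "FP"
    return "FN" if real_threat else "TN"


def confusion_counts(events) -> Counter:
    """Count TP/FP/FN/TN over a list of (alert_fired, real_threat) rows."""
    return Counter(classify(fired, threat) for fired, threat in events)


def metrics(counts: Counter) -> dict:
    """Rates a SOC looks at when deciding whether a rule is worth keeping."""
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))

    def ratio(a, b):
        return a / b if b else 0.0

    return {
        "precision": ratio(tp, tp + fp),            # of alerts raised, how many were real
        "recall": ratio(tp, tp + fn),               # of real threats, how many were caught
        "false_positive_rate": ratio(fp, fp + tn),  # how often benign activity causes an alert
        "accuracy": ratio(tp + tn, tp + fp + fn + tn),
    }


def evaluate_rule(events=REVIEWED_EVENTS) -> dict:
    """Full report for one rule: raw counts plus the derived rates."""
    counts = confusion_counts(events)
    return {"counts": dict(counts), **metrics(counts)}


if __name__ == "__main__":
    print(evaluate_rule())
```

Loosening a rule to catch the missed virus (fewer FN, higher recall) usually raises the FP count, which is why tuning is a trade-off rather than a one-time fix.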


14. SIEM
SIEM (Security Information and Event Management) is a smart tool that collects security data from across your
systems, analyzes it, and alerts you if something suspicious happens. It helps you see everything in one place, and it
gathers all the logs into one place so you can detect threats faster and respond quickly before any real damage
happens.

15. Top 5 SIEM Providers


➢ 1. Splunk
One of the most popular SIEMs. Known for powerful data analysis, real-time monitoring, and great
dashboards. Big companies love it.

➢ 2. IBM QRadar
Trusted by many large businesses. Offers strong threat detection and easy integration with other security
tools.

➢ 3. Microsoft Sentinel (formerly Azure Sentinel)


A cloud-based SIEM from Microsoft. Great if you’re already using Microsoft tools like Azure.

➢ 4. ArcSight (by Micro Focus)


Offers deep analytics and compliance features. Good for companies needing detailed reports and strong
rule-based monitoring.

➢ 5. LogRhythm
All-in-one SIEM that’s user-friendly and good for mid-sized companies. Offers strong threat detection
and response tools.

16. FortiSIEM

FortiSIEM is a security tool from Fortinet that helps companies monitor their systems and detect threats in real time.
It combines log analysis, performance monitoring, and security alerts all in one place. FortiSIEM is known for being
easy to use and can integrate smoothly with Fortinet products and many other tools. It’s a great choice for businesses
that want a complete and efficient security solution without too much complexity. It works well for small to medium-
sized companies and offers a good balance of power, simplicity, and cost.

17. SOAR
SOAR stands for Security Orchestration, Automation, and Response.
SOAR is a tool that helps cybersecurity teams save time by automating tasks, managing alerts, and responding to
threats faster and smarter.
Instead of doing everything manually, like checking alerts, sending emails, or isolating systems, SOAR can do many of
these actions automatically or guide the team through them quickly.


18. XSOAR
XSOAR is a specific SOAR product made by Palo Alto Networks.
The “X” stands for “Extended”, meaning it does more than plain SOAR. Palo Alto also includes case management,
threat intelligence, playbooks, and connections to lots of security tools to automate and manage everything from one
place.

19. Palo Alto Networks
Palo Alto Networks is one of the biggest and most trusted cybersecurity companies in the world. They make tools and
technology to protect companies from hackers, viruses, and cyber threats.
It’s like a digital security company that builds firewalls, cloud security, threat detection tools, and automation platforms
to keep everything safe, from computers to networks to cloud systems.

20. SYSLOG Protocol

A standard way for devices (like servers, routers, firewalls) to send logs (activity reports) to a central system. So,
everything that happens, like logins, errors, or attacks, can be recorded in one place for easy monitoring.
Example:
Your router has an issue → It sends a message via SYSLOG → You see it in your log system and can fix it.

21. SYSMON (System Monitor)

A Windows tool that watches your system closely and records important events, like process starts, file changes, or
network connections.
It shows what’s really going on inside your computer, which helps in detecting hackers or malware.

22. NTP Protocol
A protocol that keeps all your devices’ clocks accurate and in sync.
When investigating security events, time matters a lot. If your system times are not correct, you can’t understand
Example:
A hacker attacks at 2:00 PM → Thanks to NTP, all logs across all systems show the same time, making it easy to track
the attack.
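The two sections above, SYSLOG and NTP, meet in the log collector: it has to parse the lines devices send and put them on one clock before anyone can read the attack as a sequence. The following is an added example, not code from the original document or any syslog product. It parses both syslog formats (the BSD style with no year or timezone, and the RFC 5424 style with a full timestamp), converts every event to UTC, and sorts them. The year and per-host timezone used for the legacy lines, and the three sample lines themselves, are constructed assumptions; in the sample the firewall's local-time stamp reads three hours later than the other hosts, so the naive order is wrong and the UTC order is right.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed assumptions: the year that BSD-style lines (which carry no year)
# belong to, and the local UTC offset of hosts that send such lines.
LEGACY_YEAR = 2024
HOST_UTC_OFFSET_HOURS = {"fw01": 3}   # fw01 stamps lines in local time, UTC+03:00

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
# (a single structured-data element is handled; that is enough for this example)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[[^\]]*\])(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line: str) -> dict:
    """Parse one syslog line into a record whose timestamp is in UTC."""
    m = RFC5424.match(line)
    if m:
        ts = m.group("ts").replace("Z", "+00:00")   # fromisoformat wants an explicit offset
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        host, msg = m.group("host"), m.group("msg") or ""
    else:
        m = RFC3164.match(line)
        if not m:
            raise ValueError(f"not a syslog line: {line!r}")
        naive = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LEGACY_YEAR)
        offset = timedelta(hours=HOST_UTC_OFFSET_HOURS.get(m.group("host"), 0))
        when = naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
        host, msg = m.group("host"), m.group("msg")
    pri = int(m.group("pri"))
    return {
        "utc": when,
        "host": host,
        "facility": pri >> 3,   # e.g. 4 = auth, 20 = local4
        "severity": pri & 7,    # 0 = emergency ... 7 = debug
        "msg": msg,
    }


def build_timeline(lines) -> list:
    """Parse every line and order the events by their true (UTC) time."""
    return sorted((parse_syslog(line) for line in lines), key=lambda r: r["utc"])


# Constructed lines, in the order the collector received them.
SAMPLE_LINES = [
    "<34>Oct  5 09:30:17 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<165>1 2024-10-05T06:30:12.000Z web01 sshd 1234 - - Failed password for invalid user admin from 203.0.113.9 port 51234",
    "<165>1 2024-10-05T08:30:20+02:00 app01 auth - - - Accepted password for ops from 10.0.0.5",
]


if __name__ == "__main__":
    for rec in build_timeline(SAMPLE_LINES):
        print(rec["utc"].isoformat(), rec["host"], rec["msg"])
```

Without the offset table (or, in a real network, without NTP keeping fw01 honest) the firewall drop would appear three hours after the SSH attempts it actually preceded, which is exactly the confusion the NTP section warns about.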

23. Incident Response
Incident Response is how a company reacts when something bad happens in its digital world, like a hacker attack,
virus infection, or data leak.
It’s basically a step-by-step plan that helps the team detect the problem, stop it quickly, fix the damage, and make
sure it doesn’t happen again.


24. Threat Hunting vs Threat Intelligence


➢ Threat Intelligence
This is like getting info from the outside world about what bad guys (hackers) are doing, what attacks
they’re using, what tools, what tricks.
You collect data about threats, analyze it, and use it to prepare and defend your systems better.

➢ Threat Hunting
This is you going on a mission inside your own system — looking for signs that something bad is
already there but hiding.

25. SOC Prime
SOC Prime is a smart platform that helps cybersecurity teams, especially in Security Operations Centers (SOC), detect
threats faster and easier.
Instead of writing detection rules from scratch, SOC Prime gives you ready-made, constantly updated detection rules
created by experts from around the world.

26. Firewall vs Proxy
➢ Firewall

A firewall is like a security guard at the door of your network. It controls what’s allowed in and out, and
blocks anything dangerous.

• It checks data traffic and decides: "Should I let this in or block it?"
• It protects against hackers, malware, and attacks.
• It’s focused on security.

➢ Proxy

A proxy is more like a middleman between you and the internet.

When you want to visit a website, you go through the proxy first, and it then fetches the website for you.

• It helps with privacy (hides your real IP).


• Can filter content (block websites).
• Good for control, speed, and anonymity.


27. MITRE ATT&CK

MITRE ATT&CK is like a big cheat sheet of how hackers work.


It’s a framework (or guide) that shows all the tactics, techniques, and tools that attackers use when they
try to break into systems.

ATT&CK helps security teams understand how attacks happen, so they can detect and stop them better.

28. IOCs and TTPs, and how they relate to MITRE ATT&CK

IOCs (Indicators of Compromise) are like clues that show a system might have been hacked.
They are specific things you can see or detect, such as:

• A suspicious IP address
• A strange file name
• Unusual login time
• Unusual action

TTPs (Tactics, Techniques, and Procedures) are how hackers work: their habits, tricks, and patterns.
They’re more about how the attack is done, not just the clues.

Example:

• Tactic = Goal
• Technique = How they do it
• Procedure = The exact way a hacker uses phishing in a real attack.

TTPs help you understand and predict hacker behavior, so you can stop them early.

MITRE ATT&CK is all about TTPs. It’s a huge library of hacker behaviors (tactics and techniques)
collected from real-world attacks.

29. Cyber Kill Chain

The Cyber Kill Chain is a step-by-step model that shows how hackers attack systems, from the very
beginning of an attack all the way to stealing data or causing damage.

It helps security teams understand the hacker’s process, so they can spot and stop the attack at any stage.


30. Wineventlog & Most Popular Event IDs

Wineventlog is the Windows Event Log. It’s like a diary where your Windows computer writes down everything that
happens.
Every action, login, error, or warning gets recorded here with a special number called an Event ID, so it’s easy to track
what's going on. It helps to troubleshoot problems and lets you investigate incidents (who did what and when).
The most popular Event IDs: 4624, 4625, 4634, 4688, 4627, 4648, 1102, 4720, 4726, 4776
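Several of the Event IDs listed above become useful only when read in combination and in time order, which is what a SIEM correlation rule does. The following is an added example, not from the original document or from any SIEM: three small rules over a constructed stream of Security-log events, using 4625 (failed logon), 4624 (successful logon), 4720/4726 (account created/deleted) and 1102 (audit log cleared). The record schema is a deliberately simplified stand-in; real events carry these values in fields such as TargetUserName, IpAddress and LogonType plus many more. The thresholds and the sample events are assumptions chosen for the example.

```python
from datetime import datetime, timedelta


def ev(time: str, event_id: int, user: str, src_ip: str = "-") -> dict:
    """Build one simplified Security-log record (constructed schema)."""
    return {"time": datetime.fromisoformat(time), "event_id": event_id,
            "user": user, "src_ip": src_ip}


# Constructed event stream for one domain controller, already in time order.
SAMPLE_EVENTS = [
    ev("2024-10-05T06:30:01", 4625, "admin", "203.0.113.9"),          # failed logon
    ev("2024-10-05T06:30:02", 4625, "administrator", "203.0.113.9"),
    ev("2024-10-05T06:30:03", 4625, "root", "203.0.113.9"),
    ev("2024-10-05T06:30:04", 4625, "jsmith", "203.0.113.9"),
    ev("2024-10-05T06:30:05", 4625, "jsmith", "203.0.113.9"),
    ev("2024-10-05T06:30:09", 4624, "jsmith", "203.0.113.9"),         # ...then success
    ev("2024-10-05T06:35:00", 4720, "svc_tmp"),                       # account created
    ev("2024-10-05T06:41:00", 4726, "svc_tmp"),                       # same account deleted
    ev("2024-10-05T06:42:00", 1102, "jsmith"),                        # audit log cleared
    ev("2024-10-05T07:00:00", 4624, "alice", "10.0.0.5"),             # ordinary logon
]

FAILED_LOGON_THRESHOLD = 5                      # failures from one source...
FAILED_LOGON_WINDOW = timedelta(seconds=60)     # ...within this window before a success
SHORT_LIVED_ACCOUNT_WINDOW = timedelta(hours=1)  # created and deleted this fast is suspicious


def detect(events) -> list:
    """Run three correlation rules over the events; return finding strings."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    failures_by_ip = {}   # src_ip -> timestamps of 4625 events
    created_at = {}       # account -> time of its 4720 event
    for e in events:
        eid, t = e["event_id"], e["time"]
        if eid == 4625:
            failures_by_ip.setdefault(e["src_ip"], []).append(t)
        elif eid == 4624:
            # Success right after a burst of failures from the same source:
            # password guessing that eventually worked.
            recent = [f for f in failures_by_ip.get(e["src_ip"], [])
                      if t - f <= FAILED_LOGON_WINDOW]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                findings.append(f"brute_force_then_logon:{e['src_ip']}:{e['user']}")
        elif eid == 4720:
            created_at[e["user"]] = t
        elif eid == 4726:
            # An account that exists for less than an hour is often a
            # throwaway used to do something and hide the trail.
            c = created_at.get(e["user"])
            if c is not None and t - c <= SHORT_LIVED_ACCOUNT_WINDOW:
                findings.append(f"short_lived_account:{e['user']}")
        elif eid == 1102:
            # Clearing the Security log is rare in normal operation and
            # is itself worth an alert, whoever did it.
            findings.append(f"audit_log_cleared_by:{e['user']}")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Each finding names the source or account involved so the analyst can pivot straight to the related 4624/4634 session events for that user.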

31. Pass-the-Hash (PtH) Attack

A Pass-the-Hash attack is when a hacker steals a password “hash” (a scrambled, one-way form of a password) from one
computer and uses it to log into other systems — without ever needing the actual password.

32. DNS Tunneling
DNS Tunneling is when a hacker uses the DNS system (which is supposed to help you visit websites) to secretly send
or receive data like a hidden tunnel under the internet.
It’s a trick to bypass security and steal data or control systems without being noticed.
So, it hides data or commands inside these DNS requests, like smuggling secret messages inside normal internet traffic.

33. Static vs Dynamic Malware Analysis

In static analysis you study the malware without running it; you can find out what it’s supposed to do just by looking at
its structure.
In dynamic malware analysis you run the malware in a safe, controlled environment (sandbox) to watch what it does
in real time.

34. Session Hijacking

Session Hijacking is when a hacker takes over your online session; basically, they pretend to be you after you log into a
website or service.
They don’t need your password; they steal your session ID (a special token that websites use to remember you're logged
in) and then use it to access your account.
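Because the session ID is the thing being stolen, the defence is in how the server mints, stores and retires it. The following is an added example, not from the original document or any web framework: a deliberately weak session store (sequential, never-expiring IDs) next to a hardened one (random IDs, a fresh ID issued at login, idle timeout, server-side logout, and only a hash of the ID kept on the server). The cookie attribute string and the injectable clock are design choices assumed for the example.

```python
import hashlib
import itertools
import secrets
import time


class WeakSessionStore:
    """The vulnerable pattern: guessable sequential IDs that never rotate or expire."""

    def __init__(self):
        self._ids = itertools.count(1000)
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = str(next(self._ids))        # 1000, 1001, ... trivially predictable
        self._sessions[sid] = user
        return sid

    def get_user(self, sid: str):
        return self._sessions.get(sid)    # a stolen ID works forever


class HardenedSessionStore:
    """Random IDs, rotation at login, idle timeout, hashed storage, real logout."""

    # Sent with the Set-Cookie header: not readable by page scripts, never
    # sent over plain HTTP, not attached to cross-site requests.
    COOKIE_ATTRIBUTES = "HttpOnly; Secure; SameSite=Strict"

    def __init__(self, idle_timeout: int = 900, clock=time.time):
        self.idle_timeout = idle_timeout
        self._clock = clock                # injectable so expiry can be tested
        self._sessions = {}                # sha256(sid) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(sid: str) -> str:
        # Only the hash is stored: a copied session table contains no usable IDs.
        return hashlib.sha256(sid.encode()).hexdigest()

    def _create(self, user) -> str:
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._sessions[self._key(sid)] = {"user": user, "last_seen": self._clock()}
        return sid

    def start_anonymous(self) -> str:
        """Session for a visitor who has not logged in yet."""
        return self._create(None)

    def login(self, old_sid: str, user: str) -> str:
        """Issue a brand-new ID at login, so an ID handed to the victim
        beforehand (session fixation) never becomes an authenticated one."""
        self._sessions.pop(self._key(old_sid), None)
        return self._create(user)

    def get_user(self, sid: str):
        rec = self._sessions.get(self._key(sid))
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[self._key(sid)]   # expired: a stolen ID has a short useful life
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        # Invalidate on the server; deleting the cookie alone leaves the ID valid.
        self._sessions.pop(self._key(sid), None)
```

Rotation and expiry do not stop a theft that has already happened, but they shrink the window in which a stolen ID is useful, and the HttpOnly/Secure attributes close the two commonest ways the ID leaks in the first place.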

35. Log4Shell
Log4Shell is a dangerous security flaw found in Log4j, which is a popular logging tool used by millions of websites,
apps, and servers to record activity (like errors and system events).
The problem was that hackers could easily take control of a system by sending a simple, specially crafted message — and
Log4j would accidentally run it, giving the hacker access.


36. DNS Security & DNS Sinkhole


DNS Security = Protecting the system that helps you visit websites (DNS). Hackers can abuse DNS to redirect you to
fake sites or steal data.
DNS Sinkhole = A trick where bad traffic is sent to a fake, safe IP (like a digital trap), so malware can’t reach the hacker,
and you can track and block it.
Simple Example: DNS Sinkhole is like sending a thief to a fake house, so you can catch them.
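The DNS Tunneling section (32) and the DNS Sinkhole section above describe the two halves of one defensive loop: spot the domain that is being used as a tunnel, then answer queries for it with a trap address and note which client asked. The following is an added example, not from the original document or any DNS product. The query log, the zone data, the sinkhole address and the detection thresholds are all constructed; the long hex labels are generated from sha256 purely to stand in for encoded payload chunks. Detection looks for a registered domain with many unique, long, high-entropy subdomains, which is how tunnelled data tends to look in a resolver log.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log: (client, qname, qtype). One client is sending
# encoded chunks as subdomains of a single domain; the rest is ordinary browsing.
TUNNEL_DOMAIN = "tunnel-example.test"
QUERY_LOG = [
    ("10.0.0.7", "www.example.com", "A"),
    ("10.0.0.7", "mail.example.com", "A"),
    ("10.0.0.9", "cdn.example.net", "A"),
]
QUERY_LOG += [
    ("10.0.0.7", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + "." + TUNNEL_DOMAIN, "TXT")
    for i in range(12)
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking hex scores well above normal hostnames."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification for the example: last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_candidates(log, min_unique=5, min_label_len=20, min_entropy=3.0) -> dict:
    """Flag registered domains whose subdomains look like encoded payload:
    many distinct, long, high-entropy labels. Returns domain -> statistics."""
    subs = defaultdict(set)
    for _client, qname, _qtype in log:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        if sub:
            subs[dom].add(sub)
    flagged = {}
    for dom, labels in subs.items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(labels),
                            "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


# Constructed sinkhole target (an internal listener that accepts and logs the
# connection) and a tiny constructed zone for the benign names.
SINKHOLE_IP = "10.255.255.1"
ZONE = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.11",
        "cdn.example.net": "192.0.2.20"}


class SinkholeResolver:
    """Answers blocklisted domains with the trap address and records who asked."""

    def __init__(self, blocklist):
        self.blocklist = set(blocklist)
        self.hits = []          # (client, qname): the client is the likely infected host

    def resolve(self, client: str, qname: str):
        if registered_domain(qname) in self.blocklist:
            self.hits.append((client, qname))
            return SINKHOLE_IP
        return ZONE.get(qname)


if __name__ == "__main__":
    bad = find_tunnel_candidates(QUERY_LOG)
    resolver = SinkholeResolver(bad)
    for client, qname, _ in QUERY_LOG:
        resolver.resolve(client, qname)
    print(bad, resolver.hits[:2])
```

The resolver's hit list is the "track and block it" part of the section: every sinkholed answer tells you which internal machine tried to reach the tunnel endpoint, which is the host to isolate next.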

37. Least Privilege Principle


Only give people the access they really need, nothing more. (If someone just needs to read a file, don’t let them edit or
delete it.)

38. Zero Trust Architecture (ZTA)

Trust no one, verify everything, even inside your own network.
Just because a device or user is “inside” doesn’t mean they’re safe.
So always verify identity, check permissions, and monitor activity all the time.
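Sections 37 and 38 above fit together as one access decision: least privilege says what a role may do, and zero trust says the check runs on every request regardless of where it comes from. The following is an added example, not from the original document or any identity product: a perimeter-style decision that trusts anything "inside", next to a zero-trust decision that checks identity (with MFA), device health and the role's permissions, and logs every outcome. The users, devices, roles and the particular checks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed identity, device and permission data.
ROLE_PERMISSIONS = {
    "reader": {"read"},                       # least privilege: a reader cannot edit or delete
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}
USERS = {
    "alice": {"role": "reader", "mfa_verified": True},
    "bob": {"role": "admin", "mfa_verified": False},
}
DEVICES = {
    "lap-01": {"managed": True, "patched": True},
    "byod-7": {"managed": False, "patched": True},
}


@dataclass
class Request:
    user: str
    device: str
    action: str
    resource: str
    network: str        # "internal" or "external"


def perimeter_decision(req: Request) -> str:
    """The old model: whoever is already on the internal network is trusted."""
    return "allow" if req.network == "internal" else "deny"


def zero_trust_decision(req: Request) -> tuple:
    """Every request is checked: who, on which device, for which permission.
    Returns (decision, reason). Network location never grants access by itself."""
    user = USERS.get(req.user)
    if user is None:
        return "deny", "unknown user"
    if not user["mfa_verified"]:
        return "deny", "identity not strongly verified (no MFA)"
    device = DEVICES.get(req.device)
    if device is None or not (device["managed"] and device["patched"]):
        return "deny", "device not trusted (unmanaged or unpatched)"
    allowed = ROLE_PERMISSIONS.get(user["role"], set())
    if req.action not in allowed:
        return "deny", f"least privilege: role {user['role']} lacks '{req.action}'"
    return "allow", "identity, device and permission all verified"


AUDIT_LOG = []   # "monitor activity all the time": every decision is recorded


def authorize(req: Request) -> str:
    decision, reason = zero_trust_decision(req)
    AUDIT_LOG.append((req.user, req.device, req.action, req.resource, decision, reason))
    return decision


if __name__ == "__main__":
    for req in [Request("alice", "lap-01", "read", "report.pdf", "internal"),
                Request("alice", "lap-01", "delete", "report.pdf", "internal"),
                Request("bob", "lap-01", "delete", "report.pdf", "internal"),
                Request("alice", "byod-7", "read", "report.pdf", "internal")]:
        print(req.user, req.action, perimeter_decision(req), zero_trust_decision(req))
```

Note the two cases where the models disagree: the admin without MFA on the internal network is allowed by the perimeter and denied by zero trust, while the verified reader on a managed laptop is allowed from outside the network because nothing about the request depends on being "inside".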

39. NIST Cybersecurity Framework


A guide created by the U.S. government (NIST) to help organizations stay secure.
Simple Idea: A roadmap to build strong cybersecurity from start to finish.

40. Memory Forensics
Looking at a computer’s RAM (memory) to find hidden threats, like malware running secretly.
Because some viruses only live in memory and don’t leave files, memory forensics helps find them.

41. Container Security
Containers (like Docker) are used to run apps.
Container Security = Protecting apps inside containers from being hacked.
Goal: Make sure apps are safe, isolated, and can’t be used to break into the system.

42. Docker
Docker is a tool that lets you run apps in containers, like little isolated boxes. We use it because it’s easy to move apps
between systems, there’s no need to install everything again, and it keeps things organized and fast.
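The Container Security goal stated in section 41, that an app inside a container "can't be used to break into the system", depends largely on how the image is built. The following is an added example, not from the original document or from Docker: a small checker that reads a Dockerfile and reports three common weak settings, shown against a constructed weak Dockerfile and its corrected version. The three rules (unpinned base image tag, ADD where COPY suffices, and no non-root USER) are the checks chosen for this example; real linters cover many more.

```python
# Constructed Dockerfiles: one with common weak settings, one corrected.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD . /app
WORKDIR /app
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt \\
    && useradd --system --no-create-home appuser
USER appuser
CMD ["python", "app.py"]
"""


def check_dockerfile(text: str) -> list:
    """Return the weaknesses found in a Dockerfile (empty list = no findings)."""
    findings = []
    lines = [line.strip() for line in text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    user_lines = [line for line in lines if line.upper().startswith("USER ")]
    for line in lines:
        upper = line.upper()
        if upper.startswith("FROM "):
            image = line.split()[1]
            # 'latest' or no tag at all: every rebuild pulls whatever is current,
            # so the image contents are not reproducible or reviewable.
            if ":" not in image or image.endswith(":latest"):
                findings.append(f"unpinned_base_image:{image}")
        if upper.startswith("ADD "):
            # ADD also fetches remote URLs and auto-extracts archives; COPY
            # does only the one thing a build usually needs.
            findings.append("add_instead_of_copy")
    # Without a USER line the app runs as root inside the container, so a
    # compromised app already has root for any escape attempt.
    if not user_lines or user_lines[-1].split()[1] in ("root", "0"):
        findings.append("runs_as_root")
    return findings


if __name__ == "__main__":
    print("weak:", check_dockerfile(WEAK_DOCKERFILE))
    print("hardened:", check_dockerfile(HARDENED_DOCKERFILE))
```

Running the checker as a pre-build step is the usual way to enforce these rules; a non-empty finding list fails the build before the image ever reaches a host.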
