Sign In Start Free Trial
Account

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Effective Threat Investigation for SOC Analysts
  • Table Of Contents Toc
  • Feedback & Rating feedback
Effective Threat Investigation for SOC Analysts

Effective Threat Investigation for SOC Analysts

By : Mostafa Yahia
4.8 (21)
close
close
Effective Threat Investigation for SOC Analysts

Effective Threat Investigation for SOC Analysts

4.8 (21)
By: Mostafa Yahia

Overview of this book

Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It's a crucial skill for SOC analysts, enabling them to analyze different threats and identify security incident origins. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills. The book begins by explaining phishing and email attack types and how to detect and investigate them, along with Microsoft log types such as Security, System, PowerShell, and their events. Next, you’ll learn how to detect and investigate attackers' techniques and malicious activities within Windows environments. As you make progress, you’ll find out how to analyze the firewalls, flows, and proxy logs, as well as detect and investigate cyber threats using various security solution alerts, including EDR, IPS, and IDS. You’ll also explore popular threat intelligence platforms such as VirusTotal, AbuseIPDB, and X-Force for investigating cyber threats and successfully build your own sandbox environment for effective malware analysis. By the end of this book, you’ll have learned how to analyze popular systems and security appliance logs that exist in any environment and explore various attackers' techniques to detect and investigate them with ease.
Table of Contents (22 chapters)
close
close
1
Part 1: Email Investigation Techniques
4
Part 2: Investigating Windows Threats by Using Event Logs
10
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
15
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats

Investigating C&C and exfiltration attacks

C&C or command and control is when the attacker’s server communicates with the victim’s machine by either configuring malware installed on the victim’s machine to send reverse shell to the attacker C&C server or exploiting a service run by the victim, such as the SSH or Telnet services, to send instructions and commands to be executed on the victim’s machine. Exfiltration is when an attacker collects needed and valuable data and decides to transfer it to their server by using either the same C&C channel or another channel.

As we mentioned in the previous chapter, the firewall is positioned between the LAN (internal network) zone and the WAN (internet) zone. In the case of C&C or exfiltration attacks, the victim’s machine exists in the LAN zone and the attacker’s server exists in the WAN zone. See Figure 9.6:

Figure 9.6 – Firewall positions between an attacker’s C&C server and its victim

Figure 9.6 – Firewall positions between...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected

Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY