Day 2: Understanding SOC, SOC Team & Cyber Kill Chain
What is a SOC: Deep Explanation (Simple & Clear)
A SOC (Security Operations Center) is a 24/7 digital security control room for a company.
Think of it like this:
A shopping mall has:
- CCTV cameras
- Security guards
- Control room
- Incident response team
A company's SOC has:
- Monitoring tools
- SOC Analysts (L1, L2, L3)
- Incident Response team
- Threat Intelligence team
SOC = Digital safety headquarters.
SOC Team Structure (Explained in simple words)
1. L1: SOC Analyst (Junior)
Role:
- Watch alerts
- Identify suspicious activity
- Escalate to L2
Simple example:
You see 30 failed password attempts against one account from the same IP within a few minutes, so you escalate the issue.
2. L2: Senior SOC Analyst
Role:
- Deep investigation
- Log correlation
- Validate incidents (true positive or false positive)
- Suggest containment steps
Simple example:
L2 checks logs from the firewall, server and VPN, and confirms the attacker's IP is malicious.
3. L3: Expert SOC Analyst / Threat Hunter
Role:
- Advanced threat hunting
- Malware analysis
- Forensics
- Writing complex detection rules
Example:
L3 finds out the attacker used a new technique and writes a detection rule so the SIEM catches it next time.
4. Incident Response (IR) Team
Role:
- Contain the attack
- Block attacker
- Recover systems
Example:
They isolate an infected system from the network.
5. Threat Intelligence Team
Role:
- Research new attacks
- Provide IOCs (bad IPs, domains, hashes)
- Update detection rules
How SOC Monitoring Works (Explained for Beginners)
Step-by-step (Easy Example):
- User logs in at midnight from another country (unusual for this user)
- SIEM correlation rule creates an alert
- L1 sees the alert and flags it as suspicious
- L2 investigates the logs (auth, firewall, VPN, threat-intel feed) and confirms it's unauthorized
- IR team blocks the attacker's IP, terminates the session and resets the password
- L3 writes a new rule to improve detection next time
This is the SOC workflow.
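To make the workflow concrete, here is an added example (not code from the original page): a toy SIEM written in Python. It implements the two detections from this page, the L1 "30 wrong passwords" case and the "midnight login from another country" case, as rules over constructed auth log lines, then performs the L2 enrichment step by correlating the source IP across constructed firewall and VPN logs and a constructed threat-intel IOC list. The log format, usernames, IPs, countries, thresholds and off-hours window are all assumptions chosen for the example.

```python
"""
Toy SIEM: two detection rules over auth logs plus L2-style enrichment.
Every log line, IP, user and threshold below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# --- Constructed sample data (hypothetical users, IPs, countries) ----------

def build_auth_log():
    """30 failed logins then a success for alice from Brazil at ~02:03 UTC,
    plus normal daytime activity from India for other users."""
    lines = [
        f"2024-05-01T02:03:{i:02d}Z auth user=alice src=203.0.113.9 country=BR result=fail"
        for i in range(30)
    ]
    lines += [
        "2024-05-01T02:05:40Z auth user=alice src=203.0.113.9 country=BR result=success",
        "2024-05-01T09:15:02Z auth user=bob src=198.51.100.4 country=IN result=success",
        "2024-05-01T10:02:17Z auth user=carol src=198.51.100.7 country=IN result=fail",
        "2024-05-01T10:02:30Z auth user=carol src=198.51.100.7 country=IN result=success",
    ]
    return lines

FIREWALL_LOG = [  # constructed
    "2024-05-01T02:02:58Z fw action=allow src=203.0.113.9 dst=10.0.0.5 dport=443",
    "2024-05-01T09:14:55Z fw action=allow src=198.51.100.4 dst=10.0.0.5 dport=443",
]
VPN_LOG = [  # constructed
    "2024-05-01T02:05:41Z vpn event=tunnel-up user=alice src=203.0.113.9",
]
IOC_IPS = {"203.0.113.9", "192.0.2.77"}   # constructed threat-intel feed of bad IPs

HOME_COUNTRIES = {"IN"}                    # assumption: where staff normally log in from
FAILED_LOGIN_THRESHOLD = 10                # assumption: tune per environment
OFF_HOURS = (time(0, 0), time(6, 0))       # assumption: 00:00-06:00 UTC is unusual

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)

def parse_auth(lines):
    """Turn raw auth lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def rule_brute_force(events, threshold=FAILED_LOGIN_THRESHOLD):
    """L1 example: many failed passwords for one user from one source IP."""
    fails = defaultdict(int)
    for ev in events:
        if ev["result"] == "fail":
            fails[(ev["user"], ev["src"])] += 1
    return [
        {"rule": "brute_force", "user": u, "src": s, "count": n}
        for (u, s), n in fails.items() if n >= threshold
    ]

def rule_unusual_login(events):
    """Workflow example: successful login during off-hours from a non-home country."""
    alerts = []
    for ev in events:
        off_hours = OFF_HOURS[0] <= ev["ts"].time() < OFF_HOURS[1]
        if ev["result"] == "success" and off_hours and ev["country"] not in HOME_COUNTRIES:
            alerts.append({"rule": "unusual_login", "user": ev["user"],
                           "src": ev["src"], "country": ev["country"]})
    return alerts

def enrich(alert):
    """L2 step: correlate the source IP across firewall/VPN logs and the IOC feed,
    then assign a severity an analyst can escalate on."""
    src = alert["src"]
    # exact token match so 203.0.113.9 does not match 203.0.113.99
    seen_in = [name for name, log in (("firewall", FIREWALL_LOG), ("vpn", VPN_LOG))
               if any(f"src={src}" in line.split() for line in log)]
    alert["seen_in"] = seen_in
    alert["ioc_match"] = src in IOC_IPS
    alert["severity"] = "high" if alert["ioc_match"] or len(seen_in) >= 2 else "medium"
    return alert

def run_siem(auth_lines=None):
    """Run both rules and enrich every hit; returns the alert queue L1 would see."""
    events = parse_auth(build_auth_log() if auth_lines is None else auth_lines)
    alerts = rule_brute_force(events) + rule_unusual_login(events)
    return [enrich(a) for a in alerts]

if __name__ == "__main__":
    for alert in run_siem():
        print(alert)
```

Running it produces two alerts for alice, both from 203.0.113.9: a brute_force alert with count 30 and an unusual_login alert for a 02:05 UTC login from BR. Enrichment finds the same IP in the firewall and VPN logs and in the IOC feed, so both are marked high severity; bob's daytime login from IN and carol's single failure produce nothing. A real SIEM would also alert on parse failures instead of silently dropping them.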
Cyber Kill Chain (Day 2 Key Topic)
The Cyber Kill Chain (Lockheed Martin's seven-stage model) explains how attackers plan and execute attacks.
We teach it to understand the attack lifecycle: the earlier a stage is detected, the less damage the attacker can do.
1. Reconnaissance: Attacker studies the target
Example:
Checking LinkedIn profile of employees, scanning open ports.
2. Weaponization: Preparing the attack
Example:
Creating a malware file or phishing email.
3. Delivery: Sending the attack
Example:
Sending malicious email attachment.
4. Exploitation: Attack is executed
Example:
User opens the attachment or clicks the link and the malicious code runs.
5. Installation: Malware installs itself
Example:
Malware hides in system files and sets up persistence (for example, a startup entry) so it survives a reboot.
6. Command & Control (C2): Malware calls home
Example:
The infected device connects back to the attacker's server, and the attacker controls it remotely.
7. Actions on Objectives: Attacker achieves the goal
Example:
Data theft, ransomware, deleting files, etc.
Simple Real-World Example of Entire Kill Chain
"An employee receives a fake Amazon refund email with an attachment."
- Recon: Attacker finds employee email
- Weaponize: Creates malicious PDF
- Delivery: Sends email
- Exploit: User opens PDF
- Install: Malware downloads
- C2: Attacker controls PC
- Objective: Attacker steals data
This is how attackers operate, and SOC Analysts stop them.
Day 2 Activity for Students
Ask them to list:
- One real-life example for each Kill Chain stage
(Example: Delivery = phishing mail)
Day 2 Homework
Google and write:
"Famous phishing attack cases in India."
Note down:
- What happened?
- Who was targeted?
Trainer Script for Day 2
You can read this during class:
"SOC is like a security control room.
L1, L2, L3 all have different responsibilities, just like security staff in a mall.
Cyber Kill Chain teaches us how hackers attack step by step.
If we know their steps, we can stop them early.
Today, you understood how SOC teams work and how attacks happen in real life."