Learned about IP addresses, MAC addresses and ARP protocol. Understood the difference between OSI Layer 2 and Layer 3.
TryHackMe
Module 2 · Network Fundamentals
Intro to LAN
Explored Star and Bus topologies, VLAN segmentation and the DHCP DORA process. Understood Router vs Switch differences.
Google Cybersecurity
Course 1
Foundations of Cybersecurity
Core security concepts, CIA Triad, NIST frameworks, and the history of cybersecurity. Introduction to security domains.
Google Cybersecurity
Course 2
Play It Safe: Manage Security Risks
Security frameworks, risk management, SIEM tools and security audits. Understanding threats, vulnerabilities and risks.
Google Cybersecurity
Course 3
Networks and Network Security
Network architecture, protocols, TCP/IP model, firewalls, VPNs and common network attacks like DDoS and packet sniffing.
Google Cybersecurity
Course 4
Tools of the Trade: Linux and SQL
Linux command line, file permissions, process management and SQL queries for security log analysis and database filtering.
Google Cybersecurity
Course 5
Assets, Threats, and Vulnerabilities
Asset classification, threat modeling, vulnerability assessment and attack surface analysis. OWASP Top 10 overview.
Google Cybersecurity
Course 6
Sound the Alarm: Detection and Response
Incident response lifecycle, IDS/IPS, Suricata rules, SIEM log analysis and alert triage. Network traffic analysis with Wireshark.
Google Cybersecurity
Course 7
Automate Cybersecurity Tasks with Python
Python scripting for security automation — parsing logs, working with files, regular expressions and building security tools.
Google Cybersecurity
Course 8
Put It to Work: Prepare for Cybersecurity Jobs
Escalation procedures, stakeholder communication, security mindset and how to handle security incidents professionally.
TryHackMe · Module 1
Defensive Security Intro
SOC (Security Operations Center) is a team that works 24/7 to detect threats and respond to incidents. SOC analysts use SIEM tools to collect logs, write correlation rules, and detect anomalies.
Threat Intelligence involves analyzing attackers' TTPs (Tactics, Techniques, Procedures) to anticipate future attacks. IOCs (Indicators of Compromise) — IP addresses, domains, file hashes — are the core building blocks of threat intel.
DFIR (Digital Forensics and Incident Response) is the process of collecting evidence and understanding how a system was compromised after an attack. Chain of custody is critical to maintaining the integrity of digital evidence.
Malware Analysis comes in two forms: Static analysis (examining a sample without executing it: strings, hashes, PE headers) and Dynamic analysis (running it in a sandbox to observe its behavior).
SOC · SIEM · DFIR · Threat Intel · Malware Analysis
TryHackMe · Module 1
Offensive Security Intro
In this room I used Gobuster to perform a directory brute-force attack against a web application. Gobuster uses a wordlist to discover hidden directories and files on a web server.
Paths like /admin, /secret, and /backup can be discovered this way. Using a black-box testing approach, I started with zero knowledge of the target and performed surface-level reconnaissance.
The goal of offensive security is to find vulnerabilities before attackers do — which in turn strengthens the blue team's defensive strategy. Thinking like an attacker is a SOC analyst's strongest weapon.
Gobuster · Brute-force · Recon · Black-box
TryHackMe · Module 1
Careers in Cyber
Cybersecurity career paths include: SOC Analyst (L1/L2/L3), Penetration Tester, Red Team Operator, Security Engineer, Malware Analyst, Threat Intelligence Analyst, and DFIR Specialist.
A SOC L1 Analyst performs alert triaging — prioritizing alerts from SIEM, filtering false positives, and escalating real threats to L2. L2 performs deeper analysis, while L3 focuses on threat hunting and proactive defense.
My legal background gives me an edge in compliance (GDPR, HIPAA, PCI-DSS) and chain of custody. In digital forensics, the legal validity of evidence is just as important as technical skill.
My goal: start as a SOC L1 Analyst and progressively move toward L2/L3 over time.
SOC Analyst · Career · Compliance · Blue Team
TryHackMe · Module 2
What is Networking?
A network is a system where two or more devices are connected to share data. IP addresses operate at OSI Layer 3 (Network Layer) and provide logical addressing.
IPv4 addresses are 32 bits long, while IPv6 addresses are 128 bits. IPv4 provides approximately 4.3 billion addresses; IPv6 was developed to overcome this limitation.
A MAC address provides physical addressing at OSI Layer 2 (Data Link Layer) and is embedded in the NIC (Network Interface Card). It is 48 bits long and displayed in hexadecimal: 00:1A:2B:3C:4D:5E
ARP (Address Resolution Protocol) translates IP addresses to MAC addresses. When a device wants to communicate, it first sends an ARP broadcast: "Who has 192.168.1.1? Tell 192.168.1.5"
IP · MAC · ARP · IPv4 · IPv6 · OSI
TryHackMe · Module 2
Intro to LAN
LAN topologies: In Star topology, all devices connect to a central switch — the single point of failure is the switch, but management is easy. In Bus topology, all devices share a single backbone cable with high collision risk.
VLAN (Virtual LAN) logically segments a physical network. For example, the IT and Finance departments can be isolated in different VLANs even if connected to the same physical switch. This is critical for both security and traffic management.
Router vs Switch: A switch operates at OSI Layer 2 and forwards frames based on MAC address tables. A router operates at Layer 3 and uses a routing table to direct packets between different networks.
The CIA Triad is the foundation of cybersecurity: Confidentiality (only authorized users access data), Integrity (data is not altered), and Availability (systems are accessible when needed).
NIST Cybersecurity Framework (CSF) consists of five core functions: Identify → Protect → Detect → Respond → Recover. It provides organizations a structured approach to managing cybersecurity risk.
The 8 CISSP Security Domains cover the full scope of security: Security & Risk Management, Asset Security, Security Architecture, Communication & Network Security, Identity & Access Management, Security Assessment, Security Operations, and Software Development Security.
Common attack types include: Phishing, Malware, Social Engineering, SQL Injection, and Man-in-the-Middle attacks. Understanding attacker motivations — financial gain, espionage, hacktivism — helps in threat modeling.
CIA Triad · NIST · CISSP Domains · Frameworks
Google Cybersecurity · Course 2
Play It Safe: Manage Security Risks
Risk management involves identifying, assessing, and mitigating risks. Risk = Likelihood × Impact. Organizations use risk registers to track and prioritize risks.
Security frameworks like NIST RMF (Risk Management Framework) and ISO 27001 provide structured approaches to managing information security. NIST RMF steps: Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor.
Security audits evaluate whether security controls meet organizational standards and compliance requirements. Internal audits focus on identifying gaps; external audits verify compliance with regulations like GDPR, HIPAA, or PCI-DSS.
SIEM tools like Splunk and Chronicle aggregate and analyze log data from multiple sources. They generate alerts based on correlation rules and help analysts identify suspicious patterns.
Risk Management · NIST RMF · SIEM · Compliance · Audit
Google Cybersecurity · Course 3
Networks and Network Security
The TCP/IP model has four layers: Network Access (physical transmission) → Internet (IP addressing, routing) → Transport (TCP/UDP, ports) → Application (HTTP, DNS, FTP). Unlike OSI's 7 layers, TCP/IP is the practical model used in real networks.
Common network attacks: DDoS (flooding a system with traffic to disrupt availability), Packet Sniffing (intercepting unencrypted network traffic), IP Spoofing (forging the source IP to impersonate a trusted host), and On-path attacks (intercepting communications between two parties).
Firewalls filter traffic based on rules — stateless firewalls check individual packets, while stateful firewalls track active connections. Next-Generation Firewalls (NGFW) add deep packet inspection and application awareness.
VPNs encrypt traffic and create a secure tunnel between the client and server using protocols like WireGuard or OpenVPN, protecting data from interception on untrusted networks.
TCP/IP · DDoS · Firewall · VPN · Packet Sniffing
Google Cybersecurity · Course 4
Tools of the Trade: Linux and SQL
Linux is the dominant OS in cybersecurity environments. Key commands for security analysts: grep (search log files), find (locate files), chmod/chown (manage permissions), ps aux (view running processes), netstat -tulnp (check open ports).
File permissions in Linux use rwx format: -rwxr-xr-- means owner has read/write/execute, group has read/execute, others have read only. Permission management is critical for the principle of least privilege.
SQL is essential for querying log databases. Key queries: SELECT * FROM logs WHERE severity = 'HIGH', using WHERE, AND/OR, LIKE, and JOIN to filter and correlate security events across tables.
SQL injection attacks exploit unsanitized user input. Understanding SQL helps analysts both detect injection attempts in logs and understand why input validation is critical.
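The two points above (querying a logs table, and why unsanitized input matters) side by side, as an added example that is not part of the course material: a constructed in-memory SQLite logs table, the string-concatenated query beside its parameterized form, and a crude log-side heuristic for spotting injection-shaped parameter values. The table schema, sample rows and the `looks_like_injection` helper are assumptions made for this example.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """In-memory logs table with constructed rows (not data from the course)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, severity TEXT, username TEXT, msg TEXT)")
    conn.executemany(
        "INSERT INTO logs (severity, username, msg) VALUES (?, ?, ?)",
        [("HIGH", "alice", "failed login"), ("HIGH", "root", "failed login"),
         ("LOW", "bob", "login ok"), ("MEDIUM", "carol", "password changed")],
    )
    return conn

def query_unsafe(conn: sqlite3.Connection, severity: str) -> list[tuple]:
    """Vulnerable: the caller's value is pasted into the SQL text, so quote
    characters in it become SQL syntax instead of data."""
    sql = f"SELECT id, severity, username FROM logs WHERE severity = '{severity}'"
    return conn.execute(sql).fetchall()

def query_safe(conn: sqlite3.Connection, severity: str) -> list[tuple]:
    """Hardened: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT id, severity, username FROM logs WHERE severity = ?"
    return conn.execute(sql, (severity,)).fetchall()

# Classic tautology payload of the kind an analyst sees in web server logs.
INJECTED = "HIGH' OR '1'='1"

# Crude log-side heuristic (assumed, not from the course): a quote followed by
# a boolean keyword, or a comment / statement separator, inside a value that
# should be a plain word such as a severity level.
INJECTION_HINT = re.compile(r"'\s*(or|and)\s|--|;|/\*", re.IGNORECASE)

def looks_like_injection(value: str) -> bool:
    """True when a logged parameter carries SQL syntax rather than plain data."""
    return INJECTION_HINT.search(value) is not None

if __name__ == "__main__":
    conn = build_db()
    print(query_safe(conn, "HIGH"))        # the 2 HIGH rows
    print(query_unsafe(conn, INJECTED))    # all 4 rows leak
    print(query_safe(conn, INJECTED))      # []
    print(looks_like_injection(INJECTED))  # True
```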
Linux · SQL · CLI · Permissions · Log Analysis
Google Cybersecurity · Course 5
Assets, Threats, and Vulnerabilities
Asset classification categorizes assets by sensitivity: Public, Internal, Confidential, Restricted. Each level requires different security controls. An asset inventory is the foundation of any security program.
Threat modeling frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) help identify potential attack vectors against a system.
Vulnerability management involves identifying, scoring (using CVSS), and remediating vulnerabilities. CVEs (Common Vulnerabilities and Exposures) are publicly disclosed vulnerabilities tracked in the NVD (National Vulnerability Database).
OWASP Top 10 covers the most critical web application risks: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, and more. Essential knowledge for any security analyst.
Threat Modeling · STRIDE · CVSS · OWASP · CVE
Google Cybersecurity · Course 6
Sound the Alarm: Detection and Response
The Incident Response Lifecycle (NIST): Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity. Each phase has specific tasks and documentation requirements.
IDS vs IPS: An IDS (Intrusion Detection System) monitors and alerts on suspicious activity without blocking. An IPS (Intrusion Prevention System) actively blocks malicious traffic. Suricata is an open-source IDS/IPS that uses rule-based detection.
Wireshark captures and analyzes network packets. Key filters: ip.addr == 192.168.1.1, tcp.port == 443, http.request.method == "POST". Following TCP streams reveals full communication between hosts.
IDS/IPS · Suricata · Wireshark · Incident Response · NIST
Google Cybersecurity · Course 7
Automate Cybersecurity Tasks with Python
Python for security automation reduces manual work and speeds up analysis. Core skills: file I/O for log parsing, string manipulation, and working with structured data formats like JSON and CSV.
Regular expressions (import re) are essential for extracting data from logs. Example: re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', log) extracts all IP addresses from a log file.
Example log parser: reading a log file, filtering lines containing "FAILED", extracting timestamps and usernames, and counting failed login attempts per user — all automated with ~20 lines of Python.
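The parser described above, written out as an added example (not the course's own script): it filters FAILED lines, pulls the timestamp, username and source IP with named regex groups, counts failures per user and flags users over a threshold. It goes one step beyond the course's `\d{1,3}` pattern by rejecting matches whose octets fall outside 0-255. The log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the course); the line format is assumed:
# "<YYYY-MM-DD HH:MM:SS> <host> sshd[<pid>]: <STATUS> login for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01 08:12:01 host1 sshd[1201]: FAILED login for alice from 10.0.0.5
2024-03-01 08:12:07 host1 sshd[1201]: FAILED login for alice from 10.0.0.5
2024-03-01 08:13:44 host1 sshd[1202]: ACCEPTED login for bob from 10.0.0.9
2024-03-01 08:15:03 host1 sshd[1203]: FAILED login for root from 203.0.113.77
2024-03-01 08:15:09 host1 sshd[1203]: FAILED login for root from 203.0.113.77
2024-03-01 08:15:15 host1 sshd[1203]: FAILED login for root from 203.0.113.77
2024-03-01 08:16:00 host1 sshd[1204]: FAILED login for alice from 999.1.1.1
"""

# Timestamp, user and source IP as named groups. The IP part is the course's
# \d{1,3} pattern, which also matches out-of-range octets such as 999.1.1.1.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?FAILED login for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

def is_valid_ipv4(ip: str) -> bool:
    """Reject regex matches whose octets are outside 0-255."""
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))

def parse_failed_logins(text: str) -> list[dict]:
    """One record per FAILED line: timestamp, username and source IP.
    For a real file, pass open(path).read() as `text`."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_valid_ipv4(m.group("ip")):
            records.append(m.groupdict())
    return records

def failures_per_user(records: list[dict]) -> dict[str, int]:
    """Failed attempts per username, most frequent first."""
    return dict(Counter(r["user"] for r in records).most_common())

def users_over_threshold(counts: dict[str, int], threshold: int = 3) -> list[str]:
    """Usernames at or above the threshold, i.e. candidates for an alert."""
    return [user for user, n in counts.items() if n >= threshold]

if __name__ == "__main__":
    counts = failures_per_user(parse_failed_logins(SAMPLE_LOG))
    print(counts)                        # {'root': 3, 'alice': 2}
    print(users_over_threshold(counts))  # ['root']
```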
Functions and modules make security scripts reusable. Using os, sys, datetime, and subprocess modules allows analysts to build powerful automation tools without third-party dependencies.
Python · Automation · Regex · Log Parsing · Scripting
Google Cybersecurity · Course 8
Put It to Work: Prepare for Cybersecurity Jobs
Escalation procedures define when and how a SOC analyst escalates an incident. L1 analysts handle initial triage and escalate to L2 when an alert requires deeper investigation or confirmed malicious activity.
Stakeholder communication is critical during incidents. Technical findings must be translated into business impact language for management. Incident reports include: timeline, affected systems, root cause, containment steps, and recommendations.
Security mindset means thinking about security implications in every decision. Analysts must balance security requirements with business operations — overly restrictive controls can disrupt productivity.
Key documentation skills: writing clear incident reports, maintaining runbooks (step-by-step response procedures), and updating playbooks based on lessons learned from past incidents.