Security Operations & Threat Intelligence
~60 minutes of structured interview prep, MCQs, and hands-on simulations covering SOC fundamentals, threat intelligence lifecycle, and advanced detection techniques.
Learning Outcomes
- Understand the structure and functions of a Security Operations Center (SOC)
- Utilize threat intelligence to predict and prevent cyber threats
- Conduct proactive threat hunting using SIEM and EDR tools
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | SOC Structure, SIEM, SOAR, EDR | 10 min | Reading |
| 2 | Threat Intelligence Lifecycle & MITRE ATT&CK | 5 min | Reading |
| 3 | Interview Questions & Answers (20) | 20 min | Q&A |
| 4 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 5 | Alert Triage Simulator | 4 min | Simulation |
| 6 | MITRE ATT&CK Tactic Mapper | 3 min | Simulation |
| 7 | Threat Intel Classification | 3 min | Simulation |
| 8 | SOC Tier Router | 3 min | Simulation |
SOC, Threat Intel & Detection
Essential theory before tackling interview questions.
SOC Structure — Three Tiers
| Tier | Role | Activities | Tools |
|---|---|---|---|
| Tier 1 | Alert Analyst / Triage | Monitor SIEM dashboards, initial alert triage, create/close tickets, escalate | SIEM, Ticketing (Jira/ServiceNow) |
| Tier 2 | Incident Responder | Deep investigation, timeline building, context correlation, malware analysis | EDR, SIEM, Sandbox, Threat Intel |
| Tier 3 | Threat Hunter / Senior IR | Proactive threat hunting, TTP-based detection, tool tuning, red team engagement | Velociraptor, YARA, ATT&CK, osquery |
SIEM, SOAR & EDR
| Tool | Full Name | What it does | Examples |
|---|---|---|---|
| SIEM | Security Information & Event Management | Collects logs from all sources, correlates events, fires alerts, enables investigation | Splunk, Microsoft Sentinel, IBM QRadar, Elastic |
| SOAR | Security Orchestration, Automation & Response | Automates repetitive tasks via playbooks; integrates tools; auto-contains threats | Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel |
| EDR | Endpoint Detection & Response | Monitors endpoints in real time, detects threats, enables threat hunting & rollback | CrowdStrike Falcon, Microsoft Defender XDR, SentinelOne |
Threat Intelligence Types
High-level, long-term trends for executives. "Nation-state actors are increasing attacks on healthcare." Audience: CISO, Board.
Upcoming specific campaigns or actor intentions. "APT29 planning spear phishing campaign next month." Audience: SOC Manager, IR.
TTPs — how adversaries operate. "Uses PowerShell with -EncodedCommand for execution." Audience: Tier 2/3 analysts.
Machine-readable IOCs: IP addresses, domains, file hashes, URLs. Used to feed SIEM/EDR blocklists. Audience: Tier 1.
Threat Intelligence Lifecycle
Planning
Define requirements
Collection
OSINT, feeds, HUMINT
Processing
Normalize, parse
Analysis
Context, attribution
Dissemination
Reports, feeds
Feedback
Refine requirements
MITRE ATT&CK Framework — 14 Tactics
| Tactic | Description | Example Technique |
|---|---|---|
| Reconnaissance | Gathering info before attack | Active scanning, OSINT |
| Resource Development | Establishing attack resources | Create accounts, buy infrastructure |
| Initial Access | Getting a foothold | Phishing, exploit public-facing app |
| Execution | Running malicious code | PowerShell, WMI, scheduled task |
| Persistence | Maintaining access | Registry run key, scheduled task, startup |
| Privilege Escalation | Getting higher permissions | Token impersonation, exploit local vuln |
| Defense Evasion | Avoiding detection | Disable AV, obfuscation, process injection |
| Credential Access | Stealing credentials | Mimikatz/LSASS dump, keylogging |
| Discovery | Understanding the environment | Network scan, account enumeration |
| Lateral Movement | Moving through the network | Pass-the-hash, PSExec, RDP |
| Collection | Gathering data of interest | Screen capture, clipboard data, file staging |
| Command & Control | Communicating with implants | HTTP/DNS beaconing, C2 frameworks |
| Exfiltration | Stealing data | FTP, DNS tunneling, cloud storage |
| Impact | Disrupting/destroying assets | Ransomware, data destruction, DDoS |
Key SOC Metrics
| Metric | Definition | Target |
|---|---|---|
| MTTD — Mean Time to Detect | Average time from breach to detection | < 24 hours (industry avg was 194 days) |
| MTTR — Mean Time to Respond | Average time from detection to containment | < 1 hour for P1 incidents |
| False Positive Rate | % of alerts that are not real threats | < 10% (high FP = alert fatigue) |
| Alert Volume | Total alerts per day handled by SOC | Depends on org size; tune to manageable |
Interview Questions & Model Answers
Click any question to reveal the model answer.
- Continuous monitoring: Monitor network, endpoint, cloud, and application logs for threats.
- Alert triage: Classify alerts as true/false positive, prioritize by severity.
- Incident response: Contain, eradicate, and recover from security incidents.
- Threat hunting: Proactively search for hidden threats not caught by automated tools.
- Threat intelligence: Consume and apply threat intel to improve detection.
- Reporting & metrics: Track MTTD, MTTR, SLA compliance, risk posture.
- Tier 1 — Alert Analyst: First line of defence. Monitors SIEM dashboards, performs initial triage, creates tickets, closes confirmed false positives, escalates real threats to Tier 2. Handles high volume, routine alerts.
- Tier 2 — Incident Responder: Deeper investigation of escalated alerts. Builds attack timelines, performs malware analysis, correlates multiple events, contains and remediates incidents.
- Tier 3 — Threat Hunter / Senior Analyst: Proactive threat hunting using hypotheses based on ATT&CK TTPs. Tunes detection rules, develops custom YARA/Sigma rules, leads major IR engagements, mentors Tier 1/2.
- Collects and aggregates log data from across the environment (firewalls, endpoints, cloud, apps)
- Normalizes data into a common format
- Correlates events using rules to identify threat patterns
- Generates alerts for analyst investigation
- Provides dashboards, reporting, and long-term log storage for forensics
| SIEM | SOAR | |
|---|---|---|
| Purpose | Collect, correlate, alert | Automate, orchestrate, respond |
| Action | Passive — generates alerts | Active — executes playbooks |
| Human role | Analysts must investigate & act | Automates Tier 1 tasks, reduces alert fatigue |
| Example action | Alert: "Suspicious login from new country" | Auto-block IP, disable account, notify analyst |
Why it matters:
- Shifts security from reactive to proactive — know before you're hit.
- Enables faster detection by feeding IOCs into SIEM/EDR blocklists.
- Helps prioritize patching based on active exploitation in the wild.
- Informs security strategy at the executive level (strategic intel).
- Supports incident response — knowing the attacker's TTPs speeds investigation.
- Planning & Direction: Define intelligence requirements — what do we need to know and why?
- Collection: Gather raw data from open sources (OSINT), commercial feeds, dark web, ISACs, honeypots, internal telemetry.
- Processing: Normalize, translate, and structure raw data into usable format (e.g., STIX format).
- Analysis: Add context, correlate, attribute to threat actors, assess confidence and relevance.
- Dissemination: Distribute finished intelligence to stakeholders in the right format (executive report, tactical feed, IOC blocklist).
- Feedback: Stakeholders provide feedback to refine future collection requirements.
- Tactics: The adversary's goal (the "why") — 14 tactics from Reconnaissance to Impact.
- Techniques: How the adversary achieves a tactic (the "how") — hundreds of techniques.
- Sub-techniques: More specific implementations of techniques.
- Procedures: Specific implementations used by known threat groups.
- IOC (Indicator of Compromise): Forensic evidence that a compromise has already occurred. Reactive. Examples: known malicious IP, file hash of malware, suspicious domain, compromised email address. Problem: attackers easily change IOCs (they're perishable).
- IOA (Indicator of Attack): Evidence of attacker behavior/intent in progress, regardless of the specific IOC. Proactive. Examples: PowerShell spawning from Word, process injecting into lsass.exe, lateral movement via SMB. Based on TTPs which are harder to change.
- Traditional detection: Reactive. SIEM rules fire alerts when known bad patterns match. Relies on signatures, rules, IOCs. Cannot detect unknown/novel threats.
- Threat hunting: Proactive. Analysts assume attackers are already in the environment and actively search for evidence of compromise without waiting for an alert. Hypothesis-driven.
- Form a hypothesis (e.g., "An APT may be using living-off-the-land techniques")
- Collect and query relevant data (Sysmon logs, PowerShell logs, network flows)
- Analyse for anomalies matching the hypothesis
- If found, escalate to IR; if not, document as evidence of coverage
- Create detection rules from hunt findings to automate future detection
- STIX (Structured Threat Information eXpression): A standardized language for describing cyber threat intelligence in a structured, machine-readable JSON format. Describes: threat actors, campaigns, malware, TTPs, IOCs, vulnerabilities, courses of action.
- TAXII (Trusted Automated eXchange of Intelligence Information): The transport protocol for sharing STIX content between organizations and threat intel platforms. Defines how to query and push threat intelligence feeds.
| Traditional AV | EDR | |
|---|---|---|
| Detection | Signature-based only | Behavioural + signatures + ML |
| Visibility | File-level scanning | Full process tree, network, registry, memory |
| Response | Quarantine file | Isolate host, kill process, rollback, hunt |
| Hunting | No | Yes — query telemetry across all endpoints |
| Unknown threats | Blind to zero-days | Detects anomalous behavior (IOAs) |
- MTTD (Mean Time to Detect): Average time between a breach occurring and the SOC detecting it. The 2024 IBM Cost of a Data Breach report shows the industry average was 194 days. Lower is better. Improved by better detection rules, more data sources, threat hunting.
- MTTR (Mean Time to Respond): Average time from detection to full containment and recovery. High-severity incidents (P1) should target under 1–4 hours. Improved by automation (SOAR), clear playbooks, well-practised IR.
A YARA rule consists of:
- Meta: Descriptive info (author, date, description)
- Strings: Patterns to match (hex, text, regex)
- Condition: Boolean logic combining strings
Key Sysmon Event IDs:
- Event ID 1: Process creation (includes full command line, parent process, hashes)
- Event ID 3: Network connections (process making outbound connections)
- Event ID 7: Image/DLL loaded (detect DLL hijacking)
- Event ID 8: CreateRemoteThread (detect process injection)
- Event ID 10: Process access (detect LSASS dumping)
- Event ID 11: File creation
- Event ID 12/13: Registry modifications
- Baseline normal behavior: Understand what "normal" looks like (UEBA) before tuning alerts.
- Allowlist known-good: Exclude trusted processes, admin IPs, scheduled tasks from triggering certain rules.
- Add context to rules: Instead of "any PowerShell execution", alert on "PowerShell with -EncodedCommand spawned from Word/Excel".
- Risk scoring: Use risk-based alerting — only alert when multiple lower-confidence signals combine (e.g., unusual location + new device + sensitive data access).
- Tune continuously: After every false positive, update the rule. Track FP rate per rule.
- Enrich alerts: Add threat intel context to automatically score severity.
- Reconnaissance → 2. Weaponization → 3. Delivery → 4. Exploitation → 5. Installation → 6. Command & Control → 7. Actions on Objectives
- Kill Chain is high-level, linear, phase-based — good for understanding the attack narrative.
- MITRE ATT&CK is detailed, non-linear, technique-based — better for detection engineering and threat hunting.
- They are complementary: Kill Chain gives the story, ATT&CK gives the technical depth.
- Defenders use both: Kill Chain to understand where to break the chain; ATT&CK to detect specific techniques at each phase.
Common techniques:
- Pass-the-Hash / Pass-the-Ticket (using credential hashes/Kerberos tickets)
- PSExec / WMI / RDP to remote systems
- Remote service creation
- SMB/admin share access
- Alert on unusual admin tool usage (PSExec, WMI) from non-admin machines
- Detect accounts authenticating to many systems in a short time window
- Watch for SMB connections to C$ / ADMIN$ shares
- Detect Kerberos ticket anomalies (Kerbeasting, Golden Ticket)
- Sysmon Event ID 3 (unusual network connections from workstations)
- Ensures consistent, repeatable response regardless of which analyst handles the incident
- Reduces response time by eliminating decision paralysis under pressure
- Supports compliance and audit trails
- Isolate affected systems from the network immediately
- Identify ransomware variant (ID Ransomware tool)
- Notify SOC Manager and CISO
- Preserve memory and disk images for forensics
- Notify law enforcement and legal
- Restore from clean backups
- Post-incident review and policy update
SOC use cases:
- Submit a suspicious file hash from an alert — see if any AV vendor detects it as malicious
- Check if a URL or domain is known malicious
- Investigate IP addresses associated with C2 beaconing
- View behavioral analysis (sandbox results) for unknown files
- Use VirusTotal Intelligence (paid) to hunt for similar malware samples
| In-House SOC | Managed SOC (MSSP/MDR) | |
|---|---|---|
| Ownership | Built and run by the organization | Outsourced to a security vendor |
| Cost | High upfront (people, tools, infrastructure) | Subscription-based, lower capex |
| Control | Full control over tools and processes | Limited customization |
| Expertise | Build your own team — hard to hire | Instant access to specialists |
| Context | Deep knowledge of internal environment | Requires onboarding period |
| Best for | Large enterprises, regulated industries | SMBs, organizations without security team |
Multiple Choice Questions
Select an answer then click Check. Explanations shown after submission.
Alert Triage Simulator
You are a Tier 1 SOC analyst. Classify each SIEM alert as True Positive, False Positive, or Needs Investigation.
MITRE ATT&CK Tactic Mapper
Match each attacker action to the correct MITRE ATT&CK tactic using the dropdown.
Threat Intel Classification
Classify each piece of intelligence as Strategic, Operational, Tactical, or Technical.
SOC Tier Router
Route each incident scenario to the correct SOC tier that should handle it.
Module Complete!
You've completed Module 10: Security Operations & Threat Intelligence.