Cyber Defense Team Building Guide

Enterprise Security Operations Center Implementation

Strategic Overview
Foundation principles for enterprise cyber defense operations

Mission Statement

Establish a world-class Security Operations Center (SOC) capable of detecting, analyzing, and responding to cyber threats across Banking, ISP, and Telecommunications infrastructures with 24/7 monitoring capabilities.

Core Objectives

  • Continuous threat monitoring and detection
  • Rapid incident response and containment
  • Compliance with industry regulations
  • Proactive threat hunting and intelligence
Defense Framework & Architecture
Comprehensive defense-in-depth strategy with layered security controls

NIST Cybersecurity Framework Implementation

Core Functions
IDENTIFY: Asset Management & Risk Assessment
PROTECT: Access Control & Data Security
DETECT: Continuous Monitoring & Analysis
RESPOND: Incident Response & Communication
RECOVER: Recovery Planning & Improvements
Implementation Tiers
Tier 1: Partial - Ad hoc processes
Tier 2: Risk Informed - Some processes
Tier 3: Repeatable - Formal processes
Tier 4: Adaptive - Continuous improvement
Essential Security Tools Checklist
Comprehensive toolkit for enterprise security operations

Core Security Tools

SIEM Platforms
Splunk Enterprise Security (Enterprise)
IBM QRadar (Enterprise)
Microsoft Sentinel (Cloud)
Elastic Security (Open Source)
LogRhythm NextGen (Mid-Market)
Endpoint Detection & Response
CrowdStrike Falcon (Cloud)
Microsoft Defender for Endpoint (Integrated)
SentinelOne Singularity (AI-Powered)
Carbon Black Cloud (VMware)
Cortex XDR (Palo Alto)
Network Security
Palo Alto Next-Gen Firewall
Cisco ASA/FTD
Fortinet FortiGate
Snort/Suricata IDS
Zeek Network Monitor
Vulnerability Management
Tenable Nessus/Security Center
Qualys VMDR
Rapid7 InsightVM
OpenVAS (Open Source)
Greenbone Security Manager
SOC Operations - Wazuh SIEM & SOAR Platform
Comprehensive Wazuh-based SOC implementation with enterprise security tool integrations

Wazuh-Based SOC Architecture

Distributed architecture with centralized management and analysis

Cluster Components

Management Layer

  • Wazuh Manager - Central orchestration and rule processing
  • Worker Nodes - Distributed event processing
  • Load Balancer - High availability and traffic distribution

Indexing Layer

  • Wazuh Indexer Cluster - Distributed data storage
  • High-availability configuration
  • Fast search and retrieval capabilities

Visualization Layer

  • Wazuh Dashboard - Real-time monitoring interface
  • Custom dashboard creation
  • Alert visualization and reporting
Data Collection Architecture

Cloud Infrastructure

  • Office 365 - Email and collaboration logs
  • CrowdStrike EDR - Endpoint telemetry
  • Akamai WAF - Web security logs
  • DLP - Data loss prevention events

On-Premise Infrastructure

  • Palo Alto Firewall - Network traffic logs
  • NAC - Network access control events
  • Tenable - Vulnerability scan results
  • Anti-DDoS - Attack mitigation logs
  • Servers, databases, applications

Communication Protocols

  • Syslog UDP 514 - Traditional syslog; unauthenticated and unencrypted, so prefer TCP or syslog over TLS (TCP 6514) wherever the source supports it
  • Wazuh Agent TCP 1514/1515 - 1514 carries agent events, 1515 handles agent enrollment
  • API Call TCP 443 - Cloud integrations over HTTPS
Team Structure & 24/7 Operations
Organizational structure with rotating shift schedules for continuous monitoring
SOC Analyst Level 1
Entry Level

Responsibilities

  • Monitor security alerts and events
  • Initial triage and classification
  • Basic incident documentation
  • Escalation to Level 2

Required Certifications

Security+, CySA+, GCIH
SOC Analyst Level 2
Intermediate

Responsibilities

  • Advanced log analysis
  • Threat hunting activities
  • Incident investigation
  • Tuning detection rules

Required Certifications

GCFA, GNFA, CISSP
SOC Lead/Hunter
Senior

Responsibilities

  • Advanced threat hunting
  • Malware analysis
  • Custom detection development
  • Team leadership

Required Certifications

GCTI, GREM, CISSP

Specialized Roles

Security Engineer

Tool deployment, configuration, and automation

• Infrastructure as Code (Terraform, Ansible)
• Cloud security architecture
• DevSecOps practices
• API security and integration
Incident Response Specialist

Digital forensics and crisis management

• Digital forensics and evidence handling
• Malware reverse engineering
• Legal and regulatory compliance
• Crisis communication
Threat Intelligence Analyst

Threat landscape analysis and intelligence

• OSINT collection and analysis
• Threat actor profiling
• IoC analysis and sharing
• Intelligence report writing
Compliance Specialist

Regulatory compliance and audit management

• Regulatory framework expertise
• Audit preparation and management
• Policy development
• Risk assessment
Technical Skills & Investigation
Command-line expertise for investigation and analysis of compromised assets

Web Application Investigation

Log Analysis Commands

Apache/Nginx Access Logs

grep -E '" [45][0-9]{2} ' /var/log/apache2/access.log        # status code sits right after the closing quote of the request; an unanchored 40[0-9] also hits byte counts and paths
awk '$9 >= 400 {print $0}' /var/log/nginx/access.log         # $9 is the status field in the combined log format (quotes are required)

SQL Injection Detection

grep -iE "union|select|drop|insert" /var/log/apache2/access.log   # crude keyword sweep: misses URL-encoded payloads (%27, %20) and matches words such as "selection"; decode and review the hits

XSS Attack Detection

grep -iE "script|javascript|onerror" /var/log/apache2/access.log  # literal forms only; also search for encoded variants such as %3Cscript%3E
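The greps above work on the literal request text, so a payload sent as %27%20UNION%20SELECT slips past them while a harmless /blog/selection page trips the select pattern. The script below is an added example, not part of the original guide: it percent-decodes each request before matching, treats SQL keywords as whole words, and falls back to the status code for everything else. The log lines and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): triage an Apache/Nginx
# combined-format access log. Requests are URL-decoded before matching, and
# SQL keywords are matched as whole words, so "/blog/selection" is not flagged
# the way a bare grep for "select" would flag it.

# Constructed sample log lines; the addresses are RFC 5737 test ranges.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:14:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "curl/8.4.0"
192.0.2.44 - - [10/Mar/2025:14:02:20 +0000] "GET /blog/selection-of-the-month HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2025:14:02:25 +0000] "GET /admin/login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:14:02:30 +0000] "GET /products?id=1%20AND%201=1 HTTP/1.1" 500 128 "-" "Mozilla/5.0"'

# Reads combined-format lines on stdin, writes "tag<TAB>status<TAB>client<TAB>decoded request".
# Tags: sqli, xss, error (HTTP status >= 400 without an injection pattern), clean.
triage_access_log() {
  awk '
  # Percent-decode a request string using only POSIX awk functions.
  # Note: %00 decodes to a NUL byte, which some awk implementations truncate on.
  function urldecode(s,    out, i, c, h, hex) {
    hex = "0123456789abcdef"; out = ""
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c == "+") { out = out " " }
      else if (c == "%" && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
        h = tolower(substr(s, i + 1, 2))
        out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1)
        i += 2
      } else { out = out c }
    }
    return out
  }
  BEGIN {
    # [^a-z0-9_] stands in for a word boundary; awk ERE has no portable \b.
    w = "[^a-z0-9_]"
    sqli_re = "(^|" w ")(union" w "+(all" w "+)?select|select" w ".*" w "from" w "|insert" w "+into|drop" w "+table|(or|and)" w "+[0-9]+=[0-9]+)(" w "|$)"
    xss_re  = "<[^>]*script|javascript:|on(error|load|mouseover|click|focus) *="
  }
  {
    # Combined log format: $1 client, $7 request path, $9 status code.
    req = tolower(urldecode($7))
    if (req ~ sqli_re)      tag = "sqli"
    else if (req ~ xss_re)  tag = "xss"
    else if ($9 + 0 >= 400) tag = "error"
    else                    tag = "clean"
    printf "%s\t%s\t%s\t%s\n", tag, $9, $1, req
  }'
}

# Count lines carrying a given tag in the constructed sample (used for checking the logic).
count_tag() {
  printf '%s\n' "$SAMPLE_LOG" | triage_access_log | awk -F'\t' -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_access_log
```

Run it against a real log with `triage_access_log < /var/log/apache2/access.log | grep -v '^clean'`; the keyword lists are deliberately short and should be extended from the WAF or application's own vocabulary rather than trusted as complete.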
Application Security Analysis

File Integrity Monitoring

find /var/www -type f -mtime -1 -ls                           # files modified in the last day; an intruder can reset mtime with touch, so do not rely on this alone
sha256sum /var/www/html/*.php > checksums.txt                 # baseline digests (SHA-256 rather than collision-prone MD5); store off-host and verify later with sha256sum -c
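A digest baseline is only useful if it is taken while the system is known-good, kept off the host, and compared against the live tree later; the two commands above produce a baseline but not the comparison. The script below is an added example, not from the original guide, that does both and reports modified, missing and new files. The web root, its files and the tampering are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): hash-based file integrity
# check for a web root. A baseline of SHA-256 digests is taken while the
# system is known-good; verification re-hashes and reports every deviation.
# Unlike "find -mtime -1", this still catches files whose mtime an intruder
# reset with touch -r or touch -t.

# Prefer coreutils sha256sum; fall back to Perl shasum where it is absent.
if command -v sha256sum >/dev/null 2>&1; then HASH_CMD="sha256sum"; else HASH_CMD="shasum -a 256"; fi

# fim_baseline DIR OUTFILE: write "digest  ./relative/path" for every regular file.
fim_baseline() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do $HASH_CMD "$f"; done ) > "$2"
}

# fim_verify DIR BASELINE: print "MODIFIED|MISSING|NEW path" for each deviation.
# Paths are split from the digest on the two-space separator both hash tools emit.
fim_verify() {
  _dir=$1; _base=$2; _cur=$(mktemp)
  fim_baseline "$_dir" "$_cur"
  awk -F'  ' '
    NR == FNR { base[$2] = $1; next }         # first file: baseline
    { cur[$2] = $1 }                          # second file: current state
    END {
      for (p in base) {
        if (!(p in cur))            print "MISSING " p
        else if (base[p] != cur[p]) print "MODIFIED " p
      }
      for (p in cur) if (!(p in base)) print "NEW " p
    }' "$_base" "$_cur" | LC_ALL=C sort
  rm -f "$_cur"
}

# Constructed demonstration: a throwaway web root is baselined, then tampered
# with the way a web-shell drop typically looks. Prints the verification report.
fim_demo() {
  _d=$(mktemp -d); _b=$(mktemp)
  printf '<?php echo "hello"; ?>\n' > "$_d/index.php"
  printf 'DB_PASS=example\n'        > "$_d/config.php"
  printf 'body { margin: 0 }\n'     > "$_d/style.css"
  fim_baseline "$_d" "$_b"
  printf '<?php eval($_POST["x"]); ?>\n'  >> "$_d/index.php"   # backdoor appended to a legitimate file
  printf '<?php system($_GET["c"]); ?>\n' >  "$_d/shell.php"   # web shell dropped
  rm "$_d/config.php"                                          # file removed
  touch -t 202401010000 "$_d/index.php"                        # timestomped: an mtime-based sweep no longer lists it
  fim_verify "$_d" "$_b"
  rm -rf "$_d" "$_b"
}

fim_demo
```

In production the baseline file must live somewhere the web server account cannot write, otherwise whoever dropped the shell can also re-baseline it; on a real host, run `fim_baseline /var/www/html baseline.txt` from a clean state and `fim_verify /var/www/html baseline.txt` during triage.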

Process Investigation

ps aux | grep -E "[a]pache2|[n]ginx|[p]hp-fpm"                # bracketed first letter keeps the grep process itself out of the results
lsof -nP -i :80,443                                           # -nP skips DNS and service-name lookups so the listing returns quickly

Database Investigation

mysql -e "SHOW FULL PROCESSLIST;" | grep -v Sleep             # FULL returns the complete query text; plain PROCESSLIST truncates it to 100 characters
SOC Training Program
Comprehensive training for SOC L1, L2, L3, and Lead roles with real-world scenarios
SOC L1 Analyst Training
Foundation skills for first-line security monitoring
Core Skills (Week 1-2)
• SIEM Console Navigation
• Alert Triage & Classification
• Basic Log Analysis
• Incident Documentation
• Escalation Procedures
Practical Exercises
• Malware Detection Scenarios
• Failed Login Analysis
• Network Anomaly Identification
• Phishing Email Investigation
• False Positive Handling
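For the failed-login exercise, the useful signal is rarely a single event but the pattern across events from one source: how many failures, how many distinct usernames, and whether a success followed. The script below is an added example that is not part of the original training material; the sshd log excerpt it runs on is constructed, and the failure threshold is a parameter the analyst chooses.

```shell
#!/bin/sh
# Added example (not from the original guide): aggregate sshd authentication
# failures per source address, the way an L1 analyst would when a failed-login
# alert fires. Besides the raw count it reports how many distinct usernames
# were tried (password spraying) and whether a success followed the failures
# from the same address, which turns a noisy alert into a likely compromise.

# Constructed auth.log excerpt (not from a real host; RFC 5737 addresses).
AUTH_LOG='Mar 10 14:01:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 14:01:03 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 14:01:04 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 14:01:05 web01 sshd[2216]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 14:01:06 web01 sshd[2218]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar 10 14:01:09 web01 sshd[2220]: Accepted password for deploy from 203.0.113.7 port 51032 ssh2
Mar 10 14:05:40 web01 sshd[2301]: Failed password for alice from 192.0.2.10 port 40012 ssh2
Mar 10 14:05:52 web01 sshd[2303]: Accepted publickey for alice from 192.0.2.10 port 40014 ssh2'

# bruteforce_report [THRESHOLD]: reads sshd lines on stdin and prints
# "source_ip failures distinct_users success_after_failures" for every
# address with at least THRESHOLD failures (default 5), sorted by address.
bruteforce_report() {
  awk -v thr="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = $(NF - 3)                                  # "... from <ip> port <n> ssh2"
      user = ($9 == "invalid") ? $11 : $9             # "invalid user <name>" vs "<name>"
      fail[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
      ip = $(NF - 3)
      if (ip in fail) success_after[ip] = 1           # a success only matters after earlier failures
    }
    END {
      for (ip in fail)
        if (fail[ip] >= thr)
          printf "%s %d %d %s\n", ip, fail[ip], users[ip], (ip in success_after) ? "yes" : "no"
    }' | LC_ALL=C sort
}

printf '%s\n' "$AUTH_LOG" | bruteforce_report 3
```

On a live host the same function runs as `bruteforce_report 10 < /var/log/auth.log` (or over `journalctl -u ssh --no-pager`); a row ending in "yes" is the one to escalate first, since it indicates a guessed credential rather than just noise.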

Essential Command Line Skills

Windows Commands
System Information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic computersystem get model,name,manufacturer
whoami /all
net user
Process & Service Analysis
tasklist /svc
wmic process list full
sc query state= all
net start
Network Investigation
netstat -ano
arp -a
ipconfig /all
nslookup suspicious-domain.com
Linux Commands
System Information
uname -a
cat /etc/os-release
id
grep -vE 'nologin|/bin/false' /etc/passwd
Process & Service Analysis
ps aux --sort=-%cpu
systemctl list-units --type=service
top -b -n 1 | head -n 20
pgrep -fl suspicious
Network Investigation
ss -tulpn
ip route show
cat /etc/hosts
dig suspicious-domain.com

L1 Response Time Targets

• Alert Acknowledgment: < 5 minutes
• Initial Triage: < 15 minutes
• Escalation Decision: < 30 minutes
• Documentation: < 45 minutes
Tabletop Exercises & Simulations
Practical scenarios to test and improve SOC response capabilities
Scenario 1: Ransomware Attack
Critical
Initial Alert: Multiple file encryption events detected
Affected Systems: 50+ workstations, 3 servers
Timeline: 2 hours to full response

Response Steps

1. Immediate containment (network isolation)
2. Identify patient zero
3. Assess backup integrity
4. Coordinate with legal/PR teams
5. Execute recovery procedures
Success Criteria: Containment within 30 minutes, full recovery within 24 hours
Scenario 2: APT Infiltration
High
Initial Alert: Suspicious PowerShell execution
Indicators: C2 communication, lateral movement
Timeline: 4 hours investigation

Investigation Steps

1. Timeline reconstruction
2. IOC extraction and hunting
3. Scope assessment
4. Attribution analysis
5. Eradication planning
Success Criteria: Complete attack timeline within 2 hours
Scenario 3: Data Exfiltration
High
Initial Alert: Unusual data transfer volumes
Affected Data: Customer PII, financial records
Timeline: 6 hours to breach notification

Response Actions

1. Data flow analysis
2. Exfiltration vector identification
3. Impact assessment
4. Regulatory notification
5. Customer communication
Success Criteria: Accurate impact assessment within 4 hours
Scenario 4: Supply Chain Attack
Critical
Initial Alert: Compromised software update
Scope: Enterprise-wide deployment
Timeline: 1 hour to containment

Emergency Response

1. Immediate software rollback
2. Network segmentation
3. Vendor coordination
4. System integrity verification
5. Threat intelligence sharing
Success Criteria: Zero data loss, containment within 1 hour
Reports & Templates
Professional templates for penetration testing and root cause analysis reporting
1. Executive Summary

High-level overview for management and stakeholders

Assessment Overview: Brief description of scope and objectives
Risk Rating: Overall security posture (Critical/High/Medium/Low)
Key Findings: Top 3-5 critical vulnerabilities discovered
Recommendations: Priority actions to improve security
2. Assessment Details

Scope Information

Assessment Type: External/Internal/Web App/Cloud
Target Systems: IP ranges, domains, applications
Testing Period: YYYY-MM-DD to YYYY-MM-DD
Methodology: OWASP/PTES/NIST

Team Information

Lead Tester: [Name, Certifications]
Team Members: [Names and roles]
Report ID: PT-2025-XXXX
Classification: Confidential
3. Vulnerability Findings

Detailed technical findings organized by severity

CRITICAL: Finding Title
Description: Technical details of vulnerability
Impact: Potential business/security impact
Affected Systems: List of vulnerable assets
CVSS Score: 9.8 (Critical)
Remediation: Step-by-step fix instructions
Evidence: Screenshots, logs, proof of concept
HIGH: Finding Title
Similar structure as above...
MEDIUM: Finding Title
Similar structure as above...
4. Remediation Roadmap
IMMEDIATE: Critical vulnerabilities - Fix within 24-48 hours
SHORT-TERM: High severity issues - Fix within 1-2 weeks
MEDIUM-TERM: Medium severity issues - Fix within 1 month
LONG-TERM: Low severity & improvements - Fix within 3 months
5. Appendices
Appendix A: Testing Methodology
Appendix B: Tools Used
Appendix C: Raw Scan Results
Appendix D: References & CVE Details