Welcome to Day 9 of your SOC Analyst Challenge! Today, we're diving into something that every SOC analyst needs to know — the lingo. Yep, that's right, we're talking about all those cybersecurity terms that get tossed around in SOC meetings, incident reports, and threat analyses. If you're like, "Wait, what's an IOC, and why do I care about TTPs?" — don't worry, you're not alone. By the end of this blog, you'll be fluent in SOC terminology and ready to impress with your knowledge.
Whether you're just starting out in security operations or you're gearing up for your next SOC shift, knowing the right terms is key to being a successful SOC analyst. Let's break down these key terms so that next time someone drops a cybersecurity buzzword, you'll know exactly what they mean — and maybe even drop a few of your own!
IOC — Indicator of Compromise
What is an IOC? An Indicator of Compromise (IOC) is a piece of data that suggests a system or network has been compromised. Think of IOCs as the fingerprints or clues left behind by attackers when they breach a system. These could be anything from a suspicious IP address, to a malicious file hash, to an unusual domain name.
Examples of IOCs:
- IP addresses linked to known malicious activity.
- File hashes of malware detected in your environment.
- URLs or domains associated with phishing or command-and-control servers.
- Registry keys or other system-level indicators that suggest malicious activity.
Why IOCs Matter:
When you're investigating an alert or an incident, IOCs help you identify malicious activity and track the attacker's movements. By comparing IOCs to data in your SIEM or EDR system, you can quickly spot if an attack is in progress and, in some cases, determine its origin.
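Here is what that SIEM/EDR comparison looks like in its simplest form, as an added example that is not part of the original post: it pulls candidate IPs, domains and SHA-256 hashes out of log lines and checks them against a small IOC list. Every IOC value and log line below is constructed for illustration (the IPs come from the TEST-NET ranges and the hashes are placeholders), and the log format is an assumed one.

```python
"""Added example (not from the original post): match a small IOC list
against constructed log lines, the way a SIEM or EDR lookup does.
All IOC values and log lines here are made up for illustration."""
import re
from dataclasses import dataclass

# Constructed IOC feed. The values are placeholders, not real indicators.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},                         # TEST-NET addresses
    "domain": {"update-check.example.net", "cdn-static.example.org"},
    "sha256": {"a" * 64, "b" * 64},                                  # placeholder hashes
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str
    line: str


def extract(line):
    """Yield (type, value) candidates from one log line, normalised to lowercase.
    Extraction is deliberately loose (a file name like svc.exe also looks like a
    domain); the set lookup in match_iocs decides what is actually an IOC."""
    yield from (("ip", ip) for ip in IP_RE.findall(line))
    yield from (("sha256", h.lower()) for h in SHA256_RE.findall(line))
    yield from (("domain", d.lower()) for d in DOMAIN_RE.findall(line))


def match_iocs(lines, iocs=IOCS):
    """Return a Hit for every indicator in `lines` that appears in the IOC feed."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value in extract(line):
            if value in iocs.get(kind, ()):
                hits.append(Hit(n, kind, value, line))
    return hits


# Constructed log lines in an assumed key=value format (proxy, EDR, DNS).
LOGS = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.45 "
    "host=update-check.example.net method=GET",
    "2024-05-01T10:02:15Z edr host=WS-014 event=process_create "
    "image=C:\\Users\\a\\svc.exe sha256=" + "a" * 64,
    "2024-05-01T10:03:00Z dns client=10.0.0.18 query=intranet.corp.local answer=10.0.0.5",
]

if __name__ == "__main__":
    for h in match_iocs(LOGS):
        print(f"line {h.line_no}: {h.ioc_type} {h.value}")
```

The proxy line produces two hits (the destination IP and the host), the EDR line one (the hash), and the DNS line none. In a real pipeline the IOC sets would be loaded from a threat-intel feed and refreshed regularly; the matching logic stays the same.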
TTP — Tactics, Techniques, and Procedures
What is TTP? TTP stands for Tactics, Techniques, and Procedures, and it's a framework for understanding how attackers operate. While IOCs tell you what the attacker left behind (like fingerprints), TTPs give you insight into how the attacker did it — from the strategy (tactics) to the specific tools and methods used to execute the attack.
- Tactics: The why behind the attack. What is the attacker trying to achieve? For example, escalating privileges, exfiltrating data, or establishing persistence.
- Techniques: The how of the attack. The methods attackers use to accomplish their goals. This could include exploiting vulnerabilities, using spear-phishing emails, or using malicious payloads.
- Procedures: The specific steps or tools used in the attack. For example, attackers might use PowerShell scripts to move laterally or RATs (Remote Access Trojans) to maintain persistence.
Why TTPs Matter:
TTPs are critical for understanding and defending against cyberattacks. The MITRE ATT&CK Framework is a great example of how TTPs are structured and used to analyze attack patterns. By knowing the common TTPs attackers use, SOC analysts can better detect, defend against, and mitigate future attacks.
APT — Advanced Persistent Threat
What is an APT? An Advanced Persistent Threat (APT) is a sophisticated and prolonged cyberattack that is often nation-state or organization-driven. APTs are not just about getting in and stealing a bit of data — they're about gaining access to your network for the long haul. Attackers using APTs are usually well-funded, well-organized, and highly skilled. They don't just rush in and out — they stay undetected for months, sometimes even years, as they exfiltrate data, steal intellectual property, or sabotage systems.
Why APTs Are Dangerous:
- Stealth: APTs are stealthy, meaning they blend in with normal traffic and behaviors for as long as possible.
- Persistence: Once in, they establish multiple pathways to keep access open and maintain control over your network.
- Long-term Objectives: Attackers aren't looking for a quick payoff. They want to exfiltrate data, plant backdoors, or disrupt your operations in a sustained way.
Real-World Example:
One infamous example of an APT is the Stuxnet worm, which was used by nation-states to sabotage Iran's nuclear program. It targeted industrial control systems (ICS) and went undetected for months, causing physical damage to equipment while also stealing sensitive information.
RAT — Remote Access Trojan
What is a RAT? A Remote Access Trojan (RAT) is a type of malware that gives the attacker remote control over an infected machine. Once a RAT is installed, the attacker can monitor activity, exfiltrate data, and even take control of the system as if they were physically sitting at the computer.
Why RATs Are a Big Deal:
- Complete Control: Attackers can do almost anything on the compromised machine — install more malware, steal sensitive data, or even use the machine as a launchpad for further attacks.
- Stealthy: Many RATs are designed to remain hidden and operate in the background, making them difficult to detect.
Real-World Example:
One of the most well-known RATs is DarkComet, which has been used in various cyberattacks to gain unauthorized access to victims' machines. Once installed, DarkComet allows attackers to control the infected system remotely, record keystrokes, access webcam feeds, and more.
MITM — Man-in-the-Middle
What is MITM? A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts communication between two parties (like a user and a website or a server and a client). The attacker can then eavesdrop, modify, or redirect the communication without either party knowing.
How Does MITM Work?
Attackers use a variety of techniques to get between the two parties and take advantage of that position, for example:
- Session Hijacking: Stealing a session token to impersonate the victim.
- SSL Stripping: Downgrading a secure HTTPS connection to HTTP to read the data in plain text.
Why MITM Attacks Are a Threat:
- Data Interception: Attackers can steal sensitive data like login credentials and financial transactions.
- Data Manipulation: Attackers can alter communications, potentially causing major disruptions (e.g., changing bank account numbers during a transaction).
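Two defender-side checks that follow from the SSL-stripping point above, as an added example that is not part of the original post: flag plaintext HTTP requests to hosts that are supposed to be HTTPS-only (from proxy logs), and check whether a site's Strict-Transport-Security header is strong enough to keep browsers from accepting a downgrade. The host list, the proxy log format and the log lines are all constructed assumptions.

```python
"""Added example (not from the original post): two checks related to
SSL stripping. (1) Find plaintext HTTP requests to hosts that are expected
to be HTTPS-only, from constructed proxy log lines. (2) Parse an HSTS
header and judge whether it is strong enough to block a downgrade.
The host list, log format and log lines are made up for illustration."""
import re

# Constructed policy: hosts that must only ever be reached over HTTPS.
HTTPS_ONLY_HOSTS = {"bank.example.com", "sso.example.com"}

# Assumed proxy log layout: "<timestamp> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_downgrades(lines, https_only=HTTPS_ONLY_HOSTS):
    """Return (client, host, method, path) for plaintext requests to HTTPS-only hosts."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        scheme, _, rest = m["url"].partition("://")
        host, _, path = rest.partition("/")
        if scheme == "http" and host.lower() in https_only:
            found.append((m["client"], host.lower(), m["method"], "/" + path))
    return found


def parse_hsts(header):
    """Split a Strict-Transport-Security header into a {directive: value} dict."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_is_strong(header, min_age=31536000):
    """True when max-age is at least one year and subdomains are covered.
    A short max-age or no includeSubDomains leaves room for a downgrade."""
    d = parse_hsts(header or "")
    try:
        age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return age >= min_age and "includesubdomains" in d


# Constructed proxy log lines: one normal HTTPS request, two plaintext
# requests to HTTPS-only hosts, and one plaintext request outside the policy.
PROXY_LOGS = [
    "2024-05-01T09:00:01Z 10.0.0.21 GET https://bank.example.com/ 200",
    "2024-05-01T09:00:09Z 10.0.0.21 POST http://bank.example.com/login 302",
    "2024-05-01T09:01:30Z 10.0.0.33 GET http://news.example.net/ 200",
    "2024-05-01T09:02:00Z 10.0.0.21 GET http://sso.example.com/auth?x=1 200",
]

if __name__ == "__main__":
    for hit in find_downgrades(PROXY_LOGS):
        print("possible downgrade:", hit)
    print(hsts_is_strong("max-age=31536000; includeSubDomains; preload"))  # True
    print(hsts_is_strong("max-age=300"))                                    # False
```

The POST to the login page over plain HTTP is the case to escalate first: that is credentials in the clear. The HSTS check is a configuration review, not a detection; a site that sends a strong header to a client that has already seen it over HTTPS will refuse the plaintext downgrade in the browser.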
Phishing
What is Phishing? Phishing is a social engineering attack where an attacker pretends to be someone trustworthy (like a company or an individual) to trick the victim into revealing sensitive information (passwords, financial data, etc.). This often comes in the form of emails, but can also happen over SMS (SMiShing) or phone calls (Vishing).
Why Phishing Works:
Phishing exploits human psychology — people tend to trust emails from what seem like legitimate sources, even when they're not. Attackers often create fake websites that look nearly identical to real ones to steal login credentials.
Example:
A common phishing tactic is a fake email that looks like it's from your bank, asking you to click a link and update your account information. Once you click, the attacker has your credentials and can steal your funds.
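The bank-email scenario above has two tells a mail filter or analyst can score automatically: a sender domain that is a near-miss of a trusted one, and a display name that claims a brand the domain does not belong to. The following is an added example, not the post's own code; the trusted-domain table and the sample From headers are constructed placeholders.

```python
"""Added example (not from the original post): score an inbound From
header for lookalike-domain and brand-impersonation tells. The trusted
domain table and the sample headers are constructed for illustration."""
from email.utils import parseaddr

# Constructed table of trusted sender domains and the brand each represents.
TRUSTED = {"examplebank.com": "Example Bank", "payroll.example.org": "Payroll"}


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted=TRUSTED, max_distance=2):
    """Return the reasons a From header looks like impersonation ([] if clean)."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Exact trusted domain, or a subdomain of one, is accepted as-is.
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return []
    reasons = []
    for good, brand in trusted.items():
        dist = levenshtein(domain, good)
        if 0 < dist <= max_distance:
            reasons.append(f"domain {domain!r} is {dist} edit(s) from trusted {good!r}")
        token = brand.lower().replace(" ", "")
        if token in domain:
            reasons.append(f"domain {domain!r} embeds brand {brand!r} but is not trusted")
        if brand.lower() in display.lower():
            reasons.append(f"display name claims {brand!r} but domain is {domain!r}")
    return reasons


def flag_messages(from_headers):
    """Return (header, reasons) for every header that raised at least one reason."""
    flagged = []
    for header in from_headers:
        reasons = assess_sender(header)
        if reasons:
            flagged.append((header, reasons))
    return flagged


# Constructed From headers: two legitimate, two impersonations, one unrelated.
SAMPLES = [
    "Example Bank Alerts <alerts@examplebank.com>",
    "Example Bank Security <security@examp1ebank.com>",      # 'l' swapped for '1'
    "IT Helpdesk <help@payroll.example.org>",
    "Example Bank <no-reply@examplebank-secure.com>",        # brand stuffed into a new domain
    "Jane Doe <jane@unrelated.example.com>",
]

if __name__ == "__main__":
    for header, reasons in flag_messages(SAMPLES):
        print(header)
        for r in reasons:
            print("  -", r)
```

The edit-distance check catches character swaps such as `examp1ebank.com`; the brand-token check catches the other common pattern, a fresh domain with the brand name inside it, which no distance threshold would flag. Neither replaces SPF/DKIM/DMARC checks on the message itself; they are cheap additional signals for triage.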
Zero-Day
What is a Zero-Day? A Zero-Day vulnerability is a flaw in software or hardware that is unknown to the vendor and has no patch available. Attackers exploit this vulnerability before the vendor is aware of it and can fix it, hence the name "zero-day." This makes zero-day attacks extremely dangerous because there is no defense in place.
Why Zero-Day Exploits Are a Threat:
Zero-days are hard to defend against because the defender has no warning that a vulnerability exists. Attackers can exploit the flaw to gain access, escalate privileges, or cause damage — all before a patch is available.
Wrapping Up: Speak the Lingo Like a Pro
As a SOC analyst, understanding common terminologies is crucial for effective communication and fast, accurate incident handling. Whether it's analyzing IOCs, diving into the TTPs behind a threat, or identifying a potential APT, these terms help you quickly spot and understand what's going on in your environment.
The more familiar you get with these terms, the more confident you'll be in detecting, analyzing, and responding to incidents in real-time. Plus, you'll sound like a total cybersecurity expert in your next team meeting! 🤓💬
Your Turn: Which of these terms were you already familiar with, and which ones are you excited to dive deeper into? Let's chat about them in the comments! 👇
Coming Up Next: On Day 10, we'll dive into Incident Response — how to handle security incidents from start to finish. Stay tuned! 🚀