Today is International Data Privacy Day, and I just wrapped up TCM Security – SOC 101.
That timing isn’t poetic — it’s accurate.
Because every practical exercise in this course answered the same question in different ways:
Where does data leak when detection fails?
What I Actually Did (Not Just What I Studied)
🔹 Phishing Analysis (Email as an Attack Surface)
I didn’t just “analyze emails” — I tore them apart.
- Parsed raw .eml files
- Validated SPF / DKIM / DMARC failures
- Extracted URLs from base64 and quoted-printable bodies
- Defanged malicious links before reputation checks
Example techniques I repeatedly used:
grep -i "Received:" challenge.eml
grep -Ei 'https?://[^ ]+' decoded_body.txt
nslookup -type=txt example-domain.com
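The .eml workflow above (raw parse, authentication check, decoded-body URL extraction, defanging), as an added Python example; it is not code from the original post or from the course. The message, header values and domains in SAMPLE_EML are constructed, and the Authentication-Results header is assumed to have been added by the receiving mail server.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample (not a real phish): one Received hop, an
# Authentication-Results header with SPF/DKIM/DMARC verdicts, and a
# base64-encoded HTML body hiding the link from a plain grep.
SAMPLE_EML = """\
From: "IT Support" <support@example-domain.com>
To: user@example.org
Subject: Password expires today
Received: from mail.sender.example (192.0.2.10)
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-domain.com; dkim=none; dmarc=fail header.from=example-domain.com
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

""" + base64.b64encode(
    b'<p>Reset your password <a href="http://login.example-domain.com/reset?u=user">here</a></p>'
).decode()

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))


def received_hops(msg):
    """All Received headers, top (closest to us) first."""
    return [str(h) for h in msg.get_all("Received", [])]


def extract_urls(msg):
    """Walk MIME parts; get_content() undoes base64 / quoted-printable."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def defang(url):
    """hxxp://host[.]tld so the link cannot be clicked from a ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(raw):
    """Parse a raw .eml string and return the fields an analyst checks first."""
    msg = message_from_string(raw, policy=policy.default)
    return {
        "auth": auth_results(msg),
        "hops": received_hops(msg),
        "urls": [defang(u) for u in extract_urls(msg)],
    }
```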
Takeaway:
Phishing isn’t about spotting bad grammar.
It’s about tracing where credentials and personal data were being pushed.
🔹 Network Security (Packets Don’t Lie)
Using TCPDump and Wireshark, I reconstructed malware behavior from raw traffic.
- Counted ICMP and HTTP POSTs
- Extracted credentials from payloads
- Identified malware by User-Agent strings
- Detected DNS tunneling patterns
Representative workflow:
tcpdump -r capture.pcap
tshark -r capture.pcap -Y "http.request"
tshark -r capture.pcap -Y "dns" | sort | uniq -c
Takeaway:
Data exfiltration doesn’t announce itself — it hides inside “normal” traffic.
🔹 Detection Engineering (Snort)
I wrote and debugged custom Snort rules — and learned the hard way that detection logic matters more than syntax.
- HTTP 401 brute force detection
- LFI payload detection (../)
- Sensitive file exfiltration
- Debugging thresholds vs detection_filters
Example pattern:
alert tcp any any -> any 80 (
msg:"LFI Attempt";
content:"../";
sid:9000041;
)
Why this matters:
Bad rules = false confidence.
Good rules = fewer blind spots where private data leaks quietly.
🔹 Endpoint Analysis (Windows & Linux)
I investigated live persistence, not screenshots.
Windows
- Identified malicious listeners via netstat
- Traced parent processes and DLLs
- Found attacker-created shares
- Located persistence in Run keys, services, and scheduled tasks
netstat -ano
tasklist /fi "PID eq <pid>"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Linux
- Identified backdoors listening on high ports
- Traced deleted binaries via /proc
- Analyzed cron persistence
- Extracted malware identity via strings
ss -lntp
readlink -f /proc/<pid>/exe
crontab -l
strings /proc/<pid>/exe
Takeaway:
Persistence is how privacy breaches survive reboots.
🔹 SIEM & Log Analysis
Given raw Apache logs, I reconstructed an attack timeline:
- IP enumeration
- SQL injection attempts
- Successful UNION-based extraction
- Suspicious user-agent identification
awk '{print $1}' access.log | sort | uniq -c
grep -Ei "union|select|--" access.log
Lesson:
If logs aren’t monitored, attackers don’t need stealth — just patience.
🔹 Threat Intelligence & YARA
I wrote real YARA rules, not signatures copied from blogs.
- String-based detection
- Artifact-based detection (registry keys)
- File signature detection (GIF, OpenSSH keys)
- Applied Pyramid of Pain thinking
Example:
rule Delphi_RTL_RegistryKey {
strings:
$rk = "SOFTWARE\\Borland\\Delphi\\RTL"
condition:
$rk
}
Takeaway:
Detection that attackers can’t easily rename is what protects data long-term.
Why This Matters on Data Privacy Day
Every lab involved:
- Credentials
- User accounts
- SSH keys
- Databases
- Logs that should’ve been monitored
Privacy isn’t a policy problem.
It’s a detection and response problem.
SOC work is where privacy either holds or collapses.
Final Reflection
SOC 101 didn’t teach me tools.
It taught me how data gets lost when defenders hesitate, assume, or stop digging too early.
That’s the mindset I’m carrying forward.