
Detailed Narration Script for Slides 16-20 of SOC Analyst Training


Slide 16: Top Ports
Understanding the top ports used in networking is crucial for SOC analysts. Ports serve as
communication endpoints for different services and applications, making them essential for
network operations and security.

Ports are numerical identifiers used in networking to distinguish different services and
applications on a single device. There are well-known ports assigned to specific services,
such as port 80 for HTTP and port 443 for HTTPS. Knowing these ports helps in identifying
and managing network traffic, as well as detecting potential security threats.

Example 1: Port 22 is commonly used for SSH (Secure Shell), which provides a secure
channel for remote access and management of network devices.
Example 2: Port 25 is used for SMTP (Simple Mail Transfer Protocol), which is essential for
email communication.

Real-Time Scenario 1: A SOC analyst notices unusual traffic on port 3389, which is used for
Remote Desktop Protocol (RDP). This could indicate an attempted remote access by an
attacker, prompting further investigation.
Real-Time Scenario 2: During a network scan, a SOC analyst identifies open ports that are
not typically used in the organization, such as port 1433 for SQL Server. This could suggest
unauthorized services running on the network, requiring immediate attention.
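The two scenarios above come down to one check: does the destination port match what that host is supposed to serve? The following is an added example, not part of the training script, that runs that check over a few constructed firewall-style log lines; the host baseline, the watched-port table and the log format are all assumptions made for the example.

```python
import re

# Constructed baseline for this example: the ports each internal host is
# expected to serve. Anything else reaching these hosts is worth a look.
BASELINE = {
    "10.0.1.10": {80, 443},   # web server
    "10.0.1.20": {25, 587},   # mail relay
    "10.0.1.30": {22},        # bastion host
}
# Well-known ports the slides call out when they show up unexpectedly.
WATCHED = {3389: "RDP", 1433: "SQL Server", 21: "FTP", 23: "Telnet"}

# Constructed firewall-style log lines: timestamp, verdict, source -> destination.
LOG_LINES = """\
2024-05-01T10:00:01Z ALLOW 203.0.113.5:51234 -> 10.0.1.10:443
2024-05-01T10:00:02Z ALLOW 203.0.113.5:51235 -> 10.0.1.10:80
2024-05-01T10:00:09Z ALLOW 198.51.100.7:40001 -> 10.0.1.30:3389
2024-05-01T10:00:15Z ALLOW 198.51.100.7:40002 -> 10.0.1.40:1433
2024-05-01T10:00:20Z DENY 198.51.100.7:40003 -> 10.0.1.20:23
2024-05-01T10:00:25Z ALLOW 203.0.113.9:33000 -> 10.0.1.20:25
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_unexpected(lines, baseline=BASELINE, watched=WATCHED):
    """Flag ALLOWed connections to ports outside the destination's baseline;
    a host missing from the baseline has no allowed ports, so all its traffic is flagged."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW":
            continue                      # blocked traffic is already handled
        if rec["dport"] in baseline.get(rec["dst"], set()):
            continue
        service = watched.get(rec["dport"], "unknown")
        findings.append((rec["dst"], rec["dport"], service, rec["src"]))
    return findings
```

On the sample lines this flags the RDP connection to the bastion host and the SQL Server connection to a host that has no baseline at all, which is exactly the "unauthorized service" case in Scenario 2.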

Slide 17: Shodan

Shodan is a powerful search engine for Internet-connected devices. It allows users to
discover and analyze devices exposed to the Internet, providing valuable insights for
security assessments.

Shodan indexes devices based on various criteria, including open ports, services, and
vulnerabilities. By querying Shodan, SOC analysts can identify exposed devices within their
organization or across the Internet, helping to assess the security posture and identify
potential risks.

Example 1: Using Shodan, a SOC analyst can search for devices running outdated versions of
software, which may be susceptible to known vulnerabilities.
Example 2: Shodan can help identify misconfigured devices, such as routers or webcams,
that are inadvertently exposed to the Internet.
Real-Time Scenario 1: During a routine security assessment, a SOC analyst uses Shodan to
identify IoT devices within the organization that are exposed to the Internet. The analyst
then works to secure these devices by updating firmware and configuring proper access
controls.
Real-Time Scenario 2: A SOC analyst receives a report of an increase in cyberattacks
targeting industrial control systems (ICS). By querying Shodan, the analyst identifies similar
exposed ICS devices and alerts the respective teams to take protective measures.

Slide 18: Shodan Ports

Shodan provides detailed information about the ports and services running on discovered
devices. This information helps SOC analysts understand the potential attack surface and
prioritize security measures.

When querying Shodan, users can specify port numbers to narrow down their search to
specific services. The results include details such as banner information, protocols, and
potential vulnerabilities associated with the identified ports and services.

Example 1: Searching for devices with open port 80 on Shodan reveals web servers that
may be running outdated or vulnerable software versions.
Example 2: Querying Shodan for devices with open port 21 can identify FTP servers, which
might have weak authentication mechanisms.

Real-Time Scenario 1: A SOC analyst uses Shodan to identify devices within the organization
running services on non-standard ports. This helps in detecting potential misconfigurations
and securing the network.
Real-Time Scenario 2: During an investigation of a recent breach, a SOC analyst queries
Shodan to find other devices on the Internet with similar configurations to the
compromised device. This aids in understanding the attack vector and mitigating further
risks.
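Slides 17 and 18 describe querying Shodan with port filters and reading the banners that come back. The block below is an added example, not from the slides or from Shodan's own tooling: it builds a query string from Shodan's net:, port: and org: filters and triages a small constructed result set offline. The sample hosts, the banner heuristic and the list of ports treated as risky are assumptions for the example; the result field names follow Shodan's JSON output.

```python
import json

EXPECTED = {21: "ftp", 22: "ssh", 80: "http", 443: "http", 3389: "rdp"}
# Ports the slides single out as worth a closer look when exposed.
RISKY = {21: "FTP: weak/cleartext authentication", 3389: "RDP: remote access exposed"}

# Constructed Shodan-style results; field names follow Shodan's JSON output.
SAMPLE_RESULTS = json.loads("""
{"total": 4, "matches": [
 {"ip_str": "203.0.113.10", "port": 21, "product": "vsftpd",
  "org": "Example Corp", "data": "220 (vsFTPd 2.3.4)\\r\\n"},
 {"ip_str": "203.0.113.10", "port": 80, "product": "Apache httpd",
  "org": "Example Corp", "data": "HTTP/1.1 200 OK\\r\\nServer: Apache/2.2.15\\r\\n"},
 {"ip_str": "203.0.113.25", "port": 2222, "product": "OpenSSH",
  "org": "Example Corp", "data": "SSH-2.0-OpenSSH_7.4\\r\\n"},
 {"ip_str": "203.0.113.40", "port": 3389, "product": null,
  "org": "Example Corp", "data": "Remote Desktop Protocol\\n"}
]}
""")

def build_query(net, ports, org=None):
    """Compose a Shodan search string from the net:, port: and org: filters."""
    q = f"net:{net} port:{','.join(str(p) for p in ports)}"
    return q + (f' org:"{org}"' if org else "")

def guess_service(banner):
    """Constructed banner heuristic: which protocol is actually answering."""
    b = banner.lstrip()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("HTTP/"):
        return "http"
    if b.startswith("220") and "ftp" in b.lower():
        return "ftp"
    return "unknown"

def triage(results, expected=EXPECTED, risky=RISKY):
    """Group matches per host as (port, banner service, reason to review)."""
    findings = {}
    for m in results["matches"]:
        ip, port = m["ip_str"], m["port"]
        svc = guess_service(m.get("data") or "")
        if port in risky:
            reason = risky[port]
        elif port not in expected and svc != "unknown":
            reason = f"{svc} on non-standard port {port}"   # e.g. SSH on 2222
        else:
            reason = "check banner for outdated version"
        findings.setdefault(ip, []).append((port, svc, reason))
    return findings
```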

Slide 19: tcpdump -D

The `tcpdump` command is a powerful network packet analyzer. The `-D` option lists all
available network interfaces on which tcpdump can capture traffic.

Tcpdump is a command-line tool used for capturing and analyzing network packets. The `-D`
option is useful for identifying the network interfaces available on a system, allowing SOC
analysts to select the appropriate interface for packet capture.

Example 1: Running `tcpdump -D` on a Linux server lists all network interfaces, such as
eth0, wlan0, and lo, along with their descriptions.
Example 2: A SOC analyst uses `tcpdump -D` to identify the correct interface for capturing
traffic on a specific network segment.

Real-Time Scenario 1: During a network investigation, a SOC analyst needs to capture traffic
on a specific interface. Using `tcpdump -D`, the analyst identifies the interface name and
starts the capture, collecting valuable data for analysis.
Real-Time Scenario 2: In a training scenario, SOC analysts practice using `tcpdump -D` to
familiarize themselves with different network interfaces and how to select the appropriate
one for packet capture.

Slide 20: tcpdump -X and -A

The `tcpdump` command also includes options for displaying packet contents in different
formats. The `-X` option displays packets in both hex and ASCII, while the `-A` option
displays packets in ASCII only.

The `-X` and `-A` options of tcpdump are used to view packet contents in a readable format.
The `-X` option shows both the hexadecimal representation and the ASCII characters of the
packet data, which is useful for detailed analysis. The `-A` option displays only the ASCII
characters, making it easier to read text-based protocols.

Example 1: Using `tcpdump -X` to capture HTTP traffic allows SOC analysts to see both the
raw hex data and the readable text, providing a complete view of the packet contents.
Example 2: The `tcpdump -A` option is useful for capturing and analyzing protocols like
HTTP and SMTP, where the content is primarily text-based.

Real-Time Scenario 1: During a security incident, a SOC analyst uses `tcpdump -X` to analyze
suspicious network traffic, revealing hidden payloads within the packet data.
Real-Time Scenario 2: A SOC analyst troubleshooting email delivery issues captures SMTP
traffic using `tcpdump -A`, allowing them to read the email headers and body directly from
the packet data.
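To make the difference between `-X` and `-A` concrete, here is an added example (not part of the slides and not tcpdump's own code) that renders a constructed HTTP payload the way each option displays it: offset, 16-bit hex groups and a dotted ASCII column for `-X`, and text-only output that keeps whitespace and drops the CR of each CRLF for `-A`. The payload bytes are constructed; the layout follows what tcpdump prints, so an analyst can practise reading it offline.

```python
# Constructed payload: the start of an HTTP request followed by a few
# non-printable bytes, standing in for the data of a captured TCP segment.
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n" + bytes([0x00, 0x1F, 0x7F, 0xFF])

def _graph(byte):
    """True for bytes tcpdump prints as themselves (printable, non-space ASCII)."""
    return 0x21 <= byte <= 0x7E

def hex_ascii_dump(data, width=16):
    """Render bytes like tcpdump -X: offset, hex in 16-bit groups, then ASCII
    with every non-graphic byte (including space, CR and LF) shown as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_words = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_col = " ".join(hex_words).ljust(width * 2 + width // 2 - 1)
        ascii_col = "".join(chr(b) if _graph(b) else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hex_col}  {ascii_col}")
    return lines

def ascii_dump(data):
    """Render bytes like tcpdump -A: keep tabs, spaces and newlines, drop a CR
    that precedes LF, and replace every other non-graphic byte with '.'."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x0D and i + 1 < len(data) and data[i + 1] == 0x0A:
            i += 1          # CRLF -> LF, as tcpdump's ASCII printer does
            continue
        if _graph(b) or b in (0x09, 0x20, 0x0A):
            out.append(chr(b))
        else:
            out.append(".")
        i += 1
    return "".join(out)

if __name__ == "__main__":
    print("\n".join(hex_ascii_dump(SAMPLE_PAYLOAD)))   # what -X shows
    print(ascii_dump(SAMPLE_PAYLOAD))                   # what -A shows
```

Note how the request line is readable in both views, while the trailing four bytes survive only in the hex column: that is why `-X` is the option for spotting payloads that are not text.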
