Defence PPT
Defensive Security Training
Building Foundations for Cyber Defense

Objectives
01 Understand core defensive security principles
• What is Defensive Security
• Core Principles: Prevention, Detection, Response, Recovery
02 Identify common threats and attack patterns
• Tactics, Techniques, and Procedures
• Layered Defense
03 Recognize essential security tools and their functions
• Types of security tools
• Defence tools example
04 Perform basic detection and incident response
• Demo
Foundations of Defensive Security
TRAINER: ANTONY BWANA, ISO

What is Defensive Security?
Core Principles:
• Prevention
• Detection
• Response
• Recovery

Layered Defense (Defense-in-Depth)
• Physical controls
• Administrative controls
• Technical controls
Common Threats & Attack Patterns
Threats:
• Malware
• Phishing
• DDoS
• Brute force attacks
• Ransomware
Key Tools in Defensive Security
• SIEM Tools: Splunk, Wazuh
• Firewalls: Perimeter and host-based
• EDR/Antivirus: CrowdStrike, Defender
Security Operations Center (SOC)
What is a SOC?
Key Roles:
• Tier 1 Analyst
• Tier 2 Responder
• Threat Hunter
SOC Workflow Overview:
• Alert → Triage → Escalation → Resolution
Incident Detection and Response
In 2020, the COVID-19 pandemic and organizations' rapid transition to remote operations created numerous opportunities for threat actors to launch sophisticated cyber attacks, with serious repercussions. Research suggests that since the start of the pandemic, remote workers have caused security breaches in 20% of organizations, while ransomware attacks accounted for over one-third of cyber incident response cases in 2020. Yet another report called 2020 the "worst year on record," with almost 3000 publicly reported data breaches, leading to the exposure of a staggering 44+ billion records.

Fast forward to 2025: ransomware cases decreased by 11.5% year over year, but ransomware-affiliated groups continue to upgrade their attack techniques. In addition, 32% of incidents observed involved attackers using legitimate IT tools for malicious purposes. (IBM)

Here's where Incident Response (IR) can play a game-changing role in preparing and protecting organizations from future threats. We must ask four questions when considering Incident Response Plans:
• What is incident response and why is it important?
• What are the four phases of incident response?
• What are the five steps of incident response?
• Which phase of incident response involves investigation and diagnosis?
We need to answer the 5 Ws of IR (Who, What, Where, When, Why) and How.
Incident Lifecycle:
• Detection: Recognize unusual activity (e.g., alerts from SIEM, EDR). Use threat intelligence and log monitoring.
• Triage: Assess severity and impact. Prioritize based on criticality (e.g., user impact, data risk).
• Containment: Isolate affected systems or networks. Prevent further damage or spread (e.g., block IPs, quarantine files).
• Eradication: Remove root cause (e.g., malware, backdoors). Patch vulnerabilities and eliminate malicious artifacts.
• Recovery: Restore systems to normal operations. Monitor to ensure no reinfection or recurring behavior.
• Lessons Learned: Document what happened and why. Update policies, rules, and playbooks. Conduct internal debrief.
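The Detection and Triage steps of the lifecycle above, as an added Python example that is not part of the original slides: it counts failed logins per (host, source IP) over constructed sample auth log lines, raises an alert once a failure threshold is reached, and ranks the alerts by asset criticality and by whether the same source later logged in successfully. The threshold, the asset-criticality table and the log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data): a password-guessing run against
# web01 that ends in a successful login, a similar run against db01 that does not,
# and one benign failed-then-successful login by a real user.
SAMPLE_LOGS = """\
Jan 10 03:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Jan 10 03:01:05 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 50123 ssh2
Jan 10 03:01:09 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 50124 ssh2
Jan 10 03:01:12 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 50125 ssh2
Jan 10 03:01:15 web01 sshd[1201]: Failed password for backup from 203.0.113.5 port 50126 ssh2
Jan 10 03:01:20 web01 sshd[1201]: Accepted password for backup from 203.0.113.5 port 50127 ssh2
Jan 10 03:02:00 db01 sshd[880]: Failed password for root from 192.0.2.9 port 40001 ssh2
Jan 10 03:02:03 db01 sshd[880]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jan 10 03:02:06 db01 sshd[880]: Failed password for root from 192.0.2.9 port 40003 ssh2
Jan 10 03:02:09 db01 sshd[880]: Failed password for root from 192.0.2.9 port 40004 ssh2
Jan 10 03:02:12 db01 sshd[880]: Failed password for root from 192.0.2.9 port 40005 ssh2
Jan 10 03:05:00 db01 sshd[880]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 03:05:30 db01 sshd[880]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
"""

LINE_RE = re.compile(r"^\S+ \d+ \S+ (\S+) sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+)")
FAIL_THRESHOLD = 5  # assumed detection threshold; tune for the environment
ASSET_CRITICALITY = {"db01": "high", "web01": "medium"}  # assumed asset ratings for triage

def detect_brute_force(logs, threshold=FAIL_THRESHOLD):
    """Detection: count failed logins per (host, source IP); alert at the threshold and
    note whether the same source later got an 'Accepted' (possible compromised account)."""
    failures, successes = defaultdict(int), defaultdict(int)
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, outcome, src = m.groups()
        bucket = failures if outcome == "Failed" else successes
        bucket[(host, src)] += 1
    return [{"host": h, "src": s, "failures": n, "followed_by_success": successes[(h, s)] > 0}
            for (h, s), n in failures.items() if n >= threshold]

def triage(alerts):
    """Triage: rank alerts by asset criticality and whether access was gained, so the
    responder works the most damaging case first."""
    rank = {"high": 2, "medium": 1, "low": 0}
    for a in alerts:
        crit = ASSET_CRITICALITY.get(a["host"], "low")
        a["severity"] = "critical" if a["followed_by_success"] else ("high" if crit == "high" else "medium")
        a["score"] = rank[crit] + (3 if a["followed_by_success"] else 0)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Running `triage(detect_brute_force(SAMPLE_LOGS))` puts the web01 case first (critical: five failures followed by a success) and the db01 guessing run second (high, no success); the single failure by alice never becomes an alert.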
The 5 Ws of IR
Who: State-sponsored attackers.
What: Defacing websites, ransomware, straight-up data theft and DDoS attacks are the typical attacks.
When: With a global hacking community there are no holidays.
Where: Attackers look for entry points ruthlessly; your network, your remote workers, your partners, your suppliers, and the ever-present candy drop of a USB stick can still lead to a breach, or just plain phishing.
Why: Financial motive is still the top reason for attacks.
How: Tactics, techniques, and procedures are evolving, and some of the old tricks (MS Office macros) are making a comeback.
Career & Certification Guidance
• Entry-Level Certifications:
  • CompTIA Security+
  • Microsoft SC-200
  • Blue Team Level 1 (BTL1)
• Learning Platforms:
  • CyberDefenders
  • TryHackMe (Blue Team Path)
  • BlueTeamLabs Online
Wrap-Up & Q&A
Additional resources
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
• https://www.ultimatewindowssecurity.com
• https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html
• https://tryhackme.com/r/room/defensivesecurityintro
THANK YOU