Many beginners entering cybersecurity and SOC analysis rush toward tools, dashboards, and alerts. However, experienced analysts know that most SOC mistakes are not tool-related but concept-related. If you do not understand how network traffic behaves, how IP addresses are translated, and how services communicate, alerts will look random and confusing.
Day 5 is designed to fix that problem.
This day focuses on four deeply connected networking concepts:
Network Traffic Flow
NAT (Network Address Translation)
VAT / PAT (Port Address Translation)
Ports and Services
Together, these topics form the mental model every SOC analyst must have before touching SIEMs, IDS, or firewall logs.
Understanding Network Traffic Behaviour
What Is Network Traffic?
Network traffic refers to the movement of data packets from a source system to a destination system across a network. This movement is not random. Every packet follows a defined path, passes through specific devices, and carries identifiable attributes such as IP addresses, ports, protocols, and timing.
For a SOC analyst, traffic is not “data moving on the network.”
It is evidence.
Traffic Flow tells you:
where the data originated,
where it is going,
how frequently it is communicating,
and whether the communication pattern makes sense.
Security monitoring is essentially traffic interpretation.
Traffic Direction and Why It Matters
One of the most important ways to understand traffic is by looking at its direction.
North–South Traffic
North–south traffic is traffic that moves between an internal network and the internet. This includes users browsing websites, servers communicating with cloud platforms, and systems downloading updates.
This traffic usually passes through perimeter devices such as firewalls, gateways, and NAT systems. Because it crosses the network boundary, it is often well-logged and monitored.
From a SOC perspective, north–south traffic is commonly associated with:
external attacks,
malware command-and-control communication,
data exfiltration attempts.
Most beginner analysts focus only on this traffic, assuming that internal traffic is safe. That assumption is dangerous.
East–West Traffic
East–west traffic is traffic that moves within the internal network itself. Examples include server-to-server communication, database queries, internal scans, and lateral movement.
Modern attackers prefer east–west traffic because:
it often bypasses perimeter security,
it is less monitored,
it allows attackers to spread silently.
In real SOC operations, post-compromise activity almost always appears in east–west traffic.
Ignoring internal traffic is one of the most costly mistakes a SOC analyst can make.
Inbound and Outbound Traffic
Another important distinction is whether traffic is inbound or outbound.
Inbound traffic originates from outside the network and enters internal systems. This traffic is usually tightly controlled and represents obvious attack vectors.
Outbound traffic originates from inside the network and exits to the internet. Many organizations allow outbound traffic by default, which makes it attractive for attackers.
A critical SOC mindset is understanding that:
Outbound traffic is not automatically safe.
Malware frequently communicates outward to command servers, downloads payloads, and exfiltrates data using outbound connections.
NAT (Network Address Translation)
What Is NAT?
Network Address Translation (NAT) is a process that translates private IP addresses into public IP addresses and vice versa.
Internal networks use private IP ranges that are not routable on the internet. NAT enables these internal systems to communicate externally without exposing their internal addressing scheme.
In simple terms, NAT acts as a translator between private networks and the public internet.
Why NAT Exists
NAT exists primarily because of IPv4 address exhaustion. Public IPv4 addresses are limited, while private IP addresses can be reused indefinitely within organizations.
NAT allows:
conservation of public IP addresses,
internal network abstraction,
controlled internet access for private systems.
It is important to clarify that NAT is not a security control. While it hides internal IP addresses, it does not inspect, filter, or block traffic.
How NAT Works Conceptually
When an internal system initiates communication with the internet, the NAT device replaces the private source IP with a public IP. A mapping entry is stored so that when the response returns, it can be forwarded back to the correct internal host.
Become a Medium member
This mapping is stored in a NAT translation table.
For SOC analysts, NAT logs and translation tables are critical because they enable attribution. Without them, identifying the true source of traffic is extremely difficult.
Types of NAT
Static NAT
Static NAT creates a permanent one-to-one mapping between a private IP and a public IP. This type of NAT is commonly used for public-facing servers that must always be reachable from the internet.
From a SOC perspective, static NAT makes attribution easier because the public IP always maps to the same internal system. However, it also increases exposure if the system is misconfigured or vulnerable.
Dynamic NAT
Dynamic NAT maps private IP addresses to a pool of public IP addresses on a temporary basis. The mapping exists only while the session is active.
Because public IPs change over time, SOC investigations involving dynamic NAT require precise timestamp correlation. Logs become essential for determining which internal host was using a specific public IP at a given moment.
VAT / PAT (Port Address Translation)
What Is VAT?
VAT, commonly known as PAT or NAT Overload, allows multiple private IP addresses to share a single public IP address by using port numbers to distinguish sessions.
This is the most widely used form of NAT in modern networks, including home routers, enterprise environments, ISPs, and cloud infrastructures.
How VAT Works
With VAT, every internal connection is assigned a unique source port on the public IP. The NAT device tracks these mappings so that return traffic can be correctly delivered.
Because of VAT:
one public IP can represent thousands of internal systems,
ports become critical for session identification.
This significantly complicates SOC investigations.
SOC Impact of VAT
When analysts see logs showing the same public IP generating multiple connections, it does not mean a single system is responsible. It could represent hundreds of users behind a NAT device.
Without source port and timestamp information:
Accurate attribution is impossible.
This is why SOC teams frequently request NAT and VAT logs during investigations.
Ports and Services
What Is a Port?
A port is a logical number used by an operating system to identify which application or process should receive incoming traffic.
An IP address identifies the system.
A port identifies the application on that system.
Without ports, a system could run only one network service at a time.
What Is a Service?
A service is a software process that listens on a port to provide network functionality. Web servers, email servers, and remote access daemons are all examples of services.
Ports and services work together:
the port acts as the entry point,
the service performs the function.
Port and Service Mapping
Ports and services are linked by convention rather than enforcement. While certain ports are commonly associated with specific services, any service can technically run on any port.
This flexibility is frequently abused by attackers. Malware often uses common ports such as 80 or 443 to blend into normal web traffic.
Client and Server Port Roles
Servers listen on fixed, well-known ports so that clients know where to connect. Clients use temporary, ephemeral ports that change with each session.
A common beginner mistake is confusing source ports with destination ports during traffic analysis. SOC analysts must clearly understand which side initiated the connection.
Why Port Numbers Do Not Equal Safety
Many assume that traffic on common ports is safe. This assumption is incorrect.
Encrypted traffic can carry malicious payloads. Legitimate ports can be abused. SOC analysis must consider Behavior, frequency, destination, and context rather than relying on port numbers alone.
How All Concepts Connect in SOC Analysis
These topics are not separate. They form a single chain:
Traffic Flow explains how data moves.
NAT hides internal IP structure.
VAT makes ports critical for identity.
Ports and services explain what kind of activity is happening.
SOC analysis is about correlating all of these factors together.
A realistic SOC identity is determined by:
IP address + Port + Time + Behavior
Final Thoughts
Day 5 is not about memorizing definitions.
It is about learning to see the network the way attackers and defenders do.
When an alert appears, a skilled SOC analyst does not panic. Instead, they ask:
Does this traffic flow make sense?
Is this service expected on this host?
Does the timing and pattern align with normal behavior?
Mastering these fundamentals transforms SOC work from guessing into reasoning.
Top comments (0)