Sharing here some of the basic concepts which an entry-level analyst should know for a SOC role.
OWASP Top 10
The OWASP Top 10 is the foundational list of the most commonly seen web application vulnerabilities.
The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. OWASP provides free and open resources and is led by a non-profit called The OWASP Foundation.
The Top 10 currently includes:
Broken Access Control
Cryptographic Failures
Injection attacks
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Broken Authentication
Security Logging and Monitoring Failures
Server-Side Request Forgery
A WAF is typically deployed as a reverse proxy (in front of servers), while NGFWs are often forward proxies (in front of clients such as a browser).
Traffic analysis
Traffic analysis is one of the essential approaches used in network security, and it is part of multiple disciplines of network security operations listed below:
Network Sniffing and Packet Analysis
Network Monitoring
Intrusion Detection and Prevention
Network Forensics
Threat Hunting
There are two main techniques used in Traffic Analysis:
Flow Analysis
Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.
Packet Analysis
Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.
Benefits of Traffic Analysis:
Provides full network visibility.
Helps with comprehensive baselining for asset tracking.
Helps to detect/respond to anomalies and threats.
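The flow-versus-packet distinction above, as an added example (not part of the original notes): flow analysis only aggregates counters per source/destination/port and can still surface a statistical anomaly such as one host touching many ports, while packet analysis (DPI) reads payload bytes and catches things flow records never see. The packet records, the Packet class and the helper names are constructed for this example.

```python
"""Flow analysis vs packet analysis on constructed packet records.
Added example (not part of the original notes). Packet, summarise_flows,
find_port_scanners and inspect_payloads are hypothetical helper names."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int
    payload: bytes

# Constructed sample traffic: an HTTPS session, one host probing several ports
# on a single target with empty payloads, and a cleartext HTTP login.
PACKETS = [
    Packet("10.0.0.5", "93.184.216.34", 443, 517, b"\x16\x03\x01"),
    Packet("10.0.0.5", "93.184.216.34", 443, 1460, b"\x17\x03\x03"),
    Packet("10.0.0.9", "10.0.0.20", 22, 60, b""),
    Packet("10.0.0.9", "10.0.0.20", 23, 60, b""),
    Packet("10.0.0.9", "10.0.0.20", 80, 60, b""),
    Packet("10.0.0.9", "10.0.0.20", 445, 60, b""),
    Packet("10.0.0.7", "10.0.0.30", 80, 220, b"GET /login?user=admin&pass=Winter2024 HTTP/1.1"),
]

def summarise_flows(packets):
    """Flow analysis: per (src, dst, dport) counters, payloads never read."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        f = flows[(p.src, p.dst, p.dport)]
        f["packets"] += 1
        f["bytes"] += p.size
    return dict(flows)

def find_port_scanners(flows, min_ports=4):
    """Statistical finding from flow data alone: one source hitting many ports."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, ps in ports.items() if len(ps) >= min_ports)

def inspect_payloads(packets):
    """Packet analysis (DPI): read payload bytes, which flow records cannot do."""
    hits = []
    for p in packets:
        if p.dport == 80 and b"pass=" in p.payload:
            hits.append((p.src, p.dst, "cleartext credential in HTTP"))
    return hits
```

Running the flow summary first and the payload inspection second mirrors the two techniques: the summary is cheap and gives the baseline, DPI is the expensive step reserved for the traffic that warrants it.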
Why SOC
=======
Compliance Purpose
Log management
Events Monitoring
Threat Response
SOC Types
=========
Private SOC - On premise dedicated to an enterprise.
Hybrid SOC - On premise SOC team works with external experts to run the SOC operations.
Command SOC - high-level SOC which oversees multiple lower-level SOCs in multiple geographical regions.
MSSP/Outsourced SOC - run by a Managed Security Service Provider.
Virtual SOC - team is distributed across different regions and works remotely.
SOC Agenda
==========
Process
Alerts
Investigation
Incidents
Reports
SOC Processes
=============
Alerts/Alarm/notification/offenses
Alert fatigue
Assignment
Triage
Investigation
Closure (false positive, category)
Client Confirmation (need more info, so create ticket/email to client)
Detection Engineering (repeated false positive/noise to fine tune the alert)
Cyber Threat Intelligence (artifacts related to some malicious file, so involve/Escalate CTI to confirm)
L2 Escalation
Incident Response - why, who, what, where, how
Orchestration
SOAR
Security Orchestration, Automation and Response.
Security Orchestration is a method of connecting disparate security technologies through standardized and automatable workflows that enable security teams to effectively carry out incident response and security operations.
Security Technologies
Ticketing
DLP
SIEM
EDR
CTI(TIP)
Email and Web gateways
Network Security
Vulnerability Management
Cloud Tools
IAM/PAM
Automatable Workflows
====================
Finding indicator reputation from CTI tools.
Managing tickets in ticketing platform.
Isolating machines?
Sending emails to affected users?
Manual
=======
Processes which cannot be automated:
collect further evidence
resolving an alert dependent on user approval
pivoting during an investigation based on gained information.
Eg:
#An alert fires from the SIEM
#We triage the alert
#SOAR triages it, extracts the hash of the file and sends it to the TIP
#If the TIP reports that the hash has a bad reputation,
#Orchestration contacts the EDR and gives it an instruction/rule to block this file hash.
#SOAR performs a search on the SIEM solution and finds other endpoints that have this hash.
#The playbook steps are followed one by one,
until the alert is finalized: closed as a false positive, or flagged as needing manual intervention.
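The playbook flow above, as an added example (not any SOAR product's code): a SIEM hash alert is enriched against the TIP, a malicious verdict pushes a block rule to the EDR and scopes the hash across other endpoints via the SIEM, a clean verdict closes the alert as a false positive, and an unknown verdict is handed to an analyst. TIP, EDR and SIEM are in-memory stand-ins, and every hash value is a constructed placeholder.

```python
"""SOAR-style playbook for a SIEM file-hash alert, following the steps in the
notes above: triage -> TIP reputation -> EDR block -> SIEM search -> close or
escalate. Added example, not any SOAR product's code; TIP, EDR and SIEM are
in-memory stand-ins, and every hash value below is a constructed placeholder."""

# Constructed TIP data: reputation by file hash (placeholders, not real IoCs).
REPUTATIONS = {"<sha256-bad>": "malicious", "<sha256-clean>": "clean"}

class TIP:
    """Threat Intelligence Platform stand-in."""
    def reputation(self, sha256):
        return REPUTATIONS.get(sha256, "unknown")

class EDR:
    """EDR stand-in: remembers block rules pushed by the orchestrator."""
    def __init__(self):
        self.blocked = set()
    def block_hash(self, sha256):
        self.blocked.add(sha256)

class SIEM:
    """SIEM stand-in over constructed process-creation events (host, sha256)."""
    def __init__(self, events):
        self.events = events
    def hosts_with_hash(self, sha256):
        return sorted({host for host, h in self.events if h == sha256})

def run_playbook(alert, tip, edr, siem):
    """Run the playbook and return the verdict plus hosts needing follow-up."""
    sha256 = alert["file_sha256"]
    verdict = tip.reputation(sha256)
    if verdict == "unknown":
        # Cannot decide automatically: route to an analyst (manual step).
        return {"status": "manual_review", "hosts": [alert["host"]]}
    if verdict != "malicious":
        # Clean reputation: close as false positive, feed detection engineering.
        return {"status": "false_positive", "hosts": []}
    edr.block_hash(sha256)                 # orchestration: push EDR block rule
    hosts = siem.hosts_with_hash(sha256)   # scope: which other endpoints saw it?
    return {"status": "escalate_l2", "hosts": hosts}

# Constructed sample run: the alerting host and one other host share the bad hash.
SAMPLE_EVENTS = [("host-a", "<sha256-bad>"), ("host-b", "<sha256-bad>"),
                 ("host-c", "<sha256-clean>")]
SAMPLE_ALERT = {"host": "host-a", "file_sha256": "<sha256-bad>"}

if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERT, TIP(), EDR(), SIEM(SAMPLE_EVENTS)))
```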
Automation
Executing a single task on its own, repeatedly.
Orchestration
Multiple single tasks are executed together as one workflow.
Task -> Automation -> Orchestration
Workflows
========
Playbooks
A step-by-step plan of action that serves as the response to the different scenarios which may arise.
Dependent on event type, organization policies and structure.
Playbooks become the basis for Orchestration.
EDR
===
Endpoint
Detection
Response
Solution that records behavior on endpoints, detects suspicious behavioral patterns using data analytics and context-based information, blocks threats, and helps security analysts remediate and restore compromised systems.
EDR Collecting:
==============
Network connections
Process Executions
Registry Modifications
Currently Running Processes
Cross Process Events
EDR Solutions in Market:
===========================
VMware Carbon Black
Endgame
CrowdStrike Falcon
SOC technology
SIEM
EDR - visibility on the below:
process creation, network connections, file creation, registry modifications, DLL injections, whether a process connects to the internet, whether it downloads any files while connected, or any other behavior.
Ticketing System - Service Now/Jira
Threat Intelligence Platform - TIP
SOAR - automate
Types
Internal SOC - internal company alone.
Distributed SOC - small or big.
Global SOC - 8 to 5 shifts in different regions.
Co-Managed SOC - agreement signed with a vendor.
L1 Analyst
Alert Triage
1st Line of Defense
Identifying anomalies
Performing Investigations
Raising requests for whitelisting or escalating to L2
L2 Analyst
Monitoring Alerts
Threat Hunting
Resource Mentoring
Creating & Approving Whitelists
Handling Escalated Investigations
SOC Lead/L3 Analyst
Client Onboarding
Incident Management
Report and Documentation
Stakeholders Communication (Technical)
SOC Manager
Strategy and Road Map Development
Addition of new services
OPEX and CAPEX
Resource Training
Coordination with all stakeholders
Responsible for Security Operations
SIEM Engineer
Detection Use cases
SIEM Administration
Assisting SOC resources with Reports and Queries
Reporting and Dashboards
End Result
Threat Monitoring
Incident Response
Risk Management
Threat Intelligence
Vulnerability Management
Process - Series of actions
Monitoring
Alerting and Investigation
Escalation Process
Contextual Information Gathering
Incident Declaration
Incident Reporting
Report Sharing
Asset Discovery
summary
Who will perform this action?
What will trigger the action?
How will the action be performed?
Who are involved in the action?
Pyramid of Pain and Indicator of Compromise
Indicator of Compromise
Indicator of Attack
Hashes
IPs
Domains
Network
Host
Tools
TTP
Threat Intelligence
IT Analyst - Use the threat intelligence in preventive defense
SOC Analyst - Enhance detection capabilities of the organization
Incident Response - Enhanced and Well-informed capabilities for incident response.
Threat Intel Analyst - Rapidly extract more details about specific threat actors.
Risk Analyst - Accurate and timely information about the vulnerabilities.
Executive Management - Understanding the risks an organization faces and correlating them with threat intelligence reports to make informed decisions.
Malware
Malicious Software that causes harm to a user, computer or environment.
It could be a virus, trojan, worm, ransomware etc.
Virus - a piece of code that attaches itself to a host/exe file and spreads across computers and networks.
Trojan - acts like a legitimate program while taking control of the user's computer and stealing data.
Ransomware - malware specifically designed so that the user cannot access their data unless they pay a ransom.
Malware Analyst
Prepares a profile of the malware after analyzing it
(please refer to the SIEM points above):
behaviour of the Threat Actor
indicators of Attack & compromise
goals that the attacker wants to achieve
Contextual information
artifacts collection
Behavior understanding
Defense Enhancement
Automating Future Detections
Stages of Malware Analysis
Automated - use the sandbox
Static - understand what this file is: dll, exe, etc.
Dynamic - run the file in a safe environment and see what changes in the system: any internet connection, registry changes, changes in the file system, process changes.
Manual - open the file in a tool and go through the code.
How to protect yourself
use VPN
Protect your machine (use a VM)
Isolated Systems
Online Resources
VirusTotal - Free service that analyzes files and URLs for viruses, worms, trojans and other malicious content.
Virus scan - Free online scan service which checks uploaded files for malware using multiple antivirus engines.
Hybrid Analysis - File analysis approach that combines runtime data with memory dump analysis to extract all possible pathways even for the most evasive malware.
Any.Run - An interactive malware analysis sandbox