NIST (e.g. the CSF and SP 800-61), PCI DSS and HIPAA are compliance frameworks and regulations that impose requirements on a SOC (what to log, how long to retain it, how incidents must be handled and reported)
Roles:
- SOC Analyst
  - triages and classifies alerts, looks for the root cause, advises on remediation
- Incident Responder
  - performs the initial assessment and handling of confirmed security breaches
- Threat Hunter
  - proactively investigates potential threats and vulns that did not trigger an alert
  - manual + automated techniques to deal with sophisticated attacks
  - deep understanding of the org's IT and security posture
- Security Engineer
  - builds and maintains the SIEM (Security Information and Event Management) and the other security tooling
- SOC Manager
  - operational management (staffing, process, reporting) rather than technical issues
---
### Analyst Responsibilities
- review alerts in the SIEM and determine which are real threats (true positives) and which are false positives
- utilize various EDR (Endpoint Detection and Response) tools to investigate the affected endpoints
- understand the basics/typical operation of OSs, networking and malware analysis, so that abnormal behaviour stands out
---
#### SIEM - Security Information and Event Management
Security solution that collects and correlates log events from many sources in (near) real time in order to detect security threats.
- correlation rules filter the data and raise alerts for the analyst
Popular SIEM solutions: IBM QRadar, ArcSight ESM, FortiSIEM, Splunk
#### Relationship between SOC Analyst and SIEM
Analysts typically only track alerts, not the raw log stream
- alerts are generated from the data that passes through the correlation rules/filters
View alerts in the Main Channel
- select an alert to work on
- click the "take ownership" button so nobody else works the same alert in parallel
- gather the information required to investigate (source/destination, user, process, hash, time)
If a false positive is generated, the analyst should be able to identify it and provide feedback so the rule can be tuned
---
#### Log Management
Provides access to all logs in one environment:
- web servers
- OS
- firewall
- proxies
- EDR
Manage and search them in one place
Use it to determine whether there are communications with a particular address anywhere across the organization, and to view the details of that communication (which internal hosts, ports, times, how much data)
---
#### EDR - Endpoint Detection and Response
Integrated endpoint security solution that combines continuous monitoring and collection of endpoint data (process, file, network and registry activity) with rules-based automation and analysis
Common:
- CarbonBlack
- SentinelOne
- FireEye HX
If you have an IOC, perform a search in the EDR to determine whether there is a match on any endpoint.
- For example, search for a file hash to determine whether the file exists or is being executed on other devices
- An exact-hash search only finds identical files; a recompiled or repacked copy of the same malware has a different hash, so also search by file name, path or parent process
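The "search for communications with an address across the organization" task from Log Management and the EDR hash search above, as an added example that is not part of the original notes and does not use any SIEM or EDR product's API: plain Python that normalizes constructed firewall, proxy and EDR log lines into one event shape, then searches them for an IP or a SHA-256 and reports which internal endpoints are involved. The log layouts, hostnames, IPs and hashes are all constructed for the example.

```python
"""Added example (not part of the original notes): a minimal log-management
search across firewall, proxy and EDR logs, plus an EDR-style IOC hash search.
All log lines, hosts, IPs and hashes below are constructed for the example."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

HASH_A = "a1b2c3d4" * 8   # constructed SHA-256 of the suspect update.exe
HASH_B = "0f0f1e1e" * 8   # constructed SHA-256 of a benign binary

# Firewall: syslog-style key=value lines (constructed)
FIREWALL_LOGS = [
    "time=2024-03-01T10:02:11Z host=fw-edge-1 action=allow proto=tcp src=10.0.5.23 dst=203.0.113.45 dport=443",
    "time=2024-03-01T10:02:13Z host=fw-edge-1 action=deny proto=tcp src=10.0.7.8 dst=198.51.100.9 dport=22",
    "time=2024-03-01T10:05:40Z host=fw-dc-2 action=allow proto=tcp src=10.0.9.14 dst=203.0.113.45 dport=8443",
]
# Proxy: Squid native access.log layout (epoch, duration, client, code/status,
# bytes, method, URL, user, hierarchy/peer, content-type) (constructed)
PROXY_LOGS = [
    "1709287331.210 120 10.0.5.23 TCP_MISS/200 5120 GET http://203.0.113.45/update.php - HIER_DIRECT/203.0.113.45 application/octet-stream",
    "1709287600.004 45 10.0.3.3 TCP_HIT/200 812 GET http://intranet.example/index.html - NONE/- text/html",
]
# EDR: one JSON object per process-start event (constructed)
EDR_LOGS = [json.dumps(e) for e in [
    {"ts": "2024-03-01T10:02:09Z", "host": "WS-0523", "event": "process_start",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "sha256": HASH_A, "parent": "outlook.exe"},
    {"ts": "2024-03-01T10:05:38Z", "host": "WS-0914", "event": "process_start",
     "image": r"C:\ProgramData\svc\update.exe", "sha256": HASH_A.upper(), "parent": "services.exe"},
    {"ts": "2024-03-01T10:06:00Z", "host": "WS-0303", "event": "process_start",
     "image": r"C:\Windows\System32\notepad.exe", "sha256": HASH_B, "parent": "explorer.exe"},
]]


@dataclass
class Event:
    """Normalized event: the common shape a log-management layer gives every source."""
    source: str
    ts: str                      # ISO-8601 UTC, so string order == time order
    host: str                    # device that produced the log
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    sha256: Optional[str] = None
    detail: str = ""


def parse_firewall(line: str) -> Event:
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return Event("firewall", kv["time"], kv["host"], kv["src"], kv["dst"], None,
                 f'{kv["action"]} {kv["proto"]}/{kv["dport"]}')


def parse_proxy(line: str) -> Event:
    f = line.split()
    ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    peer = f[8].split("/", 1)[1]          # "HIER_DIRECT/203.0.113.45" -> "203.0.113.45"; "NONE/-" -> "-"
    return Event("proxy", ts, "proxy-1", f[2], peer if peer != "-" else None, None,
                 f"{f[5]} {f[6]} {f[3]}")


def parse_edr(line: str) -> Event:
    d = json.loads(line)
    # hashes are compared case-insensitively: agents differ in casing
    return Event("edr", d["ts"], d["host"], None, None, d["sha256"].lower(),
                 f'{d["event"]} {d["image"]} parent={d["parent"]}')


def load_all() -> List[Event]:
    """Ingest every source into one time-ordered list, as log management does."""
    events = ([parse_firewall(l) for l in FIREWALL_LOGS]
              + [parse_proxy(l) for l in PROXY_LOGS]
              + [parse_edr(l) for l in EDR_LOGS])
    return sorted(events, key=lambda e: e.ts)


def find_communications(events: List[Event], ip: str) -> List[Event]:
    """Every event, from any source, where the address is the client or the server."""
    return [e for e in events if ip in (e.src_ip, e.dst_ip)]


def find_hash(events: List[Event], sha256: str) -> List[Event]:
    """EDR-style IOC search: exact hash match only (a repacked sample would not match)."""
    h = sha256.lower()
    return [e for e in events if e.sha256 == h]


def scope(matches: List[Event]) -> List[str]:
    """Internal endpoints (client IP or EDR host) involved in a set of matches:
    the 'is this happening anywhere else on the network?' question."""
    return sorted({e.src_ip or e.host for e in matches})


def describe(e: Event) -> str:
    return f"{e.ts} [{e.source}] {e.host} {e.src_ip or ''}->{e.dst_ip or ''} {e.detail}"


if __name__ == "__main__":
    events = load_all()
    for e in find_communications(events, "203.0.113.45"):
        print(describe(e))
    print("endpoints talking to 203.0.113.45:", scope(find_communications(events, "203.0.113.45")))
    print("endpoints that ran the suspect hash:", scope(find_hash(events, HASH_A)))
```

The point of normalizing first is that one search answers the question across sources: the alert may have fired on WS-0523 only, but the firewall shows a second internal host, 10.0.9.14, talking to the same address, and the EDR shows the same hash executing on WS-0914, so the incident is not confined to one machine.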
---
#### SOAR - Security Orchestration Automation and Response
Enables security products and tools to work together, streamlining the repetitive tasks of the SOC team.
Common:
- Splunk Phantom
- IBM Resilient
- Logsign
- Demisto
Process automation (enrichment steps run automatically when an alert arrives):
- IP address reputation check
- hash query against threat intel
- scan an acquired file in a sandbox environment
- ...
Wraps tools from many vendors under one interface
##### Playbooks
Easily investigate alerts using playbooks
- the steps are outlined so you don't have to remember all the procedures
- ensure the entire SOC team is on the same page during analysis (same process, repeatable results)
Clicking on open cases lets you view the automatically assigned playbooks
---
#### Threat Intelligence Feed
Data provided by a third party, includes known C2 servers, malicious domains/IP addresses, file hashes, etc.
Common free:
- VirusTotal
- Talos Intelligence
Remember:
- If an indicator run through the feeds does not show up, that doesn't mean the file is clean; it may simply never have been seen before
- IP addresses can change hands, so an old reputation (malicious or clean) may no longer describe the current owner
---
#### Common Mistakes
- Over-reliance on VirusTotal
  - new or repacked malware can bypass the signature/fingerprinting techniques the engines use, so 0 detections is not proof of a clean file
- Hasty analysis of malware in a sandbox
  - sophisticated malware can detect sandboxes and behave benignly
  - may have a longer sleep timer than the analysis window, so nothing malicious is observed during the run
- Inadequate log analysis
  - when you confirm malware on one host, check the logs to make sure connections to the same destination aren't being established from elsewhere on the network
- Overlooking VirusTotal dates
  - query results can be cached and show an old analysis date
  - make sure to request a new analysis (re-scan) rather than trusting the cached result
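The SOAR enrichment steps listed under Process Automation (IP reputation, hash query, sandbox result), written so that they respect the Threat Intelligence and Common Mistakes caveats above. This is an added example, not part of the original notes and not any vendor's playbook or API: the reputation tables, sandbox run record, 30-day staleness threshold and detection thresholds are all constructed for the example.

```python
"""Added example (not part of the original notes): a SOAR-style enrichment step
that encodes the threat-intel caveats as code. The intel tables, sandbox records
and thresholds below are constructed stand-ins, not a real feed or vendor API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed hash / IP reputation results, in the shape a feed lookup returns.
HASH_INTEL = {
    "a1b2c3d4" * 8: {"malicious": 0, "total": 70, "last_analysis": "2023-01-15T08:00:00Z"},   # old cached result
    "0f0f1e1e" * 8: {"malicious": 42, "total": 70, "last_analysis": "2024-02-28T12:00:00Z"},
}
IP_INTEL = {
    "203.0.113.45": {"malicious": 5, "total": 80, "last_seen": "2024-02-29T00:00:00Z"},
    "192.0.2.77": {"malicious": 3, "total": 80, "last_seen": "2022-11-01T00:00:00Z"},         # reputation is years old
}
# Constructed sandbox run: the sample slept longer than the sandbox ran.
SANDBOX_RUNS = {
    "a1b2c3d4" * 8: {"timeout_s": 120, "longest_sleep_s": 600, "network": []},
}
STALE_AFTER = timedelta(days=30)      # assumed threshold for "cached result, re-scan it"
MALICIOUS_MIN_DETECTIONS = 5          # assumed threshold for calling a hash malicious outright


@dataclass
class Verdict:
    indicator: str
    verdict: str                      # malicious | suspicious | inconclusive | unknown (never "clean")
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def _parse(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _now(now: Optional[str]) -> datetime:
    return _parse(now) if now else datetime.now(timezone.utc)


def assess_hash(sha256: str, now: Optional[str] = None,
                hash_intel=HASH_INTEL, sandbox=SANDBOX_RUNS) -> Verdict:
    """Hash query + sandbox result, with the 'unseen is not clean' and 'stale cache' rules."""
    at = _now(now)
    h = sha256.lower()
    v = Verdict(h, "unknown")
    rep = hash_intel.get(h)
    if rep is None:
        v.reasons.append("not present in any feed: unseen, which is not the same as clean")
        v.actions.append("detonate in sandbox")
    else:
        if at - _parse(rep["last_analysis"]) > STALE_AFTER:
            v.reasons.append(f"feed result dated {rep['last_analysis']} is cached and stale")
            v.actions.append("request fresh analysis (re-scan)")
        if rep["malicious"] >= MALICIOUS_MIN_DETECTIONS:
            v.verdict = "malicious"
        elif rep["malicious"] > 0:
            v.verdict = "suspicious"
        else:
            v.reasons.append("0 detections: new or repacked samples evade signature fingerprinting")
    run = sandbox.get(h)
    if run is not None:
        if run["longest_sleep_s"] > run["timeout_s"]:
            # Nothing was observed, so the run proves nothing either way.
            if v.verdict == "unknown":
                v.verdict = "inconclusive"
            v.reasons.append("sandbox timed out before the sample's sleep elapsed; behaviour unobserved")
            v.actions.append("re-run with longer timeout or sleep patching")
        elif run["network"]:
            v.verdict = "malicious" if v.verdict == "malicious" else "suspicious"
            v.reasons.append(f"sandbox observed connections to {run['network']}")
    return v


def assess_ip(ip: str, now: Optional[str] = None, ip_intel=IP_INTEL) -> Verdict:
    """IP reputation check, with the 'addresses change hands' rule."""
    at = _now(now)
    v = Verdict(ip, "unknown")
    rep = ip_intel.get(ip)
    if rep is None:
        v.reasons.append("not in feed: unknown, not clean")
        return v
    if rep["malicious"] > 0:
        v.verdict = "malicious"
    if at - _parse(rep["last_seen"]) > STALE_AFTER:
        v.reasons.append(f"last seen {rep['last_seen']}: the address may have changed hands since")
        v.actions.append("confirm current owner (whois / passive DNS) before blocking")
    return v


if __name__ == "__main__":
    for v in (assess_hash("a1b2c3d4" * 8, "2024-03-01T10:00:00Z"),
              assess_hash("ff" * 32, "2024-03-01T10:00:00Z"),
              assess_ip("192.0.2.77", "2024-03-01T10:00:00Z")):
        print(v.indicator[:16], v.verdict, v.reasons, v.actions)
```

The verdict set deliberately has no "clean" value: a hash nobody has submitted, a zero-detection result from a year ago, and a sandbox run the sample slept through all come back as "unknown" or "inconclusive" with a follow-up action, which is what an analyst should see in the case rather than a green checkmark.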