SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter

What is SOC?

                   Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology. 
SOC Architecture

PEOPLE:

                 The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response. Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM. 

 Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst. Level 1 analysts set rules for filtering out noise and determining which alerts get bubbled up to Level 2 analysts.

 Level 2 are responsible for drilling down into the alerts they receive from Level 1 and correlating them with other information to see if a security incident might have occurred and determine the appropriate responses. As part of this exercise, they try to understand the potential impact of the security incident on enterprise assets and help guide incident response.

 Level 3 analysts are seasoned security experts whose primary responsibilities are to proactively look for threats on the network and snuff them out rather than waiting on alerts before initiating action, and to work with the Level 1 and 2 teams when the likelihood of a threat has emerged. 
Multiple roles with different background, skills, pay levels, personalities

PROCESS:

              Before standing up a SOC capability, an organization needs to have a clear idea of existing capabilities, the right size for the effort, and whether the capability can be delivered internally or requires a service provider. 

               Quality SOC centers and processes are all about flow. Processes require extreme standardization of actions to make sure nothing is omitted. In my experience, creating repeatable incident management workflows and processes ensure that team members will function effectively as a cohesive unit when escalating an alert from Tier 1 to Tier 3. Based on the standardization of these workflows, resources can then be allocated very effectively.


TECHNOLOGY:

                 Core technologies such as SIEM having multiple solutions like data (raw log/packets) collection, aggregation, normalization, detection, and analytics is a secret of the effectiveness of SOC. For perfect Monitoring, SIEM (Security Information and Event Management) is all about one technology used in SOC. SIEM collects raw logs from multiple log sources like desktop, laptop, mobiles, servers, network as well as from Security devices convert it into logical security events and populate on SIEM console for further process of raising Security incidents. Based on defined correlation rule SIEM triggers the events. SOC consists of SIEM tools like Qradar, ArcSight, LogRhythm, Splunk and many more. every SIEM tool Detects threats and generate Security Alert in order to mitigate them. 

SIEM: Qradar and Logrhythm

Incident Response Process:



Incident Response Process

 The Incident Response Process consist of Six Phases as mentioned below :
  1. Detection
  2. Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-Incident Activities

Detection Phase:

                    In Detection Phase it identifies a Security Event that is the result of a potential exploitation of a Security Vulnerability or a Security Weakness. Even if Personnel are not sure whether a Security Event is an actual Security Incident they are still required to report it as provided herein, as it is better to be cautious than to be compromised. The Following situations should be considered for Security Event reporting:
  • Ineffective security controls;
  • Breach of information integrity, confidentiality or availability expectations;
  • Human errors;
  • Non–compliance with policies or standards;
  • Breaches of physical security arrangements;
  • Uncontrolled systems changes;
  • Malfunctions of software or hardware;
  • Access violations.
Analysis Phase:

                  In this phase the SOC team determines whether or not a Security Event is an actual Security Incident? The type of Security Incident is based on the nature of the event. If Malware is Detected, then via two approaches it can be Analysed like Static malware Analysis and Behavioral Malware Analysis. few things to be noted for analysis like source IP, destination IP, source port, destination port, severity, event count, log source and signature.  



                       Analyse Phase used to determine the root cause of the Security Event and determine under which group it should be Categorized. After Analyzing malware it can be categorized under common Event names, Example types are listed as follows:
  • Data exposure.
  • Unauthorized access.
  • Distributed Denial of Service/ Denial of Service (DDoS/DoS).
  • Malicious code.
  • Improper usage.
  • Scans/Probes/Attempted access.
Very important concept of Analysis Phase that it Defines Severity Level and Potential Impact.

Containment Phase: 

                        In this phase it mitigates the root cause of the Security Incident to prevent further damage or exposure. This phase attempts to limit the impact of a Security Incident prior to an eradication and recovery event. following steps to be taken in containment phase: 
  • Secure the physical and network perimeter.
  • Shutting down a system 
  • disconnecting it from the network, and/or disabling certain functions or services.
  • Connect through a trusted connection and retrieve any volatile data from the affected system.
  • Appropriateness of backing the system up and determine the relative integrity of Data
  • Change the password(s) to the affected system(s). Personnel, as appropriate, are to be notified of the password change.
  • Determine whether it is safe to continue operations with the affected system(s).
  • Limit the Impact of Incident

Eradication Phase: 

                    The Eradication Phase is the phase where vulnerabilities causing the Security Incident, and any associated compromises, are removed from the environment.  following steps should be taken to remove threat from environment: 
  • Determine the symptoms and cause related to the affected systems.
  • Rebuilding Operating System.
  • Strengthen the controls surrounding the affected systems.
  • If additional issues or symptoms are identified, take appropriate preventative measures to eliminate or minimize potential future compromises.
  • Run Antivirus Software.
  • Update the Incident Record with the information learned from the vulnerability assessment, including the cause, symptoms, and method used to fix the problem with the affected systems.
  • Uninstalling Infected Software.
  • If necessary, escalate to higher levels of support to enhance capabilities, resources, or time-to-eradication.
  • Remove threat from Environment.
  • Clean Up the System.
  • Replace Hard disk if required.
  • Reconstruct the Network.
  • Eliminate components of the Security Incident. This may include deleting malware, disabling breached user accounts, etc.

Recovery Phase: 

                   In this phase restore the affected systems to operation after the resulting security Threats in our network. Although the specific actions taken during the Recovery Phase can vary depending on the identified Security Incident, the standard process to accomplish this is as follows:
  • Installing patches.
  • Rebuilding systems.
  • Changing passwords
  • Service restoration as per policies plans
  • system validation
  • Testing system/Networks
  • certifying that systems are operational
  • Restoring systems from clean backups.
  • Replacing affected files with clean versions.

Post Incident Review: 

                     In this phase, Reviews the complete incident response Cycle and overview the process/procedures used in all phases. After verification of a successful containment and eradication the following post-incident activities should be conducted:
  • Was Personal Information compromised?
  • Was subscriber data compromised?
  • Were legal and/or contractual obligations invoked by the Security Incident?
  • What is the organization’s strategy moving forward?
  • Types of Security Incidents?
  • Volumes of Security Incidents and malfunctions?
  • Costs incurred during the Security Incidents?
  • Overall reduction in time spent responding to Security Incidents?
  • Reduction of impact of certain Security Incidents?
  • Overall reduction of the occurrence of Security Incidents?
  • Was there sufficient Preparation?
  • Did Detection Occur in timely manner?
  • Were communication conducted Clearly?
  • What was the Cost of the incident?
  • Did you have a Business Continuity Plan?
  • How can we prevent it from happening again?
  • Was the Approach right??

Stay Tuned....
            
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

  1. Israel Hotels25 March 2019 at 01:33

    Nice blog. Incident response process is the entire lifecycle of an incident investigation, while incident response procedures are the specific tactics you and your team will be involved in during an incident response process.

    ReplyDelete
  2. jhon17 April 2019 at 20:48

    It is also called man in the middle attack and it is still widely used because it is hard to prevent. User is, using social engineering, easily tricked into installing malicious software which enables full control to the attacker.
    Serious Security CCTV Bayswater

    ReplyDelete
  3. Cyber security training courses online25 April 2019 at 23:19

    Very informative blog... I found valuable information on NIST incident response process. Thanks for sharing.

    ReplyDelete
  4. poshe14 May 2019 at 17:46

    Great Information! Useful for me to develop my knowledge. Thank you!
    NEBOSH Process Safety Management Certificate
    Nebosh IGC in Chennai
    International Safety Courses
    Nebosh Courses In Chennai
    NEBOSH HEALTH AND SAFETY LEADERSHIP
    Fire Safety Course In Chennai

    ReplyDelete
  5. Natural gas17 June 2019 at 20:34

    Great information. This info regarding cyberbit announcement and SOC automation. Thanks for sharing

    ReplyDelete
  6. Unknown29 August 2019 at 19:18

    Nice blog. I found complete information on SOC automation and its importance for cyber security. Thanks for sharing.

    ReplyDelete
  7. Unknown26 September 2019 at 17:51

    This blog post share complete information on SOC. I found best place for SOC training and get help regarding this training. Thanks

    ReplyDelete
  8. Best Guitar29 September 2019 at 17:31

    SOC automation drives playbook execution of incident response workflows by formalizing best practices and then executing them through an automated sequence of tasks.

    ReplyDelete
  9. ICS Cyber Security28 October 2019 at 12:53

    This blog share very good information on Security Operations Center. It increase my knowledge on SOC cyber security. Thanks for sharing.

    ReplyDelete
  10. Sruthi Nagaraj18 December 2019 at 09:56

    Thanks for sharing a useful information with us. If someone wants to know about Safety Software and Occupational health and Safety Software I think this is the right place for you.

    ReplyDelete
  11. Priya5 March 2020 at 17:18

    Great post. It was a good read about the soc operation. Here IARM Top Cyber Security Company in Chennai provides information security services to enterprises, small & large scale organizations, Manufacturers, finance, Retails, IT/ITES and so on.
    Information Security Company in Chennai
    Penetration Testing Company In Chennai
    Soc Services In India
    Cyber Attack Recovery Services In India
    SOC2 Auditing Company in chennai

    ReplyDelete
  12. shanewarner21 April 2020 at 20:06

    The post is written in very a good manner and it contains many useful information for me.


    gexton advance security solution

    ReplyDelete

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more