Saturday, March 25, 2017

How to build and run a Security Operations Center


A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.
The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.
Computer Security Incident Response Team (CSIRT)
Computer Incident Response Team (CIRT)
Computer Incident Response Center (or Capability) (CIRC)
Computer Security Incident Response Center (or Capability) (CSIRC)
Security Operations Center (SOC)
Cybersecurity Operations Center (CSOC)
Computer Emergency Response Team (CERT)
Tier Level:
Tier 1
Tier 2
Tier 3
SOC Manager
Tier 1: Alert Analyst
Duties
Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.
Required Training
Alert triage procedures; intrusion detection; network, security information and event management (SIEM) and host-based investigative training; and other tool-specific training. Certifications could include SANS SEC401: Security Essentials Bootcamp Style.
Tier 2: Incident Responder
Duties
Performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.
Required Training
Advanced network forensics, host-based forensics, incident response procedures, log reviews, basic malware assessment, network forensics and threat intelligence. Certifications could include SANS SEC501: Advanced Security Essentials – Enterprise Defender; SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.
Tier 3: Subject Matter Expert / Hunter
Duties
Possesses in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter,” not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
Required Training
Advanced training on anomaly detection; tool-specific training for data aggregation and analysis and threat intelligence. Certifications could include SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling; SANS SEC561: Intense Hands-on Pen Testing Skill Development; SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.
SOC Manager
Duties
Manages resources, including personnel, budget, shift scheduling and technology strategy, to meet SLAs; communicates with management; serves as organizational point person for business-critical incidents; provides overall direction for the SOC and input to the overall security strategy.
Required Training
Project management, incident response management training, general people management skills. Certifications include CISSP, CISA, CISM or CGEIT.

Intrusion Detection System (IDS) and Its detailed Function – SOC/SIEM

https://gbhackers.com/intrusion-detection-system-ids-2/

An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities or through security policy violations.

An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.

Host-based intrusion detection system (HIDS)

A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.

Network-based intrusion detection system (NIDS)

A network-based intrusion detection system (NIDS) monitors activity on the network. 

Signature-based IDSs (also called definition-based) use a database of known vulnerabilities or known attack patterns.

Intrusion Prevention System (IPS) and Its Detailed Function – SOC/SIEM

https://gbhackers.com/intrusion-prevention-systemips-and-its-detailed-funtion-socsiem/

An intrusion prevention system (IPS) is a framework that monitors a network for malicious activity, such as security threats or policy violations, and blocks it.

Host intrusion prevention systems (HIPS)

A host intrusion prevention system (HIPS) is an approach to security that relies on third-party software tools to identify and prevent malicious activities.

Host-based intrusion prevention systems are typically used to protect endpoint devices.

Most host intrusion prevention systems use known attack patterns, called signatures, to identify malicious activity. Signature-based detection is effective, but it can only protect the host device against known attacks.

TCP and UDP packets may or may not carry DNS, SMTP, HTTP and other application protocols, so the port alone does not tell you what protocol is inside.

Network Intrusion Prevention System (NIPS)

A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage.

The NIPS monitors the network for malicious activity or suspicious traffic by analyzing the protocol activity.

Critical Controls and SIEM

https://gbhackers.com/security-information-and-event-management-siem-a-detailed-explanation/

Critical Control 1: Inventory of Authorized and Unauthorized Devices

SIEM can correlate user activity with user rights and roles to detect violations of least privilege enforcement, which is required by this control.

Critical Control 2: Inventory of Authorized and Unauthorized Software

SIEM should be used as the inventory database of authorized software products for correlation with network and application activity.

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Known vulnerabilities are still a leading avenue for successful exploits. If an automated device scanning tool discovers a misconfigured network system during a Common Configuration Enumeration (CCE) scan, that misconfiguration should be reported to the SIEM as a central source for these alerts. This helps with troubleshooting incidents as well as improving overall security posture.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Any misconfiguration on network devices should also be reported to the SIEM for consolidated analysis.

Critical Control 5: Boundary Defense

Network rule violations, like CCE discoveries, should also be reported to one central source (a SIEM) for correlation with authorized inventory data stored in the SIEM solution.

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 6 is basically a control about SIEMs, which are a leading means for collecting and centralizing critical log data; in fact, there is even a subcontrol for analysis that studies SIEM specifically. SIEMs are the core analysis engine that can analyze log events as they occur.

Critical Control 7: Application Software Security

Like CCE scan results, vulnerabilities that are discovered in software applications should also be reported to a central source where these vulnerabilities can be correlated with other events concerning a particular system. SIEMs are a good place to store these scan results and correlate the information with network data, captured through logs, to determine whether vulnerabilities are being exploited in real time.

Critical Control 8: Controlled Use of Administrative Privileges

When the principles of this control are not met (such as an administrator running a web browser or unnecessary use of administrator accounts), SIEM can correlate access logs to detect the violation and generate an alert.

Critical Control 9: Controlled Access Based on Need to Know

SIEM can correlate user activity with user rights and roles to detect violations of least privilege enforcement, which is required by this control.

Critical Control 10: Continuous Critical Control

SIEM can correlate vulnerability context with actual system activity to determine whether vulnerabilities are being exploited.

Critical Control 11: Account Monitoring and Control

Abnormal account activity can only be detected when compared to a baseline of known good activity. The baseline to meet this control should be recorded by the SIEM; and, as future snapshots or baselines are recorded, they can be compared to the approved baseline in the SIEM.

Critical Control 12: Malware Defenses

Malware that is discovered should be recorded according to this control. Centralized anti-malware tools should report their findings to a SIEM, which correlates against system and vulnerability data to determine which systems pose a greater risk due to the malware discovered on that system.

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

If a system has a running port, protocol, or service that has not been authorized, it should also be reported to a central source where these vulnerabilities can be correlated with other events concerning a particular system. SIEMs can monitor log data to detect traffic over restricted ports, protocols, and services. Organizations can use these controls to decide which ports and services are useful for business, which are not, and which types of traffic and ports to limit.

Critical Control 14: Wireless Device Control

Device misconfigurations and wireless intrusions should be reported to a central database for incident handling purposes. A SIEM is a perfect candidate to consolidate this information and use it for correlation or detection of threats to wireless infrastructure.

Critical Control 15: Data Loss Prevention

Data loss rule violations, like CCE discoveries, should also be reported to one central source such as a SIEM, which can correlate data loss events with inventory or asset information as well as other system and user activity to detect complex breaches of sensitive data.

Security Information and Event Management (SIEM)

https://gbhackers.com/security-information-and-event-management-siem-a-detailed-explanation/

1. Authentication Activities

Abnormal authentication attempts, off-hour authentication attempts, etc., using data from Windows, Unix and any other authentication application.

2. Shared Accounts

Multiple sources (internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc.

3. Session Activities

Session duration, inactive sessions etc, using login session related data specifically from Windows server.

4. Connection Details

Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connections made to bad destinations etc., using data from firewalls, network devices or flow data. External sources can further be enriched to discover the domain name, country and geographical details.

5. Abnormal Administrative Behavior

Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc, using data from AD account management related activities.

6. Information Theft

Data exfiltration attempts, information leakage through emails etc, using data from mail servers, file sharing applications etc.

7. Vulnerability Scanning and Correlation

Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events.

8. Statistical Analysis

Statistical analysis can be done to study the nature of the data. Functions like average, median, quantile, quartile etc. can be used for the purpose. Numerical data from all kinds of sources can be used to monitor relations like the ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison etc.

9. Intrusion Detection and Infections

This can be done by using data from IDS/IPS, antivirus, anti-malware applications etc.

10. System Change Activities

This can be done by using data for changes in configurations, audit configuration changes, policy changes, policy violations etc.
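As an added example (not from the original post or the linked article), here are use cases 1, 2 and 5 above written as Python checks over constructed, SIEM-normalised authentication events; the business hours, the 10-minute window, the three-source count and the 90-day idle limit are assumed thresholds to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events, as a SIEM would hold them after normalising
# Windows/Unix logs: (timestamp, account, source IP, outcome). Not real data.
EVENTS = [
    ("2017-03-27 09:05:00", "alice", "10.1.1.20", "success"),
    ("2017-03-27 09:07:00", "alice", "203.0.113.7", "success"),   # second source
    ("2017-03-27 09:08:00", "alice", "198.51.100.9", "success"),  # third source, minutes later
    ("2017-03-27 02:30:00", "bob", "10.1.1.31", "success"),        # 02:30 on a weekday
    ("2017-03-27 11:00:00", "carol", "10.1.1.40", "success"),
    ("2017-03-27 11:01:00", "carol", "10.1.1.40", "failure"),
    ("2016-11-01 08:00:00", "erin", "10.1.1.50", "success"),       # last seen months ago
]
# Assumed account inventory (e.g. exported from AD) for the inactive-account check.
ACCOUNTS = {"alice", "bob", "carol", "erin", "svc-backup"}

def parse(events):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, ip, o) for t, u, ip, o in events]

def off_hours_logins(events, start=8, end=18):
    """Use case 1: accounts with successful logins outside assumed business hours or on weekends."""
    return sorted({u for t, u, _, o in parse(events)
                   if o == "success" and (t.weekday() >= 5 or not start <= t.hour < end)})

def shared_accounts(events, window=timedelta(minutes=10), min_sources=3):
    """Use case 2: accounts with sessions from >= min_sources distinct sources inside one window."""
    by_user = defaultdict(list)
    for t, u, ip, o in parse(events):
        if o == "success":
            by_user[u].append((t, ip))
    hits = {}
    for u, sessions in by_user.items():
        sessions.sort()
        for i, (t0, _) in enumerate(sessions):
            sources = {ip for t, ip in sessions[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                hits[u] = sorted(sources)
                break
    return hits

def inactive_accounts(events, accounts, now, max_idle=timedelta(days=90)):
    """Use case 5: inventory accounts with no successful login within max_idle of `now`."""
    ref = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    last_seen = {}
    for t, u, _, o in parse(events):
        if o == "success":
            last_seen[u] = max(t, last_seen.get(u, t))
    return sorted(u for u in accounts if ref - last_seen.get(u, datetime.min) > max_idle)
```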

IOA (Indicator of Attack)

https://gbhackers.com/socsiem-indicator-of-attackioas-a-detailed-explanation/

Use of IoAs - shift from reactive cleanup/recovery to a proactive mode
- attackers are disrupted and blocked before they achieve their goal.
-  AV signatures

1) Internal hosts with bad destinations
- communicating with known bad destinations or to a foreign country where you don’t conduct business

2) Internal hosts with non-standard ports
- communicating with external hosts using non-standard ports or protocol/port mismatches, such as sending command shell (SSH) traffic rather than HTTP/HTTPS over ports 80 and 443, the default web ports

3) Public servers/DMZ to internal hosts
- Public servers or demilitarized zone (DMZ) hosts communicating with internal hosts.
- This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets via RDP (Remote Desktop Protocol), Radmin or SSH.
- Investigate the highlighted servers that communicate with internal hosts via RDP (TCP/3389) or SSH (TCP/22).

4) Off-hour Malware Detection

- Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

5) Network scans by internal hosts

- communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network

6) Multiple alarm events from a single host

- “User Login Failures” from single hosts
Note: some failed-login events from e-mail applications on mobile phones can generate more than 500 events/minute. I found this case when the password of a user account had expired but the user had not changed it on their devices.

8) Multiple logins from different regions

- A user account trying to log in to multiple resources within a few minutes from different regions. This is a sign that the user’s credentials have been stolen or that the user is up to mischief.

9) Internal hosts using much SMTP
- E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 or IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious server or an attacker’s server.
(Infected clients that use SMTP (TCP/25))

10) Internal hosts making many queries to external/internal DNS
- Many organizations have internal DNS servers to cache records and serve DNS to internal hosts, and the DHCP configuration sets the primary DNS server to the internal DNS server. If you find that some internal hosts query external DNS such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for malware.

- Some incidents were found where an internal host made many requests to the internal DNS server (> 1,000 events/hour).
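The network-side indicators above (items 3 and 10) expressed as checks over flow records, as an added example rather than code from the original post or the linked gbhackers articles; the internal and DMZ address ranges, the resolver address and the 1,000-queries-per-hour threshold are assumed values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
DMZ = ipaddress.ip_network("192.0.2.0/24")           # assumed DMZ range
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}   # assumed resolver handed out by DHCP

# Constructed flow records (timestamp, src, dst, proto, dst port); not captured traffic.
FLOWS = [
    ("2017-03-27 10:00:00", "10.1.1.20", "10.0.0.53", "udp", 53),
    ("2017-03-27 10:00:05", "10.1.1.21", "8.8.8.8", "udp", 53),       # bypasses internal resolver
    ("2017-03-27 10:01:00", "192.0.2.10", "10.1.1.22", "tcp", 3389),  # DMZ host opening RDP inward
    ("2017-03-27 10:01:30", "192.0.2.10", "203.0.113.5", "tcp", 443),
] + [("2017-03-27 10:%02d:%02d" % (m, s), "10.1.1.30", "10.0.0.53", "udp", 53)
     for m in range(0, 60, 3) for s in range(60)]     # 1,200 queries in under an hour

def rows(flows):
    for t, s, d, proto, port in flows:
        yield (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
               ipaddress.ip_address(s), ipaddress.ip_address(d), proto, port)

def external_dns_use(flows):
    """IoA 10: internal hosts sending DNS somewhere other than the internal resolvers."""
    return sorted({str(s) for _, s, d, _, port in rows(flows)
                   if s in INTERNAL and port == 53 and d not in INTERNAL_DNS})

def dmz_to_internal_admin(flows, admin_ports=(3389, 22)):
    """IoA 3: DMZ hosts connecting to internal hosts on RDP (TCP/3389) or SSH (TCP/22)."""
    return [(str(s), str(d), port) for _, s, d, proto, port in rows(flows)
            if s in DMZ and d in INTERNAL and proto == "tcp" and port in admin_ports]

def dns_query_floods(flows, window=timedelta(hours=1), threshold=1000):
    """IoA 10, second bullet: internal hosts exceeding `threshold` DNS queries in any window."""
    by_src = defaultdict(list)
    for t, s, _, _, port in rows(flows):
        if s in INTERNAL and port == 53:
            by_src[s].append(t)
    hits = {}
    for s, times in by_src.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[j] >= window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            hits[str(s)] = peak
    return hits
```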