SOC1 vs SOC2 – Cyber Threat Intelligence Guide
A Security Operations Center (SOC), which I call SOC1, is a traditional team of analysts who analyze an incident or alert generated by a security product. For a large organization with a SIEM, that would be an alert from their SIEM system; for a smaller organization, an alert from an IPS/IDS device. This varies with the size of the organization. I have often seen organizations outsource their SOC services to a third-party vendor. Either way, the SOC team analyzes and works the incident to identify its source and the reason behind the generation of that offense.
Let me take these products (the most common ones) in an environment and look at how well a SOC would handle an incident created by a SIEM system.
- Antivirus
- EDR
- Email Gateway Solution
- Proxy
- IDS/IPS
- Firewall
- Active Directory
- SIEM
Other products may be part of a security infrastructure, such as a DLP solution, which I am not considering here.
A SIEM is a centralized server that collects or receives logs from all the other products in an organization, depending on their primary use. These could be logs from networking devices, security products, databases and applications. In SIEM terms these products are referred to as log sources. How effective a SIEM system is depends on how well the use cases are written on it. Some organizations do not make effective use of this system. When integrating a log source, the main question should be "what use do I have for these captured logs?" Otherwise, your SIEM will just be another log-storing tool.
Now that all the log sources are sending logs to the SIEM, the SOC should have first-hand analysis of an incident.
Let's take a use case; a very common one, a known ransomware infection. The SOC team would receive an alert from most of the products listed above.
- An antivirus product would alert on the detection of ransomware based on a signature.
- An EDR (and next-gen AV) would alert on malicious changes to the registry, services, and network communications; basically, a behavioral analysis.
- An email gateway solution should show a suspicious email received by the user a moment before the infection.
- A proxy would alert on a malicious URL the user visited, which may have come in through an email the user received.
- An IDS tool would alert on a user receiving a phishing email, a URL connection established after clicking the link, the payload download, and the encryption.
- The firewall would alert on communication initiated to or from a blacklisted range of IP addresses.
- Active Directory would help with insights into the method the attacker used to escalate from an average user to an admin, seconds, minutes or days before the actual infection (this usually helps the analyst find the RCA).
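The ransomware use case above only becomes one incident if the SIEM correlates the alerts from the individual products. The following is an added example (not code from the article or from any SIEM vendor) of such a correlation rule: alerts from the products listed above are grouped per host inside a time window, an incident is raised only when enough independent products agree, and the chronological timeline points the analyst at the earliest alert as the root-cause candidate. All product names, hosts, users and timestamps are constructed.

```python
"""SIEM-style correlation of multi-product alerts into one ransomware incident.
Added example; the alerts below are constructed, not real SIEM data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised alerts as a SIEM might hold them.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:00:05", "product": "email_gateway", "host": "WS-17",
     "user": "jdoe", "detail": "suspicious attachment delivered"},
    {"ts": "2024-03-01T09:01:10", "product": "proxy", "host": "WS-17",
     "user": "jdoe", "detail": "blocked-category URL visited"},
    {"ts": "2024-03-01T09:02:30", "product": "edr", "host": "WS-17",
     "user": "jdoe", "detail": "mass file rename and registry persistence"},
    {"ts": "2024-03-01T09:02:45", "product": "antivirus", "host": "WS-17",
     "user": "jdoe", "detail": "ransomware signature match"},
    {"ts": "2024-03-01T09:03:00", "product": "firewall", "host": "WS-17",
     "user": "jdoe", "detail": "outbound connection to blacklisted range"},
    # A lone proxy alert on another host: noise that should not become an incident.
    {"ts": "2024-03-01T10:15:00", "product": "proxy", "host": "WS-22",
     "user": "asmith", "detail": "blocked-category URL visited"},
]

# Kill-chain order from the write-up; used to report which stages stayed silent.
STAGE_ORDER = ["email_gateway", "proxy", "ids", "edr", "antivirus", "firewall"]
WINDOW = timedelta(minutes=15)   # alerts this close together are one story
MIN_SOURCES = 3                  # independent products that must agree


def correlate(alerts, window=WINDOW, min_sources=MIN_SOURCES):
    """Group each host's alerts into time windows and raise an incident when
    at least `min_sources` distinct products fire inside one window."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):   # ISO timestamps sort lexically
        by_host[a["host"]].append(a)

    incidents = []
    for host, events in by_host.items():
        i = 0
        while i < len(events):
            start = datetime.fromisoformat(events[i]["ts"])
            # events are chronological, so the window is a prefix of events[i:]
            cluster = [e for e in events[i:]
                       if datetime.fromisoformat(e["ts"]) - start <= window]
            products = {e["product"] for e in cluster}
            if len(products) >= min_sources:
                incidents.append({
                    "host": host,
                    "user": cluster[0]["user"],
                    "start": cluster[0]["ts"],
                    "end": cluster[-1]["ts"],
                    "sources": sorted(products),
                    # chronological timeline; the first entry is the RCA candidate
                    "timeline": [(e["ts"], e["product"], e["detail"]) for e in cluster],
                    "root_cause": cluster[0]["detail"],
                })
                i += len(cluster)      # consume the cluster, keep scanning
            else:
                i += 1                 # a single alert is not enough evidence alone
    return incidents


def stage_gaps(incident):
    """Kill-chain stages that produced no alert: a visibility or tuning gap."""
    seen = set(incident["sources"])
    return [s for s in STAGE_ORDER if s not in seen]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["host"], inc["user"], inc["root_cause"])
        for ts, product, detail in inc["timeline"]:
            print("  ", ts, product, detail)
        print("   silent stages:", stage_gaps(inc))
```

The `stage_gaps` check is the part worth keeping after the incident is closed: a stage that never alerted (here the IDS) is either a log source that is not integrated or a use case that needs tuning.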
SOC2
Now we understand that most SOC operations are SOC1. So what is SOC2? I define SOC2 as the conjunction of SOC1 and Cyber Threat Intelligence. There are two scopes of intelligence, Open Intel and Dark Web Intel. Here we will discuss open intelligence.
Cyber Threat Intelligence (CTI) is a service that identifies relevant data, internal (this could be logs from the SIEM) or external (data on active campaigns), and retrieves actual intelligence from it. This intelligence pays off greatly for an organization once it is actioned. Intelligence can be in the form of
- Open Source Intel (OSINT tools)
- Human Intel (HUMINT)
- Social Media Intel
- Third-party Intelligence – licensed and free
There are three types of intelligence. They are:
A CTI lifecycle would include the following items, but is not limited to these:
- Planning – planning the hunt
- Collection – gathering raw data
- Analysis – raw data transformed into actionable intelligence
- Dissemination – intelligence shared with the different teams
- Remediation – remediation actions taken by the teams
For an effective CTI service, the following capabilities must be in place in any organization:
- Threat Monitoring – a proactive approach that uses intelligence from intel sources, sweeps the infrastructure for intrusions and puts blocks in place
- Threat Hunting (similar to Red Team) – using threat data/intelligence to look for bad guys.
What do the Threat Monitoring and Threat Hunting teams look out for? They look for bad guys. These could be bad actors performing attacks worldwide and disgruntled internal staff (insider threat) performing attacks within the organization. From an analyst's standpoint, these would be
the levels of data they would get and the pain involved in getting it. At the lowest level, the easiest data an intel analyst would get is hash values, followed by the other indicators up to network artifacts. The last two become quite a bit harder to find and block: the tools and the TTPs (Tactics, Techniques and Procedures) used by the attacker. TTPs and tools would most likely depend on a malware analyst or an Incident Responder with the data.
Finally, with all of the above data on the hunt, the TTPs and the threat actor, it can be narrowed down to the action an analyst would take regarding an attack. Let's take a use case to narrow down a hunt: a Chinese APT group targeting your organization. Let's assume you are managing a banking security project. I am using the MITRE framework to plan this hunt. You could also use other methods to plan this hunt. I have added my list of tools, frameworks and platforms that may be useful for hunting.
Let's hunt!
- List all threat actors from China.
- With that result, extract the threat actors who target banking organizations.
- With that result, you should get at least 10 different groups and 30 different TTPs. With this data, you have narrowed down from 100 different TTPs to 30.
- Now that you have 10 different groups, let's look for the common TTPs used across all the groups (use 4 or 5).
- Now that we know the top 5 TTPs employed by the threat groups, we should devise a plan to detect, monitor and block these actions.
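The five hunt steps above are a filter-and-count exercise over a threat actor catalogue, and it is easy to get the last step wrong by ranking techniques that only one group uses. The following is an added example (not from the article and not the MITRE project's own tooling) that carries the procedure through on a small constructed catalogue: the group names, their attributed origins, target sectors and technique mappings are invented for illustration and are not real ATT&CK group profiles; the technique IDs are real ATT&CK identifiers used only as labels. It goes slightly beyond the text by also reporting what fraction of the selected groups each top technique covers.

```python
"""Narrowing an ATT&CK-based hunt: origin -> sector -> shared techniques.
Added example; the catalogue below is constructed, not real group data."""
from collections import Counter

# Constructed catalogue: origin, target sectors and reported techniques per group.
SAMPLE_GROUPS = {
    "GROUP-A": {"origin": "China", "sectors": {"banking", "government"},
                "techniques": {"T1566", "T1059", "T1078", "T1105", "T1071"}},
    "GROUP-B": {"origin": "China", "sectors": {"banking"},
                "techniques": {"T1566", "T1059", "T1078", "T1027", "T1071"}},
    "GROUP-C": {"origin": "China", "sectors": {"telecom"},
                "techniques": {"T1190", "T1059", "T1003"}},
    "GROUP-D": {"origin": "China", "sectors": {"banking", "energy"},
                "techniques": {"T1566", "T1059", "T1003", "T1071", "T1486"}},
    "GROUP-E": {"origin": "Russia", "sectors": {"banking"},
                "techniques": {"T1566", "T1486", "T1059"}},
}


def select_groups(catalogue, origin, sector):
    """Steps 1-2 of the hunt: groups attributed to `origin` that target `sector`."""
    return {name for name, g in catalogue.items()
            if g["origin"] == origin and sector in g["sectors"]}


def technique_frequency(catalogue, group_names):
    """Step 3: how many of the selected groups report each technique."""
    counter = Counter()
    for name in group_names:
        counter.update(catalogue[name]["techniques"])
    return counter


def top_common_techniques(catalogue, origin, sector, n=5):
    """Steps 4-5: the `n` techniques shared by the most selected groups, each
    with the fraction of those groups that use it (ties broken by technique ID).
    Returns [] when no group matches, so a typo in origin/sector is visible."""
    groups = select_groups(catalogue, origin, sector)
    if not groups:
        return []
    freq = technique_frequency(catalogue, groups)
    ranked = sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tech, count / len(groups)) for tech, count in ranked[:n]]


def uncovered_groups(catalogue, origin, sector, n=5):
    """Selected groups that use none of the top-n techniques: the hunt plan
    built from the top-n alone would not detect them."""
    groups = select_groups(catalogue, origin, sector)
    top = {tech for tech, _ in top_common_techniques(catalogue, origin, sector, n)}
    return sorted(g for g in groups if not catalogue[g]["techniques"] & top)


if __name__ == "__main__":
    for tech, share in top_common_techniques(SAMPLE_GROUPS, "China", "banking"):
        print(f"{tech}: used by {share:.0%} of selected groups")
    print("not covered by the top techniques:",
          uncovered_groups(SAMPLE_GROUPS, "China", "banking"))
```

With a real catalogue the same three functions apply unchanged; the coverage fraction is what tells you whether "the top 5" is a plan for the whole set of groups or only for the loudest few.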
Instruments, Platforms and Frameworks
My view on the tools, platforms and frameworks most used to gather intelligence (not limited to intelligence):
- https://github.com/hslatman/awesome-threat-intelligence
- YETI intel platform
- Spiderfoot
- Maltego
- Burp Suite
- OpenVAS
- Nmap
- Kyle Hubert's threat intel system – Aggregator
- Kibana with Elastic
- ZoomEye
- Metagoofil
- Exiftool
- Jigsaw
- Censys
- Shodan
- Wireshark
The SOC analyst will now have incidents created from the intelligence added to the system. Intelligence is always converted into a rule to monitor TTPs, tools, IPs, hashes, domains and more. For instance, when intelligence about a bad IP or hash is added as a SIEM rule and a user establishes communication with that IP, we can trace it back to the intelligence about a campaign, an actor or a threat group. This will certainly pay off in the long term in identifying intrusions that result from an attacker retaining access to a network for an extended time.
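What "intelligence converted into a rule" looks like in practice is a small amount of code: load the indicators from a feed together with their actor/campaign context, pull candidate observables out of each log line, and enrich every hit with that context so the analyst sees the campaign, not just an IP. The following is an added example (not the article's code and not any vendor's SIEM rule format); the CSV feed, actor and campaign names, indicators and log lines are all constructed, using reserved documentation address space.

```python
"""Turning a threat-intel feed into a detection rule run over raw log lines.
Added example; feed, actors, campaigns and logs below are constructed."""
import csv
import io
import re

# Constructed feed: type,value,actor,campaign (203.0.113.0/24 and .test are reserved).
SAMPLE_FEED = """type,value,actor,campaign
ip,203.0.113.45,EXAMPLE-ACTOR-1,CAMPAIGN-ALPHA
domain,Update.Example-Bad.test,EXAMPLE-ACTOR-1,CAMPAIGN-ALPHA
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,EXAMPLE-ACTOR-2,CAMPAIGN-BETA
"""

# Constructed log lines from three different products, deliberately in different formats.
SAMPLE_LOGS = [
    "2024-03-01T09:03:00 fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-01T09:01:10 proxy user=jdoe host=WS-17 url=http://update.example-bad.test/x.bin status=200",
    "2024-03-01T09:02:30 edr host=WS-17 file_sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 action=executed",
    "2024-03-01T11:00:00 fw src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow",   # benign
]

# Loose extractors: they may over-match (e.g. "x.bin" as a domain); the feed lookup filters.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def load_feed(csv_text):
    """Build the rule: (type, normalised value) -> actor/campaign context."""
    rules = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"].strip().lower(), row["value"].strip().lower())
        rules[key] = {"actor": row["actor"], "campaign": row["campaign"]}
    return rules


def extract_observables(line):
    """Candidate IPs, SHA-256 hashes and domains in one raw log line, normalised
    the same way as the feed so case differences cannot hide a match."""
    obs = set()
    obs.update(("ip", ip) for ip in IP_RE.findall(line))
    obs.update(("sha256", h.lower()) for h in SHA256_RE.findall(line))
    obs.update(("domain", d.lower()) for d in DOMAIN_RE.findall(line))
    return obs


def run_rule(rules, log_lines):
    """Apply the intel rule to every log line; each hit carries its intel context."""
    alerts = []
    for line in log_lines:
        for key in sorted(extract_observables(line)):
            if key in rules:
                alerts.append({"indicator_type": key[0], "indicator": key[1],
                               "actor": rules[key]["actor"],
                               "campaign": rules[key]["campaign"], "log": line})
    return alerts


def campaign_summary(alerts):
    """Hits per (actor, campaign): the view that tells the analyst which
    intelligence item the observed activity traces back to."""
    summary = {}
    for a in alerts:
        k = (a["actor"], a["campaign"])
        summary[k] = summary.get(k, 0) + 1
    return summary


if __name__ == "__main__":
    hits = run_rule(load_feed(SAMPLE_FEED), SAMPLE_LOGS)
    for h in hits:
        print(h["campaign"], h["actor"], h["indicator_type"], h["indicator"])
    print(campaign_summary(hits))
```

Normalising both the feed and the extracted observables (lower-casing hashes and domains) is the detail that matters most here: a mixed-case hash in an EDR log and a capitalised domain in a feed are the same indicator, and a rule that compares raw strings silently misses them.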
Source credit : cybersecuritynews.com