How to build a SOC / How to run a SOC
In this resource I’ll collect some great resources on SOCs: how to build a SOC, how to set up a SOC, and how to run and maintain your SOC once it is set up. I will also keep the links and tools up to date as I find new and better resources.
Let me know if you have comments or additions please.
1. Starting point – some theoretical content:
What is a SOC? A SOC is a Security Operations Centre: a team of people dedicated to continuously watching the company’s information security and responding to what they find. They need the tools to prevent what they can and to discover and remediate what they cannot, and they need the skills to do this.
IR process template via Frode Hommedal: http://frodehommedal.no/presentations/first-tc-oslo-2015/#/slide-start
CSIRT process, new one by Frode Hommedal: http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/
Report Template for Threat Intelligence and Incident Response by Lenny Zeltser
An HP SOC white paper: Building-Maturing-and-Rocking-a-Security-Operations-Center-Brandie-Anderson.pdf
The Grand List of Incident Management Frameworks via Gabor Szathmari
A slide deck on building a SOC via Slideshare.
Lessons learned from working in a SOC by Jen Andre of Komand
How to build and run a Security Operations Center by Renato Basante Borbolla
Designing and Building Security Operations Center, 1st Edition, by David Nathans
Security Operations Center: Building, Operating, and Maintaining your SOC from October 2015 by Joseph Muniz, Gary McIntyre, Nadhem AlFardan
“Crafting the InfoSec Playbook. Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites. Thanks Sashank Dara for mentioning this.
2. Some practical resources for incident response and SOC:
Most of the OpenSecurityTraining courses: http://opensecuritytraining.info/Training.html
GIAC Certified Incident Handler (GCIH): https://www.giac.org/certification/certified-incident-handler-gcih
Incident response and network forensics on Infosecinstitute
SANS master’s degree in Incident Response: https://www.sans.edu/academics/certificates/incident-response
3. Tools of the trade:
The list of tools on postmodernsecurity.com.
IP TO ASN via Teamcymru. IP To ASN allows one to map IP numbers to BGP prefixes and ASNs. These services come in various flavors, including whois (TCP 43), dns (UDP 53), HTTP (TCP 80) and HTTPS (TCP 443).
TOTALHASH totalhash provides static and dynamic analysis of malware samples. The data available on this site is free for non commercial use. If you have samples that you would like analyzed you may upload them to our anonymous FTP server.
- URL Abuse to check and review security of URLs
- cve-search Common Vulnerabilities and Exposures (CVE) web interface and API
- IP address to ASN mapping whois service including 4 years of historical data
- Passive DNS, historical dns records database (access on request, contact us)
- Passive SSL services, historical database of SSL certificates per IP address (access on request, contact us)
- Dynamic malware analysis platform (access on request, contact us)
- Threat indicators sharing platform for private sector – MISP (access on request, contact us)
DA_667 on an IR toolset on a shoestring budget, using World of Warcraft analogies:
SIEM: elk stack
NSM: Snort + Bro (with fullcap/flow later on when/if I had money)
Client-Side: GRR + El-Jefe + whatever crap A/V solution
Heroic Mode Extra credit: PacketFence for shunting infected machines into a “GTFO” VLAN for re-imaging/IR purposes
25-man RAID mode: Moloch for FPC.
List all named pipes via PowerShell:
PS C:\> [System.IO.Directory]::GetFiles("\\.\\pipe\\")
Security Onion and Sysmon (slides)
Security Onion Conference – 2015, from DefensiveDepth
Laika BOSS, open sourced by Lockheed Martin: https://github.com/lmco/laikaboss/blob/master/README.md
Incident response hunting tools: https://sroberts.github.io/2015/04/21/hunting-tools/
MozDef: the Mozilla Defense platform – automates the security incident handling process and facilitates the real-time activities of incident handlers. Also via Jeff Bryner (suggested by @sastrytumuluri).
Maltrail: Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists
FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today’s security stack and the large number of alerts generated by them. As an orchestration platform, FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
Fast IR Collector by Sekoialab
The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to manage security alerts, analyze data for deeper patterns, coordinate team efforts, and capture team knowledge. SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.
Loki – Simple IOC and Incident Response scanner https://www.bsk-consulting.de/loki-free-ioc-scanner/
Volatility autoruns plugin: Finding persistence points (also called “Auto-Start Extensibility Points”, or ASEPs) is a recurring task of any investigation potentially involving malware. To make an analyst’s life a BIT easier, I came up with the autoruns plugin.
autoruns basically automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.
Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and to cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.
YARA – The pattern matching swiss knife
Mandiant Redline (free and open source) https://www.fireeye.com/services/freeware/redline.html
Good tool collection by category on dfir.training blog: http://www.dfir.training/index.php/tools/new
IRMA – Incident Response Malware Analysis. Today’s defense is not only about learning about a file, but also about getting a fine overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it. IRMA intends to be an open-source platform designed to help identify and analyze malicious files.
New (Nov, 2016): Introducing TheHive: a Scalable, Open Source and Free Incident Response Platform blog.thehive-project.org/2016/11/07/int…
Syncurity IR – Implement a repeatable, scalable, auditable process across your entire security operations and incident response lifecycle.
4. Relevant Blogs/Slides:
(In time this will be completed: https://www.peerlyst.com/blog-post/resource-incident-response-guide)
Incident response must improve! https://www.peerlyst.com/blog-post/security-incident-response-must-improve
Preparing for Incident Response https://www.peerlyst.com/blog-post/incident-response-preparation
Getting Management Buy-in for IR https://blog.peerlyst.com/blog-post/incident-response-management-buyin
Dealing with analyst fatigue https://www.peerlyst.com/blog-post/incident-response-how-do-you-deal-with-analyst-fatigue
The importance of process https://www.peerlyst.com/blog-post/incident-response-the-importance-of-process
Infosecinstitute on SOC: http://resources.infosecinstitute.com/security-operations-center/
How to Manage a Large Volume of Cyber Alerts via securityweek
Extracting a PCAP from memory https://isc.sans.edu/forums/diary/Extracting+pcap+from+memory/20639
From RSAC 2016 by Mark Russinovich.
CrowdStrike blog: Recon detection by the blue team: http://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/
Improving Incident Response Investigations by JP Bourget https://www.peerlyst.com/posts/improving-incident-response-investigations-jp-bourget-1
WMI persistence blog and how to detect this persistence: http://windowsir.blogspot.lu/2016/04/cool-stuff-re-wmi-persistence.html, which includes links to Matt Graeber’s Black Hat USA 2015 presentation and paper on this topic, and the Dell SecureWorks blog about their discovery.
SubTee SCT persistence module: https://github.com/subTee/SCTPersistence -> useful to know and be able to detect
ELF Shared Library Injection Forensics via backtrace.io
Proxy server logs for incident response https://www.vanimpe.eu/2016/10/21/proxy-server-logs-incident-response/ via Koen Van
- Raffy’s Blog – specifically “Internal Threat Intelligence: What Hunters Do” and “Hunting – The Visual Analytics Addition To Your SIEM To Find Real Attacks”
- Security Visualization and Analytics – how visualization can help with data analytics – something each SOC needs to think about.
- SIEM Use-Cases – A great guide on what a SOC should implement
- Data Analytics – Security Intelligence and Big Data presentation: Raffael Marty – Slideshare
- Security Data Lake (free download) – How to use Big Data in your SOC