Overview

Basic overview of SOPs

General

Event Classification & Triage

The true value of collecting, correlating, and analyzing log data is that it gives you the ability to find the “signal in the noise.” Key indicators of compromise can be found within user activity, system events, firewall accept/deny decisions, etc. In addition, specific sequences and combinations of these events can signal an event that requires your attention. The key to success in this stage is having a way to classify each event quickly, so that you can prioritize and escalate critical events that require additional investigation.

The critical key to success is identifying attacker activity in the early stages of an attack, before sensitive data and systems are affected. As an attacker moves up the kill chain stages, it becomes more likely they’ll be successful in their attack. By looking at environmental behaviour and infrastructure activity from an attacker’s perspective, you’ll be able to determine which events require your attention now.

Prioritization & Analysis

Prioritization is the key to success in any endeavour, and it’s even more critical in cyber security. The stakes are high and the pace of attacks continues to escalate and shows no sign of stopping. Meanwhile, the resources you have to protect assets against this onslaught are highly limited. Focus on those events that could be most impactful to business operations, which requires knowing which assets are the most critical. At the end of the day, maintaining business continuity is the most important responsibility entrusted to the SOC team.

Review and respond to any activity that indicates an adversary has infiltrated your environment. This can range from the installation of a rootkit/RAT or backdoor taking advantage of an existing vulnerability to network communications between an internal host and a known bad IP address associated with a cyber adversary’s C2 infrastructure.
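As an added illustration (not part of the original SOP) of the classification, sequence correlation and asset-based prioritization described in the triage and prioritization sections above, the following Python builds a small triage queue over constructed sample events. The event types, kill-chain labels, criticality scores, thresholds and the RFC 5737 TEST-NET IP addresses are all assumptions chosen for the example.

```python
from collections import defaultdict
# All data below is constructed for illustration; IP addresses come from RFC 5737 TEST-NET ranges.
KNOWN_BAD_IPS = {"203.0.113.45"}                                 # stand-in for a C2 indicator feed
ASSET_CRITICALITY = {"db-prod-01": 3, "web-01": 2, "ws-017": 1}  # 3 = business critical, 1 = low
BRUTE_FORCE_THRESHOLD = 5                                        # failures before a success is suspicious
WINDOW = 300                                                     # correlation window in seconds

def classify(ev):
    """Map a single event to a kill-chain stage and base severity (0 = noise, drop it)."""
    t = ev["type"]
    if t == "fw_accept" and ev.get("dst") in KNOWN_BAD_IPS:
        return "Command & Control", 4      # internal host talking to a known-bad IP
    if t == "service_install":
        return "Installation", 3           # new service could be a RAT/backdoor, needs a look
    if t == "auth_failure":
        return "Initial Access", 1
    if t == "fw_deny":
        return "Reconnaissance", 1
    return "None", 0                       # e.g. a routine fw_accept or a lone auth_success

def correlate(events):
    """Derive alerts from event sequences: many auth failures then a success from the same source."""
    failures = defaultdict(list)           # (src, host) -> timestamps of failed logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev.get("src"), ev["host"])
        if ev["type"] == "auth_failure":
            failures[key].append(ev["ts"])
        elif ev["type"] == "auth_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"host": ev["host"], "stage": "Initial Access", "severity": 4,
                               "desc": f"{len(recent)} failures then success from {ev.get('src')}"})
    return alerts

def triage(events):
    """Build the work queue as (priority, host, stage, detail), highest priority first."""
    def prio(sev, host):
        return sev * ASSET_CRITICALITY.get(host, 1)  # severity weighted by asset value
    queue = [(prio(sev, ev["host"]), ev["host"], stage, ev["type"])
             for ev in events for stage, sev in [classify(ev)] if sev]
    queue += [(prio(a["severity"], a["host"]), a["host"], a["stage"], a["desc"]) for a in correlate(events)]
    return sorted(queue, reverse=True)

SAMPLE_EVENTS = [{"ts": 100 + i, "host": "web-01", "type": "auth_failure", "src": "198.51.100.7"} for i in range(6)] + [
    {"ts": 110, "host": "web-01", "type": "auth_success", "src": "198.51.100.7"},
    {"ts": 120, "host": "ws-017", "type": "fw_deny", "dst": "192.0.2.9"},
    {"ts": 130, "host": "db-prod-01", "type": "fw_accept", "dst": "203.0.113.45"},   # known-bad destination
    {"ts": 140, "host": "db-prod-01", "type": "fw_accept", "dst": "192.0.2.10"},     # routine traffic, noise
]
```

Calling `triage(SAMPLE_EVENTS)` puts the C2 connection from the critical database host first, the correlated brute-force success on the web server second, and the lone denied connection from a low-value workstation last; the routine accept and the isolated successful logon never reach the queue.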

The faster you can detect and respond to an incident, the more likely you’ll be able to contain the damage and prevent a similar attack from happening in the future. Please note: There are several decisions to make when investigating an incident, particularly whether your organization is more interested in recovering from the damage vs. investigating it as a crime. Make sure that you work closely with your management team. Be sure to communicate clearly and often—and document everything.

Each attack will differ in terms of the appropriate remediation steps to take on the affected systems, but it will often involve one or more of the following steps:

  • Re-image systems (and restore backups)

  • Patch or update systems (e.g. apps and OS updates)

  • Re-configure system access (e.g. account removals, password resets)

  • Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.)

  • Review monitoring capabilities on servers and other assets (e.g. enabling HIDS)

  • Validate patching procedures and other security controls by running vulnerability scans

By the way, some SOC teams hand off remediation and recovery procedures to other groups within IT. In this case, the SOC analyst would create a ticket and/or change control request and delegate it to those responsible for desktop and system operations.

Assessment & Audit

It’s always optimal to find and fix vulnerabilities before an attacker exploits them to gain access to your environments. The best way to do that is to run periodic vulnerability assessments and review those report findings in detail. Keep in mind that these assessments will identify technical vulnerabilities rather than procedural ones, so make sure your team is also addressing gaps in your SOC processes that could expose you to risk as well.

Running network vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve SOC team performance and efficiency.
