/awesome-soc

A collection of sources of documentation, as well as field best practices, to build/run a SOC

Creative Commons Zero v1.0 UniversalCC0-1.0

Awesome SOC

A collection of sources of documentation, and field best practices, to build and run a SOC (including CSIRT).

Those are my view, based on my own experience as SOC/CSIRT analyst and team manager, as well as well-known papers. Focus is more on SOC than on CERT/CSIRT.

My motto is: without reaction (response), detection is useless.

NB: Generally speaking, SOC here refers to detection activity, and CERT/CSIRT to incident response activity. CERT is a well-known (formerly) US trademark, run by CERT-CC, but I prefer the term CSIRT.

Table of Content

Must read

For a SOC

For a CERT/CSIRT

Globally (SOC and CERT/CSIRT)

Fundamental concepts

Concepts, tools, missions, attack lifecycle, red/blue/purple teams

See: SOC/CSIRT Basic and fundamental concepts.

SOC and CSIRT core

From logs to alerts: global generic workflow

Quoted from this article:

image

Following the arrows, we go from log data sources to data management layer, to then data enrichment layer (where detection happens), to end-up in behavior analytics or at user interaction layer (alerts, threat hunting...). All of that being enabled and supported by automation.

SOC/CSIRT architecture of detection

Based on CYRAIL's paper drawing, that I've slightly modified, here is an example of architecture of detection (SIEM, SIRP, TIP interconnections) and workflow: image

  • Sensors log sources are likely to be: audit logs, security sensors (antimalware, FW, NIDS, proxies, EDR, NDR, CASB, identity threat detection, honeypot...).

Mission-critical means (tools/sensors)

Critical tools for a SOC/CSIRT

Critical sensors for a SOC

Critical tools for CSIRT

Other critical tools for a SOC and a CERT/CSIRT

IT/security Watch (recommended sources)

SOAR

Cf. SOAR page

Detection engineering

Cf. detection engineering page.

Threat intelligence

Cf. threat intelligence page.

Management

Cf. management page.

HR and training

Cf. HR and training page.

IT achitecture

Have a single and centralized platform ('single console')

As per NCSC website:

Indications of an attack will rarely be isolated events on a single system component or system. So, where possible, having a single platform where analysts have the ability to see and query log data from all of your onboarded systems is invaluable. Having access to the log data from multiple (or all) components, will enable analysts to look for evidence of attack across an estate and create detection use-cases that utilise a multitude of sources. By creating temporal (actions over a period of time) and spatial (actions across the estate) use-cases, an organisation is better prepared to address cyber security attacks that occur system wide.

Disconnect (as much as possible) SOC from monitored environment

The goal is to prevent an attacker from achieving lateral movement from a compromised monitored zone, to the SOC/CSIRT work zone.

Enclave:

  • Implement SOC enclave (with network isolation), as per MITRE paper drawing: image

  • only log collectors and WEF should be authorized to send data to the SOC/CSIRT enclave. Whenever possible, the SOC tools pull the data from the monitored environment, and not the contrary;

  • on top of a SOC enclave, implement at least a level 2 of network segmentation;

SOC’s assets should be part of a separate restricted AD forest, to allow AD isolation with the rest of the monitored AD domains.

Endpoints hardening:

To go further

Must read

Nice to read

SOC sensors, nice to have

Harden SOC/CSIRT environment

  • Implement hardening measures on SOC workstations, servers, and IT services that are used (if possible).
  • Put the SOC assets in a separate AD forest, as forest is the AD security boundary, for isolation purposes, in case of a global enterprise's IT compromise
  • Create/provide a disaster recovery plan for the SOC assets and resources.
  • Implement admin bastions and silo to administrate the SOC env (equipments, servers, endpoints):
    • My advice: consider the SOC environment as to be administrated by Tier 1, if possible with a dedicated admin bastion. Here is a generic drawing from Wavestone's article (see Must read references): image
    • Recommended technology choices: Wallix PAM
    • Implement a level 3 of network segmentation

Appendix

License

CC-BY-SA

Special thanks

Yann F., Wojtek S., Nicolas R., Clément G., Alexandre C., Jean B., Frédérique B., Pierre d'H., Julien C., Hamdi C., Fabien L., Michel de C., Gilles B., Olivier R., Jean-François L., Fabrice M., Pascal R., Florian S., Maxime P., Pascal L., Jérémy d'A., Olivier C. x2, David G., Guillaume D., Patrick C., Lesley K., Gérald G., Jean-Baptiste V., Antoine C. ...