Resources Compilation
Last updated
Last edited time: March 27, 2023 8:09 AM Source: https://github.com/cyb3rxp/awesome-soc
A collection of sources of documentation, and field best practices, to build and run a SOC (including CSIRT).
These are my views, based on my own experience as a SOC/CSIRT analyst and team manager, as well as on well-known papers. The focus is more on SOC than on CERT/CSIRT.
NB: Generally speaking, SOC here refers to detection activity, and CERT/CSIRT to incident response activity. CERT is a well-known (formerly) US trademark, run by , but I prefer the term CSIRT.
Following the arrows, we go from log data sources to the data management layer, then to the data enrichment layer (where detection happens), to end up in behavior analytics or at the user interaction layer (alerts, threat hunting...). All of that is enabled and supported by automation.
Sensor log sources are likely to be: audit logs and security sensors (antimalware, FW, NIDS, proxies, EDR, NDR, CASB, identity threat detection, honeypot...).
Antimalware:
ITDR (Identity Threat Detection and Response): AD/AAD security (audit logs, or specific security monitoring solutions):
ASM: Asset Security Monitoring / Attack Surface Management:
Deceptive technology:
On-demand volatile data collection tool:
Remote action capable tools (i.e. remote shell or equivalent):
On-demand sandbox:
Forensics and reverse-engineering tools suite:
Incident tracker:
Scanners:
IOC scanners:
Offline antimalware scanners:
IOC repos for scanners:
Internal ticketing system (NB: not SIRP, not for incident response!):
Knowledge sharing and management tool:
Hence 3 critical tools (see above): SIRP, TIP, SOA, on top of SIEM.
And in my view, SOAR is more an approach, a vision, based on technology and processes, than a technology or tool per se.
Try to implement at least the following automations, leveraging the SOA/SIRP/TIP/SIEM capabilities:
Make sure all the context from any alert is automatically transferred to the SIRP ticket, with a link to the SIEM alert(s), just in case.
Leverage APIs (through SOA) if needed to retrieve the missing context info, when using built-in integrations.
Automatically query the TIP for any artefacts or even IOCs associated with a SIRP ticket.
Automatically retrieve the history of antimalware detections for a user and/or endpoint associated with a SIRP ticket.
Automatically retrieve the history of SIEM detections for a user and/or endpoint associated with a SIRP ticket.
Automatically retrieve the history of SIRP tickets for a user and/or endpoint associated with a new SIRP ticket.
Automatically query AD or the asset management solution, for artefact enrichment (user, endpoint, IP, application, etc.).
Block an IP on all firewalls (including VPN), SWG and CASB.
Block a URL on SWG.
Block an email address (sender) on SEG.
Block an exe file (by hash) on endpoints (leveraging antimalware/EDR or AppLocker).
Block an exe file (by hash) on gateways and CASB: SWG, SEG, CASB.
Reset an AD account password.
Disable an AD account (both user and computer, since disabling the computer account will block authentication with any AD account on the endpoint, thus preventing lateral movement or privilege escalation).
Report an (undetected) sample to security vendors, via email. Here are a few addresses:
Report a false positive to security vendors, via email.
Report a malicious URL (for instance, phishing) to a security vendor for takedown steps.
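The enrichment automations above (context transfer, SIEM link, TIP lookup, antimalware/SIEM/SIRP history for the user and endpoint), shown as an added example that is not part of the original page: the TIP, antimalware, SIEM and SIRP back ends are constructed in-memory dictionaries, and the SIEM link format is an assumption.

```python
import re

# Constructed sample data standing in for the TIP, antimalware, SIEM and SIRP back ends.
TIP_VERDICTS = {"203.0.113.7": "malicious", "d41d8cd98f00b204e9800998ecf8427e": "unknown"}
AV_HISTORY = {"WS-042": ["2023-03-01 Trojan.Generic quarantined"]}
SIEM_HISTORY = {"jdoe": ["2023-03-10 alert 1187: suspicious PowerShell"], "WS-042": []}
SIRP_HISTORY = {"jdoe": ["INC-0420 phishing (closed)"]}
SIEM_URL = "https://siem.example.internal/alerts/"  # assumed SIEM alert link format

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")  # MD5 or SHA-256

def extract_artefacts(alert):
    """Pull IPs and file hashes out of every alert field, as input for the TIP query."""
    blob = " ".join(str(v) for v in alert.values())
    return sorted(set(IP_RE.findall(blob)) | set(HASH_RE.findall(blob)))

def build_ticket(alert):
    """Return the enriched SIRP ticket for one SIEM alert."""
    ticket = {
        "siem_alert_link": SIEM_URL + str(alert["id"]),   # keep a link back to the alert
        "context": dict(alert),                           # transfer the full alert context
        "tip": {a: TIP_VERDICTS.get(a, "not in TIP") for a in extract_artefacts(alert)},
        "history": {},
    }
    # History lookups for both the user and the endpoint named in the alert.
    for key in (alert.get("user"), alert.get("host")):
        if key:
            ticket["history"][key] = {
                "antimalware": AV_HISTORY.get(key, []),
                "siem": SIEM_HISTORY.get(key, []),
                "sirp": SIRP_HISTORY.get(key, []),
            }
    # Prioritise: a TIP-known malicious artefact beats a repeat user/host, which beats a first sighting.
    known_bad = any(v == "malicious" for v in ticket["tip"].values())
    repeat = any(h["antimalware"] or h["siem"] or h["sirp"] for h in ticket["history"].values())
    ticket["priority"] = "high" if known_bad else ("medium" if repeat else "normal")
    return ticket

if __name__ == "__main__":
    # Constructed alert, as the SIEM would hand it to the SOA.
    alert = {"id": 2201, "rule": "Outbound connection to known C2", "user": "jdoe", "host": "WS-042",
             "dst_ip": "203.0.113.7", "file_md5": "d41d8cd98f00b204e9800998ecf8427e"}
    print(build_ticket(alert))
```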
SIEM rules publications:
Known exploited vulnerabilities:
LinkedIn / Twitter:
RSS reader/portal:
Government CERT, industry sector related CERT...
Other interesting websites:
Indications of an attack will rarely be isolated events on a single system component or system. So, where possible, having a single platform where analysts have the ability to see and query log data from all of your onboarded systems is invaluable. Having access to the log data from multiple (or all) components will enable analysts to look for evidence of attack across an estate and create detection use-cases that utilise a multitude of sources. By creating temporal (actions over a period of time) and spatial (actions across the estate) use-cases, an organisation is better prepared to address cyber security attacks that occur system-wide.
The goal is to prevent an attacker from achieving lateral movement from a compromised monitored zone to the SOC/CSIRT work zone.
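A temporal and spatial use-case of the kind described above, as an added example that is not part of the original page: one account reaching several distinct hosts inside a short window, correlated across VPN, AD and EDR sources that all land in one platform. The log lines and the key=value format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from three onboarded sources (VPN, AD, EDR), normalised to key=value.
LOGS = """\
2023-03-20T08:01:10 vpn user=jdoe src=198.51.100.23 action=login_ok
2023-03-20T08:03:42 ad user=jdoe host=WS-042 event=4624 logon_type=10
2023-03-20T08:05:05 edr user=jdoe host=FS-01 event=process image=cmd.exe
2023-03-20T08:06:30 ad user=jdoe host=DC-02 event=4624 logon_type=3
2023-03-20T08:07:12 ad user=jdoe host=SQL-07 event=4624 logon_type=3
2023-03-20T09:40:00 ad user=asmith host=WS-010 event=4624 logon_type=2
2023-03-20T10:15:00 ad user=asmith host=WS-011 event=4624 logon_type=2
"""

def parse(line):
    """Split one line into a dict: timestamp, source, then the key=value fields."""
    ts, source, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec

def spread_across_estate(lines, window=timedelta(minutes=10), min_hosts=3):
    """Temporal + spatial use-case: one account touching >= min_hosts distinct hosts
    (from any source) within a sliding window. Returns one finding per user."""
    by_user = defaultdict(list)
    for line in lines.splitlines():
        rec = parse(line)
        if rec.get("user") and rec.get("host"):      # VPN lines carry no host, so they only add context
            by_user[rec["user"]].append((rec["ts"], rec["host"], rec["source"]))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= min_hosts:
                findings[user] = {"hosts": sorted(hosts),
                                  "sources": sorted({s for _, _, s in in_window}),
                                  "start": t0, "end": in_window[-1][0]}
                break
    return findings

if __name__ == "__main__":
    for user, f in spread_across_estate(LOGS).items():
        print(f"{user}: {len(f['hosts'])} hosts via {f['sources']} between {f['start']} and {f['end']}")
```

Raising `min_hosts` or shrinking `window` tunes the rule against an estate's normal admin activity, which is where most false positives for this use-case come from.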
SOC/CSIRT's endpoints should be hardened with relevant guidelines;
(full featured) Honeypot:
Phishing and brand infringement protection (domain names):
NDR:
MDM:
DLP:
Network TAP:
Implement hardening measures on SOC workstations, servers, and IT services that are used (if possible).
Create/provide a disaster recovery plan for the SOC assets and resources.
Implement admin bastions and silos to administer the SOC environment (equipment, servers, endpoints):
My advice: consider the SOC environment as being administered by Tier 1, if possible with a dedicated admin bastion. Here is a generic drawing from Wavestone's article (see Must read references):
Yann F., Wojtek S., Nicolas R., Clément G., Alexandre C., Jean B., Frédérique B., Pierre d'H., Julien C., Hamdi C., Fabien L., Michel de C., Gilles B., Olivier R., Jean-François L., Fabrice M., Pascal R., Florian S., Maxime P., Pascal L., Jérémy d'A., Olivier C. x2, David G., Guillaume D., Patrick C., Lesley K., Gérald G., Jean-Baptiste V., Antoine C. ...
MITRE, (or use ): part 0 (Fundamentals).
CMM,
LetsDefend
FIRST,
NCSC,
Gartner,
FIRST,
FIRST,
ENISA,
NIST,
Microsoft/EY/Edelman,
NIST,
ENISA,
NIST,
MITRE,
Purp1eW0lf,
ThreatConnect,
Gartner,
Orange Cyberdefense,
PAN,
FIRST,
OASIS Open,
FIRST, (intelligence sharing and confidentiality)
CIS,
Gartner,
See: .
Quoted from :
Based on , which I've slightly modified, here is an example architecture for detection (SIEM, SIRP, TIP interconnections) and workflow:
:
See
My recommendations: ,
:
e.g.: , , ,
:
My recommendations: , , ,
:
See
See
My recommendations: , , .
:
See
My recommendations: , , , , , .
(SEG):
See
My recommendations: , ,
(SWG) / Security Service Edge:
see
My recommendations: BlueCoat, CISCO, Zscaler, .
My recommendations: or
My recommendations: , ,
CASB: , if the company's IT environment uses a lot of external services like SaaS/IaaS:
See
My recommendations: , , .
My recommendation: implement
My recommendations: , , , .
My recommendations: , , but it relies on CrowdStrike EDR and it needs an agent to be installed.
My recommendations for online ones: , , etc.
My recommendation for local one: Windows 10 native Sandbox, with .
My recommendations: , or
My recommendation for reverse engineering and malware analysis, under Windows:
My recommendation for pure malware analysis, under Linux:
My recommendation:
My recommendations: ,
My recommendation: ,
Google : Yara rules for Cobalt Strike and others.
: multiple Yara rules types.
Spectre
Neo23x0
and those listed here,
My recommendation:
My recommendations: , Wiki (choose the one you prefer, or ).
As per :
File samples (to be attached in a password-protected Zip file, with 'infected' as the password): , , , , , , , ,
URL/IP samples: , , , , , , , , ,
You may want to have a look at to know the required email address.
My recommendation: , or .
e.g.:
e.g.:
e.g.: ,
e.g.: , , ...
Cf. .
Cf. .
Cf. .
Cf. .
As per :
SOC assets should be part of a separate , to allow AD isolation from the rest of the monitored AD domains.
My recommendations: ,
MITRE,
CISA,
FireEye,
Kaspersky,
Wavestone,
MalAPI,
FireEye,
Herman Slatman,
Microsoft,
Betaalvereniging,
ANSSI (FR),
GMU,
J0hnbX,
Fabacab, .
Microsoft, .
iDNA, , in FR.
Soufiane Tahiri, , in FR.
PwnDefend, .
NIST,
Amazon,
Microsoft,
CIS,
Abdessabour Boukari,
Trellix,
Elastic,
,
(CERT description)
Soufiane Tahiri,
CISA,
My recommendation:
My recommendation: ,
My recommendation:
My recommendation:
See
My recommendation:
e.g.: ,
Put the SOC assets in a separate AD forest, as , for isolation purposes, in case of a global compromise of the enterprise's IT.
Recommended technology choices: