SEC450-1.pdf
2022
© 2022 SANS Institute. All rights reserved to SANS Institute and/or SANS Institute. PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE "USER") AND SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. With this CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA. BY ACCEPTING THIS COURSEWARE, USER AGREES TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, USER AGREES THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If User does not agree, User may return the Courseware to SANS Institute for a full refund, if applicable. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute.
Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware. SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc. PMP® and PMBOK® are registered trademarks of PMI. SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission. SIFT® is a registered trademark of Harbingers, LLC. Used with permission. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA. All reference links are operational in the browser-based delivery of the electronic workbook.

SEC450_1_H01_04
SEC450.1 Blue Team Fundamentals: Security Operations and Analysis
Blue Team Tools and Operations
© 2022 SANS Institute | All Rights Reserved | H01_04

Welcome to SANS SEC450 – Blue Team Fundamentals: Security Operations and Analysis!
SEC450 | Blue Team Fundamentals: Security Operations and Analysis 2

TABLE OF CONTENTS
Course Outline 04
Welcome to the Blue Team 05
EXERCISE 1.0: Virtual Machine Setup 17
SOC Overview 20
Defensible Network Concepts 46
Events, Alerts, Anomalies, and Incidents 69
Incident Management Systems 86
EXERCISE 1.1: TheHive Incident Management System 106
Threat Intelligence Platforms 108
EXERCISE 1.2: MISP Threat Intelligence Platform 132
SIEM and Automation 134
Know Your Enemy 152
Section 1 Summary 168
EXERCISE 1.3: SIEM with the Elastic Stack 171

450.1 Table of Contents
This table of contents outlines the plan for 450.1.

Course Outline
Section 1: Blue Team Tools and Operations
Section 2: Understanding Your Network
Section 3: Understanding Endpoints, Logs, and Files
Section 4: Triage and Analysis
Section 5: Continuous Improvement, Analytics, and Automation
Section 6: Capture the Flag!!!

Course Outline
Here is the layout for SANS SEC450. This class consists of five books' worth of content, a virtual machine with exercises aligning to the content presented each day, and a sixth day that will challenge you to apply all you have learned in a capture the flag challenge! This slide shows the high-level topics that will be discussed throughout the course. In this book, we will introduce security operations, the blue team mindset, and the data, tools, and processes that will support our cyber defense operation.

Blue Team Tools and Operations: Course Roadmap
1. Welcome to the Blue Team!
2. Exercise 1.0: Virtual Machine Setup
3. SOC Overview
4. Defensible Network Concepts
5. Events, Alerts, Anomalies, and Incidents
6. Incident Management Systems
7. Exercise 1.1: TheHive Incident Management System
8. Threat Intelligence Platforms
9. Exercise 1.2: MISP Threat Intelligence Platform
10. SIEM and Automation
11. Know Your Enemy
12. Section 1 Summary
13. Exercise 1.3: SIEM with the Elastic Stack

Welcome to the Blue Team!
If you are new to security operations, welcome!!! We're glad you're here to join us!
Organizations need your help
Cyber defense…. A great industry to work in
One of the most challenging and in-demand careers in cybersecurity!
This class will start you (or help you continue) your journey!

Welcome to the Blue Team!
Welcome to SEC450: Blue Team Fundamentals: Security Operations and Analysis, and if you're new to information security and Security Operations Centers, get ready for the ride of your life! Cyber defense is, without a doubt, one of the most exciting and challenging careers in information security. With attacks only becoming more frequent and more destructive, defense is a position that will be desperately needed for years to come. You may have looked at attackers' tools and wondered how such brilliant ideas were conceived. Trust me when I say that not only can equally amazing things be done on the defensive side, but if nothing else, there's even MORE opportunity for development. In the past, defense teams have lagged behind the newest and wildest attacks, left behind by the rapid pace of hacking tool development, but we are in a new and exciting time right now.
Blue Team tools have caught up, and defensive frameworks like MITRE's ATT&CK, for example, have helped bring the Blue Team up to speed and are continuing to be developed at a rapid pace. There's an enormous number of exciting things going on in the defensive space and, in the author's opinion, there's never been a better time to be joining the Blue Team. This class is designed to jumpstart those who are new to defensive operations. Whether you're a one-person team or a new member of a SOC, the goal is to give you the mindset, knowledge, and operational familiarity needed to be successful in modern cyber defense. Without further hesitation, let's get started…

About This Class
This class is designed for defense team members and those who train, work with, and manage them
We will cover a range of Blue Team fundamentals:
People: Mindset, mental models, career progression, burnout
Process: Analysis, investigation theory, triage, and data flow
Technology: Network and host monitoring, understanding protocols, spotting attacks, scripting and automation
Strategic, operational, and tactical level info
Why was it written? As a move toward standardized training, we need your help!

About This Class
This class is designed for those who are working in daily cyber defense operations: analysts, SOC managers, engineers, and anyone else looking to assist with the prevention and detection of attacks. Whether you have a full enterprise SOC or are a single-person team, the concepts and tools covered will apply and help you do your best. Success in security operations is driven primarily by three factors: people, process, and technology, and we will be covering all three. Process-wise, we will cover the workflows and actions taken by the typical Blue Team member, and how to make them as efficient as possible, utilizing automation and eliminating manual work wherever possible.
Technology-wise, we will cover the main tools and sources of data the typical security operations group has, and how to understand and wield them to their best potential. Finally, the people factor, that is why we're all here, right? In these 6 books, we will cover a broad range of topics with in-depth explanations and hands-on activities to help facilitate learning as rapidly as possible. Why was this class created? Because cyber defenders, also commonly known as "blue teams", desperately need direction and help with what to prioritize and how to make the most of what they have! Our tools and processes are rapidly maturing, and our technology is already outstanding when used correctly, but we have a dire shortage of people who are prepped and ready to jump into a security operations role. Therefore, the focus of this class will be developing you, with skills that will help you immediately understand and jump in with technical analysis and guidance on what to do when attackers come knocking on your virtual doors.

State of the Industry
Key points from the 2021 ISC2 Global Workforce Study [1]:
4.19M workers globally
700k infosec jobs filled in 2020
Still a 2.72M worker shortage!
Highest percentage of shortages in provision, analyze, and protect/defend functions
Shortage of workers and available high salaries means hiring and retention is difficult!

State of the Industry
How large is our workforce gap? According to the 2021 Global Workforce Study performed by ISC2, even though we've added 700,000 more people to the workforce, demand is still outpacing supply. We're still facing a shortage of roughly 2.72M cybersecurity workers according to ISC2 data [1]!
From a security operations-specific perspective, the survey also notes that staffing shortages are highest for professionals in secure provisioning, analysis, and protect/defend roles (which describes many people who take this class). This need for so many more workers and the availability of increasing salaries means that it's an employee's market! The slide above shows ISC2 survey results for average salaries [1] for information security jobs worldwide, as well as a very clear average salary increase for those who obtain cybersecurity certifications! All this means job options are still plentiful for the employees out there. On the flip side, the managers out there may have it tougher: with so many available jobs, it may be more difficult to keep your team members. Regardless, the future is looking bright for security operations jobs!

[1] 2021 Cybersecurity Workforce Study: https://www.isc2.org/Research/Workforce-Study

The Difficulty of SOC Work
The problem is, SOC work can be tough…
High barrier to entry
Ticket/alert based, repetitive work
Tiered structure may limit visibility and scope
Over-prescribed workflow restricts freedom
Repetitive clicking and information filling
High turnover means "revolving door" of coworkers
We'll discuss how to fix this
Let's make security operations fun and engaging!

The Difficulty of SOC Work
One of the unfortunate sides of SOC work is that in some situations it can end up being repetitive and restricting. The author has heard SOCs described as everything from an awesome place to work where everyone is engaged and constantly learning to "a revolving door" where "no one has any idea what they're doing," yikes! The processes used and the environment created within the group will have a huge impact on the effectiveness of the group, the engagement of its employees, and employee retention.
To be clear, no matter where your SOC stands right now in this regard, there are ways to make it better, and we will discuss them throughout the course! A second goal of this class, beyond the technical training, is to help show ways to eliminate the unnecessary misery sometimes associated with SOC work: repetitive data entry, bad metrics, overly restrictive workflow, and mountains of false positive alerts. These issues can be controlled and should be aggressively tackled by any team facing them before they poison the environment and group morale. These issues will be tackled head-on in Section 5. The author's wish is to help improve the perception of Blue Team jobs. While they may have gotten a bad reputation in the past due to immature tools, those days are long gone. Automation and mature tooling and technology are here, and you should be using them! We want the SOC to be a place everyone wants to work for the long term, not a role you have to use as a steppingstone to something else, or as a hurdle before you can escape to something else. Whether or not this is the case in your organization will depend heavily on how your people, process, and technology interact, but we will do our best to help you understand how you can turn a less-than-ideal situation around wherever possible. SOC work will always be challenging, but it should be the fun kind of challenge, not an everyday struggle!

Why Are We Being Attacked?
[Chart: attacker types and motives across all industries, from the 2021 Verizon DBIR]

Why Are We Being Attacked?
Why are so many cyber attacks happening in the first place? This discussion is very important as it forms the foundation on which we will build our entire security strategy. In order to spend your budget in the most logical way, you must consider the most likely attacks and attacker motivations. Knowledge of this kind is part of what is called "threat intelligence", and it helps us take our first step in the right direction.
The 2021 Verizon Data Breach Investigations Report, which is one of the most comprehensive reports compiled every year, gives us an idea about the most common attacks and motivations for attacks. Above is the chart showing the most common attacker types and motives across all industries. Industry-specific data is available in the report and is something you should look at for your own industry [1]. What is clear from this data is that most attacks (that are known to Verizon) are financially motivated. In a very distant second place is "Espionage", which is where many of the scary-looking, APT-labeled, zero day-wielding attacks you read about in the news would likely fall. The remaining attacks are comprised of grudges, fun, or "other." Given this information, consider what you spend most of your time worrying about: Do you plan for APTs coming to steal your intellectual property, or organized crime groups looking to run a ransomware attack? Does that align with what the threat profile for your industry appears to be? Knowing the threats and preparing accordingly is a great initial goal for putting together a threat-aligned defense. We will take this idea and continuously reiterate and develop it throughout the course.

[1] Verizon 2021 DBIR: https://www.verizon.com/business/resources/reports/dbir/

How Long Does It Take To Realize It?
Mandiant M-Trends 2021 [3]
Detection speed getting better…. or is it?

How Long Does It Take To Realize It?
How fast are we noticing that we're breached? Using the Mandiant M-Trends 2021 report, which covers all breaches Mandiant responded to in 2020: the global median dwell time was 24 days, down from 56 days in the previous year. Hooray for defenders, right?
Partially. Mandiant says "Global median dwell time for incidents which were detected internally dropped to just 12 days and incidents with external notification sources came in at 73 days." [3] However, this doesn't tell nearly the whole story. While detection certainly has improved since this metric began, Mandiant also points out that over the past couple of years these numbers are falsely lowered by attacks designed to be "found", specifically by ransomware attacks, which increased in number in 2020 and 2021. These attacks immediately reveal the compromise, which brings this metric lower, even though this is not a true win for the blue team. This brings up the question, how fast is "fast enough" then? How might we even answer that question? One way is considering how quickly threat actors can potentially move and at least trying to match it. Ideally, we want to move faster than attackers! We'll discuss the importance of this statement later when we cover the OODA loop. Considering there are headlines from The DFIR Report blog showing that full-scale, organization-level ransomware can be spread and active in single- to double-digit hours [1][2] (although this typically involves a missed critical patch), clearly most would agree that 24, or even 12, days is still too long! So, what are we going to do about it?
[1] Ryuk in 5 hours, The DFIR Report: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
[2] IcedID to XingLocker Ransomware in 24 hours, The DFIR Report: https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
[3] Mandiant M-Trends 2021: https://vision.fireeye.com/editions/11/11-m-trends.html

The Cure: Improving Cyber Security Operations
Cyber Security Operations: "Protecting the confidentiality, integrity, and availability of information systems of an organization through proactive design and configuration, ongoing monitoring of system state, detection of unintended actions or undesirable state, and minimizing damage from unwanted effects." [1]

The Cure: Improving Cyber Security Operations
On to the first piece of a defensive security mindset: What is cyber security operations? This definition is used by Chris Crowley, a SANS Senior Instructor and security operations expert, as an all-encompassing mission statement. It's all about ensuring systems continue to perform as expected, and facilitating that through good design and ongoing monitoring. When things do inevitably go wrong, it is Security Operations' job to ensure damage is minimized. Notice we did not say "there is no damage." This is an acknowledgement that no network is invincible, and that compromise will occur. The question will be: Are your team and technology properly configured to minimize that damage?

What is a Cyber Security Operations Center?
Cyber: Related to information systems
Security: Intended use only
Operations: Ongoing performance
Center: A hub or nexus of activity
The "Blue Team" for your organization: Maybe a one-person security team, maybe a formal group
Many potential acronyms: SOC, ISOC, SIRT, CSIRT, DART
Goals are monitoring/hunting, incident response, threat intel, forensics
Whoever is responsible for "security operations"

What is a Cyber Security Operations Center?
If security operations is protecting and monitoring your data, and minimizing the damage that occurs, the SOC is at the center of those activities. It houses (virtually or physically) and includes the people, process, and technology that operationalize those goals. This group is often called the "Blue Team", the SOC, or one of many other acronyms. The terms Blue Team and SOC will be used interchangeably throughout this class. We realize not all organizations have a full "SOC" in the traditional sense. For the sake of this course and the text, however, whether you have a full formal defense team is usually not the point. When we refer to "the SOC" in this class, imagine that we are talking about whoever performs the functions required for threat monitoring and detection, incident response, and other similar tasks, whether that is one person or many. Ultimately, what is important is getting the performance the business needs out of those responsible for cyber defense. What exactly does that mean, and how do we achieve it? That's what the rest of this course is about!
Modern Defense Mindset [1]
A modern defense is our only hope, this means:
Presumption of Compromise
Detection Oriented Defense
Proactive Detection: Hunt Teams
Post-Exploitation Focus
Response-Driven
Risk Informed Strategy
"Prevention is ideal, detection is a must"

Modern Defense Mindset
As a Blue Team, we need to make sure everyone is on the same page as to what constitutes a "modern defense mindset" and what it takes to defend the networks of today. The SANS SEC511 "Continuous Monitoring and Security Operations" course (a great follow-on to this one) by Eric Conrad and Seth Misenar has a very well thought out rundown of some of the most important concepts, which are listed here. In short, we must acknowledge the likelihood of compromise at some point and put up a strong defense in terms of both prevention and detection technologies that can catch the things that do slip by. This proactive detection can be run by a hunt team or anyone else tasked with searching through the collected data looking for evidence of what has made it past the front gates and taken a foothold. This team will need to be post-exploitation focused in what they are looking for, as the adversary is assumed to have already broken through the exploitation stage and to now be present inside the environment. Detection is great, but without the ability to do something about it, it's of no use, so detection must be followed by a rapid response. This means that once anything has been found, we need to be prepared, both process- and technology-wise, to respond as fast as possible to prevent any further damage from being done. In most compromise situations, the cost of cleanup rises as the breach progresses, so catching it and stopping it as early as possible is of utmost importance. Finally, we must put up our defense in a risk-informed manner.
Many teams will not have the budget or time to protect everything perfectly and evenly; therefore, knowing what your adversary might be after in your organization and how they might get there is vital for the optimization of resources. Placing more prevention and detection technology in front of the servers that hold the most important data and the people who have access to it is a rational way to maximize return on your security tool investment.

[1] SEC511: https://www.sans.org/cyber-security-courses/continuous-monitoring-security-operations/

Summarizing Our Mission
"Reduce the probability of material impact to my organization due to a cyber event." [1]
- Rick Howard, CSO and Chief Analyst @ CyberWire

Summarizing Our Mission
This slide holds one of the author's favorite definitions of cybersecurity, as it boils the job down to a very succinct and memorable phrase. Everything you do as a cyber defender should be able to map back up to this one main overarching goal: "Reduce the probability of material impact to my organization due to a cyber event". It is highly recommended you read the article in the footnote where this came from, as Rick Howard explains in detail how he meticulously crafted this carefully worded definition. Understanding the makeup here is an important foundational item for every defender to fully grasp. Here is a summarized breakdown:
"reduce the probability": because we won't be perfect
"of material impact": because this is the most important; all impact is bad, but significant and material impact is what we need to focus on
"to my organization due to a cyber event": this scopes our job to our org and to cybersecurity-specific events, because we aren't in charge of stopping all material impact
So, what role do you play in this picture?
Your mission, at the end of the day, is to reduce the effects of compromise of your organization to the minimum possible. The way to do this is to be prepared to quickly identify the signs of compromise and put a stop to the progression of the incident. We can do this via a well-monitored network and set of endpoints, and the ability to alert on and triage potential issues quickly and accurately. This task is not easy. It requires lifelong learning and a drive to chase down adversaries. Attack techniques and exploits will change daily, and to add to the challenge, you will always have imperfect knowledge of the situation at hand. Learning to understand the protocols in use on the network, how to read and interpret log files, how to perform high quality analysis, and how data should (and shouldn't) flow goes a long way toward accomplishing this mission. Fortunately, that is what we will be focusing on in this class.

[1] "Cybersecurity first principles", thecyberwire.com: https://thecyberwire.com/stories/36065117662b4e6ebf0d350163283fc6/cybersecurity-first-principles

SEC450 Goals
Goals of this class are to teach:
Tools - SIEM, threat intel platforms, incident management systems, and more
Data - Network, endpoint, and application logs
Triage - Fast, accurate identification of the most important issues
Analysis - How to perform high-quality investigations
Automation - When and what to automate to make your life easier
Mindset - Mental models for success in modern cyber defense
Continuous Improvement! - How to identify and implement improvements
Set you up for success as a Blue Team member!

SEC450 Goals
The Blue Team will be at its best when it has a realistic view of what is possible and has a good working relationship with the business.
Although most of this class will focus on inside-the-SOC data, processes, and workflow, it's important not to lose sight of the big picture view of how the group fits within the organization at large. Remember that from the business perspective, your job can likely be summed up in a statement similar to "make sure that a cybersecurity-related problem is never the thing that stops business from happening/government from operating, etc. And while you're at it, try to minimize all cybersecurity-related costs where possible!" It is the translation of that high-level objective, however, to the low-level processes, tools, and data where things get complex. This class will focus heavily on the technical details, attack types, defensive measures, and in-SOC items toward the goal of creating a happy, well-functioning Blue Team set up to succeed at defending your organization!
Lab Workbook and Digital Wiki
Workbook:
Permanent copy
Doesn't use screen real estate
Used for GSOC testing
Digital Wiki:
Constantly updated
Errata quickly fixed
Copy and paste
Clickable links
Picture zooming
Lab videos
Reference material
Instructor contact info

Lab Workbook and Digital Wiki
This class utilizes a digital wiki that is built into the virtual machine and contains all the information about the lab environment, cheat sheets, quick reference content, as well as digital versions of the labs themselves. Throughout the class, we highly recommend you work from the digital wiki instead of the workbook, as it allows the use of copy and paste for commands, which helps error-proof your experience.

Exercise 1.0: Virtual Machine Setup
If you haven't already, please go to Exercise 1.0 in the SEC450 Workbook for instructions on setting up the virtual machine for this course. Although you won't need it just yet, this will ensure you have the lab environment up and running before diving into the rest of the course.

Starting Off with a Strong Foundation
In this module:
1. The core components of security operations
2. Defining and understanding the SOC mission
3. Ensuring SOC alignment with organization objectives and risk appetite
4. Org charts for security operations
5. Security operations core functions
6. Useful reference documents for practitioners
7. Measuring and communicating SOC effectiveness

Starting Off With A Strong Foundation
In this module, we will discuss some of the core components of security operations and multiple models used to understand the people, process, and technology involved. The goal will be to help you understand how to build a strong foundation (or assess the one you already have) and keep your SOC moving in alignment with your organization.

The Components of Security Operations
People: Performing analysis and investigation, designing and running processes
Process: The defined sequence of events performed to achieve an end goal
Technology: Hardware and software used to accomplish the mission
[Diagram: triangle with People, Process, and Technology at the corners and SOC in the center]

The Components of Security Operations
One common way of looking at a SOC is through the lens of the required ingredients. A fully functioning Blue Team requires three core components: people, process, and technology. First and foremost are the people. Without an engaged and well-communicating team, no Blue Team can operate. The people are the heart and soul of the Blue Team operation. The selection of people on the team can single-handedly make or break it. No process or technology will be able to make up for a dysfunctional, untrained, or unhappy team.
Second is the process, which defines what exactly those people will be doing with their time and how they do it. Process definition involves identifying important tasks and engineering the optimal solution for completing them. Finally, technology is the enabler of efficient and well-defined processes. Technology allows us to monitor vast amounts of data at scale and is a force multiplier for our team members. If you're doing defense right, technology is NOT a replacement for people; it merely makes them better. If your analysts can be replaced by technology, they likely were doing the repetitive work that would've been better handled by automation in the first place, not doing the type of work they should be doing: analysis.

These three components make up the "three-legged stool" of security operations. Without each one, the team will not be able to succeed.

Understanding Your Mission - Four Core Questions [1]

Cyber defense is difficult - where do we even start?
Let's derive some goals and requirements
Here's a great set of questions that will help you clarify your mission and what success looks like. Consider:
1. What are we trying to protect?
2. What are the threats?
3. How do you detect them?
4. How will you respond?

People, process, and technology are just categories of required ingredients, however. When you mix those things together, what are we looking to do? Defend an organization of some sort, of course!

To help us define how people, process, and technology will help us build that defense, we can use the following four questions posed in "Crafting the Infosec Playbook" [1]. These questions are worded in such a way that they can help anyone derive the mission for their team.
If you are just starting to build your team, they are an outstanding starting place to consider what your SOC mission should look like, and even how you might measure your success. If you already have a SOC, consider how you would answer these questions and whether the answers align with what your team actually does day to day.

What are we trying to protect?
What are the threats?
How do we detect them?
How do we respond?

The better, and in more detail, you can answer these questions, the better off you are. Yes, you may know you need to "defend your company data from APTs", but which APTs? How will they attack you? What types of data, specifically? Where is that data held? Who has access? You get the idea: the more info you have, the higher your chance at success.

It is highly recommended you review and reconsider these questions periodically. The answers will change as threats, your team, and your organization evolve.

[1] Crafting the Infosec Playbook: https://www.oreilly.com/library/view/crafting-the-infosec/9781491913598/

Aligning the SOC with the Organization

A charter, approved by management, describing:
Constituency served
Services to be delivered
Scope of work
High-level mission statement and goals
Organizational structure, concept of operations, etc.

Steering committee:
Enumerates risk concerns from the business
Aligns SOC capabilities and performance with business needs

Once you have considered the answers to the four core questions, consider how those answers intersect with your requirements, budget, team capabilities, and organization. Taken together, this information should help you craft or review your existing SOC charter.

A SOC charter, whether you call it that or not, is the guiding document that lays out the parameters of the security operations team.
It legitimizes and gives the Blue Team the authority to perform the activities required to defend the environment and describes at a high level how they will do it. It should contain the team's scope, duties, services offered, constituency served, and high-level mission, and it should be approved by management. This document sets the foundation for the team and ensures everyone (inside and outside of the team) is on the same page about what is expected from the group.

The security team charter should be considered a living document. Technology and organizations change at a rapid pace, and therefore your charter might need to as well. Creating a "steering committee" can be the solution to that problem. A SOC steering committee, a periodic meeting with critical SOC stakeholders, can help ensure continuous alignment of the SOC with business expectations. The steering committee ensures communication lines stay open, that the SOC is hitting the requirements and needs of the business, and that it is focusing resources on the appropriate risks. It is how we, as a Blue Team, speak directly with our constituency and make sure we're providing the services expected and needed, not just making up what we think is the appropriate defense.

These two high-level items provide the initial and ongoing direction for what the SOC should be doing, who it protects, and how.

Finding the Organizational Risk Appetite

Remember to consider the big picture
Organizations don't exist to be secure
Where is security on the priority list?
Government/Military: Highest importance
New startup company: Low importance

(Diagram: a spectrum from No Security, through Reasonable Security, to Tight Security.)

Ask if your org. has a "risk appetite statement"
A mature security team understands the appetite
Works within it (this doesn't mean you can't try to influence it)
It will change as management, company, and priorities change

One of the items that should be made clear through the steering committee is the organizational risk appetite. Everyone in the SOC should understand well what the business views as its biggest risks and how that translates to how it approaches its mission. Different organizations will have wildly different security priorities driven by the nature of the organization. Typically, government and national defense-related organizations will have the lowest risk appetite and be willing to implement more intrusive controls to ensure breaches are minimized. Companies just getting off the ground may look at security as a function that should be done at a minimal level to ensure they can operate at the highest possible speed. The security team's job is to take this information as input and work within it, or inform management when the risk has been misjudged so that a proper adjustment can be made.

Be aware that the risk appetite will change over time naturally as the organization matures, as well as when leadership changes. Keeping a finger on the pulse of the current organizational thinking is one of the important things the Blue Team must do. Some organizations keep a formalized "risk appetite statement." Reading this document (if it exists) should help make the thinking of upper management clear.

Meeting the Risk Appetite

"What's the worst that could happen?"
What type of work does your organization do?
How critical is the success of the security team?
Highly critical: Application control, EDR/XDR, zero trust network design, strict email policies, etc.
Less critical: Basic tools and data monitoring capabilities
Your goal: Find ways to crank security as high as you can without hindering business process
Applying all appropriate "invisible security" options
Making smart choices when it comes to inconvenient/"visible" security

Is your company absolutely unwilling to tolerate a breach, and will it take extreme measures to protect itself above all else? Or is it willing to go a little more relaxed and take a balanced approach to ensure that business gets done quickly?

Consider the questions above. Although ideally this information will be handed down from above, sometimes the answers to these questions can be somewhat self-evident. Stop for a minute and consider what is the worst possible thing that could happen to your organization: Is it a data breach, or disruption of critical infrastructure you run? Consider how likely those things are to occur, and what it might take to get to that point in terms of access. Then consider the controls your company has in place to get in the way of that scenario.

One goal of the steering committee is to help produce the answers and determine how much money and time the business is willing to invest to stop these things from happening. The SOC will then take these directives and convert them into controls that will need to be in place. Those who have a low tolerance for a breach will likely find themselves subject to strict controls such as application control, zero trust-style networks, isolated or air-gapped systems, and strict lockdown of internet and email. Those with a higher risk tolerance may be fine with basic controls: OS built-in antivirus, default logging provided by vendors, and basic email filtering and spam detection.

Your goal as a Blue Team member is to ensure the risk appetite and the deployed controls and technologies stay in line.
If you find the business starts taking unnecessary risks, perhaps ones they don't fully understand or are unaware of, you should feel empowered to make recommendations where there are gaps in coverage. We will discuss later in the course tactful ways of doing this without getting yourself in trouble. We are trying to hit that area of balance where a (well-informed) risk appetite is being met, both securing the company and allowing work to get done, largely unhindered, except where necessary.

Risk Appetite Meets Reality

Pretend you work for a vaccines company:
A vendor-built PC runs a critical production line
A locked-down, qualified build, no extra security software allowed
Requires: Outbound FTP data transfer; Inbound web status page
Operating System is Windows XP
How do you secure this machine?
Hint: The answer is not "don't allow it to be used" - you'll quickly be shown the door with this approach

An example situation you might run into where the level of risk desired may be at odds with the realities of the job you must do: Let's say you work for a vaccines manufacturing company, and part of that manufacturing process takes a highly specific computer setup that has to be formally approved for all changes due to its sensitivity as part of the process. The build is based on Windows XP and cannot be modified beyond the stock software, so you cannot add monitoring or firewall software to the host, not even antivirus protection. In addition, you also can't update the operating system because the vendor went out of business and there is no alternative, so you're really stuck here. To make matters worse, this machine also needs to record data that it will send out via the insecure FTP protocol, and additionally, it hosts a status page via an old, likely insecure web server.
This seems like a contradiction: you must be safe, but you also must run Windows XP on a machine performing a critical task. What do you do? Some might be tempted to tell the business that this situation is so risky that it would be insane to continue to use the machine in any capacity at all! Be prepared to be rejected if this is the conclusion you propose. The answer you would likely receive to that response is "absolutely not, that machine is responsible for $x/hr. of product, find another way!"

What else can we do? Our requirements are that we do not touch the inner workings of the machine; therefore, solutions would likely involve external security appliances applied as compensating controls. These would need to scan the content of network communications for viruses, as well as lock down the system from communicating over any unneeded ports, or with any systems that it doesn't strictly need to communicate with. In addition, web application firewalls could be used to protect the web application. These are the types of complicated real-life situations you will encounter as a Blue Team member, and you will need to accept the situation, address the risk and requirements, suggest a solution, and interpret the data generated in order to detect a compromise under such a setup.

Accepting the Risk

The concept gets joked about a lot in information security [1]. Do remember, though, that as badly as we want to make the perfect, most impenetrable network, it's common that the organization will want to accept an identified risk. Cybersecurity is one piece of a complex business pie, and although security may be your entire world, to someone else it's just one factor in an equation of items to worry about to keep the organization running.
Ultimately, the best we can do is give management accurate and complete information to do their job, which is making sure the business continues to run. If you disagree with a decision that is being made and think it may be overly risky and lead to issues down the road, the best you can do is try to communicate why in a more effective way, or document the advice that was given and continue with your day.

[1] "Host Unknown presents: Accepted the Risk": https://www.youtube.com/watch?v=9IG3zqvUqJY

Blue Team Truth #1

Compromise Will Happen
The question is... how will it affect you?
Outcome 1: Adversary succeeds in initial steps of the attack, but is quickly detected and fails to complete their mission
Outcome 2: Adversary is not detected, runs free, causes a huge impact!
Not all adversaries will be blocked from the get-go
The acknowledgement of this fact and preparation for what occurs after is what separates a good from a bad security operations team
Goal: Detect and minimize damage from compromise

One important truth to remember is that no matter how hard you try, compromise will happen to some extent. It's impossible to put up a defense that works perfectly forever. That's not to say any attack will be a full-on disaster, however. It's up to the Blue Team to determine how far an attack will progress and the damage it will be able to cause. The Blue Team affects these things by informing the business of the true risks in the cybersecurity landscape and driving good policy and configurations throughout the environment. This helps prevent many attacks from happening in the first place, but it won't stop everything.
We also need to know how to respond and have the training and tools to respond (quickly!) when things do go wrong.

This class is focused on helping you stop the highest impact attacks: those targeted attacks looking to extort your money, destroy your data, or leak your critical information. These attacks are multi-stage and cannot happen all at once with a single exploit. Getting phished or getting a piece of malware installed on someone's laptop is not the end of the story. But if that attack is not noticed, and the attacker uses this access over months to ultimately steal intellectual property or sensitive personal information and take that breach public, well, that becomes very disruptive and expensive! It is the ultimate end-goal impact we must focus on stopping, and if we can prevent the entire attack in the first place, even better! Therefore, it is the Blue Team's goal to catch the attacks as early as possible, when it is easy to clean up, and kick the attackers out of the environment!

Blue Team Truth #2

Your company does not solely exist to be secure
The team provides a "loss prevention" function: We reduce cybersecurity risk to an acceptable level
Must strike balance between security and productivity
No one can or wants to buy "perfect security", it's prohibitively expensive
Balance is defined by your organization/management
Can be frustrating, but doesn't mean we can't try to influence decisions
Blue team must inform those who make the risk decisions
Good information requires a deep understanding of your craft...

Given the previous slide, it's easy to want to jump in and lock everything down to the fullest. However, it's important to keep the higher-level perspective.
Yes, the Blue Team can point out all the weak points the organization has and say everything must be locked down; but remember, your company does not solely exist to be secure. Organizations exist to create value in one way or another, and cybersecurity can ultimately be viewed as a loss prevention function, similar to security guards at a physical store watching for shoplifters. As a store owner, you could make everyone go through a TSA-style search entering and leaving the store, but you would likely find such a store quickly out of business despite the 0% shoplifting loss.

There's a corollary to the above statement, and that is "Organizations only get to stay in business if they effectively and correctly manage risk." Therefore, we can't have zero security either! There's a balance that must be struck between security and allowing the business to function without hindrance. This can be very frustrating at times, but every business will have its own take on what the major risks are (cyber and otherwise), and where the dial should be set on security vs. productivity.

The goal of the Blue Team is ultimately to help the business understand the true risk they face and help them lock things down as much as possible, ideally causing minimal or zero productivity hit. This is where the art of designing a secure system comes in. At times, bargains and tradeoffs must be made, and clever solutions can be designed that will allow people and networks to operate without slowing down the pace of whatever it is that makes the company valuable.

How Are We Organized? [1]

(Org chart)
SOC Lead
Incident Lead
Tier 1 Analysts
Tier 2 & 3/SMEs
Detection Engineering
Incident Response
Threat Intelligence
Engineering & Infrastructure
Forensics
SOC-Adjacent Functions: Sys. Admin, Vuln Mgmt., Pen Testing/Red Teams
Here is a chart showing a common functional organizational chart for a larger security operations team. This chart highlights the fact that there is much more to running a SOC than analysts doing triage. Operating such a highly technical capability in a large organization also likely involves the support of dedicated people doing detection engineering, threat hunting, engineering, system administration, and more. There are also what, in this diagram, are labeled as "SOC-adjacent functions". In some security teams, these groups are part of the SOC; in others, they are separate groups. We will address these in more detail in a bit.

Many students are curious where these groups are best placed and whether they should be under SOC management or not. The opinion of the author is that there is no "one size fits all" when it comes to this question, due to the highly varying nature of each organization, their missions and scope, and the personalities of people on each team. Instead of prescribing you an exact org chart, consider what a well-functioning team in each of these functions might look like and how you could measure that. If your teams are hitting the mark, then it's likely that wherever they fall on the org chart is ok. If, however, there is a breakdown of communication across team members or other such issues where combining teams under a common manager might be the solution, then a reconsideration of lines of reporting may be in order. Ultimately, everyone in all these potential groups needs to work closely with one another, and if the org chart appears to be the thing preventing that from happening, it's probably time to reconsider it.
Tiered SOCs

Many SOCs have tiered analyst roles
Tier 1: Learning the ropes
Tier 2: Increasing capability
Tier 3: Highly complex tasks

Typical duties for each tier...
Tier 3: Deep analysis, methodology development, strategic support, hunting
Tier 2: Attack scoping, further analysis, tactical and remediation support
Tier 1: Initial triage and analysis, ticket generation

When it comes to analyst roles in the SOC, many teams break down into a tiered structure where tier 1 analysts represent an entry-level role. As individuals gain experience, they may be promoted up the ranks into a higher tier. Tier 1, as an entry-level role, typically involves a more highly defined process and tasks that will help newcomers understand the rules of the SOC and the data collected. Unfortunately, at least from the analyst's perspective, it may also involve restrictions on which tools an analyst is allowed to use and which data can be viewed.

There are valid arguments both for and against tiers. Having a restricted tier 1 role helps focus learning and removes the temptation to try to use data that might further confuse issues. On the plus side, controlling process and who can do what ensures the SOC has a repeatable workflow, and everyone knows exactly what is expected of them. The downside is that, at least at the more extreme side of the tiering spectrum, analysts might not be allowed to use more in-depth tools if it's not part of their role and may become quickly frustrated. We know that retention is a problem in many SOCs; therefore, exercise caution and careful consideration when assigning job tasks and restrictions to tier 1. Overly restrictive tiers can lead to a situation where people may leave out of frustration if they don't get promoted as fast as desired. No one wants to operate the "revolving door" SOC.
As analysts gain familiarity with the workflow, tiers 2 and 3 typically involve increasing amounts of freedom, potentially less process, and more complex tasks. These challenging tasks often top out in activities like malware reverse engineering and memory forensics: specific and niche activities that require higher levels of specialization or expertise. The increased freedom is an acknowledgement that an analyst can be trusted with more dangerous files such as malware, or more sensitive incidents and data. This progression can be a great motivator and a highly efficient way to run the SOC when done correctly.

Tierless SOCs

Tierless:
Everyone works together to get everything done
Must carefully manage alerts
Even new analysts can use all available data and tools
Stay engaged, learn quickly... but must know limits
Analysts more self-guided, teamwork crucial
Senior and Lead titles for career progression

Tiered:
Defined roles, clear path for promotion
More structured processes, efficient handoffs and processing
Often have less freedom to use all tools/data restrictions
Less ability to explore and learn?
Slow progression, repetitiveness may lead to retention issues

Neither is "right" - just optimized for different things

Talking with many SOC analysts throughout the course of my career, I have found that many analysts become very frustrated with tiered SOCs. The reasons vary, but often it has to do with overly repetitive tasks or feeling held back despite their ability to take on more complex tasks. Therefore, the tierless operating model might be better for some teams. While you might expect that most SOCs run on a tiered model, anecdotally, when polling students in this class over the years, more than half of students seem to describe their team as closer to the "tierless" side of this slide.
In tierless SOCs, analysts are generally given more freedom to learn and explore all the data and tools available without artificially imposed restrictions. Anecdotally at least, it seems that analysts from these environments are happier with their jobs, and there is some research presented in book 5 to back this up. Although this may seem less defined, is it worth the potential risk? Tierless SOCs, although perhaps less efficient, may boost retention over time, giving the SOC the ability to build and retain the talent that is required for highly complex tasks.

Tierless SOCs are not meant to be chaotic, and care must be taken when operating a SOC in this manner to ensure everything is still being done in a dependable and repeatable way. In this mode, it is expected that everyone will collectively be able to get everything done, and that everyone shares in the responsibility and is expected to contribute at the level they are capable of. To do this, everyone must know their own limits and be comfortable asking for help when they are reached. The benefits of this operating model are clear, however: newer analysts are exposed to more techniques and complex analysis quickly and can take on more tasks as soon as they are ready, without having to wait for a promotion to be available.

The SOC at a High Level

1. Collection
2. Detection
3. Triage
4. Investigation
5. Incident Response

(Diagram annotations: "The best analysts also deeply understand these steps" on steps 1-2; "Many analysts' daily life is here" on steps 3-5; a Continuous Improvement / Feedback loop running from the later steps back to the earlier ones.)

Now that we've discussed team structure and goals, let's take a more chronological view of how security operations does its work and break it down into some more atomic pieces.
If we were to break the average SOC's functions down into a general set of steps, this is one useful way you can look at it: collect, detect, triage, investigate (and potentially incident response if you perform those duties as well).

Collection - The collection phase is all about the SOC receiving security-relevant data feeds that help them understand what is happening in the environment.

Detection - Of all the data that is collected, suspicious items must be picked out at the detection stage. How well we do this is determined by our tools, threat intelligence, knowledge of attacker tactics and techniques, and more. Anything that crosses a threshold of likely being an attack becomes an alert, gets marked for investigation, and is put in the triage queue.

Triage - There will almost always be more than one item to attend to at once, so accurate triage of the most dangerous or important-looking item is crucial. Ideally, your tools help highlight the most important items. How well this works in practice depends on multiple factors: knowledge of attack stages and methods of attack, risk scoring capability, data enrichment, experience with the environment, etc.

Analysis - Once the most seemingly dangerous item is selected, we must dive in, triage, and investigate it to see if it truly is something bad going on, then pass the case on to incident response if required (sometimes the SOC is in charge of incident response, sometimes it is done by a different dedicated group). Analysts should be trained to do this investigation in a rigorous way, free of cognitive bias and errors in analysis. This includes both investigation to determine whether the alert is a false positive or not, as well as investigation of "what happened" when there is a true incident. Doing this step well, like all others, takes thorough training and improves with experience, and it is one of the steps we will focus on in this class.
Incident Response - Once the investigation is complete, we must go through all the activities to contain the issue, eradicate the attacker, and recover the environment back to normal. We also must document the conclusions of the incident and look for any improvements that could be made to do it better next time. This leads to the overarching process that must happen at all stages and times: continuous improvement fed by the outcome of investigations.

Each of these steps has an important role to play in a successful security operations capability. A weakness in any of them leads to further problems downstream in the process, so it is important we look to continuously evaluate and improve each atomic step.

One final item on this process: when it comes to a SOC analyst's daily life, especially newer ones, we tend to live in steps 3-5. Learning how to select an alert and then triage it is a large topic unto itself and requires learning attack progression cycles and attack tactics. Investigation is a large topic as well. Both are necessary for an analyst to know and are covered in this course. The best analysts, however, understand the entire process and understand the collection and detection steps that are often tasks for other job roles such as detection, content, or data engineers. Understanding the fundamental principles of why you see the data you see, how it is collected, how malicious things are identified by your detection tools, and how it is all aggregated for analysis makes you a more well-rounded analyst.
The goal of this class is to explain all these processes and break down the required items to reason your way through each.

Deconstructing the SOC Process and Technology

To understand SOC functions, we will be simplifying them
Abstract tools/functions into a simple "box" with inputs and outputs
Deconstruction into inputs, outputs, and internal process shows how each item relates to the others

(Diagram: Input 1 and Input 2 feeding a box that produces an Output.)

Another challenge for new SOC analysts is understanding how all the data they must deal with flows between all the tools in the SOC. While a SOC is a highly complex interconnection of many tools and processes, the operation can still be understood if you start off small and build upwards. To do this, throughout the course we will deconstruct and abstract complex systems into an individual set of inputs, internal processes, and outputs. Doing this makes it clear what type of input each system takes in, the internal processes that act on the input, and what it is expected to produce as output.

Take an intrusion detection system, for example. While it is true this is a highly complex machine, we can generalize what it is doing to simplify it for quick understanding. At its essence, an IDS takes as input network traffic forwarded to it and a set of signatures for specific traffic contents it needs to look for. Internally, it finds traffic that matches a signature from the input list in the given traffic and outputs alerts that will ultimately be forwarded to the SOC alert queue. We don't need to care too much about exactly how the IDS does its job to understand its role. We simply must understand that the output is a function of the inputs, which are the traffic it can see and the number and type of signatures that are active. Simple, right?
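To make the IDS "box" concrete, here is an added illustration (my own toy model, not course material or any real IDS's code) that treats an IDS as a function of exactly the two inputs named above: the traffic the sensor can see and the signatures loaded. The flow records, signatures, addresses and the "monitored segment" list are all constructed for the example, and matching a pattern against a whole flow payload stands in for the stream reassembly a real IDS does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection record as a sensor would see it (constructed sample)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """A minimal content signature: optional destination port plus a byte pattern."""
    sid: int
    msg: str
    dst_port: Optional[int]
    content: bytes


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str


def visible_traffic(flows: List[Flow], monitored: List[str]) -> List[Flow]:
    """Input 1, visibility: the sensor only sees flows with an endpoint in a monitored network."""
    nets = [ip_network(n) for n in monitored]
    return [
        f for f in flows
        if any(ip_address(f.src) in n or ip_address(f.dst) in n for n in nets)
    ]


def ids(flows: List[Flow], signatures: List[Signature]) -> List[Alert]:
    """The IDS box: (visible traffic, active signatures) -> alerts for the SOC queue."""
    alerts = []
    for f in flows:
        for s in signatures:
            port_matches = s.dst_port is None or s.dst_port == f.dst_port
            if port_matches and s.content in f.payload:
                alerts.append(Alert(s.sid, s.msg, f.src, f.dst))
    return alerts


# Constructed traffic: production segment 10.1.0.0/16, office segment 192.168.9.0/24.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.2.5", 21, b"USER produser\r\nPASS hunter2\r\n"),
    Flow("172.16.5.9", "10.1.1.20", 80, b"GET /status HTTP/1.1\r\n"),
    Flow("172.16.5.9", "10.1.1.20", 80, b"GET /status/../../secret.txt HTTP/1.1\r\n"),
    Flow("192.168.9.4", "192.168.9.7", 21, b"USER anonymous\r\n"),
]

# Constructed signatures (sids are arbitrary, not real rule ids).
SIGNATURES = [
    Signature(1, "Cleartext FTP login", 21, b"USER "),
    Signature(2, "Directory traversal pattern in HTTP request", 80, b"/../"),
]


def run(monitored: List[str], signatures: List[Signature] = SIGNATURES) -> List[Alert]:
    """Wire the two inputs together so the effect of changing either one is visible."""
    return ids(visible_traffic(SAMPLE_FLOWS, monitored), signatures)


if __name__ == "__main__":
    # Same traffic and signatures, different sensor placement: the output changes.
    for segments in (["10.1.0.0/16"], ["10.1.0.0/16", "192.168.9.0/24"]):
        print(segments, [(a.sid, a.src, a.dst) for a in run(segments)])
    # Same placement, fewer signatures: the output changes again.
    print("traversal rule only", [(a.sid, a.src) for a in run(["10.1.0.0/16"], [SIGNATURES[1]])])
```

Pulling either lever, visibility (which segments the sensor sees) or the signature set, changes the alert list without any change to what actually happened on the network, which is the point of the abstraction.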
Once each individual function of the SOC is understood in this way, it is much easier to recombine them and see the bigger picture of how they all work together. Through this method we will work to understand how the SOC can and should use each of the tools at its disposal.

The SOC Abstracted

Input:
What attacks look like (threat intel: high-level tactics & signatures)
Things that happened (network traffic, endpoint events)

Output:
Identified, minimized, and remediated incidents

Better output requires better input: "garbage in, garbage out"

Although building up from the bottom and understanding all the pieces is useful, we can also learn from the top down, abstracting away all the details to make the mission clear. What if we abstracted the entire SOC? At a very high level, what are the SOC's main inputs and outputs? As the slide above shows, we could generalize it by saying the SOC is a function that takes both the things that have happened in the environment and what attacks look like as input, and outputs identified, minimized, and remediated incidents. As with any system, if we want better output, we need better input (this is where the phrase "garbage in, garbage out" comes from). For a SOC, that means either more visibility or better knowledge of what an attack looks like.

The "SOC" box, of course, is an abstraction of an extremely complicated set of interactions, but at its most basic, that's what we do, and those are the main variables that control it. Looking at our tools and systems in this highly abstracted view, although imperfect, helps us understand the system and identify the levers that can be pulled when something isn't working as well as we'd like.
SOC Process and Technology Functions

Organizing security team duties:

Core SOC Activities
- Data Collection: What's happening on the network/devices
- Detection: Identifying items of interest from data collected
- Triage and Investigation: Confirming and prioritizing detected issues
- Incident Response: Responding to and minimizing the impact of attacks

Specialty/Auxiliary Capabilities
- Threat Intelligence: Collecting information to improve attack detection
- Forensics: Supporting I.R. with deep research and reverse engineering
- Self-Assessment: Inventory, config monitoring, vuln. assessment, Red Team, etc.

Now let's take the previously discussed higher-level functions of a SOC and break them down into the items that would more likely be considered "core SOC" functions vs. the specialty fields. Core SOC items are more likely to be performed by SOC analysts or those who work very closely with them. Small teams may even have all these functions performed by the same group of people. The other specialty fields involve skillsets different enough that, ideally, a dedicated person performs each duty. While large organizations may have dedicated forensics, threat intel, and penetration testing teams, smaller organizations often outsource these capabilities for cost efficiency.

Core SOC:

Data Collection: This is the technology and processes that enable us to understand what is occurring on both the network and the endpoints. As we will later discuss, this can be broken down into network monitoring and endpoint/application monitoring.

Detection: The goal of the detection function is watching the data collected from the network and endpoints and accurately identifying any potential compromises.
This can be thought of as what your network and host IDS systems, anti-virus, SIEM analytics, and anything else that watches everyday events and outputs alerts of possible compromise are doing.

Triage and Investigation: The triage and analysis functions are where all the identified alerts go to get prioritized and verified. Since in nearly every SOC there will be many potentially malicious events identified, it is the primary job of the SOC analyst to sort through them for criticality and verify whether an attack has indeed occurred.

Incident Response: The incident response area is responsible for reacting to problems that are verified and ensuring the impact of the issue is minimized. In smaller SOCs, this falls under the scope of the analysts; in others, this may be a separate group called the CIRT or CSIRT. Regardless of the org structure, incident response is typically considered a core function of the blue team.

Specialty and Auxiliary Capabilities:

Threat Intelligence: The mission of the threat intelligence group is to collect detailed high- and low-level information on attack groups interested in the organization. The goal is to give the Blue Team a tactical and strategic advantage over the attacker. If we can anticipate attacker goals, moves, and infrastructure ahead of time, it will be much harder for adversaries to accomplish their mission.

Forensics: A specialized function focused on determining exactly what occurred during a breach. This may be traditional hard drive forensics, or something more specific such as memory analysis, malware reverse engineering, or even eDiscovery.

Self-Assessment: This name is an umbrella term for multiple functions that may or may not be considered as directly within the SOC. This group contains things such as inventory, configuration monitoring, vulnerability assessment, penetration testing, and red teaming.
These activities are all similar in that they help the blue team perform their job effectively, either by watching for potential issues (vulnerability management) or by testing the blue team's reaction to simulated threats (penetration testing and red teaming). Regardless of its position in the org chart, it is a critical piece of the security puzzle.

Inside the SOC System

[Slide diagram: Inputs (Signatures, Events) feed the SOC, where Detection, Triage/Investigation, and Incident Response are drawn as bold core boxes that produce the output, Remediated Issues; Threat Intel, Forensics, and Red Team/Pen Testing are drawn as dashed auxiliary boxes around them]

Let's now take the functional areas combined with the very high-level input/output diagram of the SOC and begin to develop a more detailed picture. Looking at this version, the bold boxes show which components can be thought of as core to the SOC: collection, detection, triage, investigation, and incident response. The dashed boxes are functions that help enhance the capabilities of the other functions and help us get better results out of the core functions. Red teaming, for example, is a capability that helps test our detection and response functions by simulating real adversary activity and attack tactics. Forensics helps us understand our incidents in greater depth by finding out the truth of what happened on an affected endpoint, the capabilities of malware, or what data has been stolen. Threat Intel helps sharpen our detection capabilities by telling us what to expect of our adversaries at both a higher and a lower level.

Throughout this class, we will inspect these individual functional components and the tools that help perform them, looking at what their inputs and outputs are, as well as what is inside them. The goal is to ensure you are aware of not only how each individual system works, but how they interconnect into what you see here.
Critical SOC Information
- Network diagram: Simplified version for easy reference
- Points of visibility: Taps and span ports, full PCAP
- Data flow diagram: How does traffic reach the internet?
- Log flow diagram: Where do logs come from/go?
- Incident response plan: What to do when things go wrong
- Communication plan: Who to inform, and when
- List of critical assets and points of contact
- Disaster recovery/business continuity plans
- Any other relevant policies, standards, procedures, guidelines

In order to perform the main SOC functions, there are some important pieces of information and inputs for the SOC to have on hand. One item is an overall view of how data traverses the network, and where the SOC has points of visibility. Often, in an incident, the question "would we have seen that traffic?" must be answered. Without a firm grasp on how data flows over the network as well as where it can be seen, this will be a hard question to answer and can lead to confusion and slow down progress. Ideally, this information would include how both internet and internal network traffic is flowing, and where the SOC can see flow logs, full PCAP, or logs from devices that would report any suspicious activity. What we do not want is an analyst going to search for logs, not finding them because they don't exist, and incorrectly concluding a compromise didn't occur because there are no logs of it. Understanding where you do and do not have monitoring coverage helps avoid this problem.

In addition to this info, an incident response plan, detailing the steps that should be taken in the case of a major incident, can keep things running smoothly during a disaster. A communication plan should also be in place, so time is not wasted looking up who to contact and how to contact them.
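The "would we have seen that traffic?" question above can be turned into a repeatable check once the points of visibility are written down. The following is an added Python example, not part of the course material: it encodes a constructed visibility map (segment name to the data sources that capture it) and a constructed routing summary, then refuses to conclude "nothing happened" from an empty search unless a source that actually covers the path was queried. All segment names, data source names and the routing rules are assumptions for the illustration.

```python
"""Answering "would we have seen that traffic?" from a documented visibility map."""
from typing import Dict, Iterable, List, Set

# Constructed visibility map: segment -> data sources that record traffic there.
# An empty set is a blind spot (the segment exists but nothing captures it).
COVERAGE: Dict[str, Set[str]] = {
    "user-vlan":   {"flow"},
    "server-vlan": {"flow", "pcap"},
    "dmz":         {"flow", "pcap", "proxy-logs"},
    "guest-wifi":  set(),
    "egress":      {"firewall-logs", "pcap"},
}


def segments_on_path(src_segment: str, dst_segment: str,
                     coverage: Dict[str, Set[str]] = COVERAGE) -> List[str]:
    """Constructed routing summary from the data flow diagram.

    Internal conversations touch both endpoint segments; anything to or from
    the internet passes the 'egress' segment. Unknown segments are an error,
    because an out-of-date network diagram is itself a visibility problem.
    """
    for seg in (src_segment, dst_segment):
        if seg != "internet" and seg not in coverage:
            raise ValueError(f"unknown segment {seg!r}: update the network diagram")
    if dst_segment == "internet":
        return [src_segment, "egress"]
    if src_segment == "internet":
        return ["egress", dst_segment]
    return [src_segment, dst_segment]


def sources_covering(path: Iterable[str],
                     coverage: Dict[str, Set[str]] = COVERAGE) -> Set[str]:
    """Data sources that could have recorded at least one hop of the path."""
    seen: Set[str] = set()
    for seg in path:
        seen |= coverage.get(seg, set())
    return seen


def blind_spots(path: Iterable[str],
                coverage: Dict[str, Set[str]] = COVERAGE) -> List[str]:
    """Segments on the path where no data source exists."""
    return [seg for seg in path if not coverage.get(seg)]


def interpret_search(path: List[str], searched_sources: Iterable[str], hits: int,
                     coverage: Dict[str, Set[str]] = COVERAGE) -> str:
    """Turn a log-search outcome into a defensible conclusion.

    `hits` is the number of matching records found. An empty result only
    means "no evidence" when a source that covers the path was searched;
    otherwise the honest answer is "inconclusive".
    """
    if hits > 0:
        return "confirmed: activity recorded"
    covering = sources_covering(path, coverage)
    if not covering:
        return "inconclusive: no visibility anywhere on the path"
    if not (covering & set(searched_sources)):
        return "inconclusive: covering sources not yet searched: " + ", ".join(sorted(covering))
    return "no evidence: searched sources cover the path and returned nothing"


def run_scenarios() -> dict:
    """Constructed investigation questions and what the map lets us conclude."""
    internal = segments_on_path("user-vlan", "server-vlan")
    guest_out = segments_on_path("guest-wifi", "internet")
    guest_local = segments_on_path("guest-wifi", "guest-wifi")
    return {
        # Analyst searched an unrelated source and found nothing: not a clean bill of health.
        "internal_searched_auth_logs": interpret_search(internal, ["auth-logs"], hits=0),
        # Flow records cover both segments, so an empty result actually means something.
        "internal_searched_flow": interpret_search(internal, ["flow"], hits=0),
        # Guest wifi itself is blind, but its internet traffic still crosses monitored egress.
        "guest_to_internet_blind_spots": blind_spots(guest_out),
        "guest_to_internet_searched_pcap": interpret_search(guest_out, ["pcap"], hits=0),
        # Guest-to-guest traffic never touches a sensor: nothing can be concluded.
        "guest_to_guest": interpret_search(guest_local, ["pcap", "flow"], hits=0),
    }


if __name__ == "__main__":
    for question, answer in run_scenarios().items():
        print(f"{question}: {answer}")
```

The useful output is the third state, "covering sources not yet searched", which tells the analyst exactly which data source to query next instead of closing the question on the absence of logs.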
A list of critical assets is of utmost importance as well, so there is no question whether that server had important data or not (we'll discuss data classification later on in the course). It's hard to defend your most important data, or even recognize it's in jeopardy, if you don't know where it is and the systems it sits on. Having a prescribed process for these items, at least in the case of major incidents, should be a priority.

Documents Analysts Must Be Familiar With
- Policies: High level, broad, direction setting, mandatory. "All systems plugged into the network must have antivirus installed"
- Standards: Also mandatory, define how or how much. "Configuration settings for antivirus agents must be…"
- Procedures: Step-by-step instructions for a process. "How to install and ensure antivirus is working"
- Guidelines: Discretionary, suggested actions/recommended procedures where actual standards and procedures do not exist. "Best practices for antivirus deployment"
- Baselines: Highly specific settings list (CIS benchmarks)
- Use Case/Playbook: SOC-specific prescriptive rules/procedures for detection

One item that can be confusing for newcomers is the difference between all the various types of documentation involved in running a SOC. The types of documents you will likely run into may sound similar at first glance, but they do have content that can be distinguished from the others. These document types are listed here along with their generally recognized purpose.

Policies: Policies are high-level, broad, direction-setting documents that do not go into specifics but lay out the general requirements for configuration items. They generally answer "what" must be done. Items laid out in policies should be viewed as mandatory.
Standards: As opposed to policies, standards give more specifics in that they specify "how" something gets accomplished or how much of something should be applied. Compliance with standards should also be considered mandatory.

Procedures: Procedures explain the step-by-step instructions for completing a specific task. These can be thought of as the lowest-level documentation in terms of containing lots of specific detail.

Guidelines: Of the previously discussed document types, guidelines are the ones that are not necessarily mandatory. They lay out suggestions and recommended actions or procedures for configuration or other best practices.

Baselines: Highly detailed and itemized checklists. A perfect example is the security benchmarks provided by the Center for Internet Security for securing operating systems and applicat