This slide relates to the first soc fundamental course

1. Security Operation Center
Fundamental Course
1
By: Amir Zargaran
September 2017

2.  Who I am?
Amir Zargaran (LPIC2, ITILV3, Splunk Power User, ACSA)
Cyber Security Consultant and Instructor
- Designing and Implementation of Enterprise SOC
- Administration and Analyst of ArcSight ESM
- Power User of Splunk
- Network Security and sysAdmin of Linux
Zargaran@mail.com
https://www.linkedin.com/in/amirzargar
+98 9129355339
2

3. Agenda:
Day 1
 Introduction
 Most Famous Attacks and the confronting ways
 What is Security Operations Center
Day 2
 Key features and modules
 Processes and Procedures
 People
Day 3
 Technology
 Network Monitoring and Investigations
 Correlation
 Lab
3

4. Introduction
4
Why We Are Here?
What is the Data Protection?
We Must Think Smartly

5. The Most Famous Attacks in the
World
5

6.  Eavesdropping
 Data Modifications
 Identify Spoofing (IP Address Spoofing)
 Password-Based Attacks
 Denial of Services
 Man in the Middle
 Compromised-key Attack
 Application-Layer Attack
6

7. In general, the majority of network communications occur
in an unsecured or "clear text" format, which allows an
attacker who has gained access to data paths in your
network to "listen in" or interpret (read) the traffic. When an
attacker is eavesdropping on your communications, it is
referred to as sniffing or snooping. The ability of an
eavesdropper to monitor the network is generally the
biggest security problem that administrators face in an
enterprise. Without strong encryption services that are
based on cryptography, your data can be read by others as
it traverses the network.
7Eavesdropping

8. After an attacker has read your data, the next logical step is
to alter it. An attacker can modify the data in the packet
without the knowledge of the sender or receiver. Even if you
do not require confidentiality for all communications, you
do not want any of your messages to be modified in transit.
For example, if you are exchanging purchase requisitions,
you do not want the items, amounts, or billing information
to be modified.
8Data Modifications

9.  Most networks and operating systems use the IP address
of a computer to identify a valid entity. In certain cases, it
is possible for an IP address to be falsely assumed
identity spoofing. An attacker might also use special
programs to construct IP packets that appear to originate
from valid addresses inside the corporate intranet.
 After gaining access to the network with a valid IP
address, the attacker can modify, reroute, or delete your
data. The attacker can also conduct other types of
attacks, as described in the following sections.
9Identify Spoofing (IP Address Spoofing)

10. A common denominator of most operating system and network
security plans is password-based access control. This means your
access rights to a computer and network resources are
determined by who you are, that is, your user name and your
password.
Older applications do not always protect identity information as
it is passed through the network for validation. This might allow
an eavesdropper to gain access to the network by posing as a
valid user.
When an attacker finds a valid user account, the attacker has the
same rights as the real user. Therefore, if the user has
administrator-level rights, the attacker also can create accounts
for subsequent access at a later time.
10Password-Based Attacks

11.  Obtain lists of valid user and computer names and
network information.
 Modify server and network configurations, including
access controls and routing tables.
 Modify, reroute, or delete your data.
11What Happen After Password
Attack?

12. Imagine you're sitting in traffic on a one-lane country road,
with cars backed up as far as the eye can see. Normally this
road never sees more than a car or two, but a county fair
and a major sporting event have ended around the same
time, and this road is the only way for visitors to leave town.
The road can't handle the massive amount of traffic, and as
a result it gets so backed up that pretty much no one can
leave.
12
Denial-of-Service Attack

13. 13

14. Heavy Network Bandwidth Traffic
14

15. What Happen in DoS Attack?
That's essentially what happens to a website during a denial
of service (DoS) attack. If you flood a website with more
traffic than it was built to handle, you'll overload the
website's server and it'll be nigh-impossible for the website
to serve up its content to visitors who are trying to access it.
15

16. 16
Attacker
Users
Target
Users
Users
DDoS Attack

17. As the name indicates, a man-in-the-middle attack occurs
when someone between you and the person with whom
you are communicating is actively monitoring, capturing,
and controlling your communication transparently. For
example, the attacker can re-route a data exchange. When
computers are communicating at low levels of the network
layer, the computers might not be able to determine with
whom they are exchanging data.
17
Man-in-the-Middle Attack

18. 18
Original Connection
New Connection
Man in the Middle,
Phisher or
anonymous proxy

19. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-
intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a
secured communication without the sender or receiver being
aware of the attack. With the compromised key, the attacker can
decrypt or modify data, and try to use the compromised key to
compute additional keys, which might allow the attacker access
to other secured communications.
19

20. Sniffer Attack
A sniffer is an application or device that can read, monitor, and
capture network data exchanges and read network packets. If
the packets are not encrypted, a sniffer provides a full view of
the data inside the packet. Even encapsulated (tunneled) packets
can be broken open and read unless they are encrypted and the
attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
 Analyze your network and gain information to eventually
cause your network to crash or to become corrupted.
 Read your communications.
20

21. Application-Layer Attack
An application-layer attack targets application servers by deliberately causing
a fault in a server's operating system or applications. This results in the
attacker gaining the ability to bypass normal access controls. The attacker
takes advantage of this situation, gaining control of your application, system,
or network, and can do any of the following:
 Read, add, delete, or modify your data or operating system.
 Introduce a virus program that uses your computers and software
applications to copy viruses throughout your network.
 Introduce a sniffer program to analyze your network and gain information
that can eventually be used to crash or to corrupt your systems and
network.
 Abnormally terminate your data applications or operating systems.
 Disable other security controls to enable future attacks.
21

22. But it is not sufficient !
Many Attacks does not
have any Structured
Mechanism!
22

23. Advanced Attacks
 Very Complex
 Very Resistant
 Very Targeted
Zero-Day
Attacks
23

24. What is Zero-Day Attack?
24
A zero-day vulnerability, at its core, is a flaw. It is an
unknown exploit in the wild that exposes a vulnerability
in software or hardware and can create complicated
problems well before anyone realizes something is
wrong. In fact, a zero-day exploit leaves NO opportunity
for detection ... at first.

25. Attack Procedures
Detecting
Incursion
Discovery
Capture
Exfiltration
25

26. Most Complex Attack in the World
A Zero-Day Attack !
26

27. 27
Anomaly Traffic

28. What is Anomaly Traffic detection?
28
 Independent detection from Rules or Signatures
 Approach to network security threat detection
 Complementary technologies to detect Security threats
based on packet signatures
 Continuous monitoring unusual traffic and events
 In data mining, anomaly detection is the identification
items, events or observation witch do not confirm to an
expected patterns

29. Security Operation Center
29

30. What is SOC ?
 Operates 24x7 from central offsite location
 Complete and proactive in response to security incidents
 Predict the security attacks and minimize the impact
 Implement security policy across the enterprise
 Reduce cost of security supports by providing centralized
support
 SOC delivered:
 Incident management
 Governance risk compliance
 Monitoring and management of device/Events
 Implement security policies
30

31. How a SOC Works
Rather than being focused on developing security strategy,
designing security architecture, or implementing protective
measures, the SOC team is responsible for the ongoing,
operational component of enterprise information security.
Security operations center staff is comprised primarily of
security analysts who work together to detect, analyze,
respond to, report on, and prevent cybersecurity incidents.
Additional capabilities of some SOCs can include advanced
forensic analysis, cryptanalysis, and malware reverse
engineering to analyze incidents.
31

32. First Step !
The first step in establishing an organization’s SOC is to clearly define
a strategy that incorporates business-specific goals from various
departments as well as input and support from executives. Once the
strategy has been developed, the infrastructure required to support
that strategy must be implemented. According to best practices,
typical SOC infrastructure includes firewalls, IPS/IDS, breach detection
solutions, probes, and a security information and event management
(SIEM) system. Technology should be in place to collect data via data
flows, telemetry, packet capture, syslog, and other methods so that
data activity can be correlated and analyzed by SOC staff. The security
operations center also monitors networks and endpoints for
vulnerabilities in order to protect sensitive data and comply with
industry or government regulations.
32

33. The Benefits of Having SOC
 Improvement of security incident response
 24/7 service monitoring gives organizations an advantage
to defend against incidents and intrusions regardless of
source, time of day, or attack types
 The gap between attackers’ time to compromise and
enterprises’ time to detection is well documented in
Verizon’s annual Data Breach investigation reports and
having a security operations center helps organizations
close that gap and stay on top of the threats facing their
environments
33

34. The Best Practices of SOC
 Focus on human resources rather than technological
resources
 Continued recognition of threats
 Human analysis
 Update the latest threats and use it to defend
 Awareness of the vulnerability within the organization
and its relationship with external threats
34

35. Key features of SOC
35
Process
People
Technology

36. Process and Procedures
36

37. SOC
Processes
Analytic al
proc esses
Operational
Processes
Tec hnologic al
Processes
Business
Processes
Intrusion
Analytical
Process
Training Process
Subtle Event
Process
Event
Management
Process
Daily Operation
Process
Reporting
Process
Design Process
Configuration
Management
System
Administration
Metric Process
Process
Improvement
Process
Business
Continuity
Process
37

38. Process and Escalation in SOC
38
Level 1 Level 2
Engineer
Network
And System Owners
Correlation
Engine
1
2
3 4
5
6
Escalation
Case Closed
Process
People
Technology
Incident
Handler

39. Simple SOC triage
39

40. Detailed SOC triage 40
Identify host
& Incident
Information
Event
(Hack,
Malware)
Troubleshoot
& Resolve
Analyzer
L1
Analyzer
L2
NO
Identify host
& Incident
Information
Resolve
Incident
Senior
Engineer
NO
Resolve
Incident
YES
YES
NO
SOC
Manager
Start
End
Escalation
Escalation
CSIRT&
Forensics
YES
Report
Update
Knowledge Base
Ticket
YES
Action
Group
(NOC,
Software
Dept., )
Escalation
Resolve
Incident
NO
Document,
Update
&
Notification
In
Knowledge
Base

41. People 41

42. People Skills 724
 Forensic Knowledge
 Proficiency in coding, scripting and protocols
 Managing threat intelligence
 Penetration testing knowledge
 Data analysts
 Minimum 2 years experience in monitoring and incident management
 Experience reviewing and analyzing network packets capture
 Experience Performing security/Vulnerability reviews of network environments
 Possess a comprehensive understanding of the TCP/IP protocol, security
architecture and remote access security techniques/products
 Strong research background, utilizing and analytical approach
 Highly motivated individual with the ability to self-start, prioritize, multi-task and
work in a team setting
42

43. SOC People Skills
Most Wanted Skills
Skills Windows Linux
Scripting /
Writing
C/Java/
Python
Pen Testing
Packet
Analysis
Forensics Networking SIEM
Level 1 L L L L L
Level 2 M L L L L M M M M
Level 3 H H M M M H H H H
Low=L , Medium=M , High=H
43

44. SOC Manager
Senior SOC
Engineer (Tier 3)
Tier 2 AnalystTier 2 Analyst
Tier 1 Operator Tier 1 OperatorTier 1 OperatorTier 1 Operator Tier 1 Operator
SOC Chart
44

45. SOC Manager Roles
 Leadership to take all stakeholders together
 Stitch the solutions from different teams and drive it to
conclusion
 Understand security posture and able to guide the team
 Good communication skills
 Verification about knowledge base update
 Escalation tasks and tickets to CIERT
45

46. Senior SOC Engineer (Tier 3) Roles
 Forensic Analytics action
 Investigation intrusion attempts and perform in-depth analysis of exploits
 Task assigning to other operators with SOC manager confirmation
 Design and implementing the all use cases
 Provide information regarding intrusion events, security incidents, and
other threat indications and warning information
 Training
 SOC Tools Administration
46

47. Tier 2 Analyst Roles
 Searching and Investigation incident triggered
 Update knowledge base
 Escalation all Non-Solved incident
 Analyzing incidents with correlation
 Set the priority of assets
 Creation the scheduler task for back up
 Making back up planning
 Analyzing in raw logs and
 Researching and development (R&D) Continuously
47

48. Tier 1 Operators Roles
 Deep analyzing any raw channel and reports
 Investigating on correlated events
 Escalating any Non-resolved incident
 Making analysis dashboards immediately
 Making analysis reports immediately
 Monitoring Continuously queued incidents and raw events
 Supervision on all tools health
 Researching and development
 Self-study and make own up to date in security investigation knowledge
 Ticket creating for any incident analysis (for knowledge base updating or
escalation)
48

49. Technology
49

50. SIEM
Security Information and Event Management provide
real-time analysis of security alerts generated by
applications and network hardware.
Vendors sell SIEM as software, as appliances or as
managed services; these products are also used to log
security data and generate reports for compliance
purposes.
50

51. Most SIEMs in the world
51
• Qradar
• Splunk
• LogRythm
• McAfee
• ArcSight

52. We Peruse ArcSight and Splunk in this
Course
52

53. ArcSight
53
Micro Focus ArcSight is a cyber security company founded in
2000 that provides big data security analytics and intelligence
software for SIEM and log management solutions. ArcSight is
designed to help customers identify and prioritize security
threats, organize and track incident response activities, and
simplify audit and compliance activities. It became a subsidiary
of Hewlett-Packard in 2010. It was merged with Micro Focus on
September 1, 2017. ArcSight is headquartered in Sunnyvale,
California USA, with sales offices in other countries.

54. Splunk
54
Splunk is an American multinational corporation based in San Francisco,
California, that produces software for searching, monitoring, and analyzing
machine-generated big-data, via a Web-style interface. Splunk (the product)
captures, indexes, and correlates real-time data in a searchable repository
from which it can generate graphs, reports, alerts, dashboards, and
visualizations. Splunk's mission is to make machine data accessible across an
organization by identifying data patterns, providing metrics, diagnosing
problems, and providing intelligence for business operations. Splunk is
a horizontal technology used for application management ,
security and compliance, as well as business and Web analytics. As of early
2016, Splunk has over 10,000 customers worldwide.Splunk is based in San
Francisco, with regional operations across Europe, the Middle East, Africa,
Asia, and Australia

55. Data Security and Monitoring
 Data Asset Classification
 Data Collection
 Data Normalization
 Data Protection
 Data Distribution
55

56. Event Management
 Event Correlation
 Identification
 Triage
 Roles
 Notification
 Ticketing
 Forensics
56

57. Incident Response
 Security Incident Reporting
 Security Incident Monitoring
 Security Incident Escalation
 Forensics and Root Cause Analysis
 Return to Normal Operations
 Post-Incident Planning
 Communication Guidelines
 CERT Integration
57

58. SOC Operating Guidelines
 SOC Workflow
 Personnel Shift Distribution
 Shift Reporting
 Shift Change
 SOC Monitoring Suite
 SOC Reporting Structure
 Organizational Chart
58

59. Escalation Management
 Escalation Procedures
 Pre-Escalation Tasks
 IT Security
 Network Operation Center
 Security Engineering
 CERT Integration
 Law Enforcement
 3rd Party Service Provider and Vendors
59

60. Data Recovery Procedures
 Disaster Recovery
 Recovery Time Objective
 High Availability
 Backup Planning
60

61. Security Incident Procedures
 Email Phishing
 Virus and Worm Infection
 Anti-Virus Management incident
 Netflow Abnormal Behavior Incident
 Network Behavior Analysis Incident
 Distributed Denial of Service Incident
 Host Compromise Web Application Security Incident
 Network Compromise
 Domain Hijack or DNS Cache Poisoning
 Suspicious User Activity
 Unauthorized User Access
61

62. Vulnerability and Patch Management
 Vulnerability Research
 Patch Management
 Identifications
 Compliance Monitoring
 Network Configuration Base Line
 Anti-Virus Signature Management
 Microsoft and Linux Updates
62

63. SOC Technical SIEM Topologies
63

64. 64

65. ArcSight
Topologies
(1)
65

66. ArcSight
Topologies
(2)
66

67. ArcSight
Topologies
(3)
67

68. Common Event Format (CEF)
 Sample Raw Log :
Sep 19 08:26:10 host security threatmanager 100 worm successfully stopped
10 src=10.0.0.1 dst=2.1.2.2 spt=1232
 Sample CEF syslog :
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully
stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
68

69. Time Stamp Formats
 2. MMM dd HH:mm:ss
 3. MMM dd HH:mm:ss.SSS zzz
 4. MMM dd HH:mm:ss.SSS
 5. MMM dd HH:mm:ss zzz
 6. MMM dd yyyy HH:mm:ss
 7. MMM dd yyyy HH:mm:ss.SSS zzz
 8. MMM dd yyyy HH:mm:ss.SSS
 9. MMM dd yyyy HH:mm:ss zzz
69

70. Network Monitoring and Investigation
Network Operation Center
Report
DNS Usage Threshold Raising
Find an IP Address Maximum Request
lookup in DNS
Report of All Traffic
Usage of IP Address
Maximum Login Failed in DB is
for This IP Address
Getting a specific
query generated from
this IP Address Finding 3 IP Address has
been generated this
specific query
After that finding the
.exe file executed in
the time
70

71. Correlation
71

72. John
John`s PC
Working Time:
8:00 AM– 17:00 PM
Shutting Down PC in
17:00 PM
1
Microsoft Event Viewer
Generating (Stopping
Services , Logout John ,
Shutdown Windows ) at
17:00 PM
Corre
Engine
Record the exit
on Access
Control Device
2
Exit log
Generated at
17:05 PM
endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
1: 17:00 | Stop Service | John | 1.1.1.1 | /Operation Systems | /Success | High | Stop the explorer Service
2: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control
72

73. David
John`s PC
Working Time :
17:00 PM – 08:00 AM
Turn on John`s PC
by David !
4
Microsoft Event Viewer
Generating (Log on John`s
PC, Start Services)
at 18:00 PM
Corre
Engine
Record the
Entering David in
Access Control at
17:00 PM
3
Entering log
Generated at
17:00 PM
endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
4: 18:00 | Turn on PC | John | 1.1.1.1 | /Operation Systems | /Success | Medium | Start Windows
3: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control
73

74. Corre Engine
Conditions in Correlation Rule:
If{
AND( sourceAddress=“1.1.1.1”, categoryBehavior=”/Authentication/
Verify”, categoryOutcome=“/Success”, NOT(endTime Between “08:00
AM-17:00PM”))
}
Then{
Action=“Anomaly User Activity Correlated”, “send Notification to
“John@Company.co”
}
5: 18:05 |Anomaly User Behavior | ArcSight | 1.1.1.1 |/Found|/Attempt |Very High |Unauthorized User Login
74

75. SOC Tools and Sensors
 FIM (File Integrity Management)
 SCM (Security Change Management)
 Vulnerability Assessment
 Patch Management
 Ticketing
 Dashboards
 NTP Server
75

76. 76

77. SCM – HIDS – FIM Roles
 File systems changes
 All directories contains files changes
 Microsoft windows registry changes
 Service status changes
 Policy changes (GPOs , Compliances)
 User activities
 Compliance Reports and Remediation
77

78. Vulnerability Assessment
 Identifying vulnerabilities
 Quantifying vulnerabilities
 Priorities vulnerabilities
 Cataloging assets and capabilities
 Risk analyzing
78

79. Lab
 The Structures of a Log Managements
 Famous features in Log Managements
 Data Gathering Methodologies
 Search and Query in Log Managements
 Reports and Dashboards
 Simple Scenarios (User Behavior Analysis)
79