Security Operation Center
Fundamental Course

By: Amir Zargaran
September 2017

Who Am I?

Amir Zargaran (LPIC-2, ITIL v3, Splunk Power User, ACSA)
Cyber Security Consultant and Instructor

- Design and implementation of enterprise SOCs
- Administrator and analyst of ArcSight ESM
- Power User of Splunk
- Network security and Linux sysadmin

Zargaran@mail.com
https://www.linkedin.com/in/amirzargar
+98 9129355339

Agenda

Day 1
• Introduction
• The Most Famous Attacks and the Ways of Confronting Them
• What is a Security Operations Center
Day 2
• Key Features and Modules
• Processes and Procedures
• People
Day 3
• Technology
• Network Monitoring and Investigations
• Correlation
• Lab

Introduction

Why Are We Here?
What is Data Protection?
We Must Think Smartly

The Most Famous Attacks in the World

• Eavesdropping
• Data Modification
• Identity Spoofing (IP Address Spoofing)
• Password-Based Attacks
• Denial of Service
• Man in the Middle
• Compromised-Key Attack
• Application-Layer Attack

Eavesdropping

In general, the majority of network communications occur in an unsecured or "clear text" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

Identity Spoofing (IP Address Spoofing)

• Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed (identity spoofing). An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.
• After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.

Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.

What Happens After a Password Attack?

• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and routing tables.
• Modify, reroute, or delete your data.

Denial-of-Service Attack

Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the eye can see. Normally this road never sees more than a car or two, but a county fair and a major sporting event have ended around the same time, and this road is the only way for visitors to leave town. The road can't handle the massive amount of traffic, and as a result it gets so backed up that pretty much no one can leave.

[Figure: Heavy Network Bandwidth Traffic]

What Happens in a DoS Attack?

That's essentially what happens to a website during a denial of service (DoS) attack. If you flood a website with more traffic than it was built to handle, you'll overload the website's server and it'll be nigh-impossible for the website to serve up its content to visitors who are trying to access it.

[Diagram: DDoS attack: Attacker -> Users -> Target]

Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.

[Diagram: Original Connection vs. New Connection routed through a Man in the Middle, Phisher or anonymous proxy]

Compromised-Key Attack

A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
• Read your communications.

Application-Layer Attack

An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:
• Read, add, delete, or modify your data or operating system.
• Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
• Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.
• Abnormally terminate your data applications or operating systems.
• Disable other security controls to enable future attacks.

But It Is Not Sufficient!

Many attacks do not have any structured mechanism!

Zero-Day Attacks
• Advanced Attacks
• Very Complex
• Very Resistant
• Very Targeted

What is a Zero-Day Attack?

A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection ... at first.

Attack Procedures

• Detecting
• Incursion
• Discovery
• Capture
• Exfiltration

Most Complex Attack in the World: A Zero-Day Attack!

Anomaly Traffic

What is Anomaly Traffic Detection?

• Detection that is independent of rules or signatures
• An approach to network security threat detection
• A technology complementary to threat detection based on packet signatures
• Continuous monitoring of unusual traffic and events
• In data mining, anomaly detection is the identification of items, events or observations which do not conform to an expected pattern

Security Operation Center

What is a SOC?

• Operates 24x7 from a central offsite location
• Complete and proactive response to security incidents
• Predicts security attacks and minimizes their impact
• Implements security policy across the enterprise
• Reduces the cost of security support by providing centralized support
• SOC deliverables:
  • Incident management
  • Governance, risk and compliance
  • Monitoring and management of devices/events
  • Implementation of security policies

How a SOC Works

Rather than being focused on developing security strategy, designing security architecture, or implementing protective measures, the SOC team is responsible for the ongoing, operational component of enterprise information security. Security operations center staff consists primarily of security analysts who work together to detect, analyze, respond to, report on, and prevent cybersecurity incidents. Additional capabilities of some SOCs can include advanced forensic analysis, cryptanalysis, and malware reverse engineering to analyze incidents.

First Step!

The first step in establishing an organization's SOC is to clearly define a strategy that incorporates business-specific goals from various departments as well as input and support from executives. Once the strategy has been developed, the infrastructure required to support that strategy must be implemented. According to best practices, typical SOC infrastructure includes firewalls, IPS/IDS, breach detection solutions, probes, and a security information and event management (SIEM) system. Technology should be in place to collect data via data flows, telemetry, packet capture, syslog, and other methods so that data activity can be correlated and analyzed by SOC staff. The security operations center also monitors networks and endpoints for vulnerabilities in order to protect sensitive data and comply with industry or government regulations.

The Benefits of Having a SOC

• Improvement of security incident response
• 24/7 service monitoring gives organizations an advantage in defending against incidents and intrusions regardless of source, time of day, or attack type
• The gap between attackers' time to compromise and enterprises' time to detection is well documented in Verizon's annual Data Breach Investigations Reports, and having a security operations center helps organizations close that gap and stay on top of the threats facing their environments

The Best Practices of a SOC

• Focus on human resources rather than technological resources
• Continued recognition of threats
• Human analysis
• Keep up to date with the latest threats and use that knowledge to defend
• Awareness of the vulnerabilities within the organization and their relationship with external threats

Key Features of a SOC

• Technology
• Process
• People

Process and Procedures

SOC Processes

Analytical Processes:
• Analytical Process
• Training Process
• Subtle Event Process

Operational Processes:
• Intrusion Event Management Process
• Daily Operation Process
• Reporting Process

Technological Processes:
• Design Process
• Configuration Management Process
• System Administration Process

Business Processes:
• Metric Process
• Improvement Process
• Business Continuity Process

Process and Escalation in SOC

[Diagram: numbered escalation flow among the Correlation Engine, the Level 1 Incident Handler, the Level 2 Engineer, the Network and System Owners, and Case Closed, framed by Process, Technology and People]

Simple SOC Triage / Detailed SOC Triage

Start: an event (hack, malware) is detected.
1. Analyzer L1: identify the host and incident information; troubleshoot and resolve.
   Resolved? YES: update the knowledge base. NO: escalate.
2. Analyzer L2: identify the host and incident information; resolve the incident.
   Resolved? YES: update the knowledge base. NO: escalate.
3. Senior Engineer: resolve the incident.
   Resolved? YES: update the knowledge base. NO: ticket escalation.
4. SOC Manager: resolve the incident.
   Resolved? YES: document, update and notify in the knowledge base.
   NO: hand over to the Action Group (NOC, Software Dept., CSIRT & Forensics), then document, update and notify in the knowledge base.
End.

People

24x7 People Skills

• Forensic knowledge
• Proficiency in coding, scripting and protocols
• Managing threat intelligence
• Penetration testing knowledge
• Data analysis
• Minimum 2 years' experience in monitoring and incident management
• Experience reviewing and analyzing network packet captures
• Experience performing security/vulnerability reviews of network environments
• A comprehensive understanding of the TCP/IP protocol, security architecture and remote access security techniques/products
• Strong research background, utilizing an analytical approach
• Highly motivated individual with the ability to self-start, prioritize, multi-task and work in a team setting

SOC People Skills

Most Wanted Skills

Skills  | Scripting/Writing | C/Java/Python | Packet Analysis | Windows | Linux | Pen Testing | Forensics | Networking | SIEM
Level 1 | L L L L L (five Low ratings; the remaining cells are blank in the source)
Level 2 | M | L | L | L | L | M | M | M | M
Level 3 | H | H | M | M | M | H | H | H | H

Low=L, Medium=M, High=H

SOC Chart

SOC Manager
  Senior SOC Engineer (Tier 3)
    Tier 2 Analyst, Tier 2 Analyst
      Tier 1 Operator (five positions)

SOC Manager Roles

• Leadership that brings all stakeholders together
• Stitch together the solutions from different teams and drive them to conclusion
• Understand the security posture and be able to guide the team
• Good communication skills
• Verification of knowledge base updates
• Escalation of tasks and tickets to the CSIRT

Senior SOC Engineer (Tier 3) Roles

• Forensic analysis actions
• Investigating intrusion attempts and performing in-depth analysis of exploits
• Assigning tasks to other operators, with SOC manager confirmation
• Designing and implementing all use cases
• Providing information regarding intrusion events, security incidents, and other threat indications and warning information
• Training
• SOC tools administration

Tier 2 Analyst Roles

• Searching and investigating triggered incidents
• Updating the knowledge base
• Escalating all unresolved incidents
• Analyzing incidents with correlation
• Setting the priority of assets
• Creating the scheduled task for backup
• Making the backup plan
• Analyzing raw logs
• Continuous research and development (R&D)

Tier 1 Operator Roles

• Deep analysis of any raw channel and reports
• Investigating correlated events
• Escalating any unresolved incident
• Making analysis dashboards immediately
• Making analysis reports immediately
• Continuously monitoring queued incidents and raw events
• Supervising the health of all tools
• Research and development
• Self-study to keep one's own security investigation knowledge up to date
• Creating a ticket for any incident analysis (for knowledge base updating or escalation)

Technology

SIEM

Security Information and Event Management provides real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.

Top SIEMs in the World

• QRadar
• Splunk
• LogRhythm
• McAfee
• ArcSight

We focus on ArcSight and Splunk in this course.

ArcSight

Micro Focus ArcSight is a cyber security company founded in 2000 that provides big data security analytics and intelligence software for SIEM and log management solutions. ArcSight is designed to help customers identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. It became a subsidiary of Hewlett-Packard in 2010. It was merged with Micro Focus on September 1, 2017. ArcSight is headquartered in Sunnyvale, California, USA, with sales offices in other countries.

Splunk

Splunk is an American multinational corporation based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated big data via a Web-style interface. Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk's mission is to make machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and Web analytics. As of early 2016, Splunk has over 10,000 customers worldwide. Splunk is based in San Francisco, with regional operations across Europe, the Middle East, Africa, Asia, and Australia.

Data Security and Monitoring

• Data Asset Classification
• Data Collection
• Data Normalization
• Data Protection
• Data Distribution

Event Management

• Event Correlation
• Identification
• Triage
• Roles
• Notification
• Ticketing
• Forensics

Incident Response

• Security Incident Reporting
• Security Incident Monitoring
• Security Incident Escalation
• Forensics and Root Cause Analysis
• Return to Normal Operations
• Post-Incident Planning
• Communication Guidelines
• CERT Integration

SOC Operating Guidelines

• SOC Workflow
• Personnel Shift Distribution
• Shift Reporting
• Shift Change
• SOC Monitoring Suite
• SOC Reporting Structure
• Organizational Chart

Escalation Management

• Escalation Procedures
• Pre-Escalation Tasks
• IT Security
• Network Operation Center
• Security Engineering
• CERT Integration
• Law Enforcement
• 3rd Party Service Providers and Vendors

Data Recovery Procedures

• Disaster Recovery
• Recovery Time Objective
• High Availability
• Backup Planning

Security Incident Procedures

• Email Phishing
• Virus and Worm Infection
• Anti-Virus Management Incident
• Netflow Abnormal Behavior Incident
• Network Behavior Analysis Incident
• Distributed Denial of Service Incident
• Host Compromise
• Web Application Security Incident
• Network Compromise
• Domain Hijack or DNS Cache Poisoning
• Suspicious User Activity
• Unauthorized User Access

Vulnerability and Patch Management

• Vulnerability Research
• Patch Management
• Identification
• Compliance Monitoring
• Network Configuration Baseline
• Anti-Virus Signature Management
• Microsoft and Linux Updates

SOC Technical SIEM Topologies

[Figure: ArcSight Topologies (1)]
[Figure: ArcSight Topologies (2)]
[Figure: ArcSight Topologies (3)]

Common Event Format (CEF)

• Sample raw log:

    Sep 19 08:26:10 host security threatmanager 100 worm successfully stopped 10 src=10.0.0.1 dst=2.1.2.2 spt=1232

• Sample CEF syslog:

    Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
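The CEF line above has a fixed header of seven pipe-delimited fields followed by free-form key=value extensions, and a connector has to honour the escaping rules (`\|` inside a header field, `\=` inside an extension value) rather than splitting blindly. The parser below is an added example, not code from the slides or from ArcSight; the field names are the standard CEF header names, and the sample line is the slide's own.

```python
import re
from datetime import datetime

# Constructed sample: the slide's "Sample CEF syslog" line.
SAMPLE_CEF = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
              "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232")

# The seven pipe-delimited header fields, in CEF order.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Syslog prefix in the slide's "MMM dd HH:mm:ss" form (no year), then host, then the CEF body.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) CEF:(?P<body>.*)$")

def _unescape(value):
    # CEF escapes '|' and '\' in the header, '=' and '\' in extensions; \n and \r encode line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def split_cef_header(body):
    """Return the seven header fields and the remaining extension string.
    A plain split('|') would break on an escaped pipe inside e.g. the name field."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep the escape pair; _unescape resolves it per field
            i += 2
            continue
        if ch == "|":
            fields.append(_unescape("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    return fields, body[i:]

def parse_extensions(ext):
    """Parse 'key=value key=value ...'; values may contain spaces and escaped '\\='."""
    result = {}
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):   # split only before the next key=
        key, sep, value = token.partition("=")
        if sep:
            result[key] = _unescape(value)
    return result

def parse_cef_syslog(line):
    """Parse one syslog line carrying a CEF message into a flat dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    fields, ext = split_cef_header(m.group("body"))
    event = dict(zip(HEADER_FIELDS, fields))
    # The sample uses the numeric 0-10 scale; some devices send Low/Medium/High/Very-High instead.
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["host"] = m.group("host")
    # This timestamp format carries no year, so strptime fills in 1900; a collector must supply it.
    event["timestamp"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    event["extensions"] = parse_extensions(ext)
    return event
```

Running `parse_cef_syslog(SAMPLE_CEF)` yields vendor `security`, product `threatmanager`, signature id `100`, severity `10` and the three extension keys, which is exactly the structure a SIEM normalizes into its schema.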

Time Stamp Formats

2. MMM dd HH:mm:ss
3. MMM dd HH:mm:ss.SSS zzz
4. MMM dd HH:mm:ss.SSS
5. MMM dd HH:mm:ss zzz
6. MMM dd yyyy HH:mm:ss
7. MMM dd yyyy HH:mm:ss.SSS zzz
8. MMM dd yyyy HH:mm:ss.SSS
9. MMM dd yyyy HH:mm:ss zzz

Network Monitoring and Investigation

Network Operation Center Report: DNS Usage Threshold Raising

Investigation steps (from the flowchart):
• Report of all traffic usage per IP address
• Maximum login failures in the DB: find the IP address
• Maximum requests for this IP address: look it up in DNS
• Get the specific query generated from this IP address
• Find that 3 IP addresses have been generating this specific query
• After that, find the .exe file executed at that time

Correlation

Working Time: 8:00 AM – 17:00 PM

Step 1: John shuts down his PC at 17:00 PM. Microsoft Event Viewer generates logs (Stopping Services, Logout John, Shutdown Windows) at 17:00 PM.
Step 2: John's exit log is generated at 17:05 PM; the access control device records the exit.

Events received by the correlation engine:

endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
1: 17:00 | Stop Service | John | 1.1.1.1 | /Operation Systems | /Success | High | Stop the explorer Service
2: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control

Time window: 17:00 PM – 08:00 AM (outside working time)

Step 3: The access control device records David entering at 17:00 PM (entering log generated at 17:00 PM).
Step 4: David turns on John's PC! Microsoft Event Viewer generates logs (Log on John's PC, Start Services) at 18:00 PM.

Events received by the correlation engine:

endTime | name | sourceUserName | sourceAddress | categoryBehavior | categoryOutcome | deviceSeverity | Message
4: 18:00 | Turn on PC | John | 1.1.1.1 | /Operation Systems | /Success | Medium | Start Windows
3: 17:05 | Exit Normaly | John | accessControl IP Addr | /Access/Device | /Success | Low | Exit John from Access Control

Conditions in the Correlation Rule:

If {
    AND( sourceAddress = "1.1.1.1",
         categoryBehavior = "/Authentication/Verify",
         categoryOutcome = "/Success",
         NOT( endTime Between "08:00 AM-17:00 PM" ) )
}
Then {
    Action = "Anomaly User Activity Correlated",
    send Notification to "John@Company.co"
}

Correlated event generated by the correlation engine:

5: 18:05 | Anomaly User Behavior | ArcSight | 1.1.1.1 | /Found | /Attempt | Very High | Unauthorized User Login
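The rule above is a stateless AND over four conditions, the last of which negates a working-hours window; the Python below is an added example of evaluating it over events shaped like the slide's table, not ArcSight code. The events are constructed from the scenario (a date is added so endTime can be parsed, the access control address is invented, and the step 4 logon is given the /Authentication/Verify category the rule tests for), and the correlated event is shaped like slide row 5.

```python
from datetime import datetime, time

# Constructed events modelled on the slide's scenario; field names follow the slide's table
# (endTime, name, sourceUserName, sourceAddress, categoryBehavior, categoryOutcome,
# deviceSeverity, Message). A date is added so endTime can be parsed.
EVENTS = [
    {"endTime": "2017-09-19 17:00", "name": "Stop Service", "sourceUserName": "John",
     "sourceAddress": "1.1.1.1", "categoryBehavior": "/Operation Systems",
     "categoryOutcome": "/Success", "deviceSeverity": "High",
     "Message": "Stop the explorer Service"},
    {"endTime": "2017-09-19 17:05", "name": "Exit Normaly", "sourceUserName": "John",
     "sourceAddress": "10.10.10.10",   # constructed stand-in for "accessControl IP Addr"
     "categoryBehavior": "/Access/Device", "categoryOutcome": "/Success",
     "deviceSeverity": "Low", "Message": "Exit John from Access Control"},
    # Step 4 of the scenario: a successful logon on John's PC after working hours, constructed
    # to carry the /Authentication/Verify category that the rule tests for.
    {"endTime": "2017-09-19 18:00", "name": "Turn on PC", "sourceUserName": "John",
     "sourceAddress": "1.1.1.1", "categoryBehavior": "/Authentication/Verify",
     "categoryOutcome": "/Success", "deviceSeverity": "Medium", "Message": "Start Windows"},
]

WORK_START, WORK_END = time(8, 0), time(17, 0)   # the slide's working time: 8:00 AM to 17:00

def in_working_hours(ts):
    """True when the event time lies inside the 08:00-17:00 window (inclusive)."""
    return WORK_START <= ts.time() <= WORK_END

def rule_matches(event, watched_address="1.1.1.1"):
    """The slide's condition: AND(sourceAddress, categoryBehavior, categoryOutcome,
    NOT(endTime between 08:00 AM and 17:00 PM))."""
    ts = datetime.strptime(event["endTime"], "%Y-%m-%d %H:%M")
    return (event["sourceAddress"] == watched_address
            and event["categoryBehavior"] == "/Authentication/Verify"
            and event["categoryOutcome"] == "/Success"
            and not in_working_hours(ts))

def correlate(events, notify="John@Company.co"):
    """Run the rule over a batch of events.
    Returns the correlated events the engine would emit (shaped like slide row 5, with the
    triggering base event attached) and the notifications it would send."""
    correlated, notifications = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        correlated.append({
            "endTime": ev["endTime"], "name": "Anomaly User Behavior",
            "sourceUserName": "ArcSight", "sourceAddress": ev["sourceAddress"],
            "categoryBehavior": "/Found", "categoryOutcome": "/Attempt",
            "deviceSeverity": "Very High", "Message": "Unauthorized User Login",
            "baseEvent": ev,   # keep the raw event so the analyst can pivot back to it
        })
        notifications.append((notify, "Anomaly User Activity Correlated: "
                              f"{ev['sourceUserName']} logon from {ev['sourceAddress']} "
                              f"at {ev['endTime']}"))
    return correlated, notifications
```

Only the 18:00 logon fires; the same logon at 09:30 would be silent, which is the point of anchoring the rule on the working-hours window rather than on the logon alone.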

SOC Tools and Sensors

• FIM (File Integrity Management)
• SCM (Security Change Management)
• Vulnerability Assessment
• Patch Management
• Ticketing
• Dashboards
• NTP Server

SCM – HIDS – FIM Roles

• File system changes
• Changes to the files in all monitored directories
• Microsoft Windows registry changes
• Service status changes
• Policy changes (GPOs, compliance)
• User activities
• Compliance reports and remediation

Vulnerability Assessment

• Identifying vulnerabilities
• Quantifying vulnerabilities
• Prioritizing vulnerabilities
• Cataloging assets and capabilities
• Risk analysis

Lab

• The structure of a log management system
• Common features of log management systems
• Data gathering methodologies
• Search and query in log management systems
• Reports and dashboards
• Simple scenarios (User Behavior Analysis)