SOC Analyst Key Skills Getting Started With BHIS
Transcript of SOC Analyst Key Skills Getting Started With BHIS
Page 1
© Black Hills Information Security | @BHInfoSecurity
Getting Started With BHIS: SOC Analyst Key Skills
John Strand
Page 2
The Right Way
Page 3
SOC “Legos”
Page 4
Server Analysis
Page 5
Key Server Points
• Look at the following:
  • Processes
  • Users
  • Network Connections
  • Open Ports
  • Logs
• How is this different from looking at endpoints?
  • We are looking at all the above as it relates to the server processes!
  • This becomes even more important in the cloud
Page 6
How To Learn This?
Hardening guides…. Yeah… That's it..
R T F M
Page 7
CIS
Page 8
Memory Forensics
Page 9
Volatility
Page 10
Go Learn!
Page 11
Links
https://www.youtube.com/watch?v=HcUMXxyYsnw&ab_channel=JohnStrand
https://www.youtube.com/watch?v=BMFCdAGxVN4&ab_channel=BlackHat
https://www.youtube.com/watch?v=R6ZvEIyS_O4&ab_channel=BlackPerl
Page 12
Egress Traffic Analysis
Page 13
Zeek
• Speed
• Large user base
• Lots of support
• Consistency
  • Timestamps are key
  • Many devices handle timestamps in different/odd ways
• Generates required log files
• We are moving away from signature-based detection
  • Too many ways to obfuscate
  • Encryption, Encoding, use of third-party services like Google DNS
Page 14
Full pcap
• Very portable
  • Everything supports it
• Issues of size
• Encryption can cause issues
• Learning curve
  • Tcpdump and Wireshark are the key tools to learn
• Let's play with it now
Page 15
Security Onion
• Security Onion is free and kicks most commercial tools to the curb
• They offer training
• Zeek, Suricata and so much more are included
• Works with RITA!!!
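The Zeek and Security Onion/RITA slides above point in the same direction: instead of matching signatures, look at timestamps and connection patterns in Zeek's conn.log. The Python below is an added example written for this transcript; it is not code from BHIS, Zeek, Security Onion or RITA. It parses a constructed conn.log (the #fields header and column names follow Zeek's conn.log layout, the rows are made up) and scores every source/destination pair by how regular the gaps between its connections are, which is the core idea behind beacon detection. The 60-second beaconing host, the browsing host and the 10% jitter tolerance are all assumptions chosen for the example.

```python
import statistics
from collections import defaultdict


def _build_sample_log():
    """Constructed Zeek conn.log text (not captured traffic): 10.0.0.5 beacons to
    203.0.113.9 roughly every 60 seconds; 10.0.0.7 talks to 198.51.100.20 irregularly."""
    header = (
        "#separator \\x09\n"
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
        "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
        "\tinterval\tcount\tcount\tstring\n"
    )
    rows = []
    base = 1600000000.0
    # Sub-second jitter around a 60 s beacon interval (assumed, not measured).
    jitter = [0.0, 0.4, -0.3, 0.8, -0.6, 0.2, 0.5, -0.4, 0.1, 0.7, -0.2, 0.3]
    for i, j in enumerate(jitter):
        rows.append(f"{base + 60 * i + j:.3f}\tCb{i}\t10.0.0.5\t{50000 + i}"
                    f"\t203.0.113.9\t443\ttcp\tssl\t0.4\t320\t1200\tSF")
    for i, off in enumerate([0, 3, 40, 41, 300, 900]):
        rows.append(f"{base + off:.3f}\tCn{i}\t10.0.0.7\t{51000 + i}"
                    f"\t198.51.100.20\t443\ttcp\tssl\t2.1\t4096\t65536\tSF")
    return header + "\n".join(rows) + "\n#close\n"


SAMPLE_CONN_LOG = _build_sample_log()


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the names in the #fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #close and other metadata lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of aborting the whole analysis
        rec = dict(zip(fields, values))
        rec["ts"] = float(rec["ts"])  # timestamps are what make this analysis work
        records.append(rec)
    return records


def beacon_candidates(records, min_connections=5, jitter_tolerance=0.10):
    """Rank (orig_h, resp_h) pairs by interval regularity.

    regularity = share of inter-connection gaps that fall within jitter_tolerance
    of the median gap; a value near 1.0 means a metronome-like connection pattern.
    """
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append(rec["ts"])
    results = []
    for (orig, resp), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        if median <= 0:
            continue  # duplicate timestamps; nothing to measure
        regular = sum(1 for iv in intervals if abs(iv - median) / median <= jitter_tolerance)
        results.append({"orig": orig, "resp": resp, "count": len(stamps),
                        "median_interval": median,
                        "regularity": regular / len(intervals)})
    results.sort(key=lambda r: (r["regularity"], r["count"]), reverse=True)
    return results


if __name__ == "__main__":
    for cand in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{cand['orig']} -> {cand['resp']}: {cand['count']} conns, "
              f"median gap {cand['median_interval']:.1f}s, regularity {cand['regularity']:.2f}")
```

On a real conn.log the interesting output is the top of the ranking; expect legitimate periodic traffic (update checks, monitoring agents) to score high as well, which is exactly the tuning work the later slides describe.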
Page 16
Links
https://www.activecountermeasures.com/blog/
https://www.activecountermeasures.com/category/video-blog/
Page 17
Logs Are A Trainwreck
• There is no "You have been Hacked!!!" log
• Traditional Windows logs do not log useful data for security
  • An example of changing the security policy
• Less than 5% of detects are from logs
  • Logs and percentages?
• Linux logs are not much better
  • Note on Bash logging
Page 18
Why UEBA?
• Let's look at behaviors of attacks
  • Reflected in the logs
  • Reflected across multiple logs!!!
  • Can require AD, Exchange and OWA logs to tell a story
• Often requires log tuning
• For example: Internal Password Spray
  • One ID, accessing multiple systems
Page 19
Lateral Movement
Page 20
6 Event IDs
Page 21
“False Positives”
• Not a thing (watch people's heads explode)
• Usually a problem of tuning
  • Service accounts
  • Help Desk
  • Systems administrators
  • Scripts
  • Backups
• TUNING TUNING TUNING <- This is our job!
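The "Why UEBA?" slide and the "False Positives" slide belong together: the behavior has to be read across many log entries, and the detection only becomes usable once the noisy legitimate accounts are tuned out. The Python below is an added example for this transcript, not BHIS code or a UEBA product's logic. Windows Event IDs 4625 (failed logon) and 4624 (successful logon) are real; the events themselves are constructed, and the helpdesk and backup service accounts in the exclusion list, the thresholds and the time windows are assumptions. It flags one source failing logons against many accounts (a password spray) and one account successfully reaching many hosts in a short window (the "one ID, accessing multiple systems" pattern), first untuned and then with the exclusion list applied.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_events():
    """Constructed Windows Security events (not from a real system). Fields mirror the
    parts of 4624/4625 an analyst correlates on: account, source IP, logging host."""
    events = []
    # A spray from 10.0.0.50: one failed logon per account, a few seconds apart.
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]):
        events.append({"ts": f"2020-06-01T09:00:{i * 5:02d}", "event_id": 4625,
                       "account": acct, "src_ip": "10.0.0.50", "host": "DC01"})
    # bob's credentials used to reach four servers inside an hour.
    for i, host in enumerate(["FS01", "SQL01", "WEB01", "WEB02"]):
        events.append({"ts": f"2020-06-01T10:{i * 12:02d}:00", "event_id": 4624,
                       "account": "bob", "src_ip": "10.0.0.9", "host": host})
    # A helpdesk account doing its normal job across five workstations.
    for i, host in enumerate(["WS-101", "WS-102", "WS-103", "WS-104", "WS-105"]):
        events.append({"ts": f"2020-06-01T11:{i * 3:02d}:00", "event_id": 4624,
                       "account": "svc_helpdesk", "src_ip": "10.0.0.20", "host": host})
    # alice mistyping her password once, then logging on to her own workstation.
    events.append({"ts": "2020-06-01T08:55:00", "event_id": 4625,
                   "account": "alice", "src_ip": "10.0.0.31", "host": "WS-ALICE"})
    events.append({"ts": "2020-06-01T08:56:00", "event_id": 4624,
                   "account": "alice", "src_ip": "10.0.0.31", "host": "WS-ALICE"})
    return events


SAMPLE_EVENTS = _build_sample_events()

# Tuning list (assumed names): accounts whose job is to touch many systems.
TUNING_EXCLUDE = frozenset({"svc_helpdesk", "svc_backup"})


def _parse_ts(s):
    return datetime.fromisoformat(s)


def _first_window_hit(items, window, min_distinct):
    """items: sorted (timestamp, value). Return the sorted set of distinct values in the
    first sliding window that reaches min_distinct, or None."""
    for i, (start, _) in enumerate(items):
        seen = {v for ts, v in items[i:] if ts - start <= window}
        if len(seen) >= min_distinct:
            return sorted(seen)
    return None


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """{src_ip: accounts} for sources with failed logons (4625) against at least
    min_accounts distinct accounts inside any window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append((_parse_ts(e["ts"]), e["account"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        accounts = _first_window_hit(items, window, min_accounts)
        if accounts:
            hits[src] = accounts
    return hits


def detect_account_fanout(events, min_hosts=3, window=timedelta(hours=1), exclude=frozenset()):
    """{account: hosts} for accounts with successful logons (4624) on at least min_hosts
    distinct hosts inside the window; accounts in `exclude` are tuned out."""
    by_acct = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["account"] not in exclude:
            by_acct[e["account"]].append((_parse_ts(e["ts"]), e["host"]))
    hits = {}
    for acct, items in by_acct.items():
        items.sort()
        hosts = _first_window_hit(items, window, min_hosts)
        if hosts:
            hits[acct] = hosts
    return hits


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("fan-out, untuned:", detect_account_fanout(SAMPLE_EVENTS))
    print("fan-out, tuned:  ", detect_account_fanout(SAMPLE_EVENTS, exclude=TUNING_EXCLUDE))
```

The untuned run reports the helpdesk account next to bob; the tuned run keeps only bob. That difference is the whole point of the "False Positives" slide: the helpdesk hit was not a false positive, it was a true positive for a behavior that is normal for that account, and the fix is an exclusion with an owner, not a disabled rule.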
Page 22
Links
https://www.blackhillsinfosec.com/tag/elk/
https://www.youtube.com/watch?v=c0qOmu3pChc&ab_channel=BlackHillsInformationSecurity
https://www.youtube.com/watch?v=jL6Somex_58&ab_channel=BlackHillsInformationSecurity
Page 23
Endpoint Analysis
Page 24
DeepBlueCLI
• https://github.com/sans-blue-team/DeepBlueCLI
Page 25
DeepWhiteCLI
Page 26
SANS Cheat Sheets
Page 27
Links
https://www.blackhillsinfosec.com/rainy-day-windows-command-research-results/
https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/
https://www.youtube.com/watch?v=fEip9gl2MTA&t=17s&ab_channel=BlackHillsInformationSecurity
https://www.youtube.com/watch?v=dtyX7XO-GSg&ab_channel=BlackHillsInformationSecurity
Page 28
Endpoint Protection Analysis
Page 29
Overlapping Fields of View
• The key is overlapping fields of visibility
  • Endpoint
  • SIEM/UEBA
  • Network Monitoring
  • Sandboxing
  • Internal Segmentation
[Diagram: overlapping circles labelled Endpoint AV/EDR, NSM and UEBA/SIEM]
Page 30
Everyone's a Winner!
Page 31
Detection Categories
Page 32
Play at Home!: EDR with Bluespawn
Page 33
Lateral Movement
Page 34
Just Your Standard Exploit
This is usually delivered as a client-side exploit or a drive-by download.
Page 35
Most Likely They Will Not
[Diagram: lateral movement paths labelled psexec, Pass-the-Token, RDesktop, Pass-the-Hash and Domain]
Page 36
Know These Protocols/Commands!
1. SMB
2. Psexec
3. WMI
4. RDP
5. WinRM
6. MS Kerberos
7. LANMAN/NTLM/NTLMv2
Page 37
JPCert
Page 38
Vulnerability Management
Page 39
Low and Informational Blind Spots: Example
Page 40
MITRE ATT&CK
Page 41
Addressing Vulnerabilities: The Wrong Way
• Many organizations address vulnerabilities by IP address
• For example: 1,000 IP addresses x ~25 vulnerabilities per IP = 25,000 issues to address
• This can be daunting
• Because of this we can see why so many companies focus on prioritization
• However, this approach is almost always wrong
Page 42
Addressing Vulnerabilities: The Correct Way
• Stop focusing on IP addresses and ranges
• Focus on the vulnerabilities
• Instead of 25,000 total vulnerabilities you will be dealing with a few hundred that repeat on multiple systems
• Use automation and address them as groups of issues
• This approach works regardless of the tool you use
• Consider it an “Open Source Technique”
• With this method IANS faculty have addressed over 1 million IP addresses, all vulnerabilities, in less than 3 weeks
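The two vulnerability slides above make a counting argument: the same scan data looks like tens of thousands of issues when tallied per IP address and like a few hundred when grouped by vulnerability. The Python below is an added example for this transcript, not IANS or BHIS code and not any scanner's API. It builds a constructed scanner export (the Host, Name, Risk column layout is an assumption about export format; the finding names are placeholders, not real plugin names) for 200 hosts with 25 findings each, smaller than the slide's 1,000-IP example, and produces both views so the reduction is visible as numbers: 5,000 host-findings collapse into 40 groups, each with its affected-host list ready for one remediation ticket.

```python
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def _build_sample_csv(hosts=200, pool=40):
    """Constructed scanner export (not real scan output). Each host receives 25 of the
    40 placeholder findings; (h + k) % 8 < 5 is just a deterministic way to pick them."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Host", "Name", "Risk"])
    severities = ["Critical", "High", "Medium", "Low"]
    for h in range(hosts):
        for k in range(pool):
            if (h + k) % 8 < 5:
                writer.writerow([f"10.1.{h // 256}.{h % 256}",
                                 f"CONSTRUCTED-VULN-{k:03d}", severities[k % 4]])
    return out.getvalue()


SAMPLE_SCAN_CSV = _build_sample_csv()


def parse_scan(csv_text):
    """Return (host, finding name, severity) tuples from a Host,Name,Risk CSV export."""
    return [(row["Host"], row["Name"], row["Risk"])
            for row in csv.DictReader(io.StringIO(csv_text))]


def count_by_host(findings):
    """The 'wrong way' view: how many issues each host carries, and the grand total."""
    per_host = defaultdict(int)
    for host, _, _ in findings:
        per_host[host] += 1
    return {"hosts": len(per_host), "issues": sum(per_host.values())}


def group_by_vulnerability(findings):
    """The 'correct way' view: one group per finding, with every affected host attached,
    ordered by severity and then by how many hosts share the problem."""
    hosts_for = defaultdict(set)
    severity_for = {}
    for host, name, risk in findings:
        hosts_for[name].add(host)
        severity_for[name] = risk
    groups = [{"name": name, "severity": severity_for[name],
               "hosts": len(hosts), "host_list": sorted(hosts)}
              for name, hosts in hosts_for.items()]
    groups.sort(key=lambda g: (SEVERITY_RANK.get(g["severity"], 0), g["hosts"]), reverse=True)
    return groups


if __name__ == "__main__":
    findings = parse_scan(SAMPLE_SCAN_CSV)
    print("per-IP view:", count_by_host(findings))
    groups = group_by_vulnerability(findings)
    print(f"per-vulnerability view: {len(groups)} groups")
    for g in groups[:5]:
        print(f"  {g['severity']:8} {g['name']} on {g['hosts']} hosts")
```

The host_list on each group is what feeds the automation the slide mentions: one fix, pushed to every host in the list, closes the whole group rather than one line on one host's report.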
Page 43
Threat Emulation
• Don't just think of vulnerabilities as missing patches and misconfigurations on systems
• Think post exploitation
  • What happens after an attacker gains access to a system
• There are a number of free tools that will automate parts of this process
  • Currently, would take a bit of tuning and trial and error
  • The collected data is invaluable
© Copyright 2020 IANS. All rights reserved. 43
Page 44
Open Source Tool Example: Caldera
Page 45
Open Source Tool Example: Atomic Red Team
Page 46
Page 47
Things That Are Hard...
• Teaching people to "keep digging"
  • Ping, Port, Parse
• Fighting burnout
  • Never "get stuck": pivot, try new things
• LMGTFY
• Drive….
Page 48
Architecture
[Diagram: overlapping circles labelled Endpoint AV/EDR, NSM and UEBA/SIEM]
Page 49
Questions?