LDR551_Book1 Flashcards
What are common goals of attackers?
Intellectual property theft, extortion, destruction
How might an attacker exploit key IT assets?
To damage or hijack value creation.
What are the main categories to break down a SOC?
Business Alignment, Technology, People, Process.
What is crucial for SOCs to avoid reliance on ‘tribal knowledge’?
Solid foundation of processes and procedures.
What has driven increased understanding of cyber risk by businesses?
Heightened awareness and impact of breaches.
What do most organizations focus on in their cyber defense programs?
Technology solutions and tools.
What functions are consolidated in security operations?
Hunt, threat intelligence, IR functions.
What has brought increased visibility to the cyber security function?
Better articulated requirements
What aspect of the maturity model saw the biggest single-year jump?
People
What happens to SOCs without solid processes and procedures?
Reliant on ‘tribal knowledge’
What cripples the capability of SOCs lacking good processes?
Turnover of individuals
What stands out in the most capable cyber defense programs?
Repeatability, continuous improvement, metrics
What is the average measured maturity score for security operations teams?
Between 1 and 2
What does a score between 1 and 2 indicate about SOCs?
Tools not well-integrated, lack of structured process
What makes the effectiveness of most cyber defense programs unpredictable?
Lack of repeatability, metrics, continuous improvement
What is the ideal maturity level for most enterprise SOCs?
Level 3
What is the ideal maturity level for most managed service provider SOCs?
Level 4
What is a key characteristic of level 5 maturity?
Processes are rigid and less flexible
What is a significant downside of rigid processes in SOC management?
Significant overhead outweighs benefits.
What can rigid processes and overhead lead to in SOCs?
They can become counter-productive.
How can rigid processes affect SOC workforce engagement?
They can create a less engaged workforce.
What is a potential consequence of a less engaged SOC workforce?
Higher turnover in the SOC.
What are the biggest challenges for SOCs according to the SANS SOC Survey?
Lack of context, skilled staff, visibility, and automation.
What is one of the goals for new SOCs in the course?
Building a solid starting foundation.
What is a key focus for all SOCs in the course?
Move toward “level 3-4” maturity level.
What tactics will be used to ensure continuous improvement in SOCs?
Continuous improvement tactics and metrics.
What is the purpose of automation and orchestration in SOCs?
To “do more with less”.
What are the three main sections of the class?
Creating your SOC, Execution, Continuous Improvement.
What is the fictional organization used for scenario-driven problem solving in the class?
Ops Outpost.
What is the course roadmap for the SOC class?
Design and Planning, Telemetry and Analysis, Detection and Triage, Response, Metrics.
What is included in SOC Planning Overview?
SOC Mission, Requirements, Goals, Standards, Policies, Roles, Staffing.
What is the first step in SOC planning?
Decide between internal SOC, MSSP, or hybrid model.
What should and shouldn't be considered a SOC?
A point addressed up front, because the term "SOC" is occasionally applied to groups that do not actually perform SOC functions.
What follows the discussion on SOC models?
Defining the mission, constituents, and capabilities.
What does defining SOC standards include?
Standards, policies, services, roles, staffing, charter, steering committee.
What is a common solution for organizations with 0-1,000 users?
MSSP + non-dedicated internal security team.
What is a common solution for organizations with 1,000-10,000 users?
MSSP Hybrid with some functions in-house.
What is a common solution for organizations with 10,000-100,000 users?
Full internal SOC with possible outsourcing.
What is a common solution for organizations with 100,000+ users?
Full-fledged internal SOC with auxiliary services.
What determines if a dedicated internal SOC is right for an organization?
Number of employees and assets to protect.
Why might a small organization not need a dedicated security group?
Cost-prohibitive due to headcount and hardware requirements.
When might a small organization need a dedicated security team?
If dealing with regulatory compliance, health, or payment data.
What is a common practice for companies with fewer than 1,000 people?
Utilize managed security service providers (MSSPs).
What is a hybrid SOC model?
MSSP handles monitoring, in-house specialists handle incidents.
What is a key consideration for organizations with over 10,000 people?
Full-fledged SOC with most roles covered in-house.
What should you define when planning a SOC?
Mission, goals, threats, requirements, constituency, capabilities.
What are common high-level goals of a SOC?
Situational awareness, monitoring, preventing/minimizing impact.
What is the mission of the average security-focused SOC?
Maintain situational awareness, monitor events, prevent damage.
What should SOCs maintain awareness of?
Situational awareness of the threat landscape.
What is the key goal of any SOC?
Situational awareness of internal and external security environments.
What is the “detection” piece of the SOC process?
Monitoring network and endpoint events for suspicious activity.
What is the ideal role of a SOC in cyber incidents?
Preventing or minimizing damage and disruption.
What should a SOC do when bad things happen?
Run down the ground truth, clean up, and restore order.
What is a “mission statement” for a SOC?
Output of the phase defining SOC’s goals.
What are key questions in threat modeling?
What to protect, from whom, likelihood, consequences, and effort.
What is the essence of Sun Tzu’s quote in threat modeling?
Preparation, understanding the enemy, and resource optimization.
What is required for effective defense?
Starting with the best possible threat model.
What should everyone in a SOC think about daily?
Who the enemy is, what they want, and how they’ll get it.
What is the entire point of threat intelligence?
Developing a strategic and tactical advantage over adversaries.
What must SOCs consider in their operations?
Compliance frameworks, standards, company policies, service levels.
What are common compliance frameworks affecting infosec?
GDPR, PCI-DSS, HIPAA, NIST SP 800-171, SOX, GLBA.
What does GDPR require?
Businesses must protect EU citizen personal data.
What is PCI-DSS designed to protect?
Credit cardholder data.
What does HIPAA regulate?
Privacy and security rules for health care information.
What does NIST 800-171 recommend?
Security requirements for protecting Controlled Unclassified Information (CUI).
What are examples of control frameworks?
CIS Critical Security Controls, NIST SP 800-53.
What are examples of program frameworks?
NIST Cyber Security Framework (CSF), ISO/IEC 27001.
What are examples of risk frameworks?
NIST SP 800-30, SP 800-37, SP 800-39, ISO/IEC 27005.
What are the three main types of cybersecurity frameworks?
Controls frameworks, program frameworks, and risk assessment frameworks.
What is the purpose of controls frameworks?
To provide baseline controls to mitigate cyber intrusions.
How do controls frameworks help established SOCs?
They assess technical capability and prioritize budget use.
Name two examples of controls frameworks.
CIS Controls and NIST SP 800-53.
What are the three implementation groups in the CIS Controls list?
IG1 (essential cyber hygiene), IG2, and IG3, each adding controls as an organization's size, resources, and risk exposure grow.
What is the NIST Cyber Security Framework?
A program framework for structuring and operating security programs.
What is the purpose of risk frameworks?
To provide a standard way of assessing risk.
Name one example of a risk framework.
NIST SP 800-30 Guide for Conducting Risk Assessments.
What is SOC-CMM?
A tool for assessing SOC capabilities.
What should you do if creating new cybersecurity policies?
Leverage pre-made IT policy templates.
What is the SOC’s constituency?
The set of users, assets, networks, or organizations secured by the SOC.
What should be well defined for the SOC?
Group scope of protection
What should you consider when selecting SOC services?
Size and capacity of your team
What are small organizations’ SOC services focused on?
Monitoring and detection
What might large organizations’ SOC services include?
Core SOC functions and auxiliary capabilities
What is encouraged when choosing SOC services?
Not to boil the ocean from the start
What is a smart plan for SOC service offerings?
Break into phases for rollout
What should a SOC charter include?
Goals, mission statement, scope, authority
Why is the SOC charter important?
Authorizes SOC build and operation
Who should sign off the SOC charter?
Management
What is the purpose of the SOC steering committee?
Ensure business alignment and correct activities
What is the role of the steering committee in SOC planning?
Provides two-way communication with business
When should steering committee meetings be held?
Regularly or with significant changes
What is the goal regarding security in new initiatives?
Ensure security has a seat at the table
What does “shift left” in DevSecOps mean?
Add security from the start
What is a better approach to cloud security?
Notify security before usage
What is a good way to ensure security stays aware and represented in initiatives?
Constant engagement with IT, Legal, and Finance
What is the “10 tight/25 right/100 light” rule for tracking key relationships?
10 close, 25 regular, 100 occasional contacts
What should you create to list SOC services and major organization/business units?
An alignment matrix
Why is it important to show up for discussions outside of your immediate responsibilities?
To build key relationships
What should you do to prepare for meetings and interactions?
Prepare for both major meetings and 1-on-1 interactions
How can you stay informed about your company’s mission or business?
Read 10-K, annual reports, analyst reports, and strategy documents
What is the first step in SOC Planning according to the SOC Planning Summary?
Define your mission and specific goals
What is the purpose of creating a SOC Charter and Mission?
To build an organizationally-aligned security team
What is the first step in SOC functions?
Collection
What follows detection in SOC functions?
Triage
What is the final step in SOC functions?
Incident Response
What must be done to identified activity?
Triage for closer analysis
What happens to confirmed malicious activity?
Passed to incident response
What is required for all SOC steps?
Continuous improvement
What does “garbage in, garbage out” imply in SOC?
Good data is essential
What does the SOC take as its main input?
Environment data
What is considered the second input in SOC?
Threat intelligence
What is the output of the SOC?
Identified, minimized, remediated incidents
What does threat intelligence help identify?
Potential attacks
What must be done to understand SOC in detail?
Zoom in on SOC workings
What does SOC collect from the environment?
Network transactions, file downloads, etc.
What is the goal of understanding SOC functions?
Clear model of SOC functions
What helps understand data flow in SOC?
Zooming in on SOC functions
What does breaking down SOC help achieve?
Common terminology
What is necessary for each function in attack identification?
Constant stream of feedback
What does deconstructing security operations help with?
Shows factors required for success
What are the core SOC activities?
Data Collection, Detection, Triage, Incident Response
What are the specialty/auxiliary functions?
Threat Intelligence, Forensics, Self-Assessment
Who typically performs core SOC activities?
SOC engineers, analysts, incident responders
What is the role of threat intelligence in SOC?
Improves attack detection
What does forensics support in SOC?
Incident Response (IR)
What is the purpose of self-assessment in SOC?
Feedback on SOC performance
What does the self-assessment function include?
Vulnerability assessments, penetration testing, Red Teaming
What drives the detection capability in SOC?
Threat intelligence
What happens to detected items in SOC?
Passed to triage and investigation
What assists incident response in SOC?
Specialty forensics
What is the output of incident response?
Remediated or prevented issues
What is the first step in the SOC process?
Collection
What is the output of the collection step in SOC?
Events (logs, network traffic, metadata)
Where is the data that gets turned into events typically generated?
On an endpoint device or from network traffic.
How is data centrally collected for SIEM indexing?
Via an endpoint agent or sensor.
What is analyzed against detection rules in SIEM?
Output events (logs and traffic metadata).
What is the goal of the data collection stage?
Thorough collection of all security relevant data.
Who determines the type of data you can record?
Data, infrastructure, or endpoint engineers.
What determines the Windows logs that are generated?
Audit policy set in Windows Group Policy Objects.
What requires cooperation with the network operations team?
Network taps.
What informs the specific data to be collected?
Threat intelligence function.
What is required for a thorough collection strategy in most SOCs?
Cooperation across multiple teams and budget.
What are the inputs and outputs of the detection stage?
Input: Events + threat intel, Output: Alerts.
Who is responsible for detection in SOCs?
Detection/Content Engineering, SOC Analysts, Threat Hunters.
How are potential attacks identified from collected data?
Automated analytics engines or manual threat hunting.
Who typically creates analytics or correlation rules in larger organizations?
A dedicated detection engineering team.
What is the goal of the detection stage?
Find malicious activity and alert with minimal false positives.
What correlates with SOC effectiveness in detection?
Quality of tools and threat hunting capabilities.
What does successful detection rely on?
Data availability from the collection stage.
What are the inputs and outputs of the triage stage?
Input: Alerts, Output: Ranked alerts.
What is the goal of the triage stage?
Identify and manage the most important alerts.
What factors influence triage decisions?
Attack progression, system criticality, account privilege.
What knowledge helps analysts in triage?
Lockheed Martin Cyber Kill Chain, MITRE ATT&CK framework.
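The detection and triage cards above describe a pipeline (events plus rules in, alerts out; alerts in, ranked alerts out) without showing it run. The following Python is an added example, not course material: it runs a few illustrative detection rules over constructed, already-normalized events, then ranks the resulting alerts by the three triage factors named above (attack progression via ATT&CK tactic, system criticality from an asset list, account privilege). The event records, rule logic, internal IP ranges, asset criticality values, privileged-account list and tactic weights are all assumptions made for the demonstration.

```python
"""Added example: toy detection-to-triage pipeline over constructed events."""
from dataclasses import dataclass
from typing import Callable
import ipaddress

# Constructed, normalized sample events (not real telemetry). Fields mimic
# what an endpoint agent or network sensor would ship to a SIEM.
EVENTS = [
    {"id": 1, "host": "WKS-0412", "user": "jdoe", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 2, "host": "DC01", "user": "svc_backup", "event": "process_create",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"id": 3, "host": "WKS-0412", "user": "jdoe", "event": "process_create",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": "notepad++.exe notes.txt"},
    {"id": 4, "host": "WEB02", "user": "www-svc", "event": "net_conn",
     "dst_ip": "203.0.113.7", "dst_port": 4444},
]

# Assumed internal IP ranges: the "IP ranges" an analyst checks alerts against.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Rule:
    name: str
    tactic: str                     # ATT&CK tactic, used as a coarse attack-progression stage
    match: Callable[[dict], bool]


# Illustrative detection content of the kind a detection engineering team would own.
RULES = [
    Rule("Encoded PowerShell command line", "execution",
         lambda e: e["event"] == "process_create"
         and e["image"].lower().endswith("powershell.exe")
         and " -enc" in e["cmdline"].lower()),
    Rule("NTDS database dumped with ntdsutil", "credential-access",
         lambda e: e["event"] == "process_create"
         and e["image"].lower().endswith("ntdsutil.exe")
         and "ifm" in e["cmdline"].lower()),
    Rule("Outbound connection to non-internal address", "command-and-control",
         lambda e: e["event"] == "net_conn" and not is_internal(e["dst_ip"])),
]

# Triage inputs. All weights are assumptions for illustration, not course values:
# later intrusion stages outrank earlier ones, critical systems outrank workstations,
# and privileged accounts add to the score.
TACTIC_WEIGHT = {"execution": 2, "persistence": 3, "privilege-escalation": 4,
                 "credential-access": 5, "lateral-movement": 5,
                 "command-and-control": 4, "exfiltration": 6, "impact": 6}
ASSET_CRITICALITY = {"DC01": 5, "WEB02": 4, "WKS-0412": 1}   # constructed asset list
PRIVILEGED_USERS = {"svc_backup": 4, "Administrator": 5}     # constructed privileged-account list


def detect(events, rules=RULES):
    """Detection stage: events + rules in, alerts out."""
    return [{"rule": r.name, "tactic": r.tactic, "event": e}
            for e in events for r in rules if r.match(e)]


def score(alert) -> int:
    """Triage score: attack progression + system criticality + account privilege."""
    e = alert["event"]
    return (TACTIC_WEIGHT.get(alert["tactic"], 1)
            + ASSET_CRITICALITY.get(e["host"], 1)
            + PRIVILEGED_USERS.get(e["user"], 0))


def triage(alerts):
    """Triage stage: alerts in, ranked alerts out (highest priority first)."""
    return sorted(alerts, key=score, reverse=True)


if __name__ == "__main__":
    for a in triage(detect(EVENTS)):
        e = a["event"]
        print(f"{score(a):2d}  {a['rule']:<45} host={e['host']} user={e['user']}")
```

Run as a script, the ntdsutil alert on the domain controller under a privileged service account ranks first, the outbound connection from the web server second, and the encoded PowerShell on a workstation last; the benign notepad++ launch produces no alert at all. The point for triage is that the same rule hit lands in very different places in the queue depending on the asset list and account context the analyst has available.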
What is the goal of the investigation stage?
Accurate verification of alerts as true or false positives.
What should analysts do when false positives occur?
Feed information back to the detection engineering team.
How should analysts perform the investigation stage?
In a rigorous way, free of cognitive bias.
What is the main trap new analysts fall into?
Confirmation bias
What mistake do many analysts make when matching alerts?
Gather data to confirm their belief
Why is matching alerts to beliefs the wrong approach?
Ignores other possible scenarios
How should analysts verify a theory?
Attempt to disprove it
What improves with thorough training and experience?
Verification of theories
What should analysts do after completing an investigation?
Spin up incident response
Who handles incident response in large organizations?
Separate team
Who handles incident response in smaller organizations?
Analysts
What is the goal of incident response?
Fast, complete remediation and recovery
What tools help analysts quickly query events?
EDR and centralized SIEM logging
What are the outputs of incident response?
Remediation and lessons learned
Why is feedback crucial in incident response?
Prevents similar incidents
What does tracking details over the long term provide?
Tactical and strategic advantage
What is the final piece of the SOC process puzzle?
Continuous improvement
What does conceptual feedback do?
Modifies input based on output
What helps understand the health of the SOC process?
Metrics
How should SOC functions be thought of?
Like steps in a manufacturing line
What is the goal of useful metrics collection?
Optimize each function individually
What are the core SOC activities?
Collection, detection, triage, investigation, incident response
What do metrics provide in the SOC process?
Feedback for continuous improvement
What is the importance of high-quality inputs in SOC operations?
High-quality inputs optimize SOC process outputs.
What will be discussed in detail through the rest of the course?
Components of SOC functions and their KPIs.
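The cards on metrics treat the SOC as a manufacturing line whose stages are measured and optimized one at a time. The following Python is an added example, not course material, showing one way to do that: it takes constructed hand-off timestamps for a few incidents (event generated, alert raised, triage started, incident closed), computes the minutes each incident spent in the detection, triage and response stages, and reports the median and worst case per stage. The incident records and stage boundaries are assumptions made for the demonstration.

```python
"""Added example: per-stage timing metrics over constructed incident records."""
from datetime import datetime
from statistics import median

# Constructed hand-off timestamps (not real data) for each stage boundary:
# event generated -> alert raised -> triage started -> incident closed.
INCIDENTS = [
    {"id": "INC-1", "event": "2024-03-01T08:00:00", "alert": "2024-03-01T08:05:00",
     "triage": "2024-03-01T08:35:00", "closed": "2024-03-01T12:05:00"},
    {"id": "INC-2", "event": "2024-03-02T22:10:00", "alert": "2024-03-03T07:10:00",
     "triage": "2024-03-03T07:25:00", "closed": "2024-03-03T09:25:00"},
    {"id": "INC-3", "event": "2024-03-04T14:00:00", "alert": "2024-03-04T14:01:00",
     "triage": "2024-03-04T16:31:00", "closed": "2024-03-04T17:01:00"},
]

# Each stage is bounded by its own pair of hand-offs, so it can be measured
# (and tuned) independently of the stages before and after it.
STAGES = (
    ("detection", "event", "alert"),
    ("triage", "alert", "triage"),
    ("response", "triage", "closed"),
)


def minutes_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def stage_lags(incident: dict) -> dict:
    """Minutes one incident spent in each stage."""
    return {name: minutes_between(incident[a], incident[b]) for name, a, b in STAGES}


def stage_stats(incidents) -> dict:
    """Median and worst-case minutes per stage across all incidents."""
    lags = [stage_lags(i) for i in incidents]
    return {name: {"median": median(l[name] for l in lags),
                   "max": max(l[name] for l in lags)}
            for name, _, _ in STAGES}


def slowest_stage(incidents, key: str = "median") -> str:
    """The stage to optimize first, by the chosen statistic."""
    stats = stage_stats(incidents)
    return max(stats, key=lambda name: stats[name][key])


if __name__ == "__main__":
    for name, s in stage_stats(INCIDENTS).items():
        print(f"{name:<10} median {s['median']:6.0f} min   max {s['max']:6.0f} min")
    print("slowest by median:", slowest_stage(INCIDENTS))
    print("slowest by max:   ", slowest_stage(INCIDENTS, "max"))
```

On this constructed data the median points at response as the slowest stage, while the worst case points at detection: INC-2 fired at 22:10 and was not alerted on until 07:10 the next morning, a nine-hour gap that a 9x5 SOC without off-hours coverage would produce. Reporting both statistics per stage is what lets each function be optimized on its own rather than blending everything into a single end-to-end number.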
What are the key focuses of team creation in SOC?
Org charts, tiered vs. tierless, hiring, training.
What should you consider when creating a SOC org chart?
Quick communication, manageable team size, mission effectiveness.
What are the core functions of a SOC?
Detection, Incident Response, Support.
What is the role of the IR group in organizations?
Clean separation of duties.
What does the IR group typically include?
Analysts, forensics capacity.
What functions support the SOC?
Architects, system administrators, engineers.
Who may handle new analytic writing in some SOCs?
Analysts.
What is the mission of the assessment team?
Ensure company is secured from cyber attacks.
What is the goal of the threat intel team?
Support SOC activities.
Why should the incident response and threat intel teams be under shared management?
Maximize communication and collaboration.
What are the core SOC activities?
Detection, triage, analysis, IR.
What might organizations need as they grow?
More subgroups or layers of management.
Why might forensics be separate from the SOC?
Specialized knowledge different from analysts.
What other groups might utilize forensic experts?
Internal corporate investigations, insider threats.
Why keep lines of communication open between SOC and other teams?
Compensate for management separation.
What is the traditional tiered analyst model?
Tier 1 triages alerts, escalates complex issues.
What happens to alerts that analysts cannot determine or require complex solutions?
Get escalated to Tier 2
Who handles alerts that Tier 2 cannot resolve?
Tier 3
What is the job breakdown of Tier 1-3 dependent on?
The organization
What do SOCs with dedicated incident response teams use tiers for?
Increasing difficulty of triage and investigation
What tasks are typically assigned to Tier 1 in SOCs without incident response groups?
Triage and alert investigation/validation
What tasks are typically assigned to Tier 2 in SOCs without incident response groups?
Incident response
What tasks are typically assigned to Tier 3 in SOCs without incident response groups?
Hunting, malware reversing, specialty tasks
What should you consider when going with a tiered model for your SOC?
What’s most important to you and SOC structure
How do analysts in tierless SOCs handle alerts?
All levels triage and investigate alerts
What is a key characteristic of the analysis function in tierless SOCs?
Much flatter
What is a downside of tiered SOCs for analysts?
Limits analyst growth
What is a pro of tierless SOCs for analysts?
Uncapped analyst talent growth
What is a con of tierless SOCs?
Less defined process
What can cause analysts in tiered SOCs to lose enthusiasm?
Narrow track of repetitive tasks
What might analysts do if they can’t quickly move to the next tier?
Look for another job
Why might MSSPs prefer tiered SOCs?
Customers expect best practice
What are some benefits of a tierless model for internal SOCs?
Long-term retention, analyst growth
What should you consider when choosing between tiered and tierless models?
Defined process importance, analyst number, budget
How many people are needed for a single 24x7x365 seat?
About five: 8,760 seat-hours a year divided by the roughly 1,750-1,900 hours one analyst actually works after leave, sick time, and training.
What is a benefit of a 9x5 SOC with on-call positions?
Lower costs, less disruption
What can MSSPs provide for a 9x5 SOC?
Off-hours coverage, if budget allows
What is the minimum number of people needed for a 24/7 shift configuration?
10-12 people
Why are 12-hour shifts not recommended?
Burnout, efficiency drop, personal life balance
What are common shift durations for continuous coverage?
12-hour, 10-hour, 8-hour shifts
What is a “follow-the-sun” coverage model?
Teams in multiple time zones cover 24/7
What percentage of SOCs operate 24/7 according to the survey?
80%
What are some alternative shift configurations mentioned?
9/80, 10/40, 12-hour shifts
What should be included in an MSSP service contract?
Scope, alert validation, escalation plans
What are three key questions for MSSP SLAs?
Value measurement, breach response, service continuity
What is a critical part of MSSP onboarding?
Technology deployment, credential sharing, knowledge transfer
How should technology deployment be scoped?
Anywhere from a basic installation to its own major project, depending on what is being deployed
How should vendor-provided hardware and software be treated?
Subject to vulnerability assessment and updates
What does credential sharing involve?
Creating domain accounts or establishing VPN connections
What increases your attack surface in supply chain risk management?
Establishing trust relationships with vendors
What has been a common initial access point for data breaches?
Trusted connections
What should an analyst consider to validate alerts and investigate anomalies?
Network diagrams, asset lists, IP ranges
What should you develop with your MSS for better incident management?
A communications plan
How long does an escalation plan usually need to work out bugs?
Thirty to sixty days
What do MSS relationships require for success?
Active engagement and ongoing management
Why might SOC teams be unhappy with their MSSPs?
Little to no value from the service
What is crucial for hiring the best candidates?
A solid recruiting effort
What can steer the hiring process in the wrong direction?
Poorly performed interviews
Where is it not enough to advertise your SOC jobs?
Only on your organization's website
Where can you meet potential infosec recruits in person?
Infosec conferences and local groups
What type of attitude are you looking for in recruits?
Willing to learn more about infosec
What can you do with ungraduated candidates from college clubs?
Pre-select them as interns
Where do infosec enthusiasts commonly hang out online?
Forums, email lists, Slack, Discord
Where can you find potential recruits during online CTFs?
RPG video game style boards