A collection of documentation sources and field best practices for building and running a SOC (including a CSIRT).
These are my views, based on my own experience as a SOC/CSIRT analyst and team manager, as well as on well-known papers. The focus is more on the SOC than on the CERT/CSIRT.
My motto is: without reaction (response), detection is useless.
NB: Generally speaking, SOC here refers to detection activity, and CERT/CSIRT to incident response activity. CERT is a well-known (formerly) US trademark, run by CERT-CC, but I prefer the term CSIRT.
- Must read
- Fundamental concepts
- Mission-critical means (tools/sensors)
- IT/security Watch
- SOAR
- Detection engineering
- Threat intelligence
- Management
- HR and training
- IT architecture
- To go further (next steps)
- Appendix
- SOC build:
- MITRE, 11 strategies for a world-class SOC (or use local file): part 0 (Fundamentals).
- FIRST, Building a SOC
- NCSC, Building a SOC
- Gartner, SOC model guide
- Splunk, State of Security 2023
- SOC training/interview:
- LetsDefend SOC analyst interview questions
- SOC management:
- SOC assessment:
- CSIRT build:
- FIRST, CERT-in-a-box
- FIRST, CSIRT Services Framework
- Security incident response management:
- ENISA, Good practice for incident management
- EE-ISAC Incident Response whitepaper
- LinkedIn Pulse, Security incident management according to ISO 27005
- Microsoft/EY/Edelman, Incident response reference guide
- Forensics:
- Incident response playbooks:
- Kaspersky, Incident Response Playbook: Dark Web Breaches
- SANS, IR Mitigations tasks
- Terms and concepts:
- Shubham, Security 360
- Vilius Benetis, CSIRT, SOC, ISAC and PSIRT definitions
- Thomas Roccia, Visual Threat Intelligence
- SentinelOne, What is SecOps
- Purp1eW0lf, Blue Team Notes
- PAN, Security orchestration for dummies
- ThreatConnect, SIRP / SOA / TIP benefits
- SOC/CSIRT processes:
- CSIRT build:
- Frameworks and materials:
- MITRE, ATT&CK: Getting started
- NIST, Cybersecurity framework
- FIRST, CVSS v4 specs
- OASIS Open, STIX
- FIRST, TLP (intelligence sharing and confidentiality), and PAP
- CIS, 18 critical security controls
- SOAR solutions:
- NIS2:
- Management:
See: SOC/CSIRT Basic and fundamental concepts.
Quoted from this article:
Following the arrows, we go from log data sources to the data management layer, then to the data enrichment layer (where detection happens), to end up in behavior analytics or at the user interaction layer (alerts, threat hunting...). All of that is enabled and supported by automation.
Based on CYRAIL's paper drawing, which I've slightly modified, here is an example of a detection architecture (SIEM, SIRP, TIP interconnections) and workflow:
- Sensor log sources are likely to be: audit logs, security sensors (antimalware, FW, NIDS, proxies, EDR, NDR, CASB, identity threat detection, honeypot...).
- SIEM:
- See Gartner magic quadrant
- My recommendations: Microsoft Azure Sentinel, Sekoia.io XDR, Splunk, Graylog.
- SIRP:
- e.g.: IBM Resilient, TheHive, SwimLane, PAN Cortex XSOAR
- My recommendations: TheHive, PAN Cortex XSOAR
- SOA:
- I recommend reading Forrester's overview of SOAR providers
- e.g.: IBM Resilient, SwimLane, TheHive, PAN Cortex XSOAR, Microsoft Logic Apps
- My recommendations: SwimLane, TheHive, PAN Cortex XSOAR
- TIP:
- Antimalware/antivirus (you may want to have a look at my antivirus and EDR differences table):
- See Gartner magic quadrant or Forrester Wave
- My recommendations: Microsoft Defender, ESET Nod32, BitDefender.
- Endpoint Detection and Response:
- See Gartner magic quadrant, MITRE ENGENUITY, and Forrester Wave
- My recommendations: SentinelOne, Microsoft Defender for Endpoint, Harfanglab, ESET XDR, WithSecure Elements EDR, CrowdStrike Falcon EDR, Tanium, Wazuh
- Secure Email Gateway (SEG):
- See Gartner reviews and ratings
- My recommendations: Microsoft Defender for Office365, ProofPoint, Mimecast
- Secure Web Gateway (SWG) / Security Service Edge:
- see Gartner magic quadrant
- My recommendations: BlueCoat Edge SWG, CISCO SASE, Zscaler Cloud proxy, Netskope.
- Identity Threat Detection and Response (ITDR) for identity and AD/AAD security (audit logs, or specific security monitoring solutions):
- My recommendations: Semperis Directory Services Protector
- for a one-shot security assessment of AD and Entra ID, I recommend: Semperis Purple Knight or PingCastle
- EASM: External Asset Security Monitoring / External Attack Surface Management:
- My recommendations: Intrinsec (in French), Mandiant, Qualys EASM
- for a security check-up:
- quick security assessment of your website: ImmuniWeb
- AWS/Azure/GCP security assessment (community tool): ScoutSuite
- CASB: Cloud Access Security Broker, if company's IT environment uses a lot of external services like SaaS/IaaS:
- See Gartner magic quadrant
- My recommendations: Microsoft MCAS, Zscaler, Netskope.
- Deceptive technology:
- My recommendation: implement AD decoy accounts and an AD DNS canary
- Compromise assessment tools:
- My recommendations:
- Paid ones:
- free ones:
- for Linux:
- for Windows:
- simple but efficient ESET Sysinspector;
- Velociraptor;
- DFIR-ORC;
- Sysmon (install it, let it run for a few hours/days, then investigate its logs), with Olaf Hartong's config;
- For AD:
- For MS Entra ID & M365:
- Semperis Purple Knight;
- simple but efficient ADRecon;
- 365Inspect;
- Azure AD Incident Response PowerShell module
- For Azure / GCP / AWS:
- My recommendations:
- On-demand volatile data collection tool:
- My recommendations: FastIR, VARC, FireEye Redline, DFIR-ORC;
- Remote action capable tools (i.e.: remote shell or equivalent):
- My recommendations: CIMSweep, Velociraptor, CrowdStrike Falcon Toolkit (but it relies on the CrowdStrike EDR), GRR (but it needs an agent to be installed).
- On-demand sandbox:
- My recommendations for online ones: Joe Sandbox, Hybrid Analysis, etc.;
- My recommendation for a local one: the Windows 10 native Sandbox, with automation.
- Forensics and reverse-engineering tools suite:
- My recommendations: SIFT Workstation, or Tsurugi;
- My recommendation for reverse engineering and malware analysis, under Windows: FireEye Flare-VM;
- My recommendation for pure malware analysis, under Linux: Remnux.
- Incident management tracker:
- My recommendations: Timesketch, DFIR IRIS
- Scanners:
- IOC scanners:
- My recommendations: Loki, DFIR-ORC
- For smartphones: Tiny Check
- IOC repos for scanners:
- Google CTI's repo: Yara rules for Cobalt Strike and others.
- Yara-rules GitHub repo: multiple Yara rules types.
- Spectre Yara rules repo
- Neo23x0 Community Yara rules
- and those listed here, Awesome threat intel
- Offline antimalware scanners:
- My recommendations: Windows Defender Offline, ESET SysRescue
- IOC scanners:
- Log analyzers with detection capabilities:
- My recommendations: CrowdSec, Sekoia XDR, DeepBlue
- Data analysis tools:
- Admin tools:
- My recommendations: Azure AD Internals suite, SysInternals Suite
- Internal ticketing system (NB: not SIRP, not for incident response!):
- My recommendation: GitLab
- Knowledge sharing and management tool:
- My recommendations: Microsoft SharePoint, Wiki (choose the one you prefer, or use GitLab as a Wiki).
- Visualization tool for OSINT search and IOC:
- My recommendation: OSINTracker
- SIEM rules publications:
- Known exploited vulnerabilities and 0-days:
- LinkedIn / Twitter:
- RSS reader/portal:
- e.g.: Netvibes
- Government CERT, industry sector related CERT...
- Newsletters:
- Other interesting websites:
- e.g.: ISC, ENISA, ThreatPost ...
Cf. SOAR page
Cf. detection engineering page.
Cf. management page.
Cf. HR and training page.
As per NCSC website:
Indications of an attack will rarely be isolated events on a single system component or system. So, where possible, having a single platform where analysts have the ability to see and query log data from all of your onboarded systems is invaluable. Having access to the log data from multiple (or all) components, will enable analysts to look for evidence of attack across an estate and create detection use-cases that utilise a multitude of sources. By creating temporal (actions over a period of time) and spatial (actions across the estate) use-cases, an organisation is better prepared to address cyber security attacks that occur system wide.
The goal is to prevent an attacker from achieving lateral movement from a compromised monitored zone to the SOC/CSIRT work zone.
- Implement a SOC enclave (with network isolation), as per the MITRE paper drawing:
- Only log collectors and WEF (Windows Event Forwarding) should be authorized to send data to the SOC/CSIRT enclave. Whenever possible, the SOC tools pull the data from the monitored environment, and not the contrary;
- On top of a SOC enclave, implement at least a level 2 of network segmentation;
- SOC's assets should be part of a separate restricted AD forest, to allow AD isolation from the rest of the monitored AD domains.
- SOC/CSIRT's endpoints should be hardened with relevant guidelines;
- My recommendations: CIS benchmarks, Microsoft Security Compliance Toolkit
- MITRE, 11 strategies for a world-class SOC (remainder of the PDF)
- CISA, Cyber Defense Incident Responder role
- FireEye, Purple Team Assessment
- Kaspersky, AV / EP / EPP / EDR / XDR
- Wavestone, Security bastion (PAM) and Active Directory tiering mode: how to reconcile the two paradigms?
- MalAPI, list of Windows APIs and their potential use in offensive security
- FireEye, OpenIOC format
- Herman Slatman, Awesome Threat Intel
- Microsoft, SOC/IR hierarchy of needs
- Betaalvereniging, TaHiTI (threat hunting methodology)
- ANSSI (FR), EBIOS RM methodology
- GMU, Improving Social Maturity of Cybersecurity Incident Response Teams
- J0hnbX, RedTeam resources
- Fabacab, Awesome CyberSecurity BlueTeam
- Microsoft, Windows 10 and Windows Server 2016 security auditing and monitoring reference.
- iDNA, how to manage FPs (false positives) in a SOC?, in FR
- Soufiane Tahiri, Playbook for ransomware incident response, in FR
- PwnDefend, AD post-compromise checklist
- Gartner, Market guide for NDR
- Rawsec, Resources inventory
- Quest, Best practices for AD disaster recovery
- Microsoft, Isolate Tier 0 assets with group policy
- Securenvoy, How to be compliant with NIS2?
- CyberVigilance, Mitre Engenuity Evaluations 2022 review
- NIST, SP800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations)
- Amazon, AWS Security Fundamentals
- Microsoft, PAW (Privileged Access Workstation)
- CIS, Business Impact Assessment
- Abdessabour Boukari, RACI template (in French)
- Trellix, XDR Gartner market guide
- Elastic, BEATS agents
- V1D1AN's drawing: architecture of detection
- RFC2350 (CERT description)
- Awesome Security Resources
- Incident Response & Computer Forensics, 3rd ed
- GDPR cybersecurity implications (in French)
- SANS SOC survey 2022
- Soufiane Tahiri, Digital Forensics Incident Response Git
- Austin Songer, Incident playbook
- CISA, Cybersecurity incident and vulnerability response playbooks
- Reprise99, Microsoft Sentinel queries
- MyFaberSecurity, MS Sentinel architecture and recommendations for MSSP
- Gartner, PAM Magic Quadrant reprint
- Rawsec, Tools inventory
- Microsoft, command line reference
- Microsoft, Sentinel data collection scenarios
- SOC CMM, SOCTOM
- PTES
- OWASP, WSTG
- BitDefender, Analyzing MITRE ATT&CK evaluations 2023
- Dark Web monitoring (data leaks, etc.)
- My recommendation: AIL Framework
- for paid SaaS solutions, I recommend having a look at this top 10
- (full-featured) Honeypot:
- My recommendation: Canary.tools
- Or, have a look at Awesome honeypots Git
- Phishing and brand infringement protection (domain names):
- NIDS:
- My recommendation: Crowdsec
- NDR:
- My recommendation: Gatewatcher
- MDM:
- My recommendation: Microsoft Intune
- DLP:
- OT (industrial) NIDS:
- My recommendation: Nozomi Guardian
- Network TAP:
- My recommendation: Gigamon
- Mobile network security (2G/3G):
- My recommendation: Dust Mobile.
- Implement hardening measures on SOC workstations, servers, and the IT services that are used (if possible).
- Put the SOC assets in a separate AD forest (the forest is the AD security boundary) for isolation purposes, in case of a global compromise of the enterprise IT.
- Create/provide a disaster recovery plan for the SOC assets and resources.
- Implement admin bastions and silos to administer the SOC environment (equipment, servers, endpoints):
- My advice: consider the SOC environment to be administered at Tier 1, if possible with a dedicated admin bastion. Here is a generic drawing from Wavestone's article (see Must read references):
- Recommended technology choice: Wallix PAM
- Implement a level 3 of network segmentation
Yann F., Wojtek S., Nicolas R., Clément G., Alexandre C., Jean B., Frédérique B., Pierre d'H., Julien C., Hamdi C., Fabien L., Michel de C., Gilles B., Olivier R., Jean-François L., Fabrice M., Pascal R., Florian S., Maxime P., Pascal L., Jérémy d'A., Olivier C. x2, David G., Guillaume D., Patrick C., Lesley K., Gérald G., Jean-Baptiste V., Antoine C. ...