SOC training: How to teach the blind to drive
Kirill “isox” Ermakov, SOC in Russia IV, 2016
#:whoami
- QIWI Group CTO/CISO
- vulners.com founder
- Web penetration tester
- Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on)
- JBFC community participant
- Well known integrator hater
One more time about the essentials
- Stop calling it a “SOC”. It’s security monitoring
- Some kind of collectors and correlation rules
- Pretty little monkeys tired of false positives (the “SOC team”)
- Some kind of a software for operations management
- The technical solution does not matter
The problem
Common mistakes
- Using templates
- Event overflow (system outage)
- Ignorance of its own architecture
- Lack of competence in hacking
- Faith in marketing bullshit
Perfect correlation rules out of the box
- ICMP timeouts
- Multiple login failures to the same destination (usually the domain controller)
- IRC chat protocol
- “Connect to a known botnet C&C” (usually a CDN)
- Excessive firewall accepts across multiple hosts
- Outbound connection to a foreign country/region
- Systems using many different protocols
Anomaly detection is useless unless you have:
- Asset management
- Stable product lifecycle
- Change management
- Documentation
- Network scheme with information flows
- Policies that are not just a paper sheet
What da hell are you looking for?
- Collecting every logged event is not only stupid but also very expensive
- Malicious activity as described by Certified Ethical Hackers
- Erotic fantasies of SIEM developers
- An infrastructure picture that doesn’t match reality
Monitoring kiwi reservation
- Almost 3 years of monitoring
- Svetlana “Mona” Arkhipova as the gamekeeper
- IBM QRadar as the log collector
- IBM Guardium for the DB
- IBM XGS + StoneGate for the network
- Verdasys Digital Guardian for the OS
- OSSEC as a HIDS
- Something like 3000 kiwis in the wild
- And many more other wild animals
SOC KPI’s
- All those CISSP-style recommendations are outdated
- There is no need to measure garbage like:
  - Resolution time
  - Number of employee certifications
  - Total count of incidents
- You need to know its real efficiency
- One metric: the ratio of registered attacks to performed attacks
Sidestep: Penetration testing
- Hopefully I don’t need to explain what it is and what it’s for
- In case of dramatic sclerosis:
  - Independent security audit
  - Simulated hacker attacks
  - Fast and dirty assessment
- Activity in three separate fields:
  - Perimeter
  - Internal network
  - Social
About the classic approach
Red team exercise
- Reinventing the wheel, this time with SOC realities
- Survival game
- As close as possible to real-world hacking
- Challenge between the offensive and defensive lords
Basic rules
- The game lasts until victory
- Only the CISO has the “red stop button”. If he presses it, the red team wins
- No restrictions on the attack surface or methods
- Worst scenario for the blue team:
  - Insider with tech expertise
  - No daytime limits
- Device hijacking allowed
- Drop-ins are welcome
- Real-life field operations
- Any social attacks
Team “Red”
- Cooperation of d0znpp with ONSEC team + BeLove with DSEC team
- Target: getting access to any sensitive information
- Must record all their actions in the timeline table
- Perfectly balanced pool of skills
Team “Blue”
- QIWI security team
- Target: defend your home
- KPI: register at least 80% of the attacks
One slide for the results
- 3 months of hell
- Red team won
- Approx. 70% of attacks were registered
- Gained access to the security team’s laptop
- Disappointment in all the security toys
- Lots of black holes in the monitoring
- More in my ZeroNights 2015 presentation
Let’s get back to the SOC
- Correlate the attack table with the monitoring results
- Real attack = real vectors
- Now teach your systems to detect them
- Not enough? Build a honeypot and monitor it to create patterns
- Try to hack yourself if you can
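An added example (not from the talk) showing the correlation step above together with the single KPI from the KPI slide: a constructed red-team timeline table is matched against constructed SOC-registered incidents, the ratio of registered to performed attacks is computed against the 80% target, and the unmatched attacks are listed as the monitoring black holes. The host-based matching and the 24-hour detection window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed red-team timeline table: (attack id, time performed, vector, target host)
RED_TIMELINE = [
    ("A1", "2016-03-01T09:12", "phishing", "mail-gw"),
    ("A2", "2016-03-01T10:40", "bruteforce", "dc01"),
    ("A3", "2016-03-02T14:05", "sqli", "web-01"),
    ("A4", "2016-03-03T02:30", "lateral-movement", "fs-02"),
    ("A5", "2016-03-04T11:00", "usb-dropin", "laptop-sec"),
]

# Constructed SOC incident register: (time registered, host, description)
SOC_REGISTERED = [
    ("2016-03-01T09:40", "mail-gw", "suspicious attachment"),
    ("2016-03-01T10:41", "dc01", "multiple login failures"),
    ("2016-03-03T02:45", "fs-02", "admin share access"),
    ("2016-03-05T08:00", "web-01", "sqli in access log"),  # registered days later
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def correlate(attacks, incidents, window=timedelta(hours=24)):
    """Match each performed attack to the first incident on the same host that the
    SOC registered within `window` after the attack (assumed matching rule).
    Returns (matched: {attack id: incident}, black_holes: [(id, vector, host)])."""
    matched, black_holes = {}, []
    for aid, t, vector, host in attacks:
        t0 = parse(t)
        hit = next((inc for inc in incidents
                    if inc[1] == host and t0 <= parse(inc[0]) <= t0 + window), None)
        if hit:
            matched[aid] = hit
        else:
            black_holes.append((aid, vector, host))   # nothing registered in time
    return matched, black_holes

def detection_ratio(attacks, incidents, window=timedelta(hours=24)):
    """The one KPI: registered attacks / performed attacks."""
    matched, _ = correlate(attacks, incidents, window)
    return len(matched) / len(attacks)

def kpi_met(attacks, incidents, target=0.8):
    return detection_ratio(attacks, incidents) >= target

if __name__ == "__main__":
    ratio = detection_ratio(RED_TIMELINE, SOC_REGISTERED)
    _, holes = correlate(RED_TIMELINE, SOC_REGISTERED)
    print(f"registered {ratio:.0%} of attacks, KPI met: {kpi_met(RED_TIMELINE, SOC_REGISTERED)}")
    for aid, vector, host in holes:
        print(f"black hole: {aid} {vector} on {host}")
```

The SQL injection is in the register but only three days later, so it counts as a black hole; the vectors in that list are the ones to build detections (or a honeypot) for.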
Teaching your SOC to defend
- Practice. Only practice.
- Don’t be lazy! Simulate attacks, perform pentests
- There is no magic configuration that suits everyone
- Get an experienced team with at least one hacker in it
- Don’t expect it will save you
- Sometimes good compliance management shows better results
That’s all. Questions?
- As usual, thanks to my team for the great performance and endurance.
- Join us at the defensive section of the ZeroNights 2016
See ya!