SOC ATTACKER CENTRIC - Analysis of a prevention oriented SOC
Ioris, Mirko (2023-02-06)
This publication is subject to copyright rules. The work may be read and printed for personal use. Commercial use is prohibited.
Access: open
Permanent address of the publication:
https://urn.fi/URN:NBN:fi-fe2023021026723
Abstract
This thesis explains what a Security Operations Center (SOC) is and how it works, analyzing the phases and modules that make up the final product. Typically, a SOC centralizes the company's security-relevant data (logs, events, telemetry) in one place where it can be constantly monitored. The IT infrastructure is analyzed in real time for anomalies, malicious activity, and intrusion attempts. Not only the traffic sent from one machine to another, but also the physical state and resource usage of hosts (e.g., memory and CPU) are continuously monitored. Through the creation and use of multiple detection rules, alerts are generated and then reviewed by the SOC analyst team, which promptly informs customers when needed.

The state of the art is explored to study current SOCs and the best practices they adopt. Then the SOC Attacker Centric (SOC-AC) developed by the company Wuerth Phoenix is analyzed. The functioning of the SOC-AC is studied and explained, highlighting how it adds to the classic suite of SOC services an extra part focused on the attacker's point of view. The SOC-AC covers the reconnaissance phase, usually neglected by SOCs, in which attackers gather information about a target in order to find the best strategy to break in and carry out the attack.

In the last part of the thesis, the design and implementation of an automatic SOC reporting functionality is shown. An efficient communication channel with the customer is important, so that they receive data on the status of the SOC they are paying for. Initially this was a static, manually executed, error-prone procedure. It was improved by building a semi-automatic system of report generation and delivery on top of the Elastic SIEM, using several languages (Python, Bash, Lucene query syntax, Elastic's query languages, and the Kibana Query Language), which leaves the reporter with fewer parts to analyze and document, saving time and resources.
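As an added illustration of the reporting workflow the abstract describes (this is example code written for this page, not the thesis author's or Wuerth Phoenix's implementation), the block below fetches alerts for a reporting window, aggregates them by severity, rule and host, and renders a plain-text customer report. It assumes alert documents shaped like Elastic Security alerts (fields such as `kibana.alert.rule.name`, `kibana.alert.severity`, `host.name`); the sample alerts are constructed, and the query body is only built, not sent, so the script runs offline.

```python
"""Semi-automatic SOC report generation over Elastic SIEM style alerts.

Added example, not code from the thesis. Field names follow the layout of
Elastic Security alert documents (an assumption); all data is constructed.
"""
from collections import Counter
from datetime import datetime

SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample alerts (hypothetical, not real customer data).
SAMPLE_ALERTS = [
    {"@timestamp": "2023-01-09T08:12:03Z", "kibana.alert.rule.name": "Multiple failed SSH logins",
     "kibana.alert.severity": "medium", "host.name": "web-01"},
    {"@timestamp": "2023-01-10T21:40:55Z", "kibana.alert.rule.name": "Multiple failed SSH logins",
     "kibana.alert.severity": "medium", "host.name": "web-02"},
    {"@timestamp": "2023-01-11T03:05:17Z", "kibana.alert.rule.name": "Mimikatz memory signature",
     "kibana.alert.severity": "critical", "host.name": "dc-01"},
    {"@timestamp": "2023-01-12T14:22:48Z", "kibana.alert.rule.name": "Unusual process for a Windows host",
     "kibana.alert.severity": "high", "host.name": "ws-17"},
    {"@timestamp": "2023-01-13T10:00:00Z", "kibana.alert.rule.name": "High CPU usage",
     "kibana.alert.severity": "low", "host.name": "web-01"},
    # Outside the reporting window below: must not be counted.
    {"@timestamp": "2023-01-16T09:00:00Z", "kibana.alert.rule.name": "Multiple failed SSH logins",
     "kibana.alert.severity": "medium", "host.name": "web-01"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'.

    fromisoformat() only accepts the 'Z' suffix from Python 3.11 on, so the
    suffix is normalised to an explicit offset first.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_alert_query(start, end):
    """Elasticsearch query DSL body for the same reporting window.

    Filters alerts by time and aggregates them by severity and rule name on
    the server side, so the report script never has to page through alerts.
    """
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": start, "lt": end}}},
        "aggs": {
            "by_severity": {"terms": {"field": "kibana.alert.severity"}},
            "by_rule": {"terms": {"field": "kibana.alert.rule.name", "size": 10}},
        },
    }


def summarize_alerts(alerts, start, end):
    """Count alerts falling in [start, end) by severity, rule and host."""
    t0, t1 = parse_ts(start), parse_ts(end)
    in_window = [a for a in alerts if t0 <= parse_ts(a["@timestamp"]) < t1]
    by_severity = Counter(a["kibana.alert.severity"] for a in in_window)
    by_rule = Counter(a["kibana.alert.rule.name"] for a in in_window)
    by_host = Counter(a["host.name"] for a in in_window)
    return {
        "window": (start, end),
        "total": len(in_window),
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITY_ORDER},
        "top_rules": by_rule.most_common(5),
        "top_hosts": by_host.most_common(5),
        # Critical alerts are the ones the analyst team escalates immediately.
        "escalations": [a for a in in_window if a["kibana.alert.severity"] == "critical"],
    }


def render_report(summary, customer):
    """Render the summary as the plain-text report sent to the customer."""
    start, end = summary["window"]
    lines = [f"SOC report for {customer}: {start} to {end}",
             f"Total alerts: {summary['total']}", "", "Alerts by severity:"]
    for sev in SEVERITY_ORDER:
        lines.append(f"  {sev:<9} {summary['by_severity'][sev]}")
    lines += ["", "Most frequent rules:"]
    for rule, n in summary["top_rules"]:
        lines.append(f"  {n:>3}  {rule}")
    lines += ["", "Most affected hosts:"]
    for host, n in summary["top_hosts"]:
        lines.append(f"  {n:>3}  {host}")
    lines += ["", f"Critical alerts escalated to the customer: {len(summary['escalations'])}"]
    for a in summary["escalations"]:
        lines.append(f"  {a['@timestamp']}  {a['host.name']}  {a['kibana.alert.rule.name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    window = ("2023-01-09T00:00:00Z", "2023-01-16T00:00:00Z")
    print(render_report(summarize_alerts(SAMPLE_ALERTS, *window), "Example Customer"))
```

In a live deployment the body returned by `build_alert_query` would be posted to the alert index of the Elastic SIEM and the aggregation buckets read from the response; the local counting in `summarize_alerts` is kept so the report logic can be tested on constructed data, and the explicit half-open window avoids double-counting alerts on the boundary between two consecutive reports.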