In an increasingly connected society with more and more cyber threats, it has become essential to protect organizations against potential data breaches and vulnerabilities.
That's why more companies are choosing to subscribe to an MSSP (Managed Security Service Provider) service including an external SOC (Security Operations Center) service, which manages information security within the company.
Within this base, in a SOC there are analysts working 24/7 on a rotating shift basis. There is a permanent team of analysts ranging from level 1 to 3.
This article looks at the role of a level 1 analyst within the Senthorus SOC.
Level 1 analysts are on the front line of corporate defense against cyberattacks, playing a
central role in protecting companies from potential breaches and threats. Let's take a look at their tasks, skills, challenges, and importance in the field of cybersecurity.
The main task of an analyst is to triage security alerts on our customers' information systems constantly. Identifying and responding to security problems is essential, so security alerts must be identified and dealt with in real-time.
In this role, we are the first to face alerts raised by the detection rules, which is why it's vital
to have a wide range of IT knowledge. This multi-faceted role requires an in-depth understanding of various IT domains, from network architecture and systems administration to cloud services and application development. This diverse expertise enables SOC analysts to effectively decipher complex security incidents, actively navigate complex IT environments, and accurately discern anomalous activity. With a broad knowledge base, SOC analysts are better equipped to identify vulnerabilities, proactively detect emerging threats, and respond rapidly to security breaches. Ultimately, the ability to seamlessly integrate IT knowledge with security acumen enables SOC analysts to protect critical assets and fortify digital landscapes against an ever-evolving spectrum of cyber threats.
Within a Security Operations Center (SOC), two essential tools are employed by analysts: Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) :
- The SIEM is the central tool that collects and analyses data from several different sources. Its main functions are live monitoring, alerting, incident investigation, incident
response, and incident management. The SIEM provides a global view of an organization's digital landscape.
- The EDR continuously monitors individual endpoints - all devices connected to the corporate network - and provides deep visibility of endpoint activity to detect and respond to cyber threats. Integration with SIEM improves the SOC's ability to detect, respond, and investigate security incidents.
Together, the SIEM and EDR will be able to detect security incidents, increasing the SOC's capabilities and ensuring a proactive stance against cyber threats.
Incident resolution phase
When processing an incident, the analyst will be on the lookout for any signs of unusual activity or patterns that might correspond to suspicious activity.
1. Sorting
First, the analyst needs to assess the severity, categorization, and credibility of the alerts. Indeed, alerts created by EDR or SIEM are alerts that derive from detection rules, so there are a large number of alerts that aren't alerts at all. These are known as False Positives, which means that an analyst's first job is to judge the credibility of an alert.
In order to respect the SLA (service-level agreement) within the SOC, we use the FIFO (first in first out) principle for processing alerts. In some cases, however, it is more important to prioritize an incident deemed a priority in this first phase.
2. Investigation
This phase consists of an investigation to verify the activities of the user or host concerned by the alert. The aim is to find the chronology of events leading up to the incident, indicating the actions taken by the attacker. This will enable us to understand the incident better.
To do this, go to the incident page in the solution that generated the alert. Let's take Azure Sentinel as an example: when we open the link, we come to a summary of the incident, including its severity level and the resources affected. We can then start the investigation by looking for evidence of the attack. To do this, we'll perform KQL (Kusto query language) queries, which will enable us to retrieve information from other tables in the database. Finally, with all this information, we'll be able to determine the veracity of the incident. During the investigation, I used several tools to obtain more information. To name just a few, I use VirusTotal, an online service that analyzes suspicious files and all kinds of malware detected by antivirus engines, as well as AbuseIPdb, which lets me check an IP address and find out more about its origin, host, etc. I use sandboxes such as Joesandbox to check a URL and find out whether it's malicious or not. There are also URLscan.io, Cyberchef, valkyrie, ...
In the event of a confirmed incident, we follow predefined protocols to mitigate the impact of the incident. Depending on the preapproved action list made by the client, this may involve isolating affected systems, blocking malicious IP addresses, or initiating further investigation, all in compliance with authorized actions.
These protocols are playbooks that have been defined in advance by SOC analysts, which also saves time during investigations.
3. Resolution
Finally, after determining the result of the incident, there are 2 possibilities: closing the incident or sending a message to the customer asking for more information.
a. Closing the incident
During this process, we have collected all the information relating to the incident, which will now enable us to fill in the information sent to the customer.
b. Opening a customer ticket
If the incident is of medium severity, we open a customer ticket to give them the conclusions of our investigation and the information gathered. The aim is to be able to interact with the customer's security department to ask them to carry out checks or to request permission to act.
It's also possible that I haven't found the right evidence of an actual attack during the investigation. In this case, I escalate the incident to higher-level SOC analysts or management for further analysis and response.
Accurate documentation is essential to understand the chronology of the incident, the actions taken, and the results. The Level 1 analyst keeps detailed records to facilitate subsequent analysis and reporting.
Conclusion
In a SOC, the role of a Level 1 SOC analyst is crucial. Their real-time vigilance, rapid decisionmaking, and ability to work under pressure contribute significantly to an organization's overall security posture. As the cyber threat landscape continues to evolve, the expertise and dedication of these analysts remain crucial in the fight against digital adversaries.
If you're aspiring to pursue a career as a SOC analyst, here are some valuable training programs and certifications to consider:
➢ Ec-council CSA certified SOC Analyst
➢ Tryhackme SOC analyst L1 path
➢ Microsoft Security Operations Analyst SC-200
