Master of Your SOC: Are you asking your data the right questions?



The Story

So there I was… watching a new cyber security analyst who was sitting in front of his computer clicking on buttons and menus on his screen.  He didn’t seem to be getting anywhere so after about 10 minutes I asked, “Hey, what are you looking for?”  “I have no idea,” he said.  Maybe that was too broad a question, “What question are you asking the data?”  Same response.  That sparked an idea in the back of my skull that has been rolling around ever since.  What questions are we asking our data?

What’s the Question?

As cyber security analysts, what questions are we asking our data?  Let that sink in for a moment…  We can have all the logs we want: Windows event logs, Sysmon, antivirus, firewall, EDR, web proxy server, DNS; the list goes on ad infinitum.  If we don’t have a question to ask, then the data can’t help us!

I realize that every SOC is different: networks, data sources, sensor placement, workflows, playbooks, politics, and policies all differ from place to place.  Nevertheless, there are some basic questions that every cyber security analyst should answer when looking at data.

Let’s assume that the scenario we are stepping into is a daily hunt on your network.  There has been no indication of anything out of the ordinary, but your job is to make sure everything is good to go. 

My initial reviews are logons, DNS, accounts, and services. 

  • Logons: Any Administrative logins from unexpected places or during unexpected times?
  • Logons: Do the Local Administrator logons look right?
  • Logons: Is the failed login count too high?
  • Logons: Are all other login activities normal?
  • DNS: Any newly visited domains?
  • DNS: Any visited domains that have been registered for less than 30 days?
  • DNS: Is there a high level of NXDOMAIN responses?
  • DNS: Do other DNS activities look normal?
  • Accounts: Have any new Administrator accounts been created?
  • Accounts: Has there been any abnormal use of user accounts in the last 24 hours?
  • Accounts: Do we have any unauthorized devices on the network?
  • Services: Does HTTP traffic look normal?
  • Services: Do the User-Agent strings for HTTP traffic look normal?
  • Services: Does HTTPS traffic look normal?
  • Services: Do the X.509 (PKI, TLS/SSL) certificates look right?
  • Services: Are there any extended/long connections or sessions?
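To show what it looks like to actually put a few of these questions to the data, here is a small daily-hunt script. It is an added example, not code from the original post: the logon and DNS records, hostnames, user names, the business-hours window, and the thresholds are all constructed for illustration, and a real SOC would pull the same fields from its SIEM or EDR. It covers four of the questions above (admin logons at unexpected times, failed logon count, newly visited domains, NXDOMAIN volume); the domain-registration-age question needs an external WHOIS/RDAP lookup and is left out so the script runs offline.

```python
from collections import Counter
from datetime import datetime

# ---- Constructed sample data (illustration only, not real telemetry) ----

# Logon records: (timestamp, user, host, outcome, is_admin)
LOGONS = [
    ("2024-03-04 09:12:00", "jdoe",       "WS-014", "success", False),
    ("2024-03-04 03:41:00", "da-admin",   "DC-01",  "success", True),   # admin logon at 03:41
    ("2024-03-04 10:05:00", "da-admin",   "DC-01",  "success", True),
    ("2024-03-04 11:30:00", "svc-backup", "FS-02",  "success", False),
] + [  # twelve failed logons for one user in the early morning (constructed)
    ("2024-03-04 02:%02d:00" % i, "asmith", "WS-022", "failure", False) for i in range(12)
]

# DNS query records: (timestamp, client, qname, rcode)
DNS = [
    ("2024-03-04 08:00:01", "WS-014", "update.example-vendor.com", "NOERROR"),
    ("2024-03-04 08:00:02", "WS-014", "www.example.org",           "NOERROR"),
    ("2024-03-04 08:01:00", "WS-022", "a7f3k2.example-new.net",    "NOERROR"),
] + [  # nine NXDOMAIN responses to one client (constructed)
    ("2024-03-04 08:02:%02d" % i, "WS-022", "x%d.invalid" % i, "NXDOMAIN") for i in range(9)
]

# Domains seen on earlier hunts; in practice this baseline is kept from previous days.
BASELINE_DOMAINS = {"update.example-vendor.com", "www.example.org"}

BUSINESS_HOURS = (7, 19)        # admin activity expected between 07:00 and 19:00 (assumption)
FAILED_LOGON_THRESHOLD = 10     # failures per user per day worth a look (assumption)
NXDOMAIN_RATIO_THRESHOLD = 0.5  # fraction of a client's queries returning NXDOMAIN (assumption)


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour


def admin_logons_outside_hours(logons, hours=BUSINESS_HOURS):
    """Q: Any administrative logons at unexpected times? Returns the offending records."""
    start, end = hours
    return [r for r in logons
            if r[4] and r[3] == "success" and not (start <= _hour(r[0]) < end)]


def noisy_failed_logons(logons, threshold=FAILED_LOGON_THRESHOLD):
    """Q: Is the failed logon count too high? Returns {user: count} at or above threshold."""
    counts = Counter(r[1] for r in logons if r[3] == "failure")
    return {u: c for u, c in counts.items() if c >= threshold}


def newly_visited_domains(dns, baseline=BASELINE_DOMAINS):
    """Q: Any newly visited domains? Returns resolved domains not in the baseline."""
    return sorted({r[2] for r in dns if r[3] == "NOERROR"} - baseline)


def high_nxdomain_clients(dns, threshold=NXDOMAIN_RATIO_THRESHOLD):
    """Q: Is there a high level of NXDOMAIN responses? Returns {client: ratio} at or above threshold."""
    total = Counter(r[1] for r in dns)
    nx = Counter(r[1] for r in dns if r[3] == "NXDOMAIN")
    return {c: round(nx[c] / total[c], 2) for c in total if nx[c] / total[c] >= threshold}


def daily_hunt(logons=LOGONS, dns=DNS):
    """Ask each question of the data and return the findings (empty value = nothing unusual)."""
    return {
        "admin_off_hours": admin_logons_outside_hours(logons),
        "failed_logons": noisy_failed_logons(logons),
        "new_domains": newly_visited_domains(dns),
        "nxdomain_clients": high_nxdomain_clients(dns),
    }


if __name__ == "__main__":
    for question, findings in daily_hunt().items():
        print(f"{question}: {findings if findings else 'nothing unusual'}")
```

Each function is one question from the list, and the baseline set is the piece that makes "newly visited" answerable at all: without yesterday's answer stored somewhere, today's data cannot tell you what is new. The thresholds are where your own SOC's tuning goes.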

Moving Forward

These are just a starting point.  Your SOC may require something different.  Add, edit, and adjust this list until you have what you need to be Master of Your SOC!