Cyber Security Analyst: SOC and Incident Response Skills

If you are new to working in a SOC or are trying to separate yourself from the pack, the following resources should prove helpful. This is not all-encompassing, but it is a good place to start for a basic understanding of how to approach analysis and remediation, and for the general knowledge the job expects. I picked these resources for a couple of reasons. First, these are the kinds of things you may get asked in an interview for your first SOC job. Second, if you are already in a SOC job, these are great resources to make sure that you are someone who can begin to separate yourself from the folks who are just happy to be there.

Cyber Kill Chain

The Cyber Kill Chain usually refers to the model illustrated in the accompanying figure and described in the Lockheed Martin white paper linked above.

This is the most common framework for explaining cybersecurity threats and their corresponding defense strategies.

It’s important to understand this model when triaging an alert or incident so that you have a clear picture of what the attacker is doing, has done, and may do next. This way you can search for related activity and artifacts more efficiently, as well as contain and remediate more effectively.

OWASP Top 10

The OWASP Top Ten is currently in its 2017 revision. The accompanying figure shows the changes between the 2013 and 2017 editions.

The list addresses what have been determined to be the most critical security risks to web applications.

Familiarity with these is crucial for a SOC analyst or Incident Responder who wants to be able to quickly and accurately identify and mitigate threats, vulnerabilities, or malicious activity.

Incident Response Life Cycle

Understanding the Incident Response life cycle is another fundamentally important part of being an analyst or incident responder.

Skipping or misordering the appropriate steps when triaging or responding to an incident can set everyone back in identifying, containing, or remediating an attack.

Regex

Being able to use Regex, or Regular Expressions, is a somewhat underrated skill for security analysts.

The ability to craft more granular queries in tools such as Splunk or CrowdStrike, or to parse various system logs quickly and with precision, is an invaluable skill that will make you a more efficient, not to mention more valuable, analyst to your team.
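As an added example (not part of the original post), the following Python script shows the kind of precise log parsing described above: a compiled regular expression with named groups pulls the timestamp, host, username, source address and port out of OpenSSH auth.log lines, deliberately matching only "Failed password" events so that successful logins and disconnect messages are ignored, and the parsed events are then counted per source address so a noisy source stands out. The log lines, host name and addresses are constructed for this example, and the threshold of three failures is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log format (not real traffic).
# 203.0.113.7 and 198.51.100.20 are documentation addresses.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:15:03 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:15:05 bastion sshd[4022]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar  3 10:15:09 bastion sshd[4023]: Accepted publickey for deploy from 198.51.100.20 port 41022 ssh2: RSA SHA256:abc
Mar  3 10:15:12 bastion sshd[4024]: Failed password for alice from 198.51.100.20 port 41030 ssh2
Mar  3 10:15:20 bastion sshd[4025]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar  3 10:15:22 bastion sshd[4026]: Disconnected from authenticating user root 203.0.113.7 port 50150
"""

# Anchored at both ends and written with named groups so each field is
# extracted by name. The optional "invalid user " group records whether
# the account exists; without it "invalid" would be captured as the user.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>(?:\d{1,3}\.){3}\d{1,3}) port (?P<port>\d+) ssh2$"
)


def parse_failures(log_text):
    """Return one dict per failed-password line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        event = m.groupdict()
        # Normalise the optional group into a boolean for easier filtering.
        event["invalid"] = event["invalid"] is not None
        event["port"] = int(event["port"])
        events.append(event)
    return events


def failures_by_source(events):
    """Count failed logins per source address."""
    return Counter(e["src"] for e in events)


def flag_sources(events, threshold=3):
    """Sources with at least `threshold` failures (threshold is arbitrary here)."""
    counts = failures_by_source(events)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_failures(SAMPLE_LOG)
    for e in parsed:
        tag = "invalid" if e["invalid"] else "valid"
        print(f'{e["ts"]} {e["src"]}:{e["port"]} user={e["user"]} ({tag})')
    print("sources over threshold:", flag_sources(parsed))
```

Splunk's `rex` command accepts the same style of named-group pattern (with `(?<name>...)` rather than Python's `(?P<name>...)` syntax), so a regex worked out and tested against sample lines like this can be carried over into a search almost unchanged.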

MITRE ATT&CK Framework

The MITRE ATT&CK Framework organizes adversary techniques into tactic categories that broadly follow the stages of the Cyber Kill Chain. This makes it easier to understand adversaries and to know what to look for when you detect them in your environment.

APT (Advanced Persistent Threat) groups are the subject of the final three links above. As a SOC or IR analyst you should try not to get carried away by attempting attribution too early in the IR process.

However, you want to be aware of possibilities that could assist in tracking down compromised systems and accounts, identifying and tracking IOCs, and protecting targeted systems, data, and users.

Whether you are trying to break into the field, are just starting out, or have been around for a few years, the above resources should be familiar to you if you want to be an above average analyst.

If you are planning to move into another discipline such as Incident Response, Penetration Testing, Forensics, Malware Analysis, Threat Hunting, Purple Teaming, Secure Software Development, Security Engineering, or move up the management chain within a SOC, these are all things you will need to know well.

These are by no means all you need to know, but as a starting point, this is the supplemental knowledge you want to have on top of any degrees or certifications you acquire. You would be surprised how many candidates I have come across who don’t have even this information as part of their foundation, even people who have been working in cyber security for a while. It becomes clear who has a passion for learning and being great at their job vs. who is just going through the minimum motions.