SOC Functional Model (SFM) helps organizations to plan & prepare setting up a new SOC or to assess your existing SOC capabilities and identify the areas to focus.
Requesting the audience to understand below topics before jumping into the described process for better understanding,
MITRE ATT&CK | SOC Assessment | MITRE Navigator | Threat Modeling
Threat Emulation | DeTT&CT Framework | MITRE CJA | Risk Remediation Analysis
SFM consists of 5 stages to build a new SOC and 4 stages to assess your existing SOC.
This stage applies only for organizations who are planning to setup Security Operation Centre (SOC) for first time. Below aspects can be decided during the process of planning
SOC monitoring scope (such as only production, production + development, production + development + disaster recovery) based on business requirement
Procurement of SOC tools with high Return of Investment (such as Security Information & Event Management, Endpoint Detection & Response, Network Detection & Response)
Mode of SOC operation to be decided such as In-House or Managed Security Service Provider (MssP)
This stage is about understanding the environment, business and assets which are of high value target for an attacker.
- Understand Mission Priorities
- Understand the business focus and its missions
- Identify relevant assets which drive the mission's success
- Identify Mission Dependencies
- Identify dependencies for the mission critical assets
Topic Reference(s): MITRE CJA
Research Topic: Planning to build a asset dependency graph with the help of Neo4j. If you know any references or existing FOSS projects which has this module inbuilt, kindly shoot an email to kaviarasan1195@gmail.com with the references attached.
Integrate the assets with centralized management solution such as Security Information & Event Management(SIEM). Post integration, the logs should be subjected to below checks to ensure it adds value to our security monitoring,
- Device Completeness
- Data Field Completeness
- Timeliness
- Consistency
- Retention
Topic Reference(s): Log Quality Check
In this stage we will build our first set of use cases to detect anomalies around our crown jewel assets. Below are the few categories of use cases (feel free to add more based on your environment)
- Internet to Intranet (and vice-versa) connection on suspicious ports such as 445, 3389, 22, etc.,
- VPN connections from non-business countries
- Brute Force Login Attempts
- Phishing email
- Intranet Port Scanning
NOTE: Age:I.M3 might produce high False Positive alerts if we haven't understood the environment better (both N-->S and E-->W traffic behavior to be gathered and excluded as part of known behaviors)
This stage is more of an intelligence driven approach to detect, alert, and degrade attackers’ actions against an environment.
In this stage we will gather the list of adversaries who might be interested against your crown jewel assets. The adversaries might land in your environment based on below factors,
- Industry
- Available Technology
- Geographical Location
The output of this stage will produce adversary list from whom we will defend our network.
NOTE: Say for example, our output from previous step has given APT29 and APT 30 as our adversary and going forward this adversary profile is called "Threat Book"
Topic Reference(s): Threat Modeling
From the previous stage (Age:II.M1) output we have compiled a TTP map for the adversaries,
The combination of TTP by both threat groups is compiled with the help of MITRE Navigator and the output will look something like this. Now we have list of TTPs for which we need to create detection use cases. There are plenty of resources which will help building the use case repository. Listing few sites for reference,
NOTE: IOC based intelligence to detect our "Threat Book" should be collected with the help of Threat Intelligence Platform such as MISP.
During this stage we will analyze the list of security controls which will be helpful in defending against the adversary TTPs(in our case APT29 and APT30). This is a hands-off exercise to understand the detection, deny, degrade and deceive capabilities of the security tools and map them to MITRE matrix against our "Threat Book" TTPs.
Research Topic: Upon research, I found MITRE Engenuity security-stack-mapping for Azure and AWS.This is still a research topic for me wherein I am looking for something more similar to Engenuity project for on-premise IT environment. If you know any references or existing FOSS projects which has this module inbuilt, kindly shoot an email to kaviarasan1195@gmail.com with the references attached.
Topic Reference(s): Risk Remediation Analysis; SOC Assessment
During this stage, more proactive actions are conducted which helps SOC to respond faster to cyber threats.
Based on the stage (Age:II.M1) we know the list of TTP to detect and from stages (Age:II.M2) & (Age:II.M3) we can compile a matrix which portrays the list of TTP we can detect, alert, deceive and degrade the attackers progress.
Create a MITRE Att&ck layer combining all the three and have a clear understanding of the below,
- Techniques we can detect
- Techniques we can degrade and deceive
- Techniques we can deny
Based on the above we might end up with few TTPs remained untouched by all categories (deny, detect, deceive or degrade). A detailed research should be conducted against the list and threat-informed decisions need to be made (either enable logging or purchase of new security controls)
Topic Reference(s): MITRE Navigator
Research Topic: Looking for a way to map the output of this stage into node weights against each crown jewel asset. The final crown jewel asset dependency graph should contain node dependency link, node risk value which help defenders to understand their current capability and the area to focus.
Automations to reduce man efforts on repeated tasks should be incorporated.
Vulnerability Assessment gives more visibility about the assets driving with high critical vulnerabilities. Periodic patch management and vulnerability assessment hand by hand provides more visibility to the security posture of the organization.
The process of threat hunting is briefed in one of writings earlier. Follow this link for more details.
Threat Emulation will help organization to understand their capability to detect when an threat profiled adversary in conducting their operation against the environment. The mimicked Techniques need to be emulated and the security use case alerting efficiency need to be validated post emulation activity.
Topic Reference(s): Threat Emulation; Caldera
As mentioned in the introduction, the stages are iterative process and keeps changing as the organization mission changes, priority changes. Below picture shows the repeat loop of the stages which will be iterated over a period of time.
- Repeat Q : Operates when your emulation exercise output shows proven detection gaps which need to be fixed.
- Repeat W : Operates when you business mission changes, priority changes and the environment expands.
SFM model was designed based on my understanding of SOC and the requirements it should full-fill to combat cyber threats. Feel free to reach me through email (kaviarasan1195@gmail.com) for queries and feedback.
Security Operation Centre Functional Model (SFM) © 2022 by Kaviarasan Asokan is licensed under Attribution 4.0 International. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/