So you've just picked up your first ticket in the SOC. What do you do now? I hope you're beginning by writing down the five steps of the 5-step SOC Methodology:
Reason
Supporting Evidence
Analysis
Conclusion
Next Steps
For the reason, you put in the signature, or the particular reason why this alarm was triggered.
Begin documenting all of the supporting evidence for the alarm, adding source and destination to their appropriate categories as you do so.
You are doing this because it's imperative to visualize the network traffic flow: where the traffic comes from, where it goes, over what port, and by what protocol.
Let me say that again: the traffic is coming from what IP, to what IP, over what port, and over what protocol?
Once you have that written down, you can visualize the primary intent of the traffic. In networking, the destination port is the service that the source IP address is trying to contact on the destination IP address. If no service is listening on that port, or if the port is not open, then the source IP address cannot connect to the destination IP address.
So, the next thing you want to see is whether the connection was successful. Just because an attacker tried to connect to a service doesn't mean it was there and accepted the connection. The connection can be rejected by the firewall, or even by the host itself if the port is closed, and there is usually evidence of that in the packets or flow data.
In our Cyber Range, you can see that the dionaea_action accepted the connection, resulting in a successful connection to the honeypot. This is a field generated by the honeypot in the log to let us know that the traffic was allowed into the host. So there's no host-based firewall preventing the traffic from entering and making a connection. There may be a similar log entry if a firewall in front of this honeypot says that the connection was allowed. If the connection was rejected, you can likely close the alert as benign or a false positive. Benign means the activity happened but couldn't hurt anything.
It's essential to know the directionality of the traffic and where the connection started. If you see that the source port is 80 and the destination port is 3932, it is likely return traffic, and you're not looking at the first packet in the sequence. You know this because port 80 is a low port (typically below 1024), and these are reserved for host services.
Port 80 is typically a web server, so it only makes sense that this is a web server returning traffic, and you then need to verify that. However, it is common to land on an event where this is the particular packet that caused the alarm to trigger, but it wasn't the origin of the traffic, and the SIEM has got its directionality backward. Now you know that this traffic should be reversed and that the true source IP address is the one with the high source port. You can typically close these out as false positives quickly once you understand the traffic flow and whether it matches the intent of the reason it fired.
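The two checks above (was the connection accepted, and is the SIEM's source/destination reversed) can be applied mechanically to a flow record. The following is an added example, not code from the article or the Cyber Range; the key=value log format, the 1023 well-known-port cutoff, and the "accept"/"reject" values of the dionaea_action field are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023  # assumption: ports 0-1023 are reserved for host services

# Constructed sample log lines (not real honeypot output); field values are assumed.
SAMPLE_LOGS = [
    "src_ip=203.0.113.7 src_port=51234 dst_ip=10.0.0.5 dst_port=445 proto=tcp dionaea_action=accept",
    "src_ip=10.0.0.5 src_port=80 dst_ip=203.0.113.9 dst_port=3932 proto=tcp dionaea_action=accept",
    "src_ip=198.51.100.3 src_port=40000 dst_ip=10.0.0.5 dst_port=23 proto=tcp dionaea_action=reject",
]

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    accepted: bool  # True when the host (or a firewall in front of it) allowed the connection

def parse_kv_log(line: str) -> Flow:
    """Parse a whitespace-separated key=value log line into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src_ip"], int(kv["src_port"]), kv["dst_ip"], int(kv["dst_port"]),
                kv["proto"], kv["dionaea_action"] == "accept")

def normalize_direction(flow: Flow) -> tuple[Flow, bool]:
    """Return the flow with the true initiator as source, plus whether it was flipped.
    A well-known source port paired with an ephemeral destination port is return
    traffic, so the SIEM has the direction backward and we swap the endpoints."""
    if flow.src_port <= WELL_KNOWN_MAX and flow.dst_port > WELL_KNOWN_MAX:
        return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port,
                    flow.proto, flow.accepted), True
    return flow, False

def triage(flow: Flow) -> dict:
    """Apply the article's two checks and produce the evidence an analyst writes down."""
    norm, flipped = normalize_direction(flow)
    # A rejected connection could not have hurt anything: benign / false positive.
    verdict = "investigate" if norm.accepted else "false_positive"
    return {"initiator": norm.src_ip, "target": norm.dst_ip, "service_port": norm.dst_port,
            "proto": norm.proto, "flipped": flipped, "verdict": verdict}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(parse_kv_log(line)))
```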
Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and also holds CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and seven online courses specifically for SOC analysts.
You can connect with him on LinkedIn.
You can sign up for a Premium Membership of Cyber NOW® for $29.99, which includes all courses, the cyber range, webinars, and the extensive knowledge base.
Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several fun hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Also available in the Secure Style Store, download the Job Hunting Application Tracker and Resume Template for FREE.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.