BTLO: The Report 2
Building on your previous work, you're still refining the operations of your newly established SOC. This time, the stakes are a bit higher. You've been assigned to study the MITRE document "11 Strategies of a World-Class Cybersecurity Operations Center" to suggest structural and technical improvements. Time to dive back into the documentation!
Investigative Environment
- Hypervisor: VirtualBox
- OS: REMnux
- Tools: Document Viewer, Web Browser
- Reference: 11 Strategies of a World-Class SOC
Technical Walkthrough
1. Submit the name of the units/teams (in short form) that are responsible for maintaining network and other IT equipment, incident detection and response, and security compliance and risk measurement (Format: Team1, Team2, Team3)
I began by searching for "maintaining network" to identify the team responsible for hardware and infrastructure. Once I had located the first abbreviation, the remaining teams were easy to find in the same section. All three answers are short, two- or three-letter abbreviations.
2. After investigation, what are the 4 suggested 'Response Options' mentioned in Basic SOC Workflow? (Format: Option1, Option2, Option3, Option4)
Searching for "Response options" as a text string yielded no results, because the data is embedded within a graphic. To find it, I searched for the second term instead (can you guess which one?) and that got me the result.
3. What is the name of a military strategy used in SOCs to achieve a high level of situational awareness? (Format: Strategy Name)
I searched for "situational awareness" and got a lot of results. I tried other keywords to narrow the results down, but didn't get the answer, so I went back to "situational awareness" and looked through every hit for keywords like "army", "navy" and "air force". I didn't see those (at least not up to the point where I stopped), but I did see "aircraft"; reading through that section gave me the answer.
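To show the same tactic outside a GUI document viewer, here is an added Python example (my own, not part of the BTLO lab or of the MITRE document): it takes the output of `pdftotext` (assumed to be installed; it emits a form-feed character between pages) and ranks pages by how often one or more terms occur, so a broad term such as "situational awareness" can be combined with a discriminating one such as "aircraft" to shrink the result set. The three-page text embedded in the script is a constructed stand-in, not text from the document.

```python
"""Added example (not part of the original walkthrough): rank the pages of a
large PDF by keyword hits, the way the walkthrough narrows down search results.
Assumes the PDF was converted with `pdftotext file.pdf out.txt`, which puts a
form feed (\\f) at the end of every page; a constructed sample is embedded so
the script runs offline."""
import re

# Constructed three-page sample standing in for pdftotext output; the page
# texts are invented for illustration, not quoted from the MITRE document.
SAMPLE_TEXT = (
    "Page one mentions situational awareness once.\f"
    "Page two: situational awareness, situational awareness, and aircraft.\f"
    "Page three has nothing relevant.\f"
)


def split_pages(text):
    """pdftotext emits one form feed at the end of every page, so the split
    leaves an empty trailing element that must be dropped."""
    pages = text.split("\f")
    if pages and pages[-1] == "":
        pages.pop()
    return pages


def find_pages(text, *terms, require_all=False):
    """Return [(page_number, hits)] sorted by descending hit count.

    Matching is case-insensitive and tolerant of line wraps: a phrase broken
    across a line break in the extracted text still matches because runs of
    whitespace are normalised before searching.  With require_all=True a page
    is reported only if every term occurs on it, which is how you narrow a
    search that returns too many pages: keep the broad term and add a second,
    more specific one.
    """
    patterns = [
        re.compile(r"\s+".join(re.escape(word) for word in term.split()), re.I)
        for term in terms
    ]
    results = []
    for number, page in enumerate(split_pages(text), start=1):
        flat = " ".join(page.split())
        counts = [len(p.findall(flat)) for p in patterns]
        if require_all and not all(counts):
            continue
        total = sum(counts)
        if total:
            results.append((number, total))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    # Broad search: every page mentioning the phrase, busiest page first.
    print(find_pages(SAMPLE_TEXT, "situational awareness"))
    # Narrowed search: only pages that also mention the second term.
    print(find_pages(SAMPLE_TEXT, "situational awareness", "aircraft",
                     require_all=True))
```

One caveat when comparing the script's output with the page numbers quoted in this walkthrough: `pdftotext` numbers pages from the first physical page of the file, so printed page numbers in a document with front matter will be offset by the length of that front matter.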
4. What is the name of the suggested organisational model if the constituency size is between 1000 to 10,000 employees (Format: Organisational Model Name)
The most effective search term here is "constituency size". It leads directly to a breakdown of the different organisational scales and their corresponding recommended SOC models. Good luck with the answer search.
5. In a Large Centralised SOC, who is responsible for generating SOC metrics, maintaining situational awareness, and conducting internal/external trainings? (Format: Role Name)
I didn't really use a search query to find this one. I tried, but there were too many results and I wanted to reduce them. Part of what I found pointed to the table "SOC Organizational Models" on page 54. The answer wasn't there, but I found something very similar on page 57.

Very similar, except that the role name isn't there. I kept scrolling down with all my senses on alert, and found the answer a few pages further on.
6. In Coordinating & National SOCs model what are the 2 functions mentioned as Optional Capability under Expanded SOC Operations Category? (Format: Function1, Function2)
I searched for "Expanded SOC Operations" (dropping "Category" to widen the results) and worked through the hits until I reached the "Capability Template" section. Under the Expanded SOC Operations category I identified three functions, two of which are grouped, or "ticked", together as optional.
I didn't fully answer this one; it was more of an educated guess. I wanted to know more, so I searched for the image and found a source PDF that is also referenced in the file we're working on. If you're interested: https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
7. What are the two virtual console technologies (in short form) mentioned to support Virtual SOC / Remote Work scenarios during pandemics? (Format: Technology1, Technology2)
Searching for "Virtual SOC" provides the necessary context. Note: we are not actually looking for virtual console technologies in general; we are looking for the ones that support "Virtual SOC / Remote" work, which are listed under virtual console technologies. Being able to decode the question speeds up your work.
8. What is the name of the model used to distribute work load of SOC 24/7 across different timezones to eliminate working at night hours? (Format: Model Name)
I located the answer by searching for "night hours." The document describes a specific geographical distribution model designed to ensure 24/7 coverage without requiring local night shifts.
9. Submit the priorities (Low, Medium, High) assigned to Phishing, Insider Threat and Pre-incident Port Scanning activities respectively as per the Incident Prioritization mentioned in the document (Format: Priority1, Priority2, Priority3)
A quick search for "Phishing" leads to the answer.
10. Mention the name of the Open source Operating system mentioned, that can help in mobile incident investigations (Format: OS Name)
Searching for "mobile investigations" also gets you to the answer.
11. Before choosing a CTI tool, the document suggests tool support for 2 open threat intelligence standards (short forms), what are they? (Format: Standard1, Standard2)
I searched for "CTI tool" to find the Cyber Threat Intelligence section.
12. Name the Data Source which consumes the highest volume (typically TB's/day)? (Format: Data Source Name)
Searching for "Data Source" yields many results, so I used the "List of Figures" as a shortcut. On page 186 there is a chart titled "Data Source in Context of SOC Usage and Volume", a good place to start, and I found the answer on that page.
13. In order to support forensics, what is the recommended data retention period (in months) to store logged EDR data? (Format: # of Months)
I searched for "data retention." The document specifies a clear timeframe for EDR logs. When submitting, ensure you use the numerical digit (e.g., 1, 2, 3) rather than writing the word.
14. According to the threat intelligence concept the 'Pyramid of Pain', what indicators are Trivial, Easy, Challenging, Tough for adversaries to change? (Format: Indicator1, Indicator2, Indicator3, Indicator4)
I searched for "Pyramid of Pain" to get the answer.
15. Name of the Red Teaming approach to mimic the TTPs of an adversary? (Format: Approach Name)
Searching for "Red Teaming" leads to the answer.
Success!

Thank you for following along! Hopefully, this helps you. Stay tuned for more defensive deep-dives!