
Security Operation Centre Functional Model (SFM)

SOC Functional Model (SFM) helps organizations plan and prepare for setting up a new SOC, or assess an existing SOC's capabilities and identify the areas to focus on.

Readers are requested to familiarize themselves with the topics below before going through the process described here:

MITRE ATT&CK | SOC Assessment | MITRE Navigator | Threat Modeling

Threat Emulation | DeTT&CT Framework | MITRE CJA | Risk Remediation Analysis

The SFM Model

SFM consists of 5 stages for building a new SOC (Infancy through Age IV) and 4 stages for assessing an existing SOC (Age I through Age IV, since Infancy applies only to a first-time setup).

SFM Stages

Infancy

This stage applies only to organizations planning to set up a Security Operation Centre (SOC) for the first time. The aspects below are decided during planning:


Infancy.M1 - Monitoring Scope

Decide the SOC monitoring scope (production only; production + development; production + development + disaster recovery) based on business requirements.

Infancy.M2 - Tools Procurement

Procure the SOC tools with the highest return on investment (such as Security Information & Event Management (SIEM), Endpoint Detection & Response (EDR) and Network Detection & Response (NDR)).

Infancy.M3 - Mode of Operation

Decide the mode of SOC operation: in-house, or through a Managed Security Service Provider (MSSP).

Age I

This stage is about understanding the environment, the business, and the assets that are high-value targets for an attacker.


Age:I.M1 - Crown Jewel Analysis

  • Understand Mission Priorities
    • Understand the business focus and its missions
    • Identify relevant assets which drive the mission's success
  • Identify Mission Dependencies
    • Identify dependencies for the mission critical assets

Topic Reference(s): MITRE CJA

Research Topic: Planning to build an asset dependency graph with the help of Neo4j. If you know any references or existing FOSS projects that have this capability built in, kindly shoot an email to kaviarasan1195@gmail.com with the references attached.

Age:I.M2 - Log Quality Analysis

Integrate the assets with a centralized log management solution such as a Security Information & Event Management (SIEM) system. After integration, subject the logs to the checks below to ensure they add value to security monitoring:

  • Device Completeness
  • Data Field Completeness
  • Timeliness
  • Consistency
  • Retention

Topic Reference(s): Log Quality Check
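The five checks above can be run mechanically against a SIEM export before any use case is written. The script below is an added example (it is not part of the SFM repository): it evaluates device completeness, field completeness, timestamp consistency, timeliness and retention over a handful of constructed, normalized events. The device list, required fields, retention policy and the 5-minute lag budget are assumptions standing in for the scope agreed in Infancy.M1; the events themselves are made up so the script runs offline.

```python
import re
from datetime import datetime, timedelta, timezone

# --- Constructed inputs (hypothetical; replace with your own scope and a real SIEM export) ---
EXPECTED_DEVICES = {"fw-edge-01", "dc-01", "web-prod-01", "edr-console"}   # in-scope sources (Infancy.M1)
REQUIRED_FIELDS = {"@timestamp", "host", "event_type", "src_ip", "user"}   # fields the use cases key on
RETENTION_POLICY = {"fw-edge-01": 30, "dc-01": 365, "web-prod-01": 90, "edr-console": 180}  # days, per source
RETENTION_DAYS = 90               # minimum needed for investigations
MAX_LAG = timedelta(minutes=5)    # acceptable delay between event time and ingest time

# Constructed events as a SIEM might normalize them. Index 2 lacks "user" and arrived 90 min late;
# index 3 carries a US-style timestamp instead of the agreed ISO-8601 format.
EVENTS = [
    {"@timestamp": "2022-06-01T11:58:10Z", "ingest_time": "2022-06-01T11:58:40Z", "host": "fw-edge-01",
     "event_type": "conn", "src_ip": "203.0.113.5", "user": "-"},
    {"@timestamp": "2022-06-01T11:59:00Z", "ingest_time": "2022-06-01T11:59:20Z", "host": "dc-01",
     "event_type": "logon", "src_ip": "10.0.0.7", "user": "alice"},
    {"@timestamp": "2022-06-01T10:30:00Z", "ingest_time": "2022-06-01T12:00:00Z", "host": "web-prod-01",
     "event_type": "http", "src_ip": "198.51.100.9"},
    {"@timestamp": "06/01/2022 11:59:30", "ingest_time": "2022-06-01T11:59:50Z", "host": "dc-01",
     "event_type": "logon", "src_ip": "10.0.0.8", "user": "bob"},
]

ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def parse_ts(value):
    """Parse the agreed ISO-8601 UTC format; return None for anything else."""
    if not isinstance(value, str) or not ISO_TS.match(value):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_completeness(events, expected_devices):
    """Devices in scope that sent nothing: a silent source is a blind spot, not 'no activity'."""
    return sorted(expected_devices - {e.get("host") for e in events})


def field_completeness(events, required_fields):
    """Events missing mandatory fields; a use case cannot key on a field that is absent."""
    return [(i, sorted(required_fields - e.keys()))
            for i, e in enumerate(events) if required_fields - e.keys()]


def consistency(events):
    """Events whose event time is not in the agreed format; they sort wrongly and break correlation."""
    return [i for i, e in enumerate(events) if parse_ts(e.get("@timestamp")) is None]


def timeliness(events, max_lag):
    """Events that reached the SIEM more than max_lag after they occurred (alerts on stale data)."""
    late = []
    for i, e in enumerate(events):
        occurred, ingested = parse_ts(e.get("@timestamp")), parse_ts(e.get("ingest_time"))
        if occurred and ingested and ingested - occurred > max_lag:
            late.append(i)
    return late


def retention(policy, required_days):
    """Sources whose configured retention is shorter than the investigation need."""
    return sorted(h for h, days in policy.items() if days < required_days)


def log_quality_report(events=EVENTS):
    """Run all five checks; an empty value means the check passed."""
    return {
        "missing_devices": device_completeness(events, EXPECTED_DEVICES),
        "incomplete_fields": field_completeness(events, REQUIRED_FIELDS),
        "inconsistent_timestamps": consistency(events),
        "late_events": timeliness(events, MAX_LAG),
        "short_retention": retention(RETENTION_POLICY, RETENTION_DAYS),
    }


if __name__ == "__main__":
    for check, findings in log_quality_report().items():
        print(f"{check:24s} {'OK' if not findings else findings}")
```

On the constructed sample the report flags edr-console as silent, event 2 as both incomplete and late, event 3 as inconsistently timestamped, and fw-edge-01 as retaining logs for too short a period. Each finding points at a fix on the source or collector side, which is why this check belongs before Age:I.M3 rather than after it.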

Age:I.M3 - Primary Analytics

In this stage we build the first set of use cases to detect anomalies around the crown jewel assets. Below are a few categories of use cases (add more based on your environment):

  • Internet-to-intranet (and vice versa) connections on suspicious ports such as 445 (SMB), 3389 (RDP) and 22 (SSH)
  • VPN connections from non-business countries
  • Brute Force Login Attempts
  • Phishing email
  • Intranet Port Scanning

NOTE: Age:I.M3 may produce a high volume of false-positive alerts if the environment is not yet well understood; baseline both north-south and east-west traffic behaviour first and exclude the known, expected behaviours from the use cases.
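Three of the categories above (suspicious-port boundary crossings, brute-force logons and intranet port scanning) are shown below as detection logic run over constructed firewall and authentication records. This is an added example, not code from the SFM repository. The internal CIDRs, thresholds, windows and the "known behaviour" allowlist entry (an MSP bastion allowed to SSH to one host) are assumptions; they are the kind of baseline the NOTE says must be gathered before these use cases go live, and the example shows how that baseline suppresses an otherwise-matching event.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed monitoring scope: the organization's own address space (from Infancy.M1).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPICIOUS_PORTS = {22, 445, 3389}                          # SSH, SMB, RDP
BRUTE_FORCE_THRESHOLD, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=5)
SCAN_PORT_THRESHOLD, SCAN_WINDOW = 10, timedelta(minutes=1)

# Known behaviour learned while baselining (hypothetical): a contracted MSP bastion may SSH to one host.
KNOWN_BEHAVIOURS = {("203.0.113.50", "10.0.5.10", 22)}      # (src, dst, dport) tuples to exclude

T0 = datetime(2022, 6, 1, 9, 0, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed firewall connection records and authentication records (not real traffic).
CONNS = [
    {"ts": at(0),  "src": "203.0.113.7",  "dst": "10.0.1.20",    "dport": 3389},  # inbound RDP from internet
    {"ts": at(5),  "src": "10.0.1.5",     "dst": "10.0.1.20",    "dport": 443},   # normal internal HTTPS
    {"ts": at(10), "src": "203.0.113.50", "dst": "10.0.5.10",    "dport": 22},    # known MSP SSH, excluded
    {"ts": at(15), "src": "10.0.1.30",    "dst": "198.51.100.3", "dport": 445},   # outbound SMB to internet
    {"ts": at(20), "src": "10.0.1.5",     "dst": "10.0.1.21",    "dport": 80},
] + [{"ts": at(30 + p), "src": "10.0.9.9", "dst": "10.0.1.20", "dport": p} for p in range(1, 13)]  # sweep

AUTHS = [{"ts": at(15 * i), "src": "203.0.113.7", "user": "admin", "outcome": "fail"} for i in range(6)] + [
    {"ts": at(100), "src": "10.0.1.5", "user": "alice", "outcome": "fail"},      # one typo, below threshold
    {"ts": at(130), "src": "10.0.1.5", "user": "alice", "outcome": "success"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_suspicious_port_crossing(conns, allowlist=KNOWN_BEHAVIOURS):
    """Connections crossing the internet/intranet boundary on a suspicious port, minus known behaviours."""
    return [c for c in conns
            if is_internal(c["src"]) != is_internal(c["dst"])
            and c["dport"] in SUSPICIOUS_PORTS
            and (c["src"], c["dst"], c["dport"]) not in allowlist]


def rule_brute_force(auths, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """One alert per source that produced `threshold` failed logons inside any `window`-long span."""
    failures = defaultdict(list)
    for a in auths:
        if a["outcome"] == "fail":
            failures[a["src"]].append(a["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:    # sliding window over sorted failures
                alerts.append({"src": src, "failures": len(times), "first_seen": times[i]})
                break
    return alerts


def rule_internal_port_scan(conns, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """One alert per internal (src, dst) pair touched on >= threshold distinct ports within `window`."""
    by_pair = defaultdict(list)
    for c in conns:
        if is_internal(c["src"]) and is_internal(c["dst"]):
            by_pair[(c["src"], c["dst"])].append((c["ts"], c["dport"]))
    alerts = []
    for (src, dst), items in by_pair.items():
        items.sort()
        for start, _ in items:
            ports = {p for t, p in items if start <= t <= start + window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports)})
                break
    return alerts


def run_primary_analytics(conns=CONNS, auths=AUTHS):
    return {
        "suspicious_port_crossing": rule_suspicious_port_crossing(conns),
        "brute_force": rule_brute_force(auths),
        "internal_port_scan": rule_internal_port_scan(conns),
    }


if __name__ == "__main__":
    for rule, hits in run_primary_analytics().items():
        print(rule, len(hits), "hit(s)")
        for h in hits:
            print("   ", h)
```

Note that internal/external is decided from the organization's own CIDR list rather than a library's notion of "private" addresses; a SOC knows its scope, and the same list is what Infancy.M1 fixes. The allowlisted MSP connection is the concrete form of the NOTE: without it, the first rule would fire on every scheduled bastion login.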

Age II

This stage takes an intelligence-driven approach to detecting, alerting on and degrading attackers' actions against the environment.


Age:II.M1 - Threat Modeling

In this stage we gather the list of adversaries who might be interested in your crown jewel assets. Which adversaries are likely to land in your environment depends on factors such as:

  • Industry
  • Available Technology
  • Geographical Location

The output of this stage is the list of adversaries against whom the network will be defended.

NOTE: Suppose, for example, that the previous step identified APT29 and APT30 as our adversaries; going forward this adversary profile is called the "Threat Book".

Topic Reference(s): Threat Modeling

Age:II.M2 - Intelligence driven Analytics

From the output of the previous stage (Age:II.M1), compile a TTP map for each adversary in the Threat Book.

The combined TTPs of both threat groups are compiled with the help of MITRE Navigator; the output will look something like this. This gives the list of TTPs for which detection use cases need to be created. There are plenty of resources that help in building the use case repository; a few sites are listed for reference:

NOTE: IOC-based intelligence for detecting the Threat Book adversaries should be collected with the help of a Threat Intelligence Platform such as MISP.

Age:II.M3 - Risk Remediation Analysis

During this stage we analyze the security controls that help defend against the adversary TTPs (in our case those of APT29 and APT30). This is a hands-off exercise: understand the detect, deny, degrade and deceive capabilities of the existing security tools and map them onto the MITRE ATT&CK matrix against the Threat Book TTPs.

Research Topic: Upon research, I found the MITRE Engenuity security-stack-mapping project for Azure and AWS. This is still a research topic for me: I am looking for something similar to the Engenuity project for on-premise IT environments. If you know any references or existing FOSS projects that have this built in, kindly shoot an email to kaviarasan1195@gmail.com with the references attached.

Topic Reference(s): Risk Remediation Analysis; SOC Assessment

Age III

During this stage, more proactive activities are conducted which help the SOC respond faster to cyber threats.


Age:III.M1 - MITRE Detection Coverage

From stage Age:II.M1 we know the list of TTPs to detect, and from stages Age:II.M2 and Age:II.M3 we can compile a matrix showing for which TTPs we can detect and alert on the attacker, and for which we can deceive or degrade the attacker's progress.

Create a MITRE ATT&CK Navigator layer combining all three and get a clear picture of the following:

  • Techniques we can detect
  • Techniques we can degrade and deceive
  • Techniques we can deny

Based on the above we may end up with a few TTPs untouched by every category (deny, detect, deceive or degrade). Research this list in detail and make threat-informed decisions (either enable the logging needed for detection or purchase new security controls).

Topic Reference(s): MITRE Navigator

Research Topic: Looking for a way to map the output of this stage onto node weights for each crown jewel asset. The final crown jewel asset dependency graph should carry the dependency links and a risk value per node, which help defenders understand their current capability and the areas to focus on.
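The two Navigator steps (combining the Threat Book TTPs in Age:II.M2, and scoring them by detect/deny/degrade/deceive coverage to find the untouched ones in Age:III.M1) can be produced from the same data, so one added example covers both. This is not code from the SFM repository. The technique IDs are real ATT&CK IDs, but their assignment to APT29 and APT30 and the control-to-capability mapping are constructed placeholders for your own Age:II.M1 and Age:II.M3 output; the Navigator version strings in the layer are assumptions to be matched to your Navigator instance.

```python
import json

# Constructed Threat Book (Age:II.M1 output). Technique IDs are real ATT&CK IDs; their assignment
# to the two groups is illustrative only. Take the real mapping from ATT&CK's group pages.
THREAT_BOOK = {
    "APT29": ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1071.001", "T1078", "T1027"],
    "APT30": ["T1566.001", "T1105", "T1053.005", "T1071.001", "T1027"],
}

# Constructed Age:II.M3 output: control -> {technique: capability}, capability in the four D's.
CONTROLS = {
    "EDR":                  {"T1059.001": "detect", "T1003.001": "detect"},
    "Mail gateway":         {"T1566.001": "deny"},
    "Web proxy":            {"T1071.001": "degrade", "T1105": "detect"},
    "SIEM RDP use case":    {"T1021.001": "detect"},
    "Honey accounts":       {"T1078": "deceive"},
    "Application control":  {"T1059.001": "deny"},
}
CAPABILITIES = ("detect", "deny", "degrade", "deceive")


def compile_threat_book(threat_book=THREAT_BOOK):
    """Age:II.M2: union of the adversaries' TTPs, recording who uses each (shared ones deserve priority)."""
    users = {}
    for group, ttps in threat_book.items():
        for t in ttps:
            users.setdefault(t, set()).add(group)
    return {t: sorted(g) for t, g in sorted(users.items())}


def coverage_matrix(ttps, controls=CONTROLS):
    """Age:III.M1: for each Threat Book TTP, the capabilities some control provides against it."""
    matrix = {t: set() for t in ttps}
    for control, mapping in controls.items():
        for t, cap in mapping.items():
            if cap not in CAPABILITIES:
                raise ValueError(f"{control}: unknown capability {cap!r} for {t}")
            if t in matrix:                       # controls covering out-of-scope TTPs are ignored here
                matrix[t].add(cap)
    return {t: sorted(caps) for t, caps in matrix.items()}


def untouched(matrix):
    """TTPs no control detects, denies, degrades or deceives: the list needing a threat-informed decision."""
    return [t for t, caps in matrix.items() if not caps]


def build_layer(name, ttp_users, matrix):
    """ATT&CK Navigator layer; score = number of distinct capabilities (0-4), so gaps render at the low end.
    The version strings are assumptions: set them to match your Navigator instance."""
    techniques = []
    for t, groups in ttp_users.items():
        caps = matrix.get(t, [])
        techniques.append({
            "techniqueID": t,
            "score": len(caps),
            "comment": f"used by {', '.join(groups)} | " + (", ".join(caps) if caps else "NO COVERAGE"),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Threat Book TTPs scored by detect/deny/degrade/deceive coverage",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 4},
        "techniques": techniques,
    }


if __name__ == "__main__":
    ttps = compile_threat_book()
    matrix = coverage_matrix(ttps)
    print("Untouched TTPs:", untouched(matrix))
    with open("threat_book_coverage.json", "w") as f:
        json.dump(build_layer("Threat Book coverage", ttps, matrix), f, indent=2)
```

The layer file is loaded into Navigator with "Open Existing Layer". On the constructed data, T1027 and T1053.005 come out with score 0: T1027 is used by both groups and T1053.005 needs scheduled-task logging, which is exactly the "enable logging or buy a control" decision the text calls for. Scoring by number of capabilities rather than a yes/no keeps the distinction between a technique that is only detected and one that is detected and denied.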

Age:III.M2 - Security Automation

Automation should be introduced to reduce manual effort on repetitive tasks.

Age:III.M3 - Vulnerability Management

Vulnerability assessment gives visibility into the assets carrying high- and critical-severity vulnerabilities. Periodic patch management and vulnerability assessment, done hand in hand, give a clearer view of the organization's security posture.

Age:III.M4 - Threat Hunting

The threat hunting process is described in an earlier write-up; follow this link for more details.

Age IV


Age:IV.M3 - Threat Emulation

Threat emulation helps the organization understand its capability to detect a profiled adversary conducting operations against the environment. Emulate the Threat Book adversaries' techniques and validate the alerting efficiency of the security use cases after the emulation activity.

Topic Reference(s): Threat Emulation; Caldera

SOC Iteration Model

The stages form an iterative process that repeats as the organization's mission and priorities change. The picture below shows the repeat loop of the stages, iterated over time.

Iteration Model

  • Repeat Q : Runs when the output of your emulation exercise shows proven detection gaps that need to be fixed.
  • Repeat W : Runs when your business mission or priorities change, or the environment expands.

The SFM model was designed based on my understanding of a SOC and the requirements it should fulfil to combat cyber threats. Feel free to reach me through email (kaviarasan1195@gmail.com) for queries and feedback.

Security Operation Centre Functional Model (SFM) © 2022 by Kaviarasan Asokan is licensed under Attribution 4.0 International. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
