SOCIMP: design, build, implement and become a SOC Analyst in a foundational Security Operations Center environment.

SOC IN MY POCKET


Security / SOC Analyst

To be a part of y'all

Table of Contents
  1. About The Project
  2. Introduction
  3. Incident Response
  4. Let's go
  5. Contributing
  6. Contact

About The Project

Bird's Eye View of my SOC Infrastructure (Oct/2024)


Built With

  • OPNsense
  • Elastic
  • Shuffle
  • Cortex
  • TheHive
  • MISP
  • OpenCTI
  • AtomicRedTeam


Introduction

SOC in My Pocket (SOCIMP) is my very first and flagship cybersecurity project so far. This basic SOC project is designed for Security and SOC Analysts, centered around the core pillars of People, Process, and Technologies (PPT) – the foundation of effective SOC operations.

By focusing on adversaries' Tactics, Techniques, and Procedures (TTPs) for threat detection and response, SOCIMP helps me learn how to proactively defend against complex cyber threats.

With its advanced monitoring, automation, and response capabilities, this SOC setup showcases my knowledge of cybersecurity and reflects my vision of a safer digital world for everyone.

Prerequisites

2 THINGS: ME AND A DEDICATED WORKSTATION

SOCIMP includes the essential SOC components needed to deliver comprehensive security operations:

  • SIEM: The Elastic Stack is my SIEM solution of choice. All logs and data sources (Workstations: Windows/Linux, Servers, Firewalls, Cloud, Web Applications, etc.) are forwarded into the Elastic Stack and centrally managed through a Fleet Server.

  • EDR: Elastic Agent, integrated with Elastic Defend, provides robust endpoint detection and response (EDR) capabilities that work seamlessly within the Elastic ecosystem.

  • SOAR: Tools like Shuffle, TheHive, and Cortex offer high levels of automation, flexibility, and extensive integration across various components for streamlined security operations and incident response.

  • TIP: MISP is a powerful threat intelligence platform that integrates smoothly with TheHive and Cortex for effective incident enrichment. OpenCTI enhances this with visually rich dashboards and multiple connectors to gather comprehensive threat intelligence data.

  • Firewall: I opted for OPNsense, which offers a user-friendly dashboard, advanced traffic inspection, and a variety of built-in security features to protect the network.
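The SIEM-to-SOAR-to-TIP hand-off described above, reduced to a single offline script as an added example (this is not SOCIMP's own code): an ECS-shaped Elastic alert is parsed for observables, those are checked against a MISP-style indicator set, and a TheHive-style case is assembled. The alert document, the indicator set, the `severity` field and the escalation rules are all constructed assumptions, not real API payloads.

```python
"""Added example, not the project's code: Elastic-style alert -> MISP-style
indicator lookup -> TheHive-style case. All data is constructed; no network."""
import ipaddress
import re
# Constructed indicator set; in SOCIMP this lookup would go to MISP via Cortex.
MISP_INDICATORS = {
    "ip-dst": {"198.51.100.23": {"event": "Constructed C2 set", "tlp": "amber"}},
    "sha256": {"a" * 64: {"event": "Constructed malware set", "tlp": "red"}},
}
SEVERITY = ["low", "medium", "high", "critical"]
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

def extract_observables(alert):
    """Pull ip-dst and sha256 observables from an ECS-shaped alert document."""
    obs = []
    ip = alert.get("destination", {}).get("ip")
    if ip:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        obs.append(("ip-dst", ip))
    sha = alert.get("file", {}).get("hash", {}).get("sha256", "").lower()
    if re.fullmatch(r"[0-9a-f]{64}", sha):
        obs.append(("sha256", sha))
    return obs

def enrich(observables):
    """Return the indicators that match, i.e. the MISP hit list."""
    return [dict(type=t, value=v, **MISP_INDICATORS[t][v])
            for t, v in observables if v in MISP_INDICATORS.get(t, {})]

def build_case(alert, hits):
    """TheHive-style case: escalate severity one step on any TI hit,
    inherit the strictest TLP, and tag with the matching MISP events."""
    sev = SEVERITY.index(alert.get("severity", "low"))
    if hits:
        sev = min(sev + 1, len(SEVERITY) - 1)
    hit_values = {h["value"] for h in hits}
    return {
        "title": f"{alert['rule']['name']} on {alert['host']['name']}",
        "severity": SEVERITY[sev],
        "tlp": max((TLP_RANK[h["tlp"]] for h in hits), default=0),
        "tags": sorted({h["event"] for h in hits}),
        "observables": [{"type": t, "value": v, "ioc": v in hit_values}
                        for t, v in extract_observables(alert)],
        "stage": "Detection and Analysis",  # NIST lifecycle stage the case opens in
    }

SAMPLE_ALERT = {"rule": {"name": "Suspicious PowerShell download"},  # constructed
                "host": {"name": "ws-01"}, "severity": "medium",
                "destination": {"ip": "198.51.100.23"}, "file": {"hash": {"sha256": "A" * 64}}}
```

Running `build_case(SAMPLE_ALERT, enrich(extract_observables(SAMPLE_ALERT)))` yields a case escalated to high severity at TLP:RED with both observables flagged as IOCs; an alert with no indicator match keeps its original severity and an empty tag list.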

To host these components, the SOCIMP project is built on a PC powered by:

  • CPU: Intel Xeon (18 cores / 36 threads)
  • RAM: 96 GB
  • Storage: 2 TB SSD

This infrastructure hosts multiple VMs and containers, ensuring scalability and performance across all SOC components.


Adversary Emulation

For adversary emulation, I chose to use Atomic Red Team. It’s lightweight, portable, and allows me to quickly test my environment.

In the future, I may also explore Caldera for more advanced adversary simulation capabilities.


Incident Response

For incident response, I rely on the well-structured NIST Framework to handle security incidents effectively. This framework provides a standardized approach, ensuring a thorough and consistent response to potential security threats. The NIST Incident Response Lifecycle includes four main stages:

  1. Preparation – Establishing and maintaining an incident response capability. This involves creating an incident response policy, identifying resources, and training the response team.

  2. Detection and Analysis – Monitoring systems to detect suspicious activities and analyzing potential incidents. This stage focuses on identifying and validating incidents accurately to minimize false positives.

  3. Containment, Eradication, and Recovery – Limiting the impact of the incident, eliminating the root cause, and restoring systems to normal operation. This stage is crucial for controlling the spread and impact of the incident on the organization.

  4. Post-Incident Activity – Learning from the incident to improve future responses. This involves documenting the incident, conducting a post-mortem analysis, and updating policies and procedures.

See more details on NIST Framework Incident Response. Following this structured approach allows me to respond to incidents efficiently and continuously improve my SOCIMP project’s security posture.

NOTE: You could follow the SANS framework instead, or both, depending on your needs.


Let's Go

In the SOCIMP project, I will guide you through all stages: installation notes first, then the deployment where I configure and integrate all components, preparation for adversary emulation, and finally threat hunting, analysis, and response to security incidents (blue teaming).

This project will also cover future development plans.


Contributing


Contact

Pham Thanh Sang - @telegram - sang3112002@gmail.com

Project Link: https://github.com/phamthanhsang-cs/SOC-in-my-Pocket

