Why Good SOC Analysts Know Offense & Defense

Alberto: Right off the bat, get your Google on. pfSense is a great open-source router/firewall you can use. You can also use VirtualBox for virtualization, meaning you have a host operating system, and then you build smaller virtual machines on that host operating system to build that lab. You’re definitely going to need resources like RAM. So if you can afford it, build your own server; it’s typically cheaper that way. PCPartPicker is a great website to get going on that.

You can create a virtualized infrastructure that includes pfSense for routing and firewall network segmentation, whether it’s through a virtual LAN or you have an entirely separate network, a /24 to play around with. You want to get after some Windows servers, some Windows workstations, Windows 10s, Windows Server 2016, and build virtual machines with these operating systems. And then create what’s called an Active Directory Domain. Once you have an Active Directory Domain, which is very similar to what you’ll see in an enterprise domain, you want to then build a Linux machine. You can use a different distribution like Kali or ParrotOS, etc. to have an attacking machine, and then you just go after it. And if you don’t want to buy one of those big bulky servers, I recommend maybe Raspberry Pis, or an Intel NUC. Those are great places to start if you want something more compact that can bring some resources into that virtualized environment.

Ricky: What does your loadout look like? Some of the tools you use day-to-day.

Alberto: For the blue side of things, really understand log management, so tools like a SIEM. Go out there and get Security Onion 2.0; it was just released. It’s a great toolset to get started off with. You’re going to get exposure to ELK, you’re going to get exposure to TheHive, which is a case management tool.

Check out tools like MISP for intelligence feeds, Wazuh or osquery for endpoint protection. Sysmon is an amazing tool you can deploy on a Windows environment to get some really good security logging and plays. Take a look at ESXi for virtualization. And I’m huge into scripting from a defensive standpoint. So PowerShell; I can use PowerShell to query any data source that I want from a Windows enterprise environment, and also Python. So integrating with APIs and different tooling with Python is also kind of in my tool suite. From an attacker perspective, I think GitHub is the best place for an attacker. Just to name a few for Open-Source Intelligence, take a look at SpiderFoot. Do so responsibly. Tools like Amass to do some subdomain enumeration. Active Directory tooling like Impacket, or Rubeus, BloodHound. If you haven’t deployed BloodHound and run it on an Active Directory environment, go ahead and pause the video. Go out and get it done because BloodHound is a great tool to map out an entire Active Directory Domain. And then I’ll finish it from the offensive aspect with some command-and-control tooling, so like Covenant or Mythic, Empire; PowerShell Empire is still very popular day-to-day, and maybe Merlin is another great one.

Ricky: How do you keep track? Are you pen-and-papering?

Alberto: For me, keeping track of everything on a Google Drive is essential in terms of documents. If I find a really good PDF or white paper out there, I have a Google Drive where I put some of those tech articles or blog posts, before they could get taken down, or I lose the link. Having solid bookmarks also helps. I keep tons of bookmarks depending on the different topics within security, whether it’s blue teaming or pentesting. From a tooling perspective, you can definitely keep a OneNote of all the tools that you’ve experienced and keep a running tab of that. I think one of the best things you can do in security is just have solid notes for yourself.

Ricky: There are a lot of people who are only interested in Kali, hacking, Red Team, that kind of stuff. And there are people who are only in the PCAPs, and logs, and the forensics. What would you say to those people, having day-to-day experience in both?

Alberto: I would say as a defender, we tend to focus a lot on logs, host-based artifacts, network traffic, etc. But until you understand from a tactical level how the adversary tactics are performed, you won’t get to that deep level of understanding those tactics, which will lead into your detection engineering efforts. And then as an attacker, most pentesters or red teamers I know, they really don’t like the blue teaming side of things.
All they want to do is pwn, get root, call it a day, etc. But it’s really understanding how can I improve this organization from a security posture. You can gain huge value in focusing on how you can help the blue team, how you can help the defense understand your tactics, understand those TTPs, so that next time you try those TTPs, they already know how to detect it.

Ricky: Tell me, what is your personal take on certifications?

Alberto: I think training yourself in your home labs and getting a few certifications that meet some of those criteria, and taking those certifications seriously based on the curriculum and the learning objectives, not so much as a check-off-the-box; I think that’s where the value of certifications comes from. But other than that, I’m not a huge fan of certifications. Especially like you mentioned, if you just go out and get the plethora of CompTIA certifications just to have them. It really doesn’t give you those skills that you’re going to need to be successful on the job. Some of the certifications I do recommend for anyone in security are something like the OSCP; some of the eLearnSecurity certifications are pretty good as well. And whether they’re valuable or not, I would just take certifications as a way for you to improve yourself. You really want to make sure you take that specific topic and you focus on that topic.

So I wouldn’t necessarily put a certification as, “This is needed because it is a job requirement.” But it’s also a way for you to focus on, “I need to learn this specific topic.” So you put a goal to get that certification to push you to understand that specific topic.

Ricky: You mentioned the Tier 1 through Tier 3 SOC analysts. Can you break apart some of the skills and even salary ranges?

Alberto: I’ve seen ranges starting at $75,000 to higher than $250,000. I think that salary range, definitely location, will depend on what your salary is. And then your experience level and your problem solving. Not only from a keyboard standpoint, technically speaking, but also having that entrepreneur mindset: understanding the operational risk, understanding how you tie into a bigger picture of that company. But the ranges are pretty crazy and it really just depends on the industry. So as a Tier 1, I expect the SOC analysts to really understand the foundations of networking, of operating systems, architecture; maybe even a basic level of reading code. Really once you get into the middle tier, that means you understand a deeper level of traffic, PCAP, host-based artifacts. It’s not just you going through alerts and seeing what’s going on, but you really can get deep into certain investigations. And at that Tier 3, I think you’re really more of a standalone analyst where you can do a lot for the organization. To include writing your own tools, maybe your own scripting; you can build your own detection engineering rules or specific tooling. It’s really more of a development work role with all the analysis already fine-grained in your arsenal.

Ricky: What was the interview process for you getting into your job role?

Alberto: I would say it was almost a full-time job having interviews all the time. You have to keep good notes of all the conversations.
Because these tech interviews, they may go back and ask you deeper details of a topic they asked you in interview number one. For all my offensive interviews, all I kept doing was hacking boxes on HackTheBox, so I could stay fresh on some of the tactics. I was reading blog posts every day. I had a fine-grained methodology to exploitation. I was following different Twitter accounts. I was staying up-to-date with all the latest tactics and how to detect them. For me, it was just surfing the internet and just staying really up-to-date with everything going on. And then writing down my talking points. I can’t emphasize enough to keep track with a notebook. I had a physical notebook for my interview process where I would have different talking points, whether it’s an adversary tactic, or how to detect against a specific common tactic. For this specific work role, I first had a managerial interview with a senior exec of the company to make sure culture and things of that nature were going to be a fit. Then I had three technical interviews with some of their senior engineers. After those three tech interviews, I went back to another exec to make sure culture, etc. was going to be good. And then the final piece was having an offer letter delivered to me.

Ricky: What was your journey like in terms of your skill progression?

Alberto: I would say a lot of the time while I was in my initial first tech job there at the sleep apnea company was really self-taught. Teaching myself what a domain is, what a domain controller is, what an IP address is, etc. So a lot of the fundamentals I had to teach myself as I was going through my undergraduate degree. But it was great because I got that first-hand experience of being a Windows system administrator the hard way prior to going into security. I was a one-person shop, so I couldn’t turn to any co-workers regarding questions on the domain or any sort of configurations.
So for me, it was really just being alone and having to Google my way to finding answers to the problems that I was facing. I think some of the best resources are actually blog articles by other security researchers and other companies. So I’m heavily into Twitter, companies like SpecterOps, Black Hills Information Security, Red Siege, etc. And even some of the overseas companies like MDSec from the UK. Following some of that research and some of those employees that are within the security spectrum really helped me learn some of the tradecraft that they’re doing. I’m not huge on books, simply because some of the security books are really dry. I’m bigger into YouTube channels like Heath Adams, this one specifically. IppSec for the HackTheBox walkthroughs. I like to learn via videos. Some of the podcasts I have listened to from Hak5 and the Coalfire team have also been helpful. But for me, it’s really just blog posts, Twitter, and YouTube videos. I know a lot of people do CTFs in my industry. But I typically just wait for the walkthroughs. I like to start at the beginning and just walk through some of the blog posts of the solutions. It is beneficial to get involved, but it can be time-consuming if you’re participating in a couple. But for me, really where I gained most of the value of my time is banging my head against the keyboard in my home lab. So I like to go out and build infrastructure, break it, test it, and learn the ins and outs of those specific TTPs that adversaries leverage and how I can detect against them.

Ricky: You are a pretty technical manager or leader in your team. What are some words of wisdom or advice you might have for less technical people?

Alberto: I would say to be a leader in anything that you do, and not just security, you have to understand what your subordinates are going through. Meaning you have to understand some of the technical implications of what they go through and what jobs they do.
I’m not asking every security manager out there to be a reverse engineer. But what I’m asking for is to allocate some of your personal time, if you don’t have it at work, to understand the technical aspects that your analysts have to go through to do their jobs well. Because at the end of the day, nothing gets done unless the tactical echelon executes those tasks. For me, that leadership aspect that was ingrained in me through the military and up was: take care of those people, understand them at a personal level, understand their goals, challenge them technically, give them meaningful work. And then sometimes, even some of the not-so-awesome work, whether it’s writing reports, etc. Give them that sense of importance, that their work is really towards a greater cause for the company. Giving them that level of satisfaction and thanking them for everything that they do for you, I think, goes a long way.

Ricky: Awesome. What are some things that you do personally to stay secure?

Alberto: My mother had a phishing email saying that they had her email account and password, which was true. Because her account was leaked somewhere else and she never changed her credentials. And they tried to blackmail her for that information. We did go through it. We changed her credentials immediately all across the board. I implemented multi-factor authentication on all her banking websites, etc. Some of the things I do, and I always preach to my family members, are implementing a good password policy internally. Using password managers is a big recommendation I give to everyone. The times of having your personalized, your own passwords be repeated across every single platform that you use: those times are gone and it’s pretty dangerous. So implementing multi-factor on everything and changing credentials with a password manager on everything. I think those are some of the initial wins that people can get after improving their security.
