Handling the threats
Cyber security is fast-paced, so playbooks are being constantly updated, says CommSec's Ian O'Connell
12 February 2020
Working in a security operations centre (SOC) can be compared to working in the emergency services: we prepare to respond, we contain threats, and we investigate. When not responding to alarms triggered through our security information and event management systems (SIEM), we are actively sending out scans and probes to look for vulnerabilities. Our analysts conduct endpoint investigations to monitor and respond to threats. Threat intelligence is an important part of our job. When we encounter unknown malware, we upload our data to a community of other SOCs and send out alerts.
We also deploy honey pots. Should a client have a nosy employee, we could set up a dummy server designed to be actively exploited. We would create a Word document with an enticing title – perhaps ‘Financial details 2020’. We would then be notified if that file was opened or copied.
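As an added illustration of the decoy-document idea (example code, not CommSec's tooling): a small detector that scans Windows-style file-audit events for any open, copy or deletion of a planted file and ignores the account that planted it. The decoy path, the account names and the event layout are constructed for the example.

```python
import json

# Assumed (constructed) decoy path, the account that planted it, and the
# access types that count as an open, copy or removal of the file.
DECOY_PATHS = {r"C:\Shares\Finance\Financial details 2020.docx"}
PLANTING_ACCOUNTS = {"svc-soc-decoy"}
WATCHED_ACCESSES = {"ReadData", "WriteData", "Delete"}


def canary_alerts(lines):
    """Return one alert per audit record that opens, copies or removes a decoy file."""
    decoys = {p.casefold() for p in DECOY_PATHS}  # Windows paths are case-insensitive
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupt line: skip it rather than stall the pipeline
        if ev.get("EventID") != 4663:
            continue  # only object-access events are relevant here
        if ev.get("ObjectName", "").casefold() not in decoys:
            continue
        if ev.get("SubjectUserName") in PLANTING_ACCOUNTS:
            continue  # the planting account is expected to touch the file
        if ev.get("Access") not in WATCHED_ACCESSES:
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "user": ev.get("SubjectUserName"),
            "host": ev.get("Computer"),
            "process": ev.get("ProcessName"),
            "access": ev["Access"],
            "file": ev["ObjectName"],
        })
    return alerts


# Constructed sample audit lines (simplified event 4663 layout): two real touches,
# one by the planter, one on an unrelated file, one logon event and one corrupt line.
SAMPLE_LOG = r"""
{"TimeCreated":"2020-02-12T09:01:05Z","EventID":4663,"Computer":"FS01","SubjectUserName":"jdoe","ObjectName":"C:\\Shares\\Finance\\Financial details 2020.docx","Access":"ReadData","ProcessName":"C:\\Windows\\explorer.exe"}
{"TimeCreated":"2020-02-12T09:02:11Z","EventID":4663,"Computer":"FS01","SubjectUserName":"svc-soc-decoy","ObjectName":"C:\\Shares\\Finance\\Financial details 2020.docx","Access":"WriteData","ProcessName":"C:\\Tools\\plant.exe"}
{"TimeCreated":"2020-02-12T09:03:40Z","EventID":4663,"Computer":"FS01","SubjectUserName":"jdoe","ObjectName":"C:\\Shares\\Finance\\Budget 2019.xlsx","Access":"ReadData","ProcessName":"C:\\Windows\\explorer.exe"}
{"TimeCreated":"2020-02-12T09:04:02Z","EventID":4624,"Computer":"FS01","SubjectUserName":"asmith"}
{"TimeCreated":"2020-02-12T09:05:19Z","EventID":4663,"Computer":"FS01","SubjectUserName":"asmith","ObjectName":"c:\\shares\\finance\\FINANCIAL DETAILS 2020.docx","Access":"ReadData","ProcessName":"C:\\Windows\\System32\\cmd.exe"}
this line is not json
"""
```

Running `canary_alerts(SAMPLE_LOG.splitlines())` yields two alerts, for jdoe and asmith, with the process that touched the file recorded for triage.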
Our process tends to be relatively rigid. We turn to playbooks when we observe a threat or when an alarm comes in. Designed by us, each threat has its own playbook detailing the steps to tackle it. Cyber security is fast-paced, so our playbooks are constantly being updated.
Most days tend to fly – any one of our clients could have 1.5 million events in a single day. Another might have half a million. We funnel these down to one hundred or so alarms to investigate. This fluctuates – the day BlueKeep was released we had 500 alarms.
It is the nature of the SOC that some days are more traffic heavy than others. When we have the time, we like to put on our threat hunting caps and investigate. We tend to propose a hypothesis, observe, take notes, and then go in depth. It can be a rabbit hole, but you can hit the jackpot. It is a proactive way of looking for unusual activity that has crossed a client’s network. I dedicate an hour or two each week to threat hunting. If we are not responding to an incident, we are finding one.
Threat hunting can be arduous, but it results in some of our biggest catches. Once, going through a client’s endpoint, we reached the stage where we would usually say the alarm was a false positive. Instead, we went hunting. When we dug deeper, we found IP addresses and URLs that it had contacted. Encrypted files emerged, as did a ransom note requesting 0.8 bitcoin, €5,500 or so then. Our client had been attacked by a known ransomware called Locky a few years ago. They purchased ransomware protection after we updated them on the situation. We were fortunate that, through threat hunting, we actively found the threat and mitigated the damage.
Most SOCs and MSSPs alert clients when an alarm is raised and respond accordingly. But the team is not always involved with the incident response. At CommSec, it is different. Our SOC is here from start to finish. We work hand-in-hand with clients’ IT teams and talk them through each step. Our attitude to threat hunting and honey pots sets us apart. We do not treat them as add-ons or consultancy work, but as part of our SOC service. For clients with a small IT team, our services can save valuable time. For example, we can launch a vulnerability scan for a client and hand it back to their IT team to conduct their own patch management.
The only way to develop and maintain strong security posture is through engagement and communication. Our clients are open with us. We keep them in the loop with regular security reports. When a client is proactive, we know that we are doing our job to the best of our ability.
Ian O’Connell is the lead SOC analyst at CommSec