SOC 101: Real-time Incident Response Walkthrough

Exabeam

6 Jan 202112:30

Summary

TLDRThis video explains how Security Operations Centers (SOCs) play a critical role in identifying potential threats and guiding incident response teams to investigate specific machines or actions. Using an example from a SIEM tool (Exabeam), the presenter walks through how a VPN session from an unusual location (Ukraine) triggered a deeper investigation, ultimately uncovering a rootkit. The process highlights the importance of efficient dashboards, memory dumps, and comparative analysis in identifying hidden threats, while emphasizing the invaluable role of SOC teams in cybersecurity.

Takeaways

😀 SOC teams are often the unsung heroes in cybersecurity, responsible for identifying and focusing on potential threats across vast networks.
😀 SIM tools, like Exabeam, play a critical role in detecting anomalies and helping SOC teams prioritize threats that could indicate cyber attacks.
😀 A good SIM system provides intuitive dashboards that highlight notable users, assets, and activities that may warrant further investigation.
😀 VPN connections from unfamiliar locations, like the Ukraine in the script, can trigger alerts in the SIM and prompt a deeper look into user activities.
😀 A medium-level alert, such as an unusual VPN connection, can still be the starting point for a full-blown threat hunting investigation.
😀 Even if there are no immediate signs of malware or suspicious behavior, it's important to perform triage (e.g., taking a memory dump) to investigate further.
😀 Memory dumps, despite being time-consuming, are essential for identifying hidden malware like rootkits that can’t be detected through regular processes or connections.
😀 Using a tool like Volatility for memory dump analysis can reveal discrepancies between what the machine reports and what is actually running, such as hidden rootkits.
😀 Rootkits often go undetected by standard antivirus scans and require deeper forensic techniques to uncover.
😀 The overall message is that cybersecurity detection and incident response require both proactive tools (like SIM systems) and reactive measures (like memory dumps and analysis).

Q & A

What is the main focus of this video?
-The video focuses on how Security Operations Centers (SOCs) use SIEM (Security Information and Event Management) solutions, specifically Exabeam, to detect anomalies and initiate threat hunting or incident response. It demonstrates the process of identifying a potential issue using a VPN connection anomaly and proceeding with investigative steps like memory dumps and analysis.
Why are SOC teams considered crucial but underrated in cybersecurity?
-SOC teams are crucial because they monitor and detect threats in real-time, guiding incident response and threat hunting efforts. Despite their importance, they are often underappreciated and overlooked because their work is behind the scenes, not often in the spotlight.
What does the video explain about the relationship between SOCs and SIEM solutions?
-The video explains that SOC teams rely heavily on SIEM solutions to monitor network activity, detect anomalies, and prioritize incidents. The SIEM system helps analysts focus on specific alerts and suspicious behaviors, such as unusual VPN connections, that may require deeper investigation.
What was the suspicious activity that led to further investigation in this case?
-The suspicious activity involved Barbara Salazar, who logged in via VPN from Ukraine, a location she had never connected from before. This anomaly raised suspicion and prompted the investigation to verify if it was a legitimate action or a sign of a security breach.
What is the significance of taking a memory dump during an investigation?
-A memory dump is crucial because it allows investigators to analyze the state of a machine at the time of the incident. In this case, it helped uncover discrepancies between the machine's reported processes and actual running processes, revealing the presence of a rootkit.
How does the SIM dashboard help SOC teams during an incident response?
-The SIM dashboard provides a clear and intuitive overview of network activity, including notable users, assets, and abnormal behaviors. This makes it easier for SOC teams to identify anomalies, prioritize threats, and decide where to focus their investigative efforts, as seen in Barbara Salazar's case.
What steps were taken to investigate Barbara Salazar’s VPN connection anomaly?
-The investigation started by reviewing her VPN session logs, confirming that the login from Ukraine was unusual. From there, the SOC team performed additional checks on the VPN concentrator, ran system diagnostics, and eventually decided to take a memory dump for further analysis.
What was the outcome of the memory dump analysis?
-The memory dump analysis revealed two unusual running processes that were not visible through standard system tools. This led to the discovery of a rootkit, which was not detected by regular scans but could be identified through memory analysis.
Why is a comparative analysis between live data and memory dump important?
-Comparative analysis helps identify discrepancies between what a system reports as active processes and what is actually running in memory. In this case, it exposed the presence of a rootkit that was hiding its activity from standard system tools.
What role does the tool 'Volatility' play in this investigation?
-Volatility is used to analyze memory dumps and extract detailed information about running processes. In this case, it was instrumental in identifying the rootkit by comparing the memory dump data to the live system data.