A Security Operations Centre is the modern defence centre against cyber attacks. But how does such a SOC work, and how does it interact with the "IT fire brigade", the CSIRT? A (fictitious) security incident shows how.
Text: Andreas Heer, Image: iStock
14 April 2022
Intense silence. Only the rattling of keyboards can be heard. The IT security specialists sit in front of their screens and analyse, over the network, the servers and notebooks on which malware has crept in despite all the security measures. No one is in a frenzy, even though it is a sophisticated attack that requires the deployment of the Computer Security Incident Response Team (CSIRT). Shortly before, SOC security analysts had escalated the incident because of its criticality.
</grreplace>
<gr_replace lines="5" cat="clarify" orig="Because it had">
Because it had to happen quickly. The SOAR platform (Security Orchestration, Automation and Response) had reported unusual access by users to internal servers and to Internet addresses. The security analyst on duty escalated the alert to an incident via the SOAR platform and forwarded it to his colleague in the incident response layer so that a more in-depth analysis could be carried out.
Because it had to happen quickly. The SOAR platform (Security Orchestration, Automation and Response) had reported unusual access by users to internal servers and to Internet addresses. The security analyst on duty then escalated the alert to an incident via the SOAR platform and forwarded it to his colleague from the incident response layer, so that a more in-depth analysis could be carried out
"Our central SOAR platform helps us to enrich alerts from different detection systems with additional information by means of automated analysis workflows, and to filter out false alarms so that we can quickly identify serious incidents," says Florian Leibenzeder, technical manager in the SOC at Swisscom. In this case, the initial analysis revealed a "true positive", i.e. a genuine security incident. This in turn resulted in an escalation.
What the experienced security analyst saw during the in-depth analysis did not please her at all: three notebooks showed the same suspicious behaviour. One of the users had contacted the "Cyberdefence" hotline because a document he had received seemed strange when he opened it.
The telephone enquiry revealed that this user had received an "offer" from an alleged potential supplier via a file-sharing platform. This step had been preceded by an exchange of e-mails, so the person did not suspect anything at first and opened the document. In doing so, he executed a sophisticated new type of malware. Because a well-known file-sharing platform was misused for the attack, the cybercriminals were able to bypass the detection mechanisms of the EDR (Endpoint Detection & Response) solution. Such a sophisticated and highly targeted attack challenges security specialists when it comes to defence.
Human expertise is now needed: the expertise of the experienced incident responders of the CSIRT who are currently on duty in the Operations Squad. Nevertheless, everyone is calm. The experts sit in front of their screens, concentrating. In the meantime, it has been possible to isolate the malware and mitigate the attack, which is referred to as "containment" in this phase of the incident response. The standard procedure originates from the cybersecurity training specialist SANS Institute. Its "Incident Response Cycle" divides the defence procedure into six steps, from preparation to "lessons learned", where the experiences and insights from handling the security incident are evaluated and improvement measures derived. "This standardisation helps to maintain an overview in such cases instead of getting into a frenzy," says Stephan Rickauer, who heads the CSIRT service for business customers at Swisscom.
To "contain" the attack, the CSIRT had blocked the three affected user accounts and disconnected the notebooks from the network to make it more difficult for the malware to spread through the company network. But this alone does not ensure the attacker is no longer in the network. After a brief consultation, they prioritise the search for any further traces of the attack, the so-called Indicators of Compromise (IoC), as the next step. The experts want to make sure that the cybercriminals are not still hiding on another system or have not caused damage elsewhere. Now their expertise comes into play.
The experienced security staff continue where the SOAR system left off and manually examine the infrastructure for further signs of intrusion. Their broad expertise and many years of experience help to keep the examination structured. One of the experts searches the numerous log files for suspicious logins and for activities of the malware, while another examines the network traffic for possible access to a "Command & Control" server. These activities help the experts to find any well-hidden malware files, network anomalies or registry entries.
Shortly afterwards, the security experts give the all-clear. No further alerts have appeared on the SOAR platform, and attempts to access the servers have been unsuccessful. The incident is downgraded and the people involved plan the evaluation of their intervention activities as part of the "lessons learned" step.
How do the professionals in the CSIRT plan work that is driven by external events, keeps no fixed hours and therefore cannot really be planned at all? "The criticality of an event often determines prioritisation, which is the most important criterion," explains Stephan Rickauer.
For this reason, the security analysts postpone the forensic examination of the devices until later. Such an investigation helps to better understand the attackers' approach, i.e. to identify their tactics, techniques and procedures (TTPs). However, this step has lower priority, because the notebooks no longer pose a threat.
The forensic analysis will be fed into the evaluation of the security incident. The security experts will not only discuss what went well and where there is potential for improvement; based on the analysis of the incident, they will also develop a new "Detection Use Case". This is basically a schematic illustration of the attack pattern - for example, which log entries on which systems indicate such an attack.
"Our goal in developing use cases is to automate the initial analysis, the triage, and if necessary, the response. The powerful EDR functions on the workstations and servers and the SOAR workflows for the automation of analysis and response help us to achieve this. Only through the progressive automation and harmonisation of tools can we keep pace with the increasing complexity of our infrastructures and the attacks on them", says Florian Leibenzeder. A SOC and CSIRT with automation tools are indispensable for modern cyber defence.
This enables the SOC to react automatically the next time an attack of this kind occurs. The CSIRT is then probably not involved at all, because the attack is already stopped at an earlier stage of the incident response. "The attraction of working in a CSIRT is the wide variety of tasks. We don't like to do the same thing twice," says Stephan Rickauer with a grin.
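What such a "Detection Use Case" looks like once it is written down as code is illustrated by the following added example. It is not code from the article or from Swisscom; it is a small Python sketch of the correlation and triage logic a SOAR workflow could run over EDR and proxy events for the attack chain in the story (document fetched from a file-sharing platform, the viewer spawns an unexpected child process, that process reaches out to an Internet address), and it also covers two points made earlier: the enrichment and false-positive filtering the SOAR platform performs, and the search for access to a Command & Control server. Every event, hostname, user name, file name and destination is constructed sample data, and the allowlists, field names, window and threshold are assumptions for this example.

```python
"""
Added example, not code from the article or from Swisscom: a "detection use case"
for the attack chain in the story, written as the kind of correlation logic a
SOAR workflow could run on top of EDR and proxy events, followed by the triage
step that decides between alert and incident. Every event, hostname, user and
destination below is constructed sample data; the allowlists are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# What the use case encodes: where the document came from, which parent
# processes should not spawn arbitrary children, and what is known-good.
FILE_SHARING_DOMAINS = {"files.example-share.test", "drive.example-cloud.test"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "ACRORD32.EXE"}
BENIGN_CHILDREN = {"splwow64.exe"}                       # assumed allowlist
ALLOWLISTED_DESTINATIONS = {"update.example-corp.test"}  # assumed allowlist
WINDOW = timedelta(minutes=10)   # download -> spawn -> outbound must fit in here
ESCALATION_THRESHOLD = 2         # same pattern on this many hosts => incident

# Constructed events, already normalised to (timestamp, host, source, fields).
EVENTS = [
    # nb-1042, nb-1077, nb-1103: the three notebooks of the story, same document, same destination
    ("2022-04-14T09:02:10", "nb-1042", "proxy", {"user": "a.meier", "action": "download", "dest": "files.example-share.test", "file": "Offerte_2022.docx"}),
    ("2022-04-14T09:03:41", "nb-1042", "edr", {"parent": "WINWORD.EXE", "child": "rundll32.exe", "doc": "Offerte_2022.docx"}),
    ("2022-04-14T09:03:55", "nb-1042", "proxy", {"user": "a.meier", "action": "connect", "dest": "203.0.113.7", "process": "rundll32.exe"}),
    ("2022-04-14T09:15:02", "nb-1077", "proxy", {"user": "b.rossi", "action": "download", "dest": "files.example-share.test", "file": "Offerte_2022.docx"}),
    ("2022-04-14T09:16:30", "nb-1077", "edr", {"parent": "WINWORD.EXE", "child": "rundll32.exe", "doc": "Offerte_2022.docx"}),
    ("2022-04-14T09:16:44", "nb-1077", "proxy", {"user": "b.rossi", "action": "connect", "dest": "203.0.113.7", "process": "rundll32.exe"}),
    ("2022-04-14T09:40:11", "nb-1103", "proxy", {"user": "c.dubois", "action": "download", "dest": "files.example-share.test", "file": "Offerte_2022.docx"}),
    ("2022-04-14T09:41:05", "nb-1103", "edr", {"parent": "WINWORD.EXE", "child": "rundll32.exe", "doc": "Offerte_2022.docx"}),
    ("2022-04-14T09:41:20", "nb-1103", "proxy", {"user": "c.dubois", "action": "connect", "dest": "203.0.113.7", "process": "rundll32.exe"}),
    # nb-2001: a benign look-alike, child process and destination are both allowlisted (a "false positive" filtered out)
    ("2022-04-14T10:05:00", "nb-2001", "proxy", {"user": "d.keller", "action": "download", "dest": "files.example-share.test", "file": "Protokoll.docx"}),
    ("2022-04-14T10:05:30", "nb-2001", "edr", {"parent": "WINWORD.EXE", "child": "splwow64.exe", "doc": "Protokoll.docx"}),
    ("2022-04-14T10:05:45", "nb-2001", "proxy", {"user": "d.keller", "action": "connect", "dest": "update.example-corp.test", "process": "splwow64.exe"}),
    # nb-3005: download only, the document was never opened, so the chain is incomplete
    ("2022-04-14T11:00:00", "nb-3005", "proxy", {"user": "e.brun", "action": "download", "dest": "files.example-share.test", "file": "Angebot.pdf"}),
]


def _by_host(events):
    """Group normalised events per host, ordered by time."""
    grouped = defaultdict(list)
    for ts, host, source, fields in sorted(events, key=lambda e: (e[0], e[1])):
        grouped[host].append((datetime.fromisoformat(ts), source, fields))
    return grouped


def _first(evs, pred):
    return next((e for e in evs if pred(e)), None)


def score_destination(dest):
    """Enrichment: a bare IP contacted directly by a child process rates higher than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return 90
    except ValueError:
        return 60


def detect(events):
    """One alert per host where download -> unexpected child -> outbound contact occurs within WINDOW."""
    alerts = []
    for host, evs in _by_host(events).items():
        for t0, source, f in evs:
            if source != "proxy" or f.get("action") != "download" or f.get("dest") not in FILE_SHARING_DOMAINS:
                continue
            spawn = _first(evs, lambda e: e[1] == "edr" and t0 <= e[0] <= t0 + WINDOW
                           and e[2].get("doc") == f["file"]
                           and e[2].get("parent") in OFFICE_PARENTS
                           and e[2].get("child") not in BENIGN_CHILDREN)
            if spawn is None:
                continue
            child = spawn[2]["child"]
            beacon = _first(evs, lambda e: e[1] == "proxy" and e[2].get("action") == "connect"
                            and spawn[0] <= e[0] <= t0 + WINDOW
                            and e[2].get("process") == child
                            and e[2].get("dest") not in ALLOWLISTED_DESTINATIONS)
            if beacon is None:
                continue
            alerts.append({"host": host, "user": f["user"], "file": f["file"], "child": child,
                           "dest": beacon[2]["dest"], "score": score_destination(beacon[2]["dest"])})
    return alerts


def triage(alerts):
    """SOAR-style decision: escalate when several hosts show the pattern or any alert scores high."""
    if not alerts:
        return {"verdict": "no_alert", "hosts": [], "iocs": []}
    hosts = sorted({a["host"] for a in alerts})
    iocs = sorted({a["dest"] for a in alerts} | {a["file"] for a in alerts})  # what the hunters search for next
    high = max(a["score"] for a in alerts) >= 90
    verdict = "incident" if len(hosts) >= ESCALATION_THRESHOLD or high else "alert"
    return {"verdict": verdict, "hosts": hosts, "iocs": iocs}


if __name__ == "__main__":
    result = triage(detect(EVENTS))
    print(result["verdict"], result["hosts"], result["iocs"])
```

Run as is, the use case fires for the three notebooks and none of the benign hosts, and the triage step turns them into a single incident with the destination and file name as Indicators of Compromise for the follow-up hunt. The two allowlists are what separates an alert from a "true positive" here; in a real deployment they, the time window and the escalation threshold are exactly the parts that get tuned after the "lessons learned" step.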
The attack described here is fictitious and is simply intended to illustrate how a SOC and CSIRT work.
What are the roles and tasks of a CSIRT and why is it becoming increasingly important for companies to use one?
Lorenz Inglin is head of the cyber defence team at Swisscom, which takes care of the security of the Swisscom infrastructure. He set up the current structure with its three-tier model.
This structure has long been standard in the industry. We have continuously developed our way of working. All three levels work closely together in our operations. The tier 3 employees from the CSIRT coach the security analysts from tier 1 and tier 2. In return, the colleagues from the SOC support the employees in the CSIRT. As a result of this, the activities are moving closer and closer together. In the two years that we have been working like this, it has really proven its worth.
There is not only a shortage of professionals, as the workload is also increasing at the same time. Automation is therefore all the more important. On the one hand, a modern EDR solution helps us with detection. On the other, we use a SOAR platform to automate analysis and response activities. In general, we invest a lot in prevention. If we reduce the potential attack area, we reduce our monitoring requirements, which means we can prevent possible attacks instead of just reacting to them. This then also benefits our customers because, for example, we can promptly recognise new phishing websites and block them in Swisscom's network. This, in turn, facilitates the analysis and reaction abilities in the SOC.
Yes, people are needed for in-depth analyses. Automation helps us a lot when it comes to correlating alerts and handling recurring tasks. However, not all cases are predictable, many are simply too complex for machine analysis, or the software is unable to classify the context: If an employee sends IBAN numbers by e-mail, does this now represent confidential bank data and, therefore, an undesired data outflow, or merely payment slips for an association in which the person is involved?
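The IBAN example above shows why automation stops at the point where context is needed. As an added illustration that is not part of the interview or of Swisscom's tooling, the following Python implements the part a machine can do, finding IBANs in an outbound mail and validating them with the standard ISO 7064 mod-97 check so that typos and random look-alikes do not trigger, and then shows that a confidential payout list and an association's fee reminder come out of the classifier looking exactly the same. The two mails, their addresses and the IBANs they contain are constructed sample data (the IBANs are the usual publicly documented test values, one of them deliberately corrupted); the regular expression is a simplification that accepts IBANs written with or without the conventional spacing.

```python
"""
Added example, not Swisscom code: an outbound-mail IBAN detector with checksum
validation. It finds and validates the numbers, but it returns the same verdict
for confidential bank data and for harmless payment slips, which is the decision
the interview leaves to a human. All mails and IBANs below are constructed.
"""
import re

# Country code, two check digits, then groups of four, optionally space-separated (simplified).
IBAN_PATTERN = re.compile(r"\b([A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?)\b")


def iban_is_valid(candidate):
    """ISO 7064 mod-97 check: move the first four characters to the end, map A..Z to 10..35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # int('A', 36) == 10 ... int('Z', 36) == 35
    return int(numeric) % 97 == 1


def find_ibans(text):
    """Return the checksum-valid IBANs in a text, normalised to the form without spaces."""
    return [m.group(1).replace(" ", "") for m in IBAN_PATTERN.finditer(text) if iban_is_valid(m.group(1))]


# Constructed sample mails: one is confidential, one is a club treasurer's reminder.
MAILS = [
    {"from": "h.weber@example-corp.test", "to": "accounting@example-partner.test",
     "subject": "Payout list Q1",
     "body": "Please pay the Q1 invoices to DE89 3704 0044 0532 0130 00 and GB82 WEST 1234 5698 7654 32 by Friday."},
    {"from": "h.weber@example-corp.test", "to": "kassier@tv-example.test",
     "subject": "Mitgliederbeitraege",
     "body": "Hoi Kassier, the member fees go to CH93 0076 2011 6238 5295 7, thanks. "
             "The old account DE89 3704 0044 0532 0130 01 is closed."},
]


def classify(mail):
    """What a rule can decide on its own: whether valid IBANs leave the company by mail."""
    ibans = find_ibans(mail["body"])
    return {"subject": mail["subject"], "to": mail["to"], "ibans": ibans,
            "verdict": "review" if ibans else "pass"}


if __name__ == "__main__":
    for mail in MAILS:
        print(classify(mail))
```

Both mails end up with the verdict "review" and a list of valid IBANs; the corrupted number in the second mail is dropped by the checksum, which keeps the false-alarm rate down, but nothing in the data tells the rule which of the two mails is an undesired data outflow. That is the point at which the analyst, not the automation, decides.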