McVey’s 37 Questions for a SOC


The Basics: Do you have…
1. Authority to operate, a defined scope of operation, authority to act
2. Enough staff to meet the desired scope of operation
3. Accurate inventory of endpoints (hosts and serves)
4. Accurate inventory of networks, their design and use
5. Accurate inventory of egress points, VPNs, DMZs, externally accessible servers, and externally hosted resources (“the cloud”)
6. Contact lists for groups of users (departments, offices, etc.), system owners, other IT teams, service providers, and external response organizations
7.  A list of high value assets and the data they hold (PII, financial data, HIPPA, etc.)
   
Visibility: What is your access to… 
8. Logs (Active Directory, DHCP, DNS, firewall, proxy, servers, VPN, etc.)
9. Flow data (source, destination, ports, session time, volume, etc.)
10. Endpoints (disk, memory, and processes)
11. Network shares and home drives
12. Full packet capture (consider SSL interception as well)
13. Email metadata
   
Monitoring: What are your…
14. Sources of endpoint and network alerts (security appliances, Endpoint Detection and Response (EDR) solutions, HIPS, Next Generation Firewalls (NGFW), SEIM
alerts, Snort, external sources, etc.)
15. Enterprise specific threats (risks) (application versions, hardware types, externally accessible services, active directory trusts, etc.)
16. Threat feed and Open Source Intelligence (OSINT) monitoring processes
17. Automated blocking and block list processes
   
Response Actions: Can you…
18. Quarantine systems (via HIPS, MAC address, or other means)
19. Request drive pulls and system refreshes
20. Freeze/reset accounts (Active Directory, VPN, etc.)
21. Perform remote remediation
22. Perform active defense
23. Hunt and pivot off of collected event data
   
Operations: How does the SOC…
24. Communicate during incidents
25. Track open cases, requests, IOCs, and incidents (ticketing system, MISP, etc.)
26. Report findings, after action reports (AARs), and inform stakeholders about risks, and activities
27. Track collected media and devices
28. Document processes (Standard Operating Procedures (SOPs), templates, etc.)
29. Automate response processes
30. Communicate resource needs, process gaps, weaknesses, and risks
   
Information Technology Processes: How effectively does your organization…
31. Manage patching and end of life software
32. Manage server and desktop builds (Security Technical Implementation Guides (STIGs), Group Policy Object settings, etc.)
33. Network filtering and blocking (website category, autonomous systems, email attachment types, etc.)
34. Enforce an acceptable use policy
35. Train users on IT risks and use
36. Test user awareness and compliance (phishing tests, etc.)
37. Encourage user reporting of suspicious emails, pop-ups, and other abnormal events

Popular posts from this blog

OS X Location Information: Where Has That MacBook Been?

Image
Readers may remember small tempest created when the consolidated.db (later renamed) file was discovered in Apple’s iOS tracking the phones location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X.    Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with, an often empty, consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes: WiFi Access Point (WAP) MAC Address  Latitude and Longitude  Time Stamp Data WiFi Channel Information Assuming Location Services is turned on and used (by the Maps app for example) the database should look something like this: The WiFi access points found in the database don’t ne...
Read more

Malware Fingerprinting

My malware fingerprinting arrival was finally published in the very excelent Excelcior College Cyber security Journal: http://ecwp.s3.amazonaws.com/wp-content/uploads/sites/34/2016/11/nci-journal-vol-2-no-3.pdf
Read more

Apple Location Service Seed Database

Following my last post, folks may be interested to learn that OS X also ships with a seed database of WAP and other locations (think WiFi access points in and around public places like airports). As part of the Core Location framework factory.db , a SQLite database, holds WAP MAC addresses and locations. The file is located in: Macintosh HD/System/Library/Frameworks/CoreLocation.framework/Versions/A/Support/ The WifiLocation table holds MAC addresses, Latitude, and Longitude information. Other tables may be worth exploring as well. Since this database does not seem to track the location of the device this database is of little use to most people though if you live around an airport it may be interesting to see if your WAP is included. 
Read more