八百标兵奔北坡

作为一个初级的安全分析师,你需要成为一个分类专家(Triage Specialist).每天需要花许多时间在事件日志和报警的监视与分类上.

在公司里,你一般处于Tier 1 SOC的位置(最底层,第1线)

• Monitor and investigate the alerts (24 x7 )
• Configure and manage the security tools (这个好像基本不做,或者供应商带着设定一遍后就不改了)
• Develop and implement basic IDS signatures 不太清楚
• Participate in SOC working groups, meetings 例会是有的
• Create tickets and escalate the security incidents to the Tier 2 and Team Lead if needed 大公司可能有多层结构,小公司就只有几个人,没有分级的必要

一般你需要满足的条件

• 0-2 years of experience with Security Operations
• Basic understanding of Networking (OSI, TCP/IP, OS(Windows, Linux), Web applications, etc.)
• Scripting/Programming skills are a plus 这个主要是用于日志分析方面或是自动化处理

Desired certification:

• CompTIA Security+ 这个证我今年准备去考

每个Tiers的具体分工如下:

Tier1

Junior Security Analyst, Triage

• Monitors the network traffic logs and events
• Works on the tickets, closes the alerts
• Performs basic investigations and mitigations

Tier2

Security Operations Analyst, Incident Responder

• Focuses on deeper investigations, analysis and remediation 修复
• Proactively hunts for adversaries 找出敌人
• Monitors and resolves more complex alerts

Tier3

Security Operations Analyst, Threat Hunter

• Works on more advanced investigations
• Performs advanced threat hunting and adversary research
• Malware reversing

:question: What will be your roles as a Junior Security Analyst?

SOC定义:

Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. As the implementation component of an organization's overall cyber security framework, security operation teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.

Preparation and Prevention

作为初级安全分析师,你需要了解当下的网络安全风险,日语用「脅威」比较多.这个可以从Twitter(现在叫X,但日本还是叫Twitter Japan,没改)和Feedly来跟踪动态.

发现并跟踪风险,按照预备的应对方案来保护组织,并为最坏的情况作好准备.

危险到来前,要做的事情是,收集风险,攻击向量和TTPs的相关信息,同时也要更新FW的签名,及时打补丁,更新BlackList和WhiteList.

为了更好的理解TTPs,可以看一下CISA的一份报告 ,关于APT40的,https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a

这个单独写一篇报告在Blog中吧(链接后补)

Monitoring and Investigation

工欲善其事,必先利其器,SOC团队经常要用的就是SIEM和EDR工具来监视可疑的网络活动,他们就是消防队员,哪里有火情就要灭火.根据火情的严重程序判定优先级和处置方法(比如是用干粉灭火还是湿粉灭火).把优先级分为Low,Medium,High和Critical,也有的公司划分为P0,P1,P2,P3等.在面对威胁时,要经常自问,How,When and Why,通过深挖数据日志和报警信息,并结合开源工具来判定后续处理流程.

Response

接下来就是处置被害主机,比如隔离网络,结束危险进程,删除文件等.

作为一线人员,每天要接触来自不同工具的日志源,监视网络流程,包括IPS和IDS,可疑邮件,排查取证数据并分析潜在风险,使用OSINT来帮助我们下判断.

最有成就感的是,搞定了一个Incident并消除了威胁.这通常需要花费数小时,数天甚至几周时间.每天需要思考许多问题和可能性.每天的第一件事是查看工单或是系统报警.

:question: What was the malicious IP address in the alerts?

根据上图报警信息,可知攻击IP地址为

:question: To Whom did you escalate the event associated with the malicious IP address?

:question: After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you?