- The Components of a Blue Team
  - Specialty / Auxiliary Capabilities
    - Threat Intelligence: Collecting information to improve attack detection.
    - Forensics: Supporting IR with deep research and reverse engineering.
    - Self-Assessment: Inventory, configuration monitoring, vulnerability assessment, Red Team, etc.
  - Documents Analysts Must Be Familiar With
    - Policies: High-level, broad, direction-setting, mandatory.
    - Standards: Also mandatory; define how, or how much.
    - Procedures: Step-by-step instructions for a process.
    - Guidelines: Discretionary; suggested actions or recommended procedures.
    - Baselines: Highly specific settings lists (e.g. CIS benchmarks).
    - Use Case / Playbook: SOC-specific prescriptive rules and procedures for detection.
  - People: Perform analysis and investigation; design and run processes.
  - Process: The defined sequence of events performed to achieve an end goal.
  - Technology: Hardware and software used to accomplish the mission.
- Core SOC Activities
  - Data Collection: What's happening on the network and devices [NSM, CSM].
  - Detection: Identifying items of interest from the data collected.
  - Triage and Investigation: Confirming and prioritizing detected issues.
  - Incident Response: Responding to attacks and minimizing their impact.