#SACON
Building the NextGen SOC
Shomiron DAS GUPTA (GCIA)
Founder, CEO
NETMONASTERY Inc.
Agenda
■ Why are APTs difficult to detect
■ Revisit the cyber kill chain
■ Process-oriented detection
■ NextGen SOC process
■ Building your threat mind map
■ Implement and measure your SOC
Why are we failing to pick them up?
■ Made to order
■ Exploit trust relationships
■ Multi-stage deployments
The Cyber Kill Chain
■ Reconnaissance
■ Weaponize
■ Delivery
■ Exploitation
■ Installation
■ Command and Control
■ Actions on objectives
So which are the phases you should track to detect Advanced Persistent Threats?
So, what are you looking for?
Indicators Of Compromise or Attempt To Compromise
Tackle Detection with Process
Process-Oriented Detection
■ Visualize your engagement with threats
■ Identify detection phases
■ Build a list of primary issues
■ Create use cases
■ Connect use cases for multi-phase threats
■ Burn the context layer into your SIEM for detection
Concerns from the Old SOC
■ Lack of focus on detection
■ Push required to build new rules
■ Rules get outdated before you go to production
■ Continuous improvement doesn’t exist
■ Lack of active pursuit
ASOC: one such option
Hunter
• Looking for threats
• Multiple toolkits
• No boundaries - laterals
• Finding loopholes
• Building content
• Writing process
• Handover and review
Process SOC Ops
• Understand threats
• React - FP filtering
• Respond
• Resolve
• Metrics & improvement
• Case retirement
THREAT MAP
PLAY BOOK
USE CASES
Building your Threat Mind Map
What does it take?
■ Approach: IOC or ATC
■ Anticipation: High Probability Threats
■ Active Playbook: Build - Review - Improve
Pre-breach Symptoms
Post-breach Symptoms
Bad Policy Symptoms
WORKSHOP: BUILDING YOUR OWN PLAYBOOK
(Playbook diagram: RandomHIT, Lateral, Exfil, InfectDriveBy, PWN, with steps numbered 1 to 4)
Alerts vs. Incidents
■ Alerts are instant and descriptive
■ Incidents are usually delayed and vague
■ Alerts can be remediated
■ Incidents need handling
What would you work towards: Alerts or Incidents?
Watching the AfterLife
■ Sold in the underground unless a sponsored activity
■ Stolen data is segregated
■ Sometimes published
■ Mostly used quickly for monetary gain
How would you track your data in the AfterLife?
Implement and Measure
■ Watch for primary issues not events
■ Connect multi-phase threats automatically with tools
■ Selectively implement incident management
■ Look out for threat trends
■ Cyclically iterate and improve every week
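The two points "connect use cases for multi-phase threats" and "connect multi-phase threats automatically with tools", as an added Python example that is not from the talk or from NETMONASTERY: each use-case id is a hypothetical SIEM rule mapped to a kill-chain phase, the alert lines are constructed, and a host is only raised as a primary issue once several distinct phases chain on it within a time window, so a single blocked drive-by stays an event rather than an issue.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phase that each use case reports (use-case ids are hypothetical)
USE_CASE_PHASE = {
    "UC-DRIVEBY-DL": "Delivery",
    "UC-EXPLOIT-IE": "Exploitation",
    "UC-NEW-SVC": "Installation",
    "UC-BEACON-DNS": "Command and Control",
    "UC-SMB-LATERAL": "Actions on objectives",
    "UC-BULK-UPLOAD": "Actions on objectives",
}
PHASE_ORDER = ["Reconnaissance", "Weaponize", "Delivery", "Exploitation",
               "Installation", "Command and Control", "Actions on objectives"]

# Constructed alert feed: "<ISO time> <host> <use-case id>"
ALERTS = [
    "2016-03-01T09:00:00 ws-42 UC-DRIVEBY-DL",
    "2016-03-01T09:00:07 ws-42 UC-EXPLOIT-IE",
    "2016-03-01T09:01:30 ws-42 UC-NEW-SVC",
    "2016-03-01T11:40:00 ws-42 UC-BEACON-DNS",
    "2016-03-02T02:15:00 ws-42 UC-SMB-LATERAL",
    "2016-03-01T10:00:00 ws-07 UC-DRIVEBY-DL",  # lone drive-by hit: noise
    "2016-03-03T10:00:00 ws-07 UC-BEACON-DNS",  # 48h later: outside window
]

def parse_alert(line):
    ts, host, uc = line.split()
    return datetime.fromisoformat(ts), host, uc

def connect_phases(lines, min_phases=3, window=timedelta(hours=24)):
    """Return {host: [phases]} for hosts whose alerts cover at least
    min_phases distinct kill-chain phases inside any `window`-long span.
    Phases are reported in chain order; one primary issue per host."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, uc = parse_alert(line)
        phase = USE_CASE_PHASE.get(uc)
        if phase:  # alerts from unmapped use cases are ignored
            by_host[host].append((ts, PHASE_ORDER.index(phase)))
    issues = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over time
            seen = {rank for ts, rank in events[i:] if ts - t0 <= window}
            if len(seen) >= min_phases:
                issues[host] = [PHASE_ORDER[r] for r in sorted(seen)]
                break
    return issues

if __name__ == "__main__":
    for host, chain in connect_phases(ALERTS).items():
        print(host, "->", " > ".join(chain))
```

Tuning min_phases and window is the "cyclically iterate and improve" step: widen the window and the slow ws-07 chain surfaces, at the cost of more false positives to filter.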
Shomiron DAS GUPTA
shomiron@netmonastery.com
+91 9820336050
Thank You!

SACON16 - SOC Architecture