You're reading from Effective Threat Investigation for SOC Analysts

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Edition: 1st Edition
Author: Mostafa Yahia

Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor's degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.

Investigating Network Flows and Security Solutions Alerts

In most digital networks, network devices such as routers generate flows, and security solutions generate security alerts. Both kinds of data are useful for detecting and investigating various cyber threats. As an SOC analyst, you should be aware of, and take advantage of, the flow metadata provided by network devices such as routers and layer 3 switches, and the alerts generated by security solutions such as Antivirus (AV), Endpoint Detection and Response (EDR), an Intrusion Prevention System (IPS), an Intrusion Detection System (IDS), a network sandbox, and a network AV.

The objective of this chapter is to learn how to detect and investigate cyber threats by utilizing the flow metadata provided by network devices such as routers and layer 3 switches, and the alerts generated by security solutions such as AV, EDR, IPS, IDS, a network sandbox, and a network AV.

In this chapter, we’ll cover the following...

Investigating network flows

The flow, also commonly known as NetFlow, is network session information generated by network devices, such as routers and layer 3 switches, to aid network engineers when troubleshooting network issues. Flows have several names, depending on the device vendor. For example, the flow protocol used by Cisco devices is NetFlow (the most common and well-known flow protocol), Juniper devices use J-Flow, and HP devices use Netstream.

Regardless of the name of the protocol used to generate the network session information, the generated information includes at least the following details:

  • Timestamps (start and finish)
  • A source IP
  • A destination IP
  • A source port
  • A destination port
  • Transferred bytes

Most SIEM solutions provide an integration capability to receive flows from different network devices. As an SOC analyst, you should take advantage of the network...
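As an added example (not code from the book), the following Python triages a constructed flow export that carries exactly the six fields listed above, flagging two things a SOC analyst commonly looks for in flows: unusually large internal-to-external transfers and one source touching many ports on a single host. The internal address ranges, thresholds and sample sessions are assumptions.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Address ranges treated as internal (assumption for the example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow export (not from the book): one session per line with the
# six fields the text lists as the minimum every flow protocol provides.
SAMPLE_FLOWS = """\
start,end,src_ip,dst_ip,src_port,dst_port,bytes
2023-08-01T10:00:00,2023-08-01T10:00:05,10.0.0.5,10.0.0.20,51000,445,2048
2023-08-01T10:01:00,2023-08-01T10:14:00,10.0.0.5,203.0.113.9,51001,443,734003200
2023-08-01T10:02:00,2023-08-01T10:02:01,10.0.0.7,10.0.0.20,52000,22,300
2023-08-01T10:02:00,2023-08-01T10:02:01,10.0.0.7,10.0.0.20,52001,23,300
2023-08-01T10:02:00,2023-08-01T10:02:01,10.0.0.7,10.0.0.20,52002,80,300
2023-08-01T10:02:00,2023-08-01T10:02:01,10.0.0.7,10.0.0.20,52003,135,300
2023-08-01T10:02:00,2023-08-01T10:02:01,10.0.0.7,10.0.0.20,52004,139,300
2023-08-01T10:03:00,2023-08-01T10:03:02,10.0.0.9,198.51.100.4,53000,443,15000
"""

def parse_flows(text):
    """Turn the CSV export into dicts with typed fields (skips the header line)."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        start, end, src, dst, sport, dport, nbytes = line.split(",")
        flows.append({
            "start": datetime.fromisoformat(start), "end": datetime.fromisoformat(end),
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": int(sport), "dport": int(dport), "bytes": int(nbytes),
        })
    return flows

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def large_outbound(flows, threshold=100 * 1024 * 1024):
    """Internal-to-external sessions moving at least `threshold` bytes: candidate
    data exfiltration, returned as (src, dst, bytes, duration_seconds)."""
    return [(str(f["src"]), str(f["dst"]), f["bytes"], int((f["end"] - f["start"]).total_seconds()))
            for f in flows
            if is_internal(f["src"]) and not is_internal(f["dst"]) and f["bytes"] >= threshold]

def port_sweeps(flows, min_ports=5):
    """One source touching many distinct destination ports on a single host, which a
    flow export shows as a burst of tiny sessions: scan-like activity worth a look."""
    ports = defaultdict(set)
    for f in flows:
        ports[(str(f["src"]), str(f["dst"]))].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}
```

The same two checks are what a SIEM rule over ingested flows would express; the thresholds here are illustrative and should be tuned to the baseline of the network being monitored.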

Investigating IPS/IDS alerts

The Intrusion Prevention System (IPS) is a security appliance that is deployed inline in a network to constantly watch the network traffic, preventing threats and any malicious attempts to exploit a known vulnerability (see Figure 13.1):

Figure 13.1 – An IPS layout

As you can see in the preceding figure, the IPS is implemented inline in the data path, which allows it to monitor the network traffic between networks and prevent cyber threats.

The Intrusion Detection System (IDS) is a security appliance that is deployed out of band from data communication by using port mirroring, a SPAN port, or a network tap to capture network traffic, detecting threats, anomalies, and any malicious attempts to exploit a known vulnerability (see Figure 13.2):

Figure 13.2 – An IDS layout

As you can see in the preceding figure, the IDS is implemented out of band from data communication by using a...

Investigating endpoint security solutions alerts

Endpoint security solutions are security solutions that are implemented on an organization’s hosts to protect them against cyber threats such as malware infections, credential theft, and suspicious behavior. There are several types of endpoint security solutions; the most common and widely used types are AV and EDR solutions. In this section, we will learn how to investigate samples of the alerts received from both AVs and EDRs.

Investigating AV alerts

The AntiVirus (AV) is an endpoint security solution designed to detect and prevent different malware types, such as Trojans, worms, and ransomware, based on a signature, which could be a file hash or a characteristic pattern in the malware's code.

The alerts received from the AV solutions contain at least the following details:

  • An infected machine name
  • An infected filename
  • An infected file path
  • An infected file hash
  • A malware name
  • A malware category

While...
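As an added example (not code from the book), the following Python groups constructed AV alerts carrying the six fields listed above so an analyst can see which samples have reached several hosts and which hosts keep re-alerting on the same file. The machine names, paths and hash values are placeholders.

```python
from collections import defaultdict

# Constructed AV alerts (not from the book), one dict per alert with the six fields
# the text lists; hash values are placeholders, not real file hashes.
SAMPLE_AV_ALERTS = [
    {"machine": "WS-011", "file": "invoice.exe", "path": "C:\\Users\\ann\\Downloads\\invoice.exe",
     "hash": "hash-AAA", "malware": "Trojan.Downloader", "category": "Trojan"},
    {"machine": "WS-011", "file": "invoice.exe", "path": "C:\\Users\\ann\\AppData\\Local\\Temp\\invoice.exe",
     "hash": "hash-AAA", "malware": "Trojan.Downloader", "category": "Trojan"},
    {"machine": "WS-023", "file": "update.exe", "path": "C:\\Users\\bob\\Downloads\\update.exe",
     "hash": "hash-AAA", "malware": "Trojan.Downloader", "category": "Trojan"},
    {"machine": "WS-042", "file": "eicar.com", "path": "C:\\temp\\eicar.com",
     "hash": "hash-BBB", "malware": "EICAR-Test-File", "category": "Test"},
]

def hosts_per_hash(alerts):
    """Map each file hash to the set of machines it was detected on."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["hash"]].add(a["machine"])
    return hosts

def spreading_hashes(alerts, min_hosts=2):
    """Hashes detected on several machines: the same sample reaching multiple hosts."""
    return sorted(h for h, m in hosts_per_hash(alerts).items() if len(m) >= min_hosts)

def repeat_detections(alerts):
    """(machine, hash) pairs that alerted more than once: the file keeps coming back,
    so the AV may be cleaning a symptom while the dropper is still present."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["machine"], a["hash"])] += 1
    return {k: v for k, v in counts.items() if v > 1}

def triage(alerts):
    """Rank hashes by how many hosts they hit, keeping the malware name for the report."""
    names = {a["hash"]: a["malware"] for a in alerts}
    ranked = sorted(hosts_per_hash(alerts).items(), key=lambda kv: -len(kv[1]))
    return [(h, names[h], len(m)) for h, m in ranked]
```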

Investigating network sandbox and AV alerts

The network AV solution is a crucial network security control that organizations implement to scan all files and URLs, whether transferred internally or sourced from external resources such as email and web servers. It checks files and URLs against malware signatures and a database of known-bad URLs before passing them on to end users.

The network sandbox is a network security solution deployed in an organization’s network to render or execute files and URLs in an isolated environment and analyze their behavior before they are delivered to an end user; this covers both internally transferred content and content downloaded from external resources such as email and web servers. Sandbox technology will be discussed in detail later, in Chapter 15, Malware Sandboxing – Building a Malware Sandbox.

Both devices can be deployed either as a standalone device or come with another security control, such as a Next-Generation Firewall...

Summary

In this chapter, we discussed how to detect and investigate cyber threats by utilizing the flow metadata provided by network devices such as routers and layer 3 switches, and the alerts generated by security solutions such as AV, EDR, IPS, IDS, a network sandbox, and a network AV.

In the next chapter, we will learn about the threat intelligence platforms that should be used by SOC analysts to investigate cyber threats.
