working in a SOC - My experiences and takeaways

I have now worked in a SOC for almost 2 years and I have learned a huge amount. Having come from a job role that was consultancy-based, and not nearly as technical as a SOC role demands - I felt that the learning curve was very steep when I first started working in this role. I not only had to take on a lot of new skills, I also had to hone and apply a lot of the skills I already know to practial scenarios and situations where clients are being infected with ransomware for example.

This section will go through some of my thoughts and feelings regarding working in a SOC and a ‘SOC-as-a-service’ capability, that my employer provides for their clients. I will go through what I mean by a ‘SOC-as-a-service’ and what this means to my larger Cyber Security role.

What is a SOC? What is a SOC-as-a-service?

A SOC (Security Operations Centre), usually pronounced “sock” and sometimes called an information security operations center, or ISOC—is an in-house or outsourced team of IT security professionals dedicated to monitoring an organization’s entire IT infrastructure 24x7. Its mission is to detect, analyze and respond to security incidents in real-time. This orchestration of cybersecurity functions allows the SOC team to maintain vigilance over the organization’s networks, systems and applications and ensures a proactive defense posture against cyber threats. A ‘SOC-as-a-service’ (SOCaaS) is a cloud-based subscription model for managed threat detection and response.

What are my expriences? What things do I suggest people look into, to help them work towards a path in a SOC environment?

As I have mentioned before, when I first starting working in SOC, I found it hard initially. I found it challenging because I was worried about reporting something as benign, when it was in actuality a piece of malware. To combat this, I talked to some of the SOC management to learn more about the investigations I can do, I also refreshed my knowledge and the playbooks that are in place for the SOC - and I was assured that I could go to management if I was unsure of anything while on shift. I personally found that refresing my memory of the playbooks helped me the most, becuase reading is a learning format that works well for me - and I was able to have these playbooks open whilst I was on shift.

It may sound obvious, but learning and understanding common networking protcols and their flavours such as HTTP/HTTPS, SMB, FTP, DNS, TCP and SSH to name a few would help to give more context to the activty you see. Knowing what default ports are associtaed with each of these protcols will help, but this is not essential for understanding, and being a competant analyst. Remember, when you are threat hunting, you have a scope to keep in mind when you are looking for suspicious activty - so keep this in mind when you are looking for unexpected activity on the network. It is easy to lose sight and dive down a rabbit hole of trying to understand a nuance of a particular network without context. I personally find it it helpful to have the scope and expected client outcomes written down on a piece of paper next to me.

A lot of the time, unexpected activity that makes it’s way into a SOC queue could be the result of a pentest. As such, it is a good idea to keep in mind some of the indicators that would be visible in network traffic. For example, Nmap, whch can be run as a standalone program, but is most-commonly pre-packaged amongst OS’ such as Kali, has a default HTTP user agent (as of writing) of ‘Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)’. Searching for this string in logs sometimes yields results. Searching for default user agents or even URIs as indicators may not always be effective - because in most cases, these default values can be changed by a potential attacker with little effort. It is always best to do your research and learn as much as you can before embarking on a journey like this.

To summarise, I feel that you need to have an inqusitive mind in order to succeed in a role that requires you to work in a SOC. There will be a lot of things that you do not understand when starting out, and that’s okay. I’ve been lucky enough to have a very supportive team around me in my early days, that I can pose my ‘silly’ questions to. Having a team like this arround will help support your learning on the job, and hopefully inspire you to learn outside your role, as I did. I have a natural drive and desire to learn, which suits a SOC role because threats are constantly changing and in order to keep yourself up to date, you’ve got to be learning all the new ways threat actors are getting by in the wild.