Security Operations

Level 1: Quick Reference

Incident Response Lifecycle (NIST 800-61 Rev 2)

┌──────────────────────────────────────────────────────────────┐
│                  INCIDENT RESPONSE PHASES                     │
├──────────────────────────────────────────────────────────────┤
│ 1. PREPARATION                                                │
│    └─ Policies, tools, training, communication plans          │
│ 2. DETECTION & ANALYSIS                                       │
│    └─ SIEM alerts, log analysis, threat intelligence          │
│ 3. CONTAINMENT, ERADICATION & RECOVERY                        │
│    └─ Isolate, remove threat, restore operations              │
│ 4. POST-INCIDENT ACTIVITY                                     │
│    └─ Lessons learned, documentation, process improvement     │
└──────────────────────────────────────────────────────────────┘

SOC Processes Overview

Tier 1 - Alert Triage:

• Monitor SIEM dashboards
• Initial alert validation
• Basic incident categorization
• Escalate to Tier 2/3

Tier 2 - Incident Response:

• Deep dive investigation
• Threat analysis and correlation
• Containment actions
• Forensic evidence collection

Tier 3 - Threat Hunting:

• Proactive threat hunting
• Advanced malware analysis
• Complex incident coordination
• Strategic threat intelligence

Essential Security Operations Checklist

SIEM Configuration:

• Log sources configured (firewalls, endpoints, servers, cloud)
• Correlation rules active (failed logins, data exfiltration, privilege escalation)
• Alert thresholds tuned (reduce false positives)
• Retention policy implemented (90-day hot, 1-year archive)

Incident Response Readiness:

• IR playbooks documented (phishing, malware, DDoS, breach)
• Communication plan established (internal, legal, PR, customers)
• Evidence collection tools ready (FTK Imager, dd, volatility)
• Backup verification (test restore monthly)

Threat Intelligence:

• Threat feeds integrated (MISP, AlienVault OTX, VirusTotal)
• IOC watchlists maintained (IPs, domains, file hashes)
• Vulnerability scanning scheduled (weekly internal, monthly external)

Security Metrics (NIST IR-4):

• MTTD - Mean Time To Detect (target: <1 hour for critical)
• MTTR - Mean Time To Respond (target: <4 hours for critical)
• Incident trends (weekly review)
• False positive rate (<10%)

Quick SIEM Queries

Failed Login Attempts (Splunk SPL):

index=security sourcetype=auth action=failure
| stats count by user, src_ip
| where count > 5

Suspicious Outbound Traffic (ELK KQL):

destination.port:(4444 OR 8080 OR 1337) AND NOT destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)

Privilege Escalation (Azure Sentinel KQL):

SecurityEvent
| where EventID == 4672
| where AccountType == "User"
| summarize count() by Account, Computer

Incident Severity Classification

Severity	Impact	Response Time	Escalation
Critical	Business-critical system compromised, active data exfiltration	<15 min	Immediate - CISO, Legal
High	Multiple systems affected, potential data breach	<1 hour	Tier 3, Management
Medium	Single system compromised, contained threat	<4 hours	Tier 2
Low	Failed attack attempt, no system impact	<24 hours	Tier 1

---

Level 2:

📚 Full Examples: See REFERENCE.md for complete code samples, detailed configurations, and production-ready implementations.

Implementation Guide

Security Operations Center (SOC) Structure

SOC Team Roles & Responsibilities

SOC Manager:

• Strategic planning and resource allocation
• Metrics reporting to executive leadership
• Policy and procedure development
• Vendor and tool management

Security Analyst Tier 1 (Alert Triage):

• 24/7 monitoring of SIEM alerts
• Initial alert validation and categorization
• Basic log analysis and correlation
• Ticket creation and escalation
• NIST Controls: SI-4 (Information System Monitoring)

Security Analyst Tier 2 (Incident Response):

• Deep-dive incident investigation
• Malware analysis and reverse engineering
• Forensic evidence collection
• Containment and eradication actions
• NIST Controls: IR-4 (Incident Handling), IR-6 (Incident Reporting)

Security Analyst Tier 3 (Threat Hunter):

• Proactive threat hunting campaigns
• Advanced persistent threat (APT) detection
• Threat intelligence analysis and dissemination
• Security tool development and automation
• NIST Controls: IR-5 (Incident Monitoring), AU-6 (Audit Review)

Incident Commander:

• Major incident coordination
• Stakeholder communication (legal, PR, management)
• Post-incident review facilitation

SOC Tools & Technologies

SIEM Platforms:

• Splunk Enterprise Security: Market leader, powerful SPL query language
• Elastic Stack (ELK): Open-source, KQL query language, cost-effective
• Azure Sentinel: Cloud-native, integrated with Microsoft ecosystem
• IBM QRadar: Enterprise-grade, strong compliance features

Endpoint Detection & Response (EDR):

• CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black
• Real-time process monitoring and behavioral analysis
• Automated threat remediation

Threat Intelligence Platforms:

• MISP (Malware Information Sharing Platform)
• ThreatConnect, Anomali, Recorded Future
• STIX/TAXII feeds integration

Forensic Tools:

• Memory Analysis: Volatility, Rekall
• Disk Forensics: Autopsy, FTK Imager, EnCase
• Network Forensics: Wireshark, NetworkMiner, Zeek

Incident Response Lifecycle (NIST 800-61 Rev 2)

Phase 1: Preparation (IR-4)

Organizational Readiness:

See REFERENCE.md for complete implementation.

Tool Preparation:

• SIEM with 90+ days of log retention
• Jump bag (USB drives with forensic tools, live Linux distros)
• Evidence storage (encrypted, chain-of-custody documented)
• Isolated malware analysis sandbox (Cuckoo, ANY.RUN)

Training & Tabletop Exercises:

• Quarterly incident response drills
• Annual red team/purple team exercises
• Phishing simulations monthly

Phase 2: Detection & Analysis (SI-4, AU-6)

Detection Sources:

See REFERENCE.md for complete implementation.

Alert Triage Process:

1. Initial Validation (5 minutes):

   • Is this a true positive or false positive?
   • Quick OSINT lookup (IP reputation, domain age)
   • Check asset criticality (production vs. dev)

2. Scoping (15-30 minutes):

   • Timeline: When did activity start?
   • Scope: How many systems affected?
   • Impact: What data/systems at risk?
   • Persistence: Is threat still active?

3. Categorization:

   • Incident Type: Malware, phishing, DDoS, data breach, insider threat, account compromise
   • Severity: Critical, High, Medium, Low (see Quick Reference table)
   • Confidence: Confirmed, likely, suspected

SIEM Analysis Techniques:

See REFERENCE.md for complete implementation.

See REFERENCE.md for complete implementation.

Threat Intelligence Integration:

See REFERENCE.md for complete implementation.

Phase 3: Containment, Eradication & Recovery (IR-4)

Containment Strategies:

Short-Term Containment (Immediate - 15 minutes):

• Isolate infected host from network (EDR quarantine, VLAN switch)
• Block malicious IPs/domains at firewall/proxy
• Disable compromised user accounts
• Preserve evidence (memory dump, disk image)

See REFERENCE.md for complete implementation.

Long-Term Containment (1-4 hours):

• Implement network segmentation
• Apply emergency patches
• Enhanced monitoring on related systems
• Communication blackout (deny attacker intel)

Eradication:

See REFERENCE.md for complete implementation.

Recovery:

1. System Rebuild (Gold Image):

   • Wipe and reinstall from known-good backup
   • Verify integrity (file hashes, AIDE/Tripwire)

2. Credential Reset:

   • Force password reset for affected accounts
   • Rotate service account credentials
   • Invalidate all active sessions

3. Monitoring Enhancement:

   • Deploy additional sensors on recovered systems
   • Create custom SIEM alerts for re-infection indicators

Phase 4: Post-Incident Activity (IR-5)

Lessons Learned Meeting (Within 2 weeks):

See REFERENCE.md for complete implementation.

Evidence Retention (IR-6):

• Preserve all forensic images for 1 year minimum (legal hold: 7+ years)
• Document chain of custody
• Store in encrypted, access-controlled repository

SIEM Integration & Log Management

Log Source Configuration

Critical Log Sources (Priority 1):

See REFERENCE.md for complete implementation.

Log Parsing & Normalization:

See REFERENCE.md for complete implementation.

SIEM Correlation Rules

Rule 1: Brute Force Attack Detection

See REFERENCE.md for complete implementation.

Rule 2: Data Exfiltration Detection

See REFERENCE.md for complete implementation.

Rule 3: Privilege Escalation

See REFERENCE.md for complete implementation.

Threat Hunting Methodologies

Hypothesis-Driven Hunting

Process:

1. Formulate Hypothesis:

   • "Attackers are using stolen credentials to access sensitive file shares"
   • Based on: Recent credential phishing campaign, increased SMB traffic

2. Define Success Criteria:

   • Identify unauthorized SMB access to finance file shares
   • Detect access outside business hours

3. Data Collection:

See REFERENCE.md for complete implementation.

4. Analysis & Validation:

   • Cross-reference user's normal access patterns (UEBA baseline)
   • Check if source IP is VPN or internal
   • Verify user's job role requires access

5. Document Findings:

   • Create IOCs for detected malicious activity
   • Update SIEM alerts
   • Brief SOC team

Data-Driven Hunting (Stack Counting)

Technique: Rare Process Execution

# Splunk: Find rare parent-child process relationships
index=security sourcetype=sysmon EventCode=1
| stats count by ParentImage, Image
| where count < 5
| sort count

Technique: Beaconing Detection

See REFERENCE.md for complete implementation.

Digital Forensics & Evidence Collection

Live System Forensics

Linux Memory Capture:

See REFERENCE.md for complete implementation.

Windows Memory Capture:

# Using Magnet RAM Capture (free tool)
.\MagnetRAMCapture.exe -output C:\forensics\memory.dmp

# Using WinPmem
.\winpmem.exe memory.raw

Disk Forensics

Evidence Collection (Forensically Sound):

See REFERENCE.md for complete implementation.

Timeline Analysis:

See REFERENCE.md for complete implementation.

Network Forensics

PCAP Analysis:

See REFERENCE.md for complete implementation.

Security Metrics & KPIs (NIST IR-4, AU-6)

Primary Metrics

Mean Time To Detect (MTTD):

See REFERENCE.md for complete implementation.

Mean Time To Respond (MTTR):

See REFERENCE.md for complete implementation.

Incident Trends:

See REFERENCE.md for complete implementation.

False Positive Rate:

# Calculate FP rate
total_alerts = 1000
true_positives = 150
false_positives = 850

fp_rate = false_positives / total_alerts * 100
print(f"False Positive Rate: {fp_rate:.1f}%")
# Target: <10%

Dashboard Visualization

Grafana Dashboard (JSON Export):

See bundled resource: templates/security-metrics-dashboard.json

Key Panels:

• MTTD/MTTR trend line graph
• Incident severity distribution (pie chart)
• Top 10 alert sources (bar chart)
• SOC analyst workload (heatmap)
• Threat actor attribution (world map)

Incident Response Playbooks

Playbook 1: Phishing Response

Trigger: User reports suspicious email OR email security gateway flags malicious attachment

Actions:

1. Containment (5 minutes):
   • Quarantine email from all mailboxes (Exchange PowerShell)
   • Block sender domain at email gateway
   • Disable any compromised accounts

# Exchange: Delete phishing email
Search-Mailbox -Identity * -SearchQuery 'Subject:"Urgent: Password Expiration"' -DeleteContent

2. Analysis (30 minutes):

   • Extract email headers (sender IP, SPF/DKIM/DMARC results)
   • Analyze attachments in sandbox (ANY.RUN, Hybrid Analysis)
   • Check for payload delivery (EDR alerts, web proxy logs)

3. Eradication:

   • Remove malware from infected endpoints (EDR remediation)
   • Reset passwords for affected users

4. Recovery:

   • Restore deleted files from backup
   • Re-enable accounts after credential reset

5. Post-Incident:

   • Update phishing training materials
   • Add IOCs to threat intelligence platform
   • Tune email security rules

Playbook 2: Ransomware Response

Trigger: EDR detects mass file encryption OR user reports encrypted files with ransom note

Actions:

1. Immediate Containment (<5 minutes):

   • Isolate infected host (network disconnect)
   • Identify ransomware variant (ransom note, file extensions)
   • Preserve memory image for forensics

2. Impact Assessment (30 minutes):

   • How many systems encrypted?
   • What data affected? (finance, PII, IP)
   • Are backups intact?

3. Eradication:

   • Do NOT pay ransom (FBI/CISA guidance)
   • Wipe infected systems
   • Remove ransomware from network shares

4. Recovery:

   • Restore from backups (test integrity first)
   • Rebuild systems from gold image
   • Verify decryption (if free tool available from No More Ransom)

5. Post-Incident:

   • Review backup strategy (offline/immutable backups)
   • Patch vulnerable systems
   • Implement application whitelisting

Playbook 3: Data Breach Response (IR-6)

Trigger: Unauthorized data access detected OR external notification of leaked data

Actions:

1. Containment (15 minutes):

   • Revoke API keys/credentials
   • Block attacker IP addresses
   • Enable enhanced logging

2. Scope Determination (2-4 hours):

   • What data was accessed? (query database audit logs)
   • How many records? What PII fields?
   • Timeline of unauthorized access

3. Legal/Regulatory Notification:

   • Notify legal counsel immediately
   • GDPR: 72-hour breach notification to supervisory authority
   • CCPA: Notify California Attorney General if >500 residents affected
   • HIPAA: Notify HHS within 60 days

4. Customer Communication:

   • Draft notification letter (legal review required)
   • Offer credit monitoring services
   • Set up dedicated support line

5. Remediation:

   • Fix vulnerability that led to breach
   • Implement additional access controls
   • Conduct third-party security audit

NIST 800-53 IR Control Implementation

IR-4: Incident Handling

See REFERENCE.md for complete implementation.

IR-5: Incident Monitoring

See REFERENCE.md for complete implementation.

IR-6: Incident Reporting

See REFERENCE.md for complete implementation.

SI-4: Information System Monitoring

See REFERENCE.md for complete implementation.

AU-6: Audit Review, Analysis, and Reporting

See REFERENCE.md for complete implementation.

Security Operations Best Practices

SOC Efficiency Tips:

1. Automate Tier 1 Tasks:

   • Use SOAR (Security Orchestration, Automation, Response) for common playbooks
   • Auto-enrich alerts with threat intel (IP reputation, domain age)
   • Automated containment for high-confidence alerts

2. Reduce Alert Fatigue:

   • Tune SIEM rules quarterly (disable low-value alerts)
   • Implement alert grouping/deduplication
   • Use risk-based alerting (asset criticality × threat severity)

3. Continuous Improvement:

   • Post-incident reviews for every P1/P2 incident
   • Track false positive sources, fix root cause
   • Share lessons learned across team (monthly knowledge sharing)

4. Threat Intelligence Integration:

   • Subscribe to relevant ISAC feeds
   • Correlate internal incidents with global campaigns
   • Contribute anonymized IOCs back to community

5. Training & Development:

   • Certifications: GCIH, GCFA, GCIA, OSCP
   • Hands-on labs: TryHackMe, HackTheBox, CyberDefenders
   • Conference attendance: DEF CON, Black Hat, BSides

Common Pitfalls to Avoid:

• Alert Overload: Tune, don't just forward all logs to SIEM
• Inadequate Documentation: Every incident must have a ticket
• Poor Communication: Keep stakeholders updated (no surprises)
• Neglecting Backups: Test restore process regularly
• Single Point of Failure: Redundant SIEM collectors, analysts on-call

---

Level 3: Deep Dive Resources

Bundled Resources

This skill includes 6 ready-to-use templates and scripts:

1. templates/incident-response-playbook.md

   • Complete IR playbooks for phishing, malware, DDoS, data breach
   • Step-by-step checklists with NIST control mappings
   • Communication templates (internal, external, regulatory)

2. templates/siem-queries.md

   • 50+ production-ready SIEM queries
   • Splunk SPL, ELK KQL, Azure Sentinel KQL
   • Categorized by MITRE ATT&CK tactics

3. scripts/forensics-collection.sh

   • Automated Linux forensics evidence collection
   • Memory dump, disk imaging, log preservation
   • Chain-of-custody documentation

4. templates/post-incident-report.md

   • Post-incident report template with root cause analysis
   • Lessons learned framework
   • Action item tracking

5. templates/security-metrics-dashboard.json

   • Grafana dashboard for security metrics
   • MTTD, MTTR, incident trends, SOC workload
   • Ready to import

6. resources/nist-ir-controls.md

   • NIST 800-61 incident response guide mapping
   • NIST 800-53 IR control implementation details
   • Compliance checklist

Advanced Training Paths

Incident Response Certifications:

• GCIH (GIAC Certified Incident Handler): Industry-standard IR certification
• GCFA (GIAC Certified Forensic Analyst): Advanced forensics
• GCIA (GIAC Certified Intrusion Analyst): Network traffic analysis
• OSCP (Offensive Security Certified Professional): Penetration testing (know the attacker mindset)

Hands-On Labs:

• TryHackMe: "SOC Level 1" and "Cyber Defense" paths
• CyberDefenders: Blue team challenges with real incident data
• SANS NetWars: Capture-the-flag style incident response

Recommended Reading:

• Incident Response & Computer Forensics by Jason Luttgens (McGraw-Hill)
• The Art of Memory Forensics by Michael Hale Ligh (Wiley)
• Blue Team Handbook: SOC, SIEM, and Threat Hunting by Don Murdoch (CreateSpace)

NIST Framework References

• NIST 800-61 Rev 2: Computer Security Incident Handling Guide
  • https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
• NIST 800-53 Rev 5: Security and Privacy Controls (IR Family)
  • https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
• NIST 800-86: Guide to Integrating Forensic Techniques into Incident Response
  • https://csrc.nist.gov/publications/detail/sp/800-86/final

Tools & Resources

Open-Source SIEM:

• Wazuh: https://wazuh.com
• Elastic Security: https://www.elastic.co/security
• Graylog: https://www.graylog.org

Threat Intelligence Platforms:

• MISP (Open Source): https://www.misp-project.org
• AlienVault OTX: https://otx.alienvault.com
• STIX/TAXII: https://oasis-open.github.io/cti-documentation/

Forensic Tools:

• Volatility (Memory Analysis): https://www.volatilityfoundation.org
• Autopsy (Disk Forensics): https://www.autopsy.com
• Wireshark (Network Analysis): https://www.wireshark.org

Incident Response Frameworks:

• MITRE ATT&CK: https://attack.mitre.org
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• SANS Incident Response Process: https://www.sans.org/blog/the-importance-of-incident-response-planning/

Community & Collaboration

ISACs (Information Sharing and Analysis Centers):

• FS-ISAC (Financial Services)
• H-ISAC (Healthcare)
• MS-ISAC (Multi-State, government)
• ICS-ISAC (Industrial Control Systems)

Conferences:

• DEF CON (Las Vegas, August)
• Black Hat (multiple locations)
• RSA Conference (San Francisco, April)
• BSides (local chapters worldwide)

Online Communities:

• Reddit: r/AskNetsec, r/blueteamsec
• Discord: SANS Cyber Defense Initiative, TryHackMe
• Twitter: #infosec, #threatintel, #dfir

---

Summary & Next Steps

You've learned:

• Security Operations Center structure and processes
• Incident response lifecycle (NIST 800-61 Rev 2)
• SIEM integration and log analysis
• Threat hunting methodologies
• Digital forensics and evidence collection
• Security metrics and KPIs
• NIST 800-53 IR control implementation

Validation Exercise:

Set up a mini SOC lab:

1. Deploy Wazuh SIEM (Docker or VM)
2. Forward logs from 3 systems (Linux, Windows, network device)
3. Create 5 custom correlation rules
4. Simulate an incident (Metasploit attack)
5. Respond using IR playbook
6. Write post-incident report

Time estimate: 8-12 hours

Related Skills:

• Security Fundamentals
• Network Security
• Linux Security
• Cloud Security

Compliance Mapping:

• NIST IR-4, IR-5, IR-6, SI-4, AU-6
• ISO 27001: A.16.1 (Incident Management)
• PCI-DSS: Requirement 12.10 (Incident Response Plan)
• SOC 2: CC7.3 (Security Incidents)

Examples

Basic Usage

// TODO: Add basic example for security-operations
// This example demonstrates core functionality

Advanced Usage

// TODO: Add advanced example for security-operations
// This example shows production-ready patterns

Integration Example

// TODO: Add integration example showing how security-operations
// works with other systems and services

See examples/security-operations/ for complete working examples.

Integration Points

This skill integrates with:

Upstream Dependencies

• Tools: Common development tools and frameworks
• Prerequisites: Basic understanding of general concepts

Downstream Consumers

• Applications: Production systems requiring security-operations functionality
• CI/CD Pipelines: Automated testing and deployment workflows
• Monitoring Systems: Observability and logging platforms

Related Skills

• See other skills in this category

Common Integration Patterns

1. Development Workflow: How this skill fits into daily development
2. Production Deployment: Integration with production systems
3. Monitoring & Alerting: Observability integration points

Common Pitfalls

Pitfall 1: Insufficient Testing

Problem: Not testing edge cases and error conditions leads to production bugs

Solution: Implement comprehensive test coverage including:

• Happy path scenarios
• Error handling and edge cases
• Integration points with external systems

Prevention: Enforce minimum code coverage (80%+) in CI/CD pipeline

Pitfall 2: Hardcoded Configuration

Problem: Hardcoding values makes applications inflexible and environment-dependent

Solution: Use environment variables and configuration management:

• Separate config from code
• Use environment-specific configuration files
• Never commit secrets to version control

Prevention: Use tools like dotenv, config validators, and secret scanners

Pitfall 3: Ignoring Security Best Practices

Problem: Security vulnerabilities from not following established security patterns

Solution: Follow security guidelines:

• Input validation and sanitization
• Proper authentication and authorization
• Encrypted data transmission (TLS/SSL)
• Regular security audits and updates

Prevention: Use security linters, SAST tools, and regular dependency updates

Best Practices:

• Follow established patterns and conventions for security-operations
• Keep dependencies up to date and scan for vulnerabilities
• Write comprehensive documentation and inline comments
• Use linting and formatting tools consistently
• Implement proper error handling and logging
• Regular code reviews and pair programming
• Monitor production metrics and set up alerts

---

---

Last Updated: 2025-01-17 Version: 1.0.0 Maintained by: Security Operations Team