SOC Analyst 101 Part 2: Analyst Mindset

If you haven’t already, please read my prior SOC Analyst 101 posts:

Part 0: Overview & Prerequisites

Part 1: Logs & Security Models

In part 1 we covered the basics of security models and logs, and at the end I gave you some homework to explore how to read logs. If you have not done so, I recommend checking out the resources section in part 1. At this point, you should have a decent understanding of enterprise networks and logging, and the ability to read logs. In this section, I am going to introduce you to some lessons I have learned from working as a SOC analyst that you should keep in mind while continuing your journey. This will help you with your career and get you in the right mindset for future SOC Analyst 101 posts.

Work Ethic

Your Mindset

Working in this field, you will go through many different emotions. You’ll have anxiety, you’ll fail, and you’ll have imposter syndrome. Anxiety can come from many different sources, whether it’s working your first true positive alert or feeling like you are not knowledgeable enough to be in the position you are in.

Just know that this is normal, and be willing to ask for help. If you get stuck on something, try your best to figure it out in a reasonable amount of time (dependent on the situation). Once you’ve exhausted your own options, ask someone for help. I’m sure your current or future coworkers would rather help you than have something go wrong.

Your Coworker Mindset

This mindset concerns how you are to work with. Although the cybersecurity industry can be a meritocracy, remember that at one point nobody knew what they know now. As a result, you should not only be willing to ask questions, but also to teach others. Your experience and education might lead you to see things differently. Pass along the things you learn to others to help your organization. Remember, in the end it’s our community vs. adversaries, and we must be willing to act as a collective group and share information to improve our own understanding as technology and attackers evolve.

Keep this in mind when working with other organizations too. Whether you work at an MSSP and provide security for clients, receive security services for your organization, or work in consulting, we should be willing to help each other and not dismiss an individual if they do not know something. Be open to questions and be as helpful as you can; we’re all in this together.

Analyst Mindset

This section covers the mindset that is beneficial when conducting investigations, including methodologies, biases, and approaches.

OODA Loop – Conducting Analysis

The OODA loop was created by United States Air Force Colonel John Boyd. The acronym stands for Observe, Orient, Decide, Act, and the loop is summarized as “a four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision, while also understanding that changes can be made as more data becomes available” (TechCrunch reference). I believe this model fits the analysis that is conducted during an IR investigation. Each step can feed back into the others, as depicted by the model below.

OODA cybersecurity loop

Source: https://www.researchgate.net/figure/OODA-loop-for-cyber-security_fig3_330839827

Observe

The first step of the loop is to identify the problem and gain an overall understanding. In cybersecurity terms, this means asking the question “what is the reason the detection was created?” and then identifying the key artifacts associated with the detection. After identification, collection of data associated with the detection and its artifacts begins. This can include searching SIEMs, investigating process trees, identifying account behavior, running baseline searches, and enriching data through OSINT. During your investigation, remember to stay within the scope of why the detection was created so that your observations stay useful.

Orient

The orient step is the analysis of the obtained information and understanding the root cause (more on this later). The OODA loop considers how your previous experience and knowledge will impact your perceptions. At this stage, it is good to ask other analysts for questions and opinions to gain a deeper understanding and more perspectives on the situation. Remember that you will be constantly re-orienting as your understanding changes and new information is obtained.

Decide

At this point, information has been collected and contextualized, so it is time to decide on a plan of action. This step is not about taking action but debating it until the final course of action is determined. In SOC analyst terms, this can be deciding whether something is a false positive or malicious and, if it is malicious, what remediation steps should be taken to contain the threat.

Act

The act phase is implementing the decision from the previous phase. This can be documenting the false positive detection or carrying out remediation actions. The OODA loop is a cycle: it will feed into your future investigations and build upon your own personal lessons. This is one of the most important takeaways in my opinion: if you made a wrong decision somewhere in the loop, own it and learn from it.

Analytical Bias

Cognitive biases are errors that can distort our perception, leading to incorrect decisions. Below are several bias types that you should be aware of and keep in mind during your analysis so that you reach an accurate decision.

Confirmation Bias

Confirmation bias is favoring information that confirms a preexisting belief or theory. This can affect how information is observed and interpreted, leading to evidence that could support an alternate decision being ignored. To mitigate this bias, remember to consider contrary evidence and alternative viewpoints. Asking for others’ opinions and playing devil’s advocate can help provide insight. For example, confirmation bias can be stating that “this detection is always a false positive” and then only looking for evidence that supports this claim.

Anchoring Bias

Anchoring bias is giving undue weight to the first piece of information received, so that all subsequent judgements are based on this anchor. For example, suppose an analyst is working an alert and a colleague states, “this is definitely a nation state attacker from ___ country”. This can lead the analyst to decide based on this one piece of information, which can lead to an incorrect conclusion. To mitigate this bias, gather more information and consider the opposite.

APT attacker meme

Source: https://medium.com/@cryptic_glyd3r/open-season-guide-to-setting-up-the-workflow-for-your-hunting-team-pt-1-67cbb9542045

Availability Bias

This bias is more cognitive: if something can be recalled quickly from memory, its importance can be overestimated. I am going to extend this bias to making decisions only off data that can be obtained, without considering what might not be available. In the case of a SOC analyst, just because something was not logged does not mean it did not happen. Furthermore, this bias can be fed by media coverage and alert frequency. For example, if an attack is common in the media, this can bias your thinking if you are investigating a detection that, at first glance, appears to be related. Remember to consider alternative viewpoints and understand the context of what you are investigating; it is possible that the environment lacks logging for what you are looking for.
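The OODA loop described above applied to a single alert, together with the availability-bias point that an absence of logs is not an absence of activity, as an added example that is not part of this post or of any tool it mentions. The process telemetry, host names, asset inventory, the list of Office parents worth extra scrutiny and the “seen on fewer than two hosts” rarity threshold are all constructed assumptions; a real environment would take these from its own EDR or SIEM and its own baseline.

```python
"""Added example: a toy OODA-loop triage over constructed process telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # minutes since window start (constructed clock)
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry for one short window; hosts, users and commands are made up.
EVENTS = [
    ProcEvent(1, "WS-042", "jdoe", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(2, "WS-042", "jdoe", 120, 100, "winword.exe", "winword.exe Q3_invoice.docm"),
    ProcEvent(3, "WS-042", "jdoe", 130, 120, "powershell.exe", "powershell.exe <ARGS_PLACEHOLDER>"),
    ProcEvent(4, "WS-042", "jdoe", 140, 130, "rundll32.exe", "rundll32.exe <ARGS_PLACEHOLDER>"),
    # A management agent runs the same inventory script on several hosts.
    ProcEvent(5, "WS-001", "SYSTEM", 210, 50, "agent.exe", "agent.exe"),
    ProcEvent(5, "WS-001", "SYSTEM", 211, 210, "powershell.exe", "powershell.exe -File inventory.ps1"),
    ProcEvent(6, "WS-002", "SYSTEM", 310, 60, "agent.exe", "agent.exe"),
    ProcEvent(6, "WS-002", "SYSTEM", 311, 310, "powershell.exe", "powershell.exe -File inventory.ps1"),
    ProcEvent(7, "WS-003", "SYSTEM", 410, 70, "agent.exe", "agent.exe"),
    ProcEvent(7, "WS-003", "SYSTEM", 411, 410, "powershell.exe", "powershell.exe -File inventory.ps1"),
]

# Constructed asset inventory: hosts we expect telemetry from. WS-099 never reports.
EXPECTED_HOSTS = {"WS-001", "WS-002", "WS-003", "WS-042", "WS-099"}

# Assumed list of Office parents that deserve extra scrutiny (not from the post).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def observe(alert, events):
    """Observe: collect the alerted host's events and walk its process tree."""
    host_events = [e for e in events if e.host == alert["host"]]
    by_pid = {e.pid: e for e in host_events}
    ancestry, cur = [], by_pid.get(alert["pid"])
    while cur is not None:                 # climb parent links up to the root
        ancestry.append(cur.image)
        cur = by_pid.get(cur.ppid)
    ancestry.reverse()
    children = [e.image for e in host_events if e.ppid == alert["pid"]]
    return {"alert": alert, "ancestry": ancestry, "children": children}


def orient(obs, events, expected_hosts):
    """Orient: baseline the parent->child pair fleet-wide and note which
    expected hosts sent no telemetry at all (the availability-bias check)."""
    parent = obs["ancestry"][-2] if len(obs["ancestry"]) > 1 else None
    child = obs["ancestry"][-1] if obs["ancestry"] else None
    by_host_pid = {(e.host, e.pid): e for e in events}
    pairs = defaultdict(set)               # (parent image, child image) -> hosts seen on
    for e in events:
        p = by_host_pid.get((e.host, e.ppid))
        if p is not None:
            pairs[(p.image, e.image)].add(e.host)
    return {
        "pair": (parent, child),
        "baseline_hosts": sorted(pairs.get((parent, child), set())),
        "silent_hosts": sorted(expected_hosts - {e.host for e in events}),
        "office_parent": parent in OFFICE_APPS,
        "children": obs["children"],
    }


def decide(ctx, rare_threshold=2):
    """Decide: pick a course of action and keep the rationale so the call
    can be revisited when new information arrives."""
    seen_on = len(ctx["baseline_hosts"])
    rare = seen_on < rare_threshold        # assumed cut-off for "unusual in this fleet"
    if ctx["office_parent"] and rare:
        return "escalate", "Office app spawned a rare child; treat as malicious until disproven"
    if not rare:
        return "close_false_positive", f"{ctx['pair']} seen on {seen_on} hosts; consistent with fleet tooling"
    return "investigate_further", "rare but no strong indicator yet; gather more data"


def act(verdict, rationale, ctx, case_log):
    """Act: record the outcome so the next pass through the loop builds on it."""
    entry = {"verdict": verdict, "rationale": rationale, "silent_hosts": ctx["silent_hosts"]}
    case_log.append(entry)
    return entry


def run_loop(alert, events=EVENTS, expected_hosts=EXPECTED_HOSTS, case_log=None):
    """One pass through Observe -> Orient -> Decide -> Act for a single alert."""
    case_log = [] if case_log is None else case_log
    obs = observe(alert, events)
    ctx = orient(obs, events, expected_hosts)
    verdict, why = decide(ctx)
    return act(verdict, why, ctx, case_log), obs, ctx


if __name__ == "__main__":
    for alert in ({"name": "Office spawning PowerShell", "host": "WS-042", "pid": 130},
                  {"name": "PowerShell execution", "host": "WS-001", "pid": 211}):
        entry, obs, ctx = run_loop(alert)
        print(alert["name"], "->", entry["verdict"], "|", " > ".join(obs["ancestry"]))
        if ctx["silent_hosts"]:
            print("  no telemetry from:", ctx["silent_hosts"], "(absence of logs is not absence of activity)")
```

The two alerts share the same child image, and only the baseline built in the orient step separates them: the Word-spawned instance is unique in the fleet and is escalated, while the agent-spawned one is seen on three hosts and is closed as a false positive. The silent-host list is carried into the case record on purpose, so that the decision is documented as having been made without telemetry from WS-099 rather than silently treating that gap as evidence of nothing happening.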

Mirroring Bias

This is the act of projecting your own perspectives onto others, assuming they act the same way you do. In cybersecurity, analysts know how attacks are conducted and are likely to carry out hands-on exercises for practice. This can lead an analyst to project their own understanding onto what an adversary appears to be attempting during an investigation, reasoning from “what I would have done” rather than from what the adversary did or did not do. This can lead to wrong conclusions, such as “there is no way an attacker would be doing this”, instead of understanding the observed behavior. SOC analysts can be the first ones to see a new attack behavior, so it is important to keep an open mind.

Approaches

Guilty until proven innocent

When a detection is created for an analyst to investigate, there is a reason why it fired. When starting an investigation, it is safer to assume something is malicious and then disprove this theory with the information gained. This is not to say that you should automatically determine everything to be a true positive, but that you should be slightly skeptical that the behavior is safe while working to understand its context. Once the context is understood, it can change your assessment of whether or not it is a threat.

Root cause analysis

Root cause analysis is the process of understanding the cause of a problem or incident. It goes beyond identifying the symptoms to finding the reason for the problem. During an investigation, this means determining the root cause of why a detection was created in the first place: considering any signatures generated and the detection itself, then searching for what caused the detection.

Slow is smooth and smooth is fast (within reason)

This mantra comes from the Navy SEALs and conveys that accuracy is more important than quick action in high pressure situations. I add the catch “within reason” because an analyst should keep in mind that time does matter for remediation and for any agreements on the time allocated for triage. The analysis should have a steady tempo but not be rushed, as rushing can lead to a lack of understanding and to mistakes being made. Going back to fix a previous mistake, or to deal with a false negative that left the attack uncontained, only prolongs the triage process.

Your Homework

Now that you understand the mindset for conducting investigations, your homework is to find hands-on exercises and practice (recommendations are below). Although these exercises are predetermined malicious scenarios, keep the above information in mind while working through them.

Resources

Hack The Box Sherlocks

Hack The Box recently released “Sherlocks”, which are blue team oriented labs. The active challenges can be played for free and I highly recommend them. If you would like access to retired labs, which contain walkthroughs, consider a VIP or VIP+ subscription. https://hacktheboxltd.sjv.io/XYVaJa (Affiliate)

Lets Defend https://letsdefend.io/

Blue Team Labs https://blueteamlabs.online/

Try Hack Me https://tryhackme.com/

Hack The Box Academy SOC Analyst Job Role Path

Hack The Box offers the SOC Analyst Job Role path. When completed, students can take an exam to earn the HTB Certified Defensive Security Analyst (CDSA). https://hacktheboxltd.sjv.io/jrv7q5 (Affiliate)

I hope you found this post useful; I will continue to write more as I get the chance. Feel free to follow me with the links below:

Instagram: https://instagram.com/cybersec.reviews

Twitter: https://twitter.com/CybersecReviews

YouTube: https://www.youtube.com/channel/UCVzwIAJplnpwm-56g9cYqFA