22 Apr 2024

Essential Playbooks for Your SOC

Mario Rojas

Security Operations Center (SOC) teams stand on the front lines in cybersecurity, keeping our cyber world safe from endless threats. For these teams, every second counts as they work tirelessly to identify and mitigate cyber threats targeting their organizations.

Balancing a rapid response with thorough initial assessments, all while juggling a myriad of tools, processes, and alerts, is a challenge that the teams face every single day, making efficiency both a goal and a must for survival. This is where the strategic importance of SOC playbooks comes into play.


An Overview of SOC Playbooks πŸ”—︎

SOC Playbooks are essential for cyber defense, providing clear, step-by-step instructions tailored to various threat scenarios. They serve not merely as documents, but as lifelines that streamline decision-making processes, ensuring that every team member understands their role and actions to take before, during, and after a security incident. Additionally, playbooks facilitate prompt communication with stakeholders in case of a security breach, thereby enhancing transparency and stakeholder relations.

Although no one-size-fits-all format exists for the SOC playbooks, most teams follow the National Institute of Standards and Technology (NIST)‘s standards, including the following sections.

INVESTIGATOR NOTE

It is important to recognize that not every SOC is involved in every stage of incident response. Often, SOCs serve primarily in initial detection and analysis, assisting with tasks that Computer Security Incident Response Teams (CSIRTs) or Incident Response (IR) teams might later expand upon. Thus, in many instances, SOCs act as the foundational layer of incident response. In some scenarios, the term β€œSOC” might encompass the entire incident response spectrum, though this broader involvement is less typical. Remember these insights as you tailor playbooks to fit your team’s needs!


A typical SOC playbook process

  1. Preparation: Establishing and maintaining the capability to respond effectively to incidents, including developing policies, plans, and procedures, defining roles, training personnel, and acquiring necessary tools and resources.
  2. Detection & Analysis: Identifying and investigating incidents to determine their nature and scope. This includes monitoring for and analyzing potential incidents, effectively using detection tools, and correctly identifying and documenting incidents.
  3. Containment, Eradication & Recovery: Limiting the spread of an incident, removing its components, and restoring systems to normal operation. This involves executing a containment strategy, eradicating the incident’s cause, and recovering affected systems and data.
  4. Post-Incident Activity: Learning from the incident to improve future incident response efforts and overall security posture. This includes conducting a post-incident review, documenting lessons learned, and implementing improvements to policies and controls.

Amplifying SOC Playbooks with Maltego: Ransomware πŸ”—︎

Security teams are constantly evolving their strategies to respond to and combat the ever-changing cyber threats. Maltego amplifies the SOC playbook’s effectiveness by automating data collection and visualization, turning complex datasets into clear, actionable insights, which saves precious time and helps analysts make informed decisions faster. We will focus on the Detection & Analysis phase, identified as the pivotal segment of the entire process. It is within this phase that Maltego’s capabilities prove most advantageous.

Let’s discuss how Maltego can be used for the ransomware playbook and elevate the SOC operation with the world’s most used cyber investigation platform! For insights into enhancing incident response workflows with Maltego, and to streamline investigative processes, consider delving into the Maltego Handbook for Incident Response.

Ransomware πŸ”—︎

Maltego enables teams to quickly assess the impact and scope of a ransomware attack and understand the methods through which threat actors control their victims, including uncovering malicious infrastructure such as command and control servers. By speeding up the aggregation and analysis of indicators of compromise (IOCs), Maltego helps identify patterns and connections that might go unnoticed.

Preparation πŸ”—︎

  • Attack Surface: Perform an attack surface assessment to identify and catalog all externally exposed hosts, including those potentially unknown to the organization. Regularly update the asset list to reflect the current state of the network environment.

  • Automated Level 1 Network Footprint: Efficiently conduct network footprinting with Maltego Machines, saving you considerable time on information gathering, processing, and visualization.

  • Drills: Conduct annual cybersecurity exercises to simulate ransomware attack scenarios. This practice helps validate the effectiveness of the playbook and the organization’s readiness to respond to actual incidents.

  • Threat Landscape Monitoring: Continuously monitor and analyze threat intelligence to stay informed about emerging threats to the organization, industry-specific risks, and evolving ransomware tactics. Incorporate various sources to obtain a comprehensive threat perspective.

Detection and Analysis πŸ”—︎

  • Identify Threat Indicators: Aggregate and analyze indicators from security solutions such as SIEMs like Splunk, AV/EDR, ticketing systems, and notifications from security personnel or users to identify potential ransomware incidents quickly.
  • Data Collection: Collect detailed information on indicators like Bitcoin addresses, emails, file hashes, file behaviors, domain reputations, and IP communications. Enrich this data using third-party sources to assess the severity and impact of the threat.
  • Triage: Evaluate the impact (e.g., data destruction, proliferation) and scope (e.g., number of affected hosts, additional IOCs) to prioritize response efforts. Determine if the event is a false positive; if yes, stop; if no, proceed with analysis.
  • Live Threat Actor: If a live threat actor is identified, utilize Maltego for real-time investigations and support to block new IOCs as they are identified.
  • Identify Ransomware Family: Use OpenCTI to identify the ransomware’s TTPs, determine decryption possibilities, and identify the targeted OS. This information aids in tailoring the response strategy.
  • Identify Affected Systems Type: Determine the types of affected systems (servers, workstations) using tools like Splunk to understand the attack’s breadth and depth.
  • Data Exfiltration: If data exfiltration is suspected, activate the Data Loss Playbook to mitigate and assess the damage.
  • Pay the Ransom: Assess the legality and advisability of paying the ransom, acknowledging that not all ransomware threat actors are sanctioned entities, paying criminals is illegal in some jurisdictions and generally discouraged according to Business Continuity Plans (BCPs). Perform a thorough blockchain analysis to fully understand the implications and potential risks associated with a ransom payment.
  • Root Cause Analysis: Conduct a thorough analysis to identify the attack’s root cause, which is crucial for preventing future incidents.
  • Send Communication: Communicate effectively with all stakeholders throughout the incident to ensure coordinated and informed response actions.

Containment, Eradication, and Recovery πŸ”—︎

  • Network Isolation: Block system-to-system communication to prevent the spread of ransomware. Disconnect affected systems from the network as well as any shared drives. And make sure that threat actors can no longer control the infected systems.
  • Stop Backups: Temporarily halt backup processes to prevent backup data encryption. Verify the integrity of the latest stable version of backups and preserve the latest backups with additional security measures.
  • Malware Infection: Follow the Malware Playbook to remove ransomware and other implants to remotely control and preserve access from infected systems and prevent reinfection.
  • Monitor for New IOCs: Continuously monitor new IOCs and the evolution of TTPs from the same incident or campaign during and after the containment phase to detect any lingering threats or additional points of compromise.

Post-Incident Activity πŸ”—︎

  • Incident Visualization: Use Maltego to create a comprehensive visualization of the incident, depicting the relationships between hosts, IOCs, and the attack’s progression. This visualization aids in understanding the incident’s full scope and can be used for debriefing and lessons learned.

A Brief Investigation in Maltego πŸ”—︎

This investigation represents the detection and analysis phase of the ransomware investigation with Maltego. Our starting point is the IPv4 address from the malware sample; Rhysida ransomware.

Step 1: Drop an IPv4 Address and update it with the address of the affected host.

Step 2: Run the Transform Get Malware Attacks Events [Splunk] to identify any malware events associated with the host. Other early unclear events could lead to identifying an infection by investigating suspicious outbound connections. However, in our case, we will focus directly on malware attack events.

Step 3: Select all events Entities and run To FileHash [Hash] to extract the associated hashes. You will see hash Entities as a result.

Step 4: Select the hash Entities and run Lookup by Hash [Polyswarm]. This Hub item is included in the Maltego Selection for CTI.

Step 5. Select the result with the red dot and run the Transform To Tags [Polyswarm] to identify the malware family. This will help verify if there’s a connection to the identified malware.

INVESTIGATOR TIP

To find additional affected hosts, run the Search All Events [Splunk] Transform on the hashes associated with the same Polyswarm Entities.


Step 6: Select the hashes associated with the ransomware and run the Transform To VirusTotal File [VirusTotal Public API] to gather more IoCs.

Step 7: Select the file Entities and run To Contacted IP Addresses [VirusTotal Public API] and To Contacted Domains [VirusTotal Public API] Transforms. After this step, if the team wants to know about the malware(Rhysida) as much as possible, they can use the OpenCTI integration on a new graph.

Step 8: Paste the name of the ransomware family as a phrase Entity and run the Transform Search by Phrase [OpenCTI].

Step 9: Select the STIX2 intrusion set and run the Set to Indicators [STIX2].

Step 10: Select all STIX2 indicator Entities and run the Indicator to all Observables [OpenCTI].

Step 11: Check email logs for emails generated from the identified Domains as well as connections made to/from the IP addresses by using the Get All Mail Events [Splunk] Transform.



In our playbooks, we detail the step-by-step process for four widely recognized use cases, making them ready for investigation so you can easily implement them in your Maltego platform.

  1. Ransomware
  2. Phishing Attack
  3. Malware Infection
  4. Vulnerability Response
  5. Insider Threats (Data Leakage)

You can also find out about how to enhance the investigations with automation and the benefits of the automation in the playbooks!

Embracing a playbook goes beyond just meeting immediate challenges; it’s about evolving into a constantly adaptive presence against cyber threats. With these playbooks, you can assess your team’s current methods and discover ways to boost efficiency and the direct impact of your operations on the business!

Download SOC Playbooks πŸ”—︎

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

As cybersecurity professionals, we are committed to continuously refining our strategies and tools, which is crucial to staying ahead of adversaries. Embracing the synergy between SOC playbooks and Maltego’s capabilities offers a pathway to enhanced security and a more empowered stance in the digital domain. The journey of bolstering our cyber defenses is ongoing, and with a platform like Maltego at our disposal, it’s a journey that we can undertake with greater confidence and success.

To truly understand the immediate impact Maltego can have on your operations and see how it translates into enhanced efficiency for your organization, consider calculating a tailored ROI today.

Happy investigating!

About the Author πŸ”—︎

Mario Rojas

Mario Rojas is a former Cyber Security and Threat Intelligence Subject Matter Expert at Maltego with more than 14 years of experience in the cybersecurity field. His expertise in open-source intelligence (OSINT) allows him to effectively map and visualize complex relationships and connections between entities, from IP addresses and domain names to social media profiles and Darkweb forums.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.