Daily Life in the SOC – Level 1 Analyst

by mrahier96

The Level 1 CSOC Analyst Team is at the forefront of the Excellium Cyber Security Operations Centre. These analysts, also known as first responders, work in 8-hour shifts every day of the year to ensure full-time coverage of infrastructure and to guarantee that there is always someone ready to act, no matter the time or day. The number of people on any given shift is increasing to meet the growing needs of the expanding client base, as well as surges in activity caused by external circumstances such as the Russo-Ukrainian war or the American presidential election.

With that said, what exactly does a level 1 analyst do?

Putting the O in SOC

When a security alert is received, the analyst follows an internally developed and prescribed investigation path known as triage, the methodology of which varies depending on the alert under investigation. This can be visualized as a series of questions that the analyst must answer in order to determine the severity of an alert. For most alerts, the main questions are:

  • Is this a false alarm?
  • Is this behaviour known for this client, asset, or user?
  • What activity caused this alert to trigger?
  • Is this normal, the result of an error, or the work of a malicious actor?

The questions change with the use case. If the alert is that a device has stopped sending logs, the analyst would instead ask:

  • What is the log activity baseline for this device over the last 30 days?
  • Is the entire log source silent, or just this specific host?
  • Do the last few logs point to the cause, such as a manual shutdown for decommissioning or maintenance work?
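The three questions above, worked as an added Python example (not Excellium's tooling): over a constructed set of log records it computes a 30-day per-host baseline, decides whether a whole log source or only one host has gone quiet, and scans the silent host's last messages for a planned-outage hint. The record layout, the six-hour "quiet" threshold and the keyword list are assumptions.

```python
"""Triage helper for a 'device has stopped sending logs' alert.

Added example, not Excellium's code. Records are (timestamp, log_source,
host, message) tuples; the sample set below is constructed inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 15, 9, 0, 0)      # assumed alert time
BASELINE_DAYS = 30                         # window the analyst compares against
QUIET_AFTER = timedelta(hours=6)           # assumed 'not sending data' threshold
CAUSE_HINTS = ("shutdown", "maintenance", "decommission", "reboot")  # assumed


def sample_records(now=NOW):
    """Constructed data: hourly events for 30 days from two log sources.
    fw-02 goes quiet ~8h before `now` after a maintenance shutdown message;
    every host of the 'proxy' source goes quiet 12h before `now`."""
    recs = []
    start = now - timedelta(days=BASELINE_DAYS)
    for h in range(BASELINE_DAYS * 24):
        ts = start + timedelta(hours=h)
        for host in ("fw-01", "fw-02"):
            if host == "fw-02" and ts > now - timedelta(hours=8):
                continue
            recs.append((ts, "firewall", host, "ACCEPT tcp 10.0.0.5 -> 10.0.1.9:443"))
        for host in ("proxy-01", "proxy-02"):
            if ts > now - timedelta(hours=12):
                continue
            recs.append((ts, "proxy", host, "GET http://intranet.example.test/ 200"))
    recs.append((now - timedelta(hours=7, minutes=59), "firewall", "fw-02",
                 "system: shutdown requested by admin (maintenance window)"))
    return sorted(recs)


def baseline(records, now=NOW, days=BASELINE_DAYS):
    """Mean events per day per (source, host) over the last `days` days."""
    counts = defaultdict(int)
    since = now - timedelta(days=days)
    for ts, src, host, _ in records:
        if since <= ts <= now:
            counts[(src, host)] += 1
    return {key: n / days for key, n in counts.items()}


def last_seen(records):
    """Most recent timestamp per (source, host)."""
    seen = {}
    for ts, src, host, _ in records:
        if ts > seen.get((src, host), datetime.min):
            seen[(src, host)] = ts
    return seen


def probable_cause(messages, hints=CAUSE_HINTS):
    """Return the most recent message that hints at a planned outage, if any."""
    for msg in reversed(messages):
        if any(word in msg.lower() for word in hints):
            return msg
    return None


def triage(records, now=NOW, quiet=QUIET_AFTER):
    """Per log source: which hosts are silent, whether the whole source is,
    their last three messages, and any planned-outage hint in them."""
    base, seen = baseline(records, now), last_seen(records)
    hosts_by_source = defaultdict(set)
    for src, host in seen:
        hosts_by_source[src].add(host)
    findings = {}
    for src, hosts in hosts_by_source.items():
        # A host that normally sends nothing is not 'silent', just unused.
        silent = {h for h in hosts
                  if base.get((src, h), 0) > 0 and now - seen[(src, h)] > quiet}
        if not silent:
            continue
        tails = {h: [m for ts, s, hh, m in records if s == src and hh == h][-3:]
                 for h in silent}
        findings[src] = {
            "scope": "entire log source" if silent == hosts else "specific host(s)",
            "silent_hosts": sorted(silent),
            "baseline_per_day": {h: round(base[(src, h)], 1) for h in sorted(silent)},
            "last_logs": tails,
            "probable_cause": {h: probable_cause(t) for h, t in tails.items()},
        }
    return findings


if __name__ == "__main__":
    for src, f in triage(sample_records()).items():
        print(src, f["scope"], f["silent_hosts"], f["probable_cause"])
```

On the constructed data the firewall source reports one specific silent host (fw-02) whose last message is the maintenance shutdown, while the proxy source reports the entire log source silent with no hint in the last logs, which is the case that needs an escalation to the client.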

The answers to these questions lead the analyst to classify the alert as a true positive (TP), benign true positive (B-TP), or false positive (FP). A true positive is correctly identified malicious activity, such as an exploit execution attempt from an employee workstation. A false positive is activity that is incorrectly identified as malicious but is actually normal, such as the company's communications lead being flagged for data exfiltration when they are uploading marketing material to social media. Finally, a B-TP indicates that the activity has been correctly identified but the context is not malicious, so there is no real threat. To reuse the previous example, the exploit execution could be performed by a penetration tester who is paid by the company to assess its defences and meet compliance needs.

When an analyst finds a true positive, the case is typically escalated to the customer by creating a ticket on our Customer Care Portal, an Information Technology Service Management (ITSM) tool that sends an email notification to all designated stakeholders. The platform provides a secure means for Excellium and its clients to communicate and work together to resolve the incident. For cases where the activity found can have a serious impact on the customer's infrastructure, the analyst performs a high-priority escalation, directly contacting a designated on-call individual (or a further individual if the first contact is unavailable), depending on the time of day.

At external CSOCs, the customer's security team is responsible for conducting the bulk of the investigation once an escalation occurs. At Excellium Services, where the analyst is empowered to conduct the entire investigative process, escalation occurs only when they are unable to complete the process themselves. This happens for one of two reasons: the analyst either lacks the necessary access or lacks the necessary context to reach a definitive conclusion. In the previous example of a device that stopped sending logs, this could be because the analyst account has no direct access to that device's logs, since they contain highly sensitive data, so the analyst cannot check its status; or because Excellium was not in the communication loop for that device's maintenance.

Although the standard investigative process may appear to be a repetitive, mechanical process better suited to a robot than a human, the true value of a human analyst becomes clear as they gain confidence with the use cases and the customer's SIEM (Security Information and Event Management) infrastructure. This added value is manifested primarily in their ability to comprehend, master, and deviate from the standard investigation path in order to produce more precise and succinct case resolutions. This ultimately pleases client-side stakeholders, ranging from engineers looking to quickly resolve escalated incidents to auditors scrutinizing the service.

This is the core of an analyst's role in the Excellium CSOC; the rest consists of administration, service improvement, troubleshooting, and customer communication.

The Investigatory Process

Following notification, the analyst moves on to investigate the log activity that generated the alert. For this particular use case, they gather relevant fields such as:

  • The username and source IP, to determine where the attempt came from;
  • The time of the activity and the log source, to aid any investigation that happens afterward;
  • The HTTP method, response code, and filter result, to determine the nature of the request sent to the website and whether the activity was blocked;
  • And finally, the website URL and destination IP, which are run through Threat Intelligence.

Excellium Services' Threat Intelligence platform is an internally developed and maintained security platform that stores evidence-based information, commonly referred to as Indicators of Compromise (IoC), on security incidents from around the world, ranging from the IP of a C&C server used by ransomware actors in Thailand to a malicious URL found in a phishing campaign against the medical sector. Analysts use it primarily as a one-stop destination for assessing a threat, given the vast amount of information it makes accessible and its built-in functionality for converting that information into intelligence, bolstered by guidance from trusted security stakeholders.

For example, one function of the platform allows for the detection of the popular QBot malware, which in recent times has been targeting the banking sector. The malware, which finds its way onto a target's computer by means of an infected Word document delivered to a user by email, performs a web request to a C&C server to download a malicious payload and run it. Our Threat Intelligence holds the names and IPs of the various C&C servers and flags the activity for review by an analyst, who within minutes is checking the device logs. Upon validation of this true positive, the analyst immediately escalates to notify the client-side security team and prompt them to act; given the immediate danger posed by such activity, the analyst also directly contacts the client's designated on-call security specialist to warn them of the ongoing threat.
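The field extraction listed under "The Investigatory Process" and the Threat Intelligence lookup described in the QBot example, combined in one added Python example (not Excellium's platform or log format): it parses constructed key=value proxy log lines into the fields the analyst collects, checks the URL host and destination IP against a constructed IoC table, and ranks an allowed request to a known-bad host above a blocked one. The log format, the field names, the IoC entries and the priority rule are all assumptions.

```python
"""Proxy-log triage: pull out the fields an analyst collects for a web
request alert, then check the URL host and destination IP against an IoC
table and rank the result.

Added example, not Excellium's platform. The key=value log format, the
field names and the IoC entries are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines (field names are assumptions, not a real product's).
SAMPLE_LOGS = """\
ts=2024-03-15T08:01:12Z src=10.20.1.45 user=jdoe method=GET url=http://www.example.test/index.html dst=198.51.100.7 status=200 filter=allowed
ts=2024-03-15T08:02:03Z src=10.20.1.45 user=jdoe method=POST url=http://update-check.invalid/dl/payload.bin dst=203.0.113.17 status=403 filter=blocked
ts=2024-03-15T08:02:10Z src=10.20.1.46 user=asmith method=GET url=https://mail.example.test/ dst=192.0.2.10 status=200 filter=allowed
ts=2024-03-15T08:03:44Z src=10.20.1.46 user=asmith method=GET url=http://203.0.113.99/a.exe dst=203.0.113.99 status=200 filter=allowed
"""

# Constructed IoC table standing in for the threat-intelligence platform.
IOC = {
    "domain": {"update-check.invalid": "constructed: loader C&C"},
    "ip": {"203.0.113.99": "constructed: malware download host"},
    "cidr": {"203.0.113.0/24": "constructed: hostile range"},
}

KV = re.compile(r"(\w+)=(\S+)")   # enough for the sample; real logs need the vendor's parser


@dataclass
class ProxyEvent:
    ts: datetime
    log_source: str
    user: str
    src_ip: str
    method: str
    url: str
    host: str
    dst_ip: str
    status: int
    blocked: bool


def parse_line(line, log_source="proxy"):
    """Extract the fields listed in the text from one key=value log line."""
    f = dict(KV.findall(line))
    return ProxyEvent(
        ts=datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        log_source=log_source,
        user=f["user"], src_ip=f["src"], method=f["method"], url=f["url"],
        host=(urlsplit(f["url"]).hostname or ""),
        dst_ip=f["dst"], status=int(f["status"]),
        blocked=(f["filter"] == "blocked"),
    )


def ioc_lookup(ev, ioc=IOC):
    """Match URL host against domain IoCs, destination IP against IP and CIDR IoCs."""
    hits = []
    if ev.host in ioc["domain"]:
        hits.append(("domain", ev.host, ioc["domain"][ev.host]))
    if ev.dst_ip in ioc["ip"]:
        hits.append(("ip", ev.dst_ip, ioc["ip"][ev.dst_ip]))
    addr = ipaddress.ip_address(ev.dst_ip)
    for net, label in ioc["cidr"].items():
        if addr in ipaddress.ip_network(net):
            hits.append(("cidr", net, label))
    return hits


def triage(log_text, ioc=IOC):
    """One summary per line with an IoC hit. An allowed request that reached
    a known-bad host is the urgent case; a blocked one still shows the host
    tried and is worth reporting, but with lower priority."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        hits = ioc_lookup(ev, ioc)
        if not hits:
            continue
        reached = not ev.blocked and ev.status < 400
        findings.append({
            "time": ev.ts.isoformat(), "log_source": ev.log_source,
            "user": ev.user, "src_ip": ev.src_ip, "dst_ip": ev.dst_ip,
            "method": ev.method, "url": ev.url, "status": ev.status,
            "blocked": ev.blocked, "hits": hits,
            "priority": "high" if reached else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f["priority"], f["user"], f["src_ip"], "->", f["url"], [h[2] for h in f["hits"]])
```

On the sample, jdoe's POST to the IoC-listed domain was blocked by the filter (reported at medium priority, since the workstation still tried to reach it and should be checked), while asmith's allowed download from the IoC-listed IP is the high-priority case that would go straight to the on-call contact.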

Although rare, this is a high-priority true positive alert and one of the more dangerous circumstances; it would typically entail engaging Excellium's Cyber Security Incident Response Team (CSIRT), who would take direct control of managing the alert, which only at this point has evolved into a security incident.

Over time, the analyst role at Excellium is evolving towards being able to respond immediately to the threats observed, with the intention of reducing escalations, and thus the operational load on the client side, as well as the impact of malicious activity. As of this writing, a current example is temporarily blocking external IPs that are performing malicious actions, and the CSOC is working on developing new countermeasure-based services such as account disablement or workstation isolation, using processes defined with Endpoint Detection and Response (EDR), Security Orchestration, Automation and Response (SOAR), and of course our customers.

Conclusion

To conclude, level 1 analysts serve as the backbone and the first line of defence of the Cyber Security Operations Centre, performing the bulk of data processing to ensure the lowest impact on the confidentiality, availability, and integrity of the client's systems in ways automation cannot. It is a dynamic role that requires flexibility and a multitude of technical and soft skills to deliver consistent performance across the various infrastructures, which can only be gained through Excellium's dedication to the personal and practical development of its analyst team.

Author

Liam Kirsten
