SOC Diaries Article 1
Effective Communication Management for SOC (Security Operations Centre)
Audience of this Article: Mid Level Cyber Security audience, Security Operations Team, Cybersecurity Researchers and Security Consultants.
The topic being discussed: SOC Operations communication and attack scenarios.
Recently, I came across an article requesting feedback on the topic: “You’re facing a network security breach. How do you engage stakeholders effectively in the response process?” This inspired me to dive deeper into this critical topic and share my thoughts on stakeholder engagement during a breach response via my Substack and Medium channel, “SOC Diaries”. Here I share my views based on experience.
I have tried to explain this by aligning with the MITRE ATT&CK framework, which is focused on this area of threat detection and directly supports the effective communication strategies that are the need of the hour for handling evolving security threats.
It is important to address both technical and non-technical audiences at all levels, including senior management. Some might not agree with notifying senior management (the board), but unless the board is involved, all efforts to protect and mitigate are a waste of valuable resources.
My examples are aligned with the telecom domain (please excuse any mistakes); the TTPs explained below are just examples, describe hypothetical situations and do not correspond to any live attack.
This is addressed in four strategic phases:
- At an initial incident detection
- During Threat Analysis and Containment
- Stakeholder Impact briefings
- Recovery Briefings
Detailed views:
1. Initial Notification & Incident Categorization
ATT&CK Tactics: Initial Access (TA0001)
- Scenario: A malicious actor attempts to gain access via a spearphishing attachment (T1566.001).
- Typical Action by the SOC team: The Security Operations Centre detects an abnormal email with a malicious attachment, which triggers alerts. The incident is categorized as a potential phishing attack targeting network administrators.
- Stakeholder Engagement and Communication: Notify the necessary stakeholders, including the CISO, IT leadership, and telecom operational managers, about the detection. The SOC provides an initial threat report outlining the suspicious email and its potential impact on critical systems (e.g., network infrastructure components).
2. Threat Analysis & Containment
ATT&CK Tactics: Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004)
- Scenario: The attacker executes malicious code and establishes persistence by using Create Account (T1136.001) or leveraging Service Execution (T1569.002) to maintain control over the telecom network.
- Typical Action by SOC: The SOC identifies and analyses suspicious account creation on critical servers. This action maps to ATT&CK behaviours associated with maintaining persistence and escalating privileges in the system.
- Stakeholder Engagement and Communication: The SOC briefs network engineers and system admins about the observed behaviours; Security Engineering is also informed, and immediate steps to contain the incident are recommended (e.g., disabling newly created accounts, halting critical services). Regular updates are provided to executive stakeholders on how the attacker is moving within the network.
3. Stakeholder Impact Briefings
ATT&CK Tactics: Impact (TA0040)
- Scenario: The attacker attempts to disrupt operations by Encrypting Data (T1486) in critical billing systems or subscriber databases, aiming for ransomware-style impact.
- Typical Action by SOC: The SOC discovers encryption activities targeting customer-facing services (like billing or provisioning platforms). They quickly assess the scope and mitigate by isolating affected systems.
- Stakeholder Engagement and Communication: The SOC provides timely updates to security teams, management executives, representatives of the billing and provisioning teams, legal teams, and external partners (regulatory bodies, where investigation confirms a data breach). They use ATT&CK’s specific TTPs (e.g., T1486) to explain how the encryption was attempted and which systems were affected, ensuring that business and legal implications are well understood. A brief bulletin board for management or the board should also be rolled out at this stage to keep them posted.
4. Recovery Briefings for Recovery from Impact
ATT&CK Tactics: Recovery from Impact (TA0040)
- Scenario: The SOC completes containment, and affected services are ready for restoration. The recovery process involves resetting all impacted systems and validating integrity through forensic analysis to confirm the absence of backdoors.
- Typical Action by SOC: The SOC recommends restoring network services based on its analysis of the recovered systems, using Endpoint Detection & Response (EDR) tools and ATT&CK techniques to ensure no persistent threats remain. It prioritizes restoring services that directly affect customers, such as network availability for subscribers.
- Stakeholder Engagement and Communication: Coordinate with customer service or customer front-end teams to inform subscribers and customers about potential downtime. The SOC continues to work closely with security engineers to ensure service stability, providing recovery reports with ATT&CK-mapped indicators to executive management and legal teams. The board is informed of the efforts and measures taken to prevent a repeat incident.
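As an added example (not from the article), a small Python tracker that applies the four-phase plan above: it maps the ATT&CK tactic IDs seen in an incident to the phase reached, works out which stakeholder groups the plan says must already have been briefed, and produces an ATT&CK-mapped status line for the management bulletin. The tactic IDs are ATT&CK's; the phase and stakeholder mappings and the sample events are constructed from the sections above and are illustrative, not a standard.

```python
from dataclasses import dataclass, field

PHASES = ["initial_notification", "analysis_containment", "impact_briefing", "recovery"]
TACTIC_PHASE = {  # ATT&CK tactic ID -> communication phase it triggers (constructed mapping)
    "TA0001": "initial_notification",  # Initial Access
    "TA0002": "analysis_containment",  # Execution
    "TA0003": "analysis_containment",  # Persistence
    "TA0004": "analysis_containment",  # Privilege Escalation
    "TA0040": "impact_briefing",       # Impact
}
REQUIRED = {  # stakeholders that must have been briefed once a phase is reached (constructed)
    "initial_notification": {"CISO", "IT leadership", "telecom ops"},
    "analysis_containment": {"network engineering", "sysadmins", "security engineering", "executives"},
    "impact_briefing": {"billing/provisioning", "legal", "board"},
    "recovery": {"customer service", "executives", "legal", "board"},
}

@dataclass
class Incident:
    events: list = field(default_factory=list)  # (tactic_id, technique_id, asset) as detected
    briefed: set = field(default_factory=set)   # stakeholder groups already briefed
    data_breach_confirmed: bool = False         # set once investigation confirms a breach
    contained: bool = False                     # containment complete -> recovery phase

    def phase(self) -> str:
        """Highest phase reached so far; later phases imply the earlier ones."""
        idx = max((PHASES.index(TACTIC_PHASE[t]) for t, _, _ in self.events
                   if t in TACTIC_PHASE), default=-1)
        if self.contained:
            idx = PHASES.index("recovery")
        return PHASES[idx] if idx >= 0 else "none"
    def required(self) -> set:
        """Cumulative stakeholder set for every phase up to the current one."""
        cur = self.phase()
        if cur == "none":
            return set()
        req = set().union(*(REQUIRED[p] for p in PHASES[: PHASES.index(cur) + 1]))
        if self.data_breach_confirmed:  # regulators only once a breach is known from investigation
            req.add("regulator")
        return req
    def outstanding(self) -> set:  # briefings still owed: the SOC's communication to-do list
        return self.required() - self.briefed
    def bulletin(self) -> str:
        """One-line ATT&CK-mapped status suitable for the management bulletin board."""
        techniques = ",".join(sorted({tech for _, tech, _ in self.events}))
        assets = ",".join(sorted({a for _, _, a in self.events}))
        return (f"phase={self.phase()} techniques={techniques} assets={assets} "
                f"outstanding={','.join(sorted(self.outstanding()))}")
```

Feeding the tracker each new detection and each completed briefing keeps the outstanding set current, so the "who have we not told yet" question has an answer at every phase rather than only at the post-incident review.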
References:
https://en.wikipedia.org/wiki/Security_operations_center
https://attack.mitre.org/tactics/enterprise
https://attack.mitre.org/techniques/enterprise/
https://attack.mitre.org/mitigations/enterprise/
Please share your thoughts on the article at shaktigps@shreeatharvagyan.in