Table of Contents
SOC in My Pocket (SOCIMP) is my very first and flagship cybersecurity project so far. This basic SOC project is designed for Security and SOC Analysts, centered around the core pillars of People, Process, and Technologies (PPT) – the foundation of effective SOC operations.
By focusing on adversaries' Tactics, Techniques, and Procedures (TTPs) for threat detection and response, SOCIMP helps me learn how to proactively defend against complex cyber threats.
With its advanced monitoring, automation, and response capabilities, this SOC setup showcases my knowledge of cybersecurity and reflects my vision of a safer digital world for everyone.
2 THINGS: ME AND A DEDICATED WORKSTATION
Since SOCIMP includes essential SOC components designed to deliver comprehensive cybersecurity operations:
-
SIEM: The Elastic Stack is my SIEM solution of choice. All logs and data sources (Workstations, Servers, Firewalls, Web Applications, etc.) are forwarded into the Elastic Stack and centrally managed through a Fleet Server.
-
EDR: Elastic Agent, integrated with Elastic Defend, provides robust endpoint detection and response (EDR) capabilities that work seamlessly within the Elastic ecosystem.
-
SOAR: Tools like Shuffle, TheHive, and Cortex offer high levels of automation, flexibility, and extensive integration across various components for streamlined security operations and incident response.
-
TIP: MISP is a powerful threat intelligence platform that integrates smoothly with TheHive and Cortex for effective incident enrichment. OpenCTI enhances this with visually rich dashboards and multiple connectors to gather comprehensive threat intelligence data.
-
Firewall: I opted for OPNSense, which offers a user-friendly dashboard, advanced traffic inspection, and a variety of built-in security features to protect the network.
You might be wondering: Where is the Vulnerability Management like Tenable, Qualys, or OpenVAS? While these tools are important, my current focus is on gaining in-depth experience with incident analysis and hands-on practice using the tools mentioned above.
To serve those things, the SOCIMP project is built on a Workstation powered by:
- CPU: Intel Xeon (18 cores / 36 threads)
- RAM: 96 GB
- Storage: 1 TB SSD
This infrastructure hosts multiple VMs and containers, ensuring scalability and performance across all SOC components.
For adversary emulation, I chose to use Atomic Red Team. It’s lightweight, portable, and allows me to quickly test my environment. And i also used Parrot-OS
In the future, I may also explore Caldera for more advanced adversary simulation capabilities.
For incident response, I rely on the well-structured NIST Framework to handle security incidents effectively. This framework provides a standardized approach, ensuring a thorough and consistent response to potential security threats. Four main stages of the NIST Incident Response Lifecycle:
-
Preparation – Establishing and maintaining an incident response capability. This involves creating an incident response policy, identifying resources, and training the response team.
-
Detection and Analysis – Monitoring systems to detect suspicious activities and analyzing potential incidents. This stage focuses on identifying and validating incidents accurately to minimize false positives.
-
Containment, Eradication, and Recovery – Limiting the impact of the incident, eliminating the root cause, and restoring systems to normal operation. This stage is crucial for controlling the spread and impact of the incident on the organization.
-
Post-Incident Activity – Learning from the incident to improve future responses. This involves documenting the incident, conducting a post-mortem analysis, and updating policies and procedures.
See more details on NIST Framework Incident Response.
In the SOCIMP project, I will guide you through all stages, starting with installation notes, followed by the deployment where i config and integrate all components, preparation for adversary emulation, and threat hunting, analysis, response to security incidents (blue teaming).
This project will also cover future development plans.
- Installation Notes: My setup processes, challenges encountered, and troubleshooting techniques for various components.
- Deployment: Procedures for deploying and integrating tools to create a functional SOC infrastructure.
- Adversary Emulation: How i setting up adversary environments, building attack plans, and replicating real-world behaviors using the MITRE ATT&CK Framework.
- Blue Teaming: Processes for monitoring alerts, detecting threats, and responding to incidents. This is the location that you might need to see since its the main part of my project and also WHY I'M HERE !
Pham Thanh Sang - @telegram - sang3112002@gmail.com
My Projects:
My Blog site: https://phamthanhsang-cs.site/