Ruslan Rakhmetov, Security Vision
The era of basic antivirus programs and firewalls is irrevocably a thing of the past, giving way to advanced detection tools and processes. The era of highly organized cybercrime, sponsored hacker groups, and automated malware campaigns has arrived: in an environment where the compromise of corporate data can lead to multimillion-dollar losses and reputational ruin, information security requires a centralized, structured, and continuous approach. The foundation of this approach is a specialized unit known as the Security Operations Center (SOC). Such a team is not just a group of system administrators but a high-tech command post operating 24/7, which combines advanced monitoring technologies, strictly regulated response processes and highly specialized analysts. This is what the present article is about.
Table of contents
1. Introduction
2. L1
3. L2
4. L3
5. Conclusion
Introduction
Traditionally, a SOC is built according to a hierarchical, pyramid-like model: its support lines directly resemble those of a classic technical support service. In the context of cybersecurity, however, the first, second, and third lines of a SOC form not just a ticket-routing system but a defense system in which each subsequent echelon has higher qualifications, deeper access to the infrastructure, and broader authority to take decisive action on incidents.

Pic 1.1 – Stages of an incident involving Security Vision products
Monitoring systems generate thousands, and sometimes millions, of events per day, so the difference between L1, L2, and L3 lies primarily in the scale of the tasks being solved, the depth of analysis, and the degree of proactivity. The whole point of this hierarchy is to use resources efficiently.
First-line (L1) SOC analyst
The work of a first-line analyst is characterized by intensity, stress, and strict procedures. The "eyes and ears" of the monitoring center, the organization's most important first line of defense, are confronted daily with a huge stream of incoming notifications (alerts) generated by firewalls, antivirus software and intrusion detection systems. The main and most frequent task at this level is continuous, real-time monitoring of the security consoles. The key process underlying the work of the first line is incident triage: the initial sorting of alerts and the screening out of false positives. Triage requires an analyst to evaluate an incoming security event in a matter of minutes, compare it with the context of the corporate network, and decide whether it reflects a legitimate user action. For example, did the system administrator enter the password incorrectly three times because of a typo, or was this the beginning of a brute-force attack?
It is like the work of a hospital emergency room, as shown so well in movies and TV shows. The term "triage" historically comes from military medicine, and the L1 SOC analyst is like a nurse in the waiting room: when a stream of patients arrives, the nurse does not perform complex neurosurgery; the task is to quickly measure temperature, pulse and blood pressure and assess the symptoms in order to separate those who came with a common seasonal cold (the cybersecurity equivalent of false positives) from those who have a heart attack or a severe injury (a critical incident). Patients with critical indicators are immediately stabilized using basic methods and handed over to a specialized intensive-care physician.
L1 analysts do not rely on intuition to accomplish their tasks. They mostly work according to ready-made instructions and playbooks. A playbook is a strictly regulated step-by-step algorithm of actions for standard, well-known incidents, which also makes it well suited to automation. The response scenario specifies which logs need to be checked, which employee to send a confirmation request to, and which IP addresses to block if the threat is confirmed.
The playbook works like an IKEA furniture assembly manual: it contains no theoretical calculations about the strength of materials or the properties of wood; it simply says: "Take part A, insert it into part B, tighten screw C with an 8 mm wrench". An L1 analyst following a high-quality playbook can successfully isolate an infected computer from the corporate network by simply following steps 1, 2 and 3, without needing a deep understanding of the architecture of the malicious code or of operating system memory. Moreover, thanks to the dynamic playbooks in Security Vision SOAR, the incident management process adapts to the incident. Triage also produces a false-positive assessment, a mapping of the incident to the techniques and tactics of the MITRE and FSTEC databases, a search for similar incidents, and recommendations at the various stages, including initial analysis.
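The triage decision from the failed-password example above, followed by the playbook lookup it triggers, as an added example that is not Security Vision's code or product logic: it groups constructed logon events by source, separates "a few failures followed by a success" from "many failures or many accounts in one window", and returns the playbook steps for the verdict. The thresholds, log format and step wording are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (added example, not Security Vision code): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.15 j.smith FAIL
2024-05-01T09:00:09 10.0.0.15 j.smith FAIL
2024-05-01T09:00:20 10.0.0.15 j.smith FAIL
2024-05-01T09:00:31 10.0.0.15 j.smith SUCCESS
2024-05-01T09:05:00 203.0.113.7 admin FAIL
2024-05-01T09:05:01 203.0.113.7 admin FAIL
2024-05-01T09:05:02 203.0.113.7 root FAIL
2024-05-01T09:05:03 203.0.113.7 j.smith FAIL
2024-05-01T09:05:04 203.0.113.7 backup FAIL
"""
# Thresholds are assumptions for the example; tune them per environment.
WINDOW = timedelta(minutes=5)
MAX_TYPO_FAILURES = 3     # a few failures followed by a success: most likely a typo
BRUTE_FORCE_FAILURES = 5  # this many in one window, or several accounts: brute force
# Playbook steps per verdict, in the order the analyst executes them.
PLAYBOOK = {
    "false_positive": ["close the alert as a false positive"],
    "suspicious": ["check the account's logon logs", "send a confirmation request to the account owner"],
    "brute_force": ["check the source's logon logs", "send confirmation requests to the targeted owners",
                    "block the source IP on the firewall", "escalate to L2"],
}

def parse(log):
    """Yield (timestamp, ip, account, result) tuples from the text log."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def triage(log):
    """Return {source_ip: (verdict, playbook_steps)} for every source that produced failures."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in parse(log):
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    verdicts = {}
    for ip, evs in fails.items():
        window = [e for e in evs if e[0] - evs[0][0] <= WINDOW]  # failures close to the first one
        accounts = {user for _, user in window}
        success_after = any(ts > window[-1][0] for ts, _ in successes[ip])
        verdict = "suspicious"
        if len(window) >= BRUTE_FORCE_FAILURES or len(accounts) > 1:
            verdict = "brute_force"
        elif len(window) <= MAX_TYPO_FAILURES and success_after:
            verdict = "false_positive"
        verdicts[ip] = (verdict, PLAYBOOK[verdict])
    return verdicts
```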
Second-line (L2) SOC analyst
The second-line analyst joins the work when an incident has already passed triage, has been confirmed as a real threat, and requires competencies beyond the standard scenario. This analyst performs in-depth analysis of confirmed incidents rather than their initial filtering. L2's main area of responsibility is the detailed investigation of incidents: the specialist must reconstruct a complete and reliable picture of the attack: how the attacker was able to penetrate the protected network, which vulnerabilities were exploited, which servers and workstations were compromised, and, most importantly, whether confidential corporate data was stolen or irreversibly altered.
If the L1 analyst is an ordinary patrol officer who was the first to respond to a car alarm, scared off the hooligans and cordoned off the scene, then L2 is a highly qualified detective. He does not do routine street patrols; he arrives at the scene of an already confirmed, complex crime. His task is to collect evidence, take fingerprints, interview witnesses, and seize and study hours of surveillance footage in order to meticulously reconstruct the chronology of events, understand the motives of the criminal group and identify the channel through which the stolen goods were sold. This is exactly what the second-line specialist does, except that instead of fingerprints he analyzes gigabytes of system logs and network traffic.
Having understood the scale of the damage, L2 develops and implements a containment strategy to stop the further spread of the threat across the network, and then coordinates the process of restoring the IT infrastructure to a known-good state. At this level, specialists are required to have fundamental knowledge of network protocols, operating system architecture, and the psychology of intruders, going far beyond standardized instructions.
Second-line analysts work like firefighters in breathing apparatus who drive straight into the epicenter of a disaster. Their primary task is to localize the fire, that is, to cut off its path to the neighboring floors (incident containment). They must then find the original source of the fire (root-cause investigation) and eliminate it completely while minimizing collateral water damage to the rest of the building (system restoration). The response process itself is also automated by the SOAR module, which uses the results of the first-line analysts' work and all available information security tools to manage the consequences.
Third-line (L3) SOC analyst
A third-line expert represents the cybersecurity elite within an organization: when an incident lands on his desk, it means that the company is facing an extraordinary, extremely complex, or completely new (zero-day) threat that neither the automated security systems nor the analysts of the first two lines could identify. L3 experts do not wait for alerts from the systems; they purposefully search the infrastructure for hidden and complex threats that were not detected automatically, a process called Threat Hunting.
While the triage nurses (L1) sort patients and the general practitioners (L2) treat the obvious, manifested symptoms of the disease (cough, fever), an L3 specialist is like an epidemiologist working in a sealed laboratory at the highest level of biological containment. He studies the mutations of a new virus in bats on the other side of the world in order to create a vaccine before the disease crosses his country's borders and a pandemic begins. He can also be compared to a professional oncologist looking for microscopic, hidden metastases that a routine ultrasound scan did not show, because he knows that if he waits for the pain to appear, it will be too late.
The analyst formulates a hypothesis based on global data about new cyber threats (Threat Intelligence, TI) and begins to "comb" the corporate network for the slightest atypical anomalies (User and Entity Behavior Analytics, UEBA), which may indicate that an attacker has been inside for a long time and is quietly collecting data. This makes it possible to drastically reduce the attacker's so-called dwell time on the network.
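One hypothesis-driven hunt of the kind described above, as an added example that is not Security Vision's code or UEBA implementation: each user's outbound upload volume is compared with that user's own baseline using a robust (median-based) deviation score, the first day that breaks the baseline is recorded, and the gap to the day of discovery gives the dwell time. The per-user daily figures, the baseline length and the threshold are constructed assumptions for the example.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample (added example, not Security Vision code): megabytes uploaded to
# external hosts per user per day over 14 days. Hypothesis under test: an attacker's quiet
# data-collection phase shows up as a sustained rise in one account's outbound volume.
START = date(2024, 5, 1)
BASELINE_DAYS = 7
DETECTED_ON = START + timedelta(days=13)   # the day the hunt was run
SAMPLE_UPLOADS = {
    "a.ivanov": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15],
    "p.petrov": [20, 18, 22, 19, 21, 20, 23, 95, 110, 120, 98, 130, 125, 140],
}

def robust_z(value, history):
    """Deviation from the user's own baseline in MAD units; a few past outliers do not skew it."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)

def hunt(uploads, threshold=6.0):
    """Return {user: first anomalous date} for users whose traffic breaks their own baseline."""
    findings = {}
    for user, series in uploads.items():
        history = list(series[:BASELINE_DAYS])
        for day, value in enumerate(series[BASELINE_DAYS:], start=BASELINE_DAYS):
            if robust_z(value, history) > threshold:
                findings[user] = START + timedelta(days=day)
                break
            history.append(value)  # grow the baseline only with days that looked normal
    return findings

def dwell_time(first_anomaly, detected_on=DETECTED_ON):
    """Days between the earliest evidence of attacker activity and its discovery."""
    return (detected_on - first_anomaly).days
```

The first anomalous day is a lower bound on how long the attacker has been present; the real dwell time is refined during the L2 investigation that follows.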
In addition, L3 experts handle architectural tasks: they develop new, highly complex event correlation rules for the monitoring systems, adapt the infrastructure to new types of attacks, and create training materials for L1 and L2 analysts. The most demanding cybersecurity work, which is also L3's exclusive area of responsibility, includes two highly complex technical disciplines: forensics and reverse engineering.
Digital forensics is a rigorous process of collecting, preserving, and analyzing the digital evidence that attackers leave on compromised servers. Experts take RAM dumps, copy the contents of hard drives byte by byte (so as not to change a single bit of information on the original) and recover deleted files. It is like the work of a crime scene investigator (CSI) at the scene of a serious crime: he does not catch the criminal with a gun in hand but carefully collects DNA samples and microscopic clothing fibers, casts shoe prints in plaster and searches for the smallest drops of blood that were washed away with bleach. From these invisible fragments he reconstructs the picture of the murder with millimeter accuracy.
This is done not only to understand how the compromise occurred, but also to build a legally admissible evidence base that can later be presented in an international court.
Reverse engineering is used when analysts encounter a completely new virus unknown to science. The defenders do not have the source code written by its programmer; there is only a compiled binary file (unreadable machine code). It is like a chef who comes to a famous restaurant, orders its signature, secret dish and, tasting it slowly, tries to break the finished dish down into its base ingredients by taste: how much salt is there, whether there is rosemary, how long the meat has been stewed. The goal is to recreate the recipe blindly, with only the final result in hand.
The L3 expert uses special disassembler programs to break the virus down into individual processor instructions and examines which command-and-control servers (C2) the virus contacts, which cryptographic algorithms it uses to encrypt the victim's files, and exactly how it bypasses antivirus protection. The result of this herculean work is the creation of an "antidote": the so-called indicators of compromise (IoC), which are then uploaded to security systems around the world, rendering the virus useless.
Conclusion
The difference between L1, L2, and L3 is not limited to employees' length of service; it is a fundamental difference in thinking, methodology, and tools. The responsibilities of SOC analysts are rigidly and logically stratified by level, and advanced tools such as those developed by Security Vision support them in their work. The synergy of advanced technologies, processes, and people with an analytical mindset and remarkable creative problem-solving abilities forms the three pillars on which effective incident management in a SOC is built.