Ruslan Rakhmetov, Security Vision
Last time we looked at the basic skills that help analysts develop in this field; in this article we discuss the technical knowledge that makes SOC (Security Operations Centre) employees real Swiss army knives of security. As in the previous part of the review, we propose to divide this knowledge by area: network technologies, logs and logging, operating systems and scripting.
Networking skills help the analyst understand how the network is structured, how it works, and what happens within it. This knowledge is necessary to effectively protect networks from cyber threats, identify anomalies, and respond to incidents. Let's take a closer look at each of the components.
The OSI (Open Systems Interconnection) model is a framework that describes how data is transmitted across a network through separate layers that work together to transport data from one device to another. A few years ago we looked at the OSI model, focusing on layers 3 and 4, but this time we will look at all seven layers in detail:
1) The lowest layer is the physical layer. It is responsible for transferring data through physical media (cables or radio waves). In real life, it is like a railway: trains move along the tracks the way data moves over physical cables;
2) The data link layer, in which data is broken down into frames and transmitted over a communication channel. It is like freight moving between stations: each wagon has to be delivered to the right station, and afterwards the cargo is reassembled, just as data is reassembled from frames;
3) The network layer is responsible for routing data across the network. It is like a navigator who decides the fastest way to get a parcel from the sender to the addressee, only instead of navigating a city map, IP routing is provided for the data;
4) The transport layer ensures reliable data transfer. It is like a delivery service, which guarantees that the parcel will be delivered at the right time and in one piece, for which TCP and UDP protocols are used;
5) The session layer establishes, maintains and terminates communication sessions between devices. It is like a phone call between people: you need to start the conversation, keep the line open while there is something to talk about, and when the conversation is over, end the call;
6) The presentation layer is responsible for data transformation, such as compression or encryption. Imagine that before dispatch a parcel was wrapped in bubble wrap to protect the contents from drops, or that the excess air was pumped out of a vacuum bag holding a huge blanket, reducing its size;
7) The application layer is where applications, web browsers, email clients, and other programs that interact with the network run.
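To make the layering concrete, here is an added example (not code from the original article or from Security Vision) that peels one constructed Ethernet frame apart layer by layer: the data link header (MAC addresses), the network header (IP addresses), the transport header (TCP ports and flags), and finally the application-layer payload. The MAC addresses, documentation-range IP addresses and the HTTP request inside are all constructed sample values, and the checksums are left as zero.

```python
import struct
from dataclasses import dataclass, field

# Constructed sample values (not a captured packet): hypothetical MACs and
# documentation-range IP addresses; IP and TCP checksums are left as zero.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


@dataclass
class DecodedFrame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    flags: list = field(default_factory=list)
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> DecodedFrame:
    """Peel an Ethernet II / IPv4 / TCP frame apart (OSI layers 2-4);
    whatever follows the TCP header is the application-layer payload."""
    # Layer 2 (data link): 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, EtherType 0x{ethertype:04x}")

    # Layer 3 (network): IPv4 header; IHL is the header length in 32-bit words
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    protocol = ip[9]
    src_ip, dst_ip = _ipv4(ip[12:16]), _ipv4(ip[16:20])
    if protocol != 6:
        raise ValueError(f"not TCP, IP protocol {protocol}")

    # Layer 4 (transport): TCP header; data offset is the header length in 32-bit words
    tcp = ip[ihl:total_len]
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]

    # Everything after the TCP header belongs to layers 5-7
    return DecodedFrame(_mac(src_mac), _mac(dst_mac), ethertype, src_ip, dst_ip,
                        protocol, src_port, dst_port, flags, tcp[data_offset:])


def build_sample_frame() -> bytes:
    """Assemble a constructed HTTP request inside TCP inside IPv4 inside Ethernet."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: sport 40000, dport 80, seq 1, ack 1, offset 5 words + PSH|ACK (0x18), window, csum, urg
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    # IPv4: version 4 / IHL 5, TOS 0, total length, ID, DF flag, TTL 64, protocol 6 (TCP), csum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80]))
    # Ethernet II: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

Reading the result top to bottom reproduces the layer order from the list above: the switch only needs the MAC addresses, the router only needs the IP addresses, the endpoint's TCP stack needs the ports and flags, and only the web server ever looks at the `GET` line.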
Network protocols are like the rules of the road for data transmission over a network: they ensure that data is transmitted and delivered intact:
a) TCP/IP (Transmission Control Protocol and Internet Protocol), the core set of protocols that ensure that data is transmitted over the Internet (TCP ensures that all data reaches in the correct order, and IP is responsible for routing packets through the network, allowing them to find their way from one device to another);
b) HTTP (Hyper-Text Transfer Protocol) makes websites work and is responsible for transferring data between the web browser and the server (e.g. when you open our website, the browser sends an HTTP request and the server returns a page with the current text);
c) DNS (Domain Name System) is a kind of ‘phone book’ for the Internet that translates the name of a website (e.g. securityvision.ru) into an IP address so that the computer knows where to send the request;
d) DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to devices on the network so they can communicate. This is similar to registering for a conference where each participant is given a unique badge to identify themselves.
In addition to data layers, links, and protocols, network knowledge includes an understanding of devices and topologies, which helps the SOC analyst determine how data flows through the network and where attacks or failures may occur (network devices and topologies are like the infrastructure of a city: roads, intersections, and traffic lights. The analyst needs to understand how it all works in order to identify threats).
- Basic devices include routers, which act like a dispatcher that tells data packets where to go (e.g., your home router sends requests to websites through your ISP), switches, which connect devices within the same network (e.g., computers in an office), and firewalls, which act like gatekeepers that decide what data may enter or leave the network.
- Network topologies are diagrams that show how devices are connected together, such as star, where all devices are connected to one central switch or router (like smart home devices connected to a single speaker for voice control), or bus, where all devices share one common communication line.
The pinnacle of network knowledge for a good security professional is the ability to analyse network traffic. While normal traffic consists of standard requests (accessing websites, sending emails or downloading files), abnormal traffic can be, for example, a suspicious data stream that points to an attack. If the same IP address starts sending a large number of requests to a server, this could be a sign of a DDoS attack. Or, if a user's computer suddenly starts sending data to unknown servers, it could be a sign of a compromise.
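The two anomalies just described can be expressed as simple checks over flow records. The following is an added example, not code from the original article: it runs over a constructed set of flow tuples (source, destination, destination port, bytes sent), counts requests per source/destination pair to spot one address hammering a server, and flags internal hosts that push a large volume of data to external addresses outside an assumed allow-list. The corporate range `10.0.0.0/8`, the allow-list and the thresholds are assumptions for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not captured traffic): (src_ip, dst_ip, dst_port, bytes_sent).
# Documentation-range addresses stand in for real hosts.
SAMPLE_FLOWS = (
    [("10.0.0.5", "198.51.100.80", 443, 1_200)] * 3          # ordinary browsing
    + [("203.0.113.7", "198.51.100.80", 443, 300)] * 30      # one source hammering a server
    + [("10.0.0.9", "192.0.2.200", 4444, 5_000_000)]         # internal host pushing data out
)
INTERNAL_NET = ip_network("10.0.0.0/8")    # assumed corporate range
KNOWN_EXTERNAL = {"198.51.100.80"}          # assumed allow-list of expected external servers


def find_request_floods(flows, threshold=20):
    """Source/destination pairs with at least `threshold` flows in the analysed window."""
    counts = Counter((src, dst) for src, dst, _port, _nbytes in flows)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def find_unknown_destinations(flows, known=KNOWN_EXTERNAL, internal=INTERNAL_NET,
                              min_bytes=1_000_000):
    """Internal hosts sending `min_bytes` or more to external addresses not on the allow-list."""
    sent = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if ip_address(src) in internal and ip_address(dst) not in internal and dst not in known:
            sent[(src, dst, port)] += nbytes
    return {key: total for key, total in sent.items() if total >= min_bytes}


def triage(flows):
    """Human-readable findings an analyst could paste into a ticket."""
    findings = []
    for (src, dst), n in find_request_floods(flows).items():
        findings.append(f"possible flood: {src} -> {dst}, {n} requests")
    for (src, dst, port), total in find_unknown_destinations(flows).items():
        findings.append(f"unexpected outbound transfer: {src} -> {dst}:{port}, {total} bytes")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

The thresholds are deliberately the weak point: on a real network they must be tuned per service (a busy web server sees far more than 20 requests from one client), and the allow-list must be maintained, otherwise the second check drowns the analyst in false positives.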
The SOC analyst must have a good understanding of how the two key operating systems, Windows and Linux, work. This is necessary to effectively analyse logs, work with the systems and identify potential threats.
Logs (log files) contain records of events that occur on a system or device and help identify security incidents. Different systems and devices use different log formats:
On Linux, syslog records events in several files, such as:
- /var/log/syslog is the main system log that records the events of all processes on the system;
- /var/log/auth.log contains events related to authentication, such as successful and failed login attempts;
- /var/log/kern.log is the system's kernel log, where you can see errors and messages related to drivers and hardware.
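As an added example (not code from the original article), here is what reading /var/log/auth.log looks like in practice: a parser for sshd lines, a count of failed logins per source address, and a check for the pattern an analyst cares about most, a successful login from a source that had just failed several times. The log excerpt is constructed, the host name `srv01` and the addresses are sample values, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed /var/log/auth.log excerpt (not from a real host): a password-guessing
# run from 203.0.113.7 that ends in a successful login, plus one normal key login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 srv01 sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 10:15:04 srv01 sshd[1203]: Failed password for bob from 203.0.113.7 port 51124 ssh2
Mar  3 10:15:05 srv01 sshd[1210]: Accepted publickey for alice from 10.0.0.5 port 50010 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:15:06 srv01 sshd[1204]: Failed password for bob from 203.0.113.7 port 51125 ssh2
Mar  3 10:15:08 srv01 sshd[1205]: Failed password for bob from 203.0.113.7 port 51126 ssh2
Mar  3 10:15:09 srv01 sshd[1206]: Accepted password for bob from 203.0.113.7 port 51127 ssh2
Mar  3 10:15:10 srv01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the sshd "Failed ... for ..." and "Accepted ... for ..." line shapes
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Turn sshd lines into dicts; lines from other daemons (cron, sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_source(events, threshold=3):
    """Source addresses with at least `threshold` failed attempts."""
    fails = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src: n for src, n in fails.items() if n >= threshold}


def success_after_failures(events, threshold=3):
    """Accepted logins from a source that had already failed `threshold` or more times."""
    fails = Counter()
    hits = []
    for e in events:                      # file order is time order for a single host
        if e["result"] == "Failed":
            fails[e["src"]] += 1
        elif fails[e["src"]] >= threshold:
            hits.append((e["ts"], e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures by source:", failed_logins_by_source(parsed))
    print("success after failures:", success_after_failures(parsed))
```

The second check is the one worth alerting on: a burst of failures alone is background noise on any Internet-facing host, but a failure burst followed by an accepted login from the same source is the trace of a guess that worked and should go straight to incident response.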
Windows Event Log contains events divided into categories, for example:
- in the Security section, an analyst might see that someone tried to log in under a different user name;
- the System section records system errors and warnings, so if the system crashes or an important process fails, this will be recorded;
- the Application section holds the logs of programs: when an application reports an error or behaves abnormally, you can see it here.
You can think of operating system logs as a general notebook that records all events from process startup to network services, but technically it's more like a database of all activities (from user logins to software errors).
Network devices such as firewalls and routers also keep logs. Because they control and direct network traffic according to the rules we described above, their logs are important for detecting network threats. In these logs, you can see successful and unsuccessful connection attempts, blocked IP addresses that may have attempted an attack, attempts to use forbidden ports or protocols, routing history of data packets, attempts to redirect traffic to suspicious addresses (such as the man-in-the-middle attack we described in our review of DLP and IPS class systems), and failures or delays in data transmission (which could indicate a DDoS attack).
In addition to operating systems and network devices, applications and servers also keep logs that can be a source of information about attacks. Web server logs (Apache, Nginx, etc.) contain records of all requests, including suspicious ones (which may be SQL injection attempts or XSS attacks) and unusual IP addresses that send many requests (a possible sign that a DDoS attack is being prepared). Database logs may show attempts at unauthorised access to data (which violates the confidentiality principle from the first part of the review) and query errors (typical, for example, of SQL injection attacks).
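The following added example (not code from the original article) shows how a SOC analyst would triage a web server log: it parses constructed Apache/Nginx combined-format lines, URL-decodes each request path and checks it against a few textbook injection and script-tag signatures, and counts 5xx responses per client, since query errors often surface as server errors during injection attempts. The log lines, addresses and the signature set are constructed for the example; a production deployment would rely on a maintained WAF or IDS rule set rather than this handful of patterns. Request-rate counting per IP is not repeated here because the flow example earlier on this page already demonstrates it.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache/Nginx combined-format lines (not from a real server).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:10:15:02 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "curl/8.0"
203.0.113.7 - - [03/Mar/2024:10:15:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.5 - - [03/Mar/2024:10:15:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Simple signature heuristics over the URL-decoded path; enough to triage, not to defend.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
}


def parse_access_log(text):
    """Parse combined-format lines into dicts with an int status and a decoded path."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["decoded_path"] = unquote_plus(rec["path"])   # decode before matching
            records.append(rec)
    return records


def suspicious_requests(records):
    """Requests whose decoded path matches one of the signatures."""
    findings = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["decoded_path"]):
                findings.append({"ip": rec["ip"], "path": rec["decoded_path"],
                                 "status": rec["status"], "reason": name})
    return findings


def server_errors_by_ip(records):
    """5xx responses per client; a spike alongside signature hits strengthens the case."""
    return Counter(r["ip"] for r in records if 500 <= r["status"] < 600)


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for hit in suspicious_requests(recs):
        print(hit)
    print("5xx by client:", dict(server_errors_by_ip(recs)))
```

Decoding the path before matching matters: the signatures would miss `%27%20OR%201%3D1` in its raw form, which is exactly why an attacker encodes it, and why the same decoding step has to precede any pattern matching in a real detection pipeline.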
The SOC analyst, like a detective, must be able to read and analyse logs from various sources: operating systems, network devices, applications and servers. He or she is not just looking for bugs, but for traces of possible attacks and anomalies in order to detect and prevent threats in time.
Knowledge of shells and scripting languages for automation (e.g. PowerShell on Windows systems and SSH on Linux) will be a huge plus in the job.
Thus, the skills of a top-notch SOC analyst include not only knowledge of cybersecurity principles and of attackers' techniques and tactics, but also an understanding of operating systems, knowledge of virtualisation and cloud technologies, data transmission methods, and the principles of the devices that are connected in topologies and constantly exchange information with each other. While these devices keep companies running and make our daily lives pleasant with constant access to the network, analysts in cybersecurity centres face a huge number of challenges, such as a shortage of colleagues and a huge flow of events. Therefore, we propose to automate everything we can, making their work not only easier but also better by freeing them to focus on complex and creative tasks.