Building SOC and CERT/CSIRT Teams

ComCERT, as the first commercial CERT in Poland, has expertise and experience in building and managing SOC and CSIRT/CERT units. We use these competences to support our Customers in building such units. The service consists in designing and implementing a SOC/CSIRT unit in the Customer’s environment. The project is implemented in a manner based on recognised industry standards taking all statutory requirements into account.
ComCERT analyses processes of cybersecurity monitoring and incident handling currently applicable at client’s organisation and moves to develop the concept of SOC.

SIM3 analysis/ Analiza SIM3

In the firsts stage of the project, ComCERT conducts an examination of the organisation’s maturity level in cybersecurity incident management using the SIM3 methodology. The use of this methodology enables an objective check whether structures responsible for incident management operate in accordance with the best standards and practices. A detailed report enables setting appropriate directions of development of a future or present SOC/CSIRT unit

FIRST analysis

The next step of the analytical stage is to complete questionnaires and conduct workshops based on a list of services provided by computer security incident response teams. This list is contained in the “FIRST CSIRT Framework – Computer Security Incident Response Team (CSIRT) Services Framework” document. This step enables determination of what services the newly formed team should provide.

MITRE analysis

In the final step, ComCERT conducts a workshop to jointly identify attack models that will be applicable to SOC operations. The application of the MAM in threat modelling also takes identification of links and flows between techniques spread across 12 tactics (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) into consideration. The advantage of this approach is that almost every successively analysed MAM technique has information on how a threat is detected (detection) and neutralised (mitigation).
Based on this analysis, ComCERT gains knowledge regarding the necessary response actions to a specific incident and what cybersecurity systems and data sources will be used to detect and neutralise an incident.

SOC/CSIRT Concept

Based on the information collected and analysed, ComCERT specialists can propose an organisational model for the SOC. It is presented in the form of a graphic diagram and adapted to the specific nature of the Customer’s organisation. In its methodology for building cybersecurity teams, ComCERT follows the best practices of MITRE, SANS, and ENISA. Once the high-level organisational diagram has been accepted, ComCERT SA proceeds to create descriptions of organisational units as well as tasks and services to be provided. The tasks at this stage of the SOC construction project include: defining the catalogue of the services to be provided by the SOC, defining the area of tasks covered by the SOC activity, and assigning tasks and services to SOC departments, including defining positions (functions and roles) necessary in particular departments, and defining scopes of tasks for these positions.

As part of building the SOC unit concept in an organisation, ComCERT develops or customises a set of SOC processes. It contains a definition of roles and responsibilities, a process diagram in BPMN notation, a description of activities to be performed within the process, required procedures and checklists as well as document templates. ComCERT also proposes creation a set of playbooks that address the handling (detection, classification, prioritisation, analysis, containment, and neutralisation) of specific types of incidents. All these scenarios correspond to predefined threat models for the SOC area of operation and are presented in the form of a procedure.

Implementation

As part of SOC unit implementation, ComCERT can also support the organisation in providing necessary equipment and training of their staff. If required by the organisation, ComCERT delivers necessary technological solutions of leading manufacturers as well as supports their implementation in the client’s environment.