The Report II
Assalamu Alaikum Wa Rahmatullah. How are you, hackers?
Today I am writing this blog/article after solving The Report II. I wrote this based on how I solved this lab.
Before reading this, try to solve the lab yourself. If you get stuck, then come here for help.
OK, now let's move on to the lab.
First, read the scenario.
This challenge is an extension for an existing ‘The Report’ challenge where you are working in a newly established SOC where there is still a lot of work to do to make it a fully functional one. As part of the SOC improvement process, you were assigned a task to study a report released by MITRE and suggest some useful outcomes for your SOC. Note: Answer the questions with the answers as the way you see in the document to avoid formatting issues. Report Link: https://www.mitre.org/sites/default/files/publications/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
Summary of the scenario: you have joined a SOC team as a new member, and they hand you a PDF. You need to analyse that PDF and try to answer the questions.
First, download the zip file and extract it. The password is: BTLO.
Inside the folder you will see a PDF. Open it in a browser. Why a browser? You will get the answer soon.
Lastly, most of the answers are hidden in the questions themselves: each question contains a keyword you can search for in the document. Now let's solve the lab.
Lab Solving
Question 1) Submit the name of the units/teams (in short form) that are responsible for maintaining network and other IT equipment, incident detection and response, and security compliance and risk measurement (Format: Team1, Team2, Team3)
Answer :
NOC, SOC, ISCM
Explanation: If you read the full PDF you will find this, but reading the full PDF is time consuming. If you work in defensive security you already know these names. In the question you will find “network”, and the team that maintains the network is the Network Operations Center, NOC for short. Next the question mentions “incident detection and response”, which is the job of the Security Operations Center, SOC for short. Lastly, for security compliance and risk measurement, you will find Information Security Continuous Monitoring (ISCM) in the PDF.
Question 2) After investigation, what are the 4 suggested ‘Response Options’ mentioned in the Basic SOC Workflow? (Format: Option1, Option2, Option3, Option4)
Answer :
Block activity, deactivate account, continuous watching, refer to outside party
Explanation : If you look at the question you will find the phrase “mentioned in Basic SOC Workflow”. Copy the text Basic SOC Workflow, open the PDF in a browser, press Ctrl+F and paste the copied text. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 3) What is the name of a military strategy used in SOCs to achieve a high level of situational awareness? (Format: Strategy Name)
Answer :
OODA
Explanation : Again, look at the question. The keyword you can use to find the answer is “situational awareness”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 4) What is the name of the suggested organisational model if the constituency size is between 1000 to 10,000 employees (Format: Organisational Model Name)
Answer :
Distributed SOC
Explanation : Search for the keyword “Constituency Size”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 5) In a Large Centralised SOC, who is responsible for generating SOC metrics, maintaining situational awareness, and conducting internal/external trainings? (Format: Role Name)
Answer :
SOC Operations lead
Explanation : Search for the keyword “Large SOC”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 6) In Coordinating & National SOCs model what are the 2 functions mentioned as Optional Capability under Expanded SOC Operations Category? (Format: Function1, Function2)
Answer :
Deception, Insider Threat
Explanation : Search for the keyword “Expanded SOC Operations”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 7) What are the two virtual console technologies (in short form) mentioned to support Virtual SOC/ Remote Work scenarios during pandemics? (Format: Technology1, Technology2)
Answer :
iLO, iDRAC
Explanation : Search for the keyword “Virtual SOC”. Press Ctrl+F and paste it. Step through every highlighted match and you will find the answer in the text.
Question 8) What is the name of the model used to distribute work load of SOC 24/7 across different timezones to eliminate working at night hours? (Format: Model Name)
Answer :
Follow the Sun
Explanation : For this answer you can search Google, or you can try to find it in the PDF. Searching Google is easier. Here is the search keyword: “Which SOC model works 24/7”.
Question 9) Submit the priorities(Low, Medium, High) assigned to Phishing, Insider Threat and Pre-incident Port Scanning activities respectively as per the Incident Prioritization mentioned in the document (Format: Priority1, Priority2, Priority3)
Answer :
Medium, High, Low
Explanation : Search for the keyword “Phishing”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 10) Mention the name of the Open source Operating system mentioned, that can help in mobile incident investigations (Format: OS Name)
Answer :
Santoku
Explanation : Search for the keyword “Open-source tool”. Press Ctrl+F and paste it. Step through every highlighted match and you will find the answer in the text.
Question 11) Before choosing a CTI tool, the document suggests tool support for 2 open threat intelligence standards (short forms), what are they? (Format: Standard1, Standard2)
Answer :
STIX,TAXII
Explanation : Search for the keyword “CTI tool”. Press Ctrl+F and paste it. Step through every highlighted match and you will find the answer in the text.
Question 12) Name the Data Source which consumes the highest volume (typically TB’s/day)? (Format: Data Source Name)
Answer :
PCAP
Explanation : Search for the keyword “Data Source”. Press Ctrl+F and paste it. Step through every highlighted match and you will find the answer in the text.
Question 13) In order to support forensics, what is the recommended data retention period (in months) to store logged EDR data? (Format: # of Months)
Answer :
6
Explanation : Search for the keyword “EDR”. Press Ctrl+F and paste it. Step through every highlighted match and you will find the answer in the text.
Question 14) According to the threat intelligence concept the ‘Pyramid of Pain’, what indicators are Trivial, Easy, Challenging, Tough for adversaries to change? (Format: Indicator1, Indicator2, Indicator3, Indicator4)
Answer :
hash values, ip addresses, tools, ttps
Explanation : Search for the keyword “Pyramid of Pain”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Question 15) Name of the Red Teaming approach to mimic the TTPs of an adversary? (Format: Approach Name)
Answer :
Adversary emulation
Explanation : Search for the keyword “Red Teaming”. Press Ctrl+F and paste it. Step through every highlighted match; one of them sits next to a figure with the answer.
Congratulations! You have successfully solved the lab.
Thanks for reading. I hope this article/blog helps you. If you have any questions or doubts, feel free to ask. And please follow me on Medium; it's free and you can always change your mind.
Here are my social links:
Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/
GitHub : https://github.com/r3dw4n48m3d
Website : https://r3dw4n48m3d.github.io/Portfolio/
YouTube : https://www.youtube.com/@R3DW4NA8M3D