

My Current Blue Team Operation

Any team that I lead will be the best, the finest.


Last updated 1 year ago


Inspired by my current years of experience (1 year, so some of this might be wrong or unnecessary), but hey! If you find some of my ideas useful, go ahead and apply them to your environment, and if it works, feel free to send me a meme.

  • BlueSwarm:

  • (Shows how to do data analysis in Security)

  • (Some events that you should monitor or create alarms for)

1. The Goals

Use Jupyter Labs to document the events and the findings each day, create a chart and map of the VLANs each analyst is in charge of, and create a routine that involves not just filing tickets but also some active hunting and monitoring (not just waiting for the alarm, but seeking out events and doing statistics on them).

As of 2/1/2023 my team has 4 people.

2. The Rules of Engagement

  • You can ask the last shift (the Analyst in charge of monitoring the VLANs) about their findings and their documentation

  • Always actively look for IOCs in the VLANs you monitor (some form of threat hunting)

  • Always be open to feedback

The tools will be:

  • NetworkX and Pyvis to document the network topology

  • Jupyter Notebook (centralized via JupyterHub) -> used to document the findings and the reports

  • Pandas and Matplotlib for statistics and visualization

Each member will have a folder of Jupyter Notebooks stored on JupyterLab.

The Folder Tree will look like this

SOC Analyst
- VLAN <number>
	- Analyst’s name
		- jupyter_notebook
		- markdown files
		- their report (draft mostly)
- SHARE (store share content like draw.io VLANs)

Each Analyst will monitor and take notes in their Jupyter notebook like this; the picture is just a POC, and the VLAN is made up.

3. Every Life Cycle

"After I read the BlueSwarm SOC Service I was amazed at how they organize their SOC by creating a flow chart and a cycle for everything"

3.1 VLAN Monitoring Life Cycle

Updated: 7/2/2023 - Zeroska

The Life Cycle itself

We tried 4 weeks, but it was too short: not enough time for our Analysts to understand a VLAN clearly (especially a big VLAN) -> 6 weeks then.

  • Every 6 weeks the Analyst will be given a set of VLANs to monitor (at least 2 VLANs)

  • They will be given the task of documenting the VLANs using Jupyter Notebook, SIEM dashboards, and contact with other departments

  • After 6 weeks the VLAN assignments will be rotated

  • Each week you will generate a report on the VLANs you monitor (including the findings and the abnormal) -> by using Jupyter Notebook -> then Tier 2 will read it and craft the weekly report

Analysts store the VLAN notes on the JupyterHub -> this creates a knowledge base about the organization's network (Analysts can see each other's notes) -> when a deviation happens you notice it right away.

In Detail

  1. The analyst should have a dashboard that shows how many servers are active and inactive on that VLAN

  2. Pick a server in that VLAN and find out what it is normally connected to (including internal and external IP addresses) and what kind of events it usually generates at the network and host layer

  3. What kind of protocol it generally uses, TCP or UDP -> you have to know how much TCP and how much UDP

  4. The ports that are open on that server

  5. What operating system it runs, what the server's business purpose is, and who the owner is

  6. The applications that are running in this VLAN

  7. Always look at the 10 least common values in any chart you make

The list could go on forever, but you get the idea: keep asking What, When, Who, Why, Where and How. Apply security context at the host and network level, and you will be effective at creating dashboards and alarms that improve your monitoring, your understanding, and your visibility of the network.

Every solution has pros and cons:

| Pros | Cons |
| --- | --- |
| The analyst will have an in-depth understanding of the VLAN/System/Network they are in charge of | Manual operation |
| Centralized knowledge base | Needs skilled staff and time |
| Proactive | Need to set up JupyterHub (I will create a guide for this thing) |
| Baseline, know normal | Could be an improvement list |

I don't know whether creating a template (for this kind of operation) is a good thing or not; back in my day as a developer we created templates for everything.

3.2 Event/Incident Life Cycle

Everybody on the team knows this, but I have to make it official and streamline it as much as possible. Look at the picture below and you will understand.

The Event/Incident Life Cycle is different for every company. As I said, it is a well-known procedure, but I think there is something wrong with it that I can't put my finger on; maybe after 2 more years I will figure it out.

Zeroska - 31/1/2023

3.3 Data Analysis Life Cycle (By using the dashboard that you created in 3.1)

For me, statistics, charts, and graphs in Security increase visibility into the system, so the data analysis life cycle is a must-have whether I'm doing tier 2 or tier 1. I'm still learning how to do anomaly detection on the data (learning about Z-scores, charts, and graph theory).
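As an added example (not code from the original page), this pure-Python sketch walks the "In Detail" checklist of 3.1 and the Z-score idea of 3.3 over a constructed flow log for one server: TCP/UDP mix (step 3), the least common destinations (step 7), a per-day baseline, and the days that deviate from it. The host address, the log fields and all sample records are assumptions built for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

HOST = "10.20.0.5"  # the server picked from the VLAN in step 2 (constructed address)

def build_sample():
    """Constructed flow records (day, src, dst, dst_port, proto): seven quiet days plus one spike."""
    rows = []
    for d in range(1, 8):
        day = f"2023-01-0{d}"
        rows += [(day, HOST, "10.20.0.10", 445, "tcp")] * 2 + [(day, HOST, "10.20.0.53", 53, "udp")]
    # day 8 carries the same baseline traffic plus a burst to a never-before-seen external host
    rows += [("2023-01-08", HOST, "10.20.0.10", 445, "tcp")] * 2 + [("2023-01-08", HOST, "10.20.0.53", 53, "udp")]
    rows += [("2023-01-08", HOST, "203.0.113.7", 8443, "tcp")] * 12
    return rows

def protocol_mix(records, host):
    """Share of TCP vs UDP connections started by host (checklist step 3)."""
    counts = Counter(proto for _, src, _, _, proto in records if src == host)
    total = sum(counts.values())
    return {proto: round(n / total, 2) for proto, n in counts.items()}

def rarest(records, host, n=10):
    """Destinations seen on the fewest distinct days: the long tail step 7 says to always inspect."""
    days = defaultdict(set)
    for day, src, dst, port, _ in records:
        if src == host:
            days[(dst, port)].add(day)
    return sorted(((dst, port, len(d)) for (dst, port), d in days.items()), key=lambda t: t[2])[:n]

def daily_counts(records, host):
    """Connections per day for host; this is the baseline the weekly review is compared against."""
    counts = defaultdict(int)
    for day, src, *_ in records:
        if src == host:
            counts[day] += 1
    return dict(sorted(counts.items()))

def zscore_anomalies(counts, threshold=2.0):
    """Days whose count deviates from the mean by more than threshold standard deviations."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # a perfectly flat baseline has no deviations to report
        return {}
    return {day: round((v - mu) / sigma, 2) for day, v in counts.items() if abs(v - mu) / sigma > threshold}

if __name__ == "__main__":
    log = build_sample()
    print(protocol_mix(log, HOST), rarest(log, HOST, 3), zscore_anomalies(daily_counts(log, HOST)), sep="\n")
```

Replacing `build_sample()` with rows read from your SIEM export is enough to run the same questions against a real VLAN; the Z-score only becomes meaningful once the baseline spans more than a handful of days.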

Some refs (the links are collected at the end of this page):

I will write about this in another post once I have implemented it and experienced it first-hand.

3.4

4. The Benefits:

  • Active asset management by monitoring and documenting VLANs

  • Streamline the Blue Team's operation by using Jupyter Labs

  • Able to do statistics on each VLAN -> better insight

  • Might lower the turnover rate of the Analysts

The Notes

  • Build your own dashboards and monitor the internet-facing assets first

  • Build your data analysis pipeline to do statistics on your IPS/IDS alarms and compare the data week over week and day over day

References

  • https://towardsdatascience.com/statistical-techniques-for-anomaly-detection-6ac89e32d17a
  • https://www.youtube.com/watch?v=ZfJ01ZFCMe0&ab_channel=SANSDigitalForensicsandIncidentResponse
  • https://www.blueswarm.site/assets/images/soc_services.pdf
  • https://pberba.github.io/security/2019/10/08/data-exfiltration/
  • https://www.iansresearch.com/resources/all-blogs/post/security-blog/2021/04/29/soc-logging-and-monitoring-best-practices
  • VX Underground stuff hahaha

Image captions from the page: "The note standard is being developed but still you get the idea"; "At the end it will look something like this by using pyvis and networkx".