
💙My Current Blue Team Operation

Any team that I lead will be the best, the finest.

Inspired by my current years of experience: 1 year, so some of this might be wrong or unnecessary, but hey! If you find some of my ideas useful, go ahead and apply them to your environment, and if it works, feel free to send me a meme.

VX Underground stuff hahaha

1. The Goals

Use JupyterLab to document the events and findings each day, create a chart and map of the VLANs they are in charge of, and create a routine that involves not just filling in the ticket but also some active hunting and monitoring (not just waiting for the alarm, but seeking out events and doing statistics on them).

As of 2/1/2023 my team has 4 people.

2. The Rules of Engagement

  • You can ask the last shift (the analysts in charge of monitoring the VLANs) about their findings and their documentation

  • Always actively look for IOCs in the VLANs you monitor (some form of threat hunting)

  • Always open to feedback

The tools will be:

  • Networkx and Pyvis to document the network topology

  • Jupyter Notebook (centralized with JupyterHub) -> used to document the findings and reports

  • Pandas and Matplotlib for statistics and visualization

Each member will have a folder of Jupyter Notebooks stored on Jupyter Lab

The Folder Tree will look like this

Each analyst will monitor and take notes in their Jupyter notebook like this; this picture is just a POC, and the VLAN is made up.

The note standard is still being developed, but you get the idea.
In the end it will look something like this, using pyvis and networkx.

3. Every Life Cycle

"After I read about the BlueSwarm SOC Service I was amazed at how they organized their SOC by creating a flow chart and a cycle for everything"

3.1 VLAN Monitoring Life Cycle

Updated: 7/2/2023 - Zeroska

The Life Cycle itself

We tried 4 weeks, but that was too short: not enough time for our analysts to understand a VLAN clearly (especially a big VLAN) -> 6 weeks then

  • Every 6 weeks each analyst will be given a set of VLANs to monitor (at least 2 VLANs)

  • They will be given the task of documenting the VLANs using Jupyter Notebook, the SIEM dashboard, and contact with other departments

  • After 6 weeks the VLAN monitoring assignments will be rotated

  • Each week you will generate a report on the VLANs you monitor (including the findings and the abnormal) -> by using Jupyter Notebook -> then Tier 2 will read it and craft the weekly report

Analysts store their VLAN notes on the JupyterHub -> this creates a knowledge base about the organization's network (analysts can see each other's notes) -> when a deviation happens you notice it right away

In Detail

  1. The analyst should have a dashboard that shows how many servers are active and inactive on that VLAN

  2. Pick a server in that VLAN and find out what it is normally connected to (including internal and external IP addresses) and what kind of events it usually generates at the network and host layer

  3. What kind of protocol it generally uses, TCP or UDP -> you have to know how much TCP and how much UDP

  4. The ports that are opened on that server

  5. What operating system it runs, what the server's business purpose is, and who the owner is

  6. The applications that are running in this VLAN

  7. Always look at the 10 least common values in any chart you make

The list could go on forever, but you get the idea: keep asking What, When, Who, Why, Where and How. Apply security context at the host and network level and you will be effective at creating dashboards and alarms that improve your monitoring and your understanding of, and visibility into, the network.
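The "In Detail" steps above, worked through as code: an added example, not part of the original post, that builds a per-server baseline for one VLAN (protocol mix, inbound ports, internal and external peers, the least common values) and then flags deviations from it, which is how the shared notes let you notice a change right away. It uses only the Python standard library rather than pandas so it runs anywhere; the VLAN 10.20.0.0/24 and every flow record are constructed, not real traffic.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

VLAN = ip_network("10.20.0.0/24")  # hypothetical VLAN assigned to the analyst
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows, not real traffic: (src, dst, proto, dst_port)
BASELINE_FLOWS = [
    ("10.20.0.10", "10.20.0.53", "udp", 53),
    ("10.20.0.10", "10.20.0.53", "udp", 53),
    ("10.20.0.10", "203.0.113.7", "tcp", 443),
    ("10.20.0.10", "203.0.113.7", "tcp", 443),
    ("10.0.5.21", "10.20.0.10", "tcp", 8080),
    ("10.0.5.22", "10.20.0.10", "tcp", 8080),
    ("10.20.0.20", "10.20.0.53", "udp", 53),
    ("10.0.5.21", "10.20.0.20", "tcp", 22),
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def active_servers(flows, vlan=VLAN):
    """Step 1: which hosts in the VLAN actually showed up in the traffic."""
    return sorted({ip for f in flows for ip in f[:2] if ip_address(ip) in vlan})

def profile_server(flows, server):
    """Steps 2-4 for one server: TCP/UDP mix, ports it accepts connections on,
    and the internal and external peers it normally talks to."""
    prof = {"proto": Counter(), "open_ports": set(),
            "internal_peers": Counter(), "external_peers": Counter()}
    for src, dst, proto, port in flows:
        if server not in (src, dst):
            continue
        prof["proto"][proto] += 1
        if dst == server:  # inbound flow -> the server is listening on this port
            prof["open_ports"].add(port)
        peer = dst if src == server else src
        prof["internal_peers" if is_internal(peer) else "external_peers"][peer] += 1
    return prof

def least_common(counter, n=10):
    """Step 7: the bottom of the chart, rarest values first."""
    return sorted(counter.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def deviations(baseline_flows, new_flows, server):
    """Peers or inbound ports seen in the new period but absent from the baseline."""
    base, new = profile_server(baseline_flows, server), profile_server(new_flows, server)
    peers = lambda p: set(p["internal_peers"]) | set(p["external_peers"])
    return {"new_peers": sorted(peers(new) - peers(base)),
            "new_ports": sorted(new["open_ports"] - base["open_ports"])}
```

Run `deviations(BASELINE_FLOWS, this_weeks_flows, server)` for each server in `active_servers(...)` to get the "abnormal" part of the weekly report.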

Every solution has pros and cons

Pros

  • The analyst will have an in-depth understanding of the VLAN/system/network they are in charge of

  • Centralized knowledge base

  • Proactive

  • Baseline, know normal

Cons

  • Manual operation

  • Need skilled staff and time

  • Need to set up JupyterHub (I will create a guide for this thing)

Could be an improvement list

I don't know whether creating a template (for this kind of operation) is a good thing or not; back in my day as a developer we created templates for everything

VLAN Monitoring Template

3.2 Event/Incident Life Cycle

Everybody on the team knows this, but I have to make it official and streamline it as much as possible; look at the picture below and you will understand

The Event/Incident Life Cycle is different for every company. As I said, it is a well-known procedure, but I think there is something wrong with it that I can't quite tell; maybe after 2 more years I will figure it out

Zeroska - 31/1/2023

3.3 Data Analysis Life Cycle (using the dashboard that you created in 3.1)

For me, statistics, charts, and graphs in security increase visibility into the system, so the data analysis life cycle is a must-have when I'm doing tier 2 or tier 1. I'm still learning how to do anomaly detection on the data (learning about Z-scores and charts, graph theory)

Some ref:

I will write about this in another post when I have implemented it and experienced it at hand

Data Analysis as a Defender


4. The Benefits:

  • Active Asset Management by monitoring and documenting VLANs

  • Streamline the Blue Team's operation by using JupyterLab

  • Able to do statistics on each VLAN -> better insight

  • Might lower the turnover rate of the analysts

The Notes

  • Build your own dashboard and monitor the internet-facing systems first

  • Build your data analysis pipeline to do statistics on your IPS/IDS alarms and compare the data week over week and day over day
