A collection of documentation sources and field best practices for building and running a SOC (including a CSIRT).
These are my views, based on my own experience as a SOC/CSIRT analyst and team manager, as well as on well-known papers. The focus is more on the SOC than on the CERT/CSIRT.
My motto is: without reaction (response), detection is useless.
NB: Generally speaking, SOC here refers to detection activity, and CERT/CSIRT to incident response activity. CERT is a well-known (formerly) US trademark, run by CERT-CC, but I prefer the term CSIRT.
See: SOC/CSIRT Basic and fundamental concepts.
Quoted from this article:
Following the arrows, we go from the log data sources to the data management layer, then to the data enrichment layer (where detection happens), to end up in behaviour analytics or at the user interaction layer (alerts, threat hunting...). All of that is enabled and supported by automation.
Based on a drawing from CYRAIL's paper, which I have slightly modified, here is an example detection architecture (SIEM, SIRP and TIP interconnections) and workflow:
Cf. SOAR page
Cf. detection engineering page.
Cf. management page.
Cf. HR and training page.
As per NCSC website:
Indications of an attack will rarely be isolated events on a single system component or system. So, where possible, having a single platform where analysts have the ability to see and query log data from all of your onboarded systems is invaluable. Having access to the log data from multiple (or all) components will enable analysts to look for evidence of attack across an estate and create detection use-cases that utilise a multitude of sources. By creating temporal (actions over a period of time) and spatial (actions across the estate) use-cases, an organisation is better prepared to address cyber security attacks that occur system-wide.
The goal is to prevent an attacker from achieving lateral movement from a compromised monitored zone to the SOC/CSIRT work zone.
Implement a SOC enclave (with network isolation), as per the drawing in the MITRE paper:
only log collectors and Windows Event Forwarding (WEF) collectors should be authorized to send data into the SOC/CSIRT enclave. Whenever possible, the SOC tools pull the data from the monitored environment, and not the contrary;
on top of a SOC enclave, implement at least a level 2 of network segmentation;
SOC assets should be part of a separate, restricted AD forest, to isolate them from the rest of the monitored AD domains.
Yann F., Wojtek S., Nicolas R., Clément G., Alexandre C., Jean B., Frédérique B., Pierre d'H., Julien C., Hamdi C., Fabien L., Michel de C., Gilles B., Olivier R., Jean-François L., Fabrice M., Pascal R., Florian S., Maxime P., Pascal L., Jérémy d'A., Olivier C. x2, David G., Guillaume D., Patrick C., Lesley K., Gérald G., Jean-Baptiste V., Antoine C. ...