Unit 10 Reading: Security Operations Center (SOC)

Security Operations Center (SOC)
Scene: 08:12 in the SOC war room. Overnight alerts spiked. A major client portal is timing out for some users in Europe.

CISO: Morning. Bring me up to speed.

SOC Analyst: At 02:41 our intrusion detection system flagged anomalous lateral movement from an engineering workstation. By 03:05 the SIEM correlated it with a surge of failed logins that look like a brute force attack. At 03:12 we saw encrypt-and-rename behavior—classic ransomware.

DevOps Lead: We also had intermittent outages that resemble a small DDoS from a rented botnet. Could be noise to distract us.

CISO: Root vector?

SOC Analyst: Likely phishing leading to social engineering. The user clicked a fake SSO prompt. The actor then bypassed weak push-based multi-factor authentication with “MFA fatigue” spam approvals. No biometric authentication on that account yet.

Incident Responder: We’ve initiated the incident response runbook: containment, then eradication, then recovery. We’ve isolated three subnets, revoked tokens, and rotated high-risk secrets.

Legal Counsel: Any signs of data exfiltration that would trigger breach notification obligations under GDPR?

SOC Analyst: No confirmed exfil yet. NetFlow shows outbound spikes to an anonymized VPS, but packet samples look like command traffic, not bulk data. We’re preserving audit logs for forensics.

CISO: Good. What about preventive gaps?

DevOps Lead: Two issues. First, the build agent cluster missed last week’s patch management window because of a failed pipeline. One node still has an open CVE the vendor patched yesterday; an emergency hotfix is out, but we hadn’t rolled it. Second, some shared services still violate least privilege—service accounts can see more than they need.

Incident Responder: Also, our east-west firewall rules are permissive. If we followed a stricter zero trust posture, lateral movement would’ve been much harder.

CISO: Understood. Current blast radius?

SOC Analyst: Encryption hit a fileshare backing the reporting service. The volume itself is under encryption at rest, so the threat actor encrypted ciphertext—annoying, but not a confidentiality leak. Production databases show no tampering; write-ahead logs are clean.

DevOps Lead: Backups?

Incident Responder: Verified. Nightly immutable snapshots are intact. We can restore the reporting share in under an hour.

CISO: Ransom note?

SOC Analyst: Yes—HTML dropped in user desktops. They claim a “zero-day exploit” and threaten release. Likely bluster; their TTPs are off-the-shelf. No unique loader, just commodity malware.

Legal Counsel: Regardless, we’ll document the extortion attempt and preserve evidence. Do not engage with the actor outside the playbook.

CISO: Actions, now. IR, continue containment. DevOps, restore, then rotate credentials and re-deploy with tight scopes. SOC, increase detections for suspicious OAuth grants and impossible travel. Legal, prep draft notifications in case exfil shows up. Comms, a holding statement: “Service degradation under investigation; no customer action required.”

DevOps Lead: Copy. Post-restore we’ll force device re-enrollment and require phishing-resistant MFA for privileged roles. We’ll also gate production via access control lists and short-lived tokens.

Incident Responder: I’ll seed a decoy share as a honeynet light—if the actor still has hands-on-keyboard we’ll catch them touching the honeypot.

SOC Analyst: One more thing: the compromised user reused a weak pattern. Our last vulnerability assessment flagged poor password hygiene, but remediation lagged.

CISO: Schedule a targeted penetration test after we’re stable—focus on identity abuse, OAuth consent, and workstation hardening. I also want a posture review on VPN split-tunneling and unmanaged endpoints.

Legal Counsel: And we’ll update the Board. If indicators of exfil appear, we start regulatory clocks.

— 10:02, later —

Incident Responder: Containment complete. EDR quarantined four hosts. No callbacks in the last 45 minutes. The decoy share hasn’t been touched.

DevOps Lead: Reporting service is back. We tightened east-west rules, rotated secrets, and enforced privileged access just-in-time. Rolling out phishing-resistant MFA to admins today; staff cohort tomorrow.

SOC Analyst: Forensics update: no evidence of bulk exfil. The “exfil” claim looks like boilerplate intimidation. Indicators map to a known affiliate group; playbook matches.

CISO: Good work. Post-incident, we’ll publish a blameless report with corrective actions: mandatory security awareness, stronger MFA enrollment, service isolation, quarterly pen-tests, stricter zero-trust segmentation, and automated patch SLAs.

Legal Counsel: We’ll retain artifacts for any future proceedings and close with a written assurance to clients about measures taken.

CISO: Ship it. And book a retro—failure is tuition; let’s learn fast.

End of dialogue.
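The dialogue mentions three detections a SIEM would correlate: a surge of failed logins (brute force), a burst of push prompts ending in an approval (MFA fatigue), and "impossible travel" between two successful logins. The following Python is an added example written for this reading; it is not code from the scene or from any product. It runs each detection over a small constructed authentication log (the `AuthEvent` records, user names, IP addresses and coordinates are all invented), so the reader can see what each rule actually keys on and why one user trips all three.

```python
"""Added example (not part of the reading): three toy SIEM-style detections
run over a constructed authentication event log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class AuthEvent:
    ts: datetime      # event time, UTC
    user: str
    kind: str         # "login_failed" | "login_success" | "mfa_push" | "mfa_approved"
    src_ip: str
    lat: float        # geolocation of src_ip (constructed)
    lon: float


def _t(hhmm: str) -> datetime:
    """All sample events fall on one constructed day."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


LONDON = (51.50, -0.12)
SYDNEY = (-33.87, 151.21)

# Constructed sample log: 12 failed logins for 'jdoe' in under two minutes,
# six MFA pushes followed by an approval, a successful login from Sydney
# 88 minutes after one from London, and an unremarkable user 'asmith'.
SAMPLE = (
    [AuthEvent(_t("02:50") + timedelta(seconds=10 * i), "jdoe", "login_failed",
               "203.0.113.7", *SYDNEY) for i in range(12)]
    + [AuthEvent(_t("02:55") + timedelta(seconds=20 * i), "jdoe", "mfa_push",
                 "203.0.113.7", *SYDNEY) for i in range(6)]
    + [AuthEvent(_t("02:57"), "jdoe", "mfa_approved", "203.0.113.7", *SYDNEY),
       AuthEvent(_t("02:58"), "jdoe", "login_success", "203.0.113.7", *SYDNEY),
       AuthEvent(_t("01:30"), "jdoe", "login_success", "198.51.100.4", *LONDON),
       AuthEvent(_t("03:00"), "asmith", "login_success", "198.51.100.9", *LONDON)]
)


def failed_login_surge(events, window=timedelta(minutes=5), threshold=10):
    """Users with at least `threshold` failed logins inside any sliding `window`."""
    hits = set()
    by_user = {}
    fails = sorted([e for e in events if e.kind == "login_failed"],
                   key=lambda e: (e.user, e.ts))
    for e in fails:
        by_user.setdefault(e.user, []).append(e.ts)
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits


def mfa_fatigue(events, window=timedelta(minutes=5), pushes=3):
    """Users who approved a push after at least `pushes` prompts within `window`."""
    hits = set()
    for e in events:
        if e.kind != "mfa_approved":
            continue
        recent = [p for p in events if p.user == e.user and p.kind == "mfa_push"
                  and e.ts - window <= p.ts <= e.ts]
        if len(recent) >= pushes:
            hits.add(e.user)
    return hits


def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """Users whose consecutive successful logins imply travel faster than `max_kmh`."""
    hits = set()
    succ = sorted([e for e in events if e.kind == "login_success"],
                  key=lambda e: (e.user, e.ts))
    for prev, cur in zip(succ, succ[1:]):
        if prev.user != cur.user:
            continue
        dist = _km((prev.lat, prev.lon), (cur.lat, cur.lon))
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        if dist > 0 and (hours == 0 or dist / hours > max_kmh):
            hits.add(cur.user)
    return hits


def triage(events):
    """Correlate the three rules into one per-user view, as a SIEM would."""
    return {"brute_force": failed_login_surge(events),
            "mfa_fatigue": mfa_fatigue(events),
            "impossible_travel": impossible_travel(events)}


if __name__ == "__main__":
    for rule, users in triage(SAMPLE).items():
        print(f"{rule}: {sorted(users) or 'no hits'}")
```

The thresholds (ten failures in five minutes, three pushes before an approval, 900 km/h) are illustrative; a real SOC tunes them against its own baseline so that, for example, a legitimate VPN exit change does not page as impossible travel. The value of running all three together is the correlation the analyst describes in the scene: any one rule alone is noisy, but the same account tripping brute force, then MFA fatigue, then impossible travel within an hour is a strong signal.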
Discussion Questions
  • Why did the team choose not to engage the actor? Which lines show risk-based decision-making rather than panic?
  • Identify initial access, persistence, lateral movement, and actions on objectives in this incident.