This week’s email might feel a little different than previous weeks. Today, I’m going to take you on a tour of our Security Operations Center (SOC). Before you ask, yes, it’s still completely locked down and secure at all times due to the very sensitive nature of our work and, of course, DFAR / ITAR requirements. We’ll be doing this through a written narrative, so if you don’t have about seven free minutes to dive into a new world, go ahead and do what you need to do and come back to this. I’ll wait.
Back!? Alright, good. Now let’s proceed.
As you park your car and exit across the parking lot, a warm, 84-degree breeze rushes past you and the sun beats down on the back of your neck. “It’s a nice day,” you think to yourself, “a welcomed break from this crazy heat.” You notice the building, not because anything specific stands out, but because it looks like every other building in the area with the exception of “Milton Security” etched in the glass door.
“Welcome to the Milton Security Operation Center, I’m Patrick,” a gentle voice greets you. “I’m so glad you found the place. Since we don’t allow visitors very often, everyone usually drives right past it.” You don’t have the nerve to tell him you actually drove past it twice, but left early enough that you wouldn’t be late even if you got a little lost.
“Great! Now that you’ve filled out all the required paperwork for a tour of our SOC, let’s step inside. It might take a moment for your eyes to adjust,” he says, as you step through the door into what seems like a pitch black room except for the dim blue glow emitting from what you assume would be a computer monitor across the room.
“Just give it a minute before you try to move,” comes another voice that you haven’t heard before. “I’m Susan, the SOC Manager here at Milton, and I’ll be giving you a tour of the SOC today. With as bright and sunny as it has been the past few days, it takes a while for your eyes to adjust.”
It really seems cliché that a bunch of threat hunters would be working in a dim room staring at a bunch of screens, you think to yourself. Almost as if Susan heard you think that out loud, she responds, “I know it seems like the movies, but there’s a perfectly valid reason that our Threat Hunters like the room dim. First, we don’t want the windows and blinds open for just anyone to look in and see what we’re doing. After all, this is all sensitive and confidential information and DFARS / ITAR standards are in play. Second, how do you typically feel after 8 hours under fluorescent lights staring at a computer screen, much less five of them. We make it as comfortable as possible for our Team.”
She’s got a point, you think to yourself. It does make sense to not have all the extra input from all the lights. Your eyes begin to adjust and you now make out a handful of computer stations along with a few TVs on the front wall.
“This is Nate,” Susan says. “He’s actually working through your data right now. Whatcha got Nate?”
“It looks like we have some attempted lateral movement through the network,” Nate says. “I was scouting when I noticed an admin account signing on in what would be the middle of the night which was unusual, so I started a hunt and then backed up a few hours to do what we call a retro-hunt, focusing on that account at first. It looks like the attacker has been signing in from different IP addresses and geolocations. See here,” he points to the monitor, “the same user signs in from Warsaw, then Hong Kong, and Amsterdam, all within 4 hours and using valid credentials and valid 2FA. Either they’re on a really fast plane, or something’s up.”
“They are also attempting to elevate their privilege,” Susan says as she stands up and you see her eyes looking right at you. You feel helpless at this moment. Something’s going sideways and you can’t control it.
“I just sent an SAA and called the IT Director per the Playbook,” says Nate. Before you can ask, Susan interjects, “that’s a Suspicious Activity Alert which documents all of Nate’s findings. And since it’s a ‘High’ level based on your playbook, Nate has already started calling the people, like your IT Director, who are responsible for mitigation. It looks like your IT Director engaged our Incident Response team. I’m seeing here that our IR Team booted the user and changed the credentials before any malware or ransomware could be installed or data exfiltrated. We caught it in time.”
You notice your heart rate is elevated and your breathing is quick and shallow. “Wow, that all happened so fast,” the words just roll off your tongue before you know what’s happening. “That’s why our Threat Hunting team is so valuable,” you can almost see the smirk behind Susan’s words. “Data doesn’t interpret itself. Sure, we can build out models and document IoCs, TTPs and IoAs, but sometimes it really takes a human to put it all together and make sense out of it. Now you understand why our Certified SOC Analyst, Threat Hunting, team of awesome humans means so much in this process. Before you even settled on what was actually happening, they took action and shut down the threat, keeping your network and data safe.”
You squint as you feel a burning on your eyes. You step out of the darkness and back into the lobby where Patrick greets you again, “So, how was it? Sounds like things got a little tense there.”
“Boy, did they ever,” you mention as you rub your eyes to try and get them to adjust a little faster. “And they do that all day?”
“24x7x365,” comes the response. “Remember the last time you laid down at night and woke up the next morning feeling completely refreshed? That’s what it feels like when you know you have a dedicated team of Milton Threat Hunters watching over your network while you sleep. It’s more than just a checkbox for compliance - it’s a team for tranquility. You know you can go about your day and our SOC Analysts are standing the watch.”
You’re suddenly sitting in your car. The windows are down and the music is tuned to your favorite station. You look up and the light turns from red to green. As you cruise down the road, you take a deep breath in and feel all the tension in your shoulders just release out the window. “I’m good,” you think to yourself. “I’m covered.” You drive home, have dinner with friends and family, and rest well that night, waking up the next morning feeling refreshed and ready for the day.
Sounds like a pretty intense tour you had there! As always, if you have any questions, I’d love to answer them, so feel free to hit reply to this email and fire away. If you’re interested in seeing what our human Threat Hunters can find in your network, why not take a 15-day free POV trial? Shoot me a message and let’s make sure you get a good night's sleep tonight.
Until next time. Stay safe!