SOC in My Pocket (SOCIMP) is my very first and, so far, my flagship cybersecurity project. It is designed for Security and SOC Analysts and centered around the core pillars of People, Process, and Technology (PPT), the foundation of effective SOC operations.
By focusing on adversaries' Tactics, Techniques, and Procedures (TTPs) for threat detection and response, SOCIMP helps me learn how to proactively defend against complex cyber threats.
With its monitoring, automation, and response capabilities, this SOC setup showcases my knowledge of cybersecurity and reflects my vision of a safer digital world for everyone.
2 THINGS: ME AND A DEDICATED WORKSTATION
SOCIMP includes the essential SOC components needed to deliver comprehensive cybersecurity operations:
- SIEM: The Elastic Stack is my SIEM solution of choice. All logs and data sources (workstations, servers, firewalls, web applications, etc.) are forwarded into the Elastic Stack and centrally managed through a Fleet Server.
- EDR: Elastic Agent, integrated with Elastic Defend, provides robust endpoint detection and response (EDR) capabilities that work seamlessly within the Elastic ecosystem.
- SOAR: Tools like Shuffle, TheHive, and Cortex offer a high level of automation, flexibility, and extensive integration across the various components for streamlined security operations and incident response. I have since switched from Shuffle to n8n as my SOAR platform.
- TIP: MISP is a powerful threat intelligence platform that integrates smoothly with TheHive and Cortex for effective incident enrichment. OpenCTI complements it with visually rich dashboards and multiple connectors for gathering comprehensive threat intelligence data.
- Firewall: I opted for OPNsense, which offers a user-friendly dashboard, advanced traffic inspection, and a variety of built-in security features to protect the network.
You might be wondering: where is the vulnerability management, such as Tenable, Qualys, or OpenVAS? While these tools are important, my current focus is on gaining in-depth experience with incident analysis and hands-on practice using the tools mentioned above.
To support all of this, the SOCIMP project is built on a workstation powered by:
- CPU: Intel Xeon (18 cores / 36 threads)
- RAM: 128 GB
- Storage: 1 TB SSD
This infrastructure hosts multiple VMs and containers, ensuring scalability and performance across all SOC components.
For adversary emulation, I chose Atomic Red Team. It is lightweight and portable, and it lets me test my environment quickly. I also use Parrot OS.
In the future, I may also explore Caldera for more advanced adversary simulation capabilities.
Besides Atomic Red Team, I also developed my own simple kill chains to understand attacks from the adversary's perspective.
In the SOCIMP project, I will guide you through all stages: starting with installation notes, followed by the deployment where I configure and integrate all components, then preparation for adversary emulation, and finally threat hunting, analysis, and response to security incidents (blue teaming).
This project will also cover future development plans.
- Installation Notes: My setup process, the challenges encountered, and troubleshooting techniques for the various components.
- Deployment: Procedures for deploying and integrating the tools to create a functional SOC infrastructure.
- Adversary Emulation: How I set up adversary environments, build attack plans, and replicate real-world behaviors using the MITRE ATT&CK Framework.
- Blue Teaming: Processes for monitoring alerts, detecting threats, and responding to incidents.
Pham Thanh Sang - @telegram - [email protected]
My Projects / Write-ups:
My Blog site: https://phamthanhsang-cs.site/