SOC Update (29 Jun - 03 Jul 2020)
Progress / Completed Projects & Tasks
- Onboard tvlk-dev AWS accounts to SSO (on-going)
  - Notice crafted and sent to all major #tech channels enforcing the final ETA of 07/15.
- Container Security
  - Held internal discussion for feedback and collaboration on current best practices and proposed areas of focus / responsibilities.
- OpenSource EDR tools + DLP related capabilities
  - Velociraptor all-in-one package install and ad-hoc collection script package tested in live case SOC-165.
- PST AirAsia fraud case
  - SecOps involved and held an initial meeting with stakeholders for further context and information gathering.
Plan / Work in progress
- SIEMonster Sec Prod Roll-out on AWS
  - Corp-IT Linux servers (lib-goaudit, Wazuh, winlogbeat).
  - Continue working on integrating other relevant log sources.
    - Kaspersky AV logs and ADAudit Plus logs.
    - AWS GuardDuty alert and log integration from the central logs tvlk-audit account.
- Container Security
  - Continue researching best practices, tools and processes.
- Windows AD Hardening
  - Re-prioritising work related to the hardening guide.
- Threat Detection Engineering
  - Prioritise and publish Top 10 Windows Detection Rules following the T2-DARS Framework.
- OpenSource EDR tools + DLP related capabilities
  - On-going initial server deployment of Velociraptor in AWS tlvk-prod (all user end-points, 7k+).
  - Continue working on the deliverables in the SOC Interim DLP Strategy and tasks.
- End-point AV Kaspersky policy audit
  - Finalise the AV Policy Config Document with the recommendations.
Roadblocks / Problems
- AWS Centralized Logs project (tvlk-audit) currently on hold.
  - Infra-cloud is under a cost reduction project and will re-prioritise our projects.
Notable Incidents
SOC-165: Botnet-type behaviour from one source IP 10.10.22.6 towards the 147.32.221.X subnet over port 445.
Status: Contained and investigation completed. Performed further analysis on the Velociraptor ad-hoc collection IR script dump (memory and files). No indications were found that this was a targeted attack or lateral movement. Old unpatched Windows 7 system with no antivirus that had been infected for some time. PC to be retired.
Details at: https://29022131.atlassian.net/browse/SOC-166