
New Educational Video Series for SOC Analysts by @collinsinfosec
In this video, Collins from the @collinsinfosec channel presents an educational series aimed at Level 1 and 2 analysts working in a Security Operations Center (SOC). The goal is to develop essential skills for investigating security alerts, analyzing suspicious files, and building solid investigation cases. The series starts with the basics and plans to progress towards creating a functional SOC integrated into a production environment. This first episode focuses on fundamental investigation skills, using the analysis of a potentially malicious file as an example.
The investigation process presented follows a structured methodology in several key steps. It begins with the collection of metadata, a crucial phase for understanding the origin and characteristics of a suspicious file. Collins explains that SOC analysts spend most of their time sorting through alerts generated by tools like Wazuh, a SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) platform. These alerts can come from logs collected on Windows machines, for example, and signal suspicious activities such as the execution of a malicious file. In the example shown, the alert concerns a file named "malware demo.log," which turns out to be an executable disguised with a double extension (.exe.bin), a common technique to deceive users or bypass certain protections.
Once the alert is identified, the analyst must acknowledge it to mark the beginning of the investigation. The first step is to gather basic information about the file: its name, type, size, and especially its hash (a unique digital fingerprint). The hash is particularly important because it allows searching for information about the file in databases like VirusTotal or sandboxes like Any.run. Collins shows how to use the "file" command to determine the file type and how to calculate its hash for precise identification. This metadata serves as a starting point for more in-depth research and allows pivoting to other analysis tools.
The second step of the investigation is the collection of indicators of compromise (IOCs). This involves searching for static or dynamic elements in the file that could reveal its malicious behavior. For example, an analyst can examine the strings embedded in the file, hardcoded URLs or domains, or suspicious IP addresses. Collins uses Any.run, an interactive sandbox, to analyze the file securely. Any.run executes the file in an isolated environment and generates a detailed report containing static information (such as the file type, PE32 in this case) and dynamic information (such as launched processes, file modifications, or network connections). In the example, the report reveals that the suspicious file communicates with domains and IP addresses, although some appear legitimate. The analyst must then evaluate whether these connections are suspicious or not.
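The metadata and IOC collection steps above, as an added Python example that is not code from the video or the page: it performs a `file`-style type check from magic bytes, hashing, a double-extension check, and `strings`-style extraction with URL/IP/domain pivots over a constructed byte blob. The file name, URL and TEST-NET IP address in the sample are made up for the example.

```python
import hashlib
import re
from pathlib import PurePath
from urllib.parse import urlparse

# Constructed sample (not a real binary): an "MZ" magic header plus a few
# embedded strings of the kind pulled out of the sample in the video.
SAMPLE_NAME = "malware demo.log.exe.bin"          # hypothetical file name
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://updates.example-cdn.net/payload.bin\x00"  # constructed URL
    + b"\x01\x02" + b"192.0.2.45:4444\x00"               # constructed IP (TEST-NET-1)
    + b"cmd.exe /c start acrobat.exe\x00"                # constructed command line
    + b"\xff\xfeAAA\x00"                                 # too short to count as a string
)

MAGIC = {b"MZ": "PE executable (MZ header)", b"\x7fELF": "ELF executable", b"%PDF": "PDF document"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".bin", ".ps1", ".bat", ".vbs", ".js"}
NOT_DOMAINS = {"exe", "dll", "bin", "log", "dat", "tmp"}  # file extensions that look like TLDs
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def file_type(data: bytes) -> str:
    """Step 1: identify the type from the magic bytes, as `file` does."""
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "data")

def hashes(data: bytes) -> dict:
    """Step 1: fingerprints to pivot on in VirusTotal or a sandbox."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def disguised_extension(name: str) -> bool:
    """True when a harmless-looking extension precedes an executable one."""
    sufs = [s.lower() for s in PurePath(name).suffixes]
    return len(sufs) > 1 and sufs[0] not in EXEC_EXTS and any(s in EXEC_EXTS for s in sufs[1:])

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 2: printable ASCII runs, the same thing `strings` prints."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def extract_iocs(strings_: list) -> dict:
    """Step 2: URLs, IPs and bare domains from the strings. Deliberately noisy:
    the analyst still has to judge which ones are legitimate."""
    urls, ips, domains = set(), set(), set()
    for s in strings_:
        for u in URL.findall(s):
            urls.add(u)
            domains.add(urlparse(u).hostname)
        ips.update(IPV4.findall(s))
        for d in DOMAIN.findall(URL.sub(" ", s)):       # bare domains outside URLs
            if d.rsplit(".", 1)[-1].lower() not in NOT_DOMAINS:
                domains.add(d.lower())
    return {"urls": sorted(urls), "ips": sorted(ips), "domains": sorted(domains)}

def triage(name: str, data: bytes) -> dict:
    """Metadata plus IOCs: the starting point for the case file."""
    return {"name": name, "size": len(data), "type": file_type(data),
            "disguised_extension": disguised_extension(name), **hashes(data),
            "iocs": extract_iocs(extract_strings(data))}
```

The hashes in the result are what you would paste into VirusTotal or Any.run; the IOC lists are the candidates to check against the sandbox's network view.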
The third step is detonation, i.e., the dynamic analysis of the file to observe its behavior in real-time. Collins shows how to use Any.run to track the process tree generated by the malicious file. In the example, the file launches a series of commands via cmd.exe and conhost.exe, then executes another malicious executable (identified as "ghost"). The analysis of file modifications reveals that the malware drops additional executables, one of which simulates a legitimate application like Adobe Acrobat to mask its malicious activity. Network analysis also identifies connections established by the malware, which could be used to exfiltrate data or receive instructions from a command and control (C2) server.
Once all this information is collected, the SOC analyst can conclude whether the file is malicious (true positive) or benign (false positive). In the presented example, the file is clearly malicious, and the analyst can then document the investigation in a "case file" to justify the decision. This file will serve as evidence for the next steps, such as escalating to a higher-level team or closing the alert. Collins emphasizes that these skills are essential for SOC analysts, as they help reduce incident response time and improve the accuracy of investigations. With experience, analysts develop a better understanding of normal and abnormal behaviors in their environment, making threat detection easier.
In summary, this video offers a practical introduction to cybersecurity investigation skills, focusing on using tools like Wazuh and Any.run. It shows how a SOC analyst can structure their work to effectively analyze an alert, from metadata collection to dynamic analysis of the suspicious file. These skills are crucial for anyone wishing to work in a SOC, as they allow for quickly sorting through alerts and making informed decisions. The series promises to continue exploring more advanced topics, such as configuring detection tools and creating an operational SOC.