[Chris Crowley is a cybersecurity instructor and industry analyst. This is Part 3 of his series of easy-to-use “best practice” documents – a veritable Swiss Army Knife of security operations assets on topics ranging from email writing to shift handoffs to training – created to help SOC professionals save time on common housekeeping tasks. You can read Part 1 and Part 2 here.]
Security operations centers (SOCs) exist to deliver sustained monitoring and response capabilities. Staff members are a core pillar of this mission.
Each SOC should have clearly articulated roles and levels for its personnel. This helps to establish fair practices for hiring, training, promotion, compensation and performance expectations.
In many SOCs, the level (or tier) of a staff member is also articulated by their area of responsibility: for example, SOC monitoring analyst, incident responder, forensic analyst, penetration tester and vulnerability management evangelist.
Typically, however, areas of responsibility are combined, presuming the SOC is staffed by many general-purpose analysts. In such a setup, most SOC personnel share duties, with individuals taking on tasks as the primary performer according to a skill matrix. This is a common practice in SOCs because of the budget reality: The average size of a SOC is about 10 people.
There are several ways to separate staff levels within a SOC, including junior, moderate and senior.
Let’s start by characterizing these three levels before defining the competencies of each. The competencies are intended to be applicable to both generalists and specialists within their varying domains of expertise.
(By the way, if you are seeking a per-role task, knowledge and skill matrix depiction, the NICE framework, produced by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), is an exceedingly thorough reference.)
Junior staff range from having no cybersecurity experience to having only a small amount of it. Previous experience in information technology (IT) is useful, but cybersecurity experience is its own, specific requirement.
Moderate staff have experience in various domains of cybersecurity knowledge and may have some expertise in one domain, but would not be considered subject-matter experts in any given area.
Senior staff are subject-matter experts. Because cybersecurity staff are often generalists for much of their careers, it is not uncommon for someone with expertise in one domain of cybersecurity to have extensive, perhaps expert-level, knowledge in other domains as well.
This section defines competencies for each level. It does not intend to assign the competencies based on job role. Specific job roles in your organization will place a greater or lesser emphasis on each competency.
For junior staff, the focus is, fundamentally, on understanding how computers talk to one another. This covers a massive volume of information, including, but not limited to:
Knowledge of common, successful adversary tactics and techniques (MITRE ATT&CK is a good reference) for command-and-control (C2) attacks (service side, client side, phishing, web application attacks, etc.) is another area that junior staff focus on comprehending and applying.
Tactical tasks performed at this level (i.e., ingestion of threat intelligence) include:
Report writing fundamentals are also necessary to clearly articulate the activities taken by staff and the important information derived from these actions.
Each step up in level indicates tiered growth on the previous competencies. Few people will have a firm grasp of every junior-level competency, but the expectation is that basic familiarity and comprehension exist across all of the identified items (with the understanding that refamiliarization may be needed, and that most people will have comprehensive experience in some of the areas).
Staff members at the moderate level continue to work with threat intelligence (TI), selecting the data relevant to specific inquiries. TI work at this level includes extracting elements of information from the incidents handled.
Meanwhile, continued task development at this level includes host-based memory collection and analysis of memory; basic reverse engineering of software, including assembly-level instructions across all standard processors; and architecture and security specifications for assets of all types, such as:
Technology use (such as the above-mentioned tools) includes deploying playbooks (sometimes referred to as runbooks), plus the ability to leverage tools in new ways when circumstances dictate. To capture the application of this sort of tool use, developing SOAR modules and/or documenting playbooks is appropriate. New tools at this level include more sophisticated cyber-specific technologies such as web application firewalls. Testing of emerging technologies (e.g., AI, deception, cloud asset monitoring) is performed to determine what should be added to the technology portfolio.
In addition at this level, organization-focused OSINT (open-source intelligence) research is understood and may be conducted.
Report writing focus continues and may include critical review of reports either publicly available or written by other analysts on the team.
The senior stage sees further accretion of duties, built upon the expected competencies of the junior and moderate levels.
At the senior stage, staff members develop and deploy advanced assessments: for example, a novel C2 implementation that reproduces an advanced adversary capability, involving perhaps a unique take on DNS tunneling or tunneling ICMPv4 with embedded data over IPv6 to confuse detection capabilities.
Analysts at this level also will be familiar with advanced memory, host and forensic analysis capabilities, which are required to collect the assets necessary to perform this analysis at scale.
In addition to the use of technologies previously mentioned, senior-level staff develop standard procedures, such as a coherent flow of operations that enables less experienced staff to perform optimally with the tools available.
Staff at this level also anticipate future technology trends and needs, facilitating the inclusion of new tools in ways that provide seamless integration into deployed systems, as well as offering support to less experienced staff with smooth on-ramps of training and documentation.
Proficiency in insider threat profiling of potential internal digital risks (which often take the form of external threat actors operating with stolen credentials) is also expected.
At this level, acumen around threat intelligence advances so that it can be applied at large scale, often via automation. Senior-level staffers also lead hunt activities by choosing appropriate hunts based on current threat intelligence and organization-relevant OSINT.
Report writing evolves into graphical depiction of complicated information and development of cybersecurity-related metrics, which help SOCs forecast their need and optimize their use of resources like staff and technology.
If you don’t have staff roles and levels identified and assigned yet, get that done first. Next, take the suggestions in this post and customize them to your organizational needs.
After that: find, develop and purchase training that fulfills the needs of your staff. Don’t neglect the option of using the training time to develop training for others on the team.
Lay out the metrics for training. This should likely include completion of the training, credit for developing new training, and some incentives to go above and beyond. Certifications should also be part of your portfolio, as they compel people to study and verify knowledge acquisition.
Build a program that provides a clear pathway for everyone and leaves some latitude for individual preference in learning style and topics of interest. Some people prefer videos, others like written content, some need to sit in a classroom to be able to pay attention.
Each person has personal goals and aspirations. Align the individual training plan with them by leaving some time for self-selected topics!