fox-it.com

Confessions of a Cyber Defender: Truths from the SOC trenches

For a More Secure Society

Yiğit Borucu & Bram van Dooremaal

fox-it.com

$whoami

Introduction

For a More Secure Society

3

fox-it.com

$whoami /groups

A big team with a lot of knowledge

• Monitoring, analysing and reporting
• 24/7 coverage
• First SOC in Europe
• Around 63 Analysts
• Full and Part-timers

For a More Secure Society

4

fox-it.com

We want to know more about you!

For a More Secure Society

5

fox-it.com

From calm to chaos

• Every second matters
• TU Eindhoven
• Analyse & Communicate

A ticking time bomb

For a More Secure Society

6

fox-it.com

Anomalous IoT Devices

• IoT devices can be fun
• Unexpected scans all over the place

​

When the Coffee Machine becomes a threat

For a More Secure Society

7

fox-it.com

Has your IoT device acted differently?

For a More Secure Society

8

fox-it.com

Geopolitics

Real World impacts the digital

For a More Secure Society

9

Real world influences the threat assesment in�both directions

​

Sometimes there are also ethical questions as a�result of geopolitics.

​

Aftermath of Israel-Palestine escalation.�HAMAS affiliated Domain in DNS Lookup (alqassam .ps)

“One interesting trend we see is, in the last month or two, ransomware is actually down. There’s probably a lot of different reasons why that is, but I think one impact is the fallout of Russia-Ukraine. As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them be less effective – and ransomware is a big part of that.”

~ Rob Joyce, NSA Director of Cybersecurity, 2022

fox-it.com

Stronger Together

• We are not alone
• From a NATO summit to pentest

​

Collaborations

For a More Secure Society

10

SDM

Red Team

Forensic Experts

Threat Intell.

SOC

fox-it.com

Triple A: Alarms, Alerts and Adrenaline

The challenge you have to face

Fatigue + unpredictable events = intense day

Routine

Adapt and thrive

Smart routines, good playlists, and coffee save the day

Shifts

Waking up at 5am for a 7am shift

SOC Analyst

Adrenaline

Analyse Incident

For a More Secure Society

11

fox-it.com

The SOC Jet Lag

• 3 shifts. Endless Rotation.
• Constant jet lag... But long weekends rock! (A hair cut on a Tuesday afternoon!)
• Good night shifts

​

The good and the bad

For a More Secure Society

12

fox-it.com

Fatigue

• Alert fatigue is real, for both sides
• Backlogs grow - Queues flood
• Repetition = exhaustion
• Filtering & feedback loops
• Focus on what really matters

A single needle in a mountain of haystacks

For a More Secure Society

13

fox-it.com

The cycle of growth

• The best place to start
• Frontline experience difficult to get anywhere else
• Exposure to tools, tactics and attacker mindset
• Constant knowledge
• From SOC -> Red Team, IR, Threat hunting, Engineering

​

How Foxers stay Foxers

For a More Secure Society

14

fox-it.com

What kind of security incident or challenges did you face and how did you deal with it?

For a More Secure Society

15

fox-it.com

When silence is not the answer

• SSH keys & AWS credentials exfiltrated

​

​

For a More Secure Society

16

fox-it.com

When silence is not the answer

For a More Secure Society

17

fox-it.com

When silence is not the answer

For a More Secure Society

18

fox-it.com

When silence is not the answer

For a More Secure Society

19

fox-it.com

When silence is not the answer

• SSH keys & AWS credentials exfiltrated
• 30 calls no answer

​

​

For a More Secure Society

20

Would you want us to keep calling?

fox-it.com

Thank you

Q&A Time!

For a More Secure Society

fox-it.com

fox-it.com