Five Steps to Investigate and Respond to Malware Incidents as a SOC Analyst

Infosec Train

Malware is malicious software that damages a system, or steals data from it, without the owner's knowledge. It comes in many forms: Trojan horses, spyware, ransomware, worms, viruses, or any other hostile code that harms the system. When the SOC team detects such software, or is notified of it, the situation is called a malware incident. The SOC team begins investigating immediately after identification in order to establish the severity of the problem.

There are four essential skills required of a SOC analyst:

  1. Critical thinking
  2. Performing under pressure
  3. Strong fundamental skills
  4. Curious mind

In this blog, we will discuss who notifies the SOC team about malware and the steps the SOC team takes to investigate it. Let us look at the life of a SOC analyst:

Who notifies the SOC team about malware?

Various stakeholders are involved in notifying the SOC team about malware:

1.   Customers, employees, or clients: When a malware attack happens, users observe abnormal system behavior such as pop-up messages, a flood of irrelevant advertisements, system crashes, or the Blue Screen of Death. When customers, employees, or clients notice this behavior, they notify the Security Operations team to investigate the problem.

2.   Defense and SOC security tools: Modern malware is increasingly hard to spot by eye, so SOC teams rely on defense tools that detect malware on the system and raise an alert. These detections fall into two categories, and without these tools and the technology behind them, the life of a SOC analyst would be far harder:

     Behavior-based detection: flags suspicious activity (for example, a document viewer launching a script interpreter) even when the file involved has never been seen before.

     Signature-based detection: matches files or traffic against known indicators such as file hashes or byte patterns, so it catches known samples quickly but misses new or modified ones.
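To make the difference between the two categories concrete, here is an added example (not code from the original post) that runs a signature check and a behavior check over a few constructed process-creation events of the kind an endpoint sensor would report. The hashes, host names, command lines and rule thresholds are all constructed for illustration; a real deployment would take its indicators from a threat-intelligence feed and its rules from the EDR or SIEM.

```python
"""Signature-based vs. behavior-based detection over constructed endpoint events.

Added example, not code from the original post. Every hash, host and
command line below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str     # image name of the parent process
    image: str      # image name of the new process
    cmdline: str
    sha256: str     # hash of the executable on disk


# Constructed indicator list: the kind of hash a vendor feed might ship.
KNOWN_BAD_SHA256 = {"9f" * 32}

# Constructed sample telemetry (Sysmon-style process creation records).
EVENTS = [
    # 0: ordinary document open
    ProcEvent("ws-101", "explorer.exe", "winword.exe",
              "WINWORD.EXE /n invoice.docx", "a1" * 32),
    # 1: known-bad binary that behaves quietly -> caught only by the signature check
    ProcEvent("ws-101", "explorer.exe", "updater.exe",
              "updater.exe", "9f" * 32),
    # 2: Word spawning hidden, encoded PowerShell; freshly rebuilt so the hash is
    #    unknown -> caught only by the behavior check
    ProcEvent("ws-102", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
              "b2" * 32),
    # 3: legitimate admin use of PowerShell from a console -> no alert
    ProcEvent("srv-01", "cmd.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1", "c3" * 32),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def signature_detect(events, bad_hashes=KNOWN_BAD_SHA256):
    """Signature-based: exact match of the file hash against a known-bad list.

    Returns the indices of matching events. Any change to the binary changes
    the hash, which is why this misses event 2.
    """
    return [i for i, ev in enumerate(events) if ev.sha256.lower() in bad_hashes]


def behavior_detect(events):
    """Behavior-based: flag suspicious parent/child chains regardless of hash.

    Two constructed rules: an Office application launching a script host, and
    PowerShell started hidden with an encoded command. Event 1 has a bad hash
    but does nothing suspicious here, so this check does not see it.
    """
    hits = []
    for i, ev in enumerate(events):
        office_to_script = (ev.parent.lower() in OFFICE_APPS
                            and ev.image.lower() in SCRIPT_HOSTS)
        hidden_encoded_ps = (ev.image.lower() == "powershell.exe"
                             and ENCODED_PS.search(ev.cmdline) is not None
                             and "-w hidden" in ev.cmdline.lower())
        if office_to_script or hidden_encoded_ps:
            hits.append(i)
    return hits


def detect_all(events):
    """Union of both methods: what a layered SOC toolset would surface."""
    return sorted(set(signature_detect(events)) | set(behavior_detect(events)))


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("behavior hits: ", behavior_detect(EVENTS))
    print("combined:      ", detect_all(EVENTS))
```

The point of the example is the complementarity: the signature check catches the quiet known sample that the behavior rules have no reason to flag, while the behavior rules catch the rebuilt sample whose hash matches nothing. Running both, and letting the SIEM correlate the results, is what keeps an analyst from depending on a single blind spot.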

Now let us discuss the Investigation and incident response steps taken by the SOC team:

1.   Preparation: Preparation is the first step in responding to malware attacks. In this step, the SOC team puts in place the security controls, logging, and procedures that will allow an incident to be identified and handled.

2.   Identification: With these controls in place, Intrusion Detection Systems raise alerts and web filtering gateways detect unusual external connections. The SIEM solution then connects the dots, correlating those alerts with endpoint and internal network telemetry to trace the attacker's path.

3.   Containment: Containment stops the malware from spreading further across the network and limits the damage. It is needed so that the team can concentrate on the next stage of the response.

4.   Eradication: Eradication is one of the most complicated stages of incident response because it includes forensic analysis to discover the extent of the threat actor's presence. Security staff must make sure they eliminate that presence entirely: re-imaging the affected machines, searching for backdoors, and performing root cause analysis of the incident.

5.   Recovery: Recovery is the final stage of incident response. In this stage, the infected systems are restored and returned to service to reduce the monetary loss caused by the outage.

So, these are the five steps taken by the SOC team to investigate and give the incident response.
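The Identification and Containment steps above describe a SIEM "connecting the dots" between an IDS, a web gateway and the endpoint, and then deciding what to isolate. The following added example (not code from the original post) does that over a few constructed log lines: it parses three hypothetical log formats, groups events by internal IP, raises an incident when two or more distinct sources fire for the same IP within a ten-minute window, and produces the containment actions an analyst would hand to the next stage. The log formats, IP addresses, domain names, rule names and the window size are all assumptions made for the example.

```python
"""Identification: correlating IDS, web-gateway and endpoint events SIEM-style.

Added example, not code from the original post. The three log formats, the
addresses and domains, and the 10-minute correlation window are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. A real SIEM would normalise vendor formats instead.
IDS_ALERTS = [
    "2024-05-01T09:02:10Z alert ET_MALWARE_Beacon src=10.0.5.23 dst=203.0.113.9:443",
    "2024-05-01T09:40:00Z alert ET_POLICY_SSH_Scan src=10.0.5.77 dst=10.0.0.5:22",
]
PROXY_LOGS = [
    "2024-05-01T09:01:58Z 10.0.5.23 GET https://cdn-update-check.example/gate.php 200 512",
    "2024-05-01T09:02:05Z 10.0.5.23 POST https://cdn-update-check.example/gate.php 200 1310",
    "2024-05-01T09:03:11Z 10.0.5.40 GET https://www.example.com/ 200 88000",
]
EDR_ALERTS = [
    "2024-05-01T09:01:40Z host=WS-101 ip=10.0.5.23 rule=OfficeSpawnsPowerShell user=jdoe",
]
WINDOW = timedelta(minutes=10)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_ids(line):
    ts, _, signature, src, dst = line.split()
    return {"ts": _ts(ts), "source": "ids", "ip": src.split("=", 1)[1],
            "detail": signature, "dst": dst.split("=", 1)[1]}


def parse_proxy(line):
    ts, ip, method, url, status, size = line.split()
    return {"ts": _ts(ts), "source": "proxy", "ip": ip,
            "detail": f"{method} {url}", "domain": url.split("/")[2]}


def parse_edr(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": _ts(ts), "source": "edr", "ip": fields["ip"],
            "host": fields["host"], "detail": fields["rule"]}


def containment_actions(host, ip, domains):
    """Constructed containment checklist for the incident record."""
    name = host or ip
    actions = [f"isolate {name} at the EDR/NAC"]
    actions += [f"block {d} at the web gateway" for d in domains]
    actions.append(f"preserve memory and disk image of {name} before re-imaging")
    return actions


def correlate(ids_lines, proxy_lines, edr_lines, window=WINDOW):
    """Raise one incident per internal IP seen by >= 2 distinct sources within `window`."""
    events = ([parse_ids(l) for l in ids_lines]
              + [parse_proxy(l) for l in proxy_lines]
              + [parse_edr(l) for l in edr_lines])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) < 2:
                continue  # a lone IDS or proxy hit is not enough to open an incident
            host = next((e["host"] for e in cluster if "host" in e), None)
            domains = sorted({e["domain"] for e in cluster if "domain" in e})
            incidents.append({
                "ip": ip, "host": host, "sources": sorted(sources),
                "first_seen": cluster[0]["ts"], "domains": domains,
                "evidence": [f"{e['source']}: {e['detail']}" for e in cluster],
                "containment": containment_actions(host, ip, domains),
            })
            break  # one incident per IP; later events attach to the same case
    return incidents


if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, PROXY_LOGS, EDR_ALERTS):
        print(inc["host"], inc["ip"], inc["sources"])
        for line in inc["evidence"] + inc["containment"]:
            print("  ", line)
```

In the constructed data only 10.0.5.23 is seen by all three sources, so it becomes the incident; the lone SSH-scan alert for 10.0.5.77 and the ordinary browsing from 10.0.5.40 stay as single-source noise. The containment list deliberately includes preserving memory and disk before re-imaging, because the Eradication step's forensic analysis and root cause work depend on evidence that re-imaging destroys.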

Why Infosec Train:

InfosecTrain provides 80 hours of training, 4 hours per day, with industry-certified trainers who use this time to train you thoroughly with real-life examples. You will receive recorded sessions so that you can learn at your own pace. To enroll in our course and gain a deep understanding of the topic, please visit our website, InfosecTrain.
