Tier 3 SOC Analyst
A Tier 3 SOC Analyst serves as a critical escalation point and deeper investigation resource within the SOC structure. They are expected to possess a more advanced skillset and broader knowledge base than Tier 2 analysts, allowing them to handle more complex security incidents and contribute to proactive security measures.
Principal Duties and Responsibilities
I. Incident Investigation and Analysis
Advanced Alert Triage and Analysis:
* In-depth Investigation: Thoroughly investigate security alerts escalated from Tier 2 or directly generated by security tools. Go beyond initial triage and reconstruct event timelines, analyze logs across multiple systems, and correlate disparate data points.
* Contextualization: Deeply understand the context of security incidents, including affected assets, business impact, and potential attack vectors.
* False Positive/Negative Analysis: Accurately differentiate between true positives, false positives, and potential false negatives. Analyze the root cause of false positives and propose tuning or improvement of detection rules. Investigate scenarios where detections might have been missed.
* Determine Scope and Impact: Precisely define the scope of security incidents, including the number of systems affected, data compromised, and potential business disruption. Assess the immediate and long-term impact of the incident.
* Containment and Remediation Guidance: Provide actionable guidance to Tier 2 analysts and relevant teams (e.g., IT, system administrators) on immediate containment steps and initial remediation actions based on the nature of the incident.
Complex Security Incident Handling:
* Lead Investigations for Complex Incidents: Take the lead in investigating more complex security incidents, such as suspected advanced persistent threats (APTs), sophisticated malware outbreaks, or significant data breaches.
* Malware Analysis: Conduct basic malware analysis, including analysis of malware sandbox reports, identify indicators of compromise (IOCs), and determine its capabilities and potential impact.
* Network Forensics: Perform network traffic analysis using tools like Wireshark or tcpdump to identify malicious network activity, analyze protocols, reconstruct network sessions, and extract relevant artifacts.
* Endpoint Forensics: Utilize endpoint detection and response (EDR) tools and perform manual endpoint analysis to investigate compromised systems, analyze process execution, registry modifications, file system changes, and identify malicious artifacts.
* Log Analysis: Perform log analysis across diverse systems and security devices (SIEM, firewalls, IDS/IPS, operating systems, applications). Develop complex queries and correlations to identify subtle indicators of malicious activity.
Incident Documentation and Reporting
* Detailed Incident Documentation: Create comprehensive incident reports documenting the entire investigation process, findings, analysis, containment steps, remediation actions, and lessons learned. Reports should be clear, concise, and actionable.
* Develop Actionable Recommendations: Based on incident analysis, develop specific and actionable recommendations for improving security posture, enhancing detection capabilities, and preventing future incidents.
* Incident Timeline Creation: Construct detailed timelines of security incidents, accurately mapping out the sequence of events to understand the attack lifecycle and identify critical points of compromise.
II. Threat Intelligence and Proactive Security
Threat Intelligence Utilization:
* Consume and Integrate Threat Intelligence: Actively consume threat intelligence feeds, reports, and briefings to stay updated on emerging threats, attack trends, and threat actor tactics, techniques, and procedures (TTPs). Integrate threat intelligence into investigations and detection strategies.
* Contextualize Threats with Intelligence: Use threat intelligence to contextualize security incidents, identify potential threat actors involved, and understand their motivations and capabilities.
* Proactive Threat Hunting: Participate in basic to intermediate threat hunting activities based on threat intelligence, anomaly detection, and observed patterns of malicious activity. Develop and execute hunt plans to proactively identify hidden or persistent threats within the environment.
Detection Engineering and Improvement
* Detection Rule Tuning and Optimization: Analyze false positive/negative incidents and proactively tune and optimize existing detection rules in security tools (SIEM, IDS/IPS, EDR) to improve detection accuracy and reduce alert fatigue.
* Detection Gap Analysis: Identify gaps in current detection coverage based on threat intelligence, incident trends, and known attacker TTPs. Propose new detection rules and strategies to address these gaps.
* Develop New Detections (Under Guidance): Contribute to the development of new detection rules and logic under the guidance of senior analysts or detection engineers, based on emerging threats and identified gaps.
III. Tooling, Technology, and Technical Proficiency
Advanced Security Tool Proficiency:
* SIEM Expertise: Proficiently utilize SIEM platforms for alert analysis, log investigation, correlation rule development, and report generation. Understand SIEM architecture and data flow.
* EDR Expertise: Expertly leverage EDR tools for endpoint investigation, threat hunting, containment actions, and forensic data collection.
* IDS/IPS Expertise: Understand IDS/IPS principles, analyze alerts, review signatures, and contribute to rule tuning.
* Firewall Analysis: Analyze firewall logs, understand firewall rule sets, and use firewalls for containment actions.
Scripting and Automation (Desirable, Increasingly Important):
* Scripting Skills (e.g., Python, PowerShell): Develop scripts for automating repetitive tasks, data analysis, and tool integration.
IV. Collaboration, Communication, and Escalation
* Collaboration with Tier 2 and Other Teams: Effectively collaborate with Tier 2 analysts, providing guidance, mentorship, and knowledge transfer. Work collaboratively with other teams (IT, Engineering, Incident Response Team) as needed during incident response.
* Clear and Concise Communication: Communicate technical findings and analysis clearly and concisely to both technical and non-technical audiences (e.g., management, other teams).
* Effective Escalation to Incident Response Team: Know when and how to appropriately escalate complex or high-severity incidents to the Incident Response Team, providing comprehensive context and analysis.
Level of Depth and Technical Proficiency:
* Deeper Technical Understanding: Tier 3 analysts require a deeper technical understanding of operating systems (Windows, Linux), networking protocols, security controls, and attack methodologies compared to Tier 2.
* Strong Analytical and Problem-Solving Skills: They must possess strong analytical and problem-solving skills to dissect complex security incidents, identify root causes, and develop effective solutions.
* Hands-on Experience: They should have demonstrable hands-on experience with security tools and technologies and be comfortable performing detailed technical investigations.
Knowledge of Threat Actor Tools, Tactics, and Behavior:
* Solid Understanding of TTPs: Tier 3 analysts must have a solid understanding of common threat actor tactics, techniques, and procedures (TTPs) across different attack stages (reconnaissance, initial access, persistence, lateral movement, exfiltration, etc.).
* Familiarity with Threat Actor Groups: They should be familiar with common threat actor groups (APTs, cybercrime gangs) and their associated TTPs and tools.
* Knowledge of Attack Vectors and Exploits: Understanding common attack vectors (phishing, malware, web application attacks) and exploit methods is crucial for contextualizing incidents and identifying potential vulnerabilities.
* Staying Updated on Emerging Threats: Tier 3 analysts must continuously stay informed about new and emerging threats, vulnerabilities, and attack trends to maintain effective detection and response capabilities