How Cyber Kill Chain Can Be Useful for a SOC Team? (Part 2)

09.09.2020

Installation: At this stage, SOC analysts are advised to deploy a Security Information and Event Management (SIEM) system and a Host-Based Intrusion Detection System (HIDS) to detect the attack. To deny it, Cyber Kill Chain recommends two-factor authentication, strong passwords, and privilege separation, and to disrupt it, data execution prevention. If the attackers nevertheless gain a foothold in critical corporate IT infrastructure, SOC teams must contain them quickly to limit the damage; for this, Cyber Kill Chain recommends an inter-zone Network Intrusion Detection System, application-aware firewalls, and trust zones.

Command & Control: A Command & Control (C2) server is a server controlled by the attackers that sends commands to systems compromised by malware and receives stolen data from the targeted system(s). C2 traffic often blends in with normal traffic to avoid detection; much of it has been observed going through cloud-based services such as file-sharing services and webmail.

At this stage, the attack can be detected using a Host-based Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS); the HIDS also assists in disrupting it. Cyber Kill Chain helps the SOC team deny C2 traffic using network segmentation, firewalls, and Access Control Lists (ACLs). The attack can also be degraded with a tarpit, which deliberately delays incoming connections; this control is effective against computer worms. To deceive the attackers, use DNS redirection. Finally, SOC teams should contain C2 activity using trust zones and DNS sinkholes.

Actions on Objectives: To detect and disrupt the attack, Cyber Kill Chain recommends endpoint malware protection, and data-at-rest encryption to deny it. Other security controls include quality of service to degrade the attack, honeypots to deceive the attackers, and incident response to contain it.

Exfiltration: Exfiltration, or data exfiltration, is the malicious transfer of data and information out of the organization. A SOC team can use the SIEM system and Data Loss Prevention (DLP) techniques to detect it; DLP also helps in disrupting it. Egress filtering denies the attack, and, lastly, exfiltration can be blocked using firewalls and ACLs.
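The Command & Control and Exfiltration stages above both rely on detections that a SIEM runs over outbound connection logs, so the following added Python example (not from the original article or from Logsign) serves both: it parses a constructed, key=value style log of outbound connections, flags source/destination pairs whose connection intervals are nearly constant (the timer-driven check-in pattern of a C2 beacon), and sums the bytes each host sends to external addresses so that unusually large egress stands out. The log format, IP addresses (documentation ranges), thresholds and jitter measure are all assumptions of the example, not a particular product's rules.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not from any real
# firewall or proxy). 10.0.0.5 checks in every 60 s, 10.0.0.7 browses at
# irregular intervals, 10.0.0.9 sends 85 MB externally plus 90 MB internally.
SAMPLE_LOG = """\
2020-09-09T10:00:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=512
2020-09-09T10:01:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=540
2020-09-09T10:02:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=498
2020-09-09T10:03:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=520
2020-09-09T10:04:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=511
2020-09-09T10:00:05 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=2048
2020-09-09T10:00:10 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=4096
2020-09-09T10:05:10 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=1024
2020-09-09T10:05:57 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=3000
2020-09-09T10:25:57 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=900
2020-09-09T10:10:00 src=10.0.0.9 dst=198.51.100.30 dport=443 bytes_out=60000000
2020-09-09T10:12:00 src=10.0.0.9 dst=198.51.100.30 dport=443 bytes_out=25000000
2020-09-09T10:13:00 src=10.0.0.9 dst=10.0.0.2 dport=445 bytes_out=90000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)

# RFC 1918 ranges: traffic that stays inside them is not egress. A hand-rolled
# check is used because ipaddress.is_private also covers the documentation
# ranges used in the sample, which would hide the external destinations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Turn the key=value lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes_out": int(m["bytes_out"]),
        })
    return events


def find_beacons(events: list, min_conns: int = 4, max_jitter: float = 0.1) -> list:
    """Flag (src, dst, dport) tuples whose gaps between connections are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps; a value
    near zero means the connections are driven by a timer rather than a user.
    """
    groups = defaultdict(list)
    for e in events:
        if not is_internal(e["dst"]):
            groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(times),
                             "mean_interval_s": avg, "jitter": jitter})
    return findings


def find_exfil(events: list, threshold_bytes: int = 50_000_000) -> dict:
    """Sum bytes sent to external destinations per source; return hosts over the threshold."""
    totals = defaultdict(int)
    for e in events:
        if not is_internal(e["dst"]):
            totals[e["src"]] += e["bytes_out"]
    return {src: total for src, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_beacons(evs):
        print("possible C2 beacon:", f)
    for src, total in find_exfil(evs).items():
        print(f"possible exfiltration: {src} sent {total} bytes externally")
```

On the sample, only 10.0.0.5 is reported as a beacon and only 10.0.0.9 as a possible exfiltration; the 90 MB that 10.0.0.9 moved to an internal host is deliberately ignored, which is the same distinction an egress filter makes. In production the thresholds need tuning per environment, and a real beacon detector also has to cope with deliberately randomised intervals, which this simple jitter test will not catch.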

You can also perform malware and malicious traffic investigations with a Security Orchestration, Automation, and Response (SOAR) system.

What do I need to know about SOC 1 Audit?

Nowadays, organizations rely heavily on outsourcing companies and service providers, such as cloud computing, Software-as-a-Service (SaaS), and data center providers, to streamline their day-to-day business operations and ensure continuity. However, it is vital to make sure that these services are delivered under effective internal controls, and this is where the SOC 1 audit is indispensable.

The SOC 1 audit is used to audit third-party service providers whose services are relevant to their clients' internal control over financial reporting. It is based on an attestation standard developed by the American Institute of Certified Public Accountants (AICPA).

There are two types of SOC 1 reports, namely the SOC 1 Type I report and the SOC 1 Type II report. The former is an attestation of the controls at a service provider at a specific point in time, whereas the latter is an attestation of the controls at a service provider over a specified period of time.

The Significance of SOC 1 Compliance Checklist

The SOC 1 checklist spells out each system component that your auditor will assess during your SOC 1 audit. A SOC 1 Compliance Checklist you can follow to prepare is available from KirkpatrickPrice.


As this article has shown, every stage of the Cyber Kill Chain is useful to a SOC team. The Cyber Kill Chain covers all stages of a potential attack and recommends security controls to detect, deny, disrupt, degrade, deceive, and contain the attack at each of them. Among these controls, the SIEM is especially valuable.

Selecting an effective SIEM tool is not an easy decision for enterprises, as there are many similar products on today's IT market, so the choice needs to be made carefully. Logsign SIEM is a next-generation Security Information and Event Management solution that focuses on combining security intelligence, log management, and compliance.

In the last section, Exfiltration, we saw how Logsign SOAR helps in performing malware and malicious traffic investigations. In addition, you can also carry out email phishing investigations, vulnerability management, case management, compromised-credential handling, and, more importantly, automated threat hunting.
