We touched base with Dustin Higgins, one of MindPoint Group’s Security Operations Center (SOC) Analysts.
I walk in around 10 p.m. to start my shift, and I'm excited to start the "day." As I'm walking to my desk, I begin discussing highlights and critical tasks from the outgoing shift lead. It's getting late, so the second shift is eager to get out of here and head home. The shift lead also sent me the routine turnover doc to review once I log in to my host for the evening. I quickly notice the security advisory we just discussed, as well as a few administrative tasks that my partner and I are required to complete. The turnover doc highlighted a few process changes that I need to review as well as a toolset validation acknowledgment. My partner and I plan to divide and conquer, with him taking on the process changes and triage channel while I begin the security advisory. Once I open the email on the security advisory, I pull open the ticket that the second shift created so I can double-check for any errors. It looks good, so I take the information provided and enter it into our standard template to send to our customers. I see that the information for the security advisory has some key areas that need to be expanded upon like threat vectors, affected products, and vendor patches. Once completed, I have my partner look at the product that I created for a "sanity" check. He gives me the go-ahead to send it to our client for the final approval.
At this point, it is 12:30 a.m., so I know not to expect a response until the morning. I switch my focus on reading the updated processes and completing the toolset validation task. Once I finish that, it's around 1 a.m.— time for my obligatory caffeine injection. Once I get more coffee, I open the triage channel and inbox and see that it is empty. The middle of the night shift can be a bit slow. Few alerts, few emails, sprinkle in an outage or two, occasionally some action occurs. However, tonight was no ordinary night. Around 2 a.m., our inbox is inundated with emails. The little red number next to the inbox starts to increase rapidly. It goes from 0 to 10 in about 5 seconds. My heart starts to race. What do I do next?
Our network is seeing an increase in network traffic well over the usual threshold. I immediately look at the emails to see what I can discern, contact our client leadership, and start the reporting procedures. Our network tools begin their auto-mitigation efforts. I call our network service provider for more details, and she begins to list source IPs, protocol types, destination IP, and duration. After a few minutes, the increase in network traffic subsides — we successfully got through a DDOS attack. I take the information provided to me by the network service provider and create a ticket. Next, I contact our client to provide the details of the attack, and I inform them that our network security tools auto mitigated the influx of traffic, and no service was disrupted. My heart starts to slow down, my partner and I begin to settle back into our normal routines.
It's now 3:30 a.m., and we have about 2.5 hours until our shift is over. My partner and I still have a few things to check off our list, so once again, we decide to divide and conquer. I will take the Misuse Report and the shift changeover while my partner will take the block list and the summary. I begin the Misuse Report by accessing a dashboard in our SIEM software to query IPs that have a certain amount of "hits" to domains that have classifications that are prohibited by the client. I review the logs that the SIEM software provides and create a couple of tickets to our customers. Meanwhile, my partner works on the block list and reviews submissions from the previous day. He removes a couple of duplicates and investigates a few domains that may be considered malicious.
It's 5:15 a.m., and my partner and I wrap up our shift by completing our summary and shift change reports. We get those documents created, check for quality, and send them out. We hear a succession of beeps, and our morning crew has arrived. As the night shift lead, I provide the morning shift with the updates and information that he needs to complete his morning reports for the client. I highlight the DDOS attack that occurred that night, as I know the client will surely expect to see that on the executive report this morning. It's now 6:10 a.m., so my partner and I clean up and log off our hosts. Another successful shift has been completed, and we exit the secure facility.
Want to join a team of cybersecurity experts and accelerate your career? Check out our current job openings to find the right fit for you!