SOC Incident Response


A Security Operations Centre (SOC) analyst should be able to follow a playbook for deciding whether a file is dangerous, so that triage is quick and repeatable. Read What is a Security Operations Center (SOC) for a current analysis of a SOC's function.


Effective Incident Response: Six Steps

The SANS Institute defines six stages for effective incident response:

1. Preparation

Preparation is the most crucial stage of incident response: it is how an organisation gets ready for the security breach that will eventually happen. Preparation should cover policy, the response plan and strategy, communication, documentation, identifying the CIRT members, access control, tools, and training, because these determine how well the CIRT will be able to respond to an incident.

2. Identification

Identification is the process by which incidents are detected, ideally without delay, so that action can be taken quickly and costs and losses kept low. To detect incidents and determine their scope, IT staff gather events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls.

3. Containment

Once an incident has been identified, containing it becomes the primary concern. The goal of containment is to limit the damage and stop it from getting worse (as noted in step two, the earlier an incident is detected, the sooner it can be contained and the less damage it does). It is important to follow all of the SANS containment-phase recommendations, particularly in order to "avoid the loss of any evidence that may be needed later for prosecution." These steps include long-term containment, system backup, and short-term containment.

4. Eradication

The goal of eradication is to remove the threat and return affected systems to their pre-incident state, ideally with as little data loss as possible. The main activities are confirming that the right procedures have been followed up to this point, and taking measures that not only remove the malicious content but also verify that the affected systems are completely clean.

5. Recovery

The key activities in this stage are testing, monitoring, and validating systems as they are brought back into production, to make sure they are not re-infected or compromised again. This phase includes deciding when to resume operations, testing and verifying the previously compromised systems, watching for abnormal behaviour, and using tools to test, monitor, and validate system behaviour.

6. Post Incident

Lessons learned is an essential stage of incident response because it educates the team and improves subsequent response efforts. In this step, organisations can add to their incident response plans details that were overlooked during the incident, along with comprehensive documentation to help with future problems. Lessons-learned reports give a thorough analysis of the entire incident and can be used as training material for new CIRT members, as benchmarks for comparison, or in recap sessions.


Effective incident response depends on careful planning and preparedness. Without a clear plan and course of action, it is usually too late to coordinate an efficient response once a breach or attack has happened. A thorough incident response strategy lets you regain control of your systems and data quickly when the inevitable breach occurs, and can save your business a great deal of time and money.

There are many internet tools that can help you decide whether a file is good or bad. One such service was made known to us. Trojan versus antivirus is a game of cat and mouse, but it should be emphasised that there are several tools available for threat hunting and incident response. One weapon in your inventory for reducing the danger of a cyber attack on your company is VirusTotal. VirusTotal, a Google-owned public service, lets users upload file samples to be checked against a range of antivirus vendors. VirusTotal aggregates the results of over 70 antivirus scanners and URL blacklisting services, indexes them, and makes them searchable on
You can also scan IP addresses and domains with VirusTotal. The results page for a domain search shows DNS, WHOIS, and blacklist details.



You can search the VirusTotal data set by any of the following:

  • File hash
  • URL
  • IP address
  • Domain name
  • Comment tags for a file


We can upload our trojans to VirusTotal to observe how they are analysed; if there is no match for a sample already in the data set, you can upload it. Remember that any file you upload to VirusTotal becomes publicly available: it can also be downloaded by the antivirus (AV) vendors and by business customers.

These files can also be found with a search. If a sophisticated actor is targeting you, they may also be monitoring VirusTotal to see whether malware they developed appears there.
Bear this in mind if you are investigating as part of incident response and do not want the threat actor to know: an upload would reveal that your SOC is aware of the attack vector.



The detection page gives an overview of the scan's findings. It shows each AV vendor's result (where the vendor identifies the file) together with the name that vendor uses for that specific malware. This analysis is of the static file, not of its run-time behaviour.
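As an added example (not part of the original page, and not VirusTotal's own tooling), the following Python script shows the hash-first triage workflow that the warnings above call for: compute the file's SHA-256 locally, look the hash up in VirusTotal, and summarise the per-engine detections from the report, without uploading the sample. A lookup by hash discloses nothing about the file and does not tip off an actor watching for their malware, whereas an upload becomes public; if the hash is unknown, uploading remains a separate, deliberate decision. The script assumes VirusTotal's v3 REST API (`GET /api/v3/files/{hash}` with an `x-apikey` header, and the `last_analysis_stats` and `last_analysis_results` attributes), which the page does not describe; the environment variable name `VT_API_KEY` and the sample report are constructed for this example.

```python
"""Hash-first VirusTotal triage (added example; not the page's own code)."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# VirusTotal v3 API endpoint (assumed; the page does not describe the API).
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes; VirusTotal accepts MD5, SHA-1 or SHA-256 as a file id."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(api_key: str, file_hash: str, timeout: float = 15.0) -> Optional[dict]:
    """GET /files/{hash}; returns the JSON report, or None when the hash is unknown (404)."""
    req = urllib.request.Request(
        VT_FILES_ENDPOINT + file_hash,
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # nobody has submitted this file; the lookup itself disclosed nothing
        raise


def summarise_report(report: Optional[dict]) -> dict:
    """Reduce a v3 file report to what a triage analyst needs.

    Mirrors the detection page: per-engine verdicts plus the name each engine
    gives the sample. Tolerates a missing report (unknown hash) or missing fields.
    """
    attrs = (report or {}).get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats") or {}
    results = attrs.get("last_analysis_results") or {}
    flagged_by = {
        engine: entry.get("result")
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious")
    }
    counted = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if report is None:
        verdict = "unknown hash (never submitted)"
    elif malicious:
        verdict = "malicious"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "no detections"
    return {
        "verdict": verdict,
        "malicious": malicious,
        "suspicious": suspicious,
        "engines_counted": counted,
        "flagged_by": flagged_by,
    }


# Constructed sample in the shape of a v3 file report (not a real VirusTotal record).
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic.Example"},
                "EngineB": {"category": "malicious", "result": "Win32.Example.Trojan"},
                "EngineC": {"category": "suspicious", "result": "Heuristic.Example"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
                "EngineF": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    # Usage: VT_API_KEY=<key> python vt_triage.py <path-to-sample>
    # (VT_API_KEY and the script name are names chosen for this example.)
    if len(sys.argv) != 2:
        sys.exit("usage: vt_triage.py <file>")
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("set VT_API_KEY first")
    with open(sys.argv[1], "rb") as fh:
        digest = sha256_hex(fh.read())
    summary = summarise_report(lookup_hash(key, digest))
    print(json.dumps({"sha256": digest, **summary}, indent=2))
```

The verdict logic is deliberately simple (any "malicious" category wins, then "suspicious"); in practice an analyst also weighs which engines flagged the file and how the detection names agree, which is why `flagged_by` keeps the per-engine names rather than just the counts.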