SOC Design & Incident Response

Executive summary

I designed a 24/7 SOC architecture (Tier 1–3 analysts) and ran an end-to-end incident-response simulation modeled on a TD Bank LockBit ransomware scenario — correlating SIEM, EDR, and authentication logs to reconstruct the attack timeline, identify 18 indicators of compromise, and map adversary TTPs to MITRE ATT&CK under NIST SP 800-61.

The problem

A bank-scale environment needed a SOC capable of detecting and containing a live ransomware campaign without disrupting regulated operations.
Response had to satisfy PCI DSS and PIPEDA while preserving forensic evidence.
Analysts needed a repeatable, framework-aligned playbook rather than ad-hoc firefighting.

The solution

Designed a tiered SOC (Tier 1–3) integrating threat intelligence and incident-response functions.
Simulated the LockBit ransomware lifecycle through the NIST SP 800-61 phases — preparation, detection, containment, eradication, and recovery.
Correlated SIEM, EDR, and authentication logs to reconstruct the full attack timeline.
Mapped adversary tactics, techniques, and procedures to the MITRE ATT&CK framework.
Developed response playbooks aligned with PCI DSS and PIPEDA.

Technical architecture

How the system fits together - each layer reflects technology used on the real build.

Detection

Log collection & alerting

Splunk (SIEM)EDR

Analysis

Timeline reconstruction & TTP mapping

MITRE ATT&CKThreat Intelligence

Response

Containment & remediation playbooks

NIST SP 800-61

Compliance

Regulatory alignment

PCI DSSPIPEDA

Engineering challenges

Reconstructing the attack timeline

Correlating SIEM, EDR, and authentication logs into a single coherent timeline required careful log normalization and pivoting across data sources.

Framework-aligned response

Mapping every action to NIST SP 800-61 phases and MITRE ATT&CK TTPs turned an ad-hoc investigation into a repeatable playbook.

Compliance under pressure

Containment and evidence handling had to satisfy PCI DSS and PIPEDA without slowing the response.

Performance & SEO outcomes

Indicators of compromise

Identified across the simulated LockBit campaign.

Fully reconstructed

Attack timeline

From correlated SIEM, EDR & authentication logs.

MITRE ATT&CK

TTP coverage

Adversary techniques mapped to the framework.

PCI DSS · PIPEDA

Compliance

Playbooks aligned to regulatory requirements.

Technology stack

Splunk (SIEM)EDRMITRE ATT&CKNIST SP 800-61PCI DSSPIPEDA

Key learnings

Framework-aligned response (NIST SP 800-61 + MITRE ATT&CK) turns chaos into a repeatable, auditable process.

Log correlation across SIEM, EDR, and identity sources is where the real attack story emerges.

Compliance is a design input for incident response, not a clean-up step afterward.

Executive summary

The problem

A bank-scale environment needed a SOC capable of detecting and containing a live ransomware campaign without disrupting regulated operations.
Response had to satisfy PCI DSS and PIPEDA while preserving forensic evidence.
Analysts needed a repeatable, framework-aligned playbook rather than ad-hoc firefighting.

The solution

Designed a tiered SOC (Tier 1–3) integrating threat intelligence and incident-response functions.
Simulated the LockBit ransomware lifecycle through the NIST SP 800-61 phases — preparation, detection, containment, eradication, and recovery.
Correlated SIEM, EDR, and authentication logs to reconstruct the full attack timeline.
Mapped adversary tactics, techniques, and procedures to the MITRE ATT&CK framework.
Developed response playbooks aligned with PCI DSS and PIPEDA.

Technical architecture

How the system fits together - each layer reflects technology used on the real build.

Detection

Log collection & alerting

Splunk (SIEM)EDR

Analysis

Timeline reconstruction & TTP mapping

MITRE ATT&CKThreat Intelligence

Response

Containment & remediation playbooks

NIST SP 800-61

Compliance

Regulatory alignment

PCI DSSPIPEDA

Engineering challenges

Reconstructing the attack timeline

Correlating SIEM, EDR, and authentication logs into a single coherent timeline required careful log normalization and pivoting across data sources.

Framework-aligned response

Mapping every action to NIST SP 800-61 phases and MITRE ATT&CK TTPs turned an ad-hoc investigation into a repeatable playbook.

Compliance under pressure

Containment and evidence handling had to satisfy PCI DSS and PIPEDA without slowing the response.

Performance & SEO outcomes

Indicators of compromise

Identified across the simulated LockBit campaign.

Fully reconstructed

Attack timeline

From correlated SIEM, EDR & authentication logs.

MITRE ATT&CK

TTP coverage

Adversary techniques mapped to the framework.

PCI DSS · PIPEDA

Compliance

Playbooks aligned to regulatory requirements.

Technology stack

Splunk (SIEM)EDRMITRE ATT&CKNIST SP 800-61PCI DSSPIPEDA

Key learnings

Framework-aligned response (NIST SP 800-61 + MITRE ATT&CK) turns chaos into a repeatable, auditable process.

Log correlation across SIEM, EDR, and identity sources is where the real attack story emerges.

Compliance is a design input for incident response, not a clean-up step afterward.