Automated Threat Hunting Playbook


When it comes to incident response, it is a race against the clock. The more time an attacker spends inside your network, the bigger the damage to your business can be. What isolates and eradicates threats before it is too late is an effective incident response: a combination of automation and proactive threat hunting. This article provides an overview of how an intelligent automation platform can protect your organization from malicious activity, sometimes long before you know that you are already under attack.

To minimize further damage to your information assets, a timely response to the intrusion is paramount. Although Security Operations Center (SOC) analysts and incident responders accomplish extraordinary things daily, their time-to-respond and time-to-resolution will never beat an automated workflow. Unlike analysts, a pre-programmed playbook is available 24/7 and never tires of handling incidents.

Automation is also an answer to the shortage of security professionals. The hiring challenges are well known to many hiring managers. Automation technologies can help fill the talent gap by getting more done with the existing staff.

Building a Playbook in Demisto

Demisto is an automation platform that helps SOCs and incident response teams get things done. It allows analysts to scale their time and effort during incident investigation stages while sharing knowledge and working collaboratively for faster resolution.

In the following example, we will build a playbook in Demisto to identify and block malicious activity in a proactive and semi-automated manner. The goal is to identify each compromised endpoint on the infrastructure and to prevent further systems from being affected.

The incident response workflow that our playbook implements is the following:

  1. Retrieve Indicators of Compromise (IOCs)
  2. Look up IP address IOCs in the packet capture database
  3. Verify whether file hash IOCs have already been processed
  4. Interrogate endpoints for the presence of malicious files
  5. Interrogate endpoints for the presence of network connections to malicious sites
  6. Retrieve malicious files for further analysis
  7. Alert SOC analysts when a threat is found to confirm incident
  8. Incident remediation
  9. Deployment of preventive measures

Step #1: Retrieving the IOCs

We rely on Indicators of Compromise (IOCs) to find threats on the infrastructure, as the mere presence of an IOC in the IT environment is a good indicator of an intrusion.


The very first step is retrieving new IOCs from an external source. Demisto is capable of retrieving threat data from external Threat Intelligence (TI) feeds in various formats. In our case, the playbook acquires a CSV file from a free TI service and extracts the IOCs from the public feed.

Our CSV contains two types of IOCs:

  • File hashes in MD5 and SHA1 formats
  • IP addresses known for hosting command-and-control (C2) servers

Both indicator types are associated with malware activity, which makes them ideal candidates for hunting on our infrastructure.
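As an added illustration of step #1 (not code from the article or from Demisto), here is how the feed-parsing step could validate and type the indicators pulled from a CSV feed before anything is hunted for or blocked. The feed layout, column names and all values are constructed assumptions; the point is that each indicator is typed by its shape rather than by the label the feed gives it, and internal address ranges are refused whatever the feed says.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of the CSV threat feed described above (hypothetical layout,
# made-up values): one indicator per row with the type the feed claims it to be.
SAMPLE_FEED = """indicator,type,description
0123456789abcdef0123456789abcdef,md5,dropper sample
0123456789ABCDEF0123456789ABCDEF01234567,sha1,loader sample
203.0.113.45,ip,c2 server
10.0.0.5,ip,feed error: RFC1918 address
0123456789abcdef0123456789abcdef,sha1,feed error: md5 labelled as sha1
not-a-hash,md5,feed error: malformed hash
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Address ranges we never hunt for or block, whatever a public feed says.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def classify(value):
    """Return 'md5', 'sha1', 'ip' or None from the value's shape, not the feed's label."""
    v = value.strip().lower()
    if HEX_RE.match(v):
        return {32: "md5", 40: "sha1"}.get(len(v))
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return None
    if any(ip in net for net in INTERNAL_NETS):
        return None
    return "ip"

def parse_feed(text):
    """Split a CSV feed into validated, de-duplicated IOC sets.

    Returns (iocs, rejected): iocs maps 'md5'/'sha1'/'ip' to a set of normalised
    values; rejected lists raw values that are malformed, internal, or whose
    shape disagrees with the type the feed claims.
    """
    iocs = {"md5": set(), "sha1": set(), "ip": set()}
    rejected = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip().lower()
        kind = classify(value)
        if kind is None or kind != row["type"].strip().lower():
            rejected.append(value)
            continue
        iocs[kind].add(value)
    return iocs, rejected
```

Rejected rows should be logged for the analyst rather than silently dropped, since a feed that repeatedly ships malformed or internal entries is itself worth a look.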

Step #2: Has anything been communicating with the C&C IP Addresses?

Once the IP addresses are unpacked from the CSV file, we should check whether any of the endpoints has been communicating with them. Typically, endpoints build up covert channels to C2 servers to exchange ransomware file encryption keys or to exfiltrate sensitive data.

Demisto Enterprise integrates with a wide variety of security tools out of the box; as an example, we can easily configure the playbook to connect to the ProtectWise platform. This tool captures and stores raw network packets, then indexes them for threat hunting and ad-hoc searches.

We use our playbook to search for any network communication that occurred between endpoints on the internal network and the IP address IOCs. If there is a hit in ProtectWise, an analyst is notified, as at least one endpoint is likely to be compromised.

Step #3: Has the file hash already been processed?

If the IOC is a file hash, we should first confirm whether it has already been processed. This prevents scanning our endpoints for the same IOCs over and over again.

We can use Demisto's integration with Carbon Black to cross-check the file. Our playbook stops processing the IOC if the search in the Carbon Black database reveals that the file hash was already scanned and did not yield any results.

Step #4 and #5: Interrogating Endpoints

If the IOC has not been processed before, our endpoints should be interrogated for the presence of the file hash and for open network connections to the IOC IP addresses. Luckily, Demisto can query a broad range of Endpoint Detection and Response (EDR) platforms, including CrowdStrike Falcon Host and Carbon Black Enterprise Response. Our playbook runs the file hash and IP address IOCs through both platforms.

If CrowdStrike or Carbon Black identifies a file with the given hash or a network connection to the given IP address, the system in question has probably been compromised.

The preferred remediation action varies from organisation to organisation. While in high-risk environments the endpoint should immediately be taken offline, follow-up steps such as re-imaging the endpoint can also be defined in the playbook.
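An added example, not the article's or Demisto's own code, of the hunting logic in steps #2 to #5 run over constructed endpoint and network data that stands in for the Carbon Black, CrowdStrike and ProtectWise queries. All host names, paths, hashes and addresses are made up; the one detail worth noting is that a hash is only marked as processed when it was hunted for and found nowhere, so a hash that did hit is rechecked on the next run.

```python
from collections import defaultdict

# All values below are constructed stand-ins for the data the playbook would pull
# from the feed, Carbon Black, the EDR platforms and ProtectWise.
IOC_HASHES = {
    "0123456789abcdef0123456789abcdef",           # new: never hunted before
    "89abcdef0123456789abcdef0123456789abcdef",   # already scanned, no hits
    "cccccccccccccccccccccccccccccccc",           # new, present nowhere
}
IOC_IPS = {"203.0.113.45"}
ALREADY_PROCESSED = {"89abcdef0123456789abcdef0123456789abcdef"}   # step #3 state

ENDPOINT_FILES = {   # EDR answer to "which hosts carry these hashes?" (step #4)
    "ws-0101": {r"c:\users\alice\downloads\invoice.exe":
                "0123456789abcdef0123456789abcdef"},
    "ws-0102": {r"c:\windows\system32\notepad.exe":
                "ffffffffffffffffffffffffffffffff"},
}
NETWORK_FLOWS = [    # (host, dst_ip, dst_port) from packet capture / EDR (steps #2, #5)
    ("ws-0102", "203.0.113.45", 443),
    ("ws-0103", "198.51.100.7", 80),
]

def hunt(ioc_hashes, ioc_ips, already_processed, endpoint_files, flows):
    """Return {host: [(kind, detail, value), ...]} for hosts needing analyst review."""
    # Step #3: drop hashes that an earlier run already hunted for without result.
    new_hashes = set(ioc_hashes) - set(already_processed)
    findings = defaultdict(list)
    for host, files in endpoint_files.items():          # step #4
        for path, digest in files.items():
            if digest.lower() in new_hashes:
                findings[host].append(("file", path, digest.lower()))
    for host, dst, port in flows:                       # steps #2 and #5
        if dst in ioc_ips:
            findings[host].append(("c2", f"{dst}:{port}", dst))
    return dict(findings)

def mark_processed(ioc_hashes, findings, already_processed):
    """Record hashes hunted for and found nowhere, so the next run skips them.
    Hashes that hit stay unprocessed: they must be rechecked after remediation."""
    hit = {v for evidence in findings.values() for kind, _, v in evidence if kind == "file"}
    return set(already_processed) | (set(ioc_hashes) - hit)

if __name__ == "__main__":
    found = hunt(IOC_HASHES, IOC_IPS, ALREADY_PROCESSED, ENDPOINT_FILES, NETWORK_FLOWS)
    for host, evidence in sorted(found.items()):
        print(host, evidence)   # what the Slack/Twilio alert to the analyst would carry
```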

Steps #7 and #8: Confirming the Incident and Wiping the Endpoint if Confirmed

Once the automation platform retrieves and attaches the suspicious files and packet captures (step #6), the incident is ready to be verified by an incident analyst.

There are several reasons why an incident needs human interaction. Whatever the source of the IOCs, false positives happen from time to time. Also, tasks that cannot be automated may need to be carried out, such as reverse engineering of the binary.

We configure our playbook to alert a SOC analyst on Slack, and it also sends a text message through Twilio.

As all related files and information have been collected automatically, the analyst can start analysing them immediately without wasting precious time. The less time spent on manual (and menial) tasks, the shorter the time-to-resolution.

If the analyst confirms that the endpoint is genuinely compromised, the PC should be wiped and reinstalled from clean media (Step #8). The analyst also needs to approve the next action in Demisto to let it proceed with the deployment of preventive controls.

Step #9: Deployment of Some Preventive Measures

To stop the threat from infecting further endpoints, the IOCs should be pushed to preventive security controls at key points in the infrastructure. Once our analyst confirms that the incident is a true positive, the playbook can deploy pre-configured preventive measures to prevent further incidents.

The firewall integration (with vendors such as Check Point, Palo Alto Networks and others) allows Demisto to implement firewall rules that block traffic to the command-and-control (C2) server. Firstly, this can stop sensitive files from leaving the corporate network. Secondly, the rules may prevent ransomware from encrypting files, because the endpoints will no longer be able to exchange encryption keys with the remote C2 server.

Another security control to which we can push IOCs is Carbon Black. This platform is not just an EDR but an application blacklisting and whitelisting tool as well. We instruct the playbook to push the IOC file hashes to Carbon Black Protection, and the Carbon Black agent then blocks the endpoints from executing the blacklisted files.

Summary

Successful incident response programs have one thing in common: short incident resolution time. The sooner the threat is eliminated, the better the chance of keeping information assets safe and secure.

Automation helps incident responders and SOC analysts identify, confirm and contain threats throughout the full lifecycle of an incident. Demisto Enterprise is an intelligent automation and ChatOps platform that automates menial and repetitive tasks and allows analysts to focus on high-value activities. Its playbooks integrate with dozens of popular tools used by incident responders around the world.

In this playbook example, we took a new list of IOCs from an external source and scanned the infrastructure for their presence. IP address and file hash IOCs were used to interrogate endpoints and to search raw network packets for suspicious activity. Where a threat was identified, the playbook pulled the relevant files for further analysis by an incident responder. The remediation steps themselves did not require human interaction, as firewall rules and file blacklists were deployed by the Demisto integrations in an automated manner.

Are you interested in the platform? Click here to sign up for the free edition of Demisto.