Automating Threat Intelligence Actions With Splunk SOAR Playbooks

Posted: 12th August 2022
By: Zane Pokorny

Splunk SOAR helps security professionals work smarter, respond faster, and strengthen their defenses through automation and orchestration. Splunk SOAR playbooks enable clients to create customized, repeatable security workflows that can be automated, and – through a seamless integration with Recorded Future – these playbooks can be enriched with threat intelligence.

To better explain how this integration improves security functions across the board, we’ll cover two different use cases: enrichment and correlation.

Enrich Your Data With Threat Intelligence

Recorded Future's enrichment action provides external details and context on indicators of compromise (IOCs). An indicator like an IP address, a server domain, or a list of hashes can be useful information when responding to an incident; it can also be completely useless. Irrelevant data and false positives are rampant in lists of indicators of compromise. Analysts need context to sort the wheat from the chaff, such as whether or not an IP address has already been associated with suspicious activity.

But looking for this kind of context by hand is a time-consuming and inexact process. What single human analyst – or team of 10 or 20, for that matter – has the bandwidth to exhaustively research every indicator they come across daily?

Automating this process is a major use case for SOAR playbooks that integrate threat intelligence. When an IOC is passed over to Splunk SOAR, whether it’s via an IOC alert from Splunk Enterprise Security or as a new artifact in an incident, a playbook can be automatically invoked to obtain risk scores and associated context for those IOCs from Recorded Future.

Then, the playbook’s decision logic can immediately escalate the IOC to a human analyst if it’s deemed risky, or pass over it if not.

With this context, analysts can discover real threats faster and prioritize the highest-risk ones while ignoring the alerts that don’t matter.

Correlate Internal and External Data

Threat actors are not, by and large, criminal masterminds who concoct unique schemes for carrying out their attacks every time they undertake a new operation. They do what works, and keep doing it the same way as long as they see results.

That means pattern recognition is often a reliable way to quickly identify suspicious activity and predict attacks – if you’ve got the right tools to do so. Splunk itself is a powerful tool for detecting these patterns, given its ability to correlate internal log data with malicious behavior and high-fidelity indicators. In addition to providing those high-fidelity indicators, Recorded Future can enhance the correlated events with external threat context through a Splunk SOAR correlation action. Specific outcomes for each correlated event can be chosen automatically from the resulting threat intelligence, and repeatable "hands free" actions can take place without requiring analyst oversight for each action.

For example, if Splunk issues a breach-IOC alert to Splunk SOAR based on suspicious log data, the playbook can enrich that IOC using threat intelligence from Recorded Future. If the IOC risk score crosses a certain threshold or the risk string mentions malware, the playbook can bring the alert to the attention of an analyst, or have the IOC blocked at the firewall or SDN. Furthermore, the external threat context can be written back into Splunk for later review and record keeping.
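The threshold-and-risk-rule decision logic described in both the enrichment and correlation sections above, as an added Python example that is not part of the original post and not code from the Recorded Future app or Splunk SOAR; the field names (`ioc`, `risk_score`, `risk_rules`), the two thresholds and the sample enrichment results are assumptions constructed for illustration.

```python
"""Playbook-style triage over enrichment results (added example, assumed schema)."""

RISK_THRESHOLD = 65   # assumed: score at which an IOC goes to an analyst (0-99 scale)
BLOCK_THRESHOLD = 90  # assumed: score at which a hands-free block is acceptable

# Constructed enrichment results standing in for what the enrichment action
# would return for each IOC handed to the playbook. Not real intelligence.
SAMPLE_ENRICHMENT = [
    {"ioc": "203.0.113.7",         "risk_score": 95,   "risk_rules": ["C&C Server", "Recent Malware"]},
    {"ioc": "198.51.100.2",        "risk_score": 40,   "risk_rules": ["Historical Scanner"]},
    {"ioc": "example.org",         "risk_score": 70,   "risk_rules": ["Recent Phishing Host"]},
    {"ioc": "malware.example.net", "risk_score": 30,   "risk_rules": ["Linked to Malware"]},
    {"ioc": "192.0.2.9",           "risk_score": None, "risk_rules": []},  # no intel at all
]


def decide(result):
    """Return (action, reason) for one enriched IOC.

    Escalate when the score crosses RISK_THRESHOLD or the risk string mentions
    malware; block outright above BLOCK_THRESHOLD; otherwise pass. An IOC with
    no intelligence is unknown rather than safe, so it is sent to an analyst
    instead of being silently passed over.
    """
    score = result.get("risk_score")
    risk_string = " ".join(result.get("risk_rules", []))
    if score is None:
        return "escalate", "no threat intelligence available"
    if score >= BLOCK_THRESHOLD:
        return "block", f"risk score {score} >= {BLOCK_THRESHOLD}"
    if score >= RISK_THRESHOLD or "malware" in risk_string.lower():
        return "escalate", f"risk score {score} or malware-related rule: {risk_string}"
    return "pass", f"risk score {score} below threshold"


def triage(results):
    """Run decide() over every enriched IOC. The returned rows carry the
    decision and its reason, i.e. the context a playbook would write back
    into Splunk for review and record keeping."""
    rows = []
    for result in results:
        action, reason = decide(result)
        rows.append({"ioc": result["ioc"], "action": action, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ENRICHMENT):
        print(f"{row['ioc']:<20} {row['action']:<9} {row['reason']}")
```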

This proactive, intelligent, and automatic blocking means the suspicious activity can be instantly cut off without needing human oversight, lowering your risk profile, preventing breaches, and saving your analysts valuable time.

Monitor for External Threats and Keywords

If the internet is like a vast library of information, then it’s a library with a very big and dark basement, full of piles of books that haven’t been cataloged (but no spiders, luckily). Even trying to keep up with one narrow topic – say, mentions of your own organization across the internet – can be an insurmountable task without automation.

Recorded Future alerting helps security professionals stay on top of external information like news, events, and risk factors important to your organization, such as company mentions on social media or the dark web. SOAR playbooks can then speed up a team’s review workflow by alerting on company-specific entities found in that external data.

For example, this external monitoring might uncover some new typosquat domains, which may be the first sign of an impending phishing attack or form of fraud. A Splunk SOAR playbook can then be used to automate and orchestrate precautionary and remediation actions, like initiating takedown efforts.

Hunt Down Threats Proactively

Okay, we said before that most threat actors are not criminal masterminds – but some of them are quite clever. Advanced persistent threats, like actors funded and directed by nation-states, are responsible for many of the most significant and devious cyberattacks of recent years. And regardless of the source, some attacks are simply new and cunning. Though statistically a minority, zero-day attacks do happen. What can be done?

More mature security operations may wish to go on the offensive and do some threat hunting. With Splunk SOAR and Recorded Future, threat hunters can proactively and iteratively search through networks to detect and isolate advanced threats that evade existing security solutions. This enables analysts to quickly pull together related evidence and possibly reveal a larger threat.

For example, let’s say Splunk generates a suspicious event. Maybe it’s not an incident that demands an immediate response. But a security team with the expertise and the capacity to investigate further can use Recorded Future and Splunk SOAR together to gather risk scores on those IOCs and expand the investigation to include related entities.

This playbook can significantly lower risk by giving analysts more time to spend on analysis rather than doing manual data collection. It’s a more advanced application of correlation – not something that every organization needs to focus on, but for those that can deploy an informed hunting capability, this represents a way to get off the back foot and switch from a defensive to offensive security posture.

Learn More

For more information about how Recorded Future’s integration with Splunk SOAR helps security teams strengthen their defenses, feel free to request a demo today.