9 SOAR Use Cases for Effectively Mitigating Cyber Threats (Part 2)

March 29, 2019 • The Recorded Future Team

In our last blog, we examined how SIEM solutions have fallen short in helping IT security teams automate incident response processes, and how a new, more effective approach is emerging — security orchestration automation and response (SOAR).

In this blog, we present several security use cases in which a SOAR platform can streamline and accelerate how quickly threats are discovered, contained, and mitigated. As the use cases demonstrate, a key factor to building an effective SOAR platform is to tie the platform into the right threat intelligence sources. Doing so helps ensure that IT security teams take the correct, prioritized actions in eliminating security threats and reducing risks to digital assets.

Combining the Right Threat Intelligence

When it comes to SOAR solutions, it’s important to understand that effective automation and orchestration can only reliably work if you have the correct threat intelligence to make decisions on how to act. A machine, algorithm, or rule might be able to use some data to make an assumption on what to do, but the likelihood of false positives or misdirection is high if you don’t have the right intelligence to support the direction you are taking.

For example, if you want to implement a new firewall rule to block certain ports to defend against a recently discovered threat, you might react by automating the process to close the port on every firewall across the network. However, the threat may only apply to data coming in to Linux machines. So if you don’t have a Linux machine, there’s no need to make that change.

But without the right intelligence, you might be prompted through other means to make the change anyway; it may also end up impacting the business negatively by blocking legitimate communications that come through those firewall ports. To handle security incidents like this one — a fairly simple case, indeed — you need threat intelligence that factors in the context of your business operations, mapped to the context of your industry, coupled with the likelihood of a threat becoming a problem within your environment.

Here, we present a series of use cases that further illustrate the importance of connecting SOAR platforms to the right threat intelligence feeds:

9 SOAR Use Cases

1. Phishing Attacks

Alerts to suspected phishing emails come from a variety of detection sources, such as SIEMs and logging services, as well as end-users who forward emails that look like they contain malicious content. As the SOAR platform aggregates the suspected phishing emails, it automatically triggers a process to inform affected end users about the possible malicious emails that are being investigated.

As part of the triage process, the SOAR platform extracts compromised indicators. By looking at the header and content of the email — such as the subject, email address, and attachments — the SOAR platform assigns an incident severity value and checks for reputation red flags by cross-referencing the data against external threat intelligence databases. If any malicious indicators are found, affected users are informed with instructions on what to do. The SOAR platform also scans all email accounts and endpoints to identify other instances of the malicious email and then deletes all instances. The SOAR platform then adds the malicious compromised indicators to blacklists tracked by other security tools.

In cases where malicious indicators are not detected, the SOAR platform checks if any attachments arrived in the suspected email and detonates them in a sandbox for further analysis. If that analysis doesn’t set off any alarms, the SOAR platform forwards the incident to the IT security team for manual investigation. If the team is satisfied that the email isn’t malicious, the SOAR platform sends an email to the affected user, notifying them of the false alarm.

2. Endpoint Attacks

Here, the SOAR platform ingests threat feed data from an endpoint detection tool and queries the tool for machine and endpoint names that have malicious indicators, such as SHA1, MD5, and SHA256. The SOAR platform then cross-references retrieved files and hashes with SIEM data and verifies whether any indicators were picked up and resolved by SIEM actions. The SOAR platform also notifies analysts if SIEM actions have already resolved any malicious indicators.

For any indicators that have not been picked up by the SIEM, the SOAR platform communicates with the same endpoint tool to run queries across multiple endpoints that kill malicious processes and remove infected files. After the queries have been run, the SOAR platform updates the endpoint tool database with new indicator information to eliminate repeat offenses.

3. Failed User Logins

When the number of failed logins on an end-user device exceeds the allowed maximum attempts (usually three to five attempts), the SOAR platform automatically informs the affected user and asks them to confirm whether they made the attempts. If the end-user responds with a “yes,” the SOAR platform resets the password and sends a new email to the affected user with revised login credentials.

If the end-user confirms that they were not the one making the failed login attempts, the SOAR platform sends a new email notifying them of the account takeover attempt. The SOAR platform also executes investigative actions such as extracting the IP and location where the failed attempts were made from and quarantining the affected endpoint.

4. Logins From Unusual Locations or Devices

When end-user logins occur from an unusual location or on a new device, the SOAR platform queries the VPN service for the originating IP address and checks the GeoIP lookup for each timestamp on those IPs. Queries can also be sent in cases when logins occur from two geographical locations at points in time that cannot realistically be traveled to as quickly as the two logins occur — such as a user account logging in from Boston and then from Los Angeles just 15 minutes later.

To reconcile the VPN data, the SOAR platform queries Active Directory for all email addresses and checks them against a cloud-access security broker (CASB) to retrieve IPs and once again gets GeoIP to look up each timestamp on the IPs. The SOAR platform then cross-references IPs gathered from the VPN service with IPs gathered from the CASB. When spotting a VPN IP from one country that differs from the country of the CASB IP, the SOAR platform sends an automated email to the affected user to confirm their location. If the user responds confirming the breach, the SOAR platform blocks the concerned IP and notifies the IT security team for further investigation.

5. SSL Certificate Management

For this use case, the SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. For problematic certificates, the SOAR platform pulls user details from the Active Directory of the affected user and sends an automated email to the user and their manager, informing them of the certificate in question and directing them to make updates.

The SOAR platform then rechecks the status of problematic certificates at a preset amount of time later to confirm if appropriate changes were made. If any certificates still haven’t been updated, the SOAR platform sends automated emails to the affected user, their manager, and other relevant administrators to escalate the situation.

6. Endpoint Diagnostics

Here, the SOAR platform identifies unmanaged endpoints, adds contextual notations, and opens a ticket to investigate the issue. If any endpoints are outside the scope of communications of agents, the SOAR platform attempts to kick-start the agents by using pings. If this fails, the SOAR platform notates its actions and opens a service incident ticket.

7. Vulnerability Management

After receiving a potential threat notification from a vulnerability management tool, the SOAR platform correlates the data with data from other relevant security tools and then adds notations on the newly gathered data. The SOAR platform also queries the vulnerability management tool for any diagnoses, consequences, and remediations tied to the vulnerability.

If any vulnerability context is found, it’s added to the incident data. Based on the gathered context, the SOAR platform calculates the severity of the incident and hands over control to security analysts for manual investigation and remediation of the vulnerability.

8. Compromised Indicator Hunting

For this use case, the SOAR platform ingests a list of compromised indicators as attached CSV or text files and extracts any compromised indicators (such as IPs, URLs, and hashes). The SOAR platform then hunts for the extracted compromised indicators on any threat intelligence tools that are deployed. Where applicable, the SOAR platform checks endpoints and identifies if any endpoint has been compromised by a malicious compromised indicator. If malicious indicators were found on any threat intelligence tool, the SOAR platform updates the databases of other tools and watch lists.

9. Malware Analysis

The SOAR platform ingests data from SIEMs, email boxes, threat intelligence feeds, and malware analysis tools, and then extracts any files that need to be detonated. The SOAR platform also uploads the file to the malware analysis tool, which detonates the malware and generates a report. If the file is found to be malicious, the SOAR platform updates relevant watchlists and takes further action such as quarantining infected endpoints, opening tickets, and reconciling data from other third-party threat feeds.

The Criticality of Threat Intelligence

As you consider a SOAR platform to help you address these security uses cases, keep in mind that while standard solutions typically integrate threat intelligence feeds, they may not have the right feeds relative to your environment, and they may not be able to properly consolidate all of the data into one single view you can use to make decisions on your response tactics.

In the next blog in this series, we’ll take yet another deeper dive by taking a slice through many of these same use cases to look at this from a threat intelligence perspective. Until then, to learn more about how Recorded Future can help organizations better understand and prevent threats, request a personalized demo today.