If you are running or setting up a SOC, automation is key. In this multi-part series we will walk through some of the most common use cases that our customers have implemented to automate their security operations. Remember, no SOAR platform can automate a process that does not exist: work on your processes first, then automate them. Refer to our earlier blogs, which lay out the correct approach to deploying a SOAR platform.
We will start with the most common use case configured in a SIEM / analytics / threat detection system. Most SIEM deployments consume connection data from firewall logs and compare the destination addresses against a threat intelligence feed. From the Cyber Kill Chain perspective this alert/rule falls under Command and Control (C&C); in MITRE ATT&CK terms it maps to the Command and Control tactic, TA0011.
If there is a match, an alert/offense/incident is created in the case management system, and the analyst then validates it manually: the reputation of each indicator (URL, domain, IP address) is checked against multiple third-party reputation sources. Once confirmed, the alert is either closed immediately (the reputation checks return a false positive or a low-severity result) or escalated for further investigation (the reputation checks confirm a high-severity indicator). Which path is taken depends on the workflows approved by your organisation, and the depth of the analysis depends on the resources you have. Most of our customers deploying Securaa, our comprehensive SOAR platform, use a mix of open-source and commercial threat intelligence tools.
Here is a typical set of steps to automate the Command and Control (C&C) use case:
- Extract indicators: the playbook extracts all relevant indicators (IP addresses, URLs, domains) from the incoming alert.
- Query reputation: the playbook looks up each extracted indicator (URL, IP address, domain) in the threat intelligence tool(s).
- Check the reputation score: is the score above 95? (This assumes the threat intelligence tool returns a numeric risk score. Some systems return a severity value such as High, Medium or Low instead; adjust the logic accordingly.)
- Check the FirstSeen value: was the indicator reported recently by the threat intelligence system, or is it a very old entry? Some organizations assign low severity to indicators that have not been active in the last 30 days or more. (A stale FirstSeen alone does not prove that an indicator is inactive; where the feed also exposes a LastSeen field, that is the better test of recent activity.)
- If both the score check and the recency check pass, send the indicator to the firewall blocklist and change the alert status to Closed/Resolved.
- Otherwise, change the alert status to Closed/False Positive.
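To make the procedure concrete, here is an added Python example (written for this edit; it is not Securaa's playbook code and not from the original post) that runs the whole flow end to end: the SIEM-style correlation described above (firewall connection logs matched against a threat intelligence list), followed by the playbook steps (indicator extraction, reputation lookup, score threshold, recency check, then blocklist or close). The firewall log lines and the reputation table are constructed sample data; the key=value log format, the 0-100 score scale and the threshold of 95 are assumptions; and the recency check uses the feed's LastSeen field where present, falling back to FirstSeen, which is a choice made here rather than something the post prescribes.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample firewall connection logs (the key=value format is an assumption;
# documentation ranges such as 203.0.113.0/24 stand in for public addresses).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:02Z action=allow src=10.0.0.7 dst=198.51.100.20 dport=80 url=http://stale.example/beacon",
    "2024-05-01T10:00:03Z action=allow src=10.0.0.9 dst=192.0.2.30 dport=8443",
    "2024-05-01T10:00:04Z action=allow src=10.0.0.9 dst=192.0.2.99 dport=443",
]
# Constructed reputation table standing in for the open-source/commercial feeds:
# a 0-100 risk score plus ISO-8601 UTC first/last-seen timestamps (assumed layout).
THREAT_INTEL = {
    "203.0.113.10":  {"score": 98, "first_seen": "2024-04-20T00:00:00Z", "last_seen": "2024-04-30T00:00:00Z"},
    "198.51.100.20": {"score": 97, "first_seen": "2022-01-01T00:00:00Z", "last_seen": "2022-02-01T00:00:00Z"},
    "stale.example": {"score": 99, "first_seen": "2022-01-01T00:00:00Z", "last_seen": "2022-02-01T00:00:00Z"},
    "192.0.2.30":    {"score": 40, "first_seen": "2024-04-25T00:00:00Z", "last_seen": "2024-04-29T00:00:00Z"},
}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock: deterministic recency check

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Internal ranges that must never be sent to a reputation source or a firewall blocklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(logs, intel):
    """SIEM-style rule: raise one C&C alert (ATT&CK TA0011) per connection whose
    destination IP, or the host of a logged URL, appears in the threat intel list."""
    alerts = []
    for line in logs:
        fields = dict(KV_RE.findall(line))
        keys = {fields.get("dst")}
        if "url" in fields:
            keys.add(urlsplit(fields["url"]).hostname)
        if keys & set(intel):
            alerts.append({"raw": line, "tactic": "TA0011", "status": "Open"})
    return alerts


def extract_indicators(text):
    """Playbook step 1: pull URLs, their hosts, bare domains and non-internal IPs."""
    found = set()
    for url in URL_RE.findall(text):
        found.add(url)
        host = urlsplit(url).hostname
        if host:
            found.add(host)
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 looks like an address but is not one
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.add(ip)
    for dom in DOMAIN_RE.findall(text):
        found.add(dom.lower())
    return found


def triage(alert, intel, now=NOW, score_threshold=95, max_age_days=30):
    """Playbook steps 2-6: score and recency check per indicator, then block or close."""
    verdicts, blocklist = {}, []
    for ind in sorted(extract_indicators(alert["raw"])):
        rep = intel.get(ind)
        if rep is None:
            verdicts[ind] = "no reputation data"
            continue
        # LastSeen is the better test of recent activity; fall back to FirstSeen
        # for feeds that only report when an indicator first appeared.
        seen = parse_ts(rep.get("last_seen") or rep["first_seen"])
        recent = now - seen <= timedelta(days=max_age_days)
        if rep["score"] > score_threshold and recent:
            verdicts[ind] = "malicious, active"
            blocklist.append(ind)
        elif rep["score"] > score_threshold:
            verdicts[ind] = "malicious, stale"
        else:
            verdicts[ind] = "low score"
    status = "Closed/Resolved" if blocklist else "Closed/False Positive"
    return {"blocklist": blocklist, "status": status, "verdicts": verdicts}


def run_playbook(logs, intel, now=NOW):
    """End to end: correlate, triage every alert, set its status, collect the blocklist."""
    firewall_blocklist = set()
    alerts = correlate(logs, intel)
    for alert in alerts:
        result = triage(alert, intel, now)
        alert["status"] = result["status"]
        alert["verdicts"] = result["verdicts"]
        firewall_blocklist.update(result["blocklist"])
    return alerts, firewall_blocklist
```

Running `run_playbook(FIREWALL_LOGS, THREAT_INTEL)` on the sample data produces three alerts: the first (203.0.113.10, score 98, seen a day ago) is closed as Resolved and the address goes to the blocklist; the second carries two high-score indicators that were last seen in 2022, so under the 30-day rule it is closed as a false positive rather than blocked; the third scores 40 and is closed as a false positive. The fourth log line never becomes an alert because its destination is not on the feed. Note that the internal source addresses are filtered out before any lookup, so they can never be pushed to the blocklist by mistake.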
Please note that this approach is just one way to handle a Command and Control (C&C) alert; there can be multiple ways depending on the organization's security policies. A list of the threat intelligence feeds that Securaa supports for reputation analysis is at https://tinyurl.com/fe9szud2