Automated Threat Intelligence and Response using TIP and SOAR
What is a TIP?
Threat intelligence products and services deliver knowledge, information and data about cybersecurity threats and related issues. Their output aims to provide, or assist in curating, information about the identities, motivations and characteristics of threat actors and about their methods, commonly referred to as tactics, techniques and procedures (TTPs). The intent is to enable better decision making and to improve security technology capabilities, reducing risk and the chance of being compromised.
By combining threat intelligence with internal telemetry, you gain an understanding not only of what is happening within your network but also of potential threats and blind spots in your defences, which lets you take a proactive and better-prepared stance.
What is a SOAR?
Gartner defines SOAR as solutions that combine incident response, orchestration and automation, and threat intelligence platform management capabilities in a single solution. SOAR tools can be used for many security operations tasks, including:
- To document and implement processes.
- To support security incident management.
- To apply machine-based assistance to human security analysts and operators.
- To better operationalise the use of threat intelligence.
Workflows can be orchestrated via integrations with other technologies and automated to achieve desired outcomes. Example use cases include:
- Incident triage.
- Incident response.
- Threat intelligence (TI) acquisition, curation, management and dissemination based on the type of content and on the role, location and specific areas of interest of the recipients.
Before we jump into the use cases for automation, let's look at the types of intelligence.
Types of Cyber Threat Intelligence
Cyber threat intelligence comes in many forms but can largely be divided into human-readable and machine-readable types:
- Strategic Threat Intelligence: high-level information on changing risks.
- Tactical Threat Intelligence: attackers' tools, techniques and procedures.
- Technical Threat Intelligence: indicators of compromise (IOCs).
- Operational Threat Intelligence: details of specific attacks, and member and intel sharing.
The following diagram shows the human-readable and machine-readable threat intelligence types in detail:
Now that we have looked at what a TIP and a SOAR are and at the types of threat intelligence, we will explore some use cases for automated threat response:
1. Credential Dumping
2. Brute Force Attempts
3. Ransomware Alert and Analysis
Let’s explore each of these incidents:
Automated Protection against Credential Dumping
In this use case we attack a Windows end-point with Mimikatz to perform a credential dumping attack, which extracts password hashes and plaintext credentials that can then be used to gain further control of the network. The end-point runs the Taegis XDR agent to collect logs. The Cyber Fusion platform receives an automated alert from Taegis on the Mimikatz activity. For the automated threat response, the Cyber Fusion platform then isolates the Windows host from the network to prevent lateral movement and further compromise of the end-point.
Let's run Mimikatz on the end-point:
An alert is now created in Taegis XDR via the Red Cloak agent, as shown below:
From an automated actioning perspective, a playbook on the Cyber Fusion platform is now initiated that isolates the client from the network:
As the playbook has been triggered successfully, we can see the result on our Windows end-point:
By automating the response against complex and diverse threats, playbooks prove to be effective at minimising response time thereby reducing overall risk exposure.
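To make the detection and isolation step concrete, here is an added example of the playbook logic; it is not the article's own code and not Taegis or Cyber Fusion product code. It assumes Sysmon Event ID 10 (ProcessAccess) records as the telemetry source instead of the Red Cloak alert shown above, scans them for non-allowlisted processes that obtain a readable handle to lsass.exe (the behaviour behind Mimikatz's sekurlsa module), and emits the host-isolation action a playbook would hand to the EDR. The sample records, the allowlist and the action format are constructed for the example.

```python
"""Playbook step for the credential-dumping use case (added example, not product code)."""

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010  # any access mask with this bit set can read LSASS memory

# Processes that legitimately open lsass.exe with broad rights. This list is an
# assumption for the example; build your own from a baseline of your estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process obtained a readable handle to lsass.exe."""
    if event.get("EventID") != 10:
        return False
    if event.get("TargetImage", "").lower() != LSASS:
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)  # Sysmon logs the mask as hex text
    except ValueError:
        return False
    return bool(mask & PROCESS_VM_READ)


def credential_dump_playbook(events: list) -> list:
    """Return one isolate_host action per affected host; the first matching event wins."""
    actions = []
    isolated = set()
    for ev in events:
        if not is_lsass_access(ev):
            continue
        host = ev["Computer"]
        if host in isolated:
            continue
        isolated.add(host)
        actions.append({
            "action": "isolate_host",  # hypothetical action name for the EDR integration
            "host": host,
            "reason": f"{ev['SourceImage']} opened lsass.exe with GrantedAccess {ev['GrantedAccess']}",
        })
    return actions


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Defender reads LSASS all the time: allowlisted, must not fire.
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Mimikatz requesting PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION.
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    # Task Manager querying lsass.exe without VM_READ: not a dump, must not fire.
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
    # Unrelated process-creation event.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Users\alice\procdump.exe"},
]

if __name__ == "__main__":
    for action in credential_dump_playbook(SAMPLE_EVENTS):
        print(action)
```

Keying on the PROCESS_VM_READ bit rather than on a fixed list of masks catches procdump-style tools as well as Mimikatz, but it makes the allowlist the part that needs the most care: an attacker who can write into an allowlisted path, or who injects into an allowlisted process, bypasses this rule, so pair it with the EDR's own LSASS protection rather than relying on it alone.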
Automated Protection against Active Directory Password Bruteforce Attempts
A brute force attack automatically and systematically tries username and password combinations against a service login, typically drawing the candidates from a password list. Its goal is to find valid credentials and use them to gain access to the network.
The following are the common types of brute force attacks:
- Dictionary attacks
- Hybrid brute force attacks
- Password spray attacks
- Default password attempts
For this use case we perform a brute force attempt against a domain-joined Windows box that has the Remote Desktop service (port 3389) exposed. The Windows end-point runs an Elastic agent that ships Windows event logs to the Elastic SIEM, which collects them centrally on a separate server and gives heightened host visibility and control at cloud speed and scale. For the threat response, the Cyber Fusion platform creates an incident ticket with all relevant information in the threat response platform for analysts to triage the event.
Additionally, the platform automatically disables the targeted user account to stop the attack and blocks the source FQDN on the FortiGate firewall. Note that automatically disabling the targeted account lets an attacker who knows the rule lock legitimate users out on purpose, so this action suits single-account attacks better than password sprays across many users.
Let’s look at the account status before performing the brute force attack to check if the account is active:
Connecting to an end-point with an exposed RDP port:
Trying a login attempt on a domain user with a common password:
Multiple login attempts are made against the end-point, as seen in the screenshot below; the login attempts failed:
Alerts have been raised in the Elastic SIEM:
An automated playbook is initiated to log an incident:
Once the playbook finishes running it will create an incident for the analyst to perform further investigation:
Looking at the detection analysis tab:
Once the ticket has been created, we check the account status:
Logging into the FortiGate firewall to check the policy:
By automatically detecting brute force login attempts, organisations can quickly respond to attacks that are under way and stop them before they succeed.
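The detection and response logic behind this use case, as an added example that is not the article's own code and not Elastic or Cyber Fusion product code: it groups constructed Windows Security 4625 (failed logon) records by source address, applies a count-in-window threshold, tells a single-account brute force apart from a password spray, and emits the playbook actions (block the source, disable the account only in the single-account case, open an incident). The thresholds, the sample records and the action names are assumptions for the example.

```python
"""Brute force / password spray detection and response for the RDP use case (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures from one source inside the window (assumed)
WINDOW = timedelta(minutes=5)  # sliding window (assumed)
SPRAY_MIN_USERS = 3            # this many distinct accounts from one source => spray
RDP_LOGON_TYPE = "10"          # Windows LogonType 10 = RemoteInteractive (RDP)


def _t(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_bruteforce(events: list) -> list:
    """Return one finding per source address that crosses the threshold inside WINDOW."""
    failures = sorted((e for e in events if e["EventID"] == 4625), key=_t)
    by_source = defaultdict(list)
    for e in failures:
        by_source[e["IpAddress"]].append(e)

    findings = []
    for ip, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in WINDOW.
            while _t(evs[end]) - _t(evs[start]) > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) < FAIL_THRESHOLD:
                continue
            users = sorted({e["TargetUserName"] for e in window})
            findings.append({
                "source": ip,
                "kind": "password_spray" if len(users) >= SPRAY_MIN_USERS else "brute_force",
                "users": users,
                "attempts": len(window),
                "rdp": any(e.get("LogonType") == RDP_LOGON_TYPE for e in window),
            })
            break  # one finding per source is enough to trigger the playbook
    return findings


def bruteforce_playbook(findings: list) -> list:
    """Map findings to playbook actions (hypothetical action names for the integrations)."""
    actions = []
    for f in findings:
        actions.append({"action": "block_source", "target": f["source"]})
        if f["kind"] == "brute_force":
            # Only a single-account attack justifies disabling the account; disabling
            # every sprayed account would hand the attacker a denial of service.
            for user in f["users"]:
                actions.append({"action": "disable_account", "target": user})
        actions.append({
            "action": "create_incident",
            "summary": f"{f['kind']} from {f['source']}: {f['attempts']} failed logons "
                       f"against {len(f['users'])} account(s), rdp={f['rdp']}",
        })
    return actions


# Constructed sample events (not real logs).
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_EVENTS = (
    # Six failures in 50 seconds against one account over RDP: dictionary-style brute force.
    [{"EventID": 4625, "TimeCreated": f"2024-03-01T10:00:{10 * i:02d}", "TargetUserName": "jdoe",
      "IpAddress": "203.0.113.10", "LogonType": "10"} for i in range(6)]
    # Five failures in four minutes, each against a different account: password spray.
    + [{"EventID": 4625, "TimeCreated": f"2024-03-01T10:{5 + i:02d}:00", "TargetUserName": u,
        "IpAddress": "198.51.100.7", "LogonType": "10"} for i, u in enumerate(SPRAY_USERS)]
    # Three failures twenty minutes apart: below threshold, never inside one window.
    + [{"EventID": 4625, "TimeCreated": f"2024-03-01T10:{20 * i:02d}:05", "TargetUserName": "svc-backup",
        "IpAddress": "192.0.2.5", "LogonType": "3"} for i in range(3)]
    # A successful logon, ignored by the detection.
    + [{"EventID": 4624, "TimeCreated": "2024-03-01T10:01:00", "TargetUserName": "jdoe",
        "IpAddress": "10.0.0.15", "LogonType": "10"}]
)

if __name__ == "__main__":
    for action in bruteforce_playbook(detect_bruteforce(SAMPLE_EVENTS)):
        print(action)
```

The slow source in the sample shows the weak spot of a count-in-window rule: a "low and slow" spray that stays under the threshold is invisible to it, so complement it with a longer-horizon distinct-account count per source and a check for a successful 4624 from a source that recently produced failures.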
Automated Protection against Ransomware and Malware
Ransomware attacks have grown in number and severity over the last few years, and the average cost and downtime they cause have also been rising. Without adequate detection and response measures, organisations can lose access to their valuable data and suffer reputational damage when stolen data is leaked by threat actors.
Ransomware is typically designed to spread laterally across an organisation's network and reach as many devices as possible from a single execution, so automated containment in the early stages of an attack is an effective way to limit its impact.
For this use case we run a WannaCry ransomware binary on the Windows box so that it spreads laterally and encrypts data (do this only in an isolated lab network). The Windows end-point runs an Elastic agent that ships Windows event logs to the Elastic SIEM, which collects them centrally on a separate server. Driven by an automated playbook, the Cyber Fusion platform creates an incident ticket in the threat response platform for analysts to triage, enriched with the binary's hash reputation fetched from VirusTotal and Hybrid Analysis.
Additionally, the platform automatically queries Active Directory for more information on the impacted user.
Let’s run a Wannacry binary file on one of the Windows end-points:
Ransomware execution was detected on the end-point:
Alerts have been raised in the Elastic SIEM:
An automated playbook is initiated to log an incident:
An incident ticket is now created for the analyst, with all relevant information on the binary from VirusTotal and Hybrid Analysis attached as enrichment, giving context around the incident for further investigation:
Malware hash successfully submitted to the FortiGate firewall:
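The enrichment and ticketing step, as an added example that is not the article's own code and not VirusTotal, Hybrid Analysis, Active Directory or Cyber Fusion product code. It hashes the detected binary, derives a verdict from a reply shaped like the last_analysis_stats block of VirusTotal API v3, attaches the impacted user's directory attributes, and assembles the incident together with the firewall hash-block action. It runs offline: the binary bytes (not a real WannaCry sample), the VirusTotal-style reply and the directory record are constructed, the lookups are in-memory stand-ins for the API and LDAP calls, and the thresholds and action names are assumptions.

```python
"""Enrichment and ticketing for the ransomware use case (added example, not product code)."""
import hashlib
from typing import Optional

MALICIOUS_ENGINES_MIN = 5  # engines flagging the file before we call it malicious (assumed)
CONFIDENCE_FLOOR = 0.10    # and at least this share of engines that returned a result (assumed)

# Constructed stand-in for the dropped file. It is NOT a WannaCry binary.
SAMPLE_BINARY = b"MZ\x90\x00" + b"constructed ransomware stand-in" * 8

# Constructed reply in the shape of VirusTotal API v3 data.attributes for /files/{hash}.
VT_STYLE_REPLIES = {
    hashlib.sha256(SAMPLE_BINARY).hexdigest(): {
        "last_analysis_stats": {"malicious": 61, "suspicious": 0, "undetected": 9, "harmless": 0},
        "popular_threat_classification": {"suggested_threat_label": "ransomware.wannacry/wanna"},
    }
}

# Constructed directory record standing in for the Active Directory user lookup.
DIRECTORY = {
    "bob": {"displayName": "Bob Example", "department": "Finance", "manager": "alice",
            "memberOf": ["Domain Users", "Finance-Share-RW"]},
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample; the SHA-256 is what we block and look up."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def reputation(attrs: Optional[dict]) -> dict:
    """Turn a VirusTotal-style attributes block into a verdict; None means the hash is unknown."""
    if attrs is None:
        return {"verdict": "unknown", "detections": 0, "ratio": 0.0, "label": None}
    stats = attrs["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    malicious = stats.get("malicious", 0)
    ratio = malicious / total if total else 0.0
    if malicious >= MALICIOUS_ENGINES_MIN and ratio >= CONFIDENCE_FLOOR:
        verdict = "malicious"
    elif malicious > 0 or stats.get("suspicious", 0) > 0:
        verdict = "suspicious"  # a handful of engines is not enough to block automatically
    else:
        verdict = "clean"
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {"verdict": verdict, "detections": malicious, "ratio": round(ratio, 3), "label": label}


def ransomware_playbook(data: bytes, host: str, user: str) -> dict:
    """Build the incident record and the follow-up actions for one detection."""
    hashes = file_hashes(data)
    rep = reputation(VT_STYLE_REPLIES.get(hashes["sha256"]))  # stand-in for the VT API call
    user_context = DIRECTORY.get(user, {})                     # stand-in for the AD query
    severity = {"malicious": "critical", "suspicious": "high", "unknown": "medium", "clean": "low"}
    actions = [{"action": "create_incident", "severity": severity[rep["verdict"]]}]
    if rep["verdict"] == "malicious":
        actions.append({"action": "block_hash_on_firewall", "sha256": hashes["sha256"]})
    elif rep["verdict"] == "unknown":
        # No reputation yet: detonate in a sandbox (the Hybrid Analysis role in the article).
        actions.append({"action": "submit_to_sandbox", "sha256": hashes["sha256"]})
    return {"host": host, "user": user, "hashes": hashes, "reputation": rep,
            "user_context": user_context, "actions": actions}


if __name__ == "__main__":
    print(ransomware_playbook(SAMPLE_BINARY, "WS03", "bob"))
```

Requiring both an absolute engine count and a minimum detection ratio keeps a single noisy engine from pushing a hash onto the firewall block list; the trade-off is that a brand-new sample with no reputation falls into the "unknown" path and relies on the sandbox verdict, which is exactly where the analyst ticket earns its keep.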
Conclusion:
Cyberattacks can cause severe damage to an organisation's data and intellectual property, so automated playbooks play an important role in countering threats at machine speed instead of relying on slower, manual processes.
Additionally, automation helps organisations reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating security alerts within minutes.