Security orchestration, automation, and response (SOAR) solutions help SOC teams to streamline time-consuming tasks and improve their security posture without missing any critical processes. The SOAR playbook, in particular, provides SOC teams with a set of actions based upon rules and triggers to ensure that they are managing security as efficiently as possible.
While the playbook consists of numerous actions crucial to an organization's security maintenance, we'll focus on the top five.
Brute Force Attack
A brute force attack is a method in which attackers recover passwords, login credentials, or encryption keys by trial and error. They keep trying username and password combinations until one succeeds. The term "brute force" stems from the attacker's forceful and continuous attempts at gaining access until successful. While this may seem rudimentary compared to the advanced tactics we often see today, it remains a reliable method for attackers.
This hacking method can be time-consuming for attackers, which is why many utilize software to help them do so. Password-cracking applications allow attackers to quickly test variations of usernames and passwords, making it easier to access organizations' networks.
There are several tactics that organizations can use to protect themselves against brute force attacks, but some are more effective than others. One of the simplest ways to avoid these attacks is to implement stronger password practices. While it is still possible for attackers to get through, stronger passwords can make it more difficult for attackers and hopefully lead them to give up and take their efforts elsewhere.
Another tactic is to run a script that keeps answering the attacker with wrong-password responses, in the hope of sending them on a wild goose chase. The SOAR playbook recommends a more strategic approach: email the system owner and ask them to check the activity.
With SOAR solutions, once a brute force attack is detected, IT managers and system owners will receive immediate notification. The system's owner is equipped to monitor unusual login attempts and can quickly stop any malicious actions. This drastically improves the response time to attacks and can even prevent them.
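The detection step that triggers the "notify the system owner" action, as an added example that is not part of the original post or of any SOAR product: constructed sshd log lines (hypothetical hosts and addresses) are scanned for a burst of failed logins from one source, and the alert carries the owner address from an assumed host-to-owner mapping plus a flag showing whether a successful login followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample sshd log lines (hypothetical data, not from any real host).
SAMPLE_LOG = """\
Mar  1 08:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Mar  1 08:00:03 web01 sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Mar  1 08:00:04 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 08:00:06 web01 sshd[1204]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Mar  1 08:00:07 web01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar  1 08:00:09 web01 sshd[1206]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
Mar  1 08:05:00 web01 sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from (\S+) port")
SYSTEM_OWNERS = {"web01": "web-owner@example.com"}  # hypothetical host -> owner mapping

def parse_line(line, year=2024):
    # Syslog lines carry no year, so the caller supplies one.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "result": m.group(3), "user": m.group(4), "src": m.group(5)}

def detect_brute_force(log_text, threshold=5, window_s=60):
    """Alert once a source IP fails `threshold` times against one host within `window_s` seconds."""
    windows = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    alerts, alerted = [], set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            q = windows[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:  # drop stale failures
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"host": ev["host"], "src": ev["src"], "failures": len(q),
                               "success_after": False,
                               "notify": SYSTEM_OWNERS.get(ev["host"], "soc@example.com")})
        elif key in alerted:
            # A success following the burst is what the owner must check first.
            for a in alerts:
                if (a["host"], a["src"]) == key:
                    a["success_after"] = True
    return alerts
```

The single alice failure stays below the threshold and produces nothing, while the burst from 203.0.113.7 is reported once, with `success_after` set because the attempt that followed it was accepted.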
Phishing Attack
Phishing attacks are social engineering attacks carried out with fraudulent email, and they are the most common attack method behind successful breaches. They are designed to trick individuals into sharing information or clicking a link that then gives the attacker access to the company's network. Many organizations run cybersecurity awareness training to help their workforce recognize these attacks, but training alone is not a complete solution.
Many organizations rely on email platforms for their communications, but the wrong platform can expose them to greater risk of attack. Some email platforms can themselves be used by attackers to launch phishing campaigns. If this happens, organizations might block all email coming from that platform, but doing so blocks legitimate email as well.
While some emails may be lost, security teams could use SOAR to block emails from any phishing attack sources or take actions on the URLs used for the phishing attempts or even act on the credentials of a phished user, which ultimately protects the organization most effectively, without creating additional tasks for the SOC team.
Command-and-Control (C2) Traffic
Command-and-Control traffic occurs when an attacker obtains a persistent means of communicating with infected or compromised systems inside a targeted network. Once access is established, the attacker issues commands and may exfiltrate data. The compromised host usually initiates the communication from inside the network to a server on the public internet, which is what gives the attacker their channel in.
One situation in which C2 traffic can go unnoticed is when the destination IP address or URL has been wrongly categorized by the proxy or firewall. Should this happen, SOAR can automatically block the domain at the proxy level, or the IP at the firewall level, denying the attacker further access to the system.
Insider Threat (Data Leakage)
An insider threat is the theft of data, conducted either manually or automatically, from within an organization, ultimately leading to a data leak. When this occurs, it most often exposes a company's intellectual property, customer information, and other regulated and private data.
Data leaks can be intentional or unintentional but need to be defended against regardless. A common way that insider threats such as data leaks occur is when a user transfers files to an FTP server for further processing or vendor troubleshooting. While the files are in transit, they leave the organization's protection and are more likely to be leaked.
One way to address this with SOAR is to have users isolate the host and contact the helpdesk. Users should contact the helpdesk by phone so that, if a leak has occurred, they can explain any known activity and have it addressed promptly.
Impossible Travel
The final SOAR playbook action on this list is impossible travel. When a user logs in to a system, the event is timestamped, including each of multiple attempts. The system therefore records how much time passes between attempts for a given user.
Impossible travel occurs when the time between two login attempts is shorter than the fastest possible travel time between the two locations from which the attempts were made. This means the attempts could not both have been made by the same person in transit, signifying malicious login attempts, likely from an attacker using automated tooling.
Many people use third-party VPNs for their work, but this can open organizations up to considerable risk, such as attackers whose activity shows up as impossible travel. The SOAR playbook suggests that when users are alerted to impossible travel, they should immediately reset their password and create an IP ban on the firewall. If performed quickly enough, this prevents the attacker from entering the system.
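The impossible-travel check from the two paragraphs above, as an added example that is not part of the original post: consecutive sign-ins of one user (constructed events with hypothetical coordinates and source addresses) are compared against the fastest possible trip at an assumed speed ceiling, and an alert is mapped to the two playbook actions the text names, password reset and firewall ban.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (hypothetical users, addresses and coordinates).
LOGINS = [
    {"user": "alice", "ts": "2024-03-01T08:00:00Z", "lat": 40.7128, "lon": -74.0060, "src": "198.51.100.4"},  # New York
    {"user": "alice", "ts": "2024-03-01T09:30:00Z", "lat": 51.5074, "lon": -0.1278, "src": "203.0.113.7"},    # London
    {"user": "bob",   "ts": "2024-03-01T08:00:00Z", "lat": 48.8566, "lon": 2.3522, "src": "192.0.2.10"},      # Paris
    {"user": "bob",   "ts": "2024-03-01T14:00:00Z", "lat": 52.5200, "lon": 13.4050, "src": "192.0.2.11"},     # Berlin
]
MAX_SPEED_KMH = 1000.0  # assumed ceiling for commercial air travel; tune per organization

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins of one user that are closer in time than the trip allows."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            elapsed_h = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            min_h = dist / max_speed_kmh  # fastest possible travel time for that distance
            if elapsed_h < min_h:  # the definition of impossible travel used in the text
                alerts.append({"user": user, "src": cur["src"], "distance_km": round(dist),
                               "elapsed_h": round(elapsed_h, 2), "min_travel_h": round(min_h, 2)})
    return alerts

# Playbook follow-up from the text: reset the user's password and ban the source IP at the firewall.
def playbook_actions(alert):
    return [f"reset_password user={alert['user']}", f"firewall_block ip={alert['src']}"]
```

Alice's New York to London pair (roughly 5,570 km in 1.5 hours) is flagged, while Bob's Paris to Berlin pair six hours apart is not.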
The SOAR playbook serves as a predefined process that is followed automatically when certain conditions are met. By automating these processes, the solution significantly helps users in an age where cybersecurity threats are rampant and need to be addressed quickly. Should users become suspicious of unusual activity within their company's systems or determine that an attack is under way, the playbook gives them a list of best-practice actions to take. By following these actions, users can react to cybersecurity threats proactively, protecting their organization from devastating damage.
By combining SOAR with Arcanna.ai, your playbooks are enhanced with the knowledge of your security team through the use of Deep Learning and Natural Language Processing. This enables your SOAR to leverage the contextual knowledge, specific to your organization, that your analysts have to improve the overall automation process.
These five actions are only the tip of the iceberg in the SOAR playbook. For more threats to look out for and actions to combat them, continue reading about this subject in our next blog.