Continuing from our previous blog, we will discuss five more critical SOAR playbook actions. These actions cover some of the most practical use cases for security orchestration and automation, along with best practices for dealing with common cybersecurity attacks.
Indicator of Compromise
An indicator of compromise (IoC) is forensic evidence that a cybersecurity attack occurred. IoCs essentially serve as the clues IT security experts and SOC teams look for to conclude that a system has been compromised. Unfortunately, many IoCs go undetected for months, if not longer. To proactively stop attacks, organizations must identify IoCs as quickly as possible.
That said, not all IoCs are malicious. In one example, only one platform out of three correctly identified an IoC as not malicious. Still, it is crucial to investigate and identify all IoCs.
One way to address this with SOAR is to check the reputation of each IoC (IP, hash or URL) against multiple threat intel sources (paid and/or OSINT). Once an IoC is confirmed as malicious, the playbook automatically blocks the hash at the EDR level, blocks the IP at the firewall level, or blocks the domain at the proxy level.
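The lookup-then-block step described above, as an added example that is not part of the original post: the three feeds, their verdicts and the indicator values are constructed stand-ins for real threat intel APIs, and the two-source agreement threshold reflects the disagreement case mentioned earlier (one platform out of three).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for paid/OSINT threat intel feeds: indicator -> verdict.
# A real playbook queries each vendor's API here.
FEEDS = {
    "feed_a": {"198.51.100.7": "malicious", "bad.example": "malicious",
               "a1b2c3d4e5f60718293a4b5c6d7e8f90": "malicious"},
    "feed_b": {"198.51.100.7": "malicious", "bad.example": "benign",
               "a1b2c3d4e5f60718293a4b5c6d7e8f90": "malicious"},
    "feed_c": {"198.51.100.7": "malicious", "bad.example": "benign"},
}
MIN_HITS = 2  # block only when at least two sources call the IoC malicious

def classify(ioc: str) -> str:
    """Return 'hash', 'ip', 'domain' or 'url' for a raw indicator string."""
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", ioc):
        return "hash"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    return "url" if "://" in ioc else "domain"

def reputation(ioc: str) -> dict:
    """Ask every feed, count malicious verdicts, keep each feed's answer."""
    verdicts = {name: feed.get(ioc, "unknown") for name, feed in FEEDS.items()}
    return {"verdicts": verdicts,
            "malicious_hits": sum(v == "malicious" for v in verdicts.values())}

def plan_block(ioc: str) -> dict:
    """Route the block to the right enforcement point: EDR for hashes,
    firewall for IPs, proxy for domains (a URL is reduced to its host)."""
    kind = classify(ioc)
    key = urlparse(ioc).hostname if kind == "url" else ioc
    rep = reputation(key)
    if rep["malicious_hits"] < MIN_HITS:
        # Not enough agreement: open it for an analyst instead of blocking.
        return {"ioc": ioc, "kind": kind, "action": "investigate", **rep}
    target = {"hash": "edr", "ip": "firewall", "domain": "proxy", "url": "proxy"}[kind]
    return {"ioc": ioc, "kind": kind, "action": f"block_at_{target}", **rep}
```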
Multiple Authentication Failure
Most organizations utilize some level of user authentication in their login process to validate users and ensure that access is granted only to those authorized. If a user accumulates multiple authentication failures, that is, several failed login attempts within a given time, the system flags the attempts.
This prevents unauthorized users from accessing an organization’s system, but it isn’t always a sign of an attack. Occasionally, a user’s Active Directory password expires without their knowledge, resulting in non-malicious multiple authentication failures. Still, in other incidents this is a sign of an attacker trying to gain access.
Regardless of the intent, security teams can use SOAR to open an incident report for AD administrators to investigate the cause when multiple authentication failures are identified. In the best-case scenario, they will notify the user that their password has expired and move on. In other cases, an attacker will be identified, and security analysts will begin taking corrective action.
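The failure-burst check and the incident it opens for AD administrators, as an added example that is not part of the original post. The authentication events, the five-in-five-minutes threshold and the `password_expired` reason field are constructed assumptions; the expired-password case from the text is tagged as the likely cause rather than dropped, and a success right after a burst is noted for the analyst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events, as a SIEM would forward them to SOAR.
EVENTS = (
    [{"ts": f"2024-03-04T08:00:{s:02d}", "user": "jdoe", "ok": False,
      "reason": "password_expired"} for s in (5, 9, 14, 20, 30)]
    + [{"ts": f"2024-03-04T09:10:{s:02d}", "user": "svc-backup", "ok": False,
        "reason": "bad_password"} for s in (0, 2, 3, 5, 6)]
    + [{"ts": "2024-03-04T09:10:08", "user": "svc-backup", "ok": True, "reason": ""},
       {"ts": "2024-03-04T12:00:00", "user": "asmith", "ok": False, "reason": "bad_password"},
       {"ts": "2024-03-04T12:30:00", "user": "asmith", "ok": False, "reason": "bad_password"}]
)
THRESHOLD, WINDOW = 5, timedelta(minutes=5)

def detect_failures(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per user: open one incident for AD admins once
    `threshold` failures fall inside `window`. If every failure in the
    window was an expired password, record that as the likely cause."""
    recent = defaultdict(deque)
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["ok"]:
            if user in incidents:  # a success right after a burst needs attention
                incidents[user]["note"] = "success after burst: verify with user"
            continue
        q = recent[user]
        q.append((ts, ev["reason"]))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in incidents:
            reasons = {r for _, r in q}
            incidents[user] = {
                "user": user, "failures": len(q), "first": q[0][0].isoformat(),
                "likely_cause": "expired_password" if reasons == {"password_expired"} else "unknown",
                "assign_to": "ad_admins",
            }
    return incidents
```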
Ransomware Attack
Ransomware attacks are at an all-time high. For organizations to protect themselves against ransomware, they must proactively identify and stop cybersecurity threats.
One signal of a ransomware attack is a process or service making file changes. While these changes are legitimate the majority of the time, there are occasions when they indicate a ransomware attempt in progress.
When the system raises an alert for suspicious file changes like this, SOAR immediately stops the process performing them. In doing so, it halts any further damage to the files.
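The file-change signal and the stop-the-process response, as an added example that is not part of the original post. The EDR telemetry, the allowlisted backup service and the "20 distinct files in 30 seconds" threshold are constructed assumptions standing in for a real EDR feed and tuned baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR file-activity telemetry: (timestamp, host, pid, process, path).
BASE = datetime(2024, 3, 4, 14, 0, 0)
FILE_EVENTS = (
    [(BASE + timedelta(seconds=i), "ws01", 4120, "backupsvc.exe",
      f"D:\\archive\\doc{i}.bak") for i in range(40)]          # legitimate bulk writer
    + [(BASE + timedelta(seconds=5), "ws01", 2210, "winword.exe",
        "C:\\Users\\alice\\report.docx")]                       # single normal edit
    + [(BASE + timedelta(milliseconds=200 * i), "ws01", 6677, "update.exe",
        f"C:\\Users\\alice\\Documents\\file{i}.docx.locked") for i in range(30)]
)
ALLOWLIST = {"backupsvc.exe"}  # services known to rewrite many files legitimately
THRESHOLD, WINDOW = 20, timedelta(seconds=30)

def detect_mass_file_changes(events, threshold=THRESHOLD, window=WINDOW):
    """Per (host, pid, process): if the process touches at least `threshold`
    distinct files inside `window`, emit a kill_process response. Allowlisted
    services are skipped, which covers the 'legitimate most of the time' case."""
    by_proc = defaultdict(list)
    for ts, host, pid, name, path in sorted(events):  # chronological order
        if name in ALLOWLIST:
            continue
        by_proc[(host, pid, name)].append((ts, path))
    responses = []
    for (host, pid, name), touched in by_proc.items():
        start = 0
        for end in range(len(touched)):
            while touched[end][0] - touched[start][0] > window:
                start += 1  # slide the window forward
            distinct = {p for _, p in touched[start:end + 1]}
            if len(distinct) >= threshold:
                responses.append({"host": host, "pid": pid, "process": name,
                                  "files": len(distinct), "action": "kill_process",
                                  "sample": sorted(distinct)[:3]})
                break  # one response per process is enough
    return responses
```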
Abnormal Authentication and Access
Similar to multiple authentication failures, organizations may also experience abnormal authentication and access. When users log in to their organization’s system, the system often monitors the users’ behavior so that when abnormal or unusual activity occurs, it can be flagged as a threat. Abnormal authentication and access, in particular, refers to any authentication outside of working hours or an attempt to access a server never accessed before by that user.
There are circumstances where authentication and access seem abnormal but are actually legitimate activities, such as maintenance. System maintenance may not be performed on a regular basis (although it should be) and often occurs outside of working hours so as not to disrupt team members. As a result, it may be flagged as abnormal access when it is not.
Still, if any abnormal authentication is detected, security teams can use SOAR to email the user’s owner to confirm the activity. While the activity is being verified, the user’s password should be immediately changed and/or the user should be disabled.
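The two abnormal-access conditions from the text (off-hours logon, never-before-seen server), the maintenance-window exception, and the confirm-then-reset-or-disable response, as an added example that is not part of the original post. The per-user server baseline, the working hours, the maintenance window and the logon records are constructed assumptions.

```python
from datetime import datetime, time

# Constructed baseline built from past successful logons: user -> servers used.
BASELINE = {"alice": {"fs01", "app01"}, "bob": {"db01"}}
WORK_HOURS = (time(8, 0), time(18, 0))  # Monday to Friday
# Approved maintenance windows, constructed: (server, start, end).
MAINTENANCE = [("db01", datetime(2024, 3, 9, 22, 0), datetime(2024, 3, 10, 2, 0))]
# Constructed logon events to assess.
LOGONS = [
    {"ts": "2024-03-05T10:15:00", "user": "alice", "server": "fs01"},   # normal
    {"ts": "2024-03-05T23:40:00", "user": "alice", "server": "fs01"},   # off-hours
    {"ts": "2024-03-05T11:00:00", "user": "alice", "server": "hr-db"},  # new server
    {"ts": "2024-03-09T23:10:00", "user": "bob", "server": "db01"},     # Sat, maintenance
]
RESPONSE = ["email_user_owner_to_confirm", "reset_password",
            "disable_account_pending_confirmation"]

def in_maintenance(server, ts):
    """True when an approved maintenance window covers this server and time."""
    return any(s == server and start <= ts <= end for s, start, end in MAINTENANCE)

def assess(logon):
    """Flag a logon as abnormal if it is outside working hours (and not
    covered by maintenance) or targets a server the user has never used."""
    ts = datetime.fromisoformat(logon["ts"])
    user, server = logon["user"], logon["server"]
    reasons = []
    off_hours = ts.weekday() >= 5 or not (WORK_HOURS[0] <= ts.time() < WORK_HOURS[1])
    if off_hours and not in_maintenance(server, ts):
        reasons.append("outside_working_hours")
    if server not in BASELINE.get(user, set()):
        reasons.append("new_server_for_user")
    if not reasons:
        return {"user": user, "server": server, "verdict": "normal", "actions": []}
    return {"user": user, "server": server, "verdict": "abnormal",
            "reasons": reasons, "actions": list(RESPONSE)}

def assess_all(logons):
    return [assess(l) for l in logons]
```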
Monitoring of Off-boarded Employees
The final SOAR playbook action is the monitoring of off-boarded employees. In modern organizations, some turnover is normal, but organizations must regularly monitor for accounts of departed employees that have not yet been deleted. If an employee leaves the company, even on good terms, their account must be deleted promptly to ensure that they can no longer access any organization data.
While this is the general use of SOAR in this situation, there are some extenuating circumstances. One example is an organization that keeps the account of a departed employee enabled at the request of their manager for business continuity purposes. That is the exception to the rule; in most cases the user should be deleted from all directory catalogs.
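The off-boarding check that reconciles an HR departure list against the directory, including the manager-approved continuity exception, as an added example that is not part of the original post. The HR feed, directory export, exception record and three-day grace period are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed HR feed: employee id -> last working day.
DEPARTED = {"e100": date(2024, 2, 1), "e200": date(2024, 2, 20), "e300": date(2024, 3, 1)}
# Constructed directory export: account -> employee id and enabled flag.
DIRECTORY = {
    "jdoe":   {"emp": "e100", "enabled": True},
    "bwong":  {"emp": "e200", "enabled": True},
    "cpark":  {"emp": "e300", "enabled": False},
    "asmith": {"emp": "e400", "enabled": True},   # current employee
}
# Manager-approved continuity exceptions with an expiry date (constructed).
EXCEPTIONS = {"bwong": {"approved_by": "mgr-17", "until": date(2024, 4, 1)}}
GRACE_DAYS = 3  # a disabled account may linger this long before deletion is due

def review_offboarding(today_iso, departed=DEPARTED, directory=DIRECTORY,
                       exceptions=EXCEPTIONS):
    """Return one finding per departed employee whose account still exists.
    An unexpired exception keeps the account; otherwise an enabled account
    is disabled and deleted, and a disabled one past the grace period is deleted."""
    today = date.fromisoformat(today_iso)
    findings = []
    for account, rec in directory.items():
        left = departed.get(rec["emp"])
        if left is None or left > today:
            continue  # still employed, or departure is in the future
        exc = exceptions.get(account)
        if exc and exc["until"] >= today:
            findings.append({"account": account, "action": "keep",
                             "reason": f"continuity exception until {exc['until']}"})
        elif rec["enabled"]:
            findings.append({"account": account, "action": "disable_and_delete",
                             "reason": "departed employee still enabled"})
        elif today - left > timedelta(days=GRACE_DAYS):
            findings.append({"account": account, "action": "delete",
                             "reason": "disabled but not removed from directory"})
    return findings
```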
Automation: The “A” in SOAR
SOAR stands for security orchestration, automation, and response, the class of solutions that IT security analysts and SOC teams use to improve their security posture. While every aspect of SOAR is critical, we like to emphasize automation. Security automation enables all of the other components of SOAR, allowing security teams to operate faster, more accurately and more efficiently.
Each of the 10 SOAR playbook actions we have discussed in our last two blogs requires ongoing security monitoring and intervention. For security teams to identify threats and stop attacks, they must proactively perform these actions. That said, most security teams are working with a limited workforce and only have so much time in the day.
While it’s crucial to address each and every threat identified, doing so is time-consuming and often leads to many false positives. This leaves little time for security teams to improve their security posture - which is the defining purpose of SOAR. Fortunately, by implementing security automation solutions such as AI-Assisted Cybersecurity, following the SOAR playbook is easier than ever. By combining SOAR with Arcanna.ai, your playbooks are enhanced with the knowledge of your security team through the use of Deep Learning and Natural Language Processing. This enables your SOAR to leverage the contextual knowledge, specific to your organization, that your analysts have to improve the overall automation process.
SOAR solutions will automatically take action when an incident occurs and AI-Assisted Cybersecurity can facilitate this automation. Consequently, security teams can run tedious monitoring tasks with little to no human intervention while handling cybersecurity tasks more effectively and consistently than ever before.