soar.md

SOAR

This page deals with Security Orchestration Automation and Response.

Table of content

• Must read
• What is SOAR?
• Simple and commonly needed automation tools
• Common automations

Must read/watch

• PaloAlto, Security orchestration for dummies;
• ThreatConnect, SIRP / SOA / TIP benefits;
• Swimlane, Cyber Threat readiness report 2023;
• Swimlane, Automating SIEM alert triage;
• Gartner, Market Guide for Security Orchestration, Automation and Response Solutions;
• Microsoft, Microsoft Defender XDR , Security Copilot and Sentinel integrated into 1 portal;
• RecordedFuture The Automation Advantage: Transforming Cybersecurity and Efficiency in Organisations
• PaloAlto, Top security orchestration use cases
• PTP, SOAR-based security monitoring

What is SOAR?

As per Gartner definition:

Hence the statement that SOAR is in fact made of 3 critical tools (see drawing above):

• SIRP;
• TIP;
• SOA.

And on top of that, SIEM.

Thus, in my view and probably as well in Gartner's mind when they invented the name, SOAR is more an approach, a vision, based on technologies and processes, than a technology or a tool per say.

More especially, SOAR mainly aims at:

• reducing human error;
• offloading repetitive and valueless tasks for humans, to an automate (security orchestrator);
• improving integration between tools (thanks to API);
• increasing performance of SOC/CERT teams (higher workload with the same team size), constant quality, and improved processes (quicker processes runs);

SOAR need for security monitoring

Here is an example of a SOC workflow leveraging SOAR approach, with the following technology layers in place:

• SIEM: Fluency,
• SIRP: TheHive,
• SOA: Shuffle,
• TIP: MISP,
• ITSM: ConnectWise

Simple and commonly needed automation tools

• Online automated hash checker (script):

  • my recommendation: Munin, or with PowerShell Posh-VT

• Online URL automated analysis:

  • my recommendation: CyberGordon, URLScan.io

• Online automated sample analyzer:

  • my recommendation, via script and without sample submission: Malwoverview;
  • my recommendations for online dynamic analysis: Hybrid-Analysis, Joe's sandbox

• Offline automated sample analyzer:

  • My recommendation: Qu1cksc0pe

• (pure) Windows tasks automation:

  • My recommendations: AutoIT, Chocolatey

• SaaS-based (and partly free, for basic stuff) SOA:

  • Shuffle

Common security automation use cases

My recommendations for detection (alerts handling):

Try to implement at least the following automations, leveraging the SOA/SIRP/TIP/SIEM capabilities:

• Make sure all the context from any alert is being automatically transfered to the SIRP ticket, with a link to the SIEM alert(s) in case of.
  • Leverage API (through SOA) if needed to retrieve the missing context info, when using built-in integrations.
• Automatically query the TIP for any artefacts or even IOC that is associated to a SIRP ticket.
• Automatically retrieve the history of antimalware detections for an user and/or endpoint, that is associated to a SIRP ticket.
• Automatically retrieve the history of SIEM detections for an user and/or endpoint, that is associated to a SIRP ticket.
• Automatically retrieve the history of SIRP tickets for an user and/or endpoint, that is associated to a new SIRP ticket.
• Automatically query AD or the assets management solution, for artefact enrichment (user, endpoint, IP, application, etc.).

My recommendations for detection (artefacts investigation):

• Search for a list of IP addresses in the TIP:
  • My recommendation: use a script to query OpenCTI for with a CSV file, and make sure the output will confirm known malicious IP addresses (+ OpenCTI link to the IOC).
• Extract a list of fresh IOCs from the TIP, and embed them in an IOC scanner:
  • My recommendation: use a script extract IP/URL/domains over the last month, MD5 over the last year, and embed them in Thor Lite or DFIR-ORC.

My recommendations for response (incident response, containment/eradication steps):

• Block an IP on all firewalls (including VPN), SWG and CASB.
• Block an URL on SWG.
• Block an email address (sender) on SEG.
• Block an exe file (by hash) on endpoints (leveraging antimalware/EDR or AppLocker).
• Block an exe file (by hash) on gateways and CASB: SWG, SEG, CASB.
• Block an internal IP, on internal routers/FW, thanks to ACL (to prevent lateral movement).
• Block an IP address on web servers, linux firewalls, etc. based on community-driven CTI:
  • My recommendation: CrowdSec bouncer.
• Reset an ID-provider (AD, Entra ID, etc.) account password.
• Disable an AD account (both user and computer, since computer account disabling will block authentication with any AD account on the endpoint, thus preventing from lateral movement or priv escalation).
• Report a (undetected) sample to security vendors, via email. Here are a few addresses, in case of:
  • Files samples (to be attached in a password-protected Zip file, with 'infected' as password): [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected];
  • URL/IP samples: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected].
• Report a false positive to security vendors, via email;
  • You may want to have a look at this page to know the required email address;
  • Report false positive on VT (ML scanner) to CrowdStrike: [email protected].
• Report a malicious URL (for instance, phishing) to a security vendor for takedown steps
  • My recommendation: Netcraft via API, or PhishReport.

Automation example around identity-based detections

• Cf. my page

End

Go to main page.