Curious About Incorporating a SOAR Solution in Your Organization’s Environment?
Now more than ever, cybersecurity professionals are exploring and understanding the SOAR solution market, with the goal of identifying whether incorporating SOAR in their environment is applicable. In the cybersecurity industry, it is common practice to evaluate attack scenarios and security incidents according to a common taxonomy. The Lockheed Martin Cyber Kill Chain® is an example of an industry-standard framework used to enhance the understanding of the progression of cyber attacks. Cyber analysts use these frameworks as guidance while executing their missions to protect against, detect, and respond to cyber threats. While there are many benefits to evaluating each attack against a framework to provide visibility into the full attack lifecycle, it is a time-consuming manual process for analysts that can slow down the response to an investigation. The time needed to resolve an incident is critical and correlates with its potential impact on an organization and its customers. Implementing a SOAR solution is an effective and reliable answer that many organizations have chosen to remedy some of the largest obstacles in cybersecurity, including alert fatigue and a lack of qualified personnel, while increasing efficiency.
CyberSponse is the industry-leading patented security orchestration and automation incident response SOAR platform that fills the gap between automation-only and human-dependent security organizations. The CyberSponse CyOPs™ SOAR platform enables analysts to efficiently evaluate threats by automating the collection of data from hundreds of enterprise security tools. The raw log data collected and pre-processed by CyOPs™ SOAR is then presented to analysts in a concise, visually appealing way, enabling near real-time evaluation of an attacker’s progression through the attack lifecycle. In addition to presenting data to the analyst, the CyOPs™ SOAR platform documents this information as part of its incident management functionality. This approach ensures analytical outputs are available to all members of the team in real time.
The CyberSponse CyOPs™ SOAR platform creates proven value and ROI through a significant increase in efficiency over traditionally manual analysis. There are seven phases of an attack where an analyst would have data to review to understand if a malicious actor was successful. Let’s walk through a use case of a known threat actor actively targeting an organization with phishing emails and review the benefits (time, cost, accuracy, etc.) the CyberSponse SOAR platform would provide.
Step 1. Reconnaissance
In this first phase of an attack, the malicious actor selects their target and performs reconnaissance (crawling social media, search engines, company web pages, forums, etc.) to identify how to best target systems and networks. Generally, the victim network isn’t attacked during this phase.
With CyberSponse SOAR: Ensuring your SOC is up to date with the latest CyOPs™ Connectors and Playbooks in place and having them configured to your environment is the best first defense at this phase. Our customers have access to our resource libraries filled with hundreds of CyOPs™ Connectors, CyOPs™ Playbooks, and CyOPs™ Training videos to be used to install, properly configure, and arm your SOC with confidence and ease.
Step 2. Weaponization
During this second phase, the actor creates malware which targets one or more vulnerabilities. Many actors upload custom or targeted malware to online scanning engines such as Hybrid Analysis or VirusTotal to determine whether the malware is detected by any particular antivirus engine. An analyst would want to know if a known threat actor is creating and testing antivirus evasion efficacy and if that specific piece of malware would successfully execute in the target network.
With CyberSponse SOAR: A CyOPs™ playbook which utilizes data from a connector to Hybrid Analysis can automatically pull down new or custom variants of known malware families and automatically send them to Cuckoo to determine if they would execute on a particular desktop or server image.
Step 3. Delivery
During this phase, the actor sends the weaponized file (created in step 2) to its target. In this scenario, the known threat actor delivers malware as an attachment in a phishing email. At this point an analyst would want to answer a few questions: how many emails came from the known threat actor, who were they sent to, and what malicious code or links did they contain?
With CyberSponse SOAR: A CyOPs™ playbook automatically executes upon receipt of an alert from your mail filter. The mail filter reports that it has blocked 20 emails that contain malicious attachments. The CyOPs™ playbook queries Exchange for any successfully delivered emails that exhibit the same indicators. If any are found, the playbook instructs Exchange to delete the delivered emails from user inboxes.
Step 4. Exploitation
During this phase, the weaponized file is executed on the victim network with the intent to exploit a vulnerability. The analyst needs to determine whether or not the targeted systems are susceptible to the exploitation attempt from the malware in question.
With CyberSponse SOAR: A CyOPs™ playbook which calls data from a connector to Qualys can now use outputs from the most recent vulnerability scans of the workstations assigned to the users who received the phishing email to determine if their systems are vulnerable.
Step 5. Installation
After successful system exploitation, it is necessary for the malware to maintain persistence on the now compromised system. This is generally done by packing a backdoor or other implant into the weaponized file which was delivered, for the purpose of enabling continued access post-exploitation.
With CyberSponse SOAR: A CyOPs™ playbook which calls data from a connector to Anomaly, Carbon Black, or Cylance can analyze host level process data to inform the analyst whether or not specific processes exist and/or are currently running on a host. If the malicious processes are found to be running on a host, the CyOPs™ playbook can instruct the endpoint agent to quarantine the host, preserving forensic data and protecting the rest of the network.
Step 6. Command and Control
During this phase, the now installed implant has successfully initiated bi-directional communication between the victim and internet infrastructure controlled by the actor. This communication channel enables the actor to maintain persistent access to the victim network.
With CyberSponse SOAR: If the attack gets to this phase without being detected, a CyOPs™ playbook which calls data from a connector to Palo Alto, Check Point or F5 can look for evidence of encoded or plaintext command and control traffic. When properly configured, these connectors also have the ability to automate searching within SSL-decrypted PCAP. If command and control traffic is detected, the playbook can instruct the firewall to block the related IP address.
Step 7. Actions on Objective
During this final phase, the actor seeks to achieve their overall goal, which may vary in each intrusion. Some actors attack their victims to exfiltrate intellectual property for competitive advantage, though the majority do so for financial gain.
With CyberSponse SOAR: The CyberSponse SOAR platform enables the analyst to detect and respond to threats faster to prevent malicious actors from achieving their objective.
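The Delivery through Installation steps above describe one playbook chain: purge delivered copies of the blocked phishing email, pivot from the recipients to their workstations, and quarantine any host where the attachment is running. The following is an added illustration of that chain in plain Python; it is not CyOPs code, and the mail filter alert, Exchange search results, workstation mapping and endpoint process data are all constructed in-memory stand-ins for connector outputs.

```python
"""Constructed illustration of a Delivery-to-Installation playbook chain.
All data below is made up; the dict and list shapes are assumptions,
not the format any real connector returns."""
from dataclasses import dataclass, field

MAIL_FILTER_ALERT = {  # constructed: the alert that triggers the playbook
    "sender": "invoices@example-bad.test",
    "attachment_sha256": "aa11" * 16,
    "blocked_count": 20,
}
DELIVERED_MAIL = [  # constructed: what a search of delivered mail returned
    {"mailbox": "alice", "id": "m1", "sender": "invoices@example-bad.test",
     "attachment_sha256": "aa11" * 16},
    {"mailbox": "bob", "id": "m2", "sender": "hr@corp.test",
     "attachment_sha256": "bb22" * 16},
    {"mailbox": "carol", "id": "m3", "sender": "news@other.test",
     "attachment_sha256": "aa11" * 16},  # same attachment, different sender
]
WORKSTATION_OF = {"alice": "ws-alice", "bob": "ws-bob", "carol": "ws-carol"}
RUNNING_PROCESSES = {  # constructed: host-level process data per workstation
    "ws-alice": [{"name": "svchost.exe", "sha256": "cc33" * 16}],
    "ws-carol": [{"name": "invoice.pdf.exe", "sha256": "aa11" * 16}],
}

@dataclass
class Incident:
    """Record the playbook writes so the whole team sees the same outputs."""
    purged: list = field(default_factory=list)        # (mailbox, message id)
    exposed_hosts: list = field(default_factory=list)  # recipients' workstations
    quarantined: list = field(default_factory=list)    # hosts with the implant
    timeline: list = field(default_factory=list)       # kill-chain phase notes

def run_phishing_playbook(alert, delivered, workstation_of, processes):
    inc = Incident()
    inc.timeline.append(f"Delivery: filter blocked {alert['blocked_count']} emails")
    # Delivery: a delivered message shares indicators with the blocked ones if
    # it has the same sender or the same attachment hash.
    hits = [m for m in delivered
            if m["sender"] == alert["sender"]
            or m["attachment_sha256"] == alert["attachment_sha256"]]
    inc.purged = [(m["mailbox"], m["id"]) for m in hits]
    inc.timeline.append(f"Delivery: purged {len(hits)} delivered copies")
    # Exploitation/Installation: pivot from recipients to their workstations
    # and quarantine any host where the attachment is actually running.
    inc.exposed_hosts = sorted({workstation_of[m["mailbox"]] for m in hits})
    for host in inc.exposed_hosts:
        if any(p["sha256"] == alert["attachment_sha256"]
               for p in processes.get(host, [])):
            inc.quarantined.append(host)
            inc.timeline.append(f"Installation: quarantined {host}")
    return inc
```

The returned Incident separates hosts that merely received the email (candidates for a vulnerability-scan lookup) from hosts where the implant is running (quarantined), so the vulnerability check and the quarantine act on different lists.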
As laid out in this use case, the CyberSponse CyOPs™ SOAR platform enables analysts to begin reviewing security alerts already armed with the analytical outputs the platform provides, rather than collecting and manually reviewing raw log data.
Learn More About Additional Time-Saving Use-Cases & ROI at our Website
Interested in trying CyberSponse in your environment? Try our FREE Community Edition for a 45-day trial! For an extended FREE 60-day trial of the CyOPs™ Community Edition, reference “Marketing” in the Referred field.