What is SOAR? Why You Need SOAR in Your Organization’s Environment
SOAR Solutions Create Proven Value and ROI Through a Significant Increase in Efficiency, Over Traditionally Manual Analysis
Now more than ever, Cybersecurity professionals are exploring and understanding the SOAR solution market, with the goal of identifying the applicability of incorporating SOAR in their environment. In the cybersecurity industry, it is common practice to evaluate attack scenarios and security incidents according to a common taxonomy. The Lockheed Martin Cyber Kill Chain® is an example of an industry-standard framework that enhances the understanding of the progression of cyber attacks. Cyber analysts use these frameworks as guidance while executing their missions to protect against, detect, and respond to cyber threats.
There are benefits to evaluating each attack against a framework to provide visibility into the full attack lifecycle. However, it is a time-consuming manual process for analysts that can slow down the response to an investigation. The time needed to resolve an incident is critical, correlating with its potential impact on an organization and its customers. Therefore, implementing a SOAR solution is an effective and reliable answer that many organizations have chosen to remedy some of the largest obstacles in cybersecurity including, alert fatigue, lack of qualified personnel, and increased efficiency.
CyberSponse is the industry-leading patented security orchestration and automation incident response SOAR platform that fills the gap between automation-only and human dependent security organizations. The CyberSponse CyOPs™ SOAR platform enables analysts to efficiently evaluate threats by automating the collection of data from hundreds of enterprise security tools. The raw log data collected and pre-processed by SOAR is then presented to analysts in a concise, visually appealing way. This enables near real-time evaluation of an attacker’s progression in the attack lifecycle. In addition to presenting data to the analyst, SOAR documents this information as part of its incident management functionality. This approach ensures analytical outputs are available to all members of the team in real-time.
The CyberSponse CyOPs™ SOAR platform creates proven value and ROI through a significant increase in efficiency, over traditionally manual analysis. Further, there are seven phases of an attack where an analyst would have data to review to understand if a malicious actor was successful. Let’s walk through a use case of a known threat actor actively targeting an organization with phishing emails and review the benefits [time, cost, accuracy, etc] the CyberSponse SOAR platform would provide.
Step 1. Reconnaissance
In this first phase during an attack, the malicious actor selects their target and performs reconnaissance to identify how to best target systems. Examples of this reconnaissance include crawling social media, search engines, company web pages, forums, etc. Generally, the actor doesn’t attack the victim network during this phase.
With CyberSponse SOAR: Ensuring your SOC is up to date with the latest CyOPs™ Connectors and Playbooks in place and having them configured to your environment is the best first defense at this phase. Our customers have access to our resource libraries with hundreds of CyOPs™ Connectors, CyOPs™ Playbooks, and CyOPs™ Training videos. These videos can help install, properly configure, and arm your SOC with confidence and ease.
Step 2. Weaponization
During this second phase, the actor creates malware which targets one or more vulnerabilities. Many actors upload custom or targeted malware to online scanning engine analyzers like Hybrid Analysis or VirusTotal to determine if any particular AntiVirus engines can detect the malware. Moreover, an analyst would want to know if a known threat actor is creating and testing AntiVirus engine evasion efficacy and if that specific piece of malware would successfully execute in the target network.
With CyberSponse SOAR: A CyOPs™ playbook that utilizes data from a connector to Hybrid Analysis can automatically pull down new or custom variants of known malware families and automatically send it to Cuckoo to determine if it would execute on a particular desktop or server image.
Step 3. Delivery
During this phase, the actor sends the weaponized file (created in step 2) to its target. In this scenario, the known threat actor delivers malware as an attachment in a phishing email. At this point an analyst would want to answer a few questions; how many emails came from the known threat actor, to whom they were sent, and what malicious code they contained.
With CyberSponse SOAR: A CyOPs™ playbook automatically executes upon receipt of an alert from your mail filter. The mail filter reports that it has blocked 20 emails that contain malicious attachments. The CyOPs™ playbook queries Exchange for any successfully delivered emails that exhibit the same indicators. If it finds any, the playbook instructs Exchange to delete the delivered emails from user inboxes.
Step 4. Exploitation
During this phase, the weaponized file executes on the victim network with the intent to exploit a vulnerability. Additionally, the analyst must determine whether the targeted systems are susceptible to the exploitation attempt from the malware in question.
With CyberSponse SOAR: A CyOPs™ playbook which calls data from a connector to Qualys can now use outputs from the most recent vulnerability scans of the workstations assigned to the users who received the phishing email to determine if their systems are vulnerable.
Step 5. Installation
After successful system exploitation, the malware maintains persistence on the now-compromised system. This is generally done by packing a backdoor or other implant in the weaponized file which was delivered, for the purpose of enabling continued access, post-exploitation.
With CyberSponse SOAR: A CyOPs™ playbook which calls data from a connector to Anomaly, Carbon Black, or Cylance can analyze host-level process data to inform the analyst whether or not specific processes exist and/or are currently running on a host. If SOAR finds malicious processes running on a host, the playbook can instruct the endpoint agent to quarantine the host. This preserves forensic data and protects the rest of the network.
Step 6. Command and Control
During this phase, the now-installed implant successfully initiates bi-directional communication between the victim and internet infrastructure controlled by the actor. Additionally, this communication channel enables the actor to maintain persistent access to the victim network.
With CyberSponse SOAR: If the attack gets to this phase without being detected, a CyOPs™ playbook which calls data from a connector to PaloAlto, Checkpoint or F5 can look for evidence of encoded or plaintext command and control traffic. When properly configured, these connectors also have the ability to automate searching within SSL decrypted PCAP. If it detects command and control traffic, the playbook can instruct the firewall to block the related IP address.
Step 7. Actions on Objective
During this final phase, the actor seeks to achieve their overall goal, which may vary in each intrusion. Some actors attack their victims to exfiltrate intellectual property for competitive advantage, though the majority do so for financial gain.
With CyberSponse SOAR: The CyberSponse SOAR platform enables the analyst to detect and respond to threats faster to prevent malicious actors from achieving their objective.
The CyberSponse CyOPs™ SOAR platform enables analysts to review security alert processes and analytical outputs provided by SOAR. Moreover, this is much more efficient compared to collecting and manually reviewing raw log data.
Written By Natalie Spaniol
Learn More About Additional Time-Saving Use-Cases & ROI at our Website.
Interested in Trying CyberSponse in your Environment? Try Our FREE Community Edition for a 45 Day Trial! For an Extended FREE 45 Day Trial of the CyOPs™ Community Edition, Reference “Marketing” in the Referred Field.