Security Orchestration Automation and Response (SOAR) can be a culture shift for your operations team and possibly your entire organization.
There are many approaches to SOAR in an operations team. Given new out of the box capabilities, some tools can shift how a security operations team function. For a long time, geeks around the world threatened, “Go away or I will replace you with a very small shell script.” I think of this attempt at humor any time an analyst on my team says the words, “Oh, I will just go automate that quickly.” And my team says it a lot. The team was told a long time ago, if you do something more than three times, it is time to automate.
In early April of 2024, security researchers announced a vulnerability in the XZ project, assigned CVE-2024-3094. That morning, my threat intelligence team greeted me with multiple text messages and reports from public intelligence sources. It was a long day. The XZ utility is commonly used, and this vulnerability had a known exploit in the wild. Luckily, a Microsoft software engineer, Andres Freund, noticed a system running oddly. His discovery cascaded through my Cyber Threat Intelligence (CTI) team to my Operations (Ops) team, Vulnerability Management (VM), IT, and on down line.
Not surprisingly, the teams jumped into action, but remediation would take time. While VM, IT, and other teams tested the patch and prepared to roll it out, Ops needed to hold the line. In the world of block and tackle defensive operations, there would be a lot of noise. In my role, it is important to step back and let the smart people do the work. I patiently waited for an update that seemed to never arrive. When it did, I was pleased to see that not only had signatures been built but alert validation had been automated. In the SOAR, the alerts had been validated through the vulnerability scan results. Once the SOAR determined a system vulnerability, it sent an alert and created a rule to block the traffic. It documented this rule in a ticket, elevated the ticket’s priority, and sent a Slack message to the Ops team so they could copy the new rule and apply it.
This was all done in an hour. Of course, there are many ways for an Ops team to correlate the data within a security information and event management (SIEM) or a VM platform. But this was how my team decided to handle it.
My team also recognized that automation was not needed for every step in the workflow. There can be both manual and automated tasks throughout the workflow. An example of this is the “report phishing” workflow. Most of the major SOAR vendors have their salespeople swoop in with this solution first. It is low hanging fruit because analysts find responding to phishing reports tedious. It is a quick win that can result in many people hours saved immediately.
The workflow is simple. Every user in the company has a button they can click to report phishing. Some of the less sophisticated phishing report buttons report the suspicious email to the Ops team. Sometimes this is done without a button. Your organization might just have a distribution list that users are told to forward the email to.
Ops will review the headers, detonate links and attachments, make a determination, and respond to the user. The last step is more important than you think. But we will come back to that. If the email is determined to be malicious, a search for other such emails needs to be performed. Proxy logs need to be reviewed to see if any other workstations communicated with links or IP addresses in the email. Blocks need to be put in place. Of course, all this needs to be logged in the case management system. In a large organization, this can be tens or hundreds of emails reported daily. And each report can take upwards of an hour to fully analyze and respond.
It would be easy to just say “automate the entire thing.” But in reality, it is better to approach this in smaller chunks. First, automate the receipt of the report and ticket creation. Simple enough. Now when the user clicks on “report phishing,” a ticket is created, headers are extracted, artifacts are attached to the ticket (attachments, hash, URLs etc.), and an analyst is notified of the new ticket. Now the analyst has all the data to determine whether the email is malicious.
Second, automate the analysis of the artifacts. Before the ticket is created, your SOAR sends the attachments and URLs to your sandbox. The items are detonated, and the ticket is populated with the analysis. The ticket can be upgraded to a higher priority if the email is malicious. All blocks and mitigations put in place are done manually at this point. This allows the analysts to decide the efficacy of the determination and adjust.
This is also when automation can be used to look for other instances of the email or communications to the known bad URLs/IP addresses. Emails can be removed from inboxes before they are ever seen by the user.
Third, send the reporting user a Slack message with the determination. The importance of this step cannot be overstated. Over my many years in security the best way to ensure the “see something say something” mantra is followed is with reinforcement. Users want to know if it is a valid email. Sometimes they want to know if they CAN click on the link. When they report phishing and never hear back, they never know if it was really a malicious email. And don’t get me started on the people that use the report phishing button instead of the delete button.
In our situation, a message is sent to the user that says one of three things:
“This email appears to be malicious. An analyst is reviewing it and will reach out with more information. Excellent work identifying a phishing email and protecting the company.” A similar message is sent to the user’s manager to inform them of the accomplishment.
“This email has been reviewed by our automated system and appears to be benign. If you still believe it to be malicious, type yes and an analyst will review the email manually. You will receive a response from the analyst with their determination.”
“Our automated systems were not able to determine if this email is malicious or benign. An analyst will manually review the email and report back to you.”
This is a clear example of improving the corporate culture through continuous education and communication. You should do quarterly training with phishing assessments and communicate the results. But a simple compliment during a routine report goes a long way to reinforcing training.
The last iteration of this SOAR workflow is to implement the mitigations. This is the most sensitive and can be impacting. Doing it last is critical to ensure a low false positive rate. There can still be human intervention prior to rolling out blocks or deleting emails from the mail server.
There are many other low hanging fruits to grab using SOAR. Working for large enterprises, I have found that data loss prevention (DLP) alerts are a good start also. Using new Generative AI (GenAI) technologies allows us to take automation to another level when responding to DLP alerts. That’s for a future post.
Ready to dive deeper into Security Orchestration Automation and Response (SOAR) and other cutting-edge security operations strategies? Enroll in or register for a demo of our LDR512 course today and gain the knowledge and skills to transform your organization's security posture. Don't miss this opportunity to become a leader in cybersecurity! Check out the LDR512 course here.
