Security Orchestration, Automation, and Response for Security Analysts - Benjamin Kovacevic - E-Book


Benjamin Kovacevic

Description

What your journey will look like
With the help of this expert-led book, you’ll become well versed in SOAR, acquire new skills, and make your organization's security posture more robust.
You’ll start with a refresher on why cybersecurity matters, why traditional tools are no longer sufficient, and how SOAR can help.
Next, you’ll learn how SOAR works and what its benefits are, including better use of threat intelligence, faster incident response, and threat hunting as part of investigations.
You’ll also get to grips with advanced automated scenarios and explore tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR.
The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios.
By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.

The e-book can be read in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 301

Year of publication: 2023




Security Orchestration, Automation, and Response for Security Analysts

Learn the secrets of SOAR to improve MTTA and MTTR and strengthen your organization’s security posture

Benjamin Kovacevic

BIRMINGHAM—MUMBAI

Security Orchestration, Automation, and Response for Security Analysts

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Senior Editor: Athikho Sapuni Rishana

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Hemangini Bari

Production Designer: Nilesh Mohite

Marketing Coordinator: Shruthi Shetty, Marylou De Mello

Business Development Executive: Prathamesh Walse

First published: July 2023

Production reference: 1230623

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-291-0

www.packtpub.com

Foreword

In today’s threat landscape, it’s very important to respond to incidents and alerts in a timely manner. An organization’s Security Operations Center (SOC) can become overwhelmed if too many alerts are generated and there are not enough SOC analysts to triage them, or skilled cybersecurity workers to fill the positions needed to respond. This is why an automated response to security incidents is a must. Security Orchestration, Automation, and Response (SOAR) is the answer to an organization’s SOC overcoming these challenges. SOAR can be used to reduce the number of alerts that need investigation and triage, to automate parts of normal investigations and save SOC analysts’ time, and more importantly, to automate remediation, leading to quick actions to resolve security incidents.

In this book, you will learn about security orchestration, automation, and response in depth, both in theory and principle, using real playbook examples to automate a response. You will learn about the tools available and the various methods to implement them as a partial or complete security incident response. Benjamin is a skilled professional and expert in SOAR, helping customers implement it and creating samples, shared through open source to help organizations enable their security automation.

Nicholas DiCola,

Vice President of Customers

Zero Networks

Contributors

About the author

Benjamin Kovacevic is a cybersecurity enthusiast with hands-on experience with Microsoft XDR and SIEM platforms. Currently working on Microsoft Sentinel as a product manager, he focuses on the SOAR component of Microsoft Sentinel and works on new capabilities that help SOCs improve their investigations and responses. Benjamin continually deepens his cybersecurity knowledge and shares what he learns about Microsoft SOAR. He is the author of the Microsoft Sentinel Automation training blog, as well as many other blog posts with tips and tricks for getting started quickly with Microsoft Sentinel Automation.

Benjamin is originally from Bosnia and Herzegovina, but he currently resides in Ireland with his wife and two sons.

I want to thank my wife, Dzenana, and my sons, Adi and Mak. Thank you for all the sacrifices you have made and for supporting me through this journey. Also, a big thanks to all the people who have made a big impact on my security journey!

About the reviewers

Guven Boyraz boasts over a decade of experience in the computer science and IT industry, specialising in cybersecurity and software product development. Throughout his career, he has provided cybersecurity consultancy services to a wide range of clients, including both enterprise-level customers and startups, primarily in London, UK. With a BSc in electrical and electronics engineering and several certifications in computer science, Boyraz has acquired a strong educational foundation. In addition to his consulting work, he has also made significant contributions as a trainer and speaker at numerous international conferences.

I truly believe all of us in the technical world and science are standing on the shoulders of giants. The giants for me are the open communities, such as OWASP, Linux communities, and GitHub, where access to information is unrestricted and people are interested in helping one another. I am deeply indebted to all the communities and the people running them. I am also thankful to my family for providing all the lifelong support and love.

Javier Soriano has more than 15 years of experience as an IT solutions architect. He has worked in multiple areas within the IT field, such as storage, virtualization, automation, and security. His current role is Senior Program Manager in the Security Engineering division at Microsoft, where he helps customers and partners implement and operate their security operations with Microsoft Sentinel.

Table of Contents

Preface

Part 1: Intro to SOAR and Its Elements

1

The Current State of Cybersecurity and the Role of SOAR

Traditional versus modern security

The current state of cybersecurity

What is SOAR?

Summary

2

A Deep Dive into Incident Management and Investigation

What are SOC tiers?

Understanding incident management

Why do we need incident management in SOAR?

Exploring incident management features

Investigating NIST and SANS incident management frameworks

Preparation

Detection and analysis/identification

Containment, eradication, and recovery

Post-incident activity/lessons learned

Incident tasks – to do or not to do

Investigation starting point – incident investigation page

The incident investigation process

Execute incident prioritization

Conduct incident triage

Dig deeper for better context

Don’t reinvent the wheel

Understanding threat hunting

Summary

3

A Deep Dive into Automation and Reporting

An in-depth view of automation

What should be automated?

Automation versus the SOC analyst

Utilizing the SOC analyst or user input for automation

Pros and cons of automation

An in-depth view of reporting

What is reporting and why is it crucial?

Are reports the new incident management?

What is the proper way to utilize reporting?

TI and TVM – how important are they?

Summary

Part 2: SOAR Tools and Automation Hands-On Examples

4

Quick Dig into SOAR Tools

Microsoft Sentinel SOAR

Incident management

Investigation

Automation

Reporting

TI and TVM

Splunk SOAR (Phantom)

Incident management and investigation

Automation

Reporting

TI and TVM

The administration pane

Google Chronicle SOAR (Siemplify)

Incident management

Investigation

Automation

Reporting

TI and TVM

Administration pane

Summary

5

Introducing Microsoft Sentinel Automation

The purpose of Microsoft Sentinel automation

All about automation rules

Navigating the automation rule GUI

Permissions

Triggers

Conditions

Actions

Rule expiration and order

All about playbooks

Navigating the playbooks GUI

Permissions

Logic Apps connectors and authentication

Triggers

Actions

Dynamic content

Monitoring automation rules and playbook health

Summary

6

Enriching Incidents Using Automation

Why should you use automation for incident enrichment?

Creating your own Microsoft Sentinel trail

VirusTotal playbook – IP enrichment

Creating a playbook

Testing a playbook

VirusTotal playbook – URL enrichment

Creating a playbook

Testing a playbook

Summary

7

Managing Incidents with Automation

Automated false-positive incident closure with a watchlist

Creating a playbook

Testing a playbook

Closing an incident based on SOC analyst input

Creating a playbook

Testing a playbook

Auto-closing incidents using automation rules

Creating an automation rule

Testing an automation rule

Summary

8

Responding to Incidents Using Automation

Automating responses to incidents

Blocking a user upon suspicious sign-in

Creating a playbook

Testing a playbook

Isolating a machine upon new malware detection

Creating a playbook

Testing a playbook

Summary

9

Mastering Microsoft Sentinel Automation: Tips and Tricks

Best practices for working with dynamic content and expressions

Understanding the HTTP action and its usage

Elements of the HTTP action

Utilizing the HTTP action

Applying API permissions to a managed identity

Exploring more playbook actions

Switch

Select and Create HTML table

Compose

Parse JSON

Summary

Index

Other Books You May Enjoy

Part 1: Intro to SOAR and Its Elements

In the first part, we will introduce cybersecurity and explain why we are speaking about new security tools such as SOAR, as well as introducing SOAR and its importance. In addition to this, we will go over the main elements of SOAR and why they play such a crucial role in SOCs.

This part contains the following chapters:

Chapter 1, The Current State of Cybersecurity and the Role of SOAR
Chapter 2, A Deep Dive into Incident Management and Investigation
Chapter 3, A Deep Dive into Automation and Reporting

1

The Current State of Cybersecurity and the Role of SOAR

Ransomware, data leaks, phishing, denial of service… these are terms that everyone, even those outside the IT industry, will have heard repeatedly in the last few years. Everyone has received an email from a Nigerian prince or some long-lost rich relative from Africa at least once. These are basic examples of a cyberattack called phishing, and they still succeed often enough to be worth the attacker's time. More tailored phishing attacks (common ones being a request to change your password or a notification that your account will be deleted if you don’t click on a link) have an even better success rate. Why is that so? Because bad actors are smart.

The first aspect to consider is that they use many techniques to make their email seem as legitimate as possible. The second, which is not a technical matter at all, is the psychological part. It manifests itself in a few different ways: someone pretending to be your boss (using sender spoofing), an email conveying a sense of urgency, or an email sent at the end of working hours, when employee concentration is at its lowest. Because of this, organizations are on the lookout for more advanced systems that help them respond to these attacks in a matter of minutes. That is where Security Orchestration, Automation, and Response (SOAR) comes in to save the day.

In this chapter, we will cover the main changes within cybersecurity and how those changes affect our everyday lives. A few years back, cyberattacks mainly affected organizations, but today their impact is felt by ordinary people as well, and that is not something that will change overnight. To fight back and improve their security posture, organizations can draw on many security tools. One of them is SOAR, and we will explain why SOAR is a must for every organization today.

In a nutshell, this chapter will cover the following main topics:

Traditional versus modern security
The current state of cybersecurity
What is SOAR?

Traditional versus modern security

Security plays a significant role in our everyday lives, and it has done so since the start of civilization, when people first built fortifications. If we go back through history, we can see how people built their fortifications on the top of a hill or at a river fork and, where neither was available, dug ditches around them, built big walls, and so on. All of this had one aim in common: securing people and their property against attacks from other tribes or countries.

As those fortifications were built, attackers always sought a way to penetrate them. Some attacks were massed assaults directly on the fortifications; others relied on sending a single person to open the front or back gate, or on creating a diversion.

Probably the most famous of these, whose IT equivalent appears every day, is the Greek attack on Troy. Because of Troy’s fortifications, the Greeks couldn’t penetrate the city, even though they had a massive army and the numbers were on their side. That all changed when Odysseus came up with the idea of a deception. The Greek forces pretended to retreat and left a giant wooden horse, supposedly as an offering to the gods, for the people of Troy. And what did they do? The people of Troy pulled the wooden horse into the city, not knowing that Odysseus and his best fighters were hiding inside it. In the early morning, while everyone was sleeping, Odysseus and his picked men climbed out of the horse and opened the gates for the rest of the army. After that, all the defenses in place fell apart, and Troy was defeated.

If you are in cybersecurity, even if you don’t know this story about Troy, you will know what a Trojan horse is: malware that misleads users about its true purpose. While it appears to be legitimate software, it carries malicious code. It works in much the same way as it did 3,000 years ago.

We can see that many types of attack and defense recur throughout history; the only part that changes is how they are performed. We can look at a full army assault on a fortress as a Distributed Denial-of-Service (DDoS) attack, a Trojan horse as a payload being delivered, a ransomware attack as Vikings demanding gold and valuables to halt their attack on Britain, a spyware intrusion as a spy sent to gather information on the fortress defenses from the inside, and so on. From a defense perspective, we can see how everyone started with a perimeter defense by building walls or placing a fortress at the top of a hill. Then, they moved to layered defense by adding moats in front of the walls. The best example of a historic layered defense was Constantinople. It started with a single wall, and in the end it had a moat, a low wall, an outer wall, and an inner wall. If we look at cybersecurity, we can see a similar approach: a single barrier to protect the perimeter, the firewall, followed by additional layers such as DDoS protection, a Web Application Firewall (WAF), antivirus solutions, and so on.

Looking at this parallel, we can all agree that these defense strategies weren’t enough and that even the most robust defenses fell under heavy attack. Even the great Constantinople, probably the best-defended city of all time, fell to the Ottoman siege of 1453.

Why? Because methods of attack evolved faster than methods of defense, and the gap was hard to close.

The same is true for cybersecurity. As mentioned, we start with perimeter defense and then add layered defense, but even that isn’t sufficient. Methods of attack evolve, and bad actors always find a way past existing systems. One thing is certain: traditional systems are outdated, and many organizations are updating their cybersecurity as a result.

There are a few reasons why this is happening:

An important aspect is that people are more aware of how their personal information is used, how it is handled, and how it can be misused. People used to trust websites to use their information internally, but those websites sold it to advertising companies. People now expect more rigorous privacy and security for the data they share on websites.

Second on the list is reputation. Many organizations that suffer an attack lose reputation, and in the end, smaller organizations often don’t survive it. The loss of existing clients, and the absence of new ones to replace them, hurts many small and medium organizations after a cyberattack. Big organizations recover more easily because of their size, but they still suffer heavy losses.

The third is bankruptcy, which in most cases is directly connected to ransomware. First, you pay to decrypt your data, and on top of that, you bear the cost of not running your business. Coupled with a loss of clients, this will bring small and medium organizations to their knees very quickly. In addition, companies that have suffered a successful cyberattack end up having their information shared on the dark web. Consequently, they are often targeted by even more bad actors with financial gain as their motive.

Today, organizations either need to update their defense strategies to stay ahead of bad actors or risk a significant cybersecurity incident resulting in considerable financial losses – initially or in the long run.

The current state of cybersecurity

The last few years have changed how businesses operate, and standard working will never be the same. Digital transformation and the COVID-19 pandemic have fundamentally changed the way we work. Modern collaboration tools, such as Microsoft Teams, Slack, Zoom, and so on, make it possible for people to work from any location and still collaborate with their peers. When the COVID-19 pandemic started, everyone had to work from home, and something that started as a temporary solution has changed how people work permanently. It hasn’t just changed the way people work, though. It has also changed how people connect and which networks they use; in other words, it has changed cybersecurity. A traditional perimeter no longer helps: people are expected to work outside the corporate network, and we must find new ways to protect them. The second thing to consider is that people don’t just use corporate devices to connect to corporate resources; they use personal devices as well.

Creating boundaries is becoming harder and harder, and organizations must find new ways to protect their resources. Traditional systems aren’t enough anymore. The first tools that people turn to have been on the market for years: Mobile Device Management/Mobile Application Management (MDM/MAM), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR) platforms, Data Loss Prevention (DLP), and so on.

Introducing more security tools and hardening the working environment has a direct impact on productivity. Employees are expected to enroll devices in MDM, set up and pass MFA, avoid copying data to USB drives, refrain from continuing their work on other devices, and avoid sharing links with anyone. This significantly hampers their ability to collaborate efficiently. Cybersecurity experts need to find a middle ground between productivity and security; under this pressure, that often means sacrificing security until a cybersecurity incident occurs.

To be able to detect security incidents as they happen, more advanced solutions are required: traditional ones such as Security Information and Event Management (SIEM), more modern ones such as Extended Detection and Response (XDR), and the Zero Trust model as the underlying approach. SIEM allows us to collect logs from various solutions and correlate those events so that threats are easier to detect. On its own, however, it is of limited use. A SIEM is only as good as the logs it ingests, and we also need excellent Security Operations Center (SOC) analysts who can define detection rules, do cyber threat hunting, and react to the security incidents the SIEM raises. This is why most new SIEM solutions add Artificial Intelligence (AI), Machine Learning (ML), User and Entity Behavior Analytics (UEBA), Threat Intelligence (TI), and so on, into the mix to help with detection. But what about the response? How do we acknowledge and resolve security incidents?

One of the more modern tools is XDR. This is not a single tool but a group of tools that work together to correlate cyber threat detections. In most cases, XDR covers identities, email, endpoints, servers, and cloud workloads. It uses AI and ML in the background to connect detections from these layers, which are often handled separately by different solutions, into a single incident that outlines the kill chain of an attack as it unfolds across an organization. While XDR is a must-have for most organizations, it still doesn’t cover the whole security stack: it typically cannot ingest TI feeds, firewall logs, third-party detections, and so on. For that reason, XDR is usually connected to a SIEM for correlation with other sources.

One thing we have seen with XDR is a change in the complexity of organizations’ cybersecurity. Ten years ago, organizations did not use the same vendor for different layers of protection. The idea was that if one vendor's product failed, another vendor's would still be there to protect you. But how wrong was that?

First, our security experts had to learn to work with and manage multiple solutions and vendors, which meant logging in to multiple portals every day. For big organizations, the number of security solutions and vendors in use could exceed 40! Second, those solutions did not speak to each other: they did not share intelligence, and they did not correlate their data. Without a SIEM collecting events from all devices, it was almost impossible to make connections between different security incidents. XDR changed this, as the idea behind it is for solutions to speak with each other, share intelligence, and correlate events for better detection. Another significant benefit is that it is all in one portal, which lets security experts focus on one unified product rather than five different ones.
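The correlation that the SIEM and XDR paragraphs above describe, stitching detections from separate layers into one incident with a kill chain, is easier to see in code. The following is an added example written for this edition, not code from the book or from any of the products it names. Every log line in it is constructed, and the line layout (timestamp, source, key=value pairs) and the action-to-stage mapping are assumptions chosen for the example.

```python
"""Cross-source correlation in the spirit of a SIEM or XDR: parse events
from several security layers and stitch those that share a user inside a
time window into one incident that lists the kill-chain stages seen so far.

Added example, not code from the book. Every log line below is constructed,
and the line layout is an assumed format, not any vendor's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three layers: email gateway, EDR, identity provider.
SAMPLE_EVENTS = """\
2023-06-01T08:02:11Z email user=jdoe host=- action=attachment_opened subject="Invoice 4471"
2023-06-01T08:03:40Z edr user=jdoe host=WS-0142 action=child_process parent=WINWORD.EXE child=powershell.exe
2023-06-01T08:04:05Z edr user=jdoe host=WS-0142 action=outbound_conn dst=203.0.113.50:443
2023-06-01T08:06:30Z idp user=jdoe host=- action=signin_fail src=198.51.100.7
2023-06-01T08:06:32Z idp user=jdoe host=- action=signin_fail src=198.51.100.7
2023-06-01T08:06:35Z idp user=jdoe host=- action=signin_success src=198.51.100.7
2023-06-01T09:15:00Z idp user=asmith host=- action=signin_success src=192.0.2.10
"""

# Assumed mapping from a raw action to a coarse kill-chain stage.
STAGE_BY_ACTION = {
    "attachment_opened": "initial-access",
    "child_process": "execution",
    "outbound_conn": "command-and-control",
    "signin_fail": "credential-access",
    "signin_success": "credential-access",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one log line into a dict; returns None for lines that don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "source": m["source"],
    }
    for key, value in KV_RE.findall(m["kv"]):
        event[key] = value.strip('"')
    return event


def _build_incident(user, cluster, min_sources):
    """Promote one user's cluster of events to an incident only if enough
    independent sources contributed; otherwise it stays a lone alert."""
    sources = {e["source"] for e in cluster}
    if len(sources) < min_sources:
        return None
    stages = []
    for e in cluster:  # cluster is time-ordered, so stages come out in attack order
        stage = STAGE_BY_ACTION.get(e["action"], "other")
        if stage not in stages:
            stages.append(stage)
    return {
        "user": user,
        "first_seen": cluster[0]["ts"],
        "last_seen": cluster[-1]["ts"],
        "sources": sorted(sources),
        "hosts": sorted({e["host"] for e in cluster if e["host"] != "-"}),
        "kill_chain": stages,
        "event_count": len(cluster),
        # More distinct stages means the attacker got further: rate it higher.
        "severity": "high" if len(stages) >= 3 else "medium",
    }


def correlate(log_text, window=timedelta(minutes=30), min_sources=2):
    """Group events per user, cut the stream where an event falls more than
    `window` after the first event of the current cluster, and emit incidents."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    incidents = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs:
            if cluster and e["ts"] - cluster[0]["ts"] > window:
                inc = _build_incident(user, cluster, min_sources)
                if inc:
                    incidents.append(inc)
                cluster = []
            cluster.append(e)
        inc = _build_incident(user, cluster, min_sources)
        if inc:
            incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"[{inc['severity']}] {inc['user']} on {inc['hosts']}: "
              f"{' -> '.join(inc['kill_chain'])} "
              f"({inc['event_count']} events, sources={inc['sources']})")
```

Run on the constructed sample, the six jdoe events from email, EDR and the identity provider collapse into one high-severity incident whose kill chain reads initial-access, execution, command-and-control, credential-access, while the lone asmith sign-in stays an isolated alert because only one source saw it. The `min_sources` threshold is the part worth tuning in practice: it is what keeps a single noisy sensor from generating incidents by itself.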

Why is it essential to find new ways to protect organizations? Because bad actors are improving their game daily. Just in the last few years, we have had significant cyberattacks, including the Colonial Pipeline ransomware attack, the NotPetya attack on Maersk, the SolarWinds supply-chain breach, and the Log4Shell vulnerability in Log4j (CVE-2021-44228), plus many data breaches in which bad actors have stolen terabytes of personal data. These are only some of the attacks that have been top news worldwide. Even people who don’t know what a cyberattack is have started asking what is happening, because the impact of each attack was so significant. The Colonial Pipeline attack raised a lot of concern and panic among people in the United States; because of it, a few states even reported fuel shortages. Even though Colonial Pipeline paid the ransom (75 bitcoin, worth roughly 4.4 million US dollars at the time), restoring operations took them several days. As a direct consequence of the attack, fuel prices in most of the United States went up.

This is only one example of how a cyberattack on critical infrastructure can affect an organization and a whole country. Considering that most critical infrastructure (electricity, water, fuel, gas, and so on) is controlled by computers, we can see why staying at least one step ahead of bad actors is crucial.

There are many different figures for the average cost of a cyberattack, but in most estimates it is around $4 million. That cost is not only the ransom but also the cost of returning to an operational state and of losing customers. If we look at the Marriott hotel data breach, the total cost could end up in the billions once the GDPR fine and user lawsuits are included. In other words, there are, on average, millions of reasons to think about cybersecurity.

However, cyberattacks don’t just hit organizations; they are also a method of modern warfare. There have been a few examples throughout history, but the latest is probably the clearest. When Russia invaded Ukraine, the war didn’t start solely with conventional military means, such as guns, tanks, and planes. Cyber warfare was a big part of it, and numerous attacks on Ukrainian infrastructure were reported.

Considering that more and more remotely managed drones are in the sky, it shows how serious things can become in the future if technological infrastructure is not protected.

While we can invest a lot of money in security equipment, two significant issues still top the list of how a cyberattack starts. The first is misconfiguration, and the second is the user.

As mentioned, many organizations invest a lot in security equipment but not in security experts or in training their personnel to configure those solutions correctly. Even a minor misconfiguration can leave an opening that a bad actor can use. Hiring security experts and investing continuously in cybersecurity personnel is more important than the security solutions themselves. Cybersecurity personnel must stay ahead of bad actors to protect critical infrastructure. While AI and ML play a significant role in cybersecurity, they are unlikely ever to replace security experts: the most sophisticated attacks are usually detected not by tools but by experts hunting for anomalies in raw system logs.

Users are probably the biggest cybersecurity risk every organization faces. It is a common saying in cybersecurity that every organization has at least one user who will click on every link. That is why phishing is still the most common attack on organizations. Every organization must invest in user education to reduce the risk of users clicking a link in an obvious phishing email or downloading attachments from unknown sources. Educating users is a long process, and even then the risk remains. As mentioned earlier, bad actors are smart and target users strategically, for example when they know concentration will be lowest at the end of working hours.

On top of that, think about every conversation ever had with users about passwords. It is common for users to pick the same password for business and personal use and reuse it across all platforms. Some people use two different passwords, but rarely three or more. This directly affects an organization’s security because many platforms don’t enforce strong password policies or lockouts, but that is not the only problem! Users build their passwords from personal information (a place of birth or residence, the names of pets or children, important dates, and so on) and then make all of that information publicly available on social media (pictures, About Me sections, favorite movies, quotes, and more). Because of all this, it is easy for bad actors to plan their attacks. First, social media gives them everything they need to build a dictionary for a targeted brute-force attack. Second, they can run that attack against a less secure platform and then reuse the recovered password on corporate logins, a technique known as credential stuffing. This is essentially why many organizations implement MFA.
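To make the "dictionary built from social media" point concrete, here is an added example, written for this edition rather than taken from the book: it generates the candidate list an attacker would derive from a handful of public profile fields and then uses the same list as a server-side check that rejects passwords derived from them. The profile, the years, the suffixes and the mutation rules are all constructed assumptions, deliberately a small subset of what real wordlist generators apply.

```python
"""How much of a user's "personal" password space an attacker covers with
nothing but a social-media profile: build the OSINT-derived candidate list,
then reuse it as the check a password-change flow should run.

Added example, not code from the book. The profile, years and mutation
rules below are constructed assumptions for the demonstration.
"""
import itertools

# Constructed profile of the kind scraped from an "About Me" page.
PROFILE = {
    "first_name": "alex",
    "pet": "fluffy",
    "city": "dublin",
    "child": "sam",
    "team": "arsenal",
}
# Years an attacker would pull from birthday posts, in full and short form.
YEARS = ["1987", "2015", "87", "15"]
# Suffixes people add to satisfy "must contain a digit / symbol" rules.
SUFFIXES = ["", "!", "1", "123", "!!", "#"]
# Common "leet" substitutions; only lowercase letters, as people usually type them.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def casings(word):
    return {word.lower(), word.capitalize(), word.upper()}


def mutations(word):
    """Casing variants of a token, each with and without leet substitution."""
    out = set()
    for w in casings(word):
        out.add(w)
        out.add(w.translate(LEET))
    return out


def candidate_passwords(profile, years=YEARS, suffixes=SUFFIXES):
    """Every token mutation x year x suffix, plus two-token combinations."""
    tokens = [v for v in profile.values() if v]
    candidates = set()
    for token in tokens:
        for base in mutations(token):
            for year in [""] + list(years):
                for suffix in suffixes:
                    candidates.add(f"{base}{year}{suffix}")
    # Pet + child, city + team, ... in both orders, e.g. "FluffySam!"
    for a, b in itertools.permutations(tokens, 2):
        for ca in casings(a):
            for cb in casings(b):
                for suffix in suffixes:
                    candidates.add(f"{ca}{cb}{suffix}")
    return candidates


def is_guessable(password, profile):
    """True when the password sits inside the OSINT-derived candidate set,
    i.e. the attacker needs at most a few thousand guesses, not billions."""
    return password in candidate_passwords(profile)


def password_check(password, profile):
    """The server-side check a registration or password-change flow would run.
    Guessability is tested first so that the finding is reported even when
    the password also fails the length rule."""
    if is_guessable(password, profile):
        return "derived from public personal information"
    if len(password) < 12:
        return "too short"
    return "ok"


if __name__ == "__main__":
    pool = candidate_passwords(PROFILE)
    print(f"{len(pool)} candidates from {len(PROFILE)} profile fields")
    for pw in ["Fluffy2015!", "Dubl1n87!", "FluffySam123", "correct horse battery staple"]:
        print(f"{pw!r}: {password_check(pw, PROFILE)}")
```

Five profile fields, four years and six suffixes already yield well under two thousand candidates, a list that any platform without lockout will accept in minutes and that covers "Fluffy2015!", "Dubl1n87!" and "FluffySam123" alike. The defensive use is the same lookup run at password-set time; NIST SP 800-63B requires verifiers to screen new passwords against a blocklist that includes context-specific words such as the username and derivatives of it, and this check is the personal-information analogue of that rule.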

The biggest challenge for modern SOCs is the sheer volume of raw data and security incidents, which drives up the time needed to acknowledge and respond to each incident. The initial triage of an incident can take a while, even an hour, if a SOC is inefficient or, more commonly, if there are not enough SOC analysts. That can mean the cyberattack is detected too late, after it has already spread through the system.