Resilient Playbook and automated actions for Threat Hunting and DFIR

IBM Resilient SOAR, QRadar, Carbon Black Response, QRadar, A10 Proxy, MITRE ATT&CK

By Rukhsar Khan on Sunday, March 31, 2019

Figure 1.40 is further elaborating on how the playbook that is eventually providing task instructions to the analyst teams looks like. Some initial triage task instructions are listed under the Stage 1 Analysis phase of the incident which are processed by the Security Operations team. Once completed, the incident is handed off to the Threat Hunting team for scoping the attack and developing further intelligence. As you can see, all the TTP task instructions regarding APT28 have been loaded into the Stage 2 Analysis phase of this playbook.

Figure 1.40: MITRE Playbook loads TTPs for APT28

It is important to note that the Threat Actors are watching the endeavours of the Cyber defense community exactly in the same way as we are observing their movements. We expect them to change their attack vectors once they know that we have identified these. This means that we need to be agile in Incident Response and quickly adapt to changing attack vectors.

Figure 1.41 is showing the details of the MITRE: Threat Hunting: Preparations task. The goal of this task is to identify additional TTPs that have been used by an attacker as part of the local compromise. Additional TTP task are loaded into the playbook once the question in the left bottom corner “Which additional TTPs have been identified” is answered. However, answering this question requires to first trigger the action CB Response: Threat Hunting demonstrated in figure 1.42.

Figure 1.41: MITRE Threat Hunting preparations

This actions pulls in the findings of Carbon Black (CB) Response into a Resilient data table named “MITRE TTP staging table" via an integration with the Carbon Black API for Python (CBAPI). More precisely, we have activated the Threat Intelligence (TI) named “MITRE ATT&CK” within CB Response and configured it to generate alerts whenever some endpoint activity matches this TI.

Figure 1.42: MITRE TTP staging table – Threat Hunting

This allows the Threat Hunting team to triage the table details and switch to the CB Response UI as required in order to understand the individual TTP details by triggering ad-hoc queries and conducting live response.

Figure 1.43: Carbon Black Response UI – Threat Hunting

Once the Threat Hunting team works through the individual TTP tasks and scopes the attack, it provides additional intelligence to the Secops and DFIR teams. E.g. if it has identified that the attacker is about to exfiltrate data, they can advise the Secops team to limit the capabilities of the intruder. Also, as part of the scoping process the Threat Hunting team narrows down an attack to a few highly suspicious or confirmed compromised systems while scanning thousands or tens of thousands of endpoints.

Figure 1.44: Carbon Black Response UI continued – Threat Hunting

When a small amount of confirmed compromised systems has been identified, an automated action for creating a memory dump of each of these endpoints helps the Threat Hunting team in handing these images off to the DFIR team. The DFIR team can then go for the deep dive forensic analysis and work on a strategy for a fully-fledged remediation, eradication and recovery process.

  • Individual TTP analydid / CB Response UI / Resilient TTP tables - Threat Hunting
  • Develop further intelligence / Build lateral movement graph - Threat Hunting
  • Limit capabilities of intruders / Containment - Secops
  • Image highly suspicious endpoints and hand-off to forensic team for analysis - DFIR
  • Fully-fledged remediation, eradication and recovery - DFIR

Figure 1.45: Next steps

Figure 1.46 shows additional automated actions in IBM Resilient that aid in further streamlining the security and forensic analysis as well as limit the capabilities of the intruder. E.g. the action CB RESPONSE: Create memdump creates a memory dump for the selected endpoint, VOLATILITY: Scan memory image allows to analyze the memory dump with the open source tool Volatility, A10: Activate SSL interception and A10: Deactivate SSL interception enables and disables SSL interception on the A10 SSL interception proxy and the action A10: Block IP address allows to block an IP address.

Figure 1.46: Additional actions for Secops, Threat Hunting and DFIR

The ultimate goal of the automations provisioned in Resilient is to drastically reduce analysis and response time as well as understand and keep track of the full scope and complete impact of an attack while allowing multiple Cyber Security teams to collaborate in a single platform.

For the remainder of this publication we will demonstrate how we are implementing the individual TTP detection and mitigation instructions with workflows and playbooks. Integral parts will be to demonstrate how security analysts will stay focused by using these playbooks and how they can drastically reduce the time to respond by leveraging Resilient automation and orchestration techniques. The security analysts will be able to watch the movements of the intruder and limit their capabilities while the L2/L3 teams will be working on a strategy to completely remove the intruder’s foothold (fully-fledged remediation, eradication and recovery) from the compromised environment.