Embrace the Chaos?

So there you are, at your desk, daydreaming (about not being at your desk perhaps), when it hits your inbox.  

An email, from an internal employee, asking you to do something that is clearly Phishy.  

Since you’re a finely tuned Security Professional, you immediately recognize this for what it is. Looking around at your colleagues, a few are right there with you, while a few others are reading the email with a slight head tilt, and catch on a few moments later.

This employee, henceforth known as 'Mike', has had their account compromised, and being that Mike is rather unimportant, the attacker is casting a wider net in hopes of landing a bigger prize. 

Mike’s email is asking for his co-workers to click a link, login, and update their contact information as it’s bonus season! To make it worse everyone trusts Mike, he’s adorable, so we might have a problem here.

Let’s read as this scenario plays out shall we? 

You: “We need to contain this! Can we start with blocking that url?”

Team: “Absolutely!”

You: “How do we do that?”

Team: “No idea! Let’s call Bob the Firewall Guy!”

Bob the Firewall Guy: “Of course I can block it, but I’ll need a change request.”

Insert 2 hours of paperwork, an ad hoc implementation, test, and backout plans, and pleading with the Aileen the Change Manager to approve the Emergency Change.

Bob the Firewall Guy:  “Ok we’re done, it’s blocked!”

Everyone cheers! Sally tests it, and… 

Sally: “Uh Bob the Firewall Guy? It’s not being blocked?.”

Bob the Firewall Guy:  “Whoops, ok I think I know what I did wrong, never fear, I got this!”

Aileen the Change Manager: “You’ll need a new change for that!”

Everyone glares.

You: “While Bob the Firewall Guy works his magic, can we get these emails out of people's inboxes as well?”

Team: “Absolutely!”

You: “How do we do that?”

Team: “No idea!”

You: 

8 hours later, you and the team lock this one down, after:

• Blocking the URL and Domain on the Firewall (Took 4 tries and 2 and a half hours, but Bob the Firewall Guy got it in the end)
• Searching for and removing the emails (After paging out the Doug on the Email team because no one else had access)
• Manually resetting the passwords for the 158 users that clicked that link (that you know of.)
• Figuring out that you got an alert about a suspicious email to Mike 14 days ago, an alert that was waiting for the first person to read it… in the Teams Inbox.

Did we make this all up, or are we reliving past traumas?  We’ll let you argue that like the ending to the movie Inception.

Tame the Chaos?

If the situation above resonates with you, we’re sorry, but the real point of this is to show where Cortex XSOAR can help you to tame the chaos!

Imagine the same scenario, but as a finely tuned Security Professional you have used Cortex XSOAR to respond to the same Incident by: 

Blocking the IOCs by running a playbook that adds the Domain and URL to XSOARs indicator database. The playbook then uses the Generic Indicator Export Service integration to add them to external dynamic lists that your Next-Gen Firewall uses for blocking.   

And this time it works flawlessly because you and Bob the Firewall Guy built and tested it ahead of time for just this kind of situation!  You even made Aileen the Change Manager happy by having the playbook create a Standard Change in ServiceNow as part of its run!

Searching for and deleting the emails sent by the Attacker from Mike’s account, by once again kicking off a playbook and removing them before most employees even noticed they were there.

Resetting the passwords for Mike and Joe (the only other employee that clicked the link in the time it took you to do the above two actions) and emailing their Managers their new passwords. 

And more importantly, perhaps this event never even happened, because you setup Cortex XSOAR to ingest the alert that you missed in the first place! The playbook evaluated the alert, determined the IOCs to be malicious, and already took corrective action ahead of time! 

You Have Our Attention

We hope you enjoyed our story!

Whether you’re just starting your Security Automation journey or are a finely tuned Security Professional who is well down the path; know that 

Cortex XSOAR offers a myriad of use cases to help you tame the chaos!

Cortex XSOAR is most effective when used to:

• Centralize and respond to your most important security events, to make sure nothing is missed!
• Implement automated and/or semi-Automated workflows for those events or the most common triage, enrichment, or containment and recovery processes that your team uses.
• Leverage Threat Intelligence to provide more context to IOCs, enabling the team or your playbooks to make more accurate and informed decisions.
• Empower your Security Team to make decisions quicker and take response actions quickly and efficiently. 
• Create meaningful metrics to build out confidence in SOC processes. 
• Automate as much manual work and communication as possible!

If you’ve read this far,  we’ll leave you with a potential picture of what this could look like in your organization, in the event you have a Mike who rains chaos down on your daydreams!  

Imagine playbooks for responding to our most important alerts, or for quickly implementing our most common workflows, leaving no question as to what to do when you need to do it!

You can find more information about the above picture in our Case Management with XSOAR Webinar. 

For more information on working with XSOAR, check out our XSOAR Engineer Training series as well!

Fin.