Playbook of the Week: Automating Attack Surface Management with Cortex XSOAR

Modern organizations no longer have a defined perimeter. Your attack surface spans on-premises infrastructure, the cloud, and your supply chain, and it changes constantly as internet-connected assets are created, moved, or reconfigured. Manually maintaining an accurate and up-to-date inventory of these internet-connected assets is an impossible task, but luckily you don’t have to do it alone.


Cortex Xpanse by Palo Alto Networks protects the world's largest organizations by discovering and monitoring every asset you have connected to the internet and provides complete visibility into everything you own, including IP addresses, domains, certificates, and cloud infrastructure. Xpanse gathers data from DNS records, domain registrars, business registration databases, and dozens of other data sources to not only comprehensively discover, but also accurately identify every single one of your internet-connected assets.

This data is used to create an intelligent, continuously updated inventory of assets unique to each organization, complete with potential exposures and attribution information. With this wealth of knowledge and information, you can easily identify, prioritize, and route issues to the relevant stakeholders for remediation. And you can also build resilient security processes to automate actions regarding risky services and exposures with Cortex XSOAR’s automation capabilities.


Cortex Xpanse and XSOAR work together to enable automated attack surface management. Xpanse’s global internet collection and attribution platform continuously discovers and monitors your organization’s attack surface for exposed internet assets and risky services. When integrated with Cortex XSOAR, the two products can help you discover and manage shadow IT assets that are exposing confidential services to the internet and automate the entire process of detection and risk mitigation to drastically reduce your attack surface.


What is Cortex Xpanse and Attack Surface Management?


Cortex Xpanse brings a unique level of visibility to security through the continuous scanning of exposed assets. Xpanse scans the entire internet for publicly exposed assets, allowing you to discover, evaluate, and mitigate cyber attack surface risks. You can also evaluate supplier risk and assess the security of acquired companies with Xpanse Link.


Because Xpanse provides a complete, accurate, and continuously updated inventory of all of your global internet-facing assets, your security operations team has no blind spots: assets that IT staff may be unaware of or may not be monitoring are still found. This includes exposure categories such as:


  1. Remote access service
  2. Insecure file sharing or exchanging services
  3. Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems
  4. IT admin system portals
  5. Sensitive business operation applications
  6. Unencrypted logins and text protocols
  7. Directly exposed Internet of Things (IoT) devices
  8. Weak and insecure/deprecated cryptography
  9. Exposed development infrastructure
  10. Insecure or abandoned marketing portals


What does the Cortex Xpanse Content Pack do?


The Palo Alto Networks Cortex product suite already provides enterprise-wide visibility, prevention, detection, and response capabilities, and Xpanse extends these capabilities across exposed and untracked externally-facing assets. The Palo Alto Networks Cortex Xpanse content pack enables an automated approach to attack surface management and risk mitigation by operationalizing Xpanse’s findings to drastically reduce an enterprise’s attack surface.


The integrations included in the pack enable fetching and mirroring of Xpanse Issues into Cortex XSOAR incidents, and ingestion of indicators (IPs, domains, and certificates) referring to the corporate network perimeter as discovered by Xpanse.


Through a powerful set of playbooks, analysts can correlate the discovered information with data provided by internal security systems (Palo Alto Networks Cortex Data Lake, Prisma Cloud, Panorama, Active Directory, Splunk SIEM, etc.) to pinpoint asset owners and automate remediation.
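The attribution step described above, reduced to its core logic, as an added example that is not code from the Xpanse content pack or its playbooks. It assumes a constructed internal inventory (IP ranges and domains mapped to owner contacts, standing in for CMDB or Active Directory data) and a constructed sample of discovered assets; findings that match no internal record are the shadow IT candidates that need manual follow-up.

```python
import ipaddress

# Constructed internal inventory: who owns which public ranges and domains.
INTERNAL_RANGES = {
    "203.0.113.0/24": "netops@example.com",
    "198.51.100.0/25": "webteam@example.com",
}
INTERNAL_DOMAINS = {
    "example.com": "webteam@example.com",
    "corp.example.com": "it-admin@example.com",
}

# Constructed sample of findings, shaped like an external discovery feed
# (asset type, asset value, exposure category).
DISCOVERED = [
    {"type": "ip", "value": "203.0.113.45", "exposure": "Remote access service"},
    {"type": "domain", "value": "dev.corp.example.com",
     "exposure": "Exposed development infrastructure"},
    {"type": "ip", "value": "192.0.2.10", "exposure": "IT admin system portals"},
]


def attribute(finding, ranges=INTERNAL_RANGES, domains=INTERNAL_DOMAINS):
    """Return the owner contact for a finding, or None when nothing internal matches."""
    if finding["type"] == "ip":
        addr = ipaddress.ip_address(finding["value"])
        for cidr, owner in ranges.items():
            if addr in ipaddress.ip_network(cidr):
                return owner
    elif finding["type"] == "domain":
        # Walk from the most specific suffix upward so that
        # corp.example.com wins over example.com for its subdomains.
        labels = finding["value"].lower().split(".")
        for i in range(len(labels)):
            owner = domains.get(".".join(labels[i:]))
            if owner is not None:
                return owner
    return None


def route(findings, ranges=INTERNAL_RANGES, domains=INTERNAL_DOMAINS):
    """Group findings per owner; unattributed ones are the shadow IT candidates."""
    routed, unattributed = {}, []
    for finding in findings:
        owner = attribute(finding, ranges, domains)
        if owner is None:
            unattributed.append(finding)
        else:
            routed.setdefault(owner, []).append(finding)
    return routed, unattributed
```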


[Figure: Automated Attack Surface Management]


What does this content pack do?


  • Provides the Cortex Xpanse integration, which allows XSOAR to collect Xpanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update issues and assets in Xpanse. The integration also supports the services API.
  • Provides a feed integration named Xpanse Expander Feed, which is compatible with the Cortex XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, domains, certificates) in Cortex XSOAR for analysis and correlation.
  • Provides an Xpanse Issue incident type with dedicated fields and layouts.
  • Provides a rich set of playbooks and sub-playbooks that handle the investigation and remediation of Xpanse Issues.
  • Provides dashboards that display the network perimeter as discovered by Xpanse and the status of Xpanse Issues.




How do I use this pack?


  • Configure the Xpanse integration to ingest Xpanse issues and data.
  • Select “Incident - Attribution Only” as the default playbook to perform enrichment only (no remediation).
  • This pack also includes a generic playbook called Xpanse Incident Handling - Generic. To use it, configure the instance and choose Xpanse Issue - Generic as the incident type.

[Figure: Handle Xpanse Incident - Remediation Playbook]



For more information on the Cortex Xpanse Attack Surface Management Content Pack, visit our Cortex XSOAR Developer Docs.

For more details on how you can maximize the entire Cortex product line, check out the blog “Building a Virtual SOC with the Cortex Suite of Products”.


Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.


Please Suggest Other Ideas or Vote!


If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page:

