Cortex XSOAR Marketplace: a new way to SOAR
In these challenging times, when most of the workforce is remote and there’s no end to the influx of security alerts, security teams within a SOC are looking for new and innovative ways to automate their mundane tasks. Many of our customers have asked us about what other XSOAR customers are doing or using to solve a particular use case. What playbooks are they using or building that we can take advantage of and are different from what’s available out of the box?
These are all valid and important questions. Every SOC is different and requires a different approach. One thing is for sure; they all need security automation. Innovation is at the heart of automation. No matter how many built-in integrations a vendor provides, it cannot compare to what an open community can produce. They can build playbooks that no one has ever thought of before. The possibilities are endless!
Cortex XSOAR marketplace is the only security orchestration, automation, and response (SOAR) exchange that makes it easier for security teams to find and share security orchestration innovations built by the world's largest SOAR ecosystem. Built on an extensible SOAR platform, now you can accelerate automation usage within your SOC.
Fig 1: Cortex XSOAR Marketplace
This is the largest SOAR marketplace, consisting of free and paid content packs offered by industry experts and more than 470 integration partners. Not only are they verified by Palo Alto Networks, but they also include ratings and reviews by industry peers, giving you peace of mind and confidence that these turnkey packs can be activated with a single click. These packs can consist of any of these capabilities:
Technology Integrations: Prebuilt actions that perform functions across the platform and the ecosystem of technology integrations
Orchestration Playbooks: Prebuilt automated orchestration playbooks for simplified security investigation and response
Automation Scripts: Prebuilt integrations with leading security products and technology vendors
Dashboard layouts: Curated dashboard views of specific data sets that support critical security use cases, playbooks, and integrations
Subscription Services: Content service offerings
Fig 2: Palo Alto Networks Cortex XDR Content Pack
With granular search capabilities, you can quickly discover content packs that are relevant to your environment and can address the toughest use cases, enabling security teams to filter by use case, integration, category, publisher, rating, review, verification and much more.
Fig 3: Cortex XSOAR Marketplace search capabilities
Your adversaries are not slowing down. They are using more automation to launch their attacks, and you need to continually adapt and stay ahead of the curve. XSOAR Marketplace gives you that edge by harnessing the power of the largest SOAR ecosystem: our technology partners introduce new, innovative packs, combined with a community of thousands of users who are continually building and sharing new playbooks that solve the most challenging use cases.
To learn more about Cortex XSOAR Marketplace release, go here: https://blog.paloaltonetworks.com/2020/08/cortex-xsoar-marketplace/
Visit our Cortex XSOAR Resource Page for more information.
Cyberattackers look for fast and easy ways to steal your data. Among the many techniques in their playbooks, using scripts is a quickly growing trend. Why? Because:
Scripts are easier to obfuscate than a PE (portable executable) file
Scripts are harder to detect based on file type and syntax (since a script is merely a text file)
Scripts will run across platforms (no need to recompile for Windows 7, XP, etc.)
Scripts are easier to generate (no compilation process, just simple text changes)
Scripting languages are easier to learn than programming languages
Scripting is an extremely useful toolset. It gives administrators and power users a way to automate repetitive tasks and multitask effectively. If you have ever opened a Microsoft Office file, you have probably encountered "macros", which may execute VBScript. These tools help accelerate productivity, but can also be used for a darker purpose. Adversaries can leverage scripting languages to ingest and execute code, exploit vulnerabilities in the system, and potentially gain privileged access.
They are continuously finding clever new ways to hide these malicious scripts in seemingly safe content. For example, they can use password-protected archive formats (.ZIP, .RAR), or embed them in commonly used Windows PE (executable) files and documents, successfully evading legacy sandboxing tools. In most cases, attackers use social engineering techniques to build emails that deliver the script and appear to come from a trusted source within the company, increasing the chances of an employee engaging with it.
How WildFire Protects
The Palo Alto Networks WildFire malware analysis service has added an innovative new detection technique to mitigate script-based attacks. When scripts are identified traversing the network, our Security Operating Platform immediately identifies and forwards the files to WildFire for analysis and execution. In order to reveal even the most evasive advanced attacks, WildFire utilizes multiple techniques, including static analysis and dynamic analysis, to identify the true intent of the script. Once the verdict is determined, protections are shared with the global community within minutes, spreading immunity worldwide.
WildFire now supports the following script file types:
PowerShell Script (.ps1)
Shell Script (.sh)
POP3, SMTP, IMAP
For example, a user receives and executes a malicious script delivered via email. WildFire receives and analyzes the script, delivering domain signatures and URL recategorization to block the secondary malicious payloads. Here is a visual representation of the lifecycle:
The next step would be to determine the purpose and potentially targeted nature of this attack. The Palo Alto Networks AutoFocus Threat Intelligence service provides rich context and attribution: you get instant access to billions of public samples and trillions of artifacts collected and processed by the WildFire global infrastructure. Security analysts can quickly identify potential impact by combining Unit 42 human intelligence with automated analysis. As a result, you have fast access to the right data, can be more proactive, and can respond to future script-based attacks faster.
The Palo Alto Networks Unit 42 threat research team has discovered and dissected several adversary playbooks that include scripts at several stages of the attack lifecycle, providing insight into how adversaries are employing this technique in the real world:
</gre_replace>
<gr_replace lines="37" cat="clarify" orig="DarkHydrus in this attack">
In this attack, DarkHydrus uses email to deliver malicious scripts (custom PowerShell) in a password-protected RAR file.
New Threat Actor Group DarkHydrus Targets Middle East Government
DarkHydrus in this attack uses email to deliver malicious scripts (custom PowerShell) in a password protected RAR file.
UNIT 42 Tag: DarkHydrus
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
UNIT 42 Tag: Xbash
Learn more about WildFire and AutoFocus