SOAR Use Case – Ransomware Attack


Known for its severe impact, including financial loss, permanent data loss, and breaches of confidentiality, ransomware continues to keep security teams on their toes. Common attack vectors attributed to ransomware include:

  • Spear phishing
  • Drive-by download
  • The exploitation of one or more vulnerabilities
  • Removable media
  • Misuse of valid account credentials

Ransomware attack containment involves multiple steps including (but not limited to):

  • Blocking malicious C&C (Command and Control) servers at the firewall.
  • Isolating infected endpoints.
  • Running periodic AV (Anti-Virus) scans.
  • Blacklisting malicious processes based on the latest threat intel.

The following image shows a typical kill chain for Ransomware.

With an extensive load of alerts coming from multiple controls at different stages of the attack cycle, a ransomware infection may be overlooked, causing great financial damage to an organization or irreparable data loss. Leveraging SOAR solutions helps swiftly contain such attacks, as they can automate major processes of the containment phase.


Now, let’s have a look at one of the Ransomware cases. The following figure explains the steps to identify and contain a ransomware incident.


  • AV engine and EDR alerts detect the initial infection attempt, ransomware behavior, or the presence of ransomware on endpoint workstations and servers.
  • Firewall and proxy logs are used to monitor excessive outbound communication requests.
  • Internal firewalls and IPS solutions are used to detect abnormal network behavior and internal malware spreading.
  • Endpoints are monitored to identify unique and abnormal processes, encrypted files, and a ransom note that indicates a ransomware infection.
  • DLP alerts are monitored to identify data exfiltration attempts.


  • Through SIEM correlation, outbound communication from an infected host is checked for known artifacts and IoCs.
  • EDR and AV detections are inspected for enrichment.
  • Identified artifacts are then checked against OSINT platforms for further enrichment, such as file reputation.
  • AD is queried to gather details of the affected user.
  • Additional SIEM logs are checked to see whether any other systems are communicating with the same IoCs.


Based on the sensitivity of the data and the criticality of the assets involved, the security team decides the severity of the incident. SIRP offers extensive asset management and prioritization of alerts through its proprietary scoring mechanism, the SIRP Security Score (S3). The asset register within SIRP is used in automation playbooks for quick, automated decision-making and reporting.

The asset inventory maps the hostname, IP address, category, classification, and business value of each asset.

Containment strategies are decided according to business needs. The escalation matrix and isolation strategy are determined by the severity assigned to the compromised endpoint: a server carries a higher severity and a different containment strategy than a workstation.


  • The incident response team would first isolate infected endpoints from all network traffic.
  • The malicious processes on the identified compromised endpoint(s) are terminated.
  • IoCs (malicious domains and IPs) are blocked at perimeter controls and detection engines, such as firewalls, web proxies, EDRs, NDRs, and IPS.
  • Reimaging and data recovery from a secured offline backup is performed, followed by an AV scan.
  • Finally, custom rules are tuned to detect the same threats in the future.

Automating Ransomware Incident Response with SIRP

Now, let’s have a look at the SIRP automation playbook workflow for the Ransomware case. The following figure outlines a workflow to automate the ransomware attack remediation steps through the SIRP playbook.
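The identification and containment steps above, written out as a minimal automation playbook. This is an added example, not SIRP's own playbook code; the asset register, threat-intel verdicts, SIEM events and the server-versus-workstation containment policy are all constructed assumptions for illustration.

```python
# Added example, not SIRP's own code: enrich IoCs, correlate SIEM events,
# score severity from the asset register, then pick a containment strategy.

# Constructed asset register: hostname -> IP, category, classification, business value (1-5)
ASSET_REGISTER = {
    "fs-01": {"ip": "10.0.1.5", "category": "server", "classification": "confidential", "value": 5},
    "ws-42": {"ip": "10.0.2.42", "category": "workstation", "classification": "internal", "value": 2},
}

# Constructed stand-in for OSINT / threat-intel reputation lookups
TI_VERDICTS = {"203.0.113.7": "malicious", "198.51.100.9": "unknown"}

# Constructed SIEM outbound-connection events: "<time> <src_host> -> <dst_ip>"
SIEM_LOG = [
    "2024-05-01T10:00:01 ws-42 -> 203.0.113.7",
    "2024-05-01T10:00:09 fs-01 -> 203.0.113.7",
    "2024-05-01T10:01:00 ws-07 -> 198.51.100.9",
]

def enrich(iocs):
    """Enrichment step: keep only the IoCs the TI source rates as malicious."""
    return [i for i in iocs if TI_VERDICTS.get(i) == "malicious"]

def hosts_talking_to(iocs, log=SIEM_LOG):
    """SIEM correlation: every host seen communicating with the malicious IoCs."""
    return sorted({line.split()[1] for line in log if line.split()[3] in iocs})

def severity(hostname):
    """Severity from the asset register; hosts missing from it get a medium score of 3."""
    asset = ASSET_REGISTER.get(hostname)
    if asset is None:
        return 3
    return max(asset["value"], 4) if asset["classification"] == "confidential" else asset["value"]

def containment_actions(hostname, iocs):
    """Assumed policy: servers follow the escalation matrix before isolation, workstations are isolated at once."""
    category = ASSET_REGISTER.get(hostname, {"category": "workstation"})["category"]  # unknown host -> workstation
    actions = [f"block {i} at firewall, proxy, EDR and IPS" for i in iocs]
    if category == "server":
        return actions + ["escalate per matrix", "terminate malicious processes", "isolate after approval"]
    return actions + ["isolate endpoint", "terminate malicious processes", "reimage and restore from offline backup"]

def run_playbook(alert):
    """Ingest one alert, enrich, correlate, then score and contain each affected host."""
    iocs = enrich(alert["iocs"])
    affected = hosts_talking_to(iocs)
    return {h: {"severity": severity(h), "actions": containment_actions(h, iocs)} for h in affected}
```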

Ingestion of Alerts

SIRP supports integration with different SIEM solutions, AV engines, and EDR solutions for the collection of alerts and offenses. Some of the popular solutions are listed below:

  • IBM QRadar
  • RSA NetWitness
  • Splunk Enterprise Security
  • Elastic SIEM
  • TrendMicro Deep Discovery Inspector (DDI)
  • Windows Defender Advanced Threat Protection (ATP)

Collection of Artifacts

SIRP integrates with different solutions for the collection of artifacts. For example:

  • IBM QRadar
    • Get events for query
  • Splunk Enterprise Security
    • Get user events
    • Get events from last time
  • FireEye EX
    • Get Email status statistics
    • Get Retroactive alerts
  • Windows Defender ATP
    • Collect machine information
  • Windows LDAP
    • Collect User Information
    • Collect User Group Information
    • Collect Manager Information


SIRP has OOTB integration available for the following Threat Intelligence portals and OSINT platforms:

  • IBM Xforce
    • Collect IP information
    • Collect URL information
  • Blueliv
    • Search CVE
    • Search FQDN
    • Search IP
    • Search SHA256
    • Search Threat Actor
  • AbuseIPDB
    • Collect IP reputation
  • AlienVault
    • Collect IP information
    • Collect Domain information
    • Collect Hostname information
    • Collect URL information
    • Collect hash information

Automated Incident Response Actions

SIRP integrates with several firewalls, EDRs, and MDRs, allowing you to automate multiple remedial actions. For example:

  • FireEye HX
    • Block Hash
    • Isolate System
    • Acquire File
    • Acquire Triage
  • Trend Micro Apex Central
    • Isolate system
    • Create Scan
    • Block/Unblock IP, URL, Domain, and Hash
  • Cisco WSA
    • Block/Unblock IP, URL, and Domain
  • PaloAlto Firewall
    • Block/Unblock IP address as source/destination
    • Block/Unblock URL
  • FortiGate Firewall
    • Block/Unblock IP address as source/destination
  • Cisco ASA
    • Block IP address as source/destination
  • Juniper SRX Firewall
    • Block/Unblock IP address as source/destination
  • Sophos WAF
    • Block/Unblock IP address as source/destination
    • Block/Unblock URL
  • Windows Defender ATP
    • Block/Unblock IP, URL, Domain, and Hash
  • IBM QRadar
    • Push IP address to the reference set
    • Push Email address to the reference set
    • Push Hash to reference set
    • Push URL to reference set

SIRP integrates with 100+ popular security tools, allowing 450+ actions to be completed or automated directly from the platform. SIRP also enables cross-platform integration. Therefore, complex and multi-tool processes can be completed in seconds with a single click. New integrations are available within 72 hours at no additional charge. A complete list of available integrations can be found here: