FireEye and SIRP - Automated Threat Intelligence and Incident Response for Endpoint Security

Endpoints are usually the most lucrative and feasible entry points for attackers. The geographically dispersed work environments combined with an ever increasing list of both procured and offered services by an organization, has resulted in systems becoming increasingly vulnerable. Attackers are creating advanced techniques to compromise the endpoints. Without appropriate endpoint security monitoring and response measures, the endpoints are considered to be the easiest targets. The need for enhanced endpoint security paved the way for a new breed of technology called EDR (Endpoint Detection and Response) and EPP (Endpoint Prevention Platform). EDR goes beyond traditional controls like IPS and Antivirus by providing a set of tools and features that ensures extended endpoint security.

FireEye Endpoint Security (HX) is one of the leading Endpoint Detection and Response platforms. The unique feature of FireEye HX is its endpoint visibility coupled with threat intelligence. This allows organizations to adjust their defenses in real-time. Now FireEye customers can use SIRP’s security orchestration and automation capabilities with FireEye HX to respond from a unified console.

Integration Features

Run an effective incident response cycle using HX alerting combined with SIRP risk-based SOAR capabilities.
Lookup malicious files and indicators in across your endpoints using FireEye HX and SIRP integration, either in real-time or as a playbook action.
Upload IOCs (Hashes, Domains, URLs) from Threat Intelligence to HX using SIRP playbooks.
Leverage several other SIRP integrations to enrich HX alerts data and coordinate response across security functions.
Acquire on-demand or automatic triage of machines for further investigation and forensic analysis.

Challenge

Endpoints are among the most vulnerable and frequently targeted entities within a network. Usually every endpoint contains useful information (sensitive and nonsensitive data), therefore the protection of these endpoints is usually of utmost importance for the organizations. Even if an endpoint does not contain any sensitive information, it can still act as a hop for the attacker to reach to the final target. When a certain endpoint is compromised, it is usually either used to attack other endpoints or networks, to steal sensitive information, disrupt the services, or even hold the information they accessed as hostage to threaten the organization. Some of the key challenges with endpoint security are:

The location of endpoints as more and more staff are working remotely or bringing their own devices within the organization’s network.
Introduction of cloud based services and data storage
Unique requirements of partners, vendors, and customers
Advanced targeted attacks towards endpoints
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)

Solution

Security teams can create SIRP playbooks to automate their response to endpoint alerts by leveraging FireEye HX endpoint response functions. These playbooks help analysts enrich their investigative data, perform threat hunting activities, gather threat intelligence, and execute endpoint remedial actions.

Use Case 1: Malicious Hash Investigation

Consider an example in which SIRP received an alert containing potentially malicious SHA-1 hash. Based on the predefined rules, SIRP automatically executes a playbook. The playbook fetches the hash reputation from VirusTotal.

After getting the Hash Analysis Report, the playbook is set to perform the following actions.

If the reported score of the hash is greater or equal to 10:

Change disposition to “Incident”
Change priority to “Medium”
Get Asset details from Microsoft Active Directory
Check if asset belongs to an “end-user” and not server class or management group, then:

Isolate the endpoint using FireEye HX
Acquire triage of the endpoint
Send email notifications
Assign tasks to L2 analyst

Else:

Just acquire triage of the endpoint
Assign tasks to L2 analyst
Change incident category to “Malware”

If the reported score of the hash is less than 10:

Change disposition to “Investigation”
Assign task to L2 analyst for further verification
Change severity to “Medium”

The entire execution and decision flow of the playbook looks something like this:

The actual playbook in SIRP is shown below:

Use Case 2: Retroactive Email Alert Investigation

Retroactive email alerts are fired in FireEye EX when it considers email to be malicious, but doesn’t perform any remedial or prevention actions. The open-ended nature of these alerts makes them important to be investigated and responded accordingly.

Let’s review the following playbook which is developed in SIRP to handle such retroactive alerts automatically.

The purpose of this well crafted playbook is to ingest retroactive alerts from FireEye EX, gather intelligence against the ingested data, and finally perform remedial actions automatically.

After automatically ingesting the retroactive alerts within SIRP, the playbook first checks if the alert is fired against a “domain” or a “hash”.

If the alert is fired against a domain, the playbook performs following actions:

Get domain reputation from VirusTotal
Get domain reputation from AlienVault OTX
Check if reported “positives” and “count” is greater than or equal to 5. If Yes, then:

Change priority to “High”
Change severity to “High”
Create a case and add relevant members
Block the domain on Firewall
Send email notifications to relevant parties

If the alert is fired against a hash, the playbook performs following actions:

Get hash reputation from VirusTotal
Check if the reported score is greater than or equal to 5. If Yes, then:

Change priority to “Medium”
Push hash to FireEye HX

Else:

Change Sub disposition to “False positive”
Change status to “Close”

The entire execution and decision flow of the playbook looks something like this:

Benefits

The key benefits that can be realized out of this integration are:

Proactive monitoring and response by leveraging best of both products i.e. EDR capabilities of FireEye HX and automation capabilities of SIRP.
Reduced MTTD and MTTR
One window operation
Automatic execution of response actions
Automatic updates to the EDR threat library for future monitoring
Correlate the data ingested from FireEye HX, FireEye EX, and other security technologies as well as organizational risks, asset importance, threat intelligence, and vulnerabilities.