Grandma, What Malicious Hashes You Have
Detonating suspicious files in sandboxes for malware analysis is an ever-present and important investigative step during incident response. As malware analysis tools are isolated from other security products, however, it’s taxing for security analysts to coordinate across consoles while executing this repetitive task. Pasting results onto another console for documentation is also time-consuming and increases chances of error.
How Orchestration Helps
Security orchestration playbooks can automate the entire file detonation process either as an isolated workflow or in concert with other enrichment activities. This ensures that analysts don’t waste time performing the activity but are still able to benefit from the results of the analysis. Since playbooks document the result of all actions on a central console, the need for post-fact manual documentation is also eliminated.
The playbook can ingest data from a variety of sources such as SIEMs, mailboxes, threat intelligence feeds, and malware analysis tools.
The playbook extracts the file that needs to be detonated.
The playbook uploads the file to the malware analysis tool where it is detonated and the ensuing malware analysis report is generated.
4. Display Report
The playbook displays the malware analysis report for analyst study and action.
5. Update Database
If the file is found to be malicious, the playbook updates relevant watchlists/blacklists with that information. From here, the playbook can branch into other actions such as quarantining infected endpoints, opening tickets, and reconciling data from other third-party threat feeds.
To access Demisto's malware analysis playbook and other orchestration use cases, visit our GitHub playbook repository and see what's possible
Unify security functions: The malware analysis playbook coordinates between detection sources (SIEM, malboxes etc.), malware analysis tools, and threat intelligence tools, enabling security teams to have improved, centralized visibility over security data. This results in maximal usage of all security tools but without the need for keeping multiple tabs open and dividing up work and focus among disparate consoles.
Automate repeatable steps: There are multiple security actions that, while important, are time-consuming to execute every time malware needs to be analyzed. Automating these steps shave off large chunks of response time while still providing overall control and decision-making power to the security team.
Improve investigation quality: Security orchestration platforms usually correlate intelligence from multiple tools so that security teams can quickly identify whether any malware instances are isolated or persistent within their environments. In this example, security teams can study the malware analysis report, see how many other incidents the same malware instances are present in, and identify larger attack campaigns at play.
A Good Playbook Should Be...
Simple and intuitive: The playbook should ideally be represented as a task/process flow through a simple drag-and-drop graphical interface. Coding expertise shouldn't be a 'must-have' to make even the most complex playbooks, although each playbook’s code should also be available for analysts to tweak if required.
Primed for automation: Analysts should be able to automate the entire playbook in response to a phishing attack, greatly reducing response time, effort, and the possibility of human error for large-volume attacks. However, analysts should also be able to include manual steps in playbooks and require human intervention for sophisticated attacks.
Customizable: Analysts should be able to make copies of the standard playbook, modify it, or embed it in other playbooks as needed.
We hope you found this use case walk-through helpful. This is only a skeletal workflow - your own 'playbook' can be as simple or complex as your needs merit.
To learn about more security orchestration use cases, download our whitepaper.