Our partner Query AI has just released Query Splunk App 2.4, now available on Splunkbase, and it comes with several exciting updates designed to enhance usability and performance for security data operations. This latest version improves upon the app’s already powerful capabilities, making it easier to conduct federated searches and integrate data from a variety of sources into Splunk without driving up ingestion or compute costs.
Here’s a breakdown of the key updates and features that make this release noteworthy.
Expanding Data Access without the Costs
The Query Splunk App enables organizations to pull data from any connected source—data lakes, warehouses, object storage, or any other platform—without the need to ingest or store this data in Splunk. This federated search functionality is vital for security teams looking to access dispersed data without blowing up their Splunk licenses. Whether it’s security-relevant or observability data, you can now seamlessly extend your Splunk environment’s reach and leverage all your data from various sources.
What’s New in Version 2.4?
The Query Splunk App 2.4 brings several enhancements that focus on usability and performance:
Embedded Help and Intuitive Searching: To make the app more accessible to new users, the interface now includes embedded help directly in the Splunk console, with drill-down options that guide users through their searches.
Advanced Federated Search Filters: The new version allows users to fine-tune their searches with expanded filtering capabilities. Users can include or exclude specific event classes in their queries. For instance, filtering by events="system_activity, detection_activity" or excluding events like exclude_events="file_activity" can drastically improve search results and relevance.
Improved Error Detection: Handling search errors has been made more efficient. The app will now alert users if they mistype commands or apply conditions to mismatched data types. This prevents wasted time and effort by catching mistakes early.
Example Searches and Schema Updates: Query 2.4 also introduces example searches to help users get up to speed quickly. Additionally, the app has been updated to align with the latest Open Cybersecurity Schema Framework (OCSF 1.3), ensuring data normalization across multiple platforms for better interoperability.
Performance and Scalability
One of the most significant improvements in this release is the enhanced performance. Users experiencing search timeouts or performance lags in earlier versions will find version 2.4 noticeably faster and more responsive. It’s also designed to handle larger datasets, making it ideal for enterprises with vast amounts of distributed data.
Meta-Data Availability at Your Fingertips
Query 2.4 also aims to improve transparency and control by making search metadata more accessible. Users can now quickly see which connectors are configured, what entities (like IP addresses or file hashes) are available for searching, and what events and objects are part of the queryable dataset. This can all be done directly from the Splunk console.
Why Upgrade?
If you’re already using a previous version of the Query Splunk App, upgrading to 2.4 is a no-brainer. The new version not only resolves performance bottlenecks but also provides more control, better error handling, and enhanced support for a broader range of security use cases. Whether you are dealing with complex security investigations or optimizing your threat-hunting workflows, the Query Splunk App 2.4 will undoubtedly streamline your operations.
The new Query Splunk App 2.4 is available now on Splunkbase. To find out more or to start using it today, please contact .
LONDON, October 2, 2024 — DataBee®, from Comcast Technology Solutions (CTS), today announced that it has partnered with HOOP Cyber, a cyber data engineering consultancy, to deliver cybersecurity and compliance solutions to enterprises across EMEA.
Both companies have specific expertise in helping organisations address the ‘security data problem’. DataBee’s core offering is DataBee Hive™, a cloud-native security, risk and compliance data fabric platform that delivers the connected data and deep insights that cybersecurity and governance, risk and compliance (GRC) teams need to address security and compliance gaps faster and more affordably. The HOOP Cyber team of data engineers and cybersecurity experts delivers products and services that help clients assess and optimize existing security processes, starting with an understanding of the vast amounts of data that need to be harnessed for better security and compliance outcomes.
“Both DataBee and HOOP Cyber understand that security is fundamentally a data problem,” said Ivan Foreman, Executive Director of DataBee in EMEA. “With the DataBee Hive platform addressing some of the most critical security use cases, and HOOP Cyber’s unique understanding of how to build and manage cost-effective, resilient security operations, we’re able to help our customers quickly extract greater value and insights from their security data and investments.”
“DataBee’s security data fabric platform can support so many security and compliance needs that it can help reduce or eliminate the need for what might be redundant security tools, saving cost without compromising security,” said Simon Johnson, CEO and Founder of HOOP Cyber. “We also appreciate that DataBee has one of the largest catalogs of data sources integrations into a modern data lake, mapping data into the Open Cybersecurity Schema Framework (OCSF) to make it easy for customers to make their data usable for a variety of security use cases.”
DataBee and HOOP Cyber are working together to deliver the combination of technology and consulting services enterprises need to modernize and optimize their security operations and transform the way they process and use data to manage risk and compliance.
Comcast Technology Solutions, a division of one of the world’s leading media and technology companies, brings Comcast Corporation’s proven technologies to an evolving list of industries worldwide. We believe in continuous innovation, always looking for new and better ways to connect with our customers, as well as aggregate, distribute, and secure our own content, advertising, and data. We invest in and test these solutions, so you don’t have to — freeing you up to focus on accelerating your business, not your tech stack. Through our portfolio of solutions, we bring these innovations to the global marketplace, enabling our partners to think big, go beyond, and lead the way in media, technology, and cybersecurity. For more information, visit databee.buzz.
About Hoop Cyber
HOOP Cyber is a cyber data engineering consultancy dedicated to empowering organisations with data-driven security solutions that are both effective and cost-optimised. HOOP’s blueprinted and industrialised consulting outcomes ensure a rapid ROI and enhance your capability to respond to targeted threats quickly, safely, and securely. Learn more at www.hoopcyber.com
We are delighted to announce that our partner Query, a patented federated search solution for security data, today announced a strategic investment from Cisco Investments. The investment will drive the development and adoption of the Query federated search platform and Query Splunk app, advancing their mission to equip security teams with data driven answers for faster, more informed decisions that reduce cybersecurity complexity.
“The best security teams run on data. Cisco Investments’ support affirms the value of our approach to turn data into a strategic advantage for cybersecurity operators,” says Query CEO, Matt Eberhart. “Security practitioners told us that they need data driven answers fast. Working with these users, we designed Query to solve the data challenges they face every day.”
Query customers report their security relevant data is growing by an estimated 40% per year and is widely dispersed across many enterprise systems, platforms, and technologies. On average, more than twenty manual pivots into different tools are required to conduct one security investigation. Query removes these pivots by providing a single answer from all connected data sources, resulting in faster and more complete investigations, threat hunts, and incident response. An AI-powered Query Copilot assists users with data summaries, recommended remediations, follow up actions, and more.
“Query’s federated search technology amplifies the value of security tools, such as SIEM and XDR, as well as other data sources, such as data lakes, for SOC analysts by providing data visibility closer to the source, enabling real-time security operations,” said Janey Hoe, Vice President, Cisco Investments. “Effective security operations require teams to answer questions quickly using data from many sources, without long onboarding times and increasing data costs. Query is purpose-built to do just that. We are delighted to invest in Query.”
Query’s patented distributed federated search engine enables security teams to get complete data driven answers, without pivoting into dozens of tools, eliminating the need to learn multiple search languages, and removing the frustration that comes from too many platforms that don’t work together. Unlike traditional approaches, Query uses APIs to access and get answers from distributed data, removing the costs, challenges, and risks that come with bulk data centralization, without building data pipelines or automation playbooks.
All of us at HOOP cyber extend our warmest congratulations to Query on this news, and we look forward to working more closely with them.
HOOP Cyber customers rely on cybersecurity innovators to deliver a new, data-centric security architecture.
Atlanta, September 19, 2024: Query, the federated search solution for security teams, and HOOP Cyber, the cybersecurity modernization and resilient security operations specialists, announced a new solution to enable enterprise security teams to turn their existing security data into an advantage across all security operations, including threat hunting, security investigations, and incident response.
“Accessing, understanding, and putting security data to work, when you need it, is too difficult today. Security teams are faced with dozens of platforms, tools, and data formats, when what they need is an immediate data driven answer to their questions. HOOP Cyber brings vast experience with modern data forward security architectures, enabling security teams to unlock a true data advantage,” said Matt Eberhart, CEO of Query. “We’re excited to work with them to deliver effective, capable security programs, powered by data.”
HOOP Cyber and Query are delivering a new security architecture, built around Amazon Security Lake, the purpose-built security data lake that enables customers to aggregate, normalize, and store data so they can better respond to cyber security threats. The two companies have worked together to combine HOOP Cyber’s industry-leading Amazon Security Lake experience with the Query federated search capabilities.
“The Query federated search platform deployed with Amazon Security Lake provides the next generation features our clients demand,” said Simon Johnson, CEO of HOOP Cyber, “Query gives us a single interface for all the data types in Security Lake plus any outside data sources, with no specialized search languages to learn so our customers can increase the speed of adoption and get to insights faster.”
The combination of Query and Amazon Security Lake gives customers a security data lake that aggregates, normalizes to the OCSF standard, and optimizes large volumes of disparate log and event data, accessible via the Query search and analytics interface that will feel familiar to security professionals of any skill level.
“HOOP Cyber is leading in helping enterprises gain immediate value from Amazon Security Lake,” added Eberhart. “Their knowledge and experience make them faster and more effective. We are excited to partner with HOOP Cyber as part of their ideal Amazon Security Lake customer solution.”
To learn more about HOOP Cyber’s Amazon Security Lake deployments with Query, please visit: www.hoopcyber.com. Or contact HOOP Cyber at
About HOOP Cyber
HOOP Cyber is a cyber data engineering consultancy dedicated to empowering organisations with data-driven security solutions that are both effective and cost-optimised. HOOP’s blueprinted and industrialised consulting outcomes ensure a rapid ROI and enhance your capability to respond to targeted threats quickly, safely, and securely. Learn more at www.hoopcyber.com.
About Query
Query is the federated search solution for security teams. Query provides security operators with the ability to access, search and draw insights from distributed data no matter where it resides. By making security-relevant distributed data readily available to SecOps professionals, Query provides vastly higher data visibility for investigations, incident response and threat hunting. And by allowing security teams to store data where they wish, Query decouples cost, vendor and platform from security operations performance. Learn more at www.Query.ai.
London, UK, 13 September 2024 – HOOP Cyber was proud to partner with Amazon Web Services for the 2024 European Security Lake Roadshow, with the first roadshow event taking place on Wednesday 11 September 2024 in London, and we were delighted to present our experiences of using and deploying Amazon Security Lake.
It was an incredible opportunity for attendees to discover the secrets of Amazon Security Lake and stay ahead of this exciting AWS service. The day was a fully immersive experience with AWS security experts on hand to guide attendees through strategies designed to streamline security operations and enable the centralisation of logging, the optimization of security analytics, and to show attendees how to conduct efficient security investigations.
The key takeaways from the event included:
The future direction of Amazon Security Lake
How customers are using Security Lake to their best advantage, including a deep dive into the value of the OCSF schema
What the strengths of Security Lake are, and how customers have overcome any challenges they encountered
Threat detection and alerting with Security Lake.
One of the main things we took away from the event was this – when your S3 buckets and your EC2 instances get scanned 24 billion and 2.6 trillion times respectively in a 12-month period, you know it is time for cloud security to be taken much more seriously. It was also a great opportunity for the audience to learn how HOOP Cyber and Amazon Security Lake embrace OCSF to enrich, normalize and combine security data from AWS and a broad range of enterprise security sources. From this, data accessibility across your organisation can be fully optimised, thus facilitating a more comprehensive approach to security operations. Security Lake can efficiently help you consolidate and streamline security logging at scale, and the integration of Splunk and Amazon Security Lake provides insights into security data wherever it resides.
HOOP Cyber will be supporting AWS Security teams at a number of other Security Lake Roadshows and events through the remainder of 2024 – if you would like to learn more or join our mailing list please send a note to .
The cyber threat and compliance landscape in Europe, the Middle East, and Africa (EMEA) is marked by a growing sophistication and frequency of cyber-attacks, which provide significant risks to organisations. In recent years, the region has witnessed a surge in ransomware attacks, data breaches, and advanced persistent threats (APTs) targeting critical infrastructure, financial institutions, and government entities.
The increasing reliance on digital technologies and the rapid shift to remote work due to the COVID-19 global pandemic have all expanded the attack surface, making organisations much more vulnerable. Cyber-criminals are leveraging more sophisticated tactics, such as exploiting zero-day vulnerabilities and utilising AI-driven techniques to bypass traditional security measures.
Recent cyber-attack trends in EMEA
There has been a marked increase in the sophistication and scale of cyber threats in EMEA, with ransomware attacks becoming particularly prevalent. Cybercriminals are increasingly targeting critical sectors such as healthcare, finance, and energy, leveraging advanced tactics like double extortion, where data is not only encrypted but also threatened to be published unless a ransom is paid. Additionally, there has been a notable rise in supply chain attacks, where cyber adversaries infiltrate through third-party vendors to access primary targets, as exemplified by high-profile incidents like the SolarWinds breach.
Phishing schemes have also evolved, with attackers using more convincing social engineering techniques to compromise credentials and deploy malware. The use of zero-day exploits has surged, allowing attackers to exploit vulnerabilities before patches are available. These trends underscore the necessity for organizations in EMEA to bolster their cybersecurity postures, adopt multi-layered defence mechanisms, and engage in proactive threat intelligence and incident response planning.
Statistical data on cyber incidents in EMEA
Recent statistical data on cyber incidents in the EMEA region highlights the growing severity and frequency of these threats. In 2023, ransomware attacks surged by 62%, with EMEA being one of the most targeted regions globally, accounting for approximately 30% of all ransomware incidents reported worldwide. According to the European Union Agency for Cybersecurity (ENISA), phishing attacks in EMEA increased by 38% year-on-year, reflecting the heightened use of social engineering tactics by cybercriminals. Moreover, data from Kaspersky Lab indicated a 25% rise in the number of zero-day vulnerabilities exploited in the region, underscoring the escalating sophistication of cyber threats.
Financial losses due to cybercrime have also been substantial. A report by Accenture estimated that the average cost of a data breach in EMEA reached £3.92 million in 2023, up from £3.75 million the previous year. The energy sector, a critical infrastructure component, saw a 50% increase in cyber-attacks, driven by geopolitical tensions and the strategic importance of these assets. Additionally, the healthcare sector experienced a 45% uptick in cyber incidents, exacerbated by the ongoing digital transformation and increased adoption of telehealth services. These statistics demonstrate the urgent need for enhanced cybersecurity measures and greater investment in cyber resilience across the EMEA region.
The regulatory landscape in EMEA
The regulatory environment in the EMEA region is also becoming much stricter, with a strong emphasis on data protection and privacy. The General Data Protection Regulation (GDPR) in the European Union has set a high standard for data privacy, imposing heavy fines for non-compliance and mandating strong data protection measures. Other regions within EMEA are also introducing similar regulations to safeguard personal data and ensure cybersecurity.
Organisations are required to comply with various local and international standards, such as the Network and Information Systems (NIS) Directive, the Digital Operational Resilience Act (DORA), the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001. Compliance with these regulations not only mitigates legal risks but also enhances organisational resilience against cyber threats; however, keeping up with compliance requirements can be difficult, and any compliance gaps can leave an organisation with security vulnerabilities.
The challenges in harmonising regulations and compliance in EMEA
Harmonising cyber security regulations and compliance across the EMEA region presents significant challenges due to the diverse political, economic, and legal landscapes within this vast area. The EMEA region encompasses a wide array of countries, each with its own regulatory frameworks, enforcement mechanisms, and levels of cyber security maturity. For instance, while the European Union has established comprehensive regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive, other regions within EMEA may have less stringent or entirely different cyber security laws.
This disparity complicates efforts to create a unified approach to cyber security, as organisations operating across multiple regions need to navigate often complex requirements, which can be both costly and time-consuming. Additionally, geopolitical tensions and varying national interests can hinder collaboration and information sharing, which are crucial for addressing transnational cyber threats effectively.
Another major challenge is the varying levels of technological infrastructure and resource allocation dedicated to cyber security across the EMEA region. While some countries in Western Europe boast advanced cyber security capabilities and significant investments in technology and personnel, other regions, particularly in parts of Africa and the Middle East, may lack the necessary resources and expertise to implement and enforce robust cyber security measures. This imbalance creates vulnerabilities that can be exploited by cyber-criminals and undermines regional efforts to establish a cohesive security posture.
The launch of DORA
The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to enhance the operational resilience of financial institutions against digital disruptions and cyber threats. Enacted in response to the increasing frequency and sophistication of cyber-attacks targeting the financial sector, DORA aims to ensure that financial entities can withstand, respond to, and recover from a wide range of ICT-related incidents. The regulation mandates comprehensive risk management practices, including stringent cyber-security measures, regular testing of ICT systems, and robust incident reporting protocols.
DORA officially came into force on January 16, 2023. Financial entities within the European Union are required to comply with its provisions by January 17, 2025. This two-year implementation period allows financial institutions and other affected entities sufficient time to align their operations, risk management practices, and governance frameworks with the stringent requirements outlined in DORA. The transition period is crucial for ensuring that organizations can systematically enhance their digital resilience capabilities and integrate appropriate cyber security measures into their daily operations.
How can HOOP Cyber help?
HOOP Cyber is perfectly placed to help organisations across EMEA successfully address these threats and compliance issues. The company firmly believes that security is fundamentally a data problem, and works closely with its customers to sift through the vast amounts of data organisations hold to find the right data and the right places to focus on. HOOP Cyber is a cyber security consulting and vendor partner and prides itself on delivering resilient security operations.
HOOP Cyber has a deep understanding of security operations defence. As a team of ex-Splunkers, CISOs and industry experts, they bring together collaborative expertise and a strong understanding of targeted SecOps architectures to solve some of the most relevant challenges in defending organisations today.
Interested in working with HOOP Cyber?
To find out more about working with us, get in touch via .
Are you located in London or Paris and interested in Amazon Security Lake? We have partnered with Amazon Web Services for the 2024 European Security Lake Roadshow! This is your chance to discover the secrets of Amazon Security Lake and stay ahead of this exciting AWS service.
Join HOOP Cyber and AWS for an immersive, full-day, in-person event. AWS Security Experts will guide you through strategies to streamline your security operations, enabling you to centralise logging, optimize security analytics, and conduct efficient security investigations.
Explore the powerful capabilities of Amazon Security Lake, AppFabric, Quicksight Q, and Amazon OpenSearch and gain insights from customers who will share their first-hand experiences leveraging these services.
The need for effective and efficient incident response has never been more critical when it comes to securing organisations against the growing cyber threat. Security Orchestration, Automation, and Response (SOAR) platforms have become indispensable tools for organizations looking to bolster their security operations. A key component of these platforms is playbooks: predefined workflows that automate and streamline the incident response process.
As we progress through 2024, the complexity and frequency of cyber threats continue to grow, making it essential to have the right playbooks in place. In this blog, we will explore the top 10 SOAR playbooks, focusing on the five playbooks that every security team should consider implementing. These playbooks not only enhance your response capabilities but also ensure that your organisation stays ahead of the curve in defending against the latest threats.
Whether you are new to SOAR or looking to optimize your existing strategies, this guide will provide valuable insights into the most effective playbooks you can deploy this year.
1. Cryptojacking
Cryptojacking is a type of cyber attack where an attacker hijacks a victim’s computer or device to mine cryptocurrency without the victim’s knowledge or consent. This type of attack is becoming more and more common due to the increasing popularity of cryptocurrencies and the ease of setting up mining operations. The aim of this SOAR playbook is to provide a framework for responding to a cryptojacking incident, minimising the impact and preventing further damage.
Here is an example SOAR playbook for investigating and responding to a cryptojacking infection:
Detection Triggers:
Alerts for suspicious unrecognised processes eating CPU
Detections of unauthorised mining pools connections
Abnormal GPU usage spikes
Antivirus alerts for known mining malware
Investigation Playbook:
Isolate affected host(s) from the network
Capture running processes list, process trees
Analyse process binaries for malware signatures
Inspect registry for persistence mechanisms
Identify mining pool connections and wallet addresses
Educate employees on cryptojacking methods and risks
Post Incident:
Determine infection vector to prevent reoccurrence
Calculate costs associated with cryptojacking
Report details to management and CISO
Develop metrics to measure effectiveness of detection capability
The goals are rapid containment, elimination of the infection and closing gaps to prevent future cryptojacking incidents.
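To show how the detection triggers and the first investigation steps above fit together, here is an added example (not part of the original post and not taken from any SOAR product): a Python triage routine that applies the four triggers to constructed endpoint telemetry and assembles the process tree for each flagged process, which is exactly the evidence the "capture running processes list, process trees" step needs. The thresholds, the allow-list of known-good process names and the mining-pool indicator list are assumptions standing in for tuned values and a real threat-intel feed; the sample hosts and processes are constructed.

```python
"""Cryptojacking triage: evaluate the playbook's detection triggers over
endpoint telemetry and assemble the evidence the investigation steps need.
All inputs below are constructed sample data, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field

CPU_THRESHOLD = 80.0   # sustained CPU % that counts as "eating CPU" (assumed tuning value)
GPU_THRESHOLD = 70.0   # GPU % that counts as an abnormal spike (assumed tuning value)
KNOWN_GOOD = {"sqlservr.exe", "java", "chrome.exe", "explorer.exe", "svchost.exe"}  # assumed allow-list
# Constructed indicator list standing in for a threat-intel feed of mining pools.
MINING_POOL_IOCS = {"pool.example-mining.invalid", "stratum.example.invalid"}
MINING_POOL_PORTS = {3333, 4444, 14444}   # constructed subset of ports stratum pools commonly listen on


@dataclass
class Process:
    host: str
    pid: int
    ppid: int
    name: str
    cpu: float
    gpu: float = 0.0


@dataclass
class Connection:
    host: str
    pid: int
    dst: str
    dport: int


@dataclass
class Finding:
    host: str
    pid: int
    triggers: list = field(default_factory=list)
    process_tree: list = field(default_factory=list)
    action: str = "isolate_host"   # first containment step of the playbook


def process_tree(procs, host, pid):
    """Walk parent links upward so the analyst sees what spawned the suspect process."""
    by_pid = {p.pid: p for p in procs if p.host == host}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against cyclic parent data
        seen.add(pid)
        p = by_pid[pid]
        chain.append(f"{p.name}({p.pid})")
        pid = p.ppid
    return list(reversed(chain))


def triage(procs, conns):
    """Apply the four detection triggers and return one Finding per suspect (host, pid)."""
    triggers = defaultdict(list)
    for p in procs:
        if p.name not in KNOWN_GOOD and p.cpu >= CPU_THRESHOLD:
            triggers[(p.host, p.pid)].append(f"unrecognised process {p.name} at {p.cpu:.0f}% CPU")
        if p.gpu >= GPU_THRESHOLD:
            triggers[(p.host, p.pid)].append(f"GPU spike {p.gpu:.0f}% by {p.name}")
    for c in conns:
        if c.dst in MINING_POOL_IOCS or c.dport in MINING_POOL_PORTS:
            triggers[(c.host, c.pid)].append(f"mining pool connection {c.dst}:{c.dport}")
    return [Finding(host, pid, why, process_tree(procs, host, pid))
            for (host, pid), why in sorted(triggers.items())]


# Constructed sample telemetry: one infected workstation and one busy but legitimate database host.
SAMPLE_PROCS = [
    Process("ws-042", 1, 0, "init", 0.5),
    Process("ws-042", 410, 1, "explorer.exe", 2.0),
    Process("ws-042", 5120, 410, "winword.exe", 3.0),
    Process("ws-042", 5388, 5120, "svchost32.exe", 97.5, gpu=85.0),  # miner with a lookalike name
    Process("db-07", 1, 0, "init", 0.3),
    Process("db-07", 2201, 1, "sqlservr.exe", 91.0),                   # high CPU but allow-listed
]
SAMPLE_CONNS = [
    Connection("ws-042", 5388, "pool.example-mining.invalid", 3333),
    Connection("db-07", 2201, "10.0.5.20", 1433),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f.host, f.pid, f.action, " -> ".join(f.process_tree), f.triggers)
```

The process tree is what turns a noisy CPU alert into an actionable finding: a miner spawned by a document reader points straight at the infection vector the post-incident step asks for, whereas the allow-listed database process on the second host produces no finding at all.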
2. Vulnerability Management
Vulnerability Management is a use case that involves identifying, prioritising, and remediating vulnerabilities in an organisation’s systems and applications. This playbook will provide a framework for responding to newly identified vulnerabilities, minimising the impact and preventing further damage.
Here is an example SOAR playbook for automating the vulnerability management lifecycle:
Integrations:
Vulnerability scanners (Qualys, Nessus, etc)
IT ticketing systems
CMDB
Active Directory
Security monitoring tools
Workflows:
Scheduled vulnerability scans on in-scope assets
Automated intake of scan results
Parsing of results, mapping CVEs to assets
Prioritisation based on CVSS scores
Creation of tickets assigning vulnerabilities
Enrichment with asset data from CMDB
Notification to asset owners via email
Tracking of vulnerability status changes
Verification scans after remediation
Metrics on vulnerability KPIs
Playbooks:
Weekly full scans of production assets
Daily scans of new systems and vulnerabilities
Re-scans of systems flagged as remediated
Reporting – dashboards for new vulns, stats, trends
Post-remediation actions:
Determine root causes
Evaluate compensating controls
Develop remediation standards
Improve scanning coverage
Identify detection opportunities
Response options:
Emergency patching
Isolate vulnerable systems
Enforce multi-factor authentication
Develop temporary workarounds
The goal is to utilise SOAR to automate the vulnerability management process end-to-end – from scanning to ticketing to remediation verification – increasing efficiency, visibility and reducing organisational risk.
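The workflow steps listed above (intake of scan results, mapping CVEs to assets, CMDB enrichment, prioritisation, ticket creation, verification scans and KPIs) are easiest to see end-to-end in code. The following is an added example, not code from the original post or from any scanner or SOAR vendor: the scanner export shape, the CMDB records, the owner addresses and the CVE numbers are all constructed placeholders. One refinement goes slightly beyond the text: prioritisation starts from CVSS bands as the post says, then nudges the band up for assets the CMDB marks as internet-facing or business-critical, which is what the enrichment step is for.

```python
"""Vulnerability management workflow: intake scan results, map CVEs to assets,
enrich from a CMDB, prioritise, raise tickets per owner, and verify remediation
against a follow-up scan. All data below is constructed for the example."""
import json
from collections import defaultdict

# Constructed scanner export; the shape is illustrative, not a real Qualys/Nessus format.
SCAN_RESULTS = json.dumps([
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "hr-db", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"host": "kiosk-9", "cve": "CVE-0000-0001", "cvss": 9.8},
])
# Constructed verification scan: two of the four findings have been fixed.
RESCAN_RESULTS = json.dumps([
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "kiosk-9", "cve": "CVE-0000-0001", "cvss": 9.8},
])
# Constructed CMDB: owner, exposure and business criticality per asset.
CMDB = {
    "web-01": {"owner": "web-team@example.invalid", "internet_facing": True, "critical": True},
    "hr-db": {"owner": "hr-it@example.invalid", "internet_facing": False, "critical": True},
    "kiosk-9": {"owner": "facilities@example.invalid", "internet_facing": False, "critical": False},
}
UNKNOWN_ASSET = {"owner": "unassigned", "internet_facing": False, "critical": False}


def parse_scan(raw):
    """Automated intake: normalise the export into (host, cve, cvss) tuples."""
    return [(r["host"], r["cve"], float(r["cvss"])) for r in json.loads(raw)]


def priority(cvss, asset):
    """CVSS bands, raised one band for exposed or critical assets (assumed policy)."""
    band = "P1" if cvss >= 9.0 else "P2" if cvss >= 7.0 else "P3" if cvss >= 4.0 else "P4"
    if asset["internet_facing"] or asset["critical"]:
        band = {"P2": "P1", "P3": "P2", "P4": "P3"}.get(band, band)
    return band


def build_tickets(findings):
    """One ticket per asset owner listing their vulnerabilities, highest priority first."""
    tickets = defaultdict(list)
    for host, cve, cvss in findings:
        asset = CMDB.get(host, UNKNOWN_ASSET)   # unknown hosts still get tracked, not dropped
        tickets[asset["owner"]].append({"host": host, "cve": cve, "cvss": cvss,
                                        "priority": priority(cvss, asset), "status": "open"})
    for items in tickets.values():
        items.sort(key=lambda i: (i["priority"], -i["cvss"]))
    return dict(tickets)


def verify_remediation(tickets, rescan_raw):
    """Close an item only when the verification scan no longer reports that CVE on that host."""
    still_present = {(h, c) for h, c, _ in parse_scan(rescan_raw)}
    for items in tickets.values():
        for item in items:
            item["status"] = "open" if (item["host"], item["cve"]) in still_present else "verified_fixed"
    return tickets


def kpis(tickets):
    """Metrics for the vulnerability dashboard."""
    items = [i for items in tickets.values() for i in items]
    return {"open": sum(i["status"] == "open" for i in items),
            "fixed": sum(i["status"] == "verified_fixed" for i in items),
            "p1_open": sum(i["status"] == "open" and i["priority"] == "P1" for i in items)}


if __name__ == "__main__":
    t = verify_remediation(build_tickets(parse_scan(SCAN_RESULTS)), RESCAN_RESULTS)
    print(json.dumps(t, indent=2))
    print(kpis(t))
```

Note that the same CVE lands at the same base band on the web server and the kiosk, but only the web server's medium-severity finding is promoted, and that a ticket is never closed on the strength of an owner's say-so, only on a clean re-scan, which is the "verification scans after remediation" step made non-optional.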
3. Potential Malicious External Communications (Splunk ES – SIEM)
Here is a potential SOAR (Security Orchestration, Automation and Response) playbook for detecting and responding to malicious external communication using a SIEM (Security Information and Event Management) system:
Detection Triggers:
Increased outbound network traffic to suspicious IPs
Traffic to known malicious domains
Anomalous traffic patterns that deviate from baseline
Automated Response Actions:
Quarantine suspicious IP addresses
Block outbound traffic to detected malicious IPs/domains
Kill processes associated with suspicious connections
Disable user account(s) associated with anomalous activity
Notifications:
Alert SOC team via email, SMS about malicious activity
Create high priority ticket in incident response platform
Notify CISO if scale of malicious activity is widespread
Manual Response Options:
Review full packet capture logs for malicious packets
Analyse malware samples associated with communication
Initiate forensic investigation if necessary
Develop IOCs (Indicators of Compromise) for newly detected threats
Add malicious domains/IPs to security platforms like firewalls
Unblock legitimate traffic that was misidentified
Enable enhanced network monitoring for further detection
Post-incident Analysis:
Root cause analysis to understand initial compromise vector
Review visibility gaps that delayed detection/response
Tune detection rules to improve accuracy of alerts
Develop defensive measures against newly identified threats
Update network and host-based security tools as needed
4. Malicious Network Behaviour
Here is an example SOAR playbook for detecting and responding to malicious network behaviour:
Data Sources:
Firewall logs
Netflow records
IDS/IPS alerts
Endpoint detection alerts
Detection Triggers:
Known malicious IP address communication
Anomalous bandwidth usage/data transfer
Increase in denied outbound network traffic
Detections of network scans
Flagged connections to botnet C2 servers
Activity on non-standard ports
Automated Response:
Isolate affected host(s) at the switch port level
Quarantine file(s) identified as malicious – [RA3302]
Block outbound network communication to malicious IPs – [RA3107]
Disable abnormal user accounts
Kill unexpected processes and services
Notifications:
Create high severity ticket in service desk
Page on-call SOC responder
Email network security distribution list
Manual Response:
Collect logs and relevant artefacts for analysis
Check for lateral movement in the network
Conduct forensic investigation of compromised hosts
Block additional IOCs at the firewall
Reset account passwords per incident response procedures
Post Incident Activity:
Root cause analysis
Develop hardening measures for security gaps
Generate new analytics correlations/hunting rules
Update firewall policies and IDS signatures
Provide comprehensive report to management
The goal is rapid detection, containment, and in-depth analysis of malicious network activity leveraging automation and human expertise. Adjust response steps as needed based on business needs and IT environment.
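Playbooks 3 and 4 share the same front half: parse network logs, evaluate detection triggers, and map what fires onto automated response actions. Rather than two near-identical fragments, here is one added example covering both (it is not code from the original post or from Splunk ES, and the log format, the indicator list and the baseline figures are constructed; the TEST-NET addresses are placeholders, not real indicators). It parses firewall log lines, evaluates five triggers drawn from the two lists above (known malicious IP, activity on non-standard ports, anomalous outbound volume against a per-host baseline, a rise in denied outbound traffic, and a port scan), then emits the block/isolate/ticket/page actions the playbooks describe. The scan and volume thresholds are assumed tuning values.

```python
"""Detection logic for the outbound-communication and network-behaviour triggers
over firewall log lines, emitting the playbooks' automated-response actions.
Log lines, indicator lists, baseline and thresholds are constructed for this example."""
import re
from collections import defaultdict

MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}          # constructed threat-intel list (TEST-NET)
STANDARD_PORTS = {22, 53, 80, 123, 443, 445, 587, 993}      # assumed "expected" outbound ports
SCAN_DISTINCT_PORTS = 10     # distinct destination ports from one source that count as a scan (assumed)
DENIED_THRESHOLD = 5         # denied outbound connections from one source worth a ticket (assumed)
BYTES_BASELINE = {"10.0.1.15": 5_000_000, "10.0.1.22": 2_000_000}   # constructed per-host baseline
BYTES_MULTIPLIER = 3.0       # flag a host above 3x its baseline (assumed)

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)")

# Constructed firewall log: a beaconing host that also exfiltrates, an odd-port client,
# a host sweeping an internal server, and one non-event line that must be skipped.
SAMPLE_LOG = [
    "2024-09-19T10:00:01Z fw01 action=allow src=10.0.1.15 dst=203.0.113.7 dport=443 proto=tcp bytes=1200",
    "2024-09-19T10:00:09Z fw01 action=allow src=10.0.1.15 dst=203.0.113.7 dport=443 proto=tcp bytes=18000000",
    "2024-09-19T10:01:30Z fw01 action=allow src=10.0.1.22 dst=192.0.2.10 dport=8081 proto=tcp bytes=500",
    "2024-09-19T10:03:00Z fw01 heartbeat",
] + [f"2024-09-19T10:02:{i:02d}Z fw01 action=deny src=10.0.1.40 dst=10.0.2.5 dport={1000 + i} proto=tcp bytes=0"
     for i in range(10)]


def parse(lines):
    """Parse matching lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"], ev["bytes"] = int(ev["dport"]), int(ev["bytes"])
            events.append(ev)
    return events


def detect(events):
    """Return (trigger, source_host, detail) tuples for every trigger that fires."""
    alerts = []
    out_bytes, denied, dports = defaultdict(int), defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["dst"] in MALICIOUS_IPS:
            alerts.append(("malicious_ip", ev["src"], ev["dst"]))
        if ev["action"] == "allow":
            out_bytes[ev["src"]] += ev["bytes"]
            if ev["dport"] not in STANDARD_PORTS:
                alerts.append(("non_standard_port", ev["src"], f"{ev['dst']}:{ev['dport']}"))
        else:
            denied[ev["src"]] += 1
        dports[ev["src"]].add(ev["dport"])
    for src, total in out_bytes.items():       # anomalous volume against the per-host baseline
        base = BYTES_BASELINE.get(src)
        if base and total > base * BYTES_MULTIPLIER:
            alerts.append(("anomalous_volume", src, f"{total} bytes vs baseline {base}"))
    for src, n in denied.items():              # increase in denied outbound traffic
        if n >= DENIED_THRESHOLD:
            alerts.append(("denied_spike", src, f"{n} denied connections"))
    for src, ports in dports.items():          # network scan: one source, many distinct ports
        if len(ports) >= SCAN_DISTINCT_PORTS:
            alerts.append(("port_scan", src, f"{len(ports)} distinct ports"))
    return alerts


def respond(alerts):
    """Map alerts to the playbooks' automated actions, deduplicated per host/IP."""
    actions = set()
    for kind, src, detail in alerts:
        if kind == "malicious_ip":
            actions.update({("block_outbound", detail), ("isolate_host", src)})
        elif kind in ("port_scan", "anomalous_volume"):
            actions.add(("isolate_host", src))
        else:   # lower-confidence triggers go to an analyst ticket, no containment on their own
            actions.add(("ticket", src))
    if actions:
        actions.add(("page_on_call", "soc"))
    return sorted(actions)


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for a in found:
        print("ALERT", *a)
    for action in respond(found):
        print("ACTION", *action)
```

Two design points matter for the manual-response steps that follow: the low-confidence triggers (odd port, denied spike) only raise a ticket, so a misconfigured client is not isolated on its own, and every action is keyed by host or IP and deduplicated, so the "unblock legitimate traffic that was misidentified" step has a single record per entity to revert.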
5. Threat Hunting
Finally, we will take a look at Threat Hunting. SOAR is really a framework that will greatly accelerate an analyst’s workflow, and if it is set up properly, analysts will be grateful for it. Threat Hunting can be improved by various avenues:
– Ingest a wide range of alerts and integrate with every tool for which an integration exists.
– Build hunting playbooks and enable analysts in a SOAR mindset – Enable analysts and allow them to automate their workflows by creating their library of playbooks that automate cross-referencing, correlation, and data enrichment to uncover anomalous activity.
– Employ threat intelligence – Incorporate threat feeds and intelligence into hunting playbooks to pivot on IOCs and high-risk events.
– Automate repetitive tasks – Use the SOAR tool to automate retrieval of data, event correlation, list comparisons so analysts can focus on decision making.
– Document discoveries & insights – Log all findings, new IOCs, suspicious activity within SOAR for maintaining institutional knowledge.
– Iterate on playbooks – Continuously improve hunting playbooks based on findings, new data sources, and enhanced techniques. Bring the engineering team closer to the analyst/security team and build a culture of collaboration.
– Collaborate & centralise – Share playbooks, findings, and best practices across analyst teams to improve hunting organisation-wide. A SOAR tool creates a common ground for the security teams to share and collaborate on their workflows and investigations.
– Track effectiveness – Set metrics for hunting success like new detections, time-to-discovery, meaningful findings to gauge impact over time. Use SLAs when possible, ideally set SLAs on every task/activity.
– Automated recovery – Build in automated response and remediation actions like killing processes, isolating systems, and disabling accounts. These small playbooks allow analysts to perform quick 2-5 action activities with one click.
Final Thoughts
As cyber security threats continue to evolve, having robust SOAR playbooks is essential for any organization aiming to stay ahead of potential breaches. The first five playbooks we’ve discussed lay a strong foundation for automating and streamlining your incident response processes. By implementing these playbooks, you not only enhance your security posture but also empower your team to respond more quickly and efficiently to the most pressing threats.
The need for effective and efficient incident response has never been more critical when it comes to securing organisations against the growing cyber threat. Security Orchestration, Automation, and Response (SOAR) platforms have become indispensable tools for organizations looking to bolster their security operations. A key component of these platforms is playbooks: predefined workflows that automate and streamline the incident response process.
As we progress through 2024, the complexity and frequency of cyber threats continue to grow, making it essential to have the right playbooks in place. In this blog, we will explore the top 10 SOAR playbooks for the upcoming year, focusing on the first five that every security team should consider implementing.
These playbooks not only enhance your response capabilities but also ensure that your organisation stays ahead of the curve in defending against the latest threats. Whether you are new to SOAR or looking to optimize your existing strategies, this guide will provide valuable insights into the most effective playbooks for 2024 and beyond.
1. Phishing
Phishing is the most common use case customers want to automate, and for good reason. Although it is a very complicated use case that requires a human-in-the-loop approach, it is still worth exploring automation avenues: phishing takes a long time to identify and remediate, while the risk remains very high and it is a favoured way to infiltrate and target organisations.
From an automation perspective, a Phishing use case will require several phases and multiple playbooks to respond. Now, it’s not uncommon to try and deal with such a use case through one big playbook, although we wouldn’t recommend it.
Some example tasks/actions could be:
Integrating and extracting email headers
Triaging and determining the scope of the probable infection
Passive enumeration
Escalation notification
Active enumeration
Separate activities, including sandboxing, if attachments are involved
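The first two tasks, header extraction and triage, plus the branch into a separate attachment workflow, as an added example that is not code from the original post. The raw message, its domains and addresses, and the scoring weights are constructed; the sandbox step is represented only by the routing decision.

```python
# Added example, not the post's own code: phishing header extraction and triage
# routing. The raw message, its domains and the scoring weights are constructed;
# the sandbox step is only a routing decision here.
import email
import re
from email import policy

RAW_EMAIL = b"""Received: from mx.example.net (mx.example.net [198.51.100.9]) by mail.corp.example
Received: from [203.0.113.7] (unknown [203.0.113.7]) by mx.example.net
Authentication-Results: mail.corp.example; spf=fail smtp.mailfrom=payroll.example;
 dkim=none; dmarc=fail header.from=payroll.example
From: "Payroll" <hr@payroll.example>
Reply-To: collect@evil.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document.
--b1
Content-Type: application/octet-stream; name="payslip.docm"
Content-Disposition: attachment; filename="payslip.docm"

AAAA
--b1--
"""
RISKY_EXTENSIONS = (".docm", ".exe", ".js", ".iso")

def extract_headers(raw):
    """Pull the fields the triage step needs from the message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    hops = [re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", r) for r in msg.get_all("Received", [])]
    return {
        "from": str(msg["From"]),
        "reply_to": str(msg["Reply-To"]) if msg["Reply-To"] else None,
        "auth": auth,
        "origin_ip": next((h.group(1) for h in reversed(hops) if h), None),  # earliest hop
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }

def triage(info):
    """Score the headers and pick the playbook branch (constructed weights)."""
    score = 2 * (info["auth"].get("spf") == "fail") + 2 * (info["auth"].get("dmarc") == "fail")
    score += 1 if info["reply_to"] and info["reply_to"] not in info["from"] else 0
    score += 2 * any(a.lower().endswith(RISKY_EXTENSIONS) for a in info["attachments"])
    if info["attachments"]:
        return score, "sandbox_attachments"      # separate attachment workflow
    return score, "passive_enumeration" if score >= 2 else "close_benign"
```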
2. Ransomware
With ransomware still topping the charts of cyber attacks and, most importantly, cost of breach, having a well-documented and also automated approach to responding to such incidents is extremely important.
The ransomware investigation playbook uses multiple input sources of alerts (EDR, SIEM etc.) and follows various verification checks to triage the alerts before escalating and proceeding with necessary response steps.
Monitor ransomware IOCs, EDR Alerts and odd emails
Look for rare connections, abnormal web activity
Block C2 traffic, any IPs associated with the attacker
Isolate affected systems
Disable affected user accounts or users created by attackers
Disconnect all affected computers/systems
Identify and remove binaries used by attackers
Identify and remove initial access used by attackers
Remove any associated accounts/users
3. Malware investigation (EDR alert)
EDRs are one of the most common tools Security teams use nowadays to identify attacks/breaches in their organisation. This use case can have multiple phases and a workbook consisting of multiple playbooks is encouraged. Phases can be triage, determine scope, remediate affected systems/users and post-investigation.
Malware detected or reported on user device
Analyst is notified of the adverse security event and is provided with details of the next steps and progress against the orchestrator playbook.
Toolset is orchestrated via one or more playbooks to search for additional instances of malware using intelligence from initial detection.
Orchestrator contains other affected devices in order to stop spread
Information required for investigation and to determine criticality is captured in alerts, which are sent to analysts for further analysis.
Support ticket created for each contained device and assigned to the end user support team to manage further communications.
SOAR tool learns and updates IOC information.
4. IOC Investigation (multiple CTI feeds)
Here is an example SOAR playbook for IOC investigation covering multiple CTI feeds:
Orchestrator ingests a list of IOCs (possibly .csv) from a threat feed or through manual input and extracts all IOCs.
Security tooling is orchestrated to hunt for the extracted IOCs (reputation and detonations) through a dedicated playbook.
IOC ‘hits’ are enriched with further context to increase true positive confidence level.
Once a predefined confidence level is met, an alert is triggered.
Information required for investigation and to determine criticality is captured in an alert, which is sent to the analyst for investigation in the subsequent phase.
Feedback on IOC hits shared with the threat intelligence team.
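The IOC investigation playbook above as a small pipeline, added here as an example and not the post's own code. The CSV export, the three CTI feeds, the local sightings and the confidence weights are constructed placeholders, and the "hunt" is a lookup against them rather than a call to real security tooling.

```python
# Added example, not the post's own code: IOC ingestion, hunting, enrichment
# and a confidence threshold. Feeds, CSV, sightings and weights are constructed.
import csv, io, re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
IOC_TYPES = (("ip", IPV4), ("sha256", SHA256), ("domain", DOMAIN))

FAKE_HASH = "ab" * 32                         # placeholder, not a real sample hash
IOC_CSV = f"""indicator,source
203.0.113.7,feed-a
evil.example,feed-a
not an ioc,feed-a
{FAKE_HASH},feed-b
"""
CTI_FEEDS = {                                 # feed name -> {indicator: verdict}
    "feed-a": {"203.0.113.7": "malicious", "evil.example": "malicious"},
    "feed-b": {"203.0.113.7": "malicious", FAKE_HASH: "suspicious"},
    "feed-c": {"evil.example": "benign"},
}
LOCAL_SIGHTINGS = {"203.0.113.7": 4}          # constructed hits in proxy/EDR telemetry
ALERT_THRESHOLD = 0.6                         # predefined confidence level for alerting

def extract_iocs(text):
    """Parse the CSV and keep only values that match a supported IOC type."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip().lower()
        kind = next((k for k, pattern in IOC_TYPES if pattern.match(value)), None)
        if kind:
            out.append((kind, value))
    return out

def enrich(ioc):
    """Confidence: share of feeds calling it malicious, boosted by local sightings."""
    verdicts = [feed.get(ioc) for feed in CTI_FEEDS.values()]
    score = sum(v == "malicious" for v in verdicts) / len(CTI_FEEDS)
    sightings = LOCAL_SIGHTINGS.get(ioc, 0)
    if sightings:
        score = min(1.0, score + 0.25)        # seen locally: raise true-positive confidence
    return {"ioc": ioc, "sightings": sightings, "confidence": round(score, 2)}

def run_playbook(text):
    """Split enriched IOCs into analyst alerts and feedback for the CTI team."""
    alerts, feedback = [], []
    for kind, ioc in extract_iocs(text):
        ctx = dict(enrich(ioc), type=kind)
        (alerts if ctx["confidence"] >= ALERT_THRESHOLD else feedback).append(ctx)
    return alerts, feedback
```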
5. Privileged user data exfiltration
This use case typically starts through a detection on a SIEM system (such as Splunk ES). This is a use case where data exfiltration activity is detected on a privileged user account, for example, a DevOps user transferring far more data between environments than a historic baseline threshold. Some steps involved are:
Automated alert sent via email to the privileged user to validate activity
Validate the activity with the involved user
If validated, monitor subsequent activity by enabling an additional rule in the SIEM
If not validated, termination of user sessions, credentials, etc. should be actioned
Information regarding criticality should be captured and followed up with the investigation.
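The baseline check and the validate/monitor/terminate branch of the playbook above, as an added example that is not the post's own code. The daily transfer volumes, user names, sigma multiplier and minimum history length are constructed; actions are returned as labels instead of being executed against a SIEM or directory.

```python
# Added example, not the post's own code: privileged-user exfiltration detection
# against a historic baseline, followed by the playbook's validation branch.
# Volumes, users, SIGMA and MIN_DAYS are constructed placeholders.
from statistics import mean, pstdev

# Constructed outbound transfer volume in GB per privileged user, last 14 days.
HISTORY = {
    "devops-alice": [2.1, 1.9, 2.4, 2.0, 2.2, 1.8, 2.3, 2.0, 2.1, 1.9, 2.2, 2.0, 2.4, 2.1],
    "devops-bob":   [0.5, 0.6, 0.4, 0.5, 0.7, 0.6, 0.5, 0.4, 0.5, 0.6, 0.5, 0.5, 0.6, 0.4],
}
TODAY = {"devops-alice": 2.3, "devops-bob": 9.8}   # constructed current-day totals
SIGMA = 3.0            # standard deviations above the mean that count as anomalous
MIN_DAYS = 7           # refuse to baseline a user with too little history

def baseline_threshold(samples):
    """Historic baseline threshold: mean plus SIGMA standard deviations."""
    if len(samples) < MIN_DAYS:
        raise ValueError("not enough history to build a baseline")
    return mean(samples) + SIGMA * pstdev(samples)

def detect_exfil(history, today):
    """Return (user, today_gb, threshold_gb) for users above their own baseline."""
    flagged = []
    for user, gb in today.items():
        threshold = baseline_threshold(history[user])
        if gb > threshold:
            flagged.append((user, gb, round(threshold, 2)))
    return flagged

def respond(user, validated):
    """Playbook branch after the validation email has (or has not) been answered."""
    actions = [f"email_validation_request:{user}"]
    if validated is True:
        actions.append(f"siem_enable_rule:extra_monitoring:{user}")
    else:  # not validated, or no answer: treat as unconfirmed and contain
        actions += [f"terminate_sessions:{user}", f"revoke_credentials:{user}",
                    f"capture_criticality:{user}", f"escalate_investigation:{user}"]
    return actions
```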
Final Thoughts
As cybersecurity threats continue to evolve, having robust SOAR playbooks is essential for any organization aiming to stay ahead of potential breaches. The first five playbooks we’ve discussed lay a strong foundation for automating and streamlining your incident response processes in 2024. By implementing these playbooks, you not only enhance your security posture but also empower your team to respond more quickly and efficiently to the most pressing threats.
Stay tuned for the next part of this series, where we’ll explore the remaining five playbooks that will complete your toolkit for a comprehensive and proactive defence strategy. By integrating these proven playbooks into your SOAR platform, you’ll be well-equipped to navigate the ever-changing cybersecurity landscape in the year ahead.
We are thrilled to announce the official launch of our newly redesigned website! At HOOP Cyber, we are committed to staying ahead of the curve, and our fresh, modern website is a reflection of that commitment.
What’s New?
User-Friendly Interface: We’ve streamlined the navigation to make it easier for you to find all the information you need. Whether you’re seeking our latest cyber security solutions or insights from our blog, everything is just a click away.
Enhanced Resources: We will soon be launching a wide range of resources including whitepapers, case studies, and webinars.
Mobile Optimized: Our website is now fully responsive, offering a seamless browsing experience on all your devices.
New Features: Explore our updated service offerings designed to provide more value and convenience to our partners.
Why the Change?
We wanted to create a site that reflects our growth and innovation at HOOP Cyber while continuing to provide our HOOP Lake solutions and first-class support you’ve come to expect from us.
Explore Today!
We invite you to explore our new site and discover the enhancements designed to improve your experience. Visit us at www.hoopcyber.com and let us know what you think.