Top 10 SOAR Playbooks for 2024 – 1 to 5
The need for effective and efficient incident response has never been more critical when it comes to securing organisations against the growing cyber threat. Security Orchestration, Automation, and Response (SOAR) platforms have become indispensable tools for organisations looking to bolster their security operations. A key component of these platforms is the playbook: a predefined workflow that automates and streamlines the incident response process.
As we progress through 2024, the complexity and frequency of cyber threats continue to grow, making it essential to have the right playbooks in place. In this blog we explore the top 10 SOAR playbooks for the year, focusing on the first five that every security team should consider implementing.
These playbooks not only enhance your response capabilities but also help your organisation stay ahead of the curve in defending against the latest threats. Whether you are new to SOAR or looking to optimise your existing strategies, this guide provides insight into the most effective playbooks for 2024 and beyond.
1. Phishing
Phishing is the use case customers most often want to automate, and for good reason. It is a complicated use case and needs a human in the loop, but it is still worth automating: identifying and remediating a phishing campaign by hand takes a long time, the risk remains high, and it is still one of the most reliable ways to get an initial foothold in an organisation.
From an automation perspective, a phishing use case spans several phases and needs multiple playbooks. It is not uncommon to try to handle it with one big playbook, but we would not recommend it: smaller playbooks, one per phase, are easier to test, reuse and hand off to an analyst.
Some example tasks/actions could be:
- Ingesting the reported email and extracting its headers (From, Reply-To, the Received chain, SPF/DKIM/DMARC results)
- Triaging and determining the scope of the probable compromise (who else received the message, who clicked)
- Passive enumeration (reputation look-ups of the sender domain, URLs and attachment hashes)
- Escalation notification
- Active enumeration
- Separate handling when attachments are involved, with sandboxing
- File analysis
- Notifying affected users and, where the phishing site impersonates your organisation, raising a takedown request for the domain
Phases involved:
- Detection
- Triage
- Response
- Containment
- Credential Resets
- Remediation
- Review
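As an added example, not code from the original post, here is a minimal Python triage step covering the first few tasks above: parse the reported email with the standard library, pull the headers a phishing analyst keys on (From, Reply-To, the Received chain and SPF/DKIM/DMARC results), extract URLs from the body, hash attachments for intel look-ups or sandboxing, and score the message to decide whether it goes to escalation, to an analyst, or is closed. The sample message, the scoring weights and the thresholds are all this example's assumptions, not a standard.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample for this example, not a real phish: the Reply-To domain differs
# from the From domain, SPF and DMARC fail, the body links to the Reply-To domain and
# there is a small (meaningless) .zip attachment.
SAMPLE_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@mail-example.co
To: alice@example.com
Subject: Password expiry notice
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.co;
 dkim=none; dmarc=fail header.from=example.com
Received: from mail-example.co (203.0.113.7) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://mail-example.co/reset?u=alice
--XYZ
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

RISKY_EXTENSIONS = (".zip", ".iso", ".exe", ".js", ".html", ".lnk", ".vbs")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern email API (policy.default)."""
    return email.message_from_bytes(raw, policy=policy.default)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def extract_headers(msg: EmailMessage) -> dict:
    """The header fields a phishing triage playbook keys on."""
    from_addr = msg["From"].addresses[0].addr_spec
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else from_addr
    auth_results = str(msg.get("Authentication-Results", ""))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_results)}
    # One Received header per hop; the top-most is the hop closest to our MX.
    return {"from": from_addr, "reply_to": reply_to, "auth": auth,
            "received": [str(h) for h in msg.get_all("Received", [])]}


def extract_urls(msg: EmailMessage) -> list:
    """Collect URLs from the text parts (plain and html) for passive enumeration."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


def hash_attachments(msg: EmailMessage) -> list:
    """SHA-256 each attachment so it can be checked against intel or sent to a sandbox."""
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        out.append({"name": part.get_filename() or "unnamed",
                    "sha256": hashlib.sha256(payload).hexdigest(), "size": len(payload)})
    return out


def triage(raw: bytes) -> dict:
    """Score the message and pick the next phase. Weights and thresholds are this
    example's own and should be tuned to your environment."""
    msg = parse_message(raw)
    hdr = extract_headers(msg)
    urls = extract_urls(msg)
    attachments = hash_attachments(msg)
    from_domain = _domain(hdr["from"])
    checks = [  # (triggered?, weight, reason)
        (_domain(hdr["reply_to"]) != from_domain, 3, "Reply-To domain differs from From domain"),
        (hdr["auth"].get("dmarc") == "fail", 3, "DMARC fail"),
        (hdr["auth"].get("spf") == "fail", 2, "SPF fail"),
    ]
    checks += [((urlparse(u).hostname or "").lower() != from_domain, 1, f"link to external host: {u}") for u in urls]
    checks += [(a["name"].lower().endswith(RISKY_EXTENSIONS), 2, f"risky attachment type: {a['name']}") for a in attachments]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [reason for hit, _, reason in checks if hit]
    verdict = "escalate" if score >= 6 else "analyst_review" if score >= 3 else "close"
    return {"score": score, "verdict": verdict, "reasons": reasons,
            "headers": hdr, "urls": urls, "attachments": attachments}
```

Calling `triage(SAMPLE_EMAIL)` returns a verdict of `escalate` with the reasons listed; in a SOAR platform each function would map to one action, and the verdict decides which phase playbook runs next. Do not treat a `close` verdict as final without sampling: the weights above catch the obvious cases, and a human-in-the-loop review of closed reports is what keeps them honest.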
2. Ransomware investigation
With ransomware still topping the charts for both frequency of attacks and, most importantly, cost of breach, a well-documented and automated approach to responding to these incidents is essential.
The ransomware investigation playbook takes alerts from multiple sources (EDR, SIEM, etc.) and runs a set of verification checks to triage them before escalating and proceeding with the response steps below. The triage step matters because the containment actions are disruptive if run against a false positive.
- Monitor ransomware IOCs, EDR alerts and unusual emails
- Look for rare connections and abnormal web activity
- Block C2 traffic and any IPs associated with the attacker
- Isolate affected systems
- Disable affected user accounts and any accounts created by the attacker
- Disconnect all affected computers/systems
- Identify and remove binaries used by the attacker
- Identify and close the initial access vector used by the attacker
- Remove any associated accounts/users
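As an added example (not code from the original post), the following Python shows the triage-before-escalate logic in its simplest form: alerts from an EDR and a SIEM are grouped per host, an EDR ransomware alert is only treated as confirmed when a corroborating SIEM alert lands on the same host within a 30-minute window, and only confirmed hosts get the automatic containment actions listed above; the rest go to an analyst. The alert records, field names, alert types and the window are all this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts for this example; 'src', 'type' and the 'ioc' sub-fields are this
# example's own schema, not any EDR or SIEM vendor's.
ALERTS = [
    {"src": "edr", "ts": "2024-03-04T09:01:00", "host": "ws-017", "user": "bob",
     "type": "ransomware_behaviour", "ioc": {}},
    {"src": "siem", "ts": "2024-03-04T09:03:30", "host": "ws-017", "user": "bob",
     "type": "shadow_copy_deletion", "ioc": {}},
    {"src": "siem", "ts": "2024-03-04T09:04:10", "host": "ws-017", "user": "bob",
     "type": "rare_outbound_connection", "ioc": {"ip": "198.51.100.23"}},
    {"src": "siem", "ts": "2024-03-04T09:05:00", "host": "ws-017", "user": "bob",
     "type": "local_account_created", "ioc": {"account": "svc_backup2"}},
    # ws-042: an EDR alert whose only 'rare connection' is hours later, outside the window
    {"src": "edr", "ts": "2024-03-04T07:00:00", "host": "ws-042", "user": "carol",
     "type": "ransomware_behaviour", "ioc": {}},
    {"src": "siem", "ts": "2024-03-04T11:30:00", "host": "ws-042", "user": "carol",
     "type": "rare_outbound_connection", "ioc": {"ip": "203.0.113.9"}},
]

# Alert types that corroborate an EDR ransomware verdict when seen on the same host.
CORROBORATING = {"shadow_copy_deletion", "mass_file_rename",
                 "rare_outbound_connection", "local_account_created"}
WINDOW = timedelta(minutes=30)


def correlate(alerts, window=WINDOW):
    """Per host: 'confirmed' when an EDR ransomware alert has at least one corroborating
    alert within `window` of it, 'suspected' when the EDR alert stands alone."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    verdicts = {}
    for host, items in by_host.items():
        edr = [a for a in items if a["src"] == "edr" and a["type"] == "ransomware_behaviour"]
        if not edr:
            continue
        anchor = datetime.fromisoformat(edr[0]["ts"])
        corroborating = [a for a in items if a["type"] in CORROBORATING
                         and abs(datetime.fromisoformat(a["ts"]) - anchor) <= window]
        verdicts[host] = {"verdict": "confirmed" if corroborating else "suspected",
                          "alerts": edr + corroborating}
    return verdicts


def response_plan(verdicts):
    """Expand verdicts into the actions the playbook would run. Only confirmed hosts are
    auto-contained; suspected ones are escalated so an analyst decides."""
    actions = []
    for host, v in verdicts.items():
        if v["verdict"] != "confirmed":
            actions.append({"action": "escalate_to_analyst", "target": host})
            continue
        actions.append({"action": "isolate_host", "target": host})
        for alert in v["alerts"]:
            if "ip" in alert["ioc"]:
                actions.append({"action": "block_ip", "target": alert["ioc"]["ip"]})
            if "account" in alert["ioc"]:
                actions.append({"action": "disable_account", "target": alert["ioc"]["account"]})
        for user in sorted({a["user"] for a in v["alerts"]}):
            actions.append({"action": "reset_credentials", "target": user})
        actions.append({"action": "open_ticket", "target": host})
    return actions
```

With the constructed alerts, `ws-017` is confirmed and gets isolation, an IP block, the attacker-created account disabled and the affected user's credentials reset, while `ws-042` is only escalated. Note the asymmetry: the window is applied to the EDR alert, so a SIEM alert arriving hours later never upgrades an old suspected host on its own; that is a deliberate choice to keep auto-containment conservative, and the analyst path exists for exactly those cases.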
3. Malware investigation (EDR alert)
EDRs are among the most common tools security teams use to identify attacks and breaches in their organisation. This use case has multiple phases, and a workbook consisting of multiple playbooks is encouraged. Phases can be: triage, determine scope, remediate affected systems and users, and post-investigation review.
- Malware is detected on, or reported from, a user device
- The analyst is notified of the security event and given the next steps and progress against the orchestrator playbook
- The toolset is orchestrated, via one or more playbooks, to search for additional instances of the malware using the indicators from the initial detection (file hashes, process names, C2 addresses)
- The orchestrator contains the other affected devices to stop the spread
- The information needed to investigate and determine criticality is captured in alerts sent to analysts for further analysis
- A support ticket is created for each contained device and assigned to the end-user support team to manage further communications
- The SOAR tool records the new IOCs so later hunts and detections use them
4. IOC Investigation (multiple CTI feeds)
Here is an example SOAR playbook for IOC investigation covering multiple CTI feeds:
- The orchestrator ingests a list of IOCs (for example a CSV) from a threat feed or manual input, extracts every indicator and classifies each by type (IP, domain, URL, file hash), discarding anything it cannot classify
- Security tooling is orchestrated, through a dedicated playbook, to hunt for the extracted IOCs: reputation look-ups for all of them and sandbox detonation for file indicators
- IOC hits are enriched with further context to raise the true-positive confidence level
- Once a predefined confidence level is met, an alert is triggered
- The information needed to investigate and determine criticality is captured in an alert sent to the analyst for the investigation phase that follows
- Feedback on which IOCs hit, and which feeds supplied them, is shared with the threat intelligence team
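As an added example serving both the EDR malware hunt in section 3 and the IOC investigation above (it is not code from the original post), here is a Python sketch of the ingest, hunt, enrich and threshold steps: a CSV feed is parsed and each indicator is classified by type and deduplicated across feeds; the set is matched against normalised telemetry from several tools; each hit is scored by how many feeds reported it, how many tools saw it and whether it appeared on more than one device; hits over a threshold raise an alert; the devices behind alerting IOCs become the containment list; and sightings are written back to the IOC store. The feed layout, telemetry rows, weights and threshold are this example's assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed feed for this example: two columns, the indicator and the feed that reported
# it. Values are made up and the layout is an assumption, not any vendor's export format.
FEED_CSV = """\
indicator,source
198.51.100.23,vendor-a
evil-updates.example,vendor-a
0123456789abcdef0123456789abcdef,vendor-b
http://evil-updates.example/payload.bin,vendor-b
198.51.100.23,vendor-b
not an indicator,vendor-c
"""

# Constructed telemetry already normalised to (tool, device, observed value). In a real
# playbook each tuple would come from a per-tool search action.
TELEMETRY = [
    ("edr", "ws-017", "0123456789abcdef0123456789abcdef"),
    ("edr", "ws-021", "0123456789ABCDEF0123456789ABCDEF"),  # same hash, different case
    ("proxy", "ws-017", "http://evil-updates.example/payload.bin"),
    ("dns", "ws-017", "evil-updates.example"),
    ("dns", "srv-db01", "evil-updates.example"),
    ("firewall", "ws-021", "198.51.100.23"),
    ("edr", "ws-099", "benign.exe"),
]

# Order matters: hashes before domains so a hex string is never taken for a hostname.
IOC_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("url", re.compile(r"^https?://\S+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
]


def normalise(value):
    # Lower-casing is lossy for URL paths; acceptable here, revisit for case-sensitive IOCs.
    return value.strip().lower()


def classify(value):
    for kind, pattern in IOC_PATTERNS:
        if pattern.match(value):
            return kind
    return None


def ingest(csv_text):
    """Parse the feed, classify each indicator, drop unrecognised rows and merge duplicates
    so every feed that reported an IOC is retained."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = normalise(row["indicator"])
        kind = classify(value)
        if kind is None:
            continue
        iocs.setdefault(value, {"type": kind, "feeds": set(), "sightings": set()})
        iocs[value]["feeds"].add(row["source"])
    return iocs


def hunt(iocs, telemetry):
    """Match telemetry against the IOC set. Returns ioc -> list of hits and records the
    sightings back on the IOC store (the 'learn and update' step)."""
    hits = defaultdict(list)
    for tool, device, observed in telemetry:
        key = normalise(observed)
        if key in iocs:
            hits[key].append({"tool": tool, "device": device})
            iocs[key]["sightings"].add(device)
    return hits


def score(iocs, hits, alert_threshold=3):
    """Confidence = feeds reporting the IOC + distinct tools that saw it + 1 if seen on more
    than one device. Weights and threshold are illustrative."""
    results = []
    for ioc, seen in hits.items():
        tools = sorted({h["tool"] for h in seen})
        devices = sorted({h["device"] for h in seen})
        confidence = len(iocs[ioc]["feeds"]) + len(tools) + (1 if len(devices) > 1 else 0)
        results.append({"ioc": ioc, "type": iocs[ioc]["type"], "feeds": sorted(iocs[ioc]["feeds"]),
                        "tools": tools, "devices": devices, "confidence": confidence,
                        "alert": confidence >= alert_threshold})
    return sorted(results, key=lambda r: (-r["confidence"], r["ioc"]))


def devices_to_contain(results):
    """Devices touched by any IOC that crossed the alert threshold."""
    return sorted({d for r in results if r["alert"] for d in r["devices"]})
```

The `feeds` field on each result is the feedback for the threat intelligence team: it tells them which sources produced hits and which only produced noise. The normalisation step is what lets the mixed-case hash on `ws-021` match; without it that device would be missed by the hunt and left out of the containment list.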
5. Privileged user data exfiltration
This use case typically starts with a detection on a SIEM (such as Splunk ES): data exfiltration activity is detected on a privileged account, for example a DevOps account transferring far more data between environments than its historical baseline. Some steps involved are:
- An automated alert is sent to the privileged user asking them to validate the activity; send it out-of-band or to the user's manager as well, because a compromised account can simply confirm its own activity
- Validate the activity with the user involved
- If validated, monitor subsequent activity by enabling an additional rule in the SIEM
- If not validated, terminate the user's sessions and reset or revoke their credentials
- Capture the information needed to assess criticality and follow up with the investigation
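As an added example (not code from the original post), the following Python shows the baseline comparison and the validate-or-contain branch: a per-account median is built from historical daily transfer volumes, an account is flagged only when today's volume is both a multiple of that median and above an absolute floor, accounts with too little history are deliberately not scored, and the validation outcome selects the next actions. The log layout, thresholds and action names are this example's assumptions, not Splunk ES fields.

```python
import statistics

# Constructed history of outbound transfer volume (bytes) per privileged account and day,
# standing in for a SIEM summary search. The layout is this example's own.
HISTORY = (
    [("devops-1", f"2024-02-{d:02d}", 1.0e9 + (d % 3) * 2e8) for d in range(1, 15)]
    + [("devops-2", f"2024-02-{d:02d}", 2.0e9 + (d % 3) * 2e8) for d in range(1, 15)]
    + [("devops-3", f"2024-02-{d:02d}", 5.0e8) for d in range(12, 15)]  # only 3 days seen
)
# Today's volumes (constructed): devops-1 is ~30x its norm, devops-2 is normal and
# devops-3 has no usable baseline yet even though its number looks large.
TODAY = {"devops-1": 38.0e9, "devops-2": 2.1e9, "devops-3": 9.0e9}


def baseline(history, user, min_days=7):
    """Median daily volume for `user`, or None when there is too little history to trust.
    The median is used rather than the mean so one earlier spike does not inflate it."""
    values = [b for u, _, b in history if u == user]
    if len(values) < min_days:
        return None
    return {"median": statistics.median(values), "days": len(values)}


def evaluate(history, today, ratio=5.0, floor_bytes=1e9):
    """Flag accounts whose volume is both `ratio` times their median and at least
    `floor_bytes` above it (the floor stops tiny baselines producing noisy alerts).
    Thresholds are illustrative and should be tuned per environment."""
    findings = []
    for user, observed in today.items():
        base = baseline(history, user)
        if base is None:
            # No baseline: route to a separate new-account rule rather than guessing here.
            continue
        if observed > ratio * base["median"] and observed - base["median"] > floor_bytes:
            findings.append({"user": user, "observed": observed, "median": base["median"],
                             "ratio": observed / base["median"]})
    return findings


def next_actions(finding, validation):
    """`validation` is None while the user's answer is pending, True if the user confirmed
    the activity, False if they denied it or the validation window expired.
    The request goes out-of-band (or to the user's manager) rather than only to the
    account under suspicion, which an attacker may control."""
    if validation is None:
        return ["request_validation_out_of_band", "notify_manager", "start_validation_timer"]
    if validation:
        return ["enable_enhanced_monitoring_rule", "record_justification", "close_as_validated"]
    return ["terminate_sessions", "reset_credentials", "disable_account_pending_investigation",
            "open_incident"]
```

Treat a validation timeout the same as a denial (`validation=False`): if the user does not answer inside the window, the playbook should contain rather than wait, since a quiet account mid-exfiltration looks exactly like an unanswered email.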
Final Thoughts
As cybersecurity threats continue to evolve, having robust SOAR playbooks is essential for any organisation aiming to stay ahead of potential breaches. The first five playbooks we have discussed lay a strong foundation for automating and streamlining your incident response processes in 2024. By implementing them, you not only improve your security posture but also let your team respond more quickly and consistently to the most pressing threats.
Stay tuned for the next part of this series, where we’ll explore the remaining five playbooks that will complete your toolkit for a comprehensive and proactive defence strategy. By integrating these proven playbooks into your SOAR platform, you’ll be well-equipped to navigate the ever-changing cybersecurity landscape in the year ahead.