Top 10 SOAR Playbooks for 2024 – 6 to 10
The need for effective and efficient incident response has never been more critical when it comes to securing organisations against growing cyber threats. Security Orchestration, Automation, and Response (SOAR) platforms have become indispensable for organisations looking to bolster their security operations. A key component of these platforms is the playbook: a predefined workflow that automates and streamlines the incident response process.
As we progress through 2024, the complexity and frequency of cyber threats continue to grow, making it essential to have the right playbooks in place. This post continues our look at the top 10 SOAR playbooks with the second five (6 to 10), each of which every security team should consider implementing. These playbooks not only improve your response capabilities but also help your organisation stay ahead of the curve in defending against the latest threats.
Whether you are new to SOAR or looking to optimise your existing strategies, this guide will provide valuable insights into the most effective playbooks you can deploy this year.
1. Cryptojacking
Cryptojacking is a type of cyber attack in which an attacker hijacks a victim’s computer or device to mine cryptocurrency without the victim’s knowledge or consent. It has become increasingly common because cryptocurrency is valuable and mining software is trivial to deploy on a compromised host. The aim of this SOAR playbook is to provide a framework for responding to a cryptojacking incident, minimising the impact and preventing further damage.
Here is an example SOAR playbook for investigating and responding to a cryptojacking infection:
- Detection Triggers:
- Alerts for unrecognised processes consuming sustained high CPU
- Detection of connections to known or unauthorised mining pools (typically Stratum protocol traffic)
- Abnormal GPU usage spikes
- Antivirus alerts for known mining malware
- Investigation Playbook:
- Isolate affected host(s) from the network
- Capture running processes list, process trees
- Analyse process binaries for malware signatures
- Inspect persistence mechanisms (registry run keys and scheduled tasks on Windows; cron jobs and systemd units on Linux)
- Identify mining pool connections and wallet addresses
- Determine infection source (phishing email, drive-by download, etc)
- Response Playbook:
- Kill malicious processes related to cryptojacking
- Remove registry keys, scheduled tasks or cron entries used for persistence
- Quarantine and delete malware files
- Reset credentials for any accounts that were compromised
- Reimage infected hosts if needed
- Block mining pool connections via firewall
- Recovery:
- Scan for additional infections across the network
- Install updated antivirus signatures
- Implement firewall rules blocking mining activities
- Increase logging and monitoring of CPU and GPU usage
- Educate employees on cryptojacking methods and risks
- Post Incident:
- Determine infection vector to prevent reoccurrence
- Calculate costs associated with cryptojacking
- Report details to management and CISO
- Develop metrics to measure effectiveness of detection capability
The goals are rapid containment, elimination of the infection and closing gaps to prevent future cryptojacking incidents.
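As an added example (not code from the original post), here is how the detection triggers and the first investigation steps above can be encoded as a triage function in Python, the language most SOAR platforms use for custom playbooks. The process telemetry is a constructed sample, and the pool domain, port list, trusted-publisher allowlist and the `-u`/`--user` wallet-as-username flag convention are assumptions standing in for a real threat-intel feed and the miner's actual command line. Scoring is deliberately conservative: high CPU on its own only escalates, so a build server is not isolated by mistake.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed indicators standing in for a threat-intel feed: Stratum URL schemes,
# ports commonly used by mining pools, and one constructed pool domain.
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
KNOWN_POOL_DOMAINS = {"pool.example-miner.invalid"}
TRUSTED_PUBLISHERS = {"Microsoft Corporation"}   # assumed code-signing allowlist
CPU_THRESHOLD = 80.0                              # sustained CPU percent
# Assumed miner convention: wallet address passed as the pool username.
WALLET_RE = re.compile(r"(?:^|\s)(?:-u|--user)[=\s]+(\S+)")

@dataclass
class Process:
    host: str
    pid: int
    name: str
    cpu_pct: float
    cmdline: str
    signed_by: str | None
    connections: list[tuple[str, int]]   # (remote host, remote port)

@dataclass
class Verdict:
    host: str
    pid: int
    score: int = 0
    wallet: str | None = None
    reasons: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)

def wallet_from_cmdline(cmdline: str) -> str | None:
    """Pull the pool username (usually the wallet address) from miner flags."""
    m = WALLET_RE.search(cmdline)
    return m.group(1) if m else None

def score_process(p: Process) -> Verdict:
    v = Verdict(p.host, p.pid)
    if p.cpu_pct >= CPU_THRESHOLD:
        v.score += 2
        v.reasons.append(f"sustained CPU {p.cpu_pct:.0f}%")
    if any(s in p.cmdline for s in STRATUM_SCHEMES):
        v.score += 4
        v.reasons.append("Stratum pool URL in command line")
    for remote, port in p.connections:
        if remote in KNOWN_POOL_DOMAINS:
            v.score += 4
            v.reasons.append(f"connection to known pool {remote}")
        elif port in MINING_PORTS:
            v.score += 1
            v.reasons.append(f"connection on common pool port {port}")
    if p.signed_by not in TRUSTED_PUBLISHERS:
        v.score += 1
        v.reasons.append("binary not signed by a trusted publisher")
    v.wallet = wallet_from_cmdline(p.cmdline)
    # High CPU alone is not evidence: a compiler or video encoder looks the
    # same. Containment requires a network or command-line indicator too.
    if v.score >= 6:
        v.actions = ["capture_process_tree", "isolate_host", "kill_process",
                     "block_pool_egress", "collect_binary_for_analysis"]
    elif v.score >= 3:
        v.actions = ["capture_process_tree", "escalate_to_analyst"]
    return v

def triage(processes: list[Process]) -> dict[tuple[str, int], Verdict]:
    return {(v.host, v.pid): v for v in map(score_process, processes)}

# Constructed telemetry: one disguised miner and one legitimate CPU-heavy job.
SAMPLE_PROCESSES = [
    Process("ws-17", 4242, "svchost.exe", 97.0,
            "C:\\Users\\Public\\svchost.exe -o stratum+tcp://pool.example-miner.invalid:3333 "
            "-u 4AAAAconstructedwalletAAAA -p x",
            None, [("pool.example-miner.invalid", 3333)]),
    Process("build-01", 77, "cl.exe", 95.0, "cl.exe /O2 /c main.c",
            "Microsoft Corporation", []),
]

if __name__ == "__main__":
    for key, v in triage(SAMPLE_PROCESSES).items():
        print(key, v.score, v.wallet, v.actions, v.reasons)
```

The wallet address recovered from the command line is worth recording as an IOC in its own right: it ties together infections across hosts even when the miner binary and pool domain change.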
2. Vulnerability Management
Vulnerability Management is a use case that involves identifying, prioritising and remediating vulnerabilities in an organisation’s systems and applications. Unlike the other playbooks here it is not triggered by an incident: the playbook provides a framework for automating the recurring scan-to-remediation cycle, shrinking the window in which a known vulnerability remains exploitable.
Here is an example SOAR playbook for automating the vulnerability management lifecycle:
- Integrations:
- Vulnerability scanners (Qualys, Nessus, etc)
- IT ticketing systems
- CMDB
- Active Directory
- Security monitoring tools
- Workflows:
- Scheduled vulnerability scans on in-scope assets
- Automated intake of scan results
- Parsing of results, mapping CVEs to assets
- Prioritisation based on CVSS scores, adjusted for asset criticality, internet exposure and evidence of active exploitation (a CVSS score alone says nothing about whether the flaw is reachable or being exploited)
- Creation of tickets assigning vulnerabilities
- Enrichment with asset data from CMDB
- Notification to asset owners via email
- Tracking of vulnerability status changes
- Verification scans after remediation
- Metrics on vulnerability KPIs
- Playbooks:
- Weekly full scans of production assets
- Daily scans of newly onboarded systems and newly published vulnerabilities
- Re-scans of systems flagged as remediated
- Reporting – dashboards for new vulns, stats, trends
- Post-remediation actions:
- Determine root causes
- Evaluate compensating controls
- Develop remediation standards
- Improve scanning coverage
- Identify detection opportunities
- Response options:
- Emergency patching
- Isolate vulnerable systems
- Enforce multi-factor authentication
- Develop temporary workarounds
The goal is to use SOAR to automate the vulnerability management process end-to-end, from scanning through ticketing to remediation verification, increasing efficiency and visibility while reducing organisational risk.
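The prioritisation, ticketing and verification steps of the workflow above, written out as an added example rather than the post's own code. The scan findings, CMDB extract, known-exploited set, CVE identifiers (placeholders, not real CVEs) and SLA table are all constructed. Two details matter in practice and are handled here: a finding already tracked as an open ticket must not spawn a duplicate, and an asset missing from the CMDB is itself a finding, since it cannot be assigned an owner.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str      # placeholder identifiers below, not real CVEs
    cvss: float

# Constructed CMDB extract: owner, criticality (1 low .. 3 high), exposure.
CMDB = {
    "web-01": {"owner": "web-team@example.invalid", "criticality": 3, "internet_facing": True},
    "hr-db":  {"owner": "dba@example.invalid",      "criticality": 3, "internet_facing": False},
    "lab-07": {"owner": "lab@example.invalid",      "criticality": 1, "internet_facing": False},
}
KNOWN_EXPLOITED = {"CVE-0000-1001"}                    # stand-in for a KEV-style feed
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}     # assumed remediation policy
UNMAPPED_QUEUE = "vm-triage@example.invalid"          # assumed owner for unknown assets

def priority(f: Finding, cmdb=CMDB, exploited=KNOWN_EXPLOITED) -> str:
    """CVSS adjusted for exploitation evidence, exposure and asset criticality."""
    score = f.cvss
    if f.cve in exploited:
        score += 3.0
    asset = cmdb.get(f.asset)
    if asset:
        if asset["internet_facing"]:
            score += 2.0
        score += asset["criticality"] - 2      # -1 for low, +1 for high
    if score >= 11:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 5:
        return "P3"
    return "P4"

def build_tickets(findings, open_tickets: set[tuple[str, str]], today: date, cmdb=CMDB):
    """One ticket per (asset, CVE) not already open; unmapped assets go to triage."""
    tickets = []
    for f in findings:
        if (f.asset, f.cve) in open_tickets:
            continue                       # already tracked, do not duplicate
        p = priority(f, cmdb)
        asset = cmdb.get(f.asset)
        tickets.append({
            "asset": f.asset, "cve": f.cve, "priority": p,
            "owner": asset["owner"] if asset else UNMAPPED_QUEUE,
            "due": today + timedelta(days=SLA_DAYS[p]),
            "needs_cmdb_fix": asset is None,
        })
    return tickets

def verify_remediation(open_tickets: set[tuple[str, str]], rescan):
    """Close tickets whose (asset, CVE) no longer appears in the verification scan."""
    still_present = {(f.asset, f.cve) for f in rescan}
    closed = {t for t in open_tickets if t not in still_present}
    return closed, open_tickets - closed

# Constructed scan import; ghost-99 is an asset the CMDB does not know about.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-1001", 9.8),
    Finding("hr-db", "CVE-0000-1002", 7.5),
    Finding("lab-07", "CVE-0000-1003", 6.1),
    Finding("ghost-99", "CVE-0000-1002", 7.5),
]

def run_sample(today_iso: str = "2024-06-03"):
    already_open = {("hr-db", "CVE-0000-1002")}   # ticket from a previous scan
    return build_tickets(SAMPLE_FINDINGS, already_open, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for t in run_sample():
        print(t)
```

The `needs_cmdb_fix` flag is the signal to feed back into the "improve scanning coverage" step: every unmapped asset that turns up in a scan is an inventory gap as well as a vulnerability.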
3. Potential Malicious External Communications (Splunk ES – SIEM)
Here is a potential SOAR playbook for detecting and responding to malicious external communication using a SIEM such as Splunk Enterprise Security:
- Detection Triggers:
- Increased outbound network traffic to suspicious IPs
- Traffic to known malicious domains
- Anomalous traffic patterns that deviate from baseline
- Automated Response Actions:
- Add suspicious IP addresses to a quarantine watchlist pending analyst review
- Block outbound traffic to detected malicious IPs/domains
- Isolate compromised host(s) exhibiting suspicious network activity
- Kill processes associated with suspicious connections
- Disable user account(s) associated with anomalous activity (normally gated behind analyst approval)
- Notifications:
- Alert SOC team via email, SMS about malicious activity
- Create high priority ticket in incident response platform
- Notify CISO if scale of malicious activity is widespread
- Manual Response Options:
- Review full packet captures for the flagged sessions
- Analyse malware samples associated with communication
- Initiate forensic investigation if necessary
- Develop IOCs (Indicators of Compromise) for newly detected threats
- Add malicious domains/IPs to security platforms like firewalls
- Unblock legitimate traffic that was misidentified
- Enable enhanced network monitoring for further detection
- Post-incident Analysis:
- Root cause analysis to understand initial compromise vector
- Review visibility gaps that delayed detection/response
- Tune detection rules to improve accuracy of alerts
- Develop defensive measures against newly identified threats
- Update network and host-based security tools as needed
4. Malicious Network Behaviour
Here is an example SOAR playbook for detecting and responding to malicious network behaviour:
- Data Sources:
- Firewall logs
- Netflow records
- IDS/IPS alerts
- Endpoint detection alerts
- Detection Triggers:
- Known malicious IP address communication
- Anomalous bandwidth usage/data transfer
- Increase in denied outbound network traffic
- Detections of network scans
- Flagged connections to botnet C2 servers
- Activity on non-standard ports
- Automated Response:
- Isolate affected host(s) at the switch port level
- Quarantine file(s) identified as malicious – [RA3302]
- Block outbound network communication to malicious IPs – [RA3107]
- Disable abnormal user accounts
- Kill unexpected processes and services
- Notifications:
- Create high severity ticket in service desk
- Page on-call SOC responder
- Email network security distribution list
- Manual Response:
- Collect logs and relevant artefacts for analysis
- Check for lateral movement in the network
- Conduct forensic investigation of compromised hosts
- Block additional IOCs at the firewall
- Reset account passwords per incident response procedures
- Post Incident Activity:
- Root cause analysis
- Develop hardening measures for security gaps
- Generate new analytics correlations/hunting rules
- Update firewall policies and IDS signatures
- Provide comprehensive report to management
The goal is rapid detection, containment, and in-depth analysis of malicious network activity leveraging automation and human expertise. Adjust response steps as needed based on business needs and IT environment.
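Playbooks 3 and 4 share their detection logic, so one added example serves both (this is not code from the original post). It runs the triggers listed above over constructed firewall flow records; the threat-intel block list, allowlist, per-host outbound baselines and critical-asset list are assumptions. The response planner applies two guardrails that the manual steps imply: approved destinations never count as evidence (so legitimate traffic is not blocked), and critical assets get an isolation approval request rather than automatic isolation at the switch port.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    action: str        # "allow" or "deny" as logged by the firewall

# Assumed reference data (TEST-NET addresses, not real infrastructure).
TI_BLOCKLIST = {"203.0.113.45"}                 # threat-intel C2 address
ALLOWLIST = {"198.51.100.7"}                    # approved SaaS endpoint
OUTBOUND_BASELINE = {"10.0.0.5": 2_000_000, "10.0.0.9": 500_000, "10.0.0.22": 50_000}
CRITICAL_ASSETS = {"10.0.0.5"}                  # isolation needs human approval
STANDARD_PORTS = {25, 53, 80, 443, 587, 993}
EXFIL_FACTOR = 5          # multiple of baseline that counts as anomalous transfer
SCAN_THRESHOLD = 20       # distinct dst:port pairs from one source
DENY_THRESHOLD = 20       # denied outbound flows from one source

def detect(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each source host to the sorted list of triggers it fired."""
    triggers: dict[str, set[str]] = defaultdict(set)
    out_bytes: dict[str, int] = defaultdict(int)
    targets: dict[str, set[tuple[str, int]]] = defaultdict(set)
    denies: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dst in ALLOWLIST:
            continue                      # approved destination: never evidence
        if f.dst in TI_BLOCKLIST:
            triggers[f.src].add("known_malicious_destination")
        if f.action == "allow" and f.dport not in STANDARD_PORTS:
            triggers[f.src].add("non_standard_port")
        if f.action == "deny":
            denies[f.src] += 1
        out_bytes[f.src] += f.bytes_out
        targets[f.src].add((f.dst, f.dport))
    for src, total in out_bytes.items():
        base = OUTBOUND_BASELINE.get(src)
        if base and total > EXFIL_FACTOR * base:
            triggers[src].add("anomalous_outbound_volume")
    for src, pairs in targets.items():
        if len(pairs) >= SCAN_THRESHOLD:
            triggers[src].add("network_scan")
    for src, n in denies.items():
        if n >= DENY_THRESHOLD:
            triggers[src].add("denied_outbound_spike")
    return {src: sorted(t) for src, t in triggers.items()}

STRONG = {"known_malicious_destination", "anomalous_outbound_volume", "network_scan"}

def respond(triggers: dict[str, list[str]]) -> dict[str, list[str]]:
    """Turn triggers into the automated actions; weak signals only get a watchlist."""
    plan = {}
    for host, fired in triggers.items():
        actions = ["create_ticket", "notify_soc"]
        if STRONG & set(fired):
            if host in CRITICAL_ASSETS:
                actions.append("request_isolation_approval")   # never auto-isolate
            else:
                actions.append("isolate_host_switch_port")
            if "known_malicious_destination" in fired:
                actions.append("block_destination_at_firewall")
            if "anomalous_outbound_volume" in fired:
                actions.append("page_on_call")
        else:
            actions.append("add_to_watchlist")
        plan[host] = actions
    return plan

# Constructed flow records: a C2 beacon, a large transfer from a critical host,
# a port sweep that the firewall denied, and normal traffic to an approved SaaS.
SAMPLE_FLOWS = (
    [Flow("10.0.0.9", "203.0.113.45", 4444, 1_000, "allow") for _ in range(3)]
    + [Flow("10.0.0.5", "198.51.100.200", 443, 6_000_000, "allow") for _ in range(2)]
    + [Flow("10.0.0.22", "10.0.0.30", port, 60, "deny") for port in range(1, 26)]
    + [Flow("10.0.0.11", "198.51.100.7", 443, 900_000, "allow")]
)

if __name__ == "__main__":
    fired = detect(SAMPLE_FLOWS)
    for host, actions in respond(fired).items():
        print(host, fired[host], actions)
```

Note that a non-standard port on its own only lands a host on the watchlist; on most networks that trigger fires constantly, and it is the combination with a threat-intel hit or a volume anomaly that justifies isolation.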
5. Threat Hunting
Finally, we look at threat hunting. SOAR is at heart a framework for accelerating an analyst’s workflow, and a well-built deployment is one analysts are grateful for. Threat hunting can be improved along several avenues:
- Ingest a wide range of alerts and integrate with every tool for which an integration exists.
- Build hunting playbooks and foster a SOAR mindset: let analysts automate their own workflows by building a library of playbooks that handle cross-referencing, correlation and data enrichment to surface anomalous activity.
- Employ threat intelligence: incorporate threat feeds and intelligence into hunting playbooks so analysts can pivot on IOCs and high-risk events.
- Automate repetitive tasks: use the SOAR tool to automate data retrieval, event correlation and list comparisons so analysts can focus on decision making.
- Document discoveries and insights: log all findings, new IOCs and suspicious activity within SOAR to preserve institutional knowledge.
- Iterate on playbooks: continuously improve hunting playbooks based on findings, new data sources and improved techniques. Bring the engineering team closer to the analyst team and build a culture of collaboration.
- Collaborate and centralise: share playbooks, findings and best practices across analyst teams to improve hunting organisation-wide. A SOAR tool gives security teams common ground on which to share and collaborate on workflows and investigations.
- Track effectiveness: set metrics for hunting success such as new detections, time-to-discovery and meaningful findings to gauge impact over time. Use SLAs where possible, ideally on every task or activity.
- Automate recovery: build in response and remediation actions such as killing processes, isolating systems and disabling accounts. These small playbooks let analysts run a quick two-to-five-step activity with one click; destructive actions should still sit behind an approval step.
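An added example of a hunting playbook (not from the original post) that pivots on a seed IOC across constructed DNS, proxy and authentication records, records every pivot as a finding, and reports time-to-discovery as a metric. Log formats, hostnames, users and the seed domain are all constructed. Hosts reached only through lateral authentication are kept as unverified leads and are not pivoted from again; otherwise a single shared file server would drag every workstation into scope.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed records; the tuple layout of each source is given in its comment.
DNS_LOG = [  # (time, client host, query name, answer)
    ("2024-03-01T08:00:00Z", "ws-17", "update.example-bad.invalid", "203.0.113.77"),
    ("2024-03-01T08:05:00Z", "ws-22", "update.example-bad.invalid", "203.0.113.77"),
    ("2024-03-01T08:06:00Z", "ws-03", "cdn.example-good.invalid", "198.51.100.10"),
]
PROXY_LOG = [  # (time, client host, user, destination host, destination ip)
    ("2024-03-01T08:01:00Z", "ws-17", "alice", "update.example-bad.invalid", "203.0.113.77"),
    ("2024-03-01T09:30:00Z", "ws-40", "bob", "203.0.113.77", "203.0.113.77"),   # direct to IP, no DNS
    ("2024-03-01T09:31:00Z", "ws-03", "carol", "cdn.example-good.invalid", "198.51.100.10"),
]
AUTH_LOG = [  # (time, user, source host, target host, result)
    ("2024-03-01T10:00:00Z", "alice", "ws-17", "fs-01", "success"),
    ("2024-03-01T10:01:00Z", "alice", "ws-22", "fs-03", "failure"),
    ("2024-03-01T10:02:00Z", "carol", "ws-03", "fs-02", "success"),
]

@dataclass
class HuntResult:
    domains: set[str]
    ips: set[str] = field(default_factory=set)
    confirmed_hosts: set[str] = field(default_factory=set)   # touched the IOC directly
    leads: set[str] = field(default_factory=set)             # reached by lateral auth; unverified
    users: set[str] = field(default_factory=set)
    findings: list[dict] = field(default_factory=list)       # audit trail of every pivot
    time_to_discovery_hours: float | None = None

    def note(self, kind: str, value: str, source: str, when: str, via: str) -> None:
        self.findings.append({"type": kind, "value": value, "source": source,
                              "time": when, "via": via})

def hunt(seed_domain: str, dns, proxy, auth, hunt_start: str) -> HuntResult:
    r = HuntResult(domains={seed_domain})
    changed = True
    while changed:                         # pivot until no new artefact appears
        changed = False
        for when, host, qname, answer in dns:
            if qname in r.domains:
                if answer not in r.ips:
                    r.ips.add(answer); r.note("ip", answer, "dns", when, qname); changed = True
                if host not in r.confirmed_hosts:
                    r.confirmed_hosts.add(host); r.note("host", host, "dns", when, qname); changed = True
        for when, host, user, dest, dest_ip in proxy:
            if dest in r.domains or dest_ip in r.ips:
                if host not in r.confirmed_hosts:
                    r.confirmed_hosts.add(host); r.note("host", host, "proxy", when, dest); changed = True
                if user not in r.users:
                    r.users.add(user); r.note("user", user, "proxy", when, host); changed = True
        for when, user, src, dst, result in auth:
            # Pivot only from confirmed hosts and record the target as a lead,
            # never as confirmed, so leads do not chain into further leads.
            if (src in r.confirmed_hosts and result == "success"
                    and dst not in r.confirmed_hosts | r.leads):
                r.leads.add(dst); r.note("host", dst, "auth", when, f"{user}@{src}"); changed = True
    if r.findings:
        first = min(_ts(f["time"]) for f in r.findings)
        r.time_to_discovery_hours = (_ts(hunt_start) - first).total_seconds() / 3600
    return r

def run_sample_hunt() -> HuntResult:
    return hunt("update.example-bad.invalid", DNS_LOG, PROXY_LOG, AUTH_LOG, "2024-03-02T09:00:00Z")

if __name__ == "__main__":
    res = run_sample_hunt()
    print(res.ips, res.confirmed_hosts, res.leads, res.users, res.time_to_discovery_hours)
    for f in res.findings:
        print(f)
```

The `findings` list is the artefact to push back into the SOAR case: each entry says what was found, from which data source, at what time and through which pivot, which is exactly the institutional knowledge the "document discoveries" point above asks for. The IP pivot is what catches `ws-40`, which never resolved the domain and would be missed by a DNS-only search.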
Final Thoughts
As cyber security threats continue to evolve, robust SOAR playbooks are essential for any organisation aiming to stay ahead of potential breaches. The five playbooks discussed here (6 to 10) build on the first five and lay a strong foundation for automating and streamlining your incident response processes. By implementing them you not only improve your security posture but also empower your team to respond more quickly and efficiently to the most pressing threats.