IncMan Use Case: Malicious Outbound Network Traffic
This use case demonstrates how to use IncMan’s integrations and R3 Rapid Response Runbooks to quickly respond to an alert indicating potentially malicious network traffic originating from an internal host, destined for an unknown host on the Internet.
Automatically receive alerts for potentially malicious outbound network traffic from a device such as a web gateway or IDS/IPS, create an Incident and perform automated Notification, Enrichment and Containment tasks assess and mitigate any potential risk to the organization.
Creating an R3 Rapid Response Runbook
The first step in creating an automated response to this type of incident is to create an R3 Rapid Response Runbook which will perform Enrichment, and if necessary, Containment actions as part of the response. We will assume that the alert has provided a minimum of a source IP address and a destination IP address, although the alert will likely contain much more detailed information. In this use case, we will use integrations with Cisco Threatgrid, Hacker Target, McAfee Web Gateway, PostgreSQL and VirusTotal, as well as some of IncMan’s built-in Enrichment functions, to perform Enrichment and Containment actions. The specific integrations used in this use case could easily be replaced with other similar technology already deployed in the organization.
The Runbook begins by performing several basic information gathering Enrichment actions; IP Geolocation, a WHOIS query and a reverse DNS query. In this case, this information is not used as part of the automated decision-making process (although it easily could be). Instead, this information will be automatically saved as part of the Incident and will be available to the security analyst to review at any time.
Following these basic information gathering Enrichment actions, additional Enrichment actions are utilized to query two different threat reputation services. In this case, we have chosen to use both VirusTotal and Cisco Threatgrid, although IncMan also has integrations with several other threat reputation and intelligence services, such as Recorded Future and Threat Connect. Following each of these two queries, an automated decision point is reached. These automated decision points will examine the information returned by each threat reputation service and determine if the results meet a certain user-defined threshold. This user-defined threshold could be based on any of the information returned by each service, such as the overall threat score or the number o records returned.
If neither threat reputation service returns information which meets or exceeds the user-defined thresholds, no further automated actions will be taken and the information will be saved as part of the Incident and will be available to the security analyst to review at any time.
If either threat reputation service returns information which meets or exceeds the user-defined thresholds, the Runbook will continue by performing a query of the IT asset inventory using a PostgreSQL Enrichment action. Like the previous basic information gathering Enrichment actions, this information will not be used directly for automated decision making; however, it will also be available to the security analyst to review as part of the Incident record.
The final Enrichment action utilizes the same PostgreSQL integration, this time to query a database of known-good, or whitelisted hosts to see if the external destination IP address matches a known-good host. This assumes that the organization has pre-populated the table with the IP addresses, hostnames and other information regarding hosts which are known to be non-malicious or should not be blocked for one reason or another.
Following this final Enrichment action, another automated decision point is reached. This decision point will determine if the query of the known-good host database yielded any results. If the external destination IP address matches a known-good host, the runbook will conclude without further actions. If no matches were found, a special type of decision point will be reached; a User Choice decision. A User Choice decision will temporarily halt the automatic execution of the Runbook and will prompt the security analyst to make a manual decision. In this case, the security analyst is prompted with the question “Would you like to block the destination IP address?” While the Runbook is temporarily paused, the security analyst has the opportunity to examine the results of all the previous Enrichment actions as part of the manual decision-making process. This step is entirely optional, however, adds an additional layer of assurance that the blocking the destination IP address will not result in adverse consequences. Once the security analyst makes a decision and selects the appropriate option, the automated execution of the Runbook will continue.
If the security analyst determines that the destination IP address should not be blocked, the Runbook will conclude without further action. If the security analyst determines that the destination IP address should be blocked, a Containment action will utilize IncMan’s integration with McAfee Web Gateway to block the address. Following this Containment action, the Runbook will conclude.
Utilizing the R3 Rapid Response Runbook
Once the new Runbook is created, IncMan must be told how and when to automate the use of this Runbook. This is achieved by creating an Incident Template, which will be used any time an incident is generated for potentially malicious outbound network traffic. Through this incident template, critical pieces of information such as Type, Summary, Category can be automatically applied to the newly created incident.
From the Runbook tab of the Incident Template wizard, the previously created Malicious Outbound Traffic Runbook is selected and set to autorun. Each time this template is used to generate an incident, the appropriate information such as the source and destination IP addresses will be used as inputs to the Runbook and the Runbook will be automatically executed.
In this use case, an alert received from a simulated web gateway is used to initiate automatic incident creation within IncMan. However, a SIEM integration or email could also be utilized to achieve the same outcome. A new syslog Incoming Event Automation rule is added and the defined action is to generate a new incident from the previously created Malicious Outbound Traffic Incident Template.
Solution in Action
When a syslog message matching the criteria pre-defined for the detection of malicious outbound network traffic, IncMan will automatically generate a new incident based on the Malicious Outbound Traffic Incident Template.
Without requiring any action on the part of an analyst, the Malicious Outbound Traffic Runbook is automatically initiated, performing the Enrichment actions and pausing at the User Choice decision point. At this point, the security analyst has the opportunity to review all of the information gathered from the previous Enrichment actions, including the information returned from VirusTotal.
In this case, VirusTotal has returned dozens of results matching the destination IP address. Based on this information, the security analyst has determined that blocking the destination IP address is the appropriate action and approves the User Choice decision. At this point, the automation continues and the McAfee Web Gateway Containment action is executed before the Runbook execution concludes.
This entire process, from receipt to containment, has taken place in a matter of minutes, likely before a security analyst would have been able to even manually acknowledge the alert under normal circumstances. IncMan’s automation and orchestration functions automated the initial response and provided the security analyst with all the information necessary to make an informed decision and contain the threat immediately.