SIRP = (SOAR + SOC + MDR)
Co-Author: Adair Collins
In our prior articles, we have covered on maldocs, sandbox model, security stack and others, but we found the need to talk about the evolving SIRP domain. Security Incident Response Platforms (SIRP) is the combination of Intelligence, Orchestration, Automation and Response. This also includes risk, incidents and vulnerability management data being fed back into the loop that was described in our security stack article. In this article, we will go over SIRP, how to integrate multiple open-source resources and what is an ideal response piece that should be performed by any of the above.
TheHive Project - Capabilities & Integrations
A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
TheHive is an open-source project that enables SIRP to the fullest capabilities, by combining intelligence / threat feeds (Hippocampe), powerful observable analysis and active response engine (combining automation, enrichment, analysis and response through Cortex), create cases (TheHive4Py) and more.
Hippocampe
Hippocampe is a threat feed aggregator. It gives your organization a threat feed ' memory' and lets you query it easily through a REST API or from a Web UI.
This is the neural network of TheHive project which enables bringing in the intelligence feed gathered from various sources such as abuse.ch, DShield, PhishTank and more.
We can aggregate the threats based on the hipposcore, which is a scoring system that hippocampe allows analysts to use to score the sources of intelligence. This is to establish the context behind the source and determine the validity of the threat.
Cortex
Problem Statement: how to analyze observables they have collected, at scale, by querying a single tool instead of several?
Cortex is the TheHive project's Security Orchestration, Automation & Response (SOAR) technology implementation. Two of the core components are, the Analyzers and the Responders.
Analyzer is the way to integrate with various sources such as MISP, DomainTools, VirusTotal, PassiveTotal and others, for our IR component to be enriched with the various TTPs that we have obtained from IOCs and Incidents. Responder on the other hand, would help the analysts to automatically respond to an incident. Responders currently have lesser integrations than the Analyzers, although it is a work in progress. With community support, Cortex can turn into the a complete SOAR platform.
Integration into Host: EDR
There are several best-in-the-market commercial and open-source EDRs, although the problem that we have defined in our prior blog post on security stack has made it evident that the integration between the NSM and EDR is the key. Let us consider the following network response,
SIRP is what integrates NSM and EDR, with good response methodologies being followed. Network-level response would be to block domains, IPs, URLs or other parameters, based on IOCs gathered from intelligence sources, threats identified in the network and more.
In the host-level response, we would have to consider the registry keys, file-hash, network connections, running processes and services, file carving, quarantine, auto-runs, application certificates and their associated attributes as listed below:
Please note that the EDR capabilities may vary based on Operating Systems, Networks, Applications and Usage, and the artifacts and IOCs vary accordingly. When EDR and host-level security is involved, SIRP can perform even better with the file-carving, processes, registries, memory dump and forensics that can pull more granular information on the PE/EXE that ran with a specific PID/PPID, enabled a function, module or DLL or created/edited a registry key. The most powerful functionality in such a case, would be the carving of the malware itself from the memory, along with its drivers that it was linked to at the time of execution but it was either in the cache, page table or the file-system itself.
Facebook osquery, Netflix diffy, PowerShell Mafia CimSweep, and many others out there, integrate well and enables response to the most granular levels from gathering a file to querying WMI, Registry, command-line history, PowerShell, Windows Event Logs, Yara, and more. These methods of detecting and preventing attacks at the host-level makes response most effective to detect malware while compromising hosts/systems or spreading further. This is what we would want to achieve with any of the SIRP-based implementations, from network to host. If we expand Cortex or theHive project by integrating it with these tools and others, they will have the capability to integrate host-based intelligence along with the network-based IOCs, risk and vulnerability metrics of these hosts defining what these hosts really have, and bringing the complete scope of the resources within the network, ideally transforming it into a full-fledged SIRP implementation.
Kindly, share your comments on what you think about the article, or your personal observations and experiences. We value your opinion!
“A smart man makes a mistake, learns from it, and never makes that mistake again. But a wise man finds a smart man and learns from him how to avoid the mistake altogether.” ― Roy H. Williams
Disclaimer: Please note that these posts and what is described in them are for educational purposes only. Opinions expressed are solely my own and do not express the views or opinions of my employer.