
AUTOMATED THREAT HUNTING

WITH DEMISTO PLAYBOOK


REDUCE ENTERPRISE RISK BY
AUTOMATING THREAT HUNTING
Table of Contents

Introduction
Automated Threat Hunting Playbook
Automated Threat Hunting Playbook – Step by Step
   Step 1: Retrieving the IOCs
   Step 2: Has anything been communicating with the C&C IP Addresses?
   Steps 3 and 4: Interrogating Endpoints
   Step 5: Retrieve malicious file for further analysis
   Steps 6 and 7: Incident Confirmation & Wiping the Endpoint in Case It’s Confirmed
   Step 8: Deployment of Some Preventive Measures
Summary
About Demisto

Demisto | Automating Threat Hunting Playbook © 2017 Demisto, Inc. 1


Introduction
When it comes to incident response, it is a race against the clock. The more time an attacker
spends inside your network, the bigger the damage to your business can be. The best way to
isolate and eradicate threats before it is too late is a combination of automation and proactive
threat hunting. This paper gives an overview of how an intelligent automation platform can
detect and contain malicious activity in your organisation, sometimes long before you would
otherwise learn that you are under attack.

To minimise further damage to your information assets, a timely response to the intrusion is
paramount. Although Security Operations Center (SOC) analysts and incident responders can
achieve high efficiency with experience, their time-to-respond and time-to-resolution can
always be improved with an automated workflow. A pre-programmed playbook is available 24/7
and never tires of handling incidents.

Automation can also alleviate the shortage of security professionals. The hiring challenges are
well-known to many hiring managers out there. Automation technologies help fill the talent gap
by getting more things done with the existing human resources and freeing your analysts to
think more and waste less time on menial and repetitive tasks.

Automated Threat Hunting Playbook

Demisto is an automation platform that helps SOCs and incident response teams get things
done. It allows analysts to scale their time and effort during incident investigation stages while
sharing knowledge and working collaboratively for faster resolution.

In the following example, we will build a playbook in Demisto to identify and block
malicious activity in a proactive and semi-automated manner. The goal is to identify each
compromised endpoint in the infrastructure and to prevent further systems from being affected.

Our incident response workflow for this playbook is the following:

1. Retrieve Indicators of Compromise (IOC)
2. Look up IP address IOC in the packet capture from network tools
3. Interrogate endpoints for the presence of malicious files
4. Interrogate endpoints for the presence of network connections to malicious sites
5. Retrieve malicious files for further analysis
6. Alert SOC analysts when a threat is found to confirm incident
7. Incident remediation
8. Deployment of preventive measures

Automated Threat Hunting Playbook – Step by Step

Step 1: Retrieving the IOCs

Indicators of Compromise (IOCs) received from Threat Intelligence sources give you immediate
awareness of a threat in your infrastructure: a single observed IOC in the IT environment is
enough to trigger an investigation.
The very first step is retrieving new IOCs from an external source. Demisto can retrieve
threat data from external Threat Intelligence (TI) feeds. In our case, the playbook acquires a
CSV file from a free TI service and extracts the IOCs from the public feed. Because public
feeds occasionally contain malformed entries or internal addresses, the extracted indicators
should be validated before they are used for hunting.
Our CSV contains two types of IOCs:
- File hashes in MD5 and SHA1 formats
- IP addresses known to host command-and-control (C2) servers

Both indicator types are associated with malware activity, which makes them ideal candidates
for hunting across our infrastructure.

Step 2: Has anything been communicating with the C&C IP Addresses?

Once the IP addresses are unpacked from the CSV file, we check whether any endpoint has been
communicating with them. Compromised endpoints typically establish covert channels to C2
servers, for example to exchange ransomware encryption keys or to exfiltrate sensitive data.
Because Demisto Enterprise integrates with a wide variety of security tools out of the box, we
can, as an example, easily configure the playbook to connect to the ProtectWise platform. This
tool captures and stores raw network packets and indexes them for threat hunting and ad-hoc
searches.



We use our playbook to search for any network communication between endpoints on the
internal network and the IP address IOCs. If there is a hit in ProtectWise, an analyst is
notified, as at least one endpoint is likely compromised.

Steps 3 and 4: Interrogating Endpoints

If the IOC is a file hash, we should confirm whether that file has already been seen in our
environment. If it is present, we need to act quickly to block its execution and/or delete the
file. We can use Demisto’s integration with Carbon Black to search for the file.
Demisto can query a broad range of Endpoint Detection and Response (EDR) platforms,
including CrowdStrike Falcon Host and Carbon Black Enterprise Response. Our playbook runs
both the file hash and the IP address IOCs through both platforms. Hunting the two indicator
types together matters: a hash identifies only the exact sample, and a repacked variant of the
same malware would still show up through its connections to the C2 server.
If CrowdStrike or Carbon Black identifies a file with the given hash or any network connection
to the given IP address, the system in question has probably been compromised. The preferred
remediation action varies from organisation to organisation. While the endpoint should be taken
offline immediately in high-risk environments, follow-up steps such as re-imaging the endpoint
can also be defined in the playbook.
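
The hunting logic of steps 1 to 4 in one runnable piece, as an added example that is not Demisto, ProtectWise or Carbon Black code. It parses a constructed CSV feed, validates and normalises the indicators, and matches them against constructed network-flow records (standing in for a packet-capture index) and a constructed endpoint file inventory (standing in for an EDR query). The feed columns, the flow and inventory record formats and the `NEVER_HUNT` range list are assumptions; the two hashes are those of the harmless EICAR test file.

```python
"""Hunt a CSV threat-intelligence feed against network-flow and endpoint-file
records (steps 1 to 4).  Added example, not Demisto or ProtectWise code: the
feed layout, the flow-record format and the endpoint-inventory format are
assumptions, and every record below is constructed sample data."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed.  Real feeds differ in column layout, so the
# classifier keys on the shape of the indicator, not on the "type" column.
FEED_CSV = """indicator,type,comment
44d88612fea8a8f36de82e1278abb02f,md5,EICAR test file
3395856CE81F2B7382DEE72602F798B642F14140,sha1,EICAR test file (upper case)
203.0.113.45,ip,C2 beacon
198.51.100.7,ip,C2 beacon
10.0.0.5,ip,internal address that slipped into the feed
not-an-indicator,?,garbage row
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Ranges that must never be hunted (or later blocked) as "C2": a hit on them
# would flag every internal host.  Kept as an explicit list rather than using
# ipaddress.is_private, because Python also classes the RFC 5737 documentation
# ranges used for the sample C2 addresses above as private.
NEVER_HUNT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def classify(raw):
    """Return ("md5" | "sha1" | "ip", normalised value), or None for junk."""
    value = raw.strip().lower()
    if MD5_RE.match(value):
        return "md5", value
    if SHA1_RE.match(value):
        return "sha1", value
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if any(ip in net for net in NEVER_HUNT):
        return None
    return "ip", str(ip)


def parse_feed(text):
    """Extract validated IOCs from CSV text, grouped by indicator type."""
    iocs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        typed = classify(row.get("indicator") or "")
        if typed:
            iocs[typed[0]].add(typed[1])
    return iocs


# Constructed records standing in for what a packet-capture index (step 2)
# and an EDR file inventory (steps 3 and 4) would return.
FLOWS = [
    {"src": "10.0.0.23", "dst": "203.0.113.45", "dport": 443},
    {"src": "10.0.0.23", "dst": "192.0.2.80", "dport": 443},
    {"src": "10.0.0.41", "dst": "198.51.100.7", "dport": 8080},
]
ENDPOINT_FILES = [
    {"host": "ws-023", "ip": "10.0.0.23", "path": r"C:\Users\a\update.exe",
     "md5": "44D88612FEA8A8F36DE82E1278ABB02F"},   # EDRs often report upper case
    {"host": "ws-017", "ip": "10.0.0.17", "path": r"C:\Windows\notepad.exe",
     "sha1": "0000000000000000000000000000000000000000"},
]


def hunt(iocs, flows, endpoint_files):
    """Return {endpoint_ip: [finding, ...]} for every IOC match."""
    findings = defaultdict(list)
    for f in flows:
        # Attribute the hit to the internal side of the conversation.
        if f["dst"] in iocs["ip"]:
            findings[f["src"]].append(f"network: {f['src']} -> C2 {f['dst']}:{f['dport']}")
        elif f["src"] in iocs["ip"]:
            findings[f["dst"]].append(f"network: C2 {f['src']} -> {f['dst']}:{f['dport']}")
    for e in endpoint_files:
        for algo in ("md5", "sha1"):
            digest = (e.get(algo) or "").lower()   # compare case-insensitively
            if digest and digest in iocs[algo]:
                findings[e["ip"]].append(f"file: {e['host']} {e['path']} matches {algo} IOC")
    return dict(findings)


if __name__ == "__main__":
    for endpoint, hits in sorted(hunt(parse_feed(FEED_CSV), FLOWS, ENDPOINT_FILES).items()):
        print(endpoint, hits)
```

Two details carry most of the value: hashes are lower-cased on both sides before comparison, because feeds and EDR inventories disagree on case, and feed entries inside internal or reserved ranges are dropped at parse time rather than discovered as a flood of false hits later.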

Step 5: Retrieve malicious file for further analysis

If the presence of the file or hash is confirmed by one of the endpoint tools above, the file
should be fetched for deeper analysis. It can be retrieved through the Carbon Black integration
or through other endpoint tools. Once retrieved, the sample should be analysed with malware
sandboxing tools such as FireEye AX, Palo Alto Networks WildFire or others. The retrieved
sample is live malware: it should be stored and transferred in a form that cannot be executed
by accident, for example in a password-protected archive, until it reaches the sandbox.

Steps 6 and 7: Incident Confirmation & Wiping the Endpoint in Case It’s Confirmed

Once the automation platform retrieves and attaches the suspicious files and packet captures
(step #5), the incident is ready to be verified by an incident analyst.

There can be several reasons why an incident needs human interaction. No matter what the
source of the IOCs is, false positives happen from time to time. Also, non-automatable tasks
may need to be carried out, such as reverse-engineering of the binary file.

We configure our playbook to alert a SOC analyst on Slack and to send a text message through
Twilio as a second channel.



As all related files and information have been collected automatically, the analyst can start
analysing them as soon as possible without wasting any precious time. The less time spent on
manual (and menial) tasks, the shorter the time-to-resolution becomes.

If the analyst confirms that the endpoint is genuinely compromised, the PC should be wiped and
reinstalled from clean media. Any evidence still needed for the investigation (the retrieved
sample, the packet captures and, where required, a disk or memory image) must be preserved
before the wipe, because it cannot be recovered afterwards.

Step 8: Deployment of Some Preventive Measures

To stop the threat from spreading to further endpoints, the IOCs should be deployed to
preventive security controls at key points in the infrastructure. Once our analyst confirms that
the incident is a true positive, the playbook can deploy pre-configured preventive measures to
prevent further incidents.

The firewall integration (with vendors such as Check Point, Palo Alto Networks and others)
allows Demisto to implement firewall rules that block traffic to the command-and-control (C2)
server. Firstly, this can stop sensitive files from leaving the corporate network. Secondly, the
rules may prevent ransomware from encrypting files, because the endpoints will no longer be able
to exchange encryption keys with the remote C2 server; this is a mitigation rather than a
guarantee, since some ransomware families can encrypt without ever contacting a C2 server.

Another security control to which we can push IOCs is Carbon Black. The platform is not just
an EDR but also an application blacklisting and whitelisting tool. We instruct the playbook to
push the IOC file hashes to Carbon Black Protection, and the Carbon Black agent then blocks the
endpoints from executing the blacklisted files.
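
The decision logic behind step 8, as an added example that is not Demisto, Check Point, Palo Alto Networks or Carbon Black code: it turns an analyst-confirmed incident into the entries to push to the firewall and to application control, refuses unconfirmed incidents, skips entries that are already deployed, and gives IP blocks an expiry because C2 addresses get recycled while a hash identifies one specific sample. The incident record, the `BlockEntry` shape, the routing table and the 30-day TTL are assumptions; nothing here talks to a real control, and the sample data is constructed.

```python
"""Turn an analyst-confirmed incident into preventive-control entries (step 8).
Added example, not Demisto code: the incident record, the BlockEntry shape and
the expiry policy are assumptions; nothing here talks to a real firewall or to
Carbon Black Protection."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Which control receives which indicator type (assumed mapping).
ROUTING = {"ip": "firewall", "md5": "app_control", "sha1": "app_control"}


@dataclass(frozen=True)
class BlockEntry:
    control: str                     # "firewall" or "app_control"
    kind: str                        # "ip", "md5" or "sha1"
    value: str
    incident_id: str
    expires_at: Optional[datetime]   # None means no expiry


def plan_blocks(incident, existing, now, ip_ttl=timedelta(days=30)):
    """Return the new BlockEntry objects to push for a confirmed incident.

    Gate: unconfirmed incidents never reach preventive controls, because step 8
    runs only after the analyst's true-positive decision in step 6.  IP blocks
    get a TTL (C2 addresses are recycled); hashes are kept indefinitely.  Entries
    already deployed and not yet expired are not pushed twice.
    """
    if incident.get("status") != "confirmed":
        raise PermissionError(
            f"incident {incident.get('id')} is {incident.get('status')!r}, not confirmed")
    deployed = {(e.control, e.kind, e.value) for e in existing
                if e.expires_at is None or e.expires_at > now}
    planned = []
    for kind, value in incident["iocs"]:
        control = ROUTING.get(kind)
        if control is None:
            continue                    # e.g. a domain IOC with no matching control here
        value = value.lower()
        if (control, kind, value) in deployed:
            continue
        expires = now + ip_ttl if kind == "ip" else None
        planned.append(BlockEntry(control, kind, value, incident["id"], expires))
        deployed.add((control, kind, value))
    return planned


def expired_blocks(existing, now):
    """Entries whose TTL has elapsed and that should be removed from the control."""
    return [e for e in existing if e.expires_at is not None and e.expires_at <= now]


# Constructed sample data.
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
ALREADY_DEPLOYED = [
    BlockEntry("firewall", "ip", "198.51.100.7", "INC-0001", NOW + timedelta(days=10)),
    BlockEntry("firewall", "ip", "192.0.2.80", "INC-0001", NOW - timedelta(days=1)),
    BlockEntry("app_control", "md5", "44d88612fea8a8f36de82e1278abb02f", "INC-0001", None),
]
CONFIRMED = {
    "id": "INC-0002", "status": "confirmed",
    "iocs": [("ip", "203.0.113.45"), ("ip", "198.51.100.7"),
             ("md5", "44D88612FEA8A8F36DE82E1278ABB02F"),
             ("sha1", "3395856ce81f2b7382dee72602f798b642f14140"),
             ("domain", "example.invalid")],
}
UNCONFIRMED = {"id": "INC-0003", "status": "pending", "iocs": [("ip", "203.0.113.9")]}

if __name__ == "__main__":
    for entry in plan_blocks(CONFIRMED, ALREADY_DEPLOYED, NOW):
        print("push  ", entry)
    for entry in expired_blocks(ALREADY_DEPLOYED, NOW):
        print("remove", entry)
```

The playbook task that follows would hand the planned entries to the firewall and application-control integrations and the expired ones to the corresponding removal calls; keeping the expiry in the plan, rather than only in the firewall, is what lets a later incident that re-confirms the same address refresh the block instead of silently inheriting a stale one.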

Summary
Successful incident response programs have one thing in common: short incident resolution
time. The sooner the threat is eliminated, the better the chance of keeping the information
assets safe and secure.

Automation helps incident responders and SOC analysts identify, confirm and contain threats
throughout the full lifecycle of any incident. Demisto Enterprise is an intelligent automation and
ChatOps platform that can automate menial and repetitive tasks as well as allow analysts to
focus on high-value activities. Its playbooks can integrate with dozens of popular tools used by
incident responders around the world.

In this playbook example, we took a new list of IOCs from an external source and scanned the
infrastructure for their presence. IP address and file hash IOCs were used to interrogate
endpoints and to search raw network packets for suspicious activity. Where a threat was
identified, the playbook pulled the relevant files for further analysis by an incident
responder. Once the analyst had confirmed the incident, the remediation steps required no
further human interaction: firewall rules and file blacklists were deployed by the Demisto
integrations automatically.




About Demisto
Demisto is an incident response platform that combines security orchestration, automation, and
decision support for managing all alerts. Demisto uses an innovative chat-bot (named Dbot)
that works with analysts to automate key security tasks, track incident response processes, and
enable real-time collaboration throughout the organization to optimally execute security
playbooks.
By using Demisto, companies can get the most out of every security product in their arsenal,
including SIEM, endpoint and network security, and malware analysis. The breadth of product
integrations provides a competitive advantage over attackers while improving analyst
efficiency.
