Would like to automate more stuff


#1

What are some things you guys have automated with scripts in your security operations?

I have Nessus running scheduled scans, and when the email is sent saying the scan is complete, it will run a script to parse the scan results and create issues in JIRA.

I want to learn to automate more stuff. I’d love to hear what you guys are doing.

Thanks!


#2

I’ve recently learned of an automated security use case, and while I’m fuzzy on the details, I think that it’s worth sharing:

  1. HR sends an e-mail to an inbox monitored by the SOC, notifying it of an employee who has given notice of voluntary termination in 3 weeks (I’m guessing that this is how the process begins)
  2. The SOC’s automation suite reacts to this email by querying Active Directory to find the entry for the person who has given notice
  3. Once the person’s network identification returns from AD, the automation suite creates a new record (via HTTP POST) in a SIEM that does User Behavior Analytics to increase monitoring of the soon-to-depart person, in an effort to prevent him/her from leaking privileged data during the final days of employment (I’m making a guess at the purpose of this last step, but it’s my best guess at this time)

It seems as though there are a vast number of important but repetitive tasks out there to automate for security teams…
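The three steps above, as an added illustration that is not code from the thread or from any particular automation suite: parse the HR notification, resolve the person to exactly one directory entry, and build the record that would be POSTed to the UBA watchlist. The HR mail layout (Employee / Email / Last day lines), the in-memory list standing in for an LDAP query against Active Directory, and the watchlist field names are all assumptions.

```python
import json
import re
import urllib.request
from datetime import date, datetime, timedelta
from email import policy
from email.parser import BytesParser

# Constructed stand-in for Active Directory (assumption: a real implementation
# would run an LDAP search, e.g. on mail or displayName, and return these attributes).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "mail": "jane.doe@example.invalid", "department": "Finance"},
    {"sAMAccountName": "jdoe2", "displayName": "Jane Doe",
     "mail": "jane.doe2@example.invalid", "department": "Sales"},
    {"sAMAccountName": "rroe", "displayName": "Richard Roe",
     "mail": "richard.roe@example.invalid", "department": "Engineering"},
]

# Assumed layout of the HR notification body; the real template is whatever HR sends.
NAME_RE = re.compile(r"^Employee:\s*(?P<name>.+?)\s*$", re.M)
MAIL_RE = re.compile(r"^Email:\s*(?P<mail>\S+@\S+)\s*$", re.M)
LAST_DAY_RE = re.compile(r"^Last day:\s*(?P<day>\d{4}-\d{2}-\d{2})\s*$", re.M)


def parse_hr_notice(raw: bytes) -> dict:
    """Step 1: pull the employee's name, e-mail and last day out of the HR mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    fields = {}
    for key, rx in (("name", NAME_RE), ("mail", MAIL_RE), ("day", LAST_DAY_RE)):
        m = rx.search(body)
        if m is None:
            raise ValueError(f"HR notice is missing the {key!r} field")
        fields[key] = m.group(key)
    fields["last_day"] = datetime.strptime(fields.pop("day"), "%Y-%m-%d").date()
    return fields


def resolve_identity(notice: dict, directory=DIRECTORY) -> dict:
    """Step 2: find exactly one directory entry; mail is authoritative, name is a fallback."""
    hits = [e for e in directory if e["mail"].lower() == notice["mail"].lower()]
    if not hits:
        hits = [e for e in directory if e["displayName"] == notice["name"]]
    if len(hits) != 1:
        # Never guess: a wrong match would put the wrong person under heightened monitoring.
        raise LookupError(f"{len(hits)} directory entries matched {notice['mail']!r}")
    return hits[0]


def build_watchlist_record(notice: dict, identity: dict, today: date, grace_days: int = 7) -> dict:
    """Step 3: the payload for the UBA watchlist (field names are an assumption)."""
    return {
        "user": identity["sAMAccountName"],
        "mail": identity["mail"],
        "department": identity["department"],
        "reason": "voluntary-termination-notice",
        "monitor_from": today.isoformat(),
        # Keep watching a little past the last day: access is sometimes not cut off on time.
        "monitor_until": (notice["last_day"] + timedelta(days=grace_days)).isoformat(),
        "risk_score_boost": 50,
    }


def post_watchlist_record(url: str, record: dict, token: str) -> int:
    """HTTP POST of the record to the SIEM/UBA API; not exercised offline."""
    req = urllib.request.Request(
        url, data=json.dumps(record).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_hr_notice(raw: bytes, today: date, directory=DIRECTORY) -> dict:
    notice = parse_hr_notice(raw)
    identity = resolve_identity(notice, directory)
    return build_watchlist_record(notice, identity, today)


# Constructed sample notification and a fixed "today" so the run is reproducible.
SAMPLE_NOTICE = b"""From: hr@example.invalid
To: soc-intake@example.invalid
Subject: Notice of resignation

Employee: Richard Roe
Email: richard.roe@example.invalid
Last day: 2024-06-21
"""
SAMPLE_TODAY = date(2024, 5, 31)

if __name__ == "__main__":
    print(json.dumps(handle_hr_notice(SAMPLE_NOTICE, SAMPLE_TODAY), indent=2))
```

The one design point worth copying is in `resolve_identity`: the lookup refuses to proceed on zero or several matches instead of picking the first hit, because this automation changes how closely a named person is watched and an ambiguous match should go to a human rather than to the SIEM.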


#3

I like this. I’m going to give this some thought!
I’ll keep you posted.


#4

Here’s another interesting use case successfully automated.

Context:

One firm’s cyber-awareness team sends periodic e-mails, phony phishing messages, to all corporate employees to test their organization’s ability (individual and collective?) to detect malicious e-mails. The cyber-awareness team expects the SOC to provide a summary report of all of the phony messages that conscientious employees forward to the SOC phishing inbox. If I recall correctly, SOC team members were spending up to 20 minutes per message of this type. (SOC analysts had to search for hidden text within each such message to confirm that it was authored by the cyber-awareness team, and then they had to update a spreadsheet with their findings (and perhaps there was one other step that I’m not recalling).)

Implementation:

When any message is ingested from the SOC phishing inbox the automation suite automatically searches for the hidden text, and when confirmation is made, the automation sets appropriate fields in the record representing the ingested message so that it’s included in the report consumed by the cyber-awareness team.

Outcome:

During the first 6 weeks in production there were more than 1000 positively confirmed messages sent to the SOC team’s inbox originating from the cyber-awareness team. Happily, none of these had to be reviewed by a SOC analyst.

ROI:

Assuming an average time of 7 min per phony phishing message when handled manually in former months, the SOC team saved ~7000 min, which is more than 116 hours of effort, for those first 1000 such messages post deployment of the automation.

That’s a win!
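The hidden-text check from the implementation section, as an added example that is not the firm's code or the code of any automation suite: parse the ingested message, look for the marker in every header and in every decoded text body (descending into a forwarded .eml attachment), and set the record fields that route it to the awareness report instead of the analyst queue. The marker string, the header/field names and the sample messages are constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed marker; the real one is whatever the cyber-awareness team hides in its
# messages (typically inside an invisible HTML element).
SIMULATION_MARKER = "AWARENESS-SIM-7F3A"


def iter_text(msg):
    """Yield every header value and every decoded text body (plain or HTML),
    descending into message/rfc822 parts such as a forwarded .eml attachment."""
    for part in msg.walk():
        for _, value in part.items():
            yield "header", str(value)
        if part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable, so a marker inside an
            # encoded HTML body is still found; grepping the raw bytes would miss it.
            yield "body", part.get_content()


def find_marker(msg, marker: str = SIMULATION_MARKER):
    """Return 'header' or 'body' for where the marker was found, else None."""
    for where, text in iter_text(msg):
        if marker in text:
            return where
    return None


def triage_record(raw: bytes) -> dict:
    """Fields set on the record representing the ingested message (names assumed)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    where = find_marker(msg)
    return {
        "subject": str(msg["subject"]),
        "sender": str(msg["from"]),
        "is_awareness_simulation": where is not None,
        "marker_location": where,
        "report_bucket": "awareness-campaign" if where else "triage-queue",
        "needs_analyst_review": where is None,
    }


def _build(subject: str, sender: str, html_body: str) -> bytes:
    """Constructed multipart/alternative sample as it would arrive in the inbox."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = sender
    m["To"] = "phishing@example.invalid"
    m.set_content("Please view this message in an HTML-capable mail client.")
    m.add_alternative(html_body, subtype="html")
    return m.as_bytes()


# Constructed samples: one awareness-team lure with the marker hidden in the HTML,
# one message without it that must still reach an analyst.
SIMULATED_RAW = _build(
    "Your password expires today", "it-support@example.invalid",
    '<html><body><p>Your password expires today. '
    '<a href="http://example.invalid/reset">Reset now</a></p>'
    '<span style="display:none">AWARENESS-SIM-7F3A</span></body></html>')
REAL_RAW = _build(
    "Invoice 4471 overdue", "billing@example.invalid",
    '<html><body><p>Please see the attached invoice and remit payment.</p></body></html>')

if __name__ == "__main__":
    for raw in (SIMULATED_RAW, REAL_RAW):
        print(triage_record(raw))
```

Two practical points: the search runs over decoded content, because an HTML body that arrived base64-encoded would hide the marker from a byte-level grep and push the message back to the 7-minute manual path; and anything without the marker keeps `needs_analyst_review` set, so a defect in the marker itself fails safe toward a human looking at the message.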


#5

Here’s another use case that’s been contemplated by one of my contacts.

He wants to run ssdeep against every candidate phishing message that comes to his attention, if I’m making a sound inference.

I’m not sure if he’ll use the command line version or other alternatives such as the Python wrapper for Windows described here: https://c0d.ist/ssdeep-python-windows-wrapper/. That site describes ssdeep as “an essential tool to many researchers, malware analysts, reverse engineers, etc.”

I’d never heard of it before, and so I searched and found https://en.wikipedia.org/wiki/Locality-sensitive_hashing. I drew an initial conclusion about my contact’s intended purpose for ssdeep based on what I’d read there. But, I’ve found more clarity here: https://ssdeep-project.github.io/ssdeep/. ssdeep computes hashes against byte streams to find “sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length”.

So, ssdeep really can group similar candidate phishing messages together, showing analysts which candidate phishing messages are partially equivalent.

That seems like a very worthwhile phishing analysis automation use case because it can help to identify phishing campaigns.

True?
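An added example showing the grouping the post describes; it is not ssdeep itself nor code from the ssdeep project, but a stripped-down context-triggered piecewise hash in the same style (rolling hash over the last 7 bytes to pick block boundaries, FNV over each block, one base64 character per block), followed by the comparison and a greedy clustering pass. The fixed block size, the use of `difflib` for the edit-distance score and the three sample messages are assumptions; real ssdeep picks the block size from the input length and uses its own scoring.

```python
from difflib import SequenceMatcher

MASK = 0xFFFFFFFF
WINDOW = 7          # rolling-hash window, as in ssdeep
BLOCK_SIZE = 8      # fixed here for short messages; ssdeep derives it from input length
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193


class RollingHash:
    """Hash of the last WINDOW bytes only. It resynchronises WINDOW bytes after any
    edit, so block boundaries line up again after an insertion or deletion; that is
    why a changed link token only disturbs the characters around it."""

    def __init__(self):
        self.win = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c: int) -> int:
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK   # position-weighted sum
        self.h1 = (self.h1 + c - self.win[self.n % WINDOW]) & MASK  # plain sum
        self.win[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK               # shift/xor of recent bytes
        return (self.h1 + self.h2 + self.h3) & MASK


def ctph_signature(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Cut the input wherever the rolling hash hits its trigger value, FNV-hash each
    piece, and keep 6 bits of that hash as one signature character."""
    roll, piece, piece_len, out = RollingHash(), FNV_INIT, 0, []
    for c in data:
        piece = ((piece ^ c) * FNV_PRIME) & MASK
        piece_len += 1
        if roll.update(c) % block_size == block_size - 1:
            out.append(B64[piece & 0x3F])
            piece, piece_len = FNV_INIT, 0
    if piece_len:                      # trailing partial piece
        out.append(B64[piece & 0x3F])
    return "".join(out)


def similarity(sig_a: str, sig_b: str, min_run: int = 7) -> int:
    """0..100. As ssdeep does, signatures sharing no run of min_run characters score 0,
    so chance single-character matches never look like a weak relationship."""
    if not any(sig_a[i:i + min_run] in sig_b for i in range(len(sig_a) - min_run + 1)):
        return 0
    return round(100 * SequenceMatcher(None, sig_a, sig_b).ratio())


def cluster_messages(messages: dict, threshold: int = 50) -> list:
    """Greedy single pass: a message joins the first cluster whose representative
    scores at least `threshold`, otherwise it starts a new cluster (a new campaign)."""
    sigs = {name: ctph_signature(body) for name, body in messages.items()}
    clusters = []
    for name in messages:
        for group in clusters:
            if similarity(sigs[name], sigs[group[0]]) >= threshold:
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed samples: two lures from one template that differ only in the greeting
# and the per-recipient link token, plus an unrelated internal message.
LURE_TEMPLATE = b"""From: "IT Service Desk" <helpdesk@example.invalid>
Subject: Action required: your mailbox is almost full

Dear %s,

Your mailbox has reached 98%% of its storage quota. Incoming messages will be
delayed until you verify your account. Please confirm your details within
24 hours using the secure link below, then delete this notice.

http://example.invalid/verify?token=%s

Thank you,
IT Service Desk
"""
SAMPLE_MESSAGES = {
    "lure-1": LURE_TEMPLATE % (b"user", b"aa11bb22"),
    "lure-2": LURE_TEMPLATE % (b"customer", b"cc33dd44"),
    "lunch": b"""From: Sam <sam@example.invalid>
Subject: Lunch on Thursday

Hi team,

We are ordering from the usual place again on Thursday. Reply with your
choice by Wednesday noon so I can place the order in time, and let me know
if you have any dietary requirements this week.

Thanks,
Sam
""",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:8s} {ctph_signature(body)}")
    print(cluster_messages(SAMPLE_MESSAGES))
```

The answer to the post's question is in the sample: the two lures hash to signatures that differ in a handful of characters around the greeting and the token, so they land in one cluster, while the unrelated message shares no 7-character run and scores 0. That is exactly the "partially equivalent" grouping that surfaces a campaign; the usual caveat is that a short message produces a short signature, which is why ssdeep itself refuses to score inputs that are too small.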