Intelligent Security Orchestration and Automation hexadite.com
Let’s Automate.
Let’s create our first “playbook”, an easy one: we’ll get an alert about a file download, we’ll access the endpoint and we’ll remove the file. Easy.
Let’s Automate. (Get the alert)
1. Detection tool sends syslog to my system
2. Regex extracts:
   • File hash
   • Endpoint IP
   • File name
That was easy!
[Diagram: Alerts / Syslog]
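The "regex extracts" step above is where the playbook first touches untrusted input: the hash, IP and file name come straight out of a syslog line and are later pasted into a remote command. The following is an added example, not code from the Hexadite deck; the alert format, the sample lines and the function name ConvertFrom-DownloadAlert are all constructed for illustration. It anchors each field to a strict pattern (64 hex digits for a SHA-256, a valid IPv4 address, a bare file name with no path separators) and rejects anything else rather than guessing, so a crafted file name cannot steer the later Remove-Item at a different path.

```powershell
# Added example (not from the Hexadite deck): extract the three fields the
# playbook needs from a syslog-style alert and validate them before they are
# used in any remote command. The alert format below is hypothetical.

# Constructed sample alerts: two well-formed, one carrying a path-traversal
# file name, one that does not match the expected format at all.
$SampleAlerts = @(
    '<14>Mar 10 09:12:44 edr01 edr: event=FileDownload host=10.1.2.3 hash=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 file=invoice.exe',
    '<14>Mar 10 09:13:01 edr01 edr: event=FileDownload host=10.1.2.77 hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 file=setup_update.msi',
    '<14>Mar 10 09:13:30 edr01 edr: event=FileDownload host=10.1.2.5 hash=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 file=..\..\Windows\System32\cmd.exe',
    '<14>Mar 10 09:14:02 edr01 edr: event=FileDownload host=not-an-ip hash=abc file=x'
)

# Strict, anchored pattern: a SHA-256 is exactly 64 hex digits, the host is a
# dotted-quad IPv4 address, and the file name is a bare name with none of the
# characters Windows forbids in a file name (which also rules out \ and /).
$AlertPattern = '^.*\sevent=FileDownload\shost=(?<ip>\d{1,3}(?:\.\d{1,3}){3})\shash=(?<hash>[0-9a-fA-F]{64})\sfile=(?<file>[^\s\\/:*?"<>|]+)\s*$'

function ConvertFrom-DownloadAlert {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match $AlertPattern) {
            # \d{1,3} alone accepts 999, so check each octet is 0-255.
            $octets = $Matches.ip -split '\.'
            if ($octets | Where-Object { [int]$_ -gt 255 }) {
                Write-Warning "Rejected alert (bad IPv4 octet): $l"
                continue
            }
            [pscustomobject]@{
                EndpointIp = $Matches.ip
                FileHash   = $Matches.hash.ToLower()
                FileName   = $Matches.file
            }
        }
        else {
            # Do not drop silently: a regex miss is the first failure mode of
            # the playbook and should be counted, not ignored.
            Write-Warning "Rejected alert (does not match expected format): $l"
        }
    }
}

$Parsed = ConvertFrom-DownloadAlert -Line $SampleAlerts
$Parsed | Format-Table -AutoSize
```

With the constructed input, the first two lines come back as objects and the last two produce warnings: the traversal file name fails because `\` is outside the allowed character class, and the fourth line fails on both the host and the hash. Counting those rejections is the first number to watch when the playbook is run against past alerts.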
Let’s Automate. (Access the endpoint)
Now let’s access the endpoint.
• Remote WMI calls & PowerShell script
• How do I verify that it works?
• Run the script on a small subset of endpoints first
• What user account should I use?
[Diagram: Alerts / Syslog / Automation Framework]
Let’s Automate. (Credentials and authentication)
• How do I store the credentials?
• TODO: Figure out how to store credentials securely (should be easy)
• What about authentication?
• TODO: Figure out authentication.
Let’s Automate. (Testing)
• Let’s run the script on past alerts.
• It worked 63% of the time. Not bad.
• Some PCs have PowerShell disabled
• Others have an old PowerShell version
• A few network problems, and a few I’m not sure about
Let’s Automate. (Testing #2)
• It worked 71% of the time. Not bad.
• Couldn’t connect to some PCs
  • Firewall issue?
  • Network issue?
• WMI can’t run behind NAT (remote employees): DCOM needs the RPC endpoint mapper plus dynamic high ports
• Access denied (who knows….)
Let’s Automate. (Production)
• Ignore the TODO list for now and run the script
• First alert worked! Yes!!
• Second one failed. Access denied. Need to fix that. (I have it on my TODO)
• Aha, I know why. The file is a running process. Easy.
Let’s Automate.
• How can I find the right process?
• Process image file, and from there the process ID
• Script: get all processes and their image files
• Let’s connect it together……
Let’s Automate. (Production #2)
• It didn’t work. Grrrrrrrr.
• The file had another open handle (from a different process) locking it
• How can I find that with PowerShell?
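The production slides above are one failure mode after another: host unreachable, old PowerShell, access denied, file is a running process, file locked by another handle. The playbook step below is an added example, not Hexadite’s code, showing how to write the remote removal so that each of those outcomes comes back as a distinct, countable result instead of a generic failure. It assumes WinRM is enabled on the endpoint and that the orchestration host runs PowerShell 3 or later; the function name Remove-RemoteFile, the host name and the file path in the usage lines are placeholders. It handles the running-process case the deck solved (match on the resolved image path, then stop it) and reports, rather than retries, the open-handle case the deck got stuck on, because Get-Process does not expose file handles.

```powershell
# Added example (not from the Hexadite deck): one playbook step that removes a
# file from a remote Windows endpoint and reports which failure mode it hit.
# Assumes WinRM is enabled on the endpoint; names and paths are placeholders.

function Remove-RemoteFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $result = [ordered]@{ Computer = $ComputerName; File = $FilePath; Outcome = $null; Detail = $null }

    # 1. Connectivity check first, so a firewall or NAT problem is reported as
    #    'Unreachable' rather than as a generic script failure.
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
    catch { $result.Outcome = 'Unreachable'; $result.Detail = $_.Exception.Message; return [pscustomobject]$result }

    # Plain @{} rather than [ordered] here: this block is parsed on the endpoint,
    # which may still be on PowerShell 2.
    $remote = {
        param($Path)
        $out = @{ Outcome = $null; Detail = $null; Killed = @() }

        # 2. Old hosts: refuse early instead of failing halfway through.
        if ($PSVersionTable.PSVersion.Major -lt 3) {
            $out.Outcome = 'OldPowerShell'; $out.Detail = $PSVersionTable.PSVersion.ToString(); return $out
        }
        if (-not (Test-Path -LiteralPath $Path)) { $out.Outcome = 'AlreadyGone'; return $out }

        # 3. The case the deck hit in production: the file is a running process
        #    image. Match on the resolved path, not the name, so a legitimate
        #    binary with the same name elsewhere is left alone.
        $full = (Resolve-Path -LiteralPath $Path).ProviderPath
        foreach ($p in Get-Process | Where-Object { $_.Path -and $_.Path -eq $full }) {
            try { Stop-Process -Id $p.Id -Force -ErrorAction Stop; $out.Killed += $p.Id }
            catch { $out.Outcome = 'AccessDenied'; $out.Detail = "Stop-Process $($p.Id): $($_.Exception.Message)"; return $out }
        }

        # 4. Delete, mapping the two exceptions the deck saw to distinct outcomes.
        try { Remove-Item -LiteralPath $Path -Force -ErrorAction Stop; $out.Outcome = 'Removed' }
        catch [System.UnauthorizedAccessException] { $out.Outcome = 'AccessDenied'; $out.Detail = $_.Exception.Message }
        catch [System.IO.IOException] {
            # Another process still holds a handle on the file. Get-Process
            # cannot show handles; finding the owner needs Sysinternals
            # handle.exe or the Restart Manager API, so report it here rather
            # than retrying blindly.
            $out.Outcome = 'Locked'; $out.Detail = $_.Exception.Message
        }
        return $out
    }

    try {
        $r = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $remote -ArgumentList $FilePath -ErrorAction Stop
        $result.Outcome = $r.Outcome; $result.Detail = $r.Detail
    }
    catch {
        # WinRM authentication and authorization failures surface here, e.g.
        # the service account is not a local administrator on the endpoint.
        $result.Outcome = 'RemotingFailed'; $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage (placeholders). The credential is prompted for at run time rather than
# embedded in the script; secure storage is a separate problem.
# $cred = Get-Credential -Message 'Remediation service account'
# Remove-RemoteFile -ComputerName 'WS-1234' -FilePath 'C:\Users\alice\Downloads\invoice.exe' -Credential $cred | Format-List
```

Running this over a batch of past alerts and grouping on Outcome gives the breakdown the testing slides were after (63% and 71% worked, but why did the rest fail?), and each bucket maps directly onto a line of the to-do list: Unreachable to the firewall and WinRM items, RemotingFailed and AccessDenied to authentication and permissions, Locked to the file-handle research.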
Back to that to-do list…

What                                                                                     | Time
Figure out how to store credentials securely                                             | 4 days
Figure out authentication                                                                | 2 days
Research how to “fight” processes with file handles                                      | ?
How can I exclude my work (scripts) from the security tools we have in our organization? | ?
Figure out access issues (permission denied…)                                            | ?
Firewall issues – GPO policy?                                                            | 2 days
WMI: can I use WinRM? How do I secure it? (What about Linux and Mac?)                    | ? :-\
Documentation (I need to document the code)                                              | Grrrrrrr
QA and testing                                                                           | What have I missed?