
Block Malicious Hashes on Crowdstrike

Abstract


Category: Endpoint, Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Orchestrate

Third-Party Integrations Used:

  • Polyswarm: To enrich malicious MD5 and SHA256 hashes.

  • Crowdstrike Falcon: To analyze and block malicious hashes.

Problem Statement

Security analysts receive advisories from different sources containing IOCs. The IOCs are then sent for correlation and analysis to make the intel actionable and, eventually, to block them. The malicious IOCs include MD5 and SHA256 hash values.

Given the ever-widening range of threats and the time human analysts spend on threat-hunting tasks, automated analysis and response to malicious threats has become essential.

Solution

Intel Exchange and Orchestrate applications work together to help your analysts perform continuous analysis of threat data and take the necessary action to defend against malicious hashes. This section describes how to automate the detection and response workflow for analysts.

[Diagram: Block Malicious Hashes on Crowdstrike workflow]

How do we solve this problem?

The Block Malicious Hashes on Crowdstrike Falcon playbook triggers as part of any threat hunting workflow when analysts want to enrich hashes and automatically block the malicious ones on the Crowdstrike Falcon application.

  1. Retrieve Indicators: The playbook starts by receiving malicious indicators from threat hunting activities.

  2. Filter Hashes: The MD5 and SHA256 hashes are filtered out from other indicator types and sent for enrichment.

  3. Enrichment: The identified hashes are sent to the Polyswarm application for enrichment. You can also use a preferred enrichment tool for hash enrichment.

    1. Filter Hashes: Hashes that are not found in enrichment are filtered out of the list. The playbook then formats the list of hashes that enrichment flagged as malicious and sends it to Crowdstrike Falcon for blocking.

  4. Block Malicious Hashes: The hashes identified as malicious by Polyswarm enrichment are sent to Crowdstrike Falcon for blocking. If a hash is already blocked, its existing entry is updated with the new hash details instead.

  5. Send Email: The playbook now collates the following information about the activity and sends an email to security teams.

    • Newly Blocked: Prepares a list of newly blocked hashes along with their details and adds it to the email.

    • Already Blocked: Prepares a list of hashes that were already blocked along with their details and adds it to the email.

    • Enrichment Failed: Prepares a list of hashes that are not present in Polyswarm along with their details and adds it to the email.
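The five steps above as an added Python sketch; this is not code from the Cyware documentation or its playbook. The `enrich` and `block` callables are assumed stand-ins for the Polyswarm and Crowdstrike Falcon actions, and the hashes are constructed placeholders:

```python
import re

# MD5 is 32 hex chars, SHA256 is 64; other indicator types (domains, IPs) will not match.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$", re.I)

def filter_hashes(indicators):
    """Step 2: keep only MD5/SHA256 values, normalised to lowercase."""
    return [i.strip().lower() for i in indicators if HASH_RE.match(i.strip())]

def run_playbook(indicators, enrich, block):
    """Steps 2-5. `enrich(h)` -> verdict dict, or None if the hash is unknown; `block(h)` -> True
    if newly blocked, False if already listed. Both are assumed stand-ins for the vendor actions."""
    report = {"newly_blocked": [], "already_blocked": [], "enrichment_failed": []}
    for h in filter_hashes(indicators):
        verdict = enrich(h)
        if verdict is None:                # step 3.1: not present in enrichment
            report["enrichment_failed"].append({"hash": h})
            continue
        if not verdict.get("malicious"):   # enriched but not flagged: nothing to block (assumption)
            continue
        bucket = "newly_blocked" if block(h) else "already_blocked"   # step 4
        report[bucket].append({"hash": h, **verdict})
    return report

def format_email(report):
    """Step 5: collate the three lists into the notification body."""
    titles = [("newly_blocked", "Newly Blocked"), ("already_blocked", "Already Blocked"),
              ("enrichment_failed", "Enrichment Failed")]
    lines = []
    for key, title in titles:
        lines.append(f"{title} ({len(report[key])})")
        lines.extend(f"  {e['hash']} detections={e.get('detections', 'n/a')}" for e in report[key])
    return "\n".join(lines)

# Constructed demo data: placeholder hashes, not real indicators.
MAL_MD5, MAL_SHA256, UNKNOWN_MD5 = "a" * 32, "b" * 64, "c" * 32
ENRICHMENT = {MAL_MD5: {"malicious": True, "detections": 12},
              MAL_SHA256: {"malicious": True, "detections": 9}}

def run_demo():
    block_list = {MAL_SHA256}              # already blocked before this run
    def block(h):
        already = h in block_list
        block_list.add(h)
        return not already
    indicators = [MAL_MD5, MAL_SHA256.upper(), UNKNOWN_MD5, "evil.example", "203.0.113.7"]
    return run_playbook(indicators, ENRICHMENT.get, block)

if __name__ == "__main__":
    print(format_email(run_demo()))
```

Running the demo sorts the MD5 into Newly Blocked, the SHA256 into Already Blocked and the unknown hash into Enrichment Failed, while the domain and IP never reach enrichment.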

Benefits

Accelerated Incident Response

Cyberattacks can cause severe damage to an organization's data and intellectual property. An automated playbook therefore plays an important role in countering the threat at machine speed rather than relying on slower, manual processes.

Reduced MTTD and MTTR

The solution helps organizations to reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating security alerts within minutes.