Automate Threat Response in CFTR using Playbooks

Category: Cyware Product

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate

Problem Statement

Threats can take many forms, such as malware infections, compromised-credential attacks, or ransomware used to gain unauthorized access to data. Threat response involves standardizing and implementing a set of processes, policies, and procedures used to triage and respond to these security threats. Having a standard response plan in place helps security analysts respond faster and more effectively to threats and reduces risk exposure.

Solution

Security teams can use playbooks to automatically perform tasks while responding to threats. Playbooks can be triggered either when an incident is created or when you run them manually as part of an investigation. When triggered as part of incident creation, the playbooks will run based on the configured incident type. Analysts can also manually run playbooks that are relevant to the investigation and response.

This use case document describes the different use cases for running playbooks from the Cyware Fusion and Threat Response (CFTR) platform while responding to incidents.

How to Trigger a Playbook from an Incident

To learn more about how to configure the Orchestrate integration in CFTR and run playbooks from CFTR incidents, see Run Playbooks.

The following video shows the procedure to integrate Orchestrate and CFTR and run the Incident Analysis playbook from CFTR.

Use Cases to Run Playbooks from CFTR Incidents

This section describes commonly applied use cases for running playbooks from CFTR incidents.

Quarantine Affected Host

Analysts can trigger a playbook to quarantine a host system in the organization’s network if the system is identified as infected. For example, while responding to a phishing incident, the affected host systems must be quarantined to prevent the attack from spreading to other host systems.

Remove Malicious File from Affected Host

Analysts can remove a malicious file from a host system in the organization’s network. For example, an internal user has clicked on a phishing URL and downloaded a malware file to their computer. While responding to this incident, the analyst can remove the malicious file by running a playbook from the incident. The playbook uses an endpoint management solution to perform this action.

Add an IOC to the Allowed List

IOCs identified as non-malicious after investigation can be added to an allowed list. This lets threat intel teams ignore the allowed-listed IOCs when performing threat intel analysis. The playbook uses a threat intelligence platform integration to add the IOCs to the allowed list.

Block an Email Address

Email addresses identified as malicious during the incident investigation can be directly blocked on the email gateway using a playbook. This blocks all incoming emails from the malicious email address. The playbook utilizes an email gateway solution such as Mimecast to perform this action.

Block a Domain

Domains identified as malicious during the incident investigation can be directly blocked on the firewall using a playbook. This blocks internal users from accessing the malicious domains. The playbook uses a firewall solution such as Azure Firewall to perform this action.

Perform Indicator Enrichment

With the threat intelligence enrichment playbook, indicators are automatically enriched with additional details and context to improve incident investigation in CFTR. The playbook can be triggered for any indicator of compromise (IOC) observed during an incident investigation. It uses SIEM and endpoint solutions to perform internal enrichment and a threat intelligence platform to perform external enrichment from a variety of feed sources.

Benefits

Faster Response Time

Analysts can perform response actions such as blocking malicious emails, isolating infected endpoints, and more from the incident details page using playbooks. Thus, playbooks play an important role in countering threats at machine speed instead of relying on slower, manual processes.

Improved Threat Intelligence

Playbooks allow analysts to automatically perform indicator enrichment when investigating or responding to an incident. This takes the burden off SOC analysts and provides immediately actionable information for incident response teams.

Simplify Security Governance

Automated playbooks simplify governance for security teams, allowing them to carry out the threat response process with limited resources.