What makes a good playbook

Posted on by Andy S

I’ve asked myself this many times, when is a automation a good solution? When is it not?

Let’s look analyse how an analyst might perform a Phishing query:

  • Copy paste the email into a new ticket
  • Inform the end user their request was acknowledged
  • Extract the URLs, copy paste them into Threat Intel platforms
  • Extract the IPs, copy paste them into Threat Intel Platforms
  • Get the file hash, copy paste them into Threat Intel Platforms
  • Copy the file, upload to a sandbox, paste results back into the ticket
  • Check if the URL in the email was similar to your corporate domain
  • If not malicious, email the end user and close the ticket
  • If malicious then we do more….
  • Email the end user saying “yes”, update the ticket
  • Update severity to “high”
  • Query SIEM, query other mailboxes for known IOC

Let’s analyse the workflow:

  • Most of this is simply copy pasting
  • The data structure is always the same
  • The process is always the same (and it’s extremely repetitive and boring!)
  • Analyst is logged on and is interacting with half a dozen different interfaces (leads to eye fatigue)
  • All the involved solutions (ticket systems, threat intel, SIEM, mail… ) all have APIs.

Let’s now analyse a potential workflow for insider data theft:

  • Analyse evidence to identify the Threat Actor
  • Identify scope of breach across network
  • Attempt to identify the intent
  • Inform the relevant parties (HR, Legal, etc), maybe include the Law
  • When appropriate, lock the user out of the appropriate system
  • Analyse potential losses, whether that’s IP theft, PII theft, financial, reputational and act accordingly
  • etc

Let’s analyse the workflow:

  • This is a process that happens infrequently (hopefully)
  • Whilst this process is standardised at a conceptual level, which can be represented in a playbook for process definition…
  • …every run through will be completely different
  • You will often interact with different data, in different systems
  • Original notifications to teams will be the same, but every communication will be completely unique
  • Humans don’t have API
  • Intent, reputation and loss need dedicated human input to determine.

To be clear, there is a great value in formally mapping this second scenario to a playbook, but I wouldn’t call it a primary use case for SOAR.

Summary

So what tasks are no-brainers for a SOAR platform? I believe it’s a process that…

  • …is always the ~same
  • …has many steps
  • …takes time to do
  • …is boring!
  • …can access/utilise API

I originally listed “…works across multiple platforms”, and whilst that’s fascinating to see in motion, I’ve taken it out because even SOAR enriching and empowering a single isolated technology can be a great solution for the right usecase.

Andy