security automation approach: scripting


Upload: lauren-mattos

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Security Automation Approach: Scripting

Intelligent Security Orchestration and Automation hexadite.com

Let’s Automate.

Let’s create our first “playbook”, an easy one: we’ll get an alert about a file download, we’ll access the endpoint and we’ll remove the file. Easy.

Page 2: Security Automation Approach: Scripting


Let’s Automate. (Get the alert)

1. Detection tool sends syslog to my system

2. Regex extracts:
• File Hash
• Endpoint IP
• File Name

That was easy!

[Diagram: Alerts, Syslog]
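The "regex extracts" step of page 2, written out as an added example (not code from the deck or from Hexadite) with the validation gate the slide skips: the syslog layout, sensor name, host addresses and hash values below are constructed for the example and do not follow any particular detection tool's format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog alerts in an assumed key=value layout (no specific
# vendor's format); the last two are deliberately incomplete or malformed.
SAMPLE_ALERTS = [
    '<134>Apr 14 10:02:11 sensor01 dlp: action=download host=10.0.5.23 '
    'file="invoice_2017.exe" sha256=' + 'a' * 64,
    '<134>Apr 14 10:03:40 sensor01 dlp: action=download host=10.0.5.77 '
    'file="report.pdf" md5=' + 'b' * 32,
    '<134>Apr 14 10:04:02 sensor01 dlp: action=download host=10.0.5.90 file="x.zip"',
    '<134>Apr 14 10:05:15 sensor01 dlp: action=download host=10.0.5 '
    'file="y.scr" sha256=' + 'c' * 64,
]

@dataclass
class DownloadAlert:
    endpoint_ip: str
    file_name: str
    file_hash: str
    hash_algo: str

IPV4 = re.compile(r'\bhost=(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?=\s|$)')
FILE = re.compile(r'\bfile="(?P<name>[^"]+)"')
HASH = re.compile(r'\b(?P<algo>md5|sha1|sha256)=(?P<hash>[0-9a-fA-F]+)(?=\s|$)')
HASH_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64}

def parse_alert(line: str) -> Optional[DownloadAlert]:
    """Pull out endpoint IP, file name and hash; None if any field is absent or malformed."""
    ip, name, h = IPV4.search(line), FILE.search(line), HASH.search(line)
    if not (ip and name and h):
        return None
    if any(int(octet) > 255 for octet in ip['ip'].split('.')):
        return None  # dotted like an address but not a valid IPv4 octet set
    if len(h['hash']) != HASH_LEN[h['algo']]:
        return None  # digest length does not match the stated algorithm
    return DownloadAlert(ip['ip'], name['name'], h['hash'].lower(), h['algo'])

def triage(lines):
    """Gate a batch: only fully parsed alerts go on to the endpoint step."""
    actionable, rejected = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            rejected.append(line)
        else:
            actionable.append(alert)
    return actionable, rejected
```

Rejected lines are kept rather than dropped, so the "a few I'm not sure about" cases from the testing slides can be reviewed instead of silently counted as failures.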

Page 3: Security Automation Approach: Scripting


Let’s Automate. (Access the endpoint)

Now let’s access the endpoint.
• Remote WMI calls & PowerShell script
• How do I verify that it works?
• Run it on a small subset, run script
• What user account should I use?

[Diagram: Alerts, Syslog, Automation Framework]

Page 4: Security Automation Approach: Scripting


Let’s Automate. (Credentials and authentication)

• How do I store the credentials?
• TODO: Figure out how to store credentials securely (should be easy)
• What about authentication?
• TODO: Figure out authentication.


Page 5: Security Automation Approach: Scripting


Let’s Automate. (Testing)

• Let’s run the script on past alerts.
• It worked 63% of the time. Not bad.
• Some PCs disabled PowerShell
• Others have an old PowerShell version
• Few network problems, and a few I’m not sure about


Page 6: Security Automation Approach: Scripting


Let’s Automate. (Testing #2)

• It worked 71% of the time. Not bad.
• Couldn’t connect to some PCs
  • Firewall issue?
  • Network issue?
• WMI can’t run behind NAT (remote employees)
• Access denied (who knows….)


Page 7: Security Automation Approach: Scripting


Let’s Automate. (Production)

• Ignore TODO list for now and run the script
• First alert worked! Yes!!
• Second one failed. Access denied. Need to fix that. (I have it on my TODO)
• Aha, I know why. Running process. Easy.


Page 8: Security Automation Approach: Scripting


Let’s Automate.

• How can I find the right process??
• Process image file and from there the process ID
• Get all processes and their image file script
• Let’s connect it together……


Page 9: Security Automation Approach: Scripting


Let’s Automate. (Production #2)

• It didn’t work.
• Grrrrrrrr.
• It had another file handle, locking the file
• How can I find that with PowerShell?


Page 10: Security Automation Approach: Scripting


Back to that to-do list…

What | Time
Figure out how to store credentials securely | 4 Days
Figure out authentication | 2 Days
Research how to “fight” process with file handles | ?
How can I exclude my work (scripts) from security tools we have in our organization? | ?
Figure out access issues (permission denied…) | ?
Firewall issues – GPO policy? | 2 Days
WMI: can I use WinRM? How do I secure it? (What about Linux and Mac?) | ? :-\
Documentation (I need to document the code) | Grrrrrrr
QA and Testing | What have I missed?