Incident Response (IR)
Incident Response is an organized approach to addressing and managing the aftermath of a security breach or cyber attack, also known as an IT incident. The goal of incident response is to handle the situation in a way that limits damage and reduces recovery time and costs.
Ideally, incident response activities are conducted by a SOC analyst. The process, if not automated, is time consuming and requires the SOC analyst to look through the results of various tools, which can be error prone.
Challenge
To implement a workflow that an analyst would follow as per a documented playbook for a malware incident response. Such a workflow consists of multiple steps, which are mostly manual tasks to be performed by the analyst. The tasks an analyst performs for a malware incident response include analyzing an alert, extracting observables, enriching them by looking up threat intel resources, etc. For each of the tasks listed, a SOC analyst has to perform the task manually, which is time consuming. We need a quick way to automate some or all of the tasks in a playbook so that the response is quick and effective enough to contain the damage, after which the important process of eradicating the threat begins. The solution for this is a playbook which defines an IR cycle.
Solution
Playbook
This playbook follows the incident phases and, for each phase, performs a set of actions. An action can either create a manual task for a SOC analyst or run an automated step which performs that action. Once a manual task is complete, the next manual task is added to the workflow. The playbook also updates the incident with relevant comments describing the action required or performed. Users can replace manual playbook steps with automated steps using CyOPs™ Connectors.
Prerequisites
You will have to import the attached MMD of the Incident module before importing the playbook. You will also need to install the following CyOPs™ connectors:
Note: These connectors are used in this example playbook but can be changed as per the requirements of each SOC's integrations.
How to use
This sample playbook has the following:
Import the Incident module’s configuration and publish it.
To run the sample playbook open an incident and from the Execute list click the Malware - IR Life Cycle option:
The Malware IR Life Cycle playbook:
Copyright 2024 Fortinet, Inc. All Rights Reserved.