Introduction
As malware threats become more sophisticated, organizations must act swiftly to block known malicious hashes across their environments. Manual enrichment and blocking can lead to delays, creating potential security gaps. SIRP’s Block Threat Intelligence Reported Hashes playbook automates this process, ensuring fast and efficient blocking of malicious hashes across multiple security controls while involving SOC analysts for further investigation when needed.
Challenges Faced
Manual Hash Analysis: Enriching hashes manually slows down response times.
Fragmented Security Controls: Blocking malicious hashes across multiple platforms is cumbersome and prone to errors.
Missed Threats: Limited visibility or no information on certain hashes creates blind spots.
Delayed SOC Escalation: SOC teams are often overloaded with manual reviews and remediation tasks.
How SIRP Solves This
The Block Threat Intelligence Reported Hashes playbook delivers seamless integration and automation for hash enrichment and response, ensuring efficient threat mitigation.
Hash Enrichment
Uses VirusTotal and Kaspersky Threat Intelligence to evaluate hash reputations.
Provides insights on whether a hash is malicious, suspicious, or unknown.
Automatic Blocking
Malicious hashes are immediately blocked on Kaspersky Security Center, Microsoft Defender for Endpoint, Trend Micro Apex Central, and the FortiGate Firewall.
Intelligent Decision-Making
Skips blocking if a hash is already flagged by the security controls’ vendors (Microsoft, Fortinet, Kaspersky, Trend Micro).
Unknown hashes are forwarded to SOC analysts for manual review, ensuring no potential threat goes unnoticed.
Comprehensive Reporting
Sends automated email notifications to security control admins, ensuring they remain informed.
Consolidates enrichment data and action summaries for easy reference.
Playbook Integrations
This playbook is powered by robust integrations that enhance its effectiveness:
VirusTotal: For hash reputation analysis and enrichment.
Kaspersky Threat Intelligence: To cross-check and validate hash reputation.
Kaspersky Security Center: For automated blocking of malicious hashes.
Trend Micro Apex Central: To enforce endpoint protection.
FortiGate Firewall: For network-level threat blocking.
Playbook Inputs
File Hashes: The suspicious file hashes requiring enrichment and action.
Playbook Outputs
Hash Reputation from VirusTotal: Provides detailed reputation insights.
Hash Reputation from Kaspersky Threat Intelligence: Additional validation against a trusted source.
Email Notifications for Control Admins: Keeps stakeholders informed of actions taken.
Hash Forwarded to SOC Analyst: Unknown hashes flagged for manual review.
Hash Blocked on Security Controls: Ensures immediate threat mitigation.
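The decision flow described under How SIRP Solves This and summarized in the inputs and outputs above, written out as an added Python example (not SIRP's own code). Control names, the worst-verdict-wins merge of the two enrichment sources, and routing suspicious hashes to the analyst alongside unknown ones are assumptions; sample hashes are constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical control names; the set matches the controls listed on the page.
CONTROLS = ("Kaspersky Security Center", "Microsoft Defender for Endpoint",
            "Trend Micro Apex Central", "FortiGate Firewall")
SEVERITY = {"unknown": 0, "suspicious": 1, "malicious": 2}

def hash_type(value):
    """Return md5/sha1/sha256 for a well-formed hex digest, else None.
    Validating first avoids pushing typos or truncated IoCs to the controls."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))

def combined_verdict(vt_verdict, ktip_verdict):
    """Worst case of the two enrichment sources wins (assumption)."""
    return max(vt_verdict, ktip_verdict, key=lambda v: SEVERITY[v])

@dataclass
class Decision:
    digest: str
    verdict: str
    block_on: list = field(default_factory=list)   # controls that get a new block
    skipped: list = field(default_factory=list)    # vendor already flags the hash
    escalate_to_soc: bool = False
    notify_admins: list = field(default_factory=list)

def decide(digest, vt_verdict, ktip_verdict, already_flagged=()):
    """Apply the playbook's branching for a single hash."""
    if hash_type(digest) is None:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {digest!r}")
    d = Decision(digest.strip().lower(), combined_verdict(vt_verdict, ktip_verdict))
    if d.verdict == "malicious":
        for control in CONTROLS:
            if control in already_flagged:
                d.skipped.append(control)          # avoid duplicate effort
            else:
                d.block_on.append(control)
                d.notify_admins.append(control)    # email that control's admin
    else:
        # unknown (and, by assumption, suspicious) goes to an analyst for review
        d.escalate_to_soc = True
    return d

if __name__ == "__main__":
    # Constructed sample inputs, not real indicators.
    print(decide("a" * 64, "malicious", "unknown", already_flagged={"FortiGate Firewall"}))
    print(decide("b" * 32, "unknown", "unknown"))
```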
The SIRP Playbook
Key Benefits
Accelerated Threat Response: Automated enrichment and blocking streamline workflows.
Improved Coverage: Protects against threats across multiple endpoints and network layers.
SOC Efficiency: Reduces manual workload, allowing analysts to focus on complex investigations.
Vendor Coordination: Avoids duplicate efforts by recognizing hashes already flagged by security controls.
FAQs
Can this playbook be customized to integrate additional tools?
Yes, SIRP playbooks are fully customizable to include other tools in your security ecosystem.
Can I use different tools than the aforementioned ones for this playbook?
Absolutely. The playbook can be adapted to work with alternative security controls and threat intelligence providers.
What happens if a hash has no reputation information?
Unknown hashes are automatically flagged and forwarded to the SOC analyst for manual review and further action.