FalconFriday — Automating acquisition for incident response

Automating evidence collection in incident response

FalconFriday — Automating acquisition for incident response — 0xFF23

June 16, 2023

Nikolas Mantas

Releasing ParrotForce to help you fly high even when your systems are down.

In this world, nothing is certain except death, taxes and cyber incidents. Automation can play a crucial role in Cyber Incident Response by significantly enhancing the speed, accuracy, and efficiency of the overall process. Automation streamlines the evidence collection process by leveraging preconfigured workflows and tools that rapidly gather critical data. Incident responders can efficiently capture and preserve evidence without manual intervention, reducing the risk of data loss or tampering. Additionally, automation ensures consistency in evidence collection across multiple incidents, enabling comparability and facilitating comprehensive analysis. Timely and reliable evidence acquisition through automation empowers incident responders to make informed decisions, accelerate the incident resolution process, and mitigate the impact of cyber threats on organizations.

In this blog we discuss the significance of automation during the incident response process and introduce a (downloadable!) playbook for Microsoft Azure that leverages Logic Apps to streamline the collection of evidence upon incident notification, based on a predefined criticality of your systems.
Automation enables fast decisions
Automated playbooks on predefined assets (commonly referred to as ‘crown jewels’), such as domain controllers, file / email servers, or business process systems, minimize the average time to respond during cyber incidents. These playbooks are designed to incorporate best practices, industry standards, and organizational policies into a structured and repeatable set of actions. By utilizing a risk-based approach, these playbooks prioritize incidents based on their potential impact and likelihood, allowing decision-makers to allocate resources efficiently and address high-priority threats first.

Azure Logic Apps
Logic Apps are cloud-based workflow automation platforms that allow you to connect and orchestrate various systems, services, and data sources. With their drag-and-drop interface and extensive range of connectors, Logic Apps enable you to build powerful, customized workflows tailored to your organization’s specific needs.

So, how do Logic Apps help expedite incident response? Let’s break it down:

Automated detection and alerting: Logic Apps can monitor security events from multiple sources, such as intrusion detection systems, SIEM solutions, or even custom scripts. When a potentially malicious event is detected, Logic Apps can trigger real-time alerts, ensuring incident responders are promptly notified. This proactive approach ensures that incidents don’t go unnoticed, giving responders a head start.
Efficient data collection and enrichment: Gathering relevant data is a crucial step in incident response. Logic Apps can automate the collection of log files, network traffic data, or any other critical information needed for analysis. Additionally, Logic Apps can enrich this data by pulling in threat intelligence feeds or querying external services, providing responders with valuable context to make informed decisions quickly.
Collaboration and workflow: Incident response often involves multiple teams working together. Logic Apps can automate the coordination between teams, ensuring everyone is on the same page. From ticketing systems to communication platforms, Logic Apps can integrate with various tools, streamlining collaboration and information sharing. This eliminates manual handoffs, reduces communication gaps, and accelerates response times.
Automated playbooks and response actions: Logic Apps excel at executing predefined actions based on specific triggers or conditions. By building automated playbooks, incident responders can outline a sequence of actions to be executed when an incident occurs. These playbooks can include tasks like isolating affected systems, blocking malicious IP addresses, or initiating forensic investigations. With Logic Apps, these actions can be executed rapidly and consistently, reducing the time required for manual intervention.
Continuous improvement and adaptation: Incident response is a continuous learning process. Logic Apps allow you to collect data on response times, effectiveness of actions, and incident outcomes. This valuable feedback loop helps you identify bottlenecks, refine playbooks, and improve incident response over time. Logic Apps empower decision-makers to make data-driven adjustments to their workflows, ensuring that their response capabilities are always evolving and becoming more efficient.

Microsoft 365 Defender Live Response
Microsoft 365 Defender is a comprehensive endpoint protection platform that helps organizations detect, investigate, and respond to advanced threats. One of its standout features is Live Response, which allows security teams to perform real-time, interactive investigations and remediation actions on compromised endpoints. This powerful capability enables incident responders to take immediate control and mitigate threats swiftly.

By integrating Live Response capabilities into Logic App workflows, security teams can establish a powerful automation pipeline that enables a rapid and coordinated response to cyber incidents. This seamless integration empowers incident responders to perform crucial actions in real-time, without the need for manual intervention or context switching between different tools.

“Logic Apps help expedite incident response!”

Introducing: 🦜ParrotForce

Evidence collection is one of the most time-consuming and challenging tasks during Incident Response, especially during the early stages of an incident, where the impact and its scope are not clear. To tackle this challenge, we combined the automation power of Logic Apps and Live Response capabilities into ParrotForce, a playbook dubbed after the tools used by the fire fighters 👨‍🚒🚒 during extrication operations commonly referred to as “parrots” 🦜.

ParrotForce differs from other existing templates that simply offer the API functionality of Live Response, as it can be extended based on your assets’ predetermined risk factor and incident severity way before incident detection. It’s not a matter of ‘if’, but a matter of ‘when’ and ParrotForce aims to be an actionable playbook giving responders and decision-makers enough room to strategize on the best mitigation approaches once the incident occurs. Consistency is another significant advantage offered through this playbook, as responders can ensure that the same actions are followed consistently, reducing the risk of errors or oversights during the high pressure commonly faced. After deployment, you can use this playbook to automatically trigger upon incident conditions and attach it to analytics rules.

Different problems call for different solutions

Figure 1: Snippet on the collection schematics based on the machine tags.

Delicate problems require delicate solutions and each incident calls for a different approach. ParrotForce will be triggered on High Severity incidents to avoid wasting resources on incidents with lesser impact. The playbook leverages custom tagging of machines to determine the appropriate actions based on the criticality of the systems and your business operations.

The default values of the expected tags are `HighJewel` and `MediumJewel`, but can be changed or extended according to your liking.

HighJewel actions

Figure 2: Snippet of the HighJewel actions.

We recommend tagging the machines that are the backbone of your infrastructure (domain controllers, mail servers, internal file servers, etc.) or systems that are used by accounts with elevated or administrative privileges (Domain Admins / Enterprise Admins). ParrotForce will trigger the execution of two forensic evidence collection tools through the Live Response API and update the incident ticket with the links to download the evidence files:

Trident : A PowerShell script for fast triage and collection of evidence from forensic artifacts and volatile data.
WinPmem : A Windows executable for physical memory acquisition.

These tools need to be first uploaded inside your Live Response library and can be changed or extended according to your predefined response playbooks. For more information on the Live Response library visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide.

MediumJewel actions

Figure 3: Snippet of the MediumJewel actions.

We recommend tagging the machines that are the critical to your operations and business needs (ticketing systems, ERPs, etc.) or systems that are used by accounts that can pose a significant risk inside your organization (VIPs, business owners, 3rd parties). ParrotForce will trigger the collection of the `Investigation Package` through the MDE API to automatically parse predefined artifacts such as:

Autoruns
Installed programs
Network connections
Prefetch files
Processes
Scheduled tasks
Security event log
Services
SMB sessions
System information
Temp directories
Users and groups
WdSupportLogs (if Troubleshooting mode is enabled)

Troubleshooting mode provides additional logs from Microsoft Defender Antivirus and will last for 4 hours. To enable Troubleshooting mode, select your device from the Devices pane in Microsoft 365 Defender web console.

Figure 4: Troubleshooting mode from the device page.

Details on the debug mode can be found on https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode?view=o365-worldwide.

Although the Investigation Package does not provide custom configuration, these artifacts are typically sought after by forensic examiners and incident responders and provide enough evidence during the early stages of the investigation.

Details on the Investigation Package API functions can be found on https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide.

Finally, the incident page will be updated with the link to download the Investigation Package to help you start the analysis in later stages and a timestamp to enable the chain of custody and give analysts a compete overview of the response process.

Collect automatically, decide faster

ParrotForce is available in our GitHub .

Azure deployment

Before deployment, ensure that the tags “HighJewel” and “MediumJewel” exist in Microsoft 365 Defender. You can either add the tags through the “Manage tags” in your devices pages or change the tag names inside the template.

The following API permissions need to be present in your managed identity that connects to Azure Sentinel and Microsoft 365 Defender:

AdvancedQuery.Read.All
Alert.Read.All
File.Read.All
Machine.CollectForensics
Machine.LiveResponse

By default, the Logic App of the template is configured on “Consumption” plan type. Hence, pricing will only occur upon workflow execution.

You can automatically deploy ParrotForce in Azure with the press of a button through our GitHub page or deploy manually by following the below steps:

1. Log in to the Azure Portal at https://portal.azure.com.

2. In the top bar search for “template” and select `Deploy a custom template` to start the deployment.

Figure 5: Search for template and select the Deploy a custom template.

3. Select the `Build your own template in the editor` to manually import ParrotForce.

Figure 6: Click the build your own template to enter the editor.

4. Click `Load File` and select the `deployazure.json` file to deploy ParrotForce.

Figure 7: ParrotForce template upon file load.

5. Click Save and assign ParrotForce to your Resource Group and Subscription of your choice.

Outro

Ultimately, ParrotForce can enable you to better safeguard the assets of your organization, respond swiftly to threats, and mitigate the potential impact of cyberattacks.