It's no secret that speed is one of the most important elements of incident response. ExtraHop Reveal(x) not only detects attacks, it integrates with your existing systems to allow you to streamline or even fully automate your emergency responses, minimizing business disruption and limiting privacy violations.
One of those existing systems that you can now seamlessly integrate with is Demisto. Demisto is a security orchestration, automation, and response (SOAR) platform focused on incident response that enables you to automate security workflows, manage incidents, and investigate underlying issues.
ExtraHop has partnered with Demisto to create a full-featured integration that enables:
- Detection-driven investigations - Real-time creation of Demisto investigations for Reveal(x) detections of malicious or non-compliant behavior on your network.
- Orchestrated response - Playbook-driven enrichment and response powered by thousands of security actions to accelerate automated investigation and remediation.
- War Room commands - Access to real-time security commands against ExtraHop Reveal(x) to search for specific devices, hunt for network peers and active protocols, query records, download packets, and more from within the Demisto War Room.
- Ticket status in Reveal(x) - Enhanced ticket tracking by linking each of your Demisto investigations back to the corresponding detections in Reveal(x).
ExtraHop Reveal(x) acts as the always-on eyes and ears of the security operations center (SOC) and provides high-quality detections which, in real time, can create Demisto incidents and kick off automated workflows:
How Reveal(x) and Demisto Work Together
Create Demisto Incidents in Real Time
The integration includes an ExtraHop trigger that, for every ExtraHop detection, automatically creates a corresponding Demisto incident in real-time via the Demisto REST API. These incidents can kick off automated investigation and remediation workflows including ticket tracking, guided investigation, blocking/locking, and more.
Let's walk through an example where the unusual network behavior that ExtraHop detected was a CVE-2019-0708 RDP exploitation attempt. Here's the ExtraHop detection card that shows a detailed description of the attack, the victim and offender device, a timeline of related detections, mitigation options, CVE references, and links to the associated transaction records and network packets:
Figure 1. ExtraHop Detection card for CVE-2019-0708 RDP Exploit Attempt
The trigger automatically creates a corresponding Demisto incident with all of the ExtraHop detection details. This information helps analysts evaluating the detection to understand the severity of the event. Too often, analysts' time is wasted by alerts with low context—Reveal(x) gathers contextual details so that people don't have to spend time gathering that information for themselves.
Figure 2. Demisto incident summary for CVE-2019-0708 RDP Exploit Attempt
Playbook-Driven Enrichment and Response
Once an incident of type ExtraHop Detection is created in Demisto the ExtraHop - Default playbook automatically assigns an ExtraHop analyst to the incident, sets up ticket tracking, and runs any detection playbooks associated with the incoming incident.
Figure 3. ExtraHop - Default playbook to setup ticket tracking and run specific detection playbooks
In this case, the CVE-2019-0708 RDP exploitation attempt detection does have a specific detection playbook which automatically gathers detailed investigation information from Reveal(x) and orchestrates a remediation workflow.
Figure 4. ExtraHop - CVE-2019-0708 (BlueKeep) playbook for automated investigation and response
This playbook starts off by running a CVE search and returns the following:
"A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network."
The playbook continues to run a series of tasks to both automate the investigation of the exploitation attempt and also reach out to your ExtraHop analysts to determine if an automated IP blocking action is appropriate. The automated investigation completes the following tasks:
- Gathers device activity - Runs another ExtraHop contributed playbook to hunt for details on the offender device in your Reveal(x) including all of the network peers and protocols communicated during the exact time of the incident as well as provide a direct link to an ExtraHop Live Activity Map to visualize the network communications at the time of the attack.
- Queries transaction records - Retrieves the exact transaction records associated with the attack from Reveal(x) and displays them in a human readable table in the War Room.
- Collects PCAP file - Searches Reveal(x) for the exact packets associated with the attack and downloads a PCAP file to the War Room.
- Orchestrates remediation - Reaches out for an ExtraHop analyst approval to automatically block the offender IP address using the supported IP blocking integrations that you have enabled.
Figure 5. Demisto War Room showing the results of the automated Reveal(x) investigation
As a result of the playbook, within seconds of the incident being created your SOC analyst already has all of the detection information properly organized and formatted to make an informed decision about the appropriate response to take against the exploitation attempt.
Interactive Investigation in Virtual War Room
The integration brings the power of Reveal(x) to Demisto's War Room with the ability to quickly and easily search for devices matching specific criteria, hunt for network peers and active protocols, query records, download packets, view activity maps, tag devices, and more all from within the interactive command-line in Demisto War Rooms.
Reveal(x) automatically discovers and classifies all devices communicating in your network and then makes those attributes available for search in the Demisto War Room. This enables analysts to search for all file servers running the Windows operating system, for example. This search capability will also discover unmanaged and rogue devices that are not accounted for in a CMDB.
Figure 6. Reveal(x) command to quickly search for all Windows file servers on your network
Enhanced Ticket Tracking For Detections
The integration also links each of your Demisto incidents back to the corresponding detections in Reveal(x) so that your analysts can easily see the assignee and status of the incident from within the Reveal(x) UI.
Figure 7. ExtraHop Detections with ticket status updates from Demisto
Network detection and response (NDR) products are a vital layer of defense in detecting suspicious activity at every stage of the attack lifecycle. By integrating the Reveal(x) NDR with Demisto, an organization can dramatically speed up the response to newly detected threats with appropriate level of human interaction.