Tines Summer Release 2019

July 12, 2019 in Blog

On today’s blog we’re delighted to announce details of the latest and greatest Tines features launched in the Tines Summer 2019 release. The Tines Summer Release is jam-packed with new features including:

  • Agent Templates & Private Templates
  • Improved Searching
  • Time-based Deduplication
  • Emit and Tag Duplicate Events
  • Emit and Tag Non-Matching Trigger Events
  • Asynchronous Event Loading

Existing Cloud tenants always stay on the latest release, so Tines Cloud customers do not need to take any action. Tines On-Premise and Kubernetes customers can log in to the Tines customer portal and download the release and installation instructions now.

Agent Templates

You asked, we answered! The most exciting feature of the Tines Summer Release 2019 is Agent Templates. Tines now has automation templates for nearly 1,000 security actions commonly performed by security teams with the most popular security products.

Sample templates include:

  • Create A New Issue in Jira
  • Isolate a Host in Carbon Black
  • Search for Hash in VirusTotal
  • Disable a User Account in Microsoft Graph
  • Retrieve Email Headers in Outlook
  • Upload an Attachment to Box
  • Search for Details within Tickets in ServiceNow
  • Create a New Alert in The Hive
  • Upload Samples to the Hybrid Analysis Sandbox
  • Scan a DynamoDB Table
  • Retrieve Analysis Results from App.Any.Run

It’s important to note that Tines integrates automatically with any tool in your stack with any API, regardless of the templates that exist. Templates help jump-start automation stories but are just that: a springboard on which you can begin automating all your manual workflows!

To view all available templates now, simply create a new agent within Tines. You will be presented with a list of hundreds of automatically generated templates which can be filtered by vendor, agent type, and privacy level. You can also search on the right hand side for specific terms like “Carbon Black” or “MD5”.

Users can still build agents from scratch using the “Start with a Blank Agent” tab.

Got a suggestion for agent templates that we’re missing? Email hello@tines.io and we’ll add them in right away!

Private Templates

In addition to the thousand public templates that are now available, Tines has also enabled “Private Templates”. If you have a private API that you use internally, or if you have custom fields and configurations for your own tools (like Jira, Splunk, AWS etc.) you can create your own Private Agent Templates within Tines. These templates are viewable to everyone within your company, and can be shared among all your Tines production and test tenants.

Creating Private Templates

To create a Private Template, find an agent that you have saved, and in the Actions Menu click “Create Template”. (Note, only Tines admins are able to create Private Templates).

Fill in the appropriate details on the “Create a New Agent Template” page.

Your template will then be visible in the “Manage Templates” page in the Admin Tab in your Tines tenant.

In addition, you will be able to choose this template from within the “Create New Agent” templates page.

You can also view all your Private Agent Templates using the Visibility: “Private” filter on the left hand side of the Agent Template search page.

Retry on Status Failure in HTTP Request Agents

When trying to automate manual processes using Tines, custom scripts, or any automation platform, customers often run into a stumbling block: when an action fails or is interrupted (e.g. when a site is down, when the receiving server returns an error, or when the script is rate limited) the entire automation flow fails. Common causes are rate limits on the server or a simple network blip. When an error occurs in an automation story or in a script it can be tough to detect, and in some cases the entire automation flow fails.

To tackle this problem in Tines you can now add an optional flag to every HTTP Request Agent called “fail_on_status”. With this flag enabled, if Tines receives a non-2xx HTTP response code when an agent runs, it will re-run the agent 40 times with an exponential back-off over a 30 day period, until it receives a 2xx HTTP response code. Now when Jira is down, or when VirusTotal returns a 429 rate limit response code, Tines will automatically re-run the agent with the same incoming event. Your Tines automation story will then continue as soon as the service is back up. A sample configuration is below.

Improved Search

We’re delighted to announce that the Summer Release includes a much improved search interface within Tines. The Search bar in the top right hand corner will now search and return results for Stories, Agents and Credentials. It performs a full text search within agents configurations too, so you can find all agents which reference a particular hostname or use a particular command. Try it out now in your own tenant!

Time Based Deduplication

One of the most frequent causes of fatigue in information security teams is alert overload. That’s why in Tines we have a “deduplication” mode within Event Transformation Agents – to suppress noisy alerts and prevent analysts having to repeat the same work over and over again.

In Tines we recognize that you often need to suppress events for a set period rather than just ignoring all duplicate events. If an alert fires, you may want to suppress that same alert for another 24 hours, or simply not see it for another 100 events, or ever again. As a result, we have enhanced the deduplication mode in the Event Transformation Agent: you can now deduplicate based on a Time Period as well as based on a Lookback through previously emitted events.

  • A time-based deduplication analyzes each event that is received for uniqueness, and subsequent matching events will not be emitted until this time period has elapsed. A sample time based deduplication is below.
  • A lookback deduplication will examine the previous X events for uniqueness, regardless of when the events happened. It takes a parameter “lookback” which will be the number of events to store which Tines checks against for uniqueness.

Emit Duplicate and Emit on No Match

Emit Duplicates in Event Transformation Agents

A complementary feature launched along with Time Based Deduplication is an emit_duplicate flag for deduplication events and an emit_no_match for trigger events. 

When the emit_duplicate flag is set to “true” in deduplication mode, duplicate events are emitted by the Event Transformation Agent. Duplicate events carry the value “unique_event”: “false” in the emitted event; non-duplicate events carry the value “true”. Using this flag, users can create more complex stories, e.g. adding details of duplicate events to existing tickets, creating lower priority duplicate alerts, or taking a lower-risk action based on the fact it is a duplicate event. A sample configuration is below.
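As an added illustration (this is not Tines code), the Python below models the two deduplication modes and the emit_duplicate flag described above: a time-based window that suppresses matching events until the period has elapsed, and a lookback over the previous X events regardless of time. The event dicts, the key fields and the timestamps are constructed assumptions.

```python
"""Added example, not Tines code: a deduplicator with the two modes
described above (time period, or lookback over the previous X events)
and the emit_duplicate flag.  Events are plain dicts and time is a Unix
timestamp passed in by the caller, both assumptions made so the example
is deterministic and runs offline."""
import json
from collections import deque


class Deduplicator:
    def __init__(self, key_fields, period=None, lookback=None, emit_duplicate=False):
        # Exactly one of period (seconds) or lookback (number of events) must be set.
        if (period is None) == (lookback is None):
            raise ValueError("set exactly one of period or lookback")
        self.key_fields = key_fields
        self.period = period
        self.emit_duplicate = emit_duplicate
        self._window_start = {}  # time mode: key -> start of its suppression window
        self._recent = deque(maxlen=lookback) if lookback else None  # lookback mode: last X keys

    def _key(self, event):
        # Uniqueness is decided on the configured fields only, not the whole event.
        return json.dumps([event.get(f) for f in self.key_fields], sort_keys=True)

    def _is_unique(self, key, now):
        if self.period is not None:
            start = self._window_start.get(key)
            if start is None or now - start >= self.period:
                self._window_start[key] = now  # emit, and open a fresh window
                return True
            return False  # still inside the window: duplicate
        unique = key not in self._recent  # compare against the previous X events only
        self._recent.append(key)          # the oldest key falls out automatically
        return unique

    def process(self, event, now=0):
        """Return the event to emit (tagged with unique_event) or None if suppressed."""
        unique = self._is_unique(self._key(event), now)
        if unique or self.emit_duplicate:
            return {**event, "unique_event": unique}
        return None


def run(dedup, timed_events):
    """Feed (timestamp, event) pairs through a deduplicator; return what was emitted."""
    emitted = []
    for now, event in timed_events:
        out = dedup.process(event, now)
        if out is not None:
            emitted.append(out)
    return emitted


# Constructed sample alerts: the same rule fires on the same host at 0s, 1h and 25h.
ALERT = {"hostname": "ws-01", "rule": "suspicious-login"}
TIMED_ALERTS = [(0, ALERT), (3600, ALERT), (90000, ALERT)]

if __name__ == "__main__":
    # 24h window: the 1h repeat is suppressed, the 25h repeat is emitted again.
    print(run(Deduplicator(["hostname", "rule"], period=86400), TIMED_ALERTS))
    # Same window with emit_duplicate: the 1h repeat is emitted with unique_event False.
    print(run(Deduplicator(["hostname", "rule"], period=86400, emit_duplicate=True), TIMED_ALERTS))
    # Lookback of 2 events, regardless of time: the third "A" is unique again.
    ids = ["A", "B", "A", "C", "D", "A"]
    print(run(Deduplicator(["id"], lookback=2), [(0, {"id": i}) for i in ids]))
```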

Emit on No Match in Trigger Agents

Similar to the “Emit Duplicate” flag, the emit_no_match flag is also available within Trigger Agents. Events which do not match the trigger agent’s rules can now be emitted, but will have the field “rule_matched” set to ‘false’. Events which match the rule will have the “rule_matched” value set to ‘true’. This new feature allows users to build and maintain a set of trigger rules within one agent.

A sample configuration for a trigger agent with emit_no_match set to true is below.

Asynchronous Event Loading

The last major feature of the Summer Release is an under-the-hood user experience improvement. When using Tines to automate AWS workflows, collect logs, analyze malware, and other common use-cases, some events in Tines can become extremely large. Previewing these events within Tines is now much faster thanks to our new Asynchronous Event Loading feature. Tines will now only show the event data that the user wants to see. Expanding the JSON in the View Events page will then dynamically pull back the relevant data from the Tines database. Asynchronous Event Loading allows users to quickly preview the relevant section of the event without waiting for the entire event to be downloaded. Each event should now take just fractions of a second to load, making for a more seamless user experience.

That’s all for this year’s Summer Release. To get on the beta to test new features as they are being developed, simply talk to your Tines account manager.

To learn more about how these features can help your automation journey, book a demo, start a free trial, or contact us at hello@tines.io.

Processing and Enriching AWS Security Hub Findings in Tines

July 5, 2019 in Blog

With AWS Security Hub, Amazon have provided a way for AWS customers to “quickly see their entire AWS security and compliance state in one place, and so help to identify specific accounts and resources that require attention.”

Security Hub went GA in July 2019 and although there is debate around the material value the service will provide, specifically in terms of ROI (when it’s enabled, 30+ Config rules are created per account, this can quickly become expensive), the benefit for enterprise security teams of having a centralised portal for Inspector, GuardDuty and CIS benchmark findings is intriguing.

In this post we will explore how to send findings from Security Hub to Tines so they can be enriched, prioritised, deduplicated and ticketed.

How AWS Security Hub Works

When you enable Security Hub, it immediately begins consuming, aggregating, organizing, and prioritizing findings from AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from AWS partner security products. Security Hub generates its own findings by running continuous, automated compliance checks based on AWS best practices and supported industry standards. It then correlates and consolidates findings across providers to help you prioritize the most significant findings.

As AWS Security Hub discovers findings, it will automatically send them to CloudWatch Events. As a result of this automated process, it’s simple to trigger notifications to Tines through SNS Topics.

Tines AWS Security Hub Automation Story

Here you will find a Tines automation story which you should download and import into your Tines tenant. The story contains five agents, including a Webhook Agent which we’ll use to receive events from Security Hub.

AWS Security Hub Tines Automation Story
Tines Webhook Agent Receive SNS Notifications

Take a note of the Webhook URL from the Summary tab in the Tines agent view, we’ll need to provide this to AWS. In the above example, the Webhook URL is: https://hq.tines.io/users/1/web_requests/1162/de38b6203ae66ed5ec6b76ba419f7f8e

Using the Tines AWS Security Hub CloudFormation Template

Next you will need to configure AWS Security Hub to send CloudWatch Events to Tines. Although you can do this manually, we also provide a CloudFormation template which does the hard work for you.

Download the template from here and upload it to CloudFormation.

Once you have uploaded the file, click Next and give the stack a name, then provide the following parameters:

EventPatternParameter: { "source": [ "aws.securityhub" ] }

TinesWebhookURL: The Webhook URL taken from the Receive AWS Security Hub Notification.

After selecting Create Stack, CloudFormation will begin creating the stack. When CloudFormation is finished creating the stack, it sends a new SNS Subscription Confirmation Event to Tines (sample below).

AWS Security Hub SNS SubscribeConfirmation Event in Tines

We’ve configured the Confirm Subscription HTTP Request Agent to send a GET request to the SubscribeURL defined by SNS. This confirms the SNS subscription, so Security Hub will now send Findings to Tines.

Receiving AWS Notifications in Tines

You should now have everything needed to begin automating response to Security Hub Findings in Tines. When Security Hub triggers a Finding, it will send a notification event to the Tines Webhook agent. A sample event is shown below:

AWS Security Hub Notification Event in Tines Security Automation Platform

The important information describing the Security Hub finding is in an escaped JSON string, which makes further automation challenging. To parse this string into a “friendlier” format, we use the Liquid filter json_parse in a message_only mode Event Transformation Agent.

Events emitted by this agent will contain the Finding’s details in a format we can easily use in Tines to further enrich, deduplicate, prioritise and even automatically remediate the Finding.
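The handling described in the last two sections, as an added example that is neither the Tines story nor AWS code: the webhook receives a SubscriptionConfirmation first (confirmed by a GET to SubscribeURL) and Notifications afterwards, whose Message field is the Security Hub CloudWatch event serialised as an escaped JSON string that must be parsed once more before the finding is usable. The sample bodies are constructed; SNS signature verification is assumed to happen before any of this is trusted.

```python
"""Added example, not the Tines story or AWS code: handle the two SNS
message types the webhook receives and un-escape the Security Hub
finding carried in Message (the job the json_parse step does above).

Constructed: the sample bodies below.  Assumed: the SNS signature
(Signature/SigningCertURL) has already been verified; that check is
out of scope here."""
import json
from urllib.parse import urlparse


def summarize_finding(finding):
    """Pull the fields an analyst triages on out of an ASFF finding."""
    severity = finding.get("Severity", {})
    return {
        "id": finding["Id"],
        "title": finding["Title"],
        "severity": severity.get("Label") or severity.get("Normalized"),
        "account": finding["AwsAccountId"],
        "resources": [r["Id"] for r in finding.get("Resources", [])],
        "types": finding.get("Types", []),
    }


def handle_sns(body):
    """Return what the story should do next for one SNS delivery."""
    msg = json.loads(body)
    if msg["Type"] == "SubscriptionConfirmation":
        url = msg["SubscribeURL"]
        parsed = urlparse(url)
        # Only confirm subscriptions that point back at SNS itself: anyone who
        # learns the webhook URL could otherwise make the story GET an arbitrary URL.
        if parsed.scheme != "https" or not (parsed.hostname or "").endswith(".amazonaws.com"):
            return {"action": "reject", "reason": "SubscribeURL is not an SNS endpoint"}
        return {"action": "confirm", "url": url}
    if msg["Type"] == "Notification":
        # Message is an escaped JSON string holding the CloudWatch event;
        # parsing it a second time yields a usable object.
        event = json.loads(msg["Message"])
        if event.get("source") != "aws.securityhub":
            return {"action": "ignore", "reason": "not a Security Hub event"}
        findings = event.get("detail", {}).get("findings", [])
        return {"action": "findings", "findings": [summarize_finding(f) for f in findings]}
    return {"action": "ignore", "reason": "unsupported Type " + str(msg.get("Type"))}


# Constructed sample bodies in the shape SNS delivers to an HTTPS subscriber.
SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:TinesSecurityHub",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=arn:aws:sns:us-east-1:123456789012:TinesSecurityHub&Token=EXAMPLETOKEN",
})

SAMPLE_FINDING = {  # constructed GuardDuty finding in ASFF shape
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLE/finding/EXAMPLE",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
    "AwsAccountId": "123456789012",
    "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
    "Title": "EC2 instance i-0123456789abcdef0 is querying a domain associated with a known C&C server.",
    "Severity": {"Product": 8.0, "Normalized": 80, "Label": "HIGH"},
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
}

SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:TinesSecurityHub",
    # The CloudWatch event is serialised a second time inside Message.
    "Message": json.dumps({
        "version": "0",
        "detail-type": "Security Hub Findings - Imported",
        "source": "aws.securityhub",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {"findings": [SAMPLE_FINDING]},
    }),
})

if __name__ == "__main__":
    print(handle_sns(SAMPLE_CONFIRMATION))
    print(json.dumps(handle_sns(SAMPLE_NOTIFICATION), indent=2))
```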

To learn more about AWS automation in Tines, or what this might look like in your environment, you can book a demo, start a free trial, or contact us at hello@tines.io.

Tines {} urlscan automation

June 14, 2019 in Blog

On this week’s blog, we are delighted to announce that Tines is sponsoring one of our favorite tools, urlscan.io. Welcome urlscan users to the Tines website! In this blog you’ll learn more about urlscan automation including how you can automate your URL analysis processes; search for IOCs within urlscan; search for leaked credentials; and share threat intelligence with the security community.

For those Tines readers unfamiliar with urlscan, you’re one of today’s lucky 10,000! urlscan.io is a website scanner built by Johannes Gilger, which scans and classifies almost 100,000 urls every day. This includes submissions from thousands of public and enterprise users and security researchers and all urls in openphish, phishtank, certstream, urlhaus and more. urlscan runs all the analysis on its own servers and records http request data; all domain interactions; all links on the scanned page; the website technologies in use; a hash of every file on the page; and ssl certificate detection, as well as related scans, IP information, google safe browsing information for the domain and more.

Even better, urlscan makes all this information available, for free, via an intuitive and well built API. This makes automating scanning, searching, and interacting with urlscan through the Tines security automation platform incredibly easy.

For those of you visiting Tines for the first time, Tines is a Security Orchestration, Automation and Response (SOAR) platform that helps security teams automate any repetitive manual task. If you are unfamiliar with Security Automation, you can check out our ‘getting started’ guide. If you are familiar with security automation, you can read about why Tines is different than all other SOAR platforms. (hint: we don’t rely on any prebuilt integrations – you can integrate easily with every tool in your technology stack!)

Why sponsor urlscan?

At Tines we’ve long been fans of URLScan. Before setting up Tines we worked as security engineers in eBay/PayPal and DocuSign, some of the most phished brands in the world. When we had to analyze thousands of phishing urls we quickly realized that manually analyzing them one-by-one was time consuming, error prone and, frankly, boring. As a result, we turned to automation and we started using urlscan.io. When we started Tines urlscan’s incredible API made it easy to showcase how to analyze urls, and to share threat intelligence back to the community.

It’s no surprise that many enterprise security teams rely on urlscan.io to analyze suspicious URLs. It’s also no surprise that urlscan has been mentioned heavily in other blog posts by Tines! At Tines we want to help ensure urlscan continues to be an incredible resource for the security community.

Does Tines integrate with urlscan?

Yes! urlscan is a tool which exposes all its analysis information up front in a clean and simple to use API. Because of this, it’s very easy for Tines customers to search for and submit urls to urlscan. We have several out of the box stories which harness the power of urlscan. Customers can easily customize these to suit their own needs and processes.

As mentioned above, Tines does not rely on pre-built apps to integrate with external systems. Instead, the HTTP Request Agent (one of the six agents available in Tines) provides direct integration with the target tool, in this case urlscan. This means consistent integration with any tool, regardless of the vendor, regardless of whether it’s open or closed-source, and regardless of whether it’s commercial off the shelf or custom built.

Tell me about urlscan automation in Tines!

The primary purpose of urlscan is to analyze urls. Those familiar with urlscan will know that every page that is analyzed is categorized and given a malicious score verdict:

the verdict of a url analysis in urlscan

The most obvious process to automate, therefore, is the analysis of urls sent to employee or customer abuse inboxes. You can read more about Tines in depth and out-of-the-box abuse inbox processing here. If you are spending significant time analyzing urls you should consider automating that process using an automation platform like Tines.

Submitting a url to urlscan through Tines is easy:

You can also use Tines to pull suspicious URLs from other sources which can then be analyzed in urlscan.io. Common sources of malicious or suspicious urls include:

  • URLs blocked by your email security solution like Proofpoint, FireEye ETP, Barracuda, Mimecast or Microsoft ATP.
  • DMARC failures or rejects
  • Suspicious uncategorized or punycode URLs from your firewall logs or DNS logs
  • New SSL Certificates registered with domains similar to your brand (e.g. from crt.sh)
  • Threat Intel sources like the Phish.ai threat intel feed which generates feeds based on the brands attacked
  • Free feeds of malicious urls like Phishtank, Openphish, phishstats.info or Urlhaus. Note, these feeds are often high-reputation so don’t necessarily need to be further analyzed.

automate the process for scanning urls from Tines in urlscan

Using Tines’ Phishing Story it’s easy to collect suspicious urls from dozens of different sources automatically. Once these feeds are in Tines it’s easy to deduplicate and classify urls to prevent alert overload and to generate more accurate metrics.

Does urlscan detect if a site is malicious?

urlscan results in Tines

Yes! The above screenshot shows that a verdict, or overall malicious score, is returned in the urlscan UI based on an analysis of the content on the page. This verdict takes into account the classification of the domain and IP in other security tools like GSB, openphish, phishtank, urlhaus etc.

This verdict is also returned in API calls, so we can use this information to automate the url analysis process. (Note, this urlscan API feature is in beta so may change in the future.)

Using the information returned via the urlscan API we can build a trigger agent to flag urls classified as malicious. We can then take additional actions including blocking that URL; scanning for traffic to the domain in our environment; sending takedown notices for malicious content; creating tickets for analysts etc.

urlscan automation to take action on all malicious urls submitted
completing the urlscan url analysis automation process

What else can I automate with urlscan.io?

Automate IOC extraction

Urlscan.io records the hash of every file it downloads as an indicator of compromise or ‘IOC’. Using the urlscan API you can search for other pages with this same IOC. This means if you’re a highly phished brand, for example, or a researcher tracking a phishing campaign, you can search for pages with similar IOCs which may be using the same phishing kit. E.g. searching for this MD5 (a PayPal logo) will return several thousand other pages impersonating PayPal.

You can automate this search using Tines to extract urls with matching IOC every hour and issue takedown notices for pages abusing your brand, for example.

Search for leaked credentials or access tokens

Unfortunately, users and analysts occasionally mistake legitimate emails as suspicious and use urlscan to analyze legitimate web pages. Occasionally sensitive information like document access links or password reset tokens are exposed. For many services the url itself can be enough to give an attacker access to an account or to sensitive information.

With a trivial amount of effort searching urlscan (no, we won’t give you the searches here!) you can find several password reset tokens for high profile enterprise services as well as access links to enterprise file sharing services like Dropbox, OneDrive etc.

For more information on how to see if your company’s accounts or website might be affected, and how you can automate the detection of these for your enterprise, you can read this Tines blog on the topic.

Share threat intelligence with the community

urlscan is a valuable threat intelligence tool for researchers and security professionals; however, it’s only as good as the data that the community submits and shares. If you have a feed of malicious urls you have detected privately, you can give back to the security community by sharing this information automatically to urlscan using Tines. Sharing threat intelligence with urlscan means researchers and other security teams can keep their customers, companies and the wider internet community safer.

For more information you can read this Tines blog on how to share threat intelligence information using urlscan.

Conclusion

In conclusion, integrating with urlscan.io is easy with Tines. If you find yourself using urlscan frequently to analyze urls, you should consider looking at a SOAR platform to help with urlscan automation and let your team focus on more impactful risk reduction efforts.

To learn more about automating URL analysis, or what this might look like in your environment, you can book a demo, start a free trial, or contact us at hello@tines.io.


Malware Analysis Automation using Public and Private Sandboxes

May 31, 2019 in Blog

Performing malware analysis on suspicious files is a bread and butter activity of any security operations or incident response team. Whether submitted to an abuse inbox, caught by an email gateway, detected by anti-virus, or found during a breach investigation, the malware analysis process is time-consuming, repetitive and manual – which is why many teams are examining malware analysis automation.

There are dozens of approaches to analyzing potentially malicious files and binaries, including static and dynamic analysis. For now at least, nothing will perform better than a sophisticated malware reverse engineer interacting with and analyzing a file manually in a secure environment. However, until humans can work at the scale and speed of malware analysis engines, relying on some form of automation is necessary.

One of the most popular methods of Malware Analysis Automation to determine the maliciousness of suspicious files is using public and private sandboxes. Popular sandboxes include Any.Run, Hybrid Analysis, Joe Sandbox, Valkyrie Sandbox, Cuckoo Sandbox. In this blog we examine some private and public sandboxes that analyze suspicious files. We’ll also learn how the results of the analysis can help proactively protect our environments.

Firstly, a word of caution: at Tines we don’t want you to think that you can completely automate the process of securing your environment by analyzing suspicious files. There are dangers and pitfalls to completely automating the analysis of malware. Modern malware often requires multiple applications to be running on a box for the malware to be triggered. Other malware can detect that it’s running in a sandbox. Furthermore, in many cases different contamination levels will require different triggers. Automated sandboxes struggle to accurately simulate the activities of a real, infected end-user. However, several sandboxes like app.any.run allow interactive analysis with malware and may help in this regard.

When should I automate the analysis of malware?


Using a Sandbox is the right approach for frequent, repetitive malware analysis tasks. A good example of a process like this is analyzing files which AV software detects as suspicious. Attachments which users submit to an abuse mailbox are another source of files which frequently require non-sophisticated malware analysis.

There are several free, public sandboxes available online, however if you suspect that a suspicious file may be targeted at your organization directly you should consider using a private sandbox. This will help prevent a targeted attacker knowing you have detected their activity.

You can set up your own free private sandbox like Cuckoo Sandbox, or you can make a private submission to sandboxes like app.any.run or Hybrid Analysis, or to other commercial sandboxes like CrowdStrike Falcon or Palo Alto WildFire.

How can I upload files programmatically?

Uploading files to app.any.run, Cuckoo, or Hybrid Analysis from Tines is simple once the contents of the file are in Tines. Tines can read the contents of email attachments, or, in some cases, extract the contents of files in a shared drive or the contents of a quarantined file. Once the contents are base64 encoded, it’s possible to upload them using any API with a file upload capability.

In the templates below you can see how to upload a file to three popular online sandboxes: Cuckoo, App.Any.Run and Hybrid Analysis. In the examples we simply replace the base64 encoded contents with the contents from a previous agent, and you can upload to any sandbox. There are also templates available for uploading to VirusTotal and several other sandboxes in your own Tines tenant.

Before uploading to any sandbox, we recommend checking to see if the file has been seen before in tools like VirusTotal or Hybrid Analysis or your own threat intel platform. If VirusTotal or your threat intelligence platform has seen the file before we can avoid duplicating work and take response actions immediately. You can read more about VirusTotal automation here.

We can easily check if a file exists in VirusTotal using the agent template below.

This template requires the MD5 of the file to check in VirusTotal. If you do not have the MD5 of the file, you can use the agent template below to extract the md5 of a file in Tines.

Note, you can also upload files programmatically from a desktop using curl and a command similar to:

Or

Analysis of Manually Uploaded Files

At Tines we recognize that many processes involve analyzing files found manually, for example suspicious files found during a breach investigation. This does not mean, however, that the results of the analysis cannot be extracted and automated. Using Tines we can extract indicators from every file analyzed in your private sandbox, regardless of how it is submitted.

Analyzing the results of all files uploaded to a Malware Sandbox

The most obvious aim in analyzing malware using a sandbox is to determine its maliciousness. A secondary aim is to extract potential indicators which can be searched for across our environment.

The best way to automate this in Tines is to create an HTTP Request Agent which periodically polls your sandbox for any new files that have been uploaded. Tines can then extract all the relevant indicators from those reports.

In this story, we’ve used several liquid filters to extract out the relevant elements of the malware analysis report:

The end result is an event that looks like the below – replete with registry modifications, file modifications, network connections etc. The extracted data is in a format that can then be easily used by other agents.

Post Analysis Automation Actions

You can use the results of this file analysis to take other automated actions in your environment. For example, for every domain that the malware connected to, you can search for associated traffic to the network indicators. If the file was found to be malicious, you can ban the malicious hash from endpoints in your enterprise. You can also search for unique file modifications or registry modifications in an EDR tool, for example. In addition, the Tines Security Automation, Orchestration and Response platform can use these results to:

  • Isolate or quarantine infected endpoints
  • Block domains or IP addresses in Firewalls or in DNS tools
  • Document details about the file to ticketing systems like JIRA, including PCAPs for analysis etc.
  • Collate the analysis of multiple files to help build better detections on known threats for your environment
  • Use the detailed results to help prioritize detections using the MITRE ATT&CK framework
  • Upload artifacts like malware PCAPs into ServiceNow or Jira or The Hive
  • Perform memory dumps on infected endpoints
  • Block email addresses or domains on your email gateway

In short, automating the malware analysis process can help security operations teams react more quickly to potential threats. This allows them to focus on more impactful, risk-reduction efforts.

Note – this should not be taken as a complete method for analyzing malware. The correct approach will depend on your environment and risk tolerance. However this is illustrative of some of the analysis that you can automate using Tines and malware sandboxes.

Conclusion

Malware Analysis Automation can have several benefits in allowing teams to move quickly and automatically extract the most relevant data from malware reports.

To learn more about automating malware analysis, or what this might look like in your environment, you can book a demo, start a free trial, or contact us at hello@tines.io. You can also download the Cuckoo Sandbox Story or App.Any.Run Story directly for your own Tines tenant.

Automate the Analysis of Email Headers Using Tines.io

May 2, 2019 in Blog

Continuing our series on automating the analysis of phishing messages, this blog will look at the importance of, and methods for, analyzing email headers.

It is becoming harder and harder to determine the validity of suspicious emails. Malware distributors are using unique URLs for every recipient, compromising or creating hundreds of new domains every day, developing more sophisticated malware detection evasion techniques, and even now hijacking real conversations.

To be successful, analysts should be using all the tools at their disposal. One of these tools is analyzing email headers. Often overlooked, email headers contain important information about the route an email took before arriving in a recipient’s inbox, and this information can help determine the legitimacy of a given email. Spammers frequently and easily spoof messages to make them look like they were sent from somewhere else. As such, it’s important to know how to analyze these headers correctly.

With many Tines customers running their own abuse inbox, it’s no surprise that one of the most frequent requests we hear from our customers is how they can automate the analysis of email headers.

Why Analyze Email Headers

According to RFC 2822 from the IETF, all email messages must have certain characteristics to be processed by the receiving mailbox. Contained in these headers is a huge amount of information that can tell us more about the message and its authenticity. Headers can help us determine the sender’s IP, ISP, server, the tools they used to send the email, and the route the message took to arrive at its destination. Furthermore, they can even tell us the malware group that sent the message. When analyzing email headers there are a few fields which are the most important to analyze.

What Email Headers should I analyze?

Originator Headers

Originator headers include common fields like ‘From’, ‘To’, ‘Subject’, ‘Originator-Date’ which are set by the sending mail server. Unfortunately, because the sending server sets these headers, a determined attacker can easily spoof them so they are not as valuable as other headers. They do, however, also include the message-id field which can be useful in determining the legitimacy of a message.

Message-ID

Perhaps the most overlooked field in message headers is the “Message-ID”. From Emotet/Geodo to Phorphiex/Trik (not to be confused with Trickbot!) the message-id field is often used by a botnet to track its operations and establish which ‘bot’ sent a particular message. It can also be used to detect whether your organization is being spoofed (e.g. if the message header shows it’s from @yourdomain.com, but doesn’t match your message ID pattern).

We can analyze the Message-ID field for certain patterns to help us identify whether the message was sent by a particular botnet. For example, the Emotet group have previously used the Message-ID pattern:

<20 numeric characters>.<16 hex characters>@<recipient domain>

Or, more literally:

11223344556677889900.0123456789ABCDEF@recipient-domain.com (see this article by Cofense for more information)

In Tines we can write a regex to catch this message header, using a Trigger Agent:

trigger agent for searching for email headers

More recently Emotet have been using patterns like a 51 character hex string followed by @recipient-domain.com, or <11.22.334455.AA55CC99@recipient-domain.com>. We can add regexes for these patterns to the same Trigger Agent.

trigger agent to search for emotet message id patterns

Note that these patterns change over time and are sometimes prone to false positives; for the most up-to-date version you should check with your threat intel vendor, or you can contact Tines and we’ll be able to assist!
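The same checks outside of a Trigger Agent, as an added example (my code, not a Tines agent configuration): the three Emotet Message-ID shapes from the post transcribed into regexes, plus the “our domain in From, but not our Message-ID shape” spoof check. The regex for the dotted pattern is generalised from the single example above and the pattern for our own Message-IDs is an assumption; derive the real one from a few legitimate internal messages.

```python
import re
from email.utils import parseaddr

# Message-ID shapes the post attributes to Emotet/Geodo mail, transcribed by me into
# regexes (added example code, not a Tines agent configuration):
#   emotet_numeric_hex : <20 digits>.<16 hex chars>@<recipient domain>
#   emotet_hex51       : <51 hex chars>@<recipient domain>
#   emotet_dotted      : generalised from the single example 11.22.334455.AA55CC99@...;
#                        "three dotted numeric groups then a hex group" is an assumption
BOTNET_MESSAGE_ID_PATTERNS = {
    "emotet_numeric_hex": re.compile(r"^<?\d{20}\.[0-9A-Fa-f]{16}@[^@\s>]+>?$"),
    "emotet_hex51": re.compile(r"^<?[0-9A-Fa-f]{51}@[^@\s>]+>?$"),
    "emotet_dotted": re.compile(r"^<?\d+\.\d+\.\d+\.[0-9A-Fa-f]+@[^@\s>]+>?$"),
}

# Shape of the Message-IDs our own mail system generates. Site specific and assumed
# here; look at a few legitimate internal messages to derive yours.
OUR_ID_PATTERN_EXAMPLE = re.compile(r"^<[A-Za-z0-9._-]+@yourdomain\.com>$")


def match_botnet_pattern(message_id):
    """Name of the first botnet pattern the Message-ID matches, or None."""
    value = message_id.strip()
    for name, pattern in BOTNET_MESSAGE_ID_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def message_id_domain(message_id):
    """Domain part of a Message-ID, lower-cased; None if there is no '@'."""
    value = message_id.strip().strip("<>")
    return value.rsplit("@", 1)[1].lower() if "@" in value else None


def looks_like_internal_spoof(from_header, message_id, our_domain, our_id_pattern):
    """True when the From header claims our domain but the Message-ID does not look
    like one our own mail system would have generated."""
    _, address = parseaddr(from_header)
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if from_domain != our_domain.lower():
        return False
    return our_id_pattern.search(message_id.strip()) is None
```

The dotted pattern is deliberately loose and will match some legitimate IDs, which is the false-positive risk the note above refers to; treat a match as a reason to prioritise a message, not as a verdict on its own.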

Authentication-Results

The Authentication-Results header is a trace header field where a receiver can record the results of email authentication checks that it carried out. Multiple results for multiple methods can be reported in the same field, separated by semicolons and wrapped as appropriate [0].
Frequently included in the Authentication-Results header is information on whether the sender passed DMARC, DKIM and SPF.

dmarc and dkim authentication results

The best way to search for these is with regexes for the pass or fail values. In Tines an Event Transformation Agent in message-only mode can extract just the result for each method (for example dkim=neutral, pass or fail):

If the DMARC, DKIM or SPF results returned are “fail” then it’s possible an attacker has spoofed the message. Treat the results as one signal rather than a verdict: SPF legitimately fails for forwarded mail and DKIM fails when a mailing list modifies the body, while a “pass” only proves the message came from the domain it claims, which may be a lookalike domain the attacker registered. Only trust Authentication-Results written by your own receiving server (identified by the authserv-id at the start of the value); a sender can include a forged one, which is why receivers are expected to strip any that carry another server’s authserv-id.

Trace Fields

Trace Fields are a group of header fields which provide trace information and an audit trail of message handling. In addition, they indicate a route back to the sender of the message. The main Trace Fields to analyze are the ‘Return-Path’ and ‘Received’ headers.

a. Return-Path

The final transport system that delivers the message to its recipient adds a ‘Return-Path’ header. It records the SMTP envelope sender (the MAIL FROM address) as seen at delivery time, i.e. where bounces for the message are sent. The sender chooses this address freely, so it is not proof of anything on its own, but it is the address SPF is evaluated against, and a Return-Path domain that differs from the ‘From’ domain is a useful signal.

b. Received

Every time a server or transport service relays a message it adds a new ‘Received’ header to the top of the message. There are often three or more Received headers associated with a single message. The first server that handled the message will have the ‘bottom’ Received entry, so you should read the ‘Received’ headers from the bottom up to follow the path the message took. This information is very useful to help us investigate phishing or spam. With it we can find the server used to send the message and the relays that delivered it, and we can determine whether any open relays or relays known for sending spam handled the mail. Note that only the Received headers added by your own servers (the ones nearest the top) can be trusted; everything below them arrived with the message and could have been written by the sender, so anchor your analysis on the first hop your own infrastructure recorded.

In the example below, we can tell that the message was sent from z17.autocontabil.com. The IP 139.99.75.19 then received the message and sent it to the recipient.

Analyzing the IP 139.99.75.19 in Talos Intelligence, for example, we can see this is a known Spam IP with a poor email reputation.

automate the analysis of email headers ips by searching in Talos Intelligence by Cisco

Using Tines and a Liquid tag we can extract the last Received header from the headers array in an Event Transformation Agent:

We can also extract all the IP addresses from ‘Received’ headers using Tines

Using Tines we can also automate the process of checking the IPs against known blacklists like Cisco Talos Intelligence (or any other Threat Intelligence Provider) which will give us an ip address reputation score for sending email.

Lines Beginning with X

Receiving email servers also add their own analysis of the message as non-standard X- headers, which is useful when investigating. Those added by your own email servers can be trusted; X- headers that arrived with the message from outside could have been written by the sender.

The most valuable of these are often X-Originating-IP and X-PHP-Originating-Script: the first records the IP the message originated from (often confirming what we extracted from the Received headers), and the second the web script that generated the mail, which typically points at a compromised or abused web host. We can then automate checking them against a blacklist.

Received-SPF

The Received-SPF header is a useful way of determining whether a message has been spoofed. A ‘Fail’ in the ‘Received-SPF’ header means the sending IP is not authorized by the sender domain’s SPF record, so the mail may well have been spoofed by an attacker; a ‘PermError’ means the check could not be completed because the sender’s published SPF record is broken, which is a reason to look closer but not proof of spoofing on its own. Note, however, that this header is not always included in the message headers, but it can be a
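Putting the trace, authentication, X- and Received-SPF checks above together as one parser, as an added example (my code, not part of the post or of Tines). It walks the Received chain bottom-up, picks the first external IP as the originating address, only accepts Authentication-Results written by our own receiver, and compares Return-Path with From. The sample headers are constructed; the only detail reused from the post is the z17.autocontabil.com / 139.99.75.19 sending host, and 203.0.113.0/24 is documentation address space. The last helper rebuilds a raw header block from the name/value arrays that the Graph and Gmail APIs return, so the same analysis works on either.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, not a real message (see lead-in). Order is as delivered:
# our own MX's headers on top, the sender's below them.
SAMPLE_HEADERS = "\n".join([
    "Return-Path: <bounce@lookalike.example>",
    "Received: from mx1.yourdomain.com (mx1.yourdomain.com [203.0.113.10])",
    "\tby inbox.yourdomain.com with ESMTP id 4mX7q2; Thu, 11 Jul 2019 09:12:01 +0000",
    "Authentication-Results: mx1.yourdomain.com; spf=fail smtp.mailfrom=bounce@lookalike.example;",
    "\tdkim=none; dmarc=fail header.from=yourdomain.com",
    "Received-SPF: Fail (mx1.yourdomain.com: domain of bounce@lookalike.example does not",
    "\tdesignate 139.99.75.19 as permitted sender)",
    "Received: from z17.autocontabil.com (unknown [139.99.75.19])",
    "\tby mx1.yourdomain.com with ESMTP; Thu, 11 Jul 2019 09:11:58 +0000",
    "Received: from [10.0.0.5] (localhost [127.0.0.1])",
    "\tby z17.autocontabil.com with ESMTPA; Thu, 11 Jul 2019 09:11:40 +0000",
    'From: "Finance" <finance@yourdomain.com>',
    "To: victim@yourdomain.com",
    "Subject: Invoice overdue",
    "Message-ID: <11223344556677889900.0123456789ABCDEF@yourdomain.com>",
    "",
    "Please see the attached invoice.",
])
# Also constructed: an Authentication-Results header a sender smuggled in. It names a
# different authserv-id than our receiver, so it must be ignored.
FOREIGN_AUTH_RESULTS = "Authentication-Results: attacker.example; spf=pass\n\nbody"

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FAILING = ("fail", "softfail", "permerror")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def received_chain(msg):
    """Received hops in delivery order (bottom of the header block first) with the
    'from' and 'by' hosts and any non-internal IPs recorded for each hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        from_host = re.search(r"\bfrom\s+(\S+)", value)
        by_host = re.search(r"\bby\s+(\S+)", value)
        hops.append({"from": from_host.group(1) if from_host else None,
                     "by": by_host.group(1) if by_host else None,
                     "external_ips": [ip for ip in IPV4.findall(value) if not is_internal(ip)]})
    return hops


def originating_ip(hops):
    """First external IP in delivery order: the earliest hop outside the sender's own
    private network, which is the address worth checking for reputation."""
    for hop in hops:
        if hop["external_ips"]:
            return hop["external_ips"][0]
    return None


def authentication_results(msg, authserv_id):
    """spf/dkim/dmarc verdicts, taken only from Authentication-Results headers that our
    own receiver (authserv_id) wrote; headers naming another server are ignored."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        if not value.strip().lower().startswith(authserv_id.lower()):
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value.lower()):
            results.setdefault(method, verdict)
    return results


def received_spf(msg):
    value = msg.get("Received-SPF")
    return value.split()[0].lower() if value else None


def envelope_from_mismatch(msg):
    """Return-Path (envelope sender, where bounces go) domain differs from the From domain."""
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return bool(rp_domain and from_domain) and rp_domain != from_domain


def from_header_array(pairs):
    """Rebuild a raw header block from the [{"name": ..., "value": ...}] arrays that the
    Graph (internetMessageHeaders) and Gmail (payload.headers) APIs return."""
    return "\n".join("%s: %s" % (h["name"], h["value"]) for h in pairs) + "\n\n"


def analyze(raw, authserv_id, x_headers=("X-Originating-IP", "X-PHP-Originating-Script")):
    msg = message_from_string(raw)
    hops = received_chain(msg)
    auth = authentication_results(msg, authserv_id)
    reasons = ["%s=%s" % (m, v) for m, v in auth.items() if v in FAILING]
    spf = received_spf(msg)
    if spf in FAILING:
        reasons.append("received-spf=" + spf)
    if envelope_from_mismatch(msg):
        reasons.append("return-path domain differs from From domain")
    return {"originating_ip": originating_ip(hops), "hops": hops, "authentication": auth,
            "received_spf": spf, "x_headers": {h: msg.get(h) for h in x_headers if msg.get(h)},
            "reasons": reasons}
```

The "internal" test is deliberately a fixed list of RFC 1918 and loopback ranges rather than Python's is_global, so that documentation and other reserved ranges used in test data are not silently dropped.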

You can read more about how to manually extract email headers here https://mxtoolbox.com/Public/Content/EmailHeaders/

How to Extract Email Headers

Knowing what to analyze is often just half the problem in the analysis of email headers. The other half of the problem is extracting the message headers themselves. Fortunately, using the Tines Security Automation and Orchestration platform, it’s possible to retrieve Message Headers from any email platform. In the below two examples we’ll analyze headers in emails in Microsoft Office 365 and in GMail.

Using Microsoft Office 365

Microsoft’s default configuration for viewing emails in Office 365 via the Graph API does not return message headers automatically; however, retrieving the message headers of a message in Office 365 is pretty simple, as Microsoft expose the endpoint:

If we do not know what the emailId is we can search for messages using different keywords or terms in the user’s mailbox. (Be careful not to confuse the emailId with the ‘message-id’ header!)

Extract Headers from Microsoft Attachment

Because this practice is prone to error and false positives, a lot of companies already automate the process of sending suspicious messages as attachments to their abuse inbox. In this case, we can also use the Graph API to analyze the message headers of the attachment.

(Note, in order for this to work, Microsoft must recognize the attachment as an #microsoft.graph.itemAttachment )

This request returns email headers in the format of an array in the field ‘internetMessageHeaders’

The end result is a Story which looks like this:

automate the analysis of email headers in microsoft graph

You can download this story for your own Tines tenant here.

Using GMail

Gmail makes the analysis of email headers easy as it automatically returns message headers within the message itself. In contrast to Microsoft, headers are always returned in GMail with a simple ‘read email’ request using the email’s ‘emailId’. (Again, do not confuse this with the Message-ID header!). As an example see the agent ‘retrieve email from gmail’ below:

You can find the extracted headers in the ‘payload.headers’ path of the json returned.

Consequently, every field in the array can easily be referenced in future agents using a ‘where’ liquid loop:

Extract Headers from Gmail Attachment

Gmail also makes the process of analyzing mails sent as attachments to an abuse inbox very easy. The first step is to get the contents of the attachment, by attachmentId.

First, we find the attachment details in the original message:

Then, taking the attachment ID we can create a query in Tines to return the raw eml file:

This query will return data in the form of a base64url encoded version of a .eml file:

We can take this ‘data’ returned and import it directly into Gmail, which will create an email that can be recursively analyzed in gmail. The upload will return an ‘id’ and ‘threadId’.

We can read the new email using the same configuration from the ‘retrieve email from gmail’ agent above. Any attached email files will also be pulled out recursively. The end result is a flow which looks like this:
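The decode-and-recurse part of the Gmail flow, written out as an added example (my code, not the Tines story): take the base64url ‘data’ the attachments endpoint returns, parse the .eml it decodes to, and collect the headers of that message and of every message/rfc822 attachment nested inside it, however deep. Instead of calling Gmail, the sample builds the attached .eml in code (an assumed phishing mail that itself carries another message as an attachment) and encodes it the way the API would; everything in it is constructed.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_abuse_attachment():
    """Constructed test data: the .eml an employee attached to their abuse-inbox report.
    It is a suspicious mail that itself carries another message as an attachment, so
    the walk below has something to recurse into. Not a real message."""
    innermost = EmailMessage()
    innermost["From"] = "attacker@lookalike.example"
    innermost["To"] = "victim@yourdomain.com"
    innermost["Subject"] = "Payment details"
    innermost["Message-ID"] = "<11.22.334455.AA55CC99@yourdomain.com>"
    innermost.set_content("Wire the funds today.")

    suspicious = EmailMessage()
    suspicious["From"] = "finance@yourdomain.com"
    suspicious["To"] = "victim@yourdomain.com"
    suspicious["Subject"] = "FW: Payment details"
    suspicious["Message-ID"] = "<11223344556677889900.0123456789ABCDEF@yourdomain.com>"
    suspicious.set_content("See the attached message.")
    suspicious.add_attachment(innermost, filename="original.eml")
    return suspicious.as_bytes()


def as_gmail_attachment_data(raw):
    """Mimic the 'data' field of users.messages.attachments.get: base64url, no padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_gmail_attachment_data(data):
    """base64url from the API may arrive without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def collect_message_headers(msg, depth=0, out=None):
    """Record the headers of msg, then of every message/rfc822 part inside it, recursively.
    depth 0 is the attached .eml itself, depth 1 a message attached to it, and so on."""
    if out is None:
        out = []
    out.append({"depth": depth, "headers": [(name, str(value)) for name, value in msg.items()]})
    _descend(msg, depth, out)
    return out


def _descend(container, depth, out):
    if not container.is_multipart():
        return
    for part in container.get_payload():
        if part.get_content_type() == "message/rfc822":
            for attached in part.get_payload():   # payload of an rfc822 part is the message object
                collect_message_headers(attached, depth + 1, out)
        else:
            _descend(part, depth, out)            # e.g. multipart/alternative inside multipart/mixed


def headers_from_gmail_attachment(data):
    msg = message_from_bytes(decode_gmail_attachment_data(data), policy=policy.default)
    return collect_message_headers(msg)
```

Each entry carries the depth so a downstream agent can tell the forwarded mail's own headers (depth 0) from those of anything it was carrying; the Message-ID and Received checks from earlier in the post apply at every depth.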

automate the analysis of email headers in GMail

You can download this story for your own Tines tenant here.

Next Steps

To learn more about the analysis of email headers, or what this might look like in your environment you can book a demo, start a free trial, or contact us hello@tines.io . You can also directly download the Microsoft Story or GMail Story directly for your own Tines tenant.

[0] https://en.wikipedia.org/wiki/Email_authentication

Useful Resources:
https://sqrrl.com/hunting-email-headers/
https://mlhale.github.io/nebraska-gencyber-modules/phishing/email-headeranalysis/
https://www.alyninc.com/2018/11/10/email-headers-what-can-they-tell-the-forensic-investigator/
https://cofense.com/category/threat-intelligence/page/4/
https://cofense.com/dark-realm-shifting-ways-geodo-malware/

DynamoDB and Tines Security Automation

April 3, 2019 in Blog

An increasingly popular database choice amongst security teams is AWS DynamoDB. The key-value storage, simplicity, scalability and security offered by DynamoDB make it suitable for the kinds of data storage tasks common in security operations and incident response, especially if they already use AWS.

In this post we’ll explore how security teams can use DynamoDB in their automation stories.

Authenticating to AWS DynamoDB from Tines

To begin integrating Tines with AWS DynamoDB, we first need to create a credential. In your AWS console, create an IAM user with the appropriate permissions to perform actions in DynamoDB. Scope that policy to the actions and tables the story actually uses rather than attaching AmazonDynamoDBFullAccess: the access key will live in Tines, so it should be able to do nothing more than the automation requires. Take the access key and access secret for the user and enter them into a new Tines AWS mode credential.

Next, specify a name for the credential and choose the AWS region you will be working with. Finally, under service name enter ‘dynamodb’.

When finished your Tines AWS credential should look like the below:

Creating a Tines AWS credential
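Where the steps above say “appropriate permissions”, this is the shape of policy I would attach to that IAM user, as an added example (not a Tines artifact). Region, account id and table name are placeholders. ListTables cannot be restricted to one table, which is why it gets its own statement with Resource "*"; CreateTable and DeleteTable are left out on purpose and should only be added if a story really needs them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TinesDynamoDBTableAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/security-indicators"
    },
    {
      "Sid": "TinesDynamoDBListTables",
      "Effect": "Allow",
      "Action": "dynamodb:ListTables",
      "Resource": "*"
    }
  ]
}
```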

Using the AWS Credential

AWS credentials work a little differently to the other credential modes in Tines. When an HTTP Request Agent that includes an AWS mode credential in a header called “Authorization” runs, Tines will use the AWS Signature Version 4 signing process and include the corresponding auth headers in the request before submitting it to AWS.

For example, the below HTTP Request agent uses an AWS mode credential (aws_cloudtrail) to list cloudtrails in the us-east-1 region.

When this agent runs, the request will be signed and will be converted to the following before being sent to AWS:
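What that signing step produces, as an added example (my own SigV4 implementation, not the code Tines runs): the canonical request, the string to sign, the derived signing key and the resulting Authorization header for a DynamoDB ListTables call. The key pair is the example pair from AWS's own documentation, not a live credential, and the date, host and request are constructed.

```python
import hashlib
import hmac

# AWS's documentation example key pair (not live credentials). The request below is my
# constructed example; it follows the SigV4 process, not Tines' own implementation.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SERVICE = "dynamodb"


def _hmac(key, message):
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def signing_key(secret_key, date_stamp, region, service=SERVICE):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The secret itself never signs a request directly; only this derived, scoped key does."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(host, target, body, amz_date):
    """DynamoDB requests are always POST / with the operation named in X-Amz-Target.
    Header names are lower-cased and sorted; the body is bound in by its SHA-256."""
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (name, headers[name].strip()) for name in sorted(headers))
    request = "\n".join(["POST", "/", "", canonical_headers, signed, _sha256_hex(body)])
    return request, signed


def sign_dynamodb_request(access_key, secret_key, region, host, target, body, amz_date):
    """Headers to send: the request headers plus a SigV4 Authorization header that
    covers them and the body hash, so neither can be altered in transit."""
    date_stamp = amz_date[:8]
    scope = "%s/%s/%s/aws4_request" % (date_stamp, region, SERVICE)
    request, signed = canonical_request(host, target, body, amz_date)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(request)])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Content-Type": "application/x-amz-json-1.0",
        "Host": host,
        "X-Amz-Date": amz_date,
        "X-Amz-Target": target,
        "Authorization": "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
                         % (access_key, scope, signed, signature),
    }
```

Because the body hash is part of the canonical request, a signed agent request cannot be replayed with a different table name or filter, and because the date is in the scope, AWS rejects signatures older than a few minutes.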

DynamoDB Tines Agents

Tines can perform all available DynamoDB actions. The following agent examples cover a selection of the most common.

List Amazon AWS DynamoDB Tables

Scan an Amazon AWS DynamoDB table with a filter

Scan an Amazon AWS DynamoDB Table

Delete an Amazon AWS DynamoDB table

Create an Amazon AWS DynamoDB Table

Add an item to Amazon AWS DynamoDB table

Get an item from an Amazon AWS DynamoDB table

Delete an item from an Amazon AWS DynamoDB table

Summary

By including DynamoDB actions in Tines automation stories, security teams can quickly and reliably fetch and store important data, allowing them to enrich security incidents and make better decisions around incident investigation and remediation.

For more information on how Tines can automate interaction with DynamoDB and other AWS services, contact us here.

Threat Intelligence Sharing with Tines.io

March 15, 2019 in Blog

This is the first blog in a series looking at how companies are consuming and sharing threat intelligence using Security Orchestration and Automation platforms like Tines.io.

In this blog we discuss the process of sharing individual indicators of compromise (IOCs) using tines.io. With Tines it’s easy to share IOCs to common Threat Intelligence platforms like AlienVault, Trustar, Facebook Threat Exchange and PassiveTotal as well as automating sharing IOCs on Pastebin and submitting content to VirusTotal, urlscan.io and Phishtank.

Most information security teams have dozens of security tools, and with dozens of threat intelligence platforms available [0] it’s hard to know which one suits your company best. Unfortunately it’s not always clear which threat intelligence tools integrate with the other tools in your security stack. Furthermore, it’s important to know which tools your peers and partners are using, so that the threat intelligence they share is something you can consume. Consequently, the best advice centers on using the platforms your peers use. Platforms which have a REST API for easy sharing, classification and integration usually have the most use and the highest quality indicators. It’s also important to investigate threat intelligence platforms which can link with your SIEM, endpoint tools, firewalls etc., since those links are what let your security teams detect and block malicious attacks.

Features of Good Threat Intel Platforms

In order for any platform to be successful security teams and analysts must be comfortable using them frequently to keep indicators up to date. Likewise, they require participation and active sharing of threat intelligence by other security teams, either publicly by security vendors or altruistic companies, or privately by ISACs or industry groups, when they come across it.

One of the advantages of the tines.io security automation platform is we don’t rely on any pre-built integrations. Consequently, consuming and sharing to a new threat intelligence source or feed is as simple as signing up for an account, creating an API key, or sending an email. Therefore there’s no need to wait for your SOAR vendor to build an integration or to build one yourself.

This blog discusses how you can use tines.io to automate the sharing of malicious IOCs of your own to multiple threat intelligence platforms.

How to Share Indicators in Tines

Tines provides pre-built stories for security teams to help them automate threat intelligence sharing. In contrast to one-off scripts, using Tines can automate the sharing of indicators with not one but dozens of Threat Intelligence platforms at the same time. We can also easily add other platforms without the need for additional coding or development. The below Story shows just how easy it is to share Threat Intelligence Automatically to a handful of different threat intelligence sources:

  • AlienVault
  • Trustar
  • Phishtank
  • URLScan.io
  • VirusTotal
  • Pastebin
  • Facebook Threat Exchange
  • RiskIQ PassiveTotal

In the example below we have created a Story “Share Indicators of Compromise” and an agent called “IOCs Webhook”. To start this story we’re sending the webhook an event with a malicious URL, along with an indicator type, indicator group, name and a tag. To read more about how to create a Story in Tines click here. In addition, you can download the Story below and upload it to your own trial tenant.

You can generate data in your own webhook via a form or using a simple curl command like below:

Subsequently, your webhook will receive the below event:

AlienVault OTX – Creating Pulses

AlienVault is one of the largest online threat intelligence platforms with over 65,000 participants who contribute more than 14 million threat indicators daily. Data in Alienvault is shared through “Pulses”. Pulses provide a summary of the threat and group related indicators of compromise (IOC) together.

You can create a pulse in AlienVault with a simple curl request:

Similarly, to create a pulse using Tines with the data sent to the webhook, you can create an HTTP Post Agent. When we add the webhook as an “Event Source” this agent receives the event emitted by the webhook agent, and the event’s parameters can be referenced using their JSON path. For example, adding {{.iocs_webhook.ioc}} to the HTTP Post Agent will send the URL in the image above in the “name” parameter of the payload. Similarly, {{.iocs_webhook.ioc_type}} will pass through the type above, “url”, as the indicator type to AlienVault. This agent then sends the relevant information to AlienVault:

This simple request automatically creates a Pulse in AlienVault OTX. This pulse is public and contains all the information we originally sent to the webhook above:

A pulse created using tines.io

You can augment the above query to send pulses with hundreds of IOCs, or update an existing pulse with more information using a PATCH request.

For a full list of ways to submit data to AlienVault OTX you can read their full documentation here.

Trustar – Sharing IOCs to an Enclave

Trustar is another threat intelligence platform, popular among “Information Sharing and Analysis Centers” (ISACs) like IT-ISAC or H-ISAC (Health-ISAC). They aggregate feeds from entities like Abuse.ch, DHS CISCP, US-CERT, Malware Traffic Analysis and others that can be integrated into your SIEM, Splunk, endpoint tools etc.

To submit to IT ISAC you need an Enclave ID to which you have “Full Access” and then include that in your request. You’ll also need to login or create an OAuth2.0 App to get a Bearer token which is included in your request, as below.

Once you have a bearer token, you share data with Trustar using curl:

In Tines, a HTTP Request Agent is used to make a Post request to the Trustar API. Similar to the AlienVault agent we are sending Trustar data that was sent to the webhook above:

When Tines runs this agent, the relevant indicator is shared to Trustar. Because we chose an ISAC enclaveID, this indicator has been shared with our partners in the relevant ISAC. We could also share the indicator in our own private enclave.

An indicator shared in a Trustar Enclave

You can also update indicators, delete indicators, share contextual information and more using the Trustar API in Tines. For a full list of ways to submit data to Trustar you can read their full documentation here.

Phishtank – Submitting Phish

Phishtank is a large, collaborative, public repository of online phishing websites managed by OpenDNS.

In contrast to AlienVault and Trustar, Phishtank does not have an API for submitting malicious URLs. They do, however, provide a mechanism to submit URLs directly via email. When you create a Phishtank account you receive a private submission email address; treat it like a credential, since anything mailed to it is submitted in your account’s name:

In Tines we can create an email agent to submit the malicious URL as part of the email body:

The configuration for an Email Agent to submit data to phishtank

Phishtank is smart enough to extract the URL, scan it, and allow community voting on whether or not it is malicious:

A phish submitted by Tines in Phishtank

To read more about reporting Phish to Phishtank click here.

Urlscan – Sharing URLs

Urlscan.io is a free online service which scans and analyses websites. Due to its widespread use and the quality of its data it is becoming one of the most popular threat intelligence platforms. Urlscan has an easy to use REST API, and submitting URLs for scanning is straightforward. To get started you need to sign up for a free account and request an API Key here.

Using Curl you can submit a URL for public sharing and analysis using the below command:

Similarly, the sample agent configuration for submitting to urlscan.io is straight forward:

This will publicly submit the URL we sent to the webhook to urlscan.io. Remember that a public scan makes the URL, including any recipient-specific token it carries, visible to everyone; urlscan also supports private submissions for those cases:

For a full list of Urlscan.io API commands and documentation click here.

VirusTotal – Sharing IOCs

Similar to Urlscan.io, VirusTotal is another of the most popular threat intelligence platforms for sharing intelligence publicly. All URLs submitted publicly are shared and analyzed by up to 60 different anti-virus engines, and are given an aggregate score based on the number that detect the URL as malicious.

Through Tines it’s simple to integrate with the VirusTotal API as outlined previously here. To submit a URL to VirusTotal using curl you can use the below command:

We can use an HTTP Request Agent to submit a GET request with the URL in the same way:

Submitting to VirusTotal allows over 60 different anti-virus companies to scan the page.

To read more about the VirusTotal API click here.

Pastebin – Creating Pastes

For large scale malware and phishing campaigns, several threat intelligence and malware researchers share indicators on the Pastebin platform. For instance, researchers frequently share indicators from Hancitor, Trickbot, Emotet, Ursnif and others campaigns for security teams to analyze and track.

Automating the sharing of indicators to Pastebin is free and easy. Once you sign up for pastebin account you should generate a “userkey”. You can do this with your username, password and API Developer Key which is available in the API Documentation. Pastebin have created an easy form to generate the userkey here.

After generating the userkey, you can create a paste using curl by copying the below command:

Similarly, using the API Developer Key and Userkey, you can create a HTTP Request Agent to create a Paste on Pastebin using Tines:

This will result in a public paste with the Indicator and some context:

You can read more about the Pastebin API here.

Facebook Threat Exchange – Creating Indicators

Facebook Threat Exchange is a private threat intelligence api for security professionals to share threat intelligence more easily, learn from each other’s discoveries, and make their own systems safer. It is built on Facebook Graph, and has over 800 members who share and submit indicators publicly and privately.

Unsurprisingly, submitting indicators to threat exchange is easy using the Facebook Graph API:

Likewise, to share indicators in Facebook Threat Exchange through Tines we can create an HTTP Request Agent with the below configuration:

This will then submit the content publicly to Facebook Threat Exchange:

With Facebook Threat Exchange it’s also possible to submit privately, or submit to specific industry sharing groups you’ve created. Furthermore, if you make a mistake you can easily update the indicator and mark it as non-malicious.

For a full list of ways to interact with Facebook Threat Exchange you can read their documentation here.

RiskIQ PassiveTotal – Creating Artifacts

RiskIQ PassiveTotal is another popular threat intelligence platform which has integrations with Splunk, QRadar, McAfee SIEM, Check Point Firewalls and dozens of other security tools. By sharing with RiskIQ you can often integrate directly into your own tools, in addition to helping the RiskIQ security community.

Before submitting any data to RiskIQ you have to create a Project, however this can be done using the UI, or using the API. An agent to create a public project using the RiskIQ API is included in the downloadable Story. Once you have created a project you can easily add IOCs to that project using the curl command below.

In Tines, we can create a HTTP request agent to do the same thing, however as PassiveTotal relies on domain intelligence rather than URL intelligence we first use a Tines Event Transformation agent to extract the associated domain. This agent configuration is also included in the downloadable Story. Once the domain has been extracted it’s easy to share the URL in PassiveTotal using a HTTP Request Agent:
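The two transformations the post leaves to agent configuration, as an added example (my code, not the downloadable Story): turning the webhook event into an AlienVault OTX pulse body, including the many-IOCs case, and extracting the host from a URL for PassiveTotal, with defanged input (hxxp://, [.]) and URLs carrying user info, ports or IP literals handled. The post names the event fields ioc and ioc_type; ioc_group, name and tag are my assumption. The OTX indicator type names follow the pulse-create API as I know it and the PassiveTotal artifact fields (project, query, type) are my recollection of the v2 API; check both against the current documentation before relying on them.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed webhook event. The post references {{.iocs_webhook.ioc}} and
# {{.iocs_webhook.ioc_type}}; the remaining field names are assumed.
SAMPLE_EVENT = {
    "ioc": "hxxp://login[.]yourbank-secure[.]example:8080/verify.php?acct=1234",
    "ioc_type": "url",
    "ioc_group": "Phishing",
    "name": "Credential phishing against yourbank",
    "tag": "phish",
}

# OTX indicator type names as used by the pulse-create API (verify against OTX docs).
OTX_TYPES = {"url": "URL", "domain": "domain", "hostname": "hostname", "ip": "IPv4",
             "ipv6": "IPv6", "md5": "FileHash-MD5", "sha1": "FileHash-SHA1",
             "sha256": "FileHash-SHA256", "email": "email"}


def refang(indicator):
    """Undo the defanging conventions analysts use when pasting IOCs into a form."""
    return (indicator.strip()
            .replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def host_indicator(url):
    """(value, kind) for host-based intelligence: the host from a URL with user info and
    port stripped; kind is 'ip' for an IP literal, otherwise 'domain'."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url            # urlsplit only finds the netloc after a scheme
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("no host in indicator: %r" % url)
    try:
        ipaddress.ip_address(host)
        return host, "ip"
    except ValueError:
        return host, "domain"


def otx_indicator_type(ioc_type):
    return OTX_TYPES.get(str(ioc_type).lower())


def otx_pulse(events, public=True, tlp="green"):
    """One pulse body from one or many webhook events (the post's 'hundreds of IOCs'
    case). Name and description come from the first event; tags are merged."""
    events = [events] if isinstance(events, dict) else list(events)
    if not events:
        raise ValueError("a pulse needs at least one indicator")
    indicators = []
    for event in events:
        otx_type = otx_indicator_type(event.get("ioc_type"))
        if otx_type is None:
            raise ValueError("unsupported ioc_type: %r" % event.get("ioc_type"))
        indicators.append({"indicator": refang(event["ioc"]), "type": otx_type})
    first = events[0]
    return {"name": first["name"], "description": first.get("ioc_group", ""),
            "public": public, "TLP": tlp,
            "tags": sorted({e["tag"] for e in events if e.get("tag")}),
            "indicators": indicators}


def passivetotal_artifact(event, project_id):
    """Artifact body for a PassiveTotal project (field names assumed, see lead-in):
    PassiveTotal works on hosts, so the URL is reduced to its domain or IP first."""
    value, kind = host_indicator(event["ioc"])
    return {"project": project_id, "query": value, "type": kind}
```

Refanging before any submission matters for correctness as much as convenience: a "[.]" that survives into a pulse is shared as a different, harmless-looking string and will never match the real domain in anyone's logs.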

This will create an IOC in the associated RiskIQ Project

You can read more about the PassiveTotal API here.

Conclusion

Using Tines it’s easy to automate the sharing of indicators to dozens of threat intelligence platforms in addition to the above eight. To download this story for your own Tines tenant to see how easy it is for yourself, please click here. The completed story looks like this:

To learn more about how to integrate your environment with any Threat Intelligence platforms you can start a free trial, or contact us hello@tines.io

Sources:

[0] Cyberscape Threat Landscape https://momentumcyber.com/docs/CYBERscape.pdf

Phishing Automation: Automating URL Analysis with Phish.ai and Tines.io

March 5, 2019 in Blog

A partner blog between Phish.ai and Tines.io

According to the latest Verizon Data Breach report, phishing is involved in 93% of breaches and email continues to be the most common vector (96%) in successful cyber attacks [0]. These figures indicate that malicious email detection software and employee security awareness training are no longer sufficient on their own to deal with the volume of attacks, even at a small scale. In addition, the process of reviewing suspicious emails and examining suspicious URLs is both time consuming and error prone. Furthermore, it is one of the most frequent causes of alert overload and analyst fatigue. Phishing automation using SOAR platforms like Tines and phishing analysis tools like phish.ai helps companies tackle these problems.

In a world where detecting and responding to incidents quickly is a key metric for any security program, automating the collection and analysis of suspicious URLs can reduce mistakes and improve response times. Above all, it will make your analysts more efficient, effective and happier.

What steps should I take to automate the analysis of suspicious URLs?

The first step in building out automation is to identify sources for collecting suspicious URLs for your environment. Common sources of malicious URLs include:

  • Customer Abuse boxes (You can read more about using Tines to manage your Abuse Inbox here)
  • URLs blocked by your email security solution like Proofpoint, FireEye ETP, Barracuda, Mimecast or Microsoft APT.
  • DMARC failures or rejects
  • Suspicious uncategorized or punycode URLs from your firewall logs or DNS logs
  • New SSL Certificates registered with domains similar to your brand (e.g. from crt.sh)
  • Threat Intel sources like the Phish.ai threat intel feed which generates feeds based on the brands attacked
  • Free feeds of malicious URLs like Phishtank, Openphish, phishstats.info or Urlhaus. Note, these feeds are usually high-confidence, so their entries don’t necessarily need to be analyzed further.

Using Tines’ Phishing Story it’s easy to collect suspicious URLs from over a dozen different sources automatically. Once these feeds are in Tines it’s easy to deduplicate and classify URLs to prevent alert overload and to generate more accurate metrics.

Once Tines has deduplicated the URL feed, it’s time to perform a real-time URL analysis using a tool like phish.ai.
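The collection and deduplication step above, as an added example (my code, not the Tines Phishing Story): collapse per-recipient variants of the same URL, decode punycode hosts so homograph domains can be compared with the brand, and flag hosts that contain or sit one edit away from a brand name. The feed, brand list and own-domain list are constructed; the homograph entry is built in code from a Cyrillic ‘а’ so that the punycode form is exact. The assumption that recipient-specific tokens live in the query string is stated in the code; if a campaign puts them in the path, key on the host instead.

```python
from urllib.parse import urlsplit

BRANDS = ("yourbank",)                 # constructed: the brands we protect
OWN_DOMAINS = ("yourbank.com",)        # constructed: our legitimate domains, never flagged

# Constructed feed. The third entry is "yourbаnk.example" with a Cyrillic 'а' (U+0430),
# encoded to its real punycode form so the decode below has genuine input.
HOMOGRAPH_HOST = "yourbаnk.example".encode("idna").decode("ascii")
SAMPLE_FEED = [
    "https://login.yourbank-secure.example/verify?u=a1b2",
    "https://login.yourbank-secure.example/verify?u=c3d4",   # same page, other recipient
    "http://" + HOMOGRAPH_HOST + "/login",
    "https://yourbnk.example/reset",
    "https://www.yourbank.com/help",
    "https://unrelated.example/news",
]


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


def dedup_key(url):
    """Host plus path, ignoring query and fragment. Assumption: the per-recipient
    token is in the query string; campaigns that put it in the path need host-only keys."""
    parts = _split(url)
    return (parts.hostname or "").lower().rstrip(".") + (parts.path.rstrip("/") or "/")


def unicode_host(host):
    """Decode punycode (xn--) labels to the form a user would see in the address bar."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host, brands=BRANDS, own_domains=OWN_DOMAINS):
    """Why a host looks like brand abuse: punycode, a label containing the brand, or a
    label within one edit of it (which also catches the homograph after decoding)."""
    host = host.lower().rstrip(".")
    if host in own_domains or any(host.endswith("." + d) for d in own_domains):
        return []
    reasons = []
    decoded = unicode_host(host)
    if decoded != host:
        reasons.append("punycode")
    for brand in brands:
        for label in decoded.split("."):
            if brand in label:
                reasons.append("contains " + brand)
            elif levenshtein(label, brand) <= 1:
                reasons.append("near " + brand)
    return reasons


def triage(urls, brands=BRANDS):
    """Deduplicate a feed and annotate each surviving URL with its lookalike signals,
    preserving first-seen order and counting how many duplicates were dropped."""
    seen = {}
    for url in urls:
        key = dedup_key(url)
        if key in seen:
            seen[key]["duplicates"] += 1
            continue
        host = (_split(url).hostname or "").lower()
        seen[key] = {"url": url, "host": host, "duplicates": 0,
                     "reasons": lookalike_reasons(host, brands)}
    return list(seen.values())
```

When a host decodes to something different from its ASCII form, show analysts the decoded string next to the raw xn-- label; the decoded form is what the victim saw, the raw form is what to block.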

Phish.ai is a premium service which proactively indexes websites of top brands around the world to create an up-to-date computer vision database. Phish.ai’s real-time web crawler will index all URLs submitted and compare the site image against the known bad database. (Note, to submit privately you’ll need to sign up for a basic plan. Basic plans allows scanning of up to 10,000 URLs each month).

Integrating Phish.ai with Tines in your phishing automation process

With Tines it’s simple to make a single API call to submit these URLs for analysis using Phish.ai’s API. The configuration to make these calls in Tines is below, using a “HTTP Post Request Agent”. In this example, {{.explode_urls-array.url}} represents the URL to be sent for analysis. The API key is referenced as {% credential phish_ai %}: the credential is stored encrypted in Tines and only injected into the request when the agent runs, so the key itself never appears in the agent configuration.

A HTTP Request Agent configuration to submit urls to phish.ai

This request returns a unique “scan_id” parameter:

The event response information from a phish.ai scan

In the next step, Tines sends this parameter to phish.ai to retrieve the results of the analysis. Similar to the request above, a HTTP Request Agent is used.

Another HTTP Request Agent configuration to retrieve the results of a phish.ai scan

This call returns the results of the analysis by phish.ai:

The results returned by phish.ai

In the background, phish.ai has compared the image of the crawled page against its collection of known bad images. Subsequently, phish.ai has correctly detected that this particular site submitted through Tines is a phishing website. In the event emitted above, not only has phish.ai has successfully identified the site as malicious, it has also identified the target as “National Bank”. Importantly, this information can also be used to help analysts decide on the priority of an incident. For example, this information can help analysts identify more targeted attacks or phishing using brands used by employees.
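The two-call exchange above (submit, receive a scan_id, fetch the result) as a poller, added as an example of my own rather than the Tines agents or phish.ai's client. The point it adds is the failure mode: a scan that is still pending must not be read as “clean”, and polling must be bounded with backoff. The endpoints are replaced by injected functions and a constructed in-memory stand-in so it runs offline; the response keys (verdict, target) are my assumption, not phish.ai's schema.

```python
import time


class ScanPending(Exception):
    """The vendor has accepted the URL but has not finished analysing it yet."""


def submit_and_poll(submit, fetch, url, max_attempts=6, base_delay=1.0, sleep=time.sleep):
    """submit(url) returns a scan id; fetch(scan_id) returns the result dict or raises
    ScanPending. Polls with exponential backoff (capped at 30s) and, if the scan never
    completes, returns verdict 'unknown' so an unfinished scan is never mistaken for clean."""
    scan_id = submit(url)
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        try:
            result = fetch(scan_id)
        except ScanPending:
            if attempt == max_attempts:
                return {"scan_id": scan_id, "verdict": "unknown", "attempts": attempt,
                        "error": "scan still pending after %d attempts" % attempt}
            sleep(delay)
            delay = min(delay * 2, 30.0)
            continue
        return {"scan_id": scan_id, "verdict": result.get("verdict", "unknown"),
                "target": result.get("target"), "attempts": attempt}


class FakeScanner:
    """Constructed stand-in for the vendor API so the poller runs offline: a result
    becomes available on the `ready_after`-th fetch. Not phish.ai's API."""

    def __init__(self, verdicts, ready_after=2):
        self.verdicts = verdicts          # url -> result dict (constructed)
        self.ready_after = ready_after
        self.scans = {}

    def submit(self, url):
        scan_id = "scan-%d" % (len(self.scans) + 1)
        self.scans[scan_id] = {"url": url, "fetches": 0}
        return scan_id

    def fetch(self, scan_id):
        scan = self.scans[scan_id]
        scan["fetches"] += 1
        if scan["fetches"] < self.ready_after:
            raise ScanPending(scan_id)
        return self.verdicts.get(scan["url"], {"verdict": "clean"})
```

In a Tines story the same shape appears as a Trigger Agent that loops back to the result agent while the status is pending, with a counter to stop the loop; whichever way it is built, route "unknown" to an analyst rather than closing the alert.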

Analysts can also use the phish.ai dashboard to view more information about the detection or a screenshot of the phishing page.

The phish.ai Dashboard UI

What’s Next?

Once your phishing automation process has completed analysis of the phishing URL it’s possible to automate dozens of other interactions in Tines.io. For instance, traditional next steps include scanning firewall logs and endpoint logs for any traffic to the identified malicious domain, blocking the domain, removing the particular email from inboxes, performing a header analysis etc. Other companies also use Tines to respond to reporters confirming a site is malicious. Another popular use case is to use phish.ai’s threat feeds in combination with other public and private feeds to detect brand abuse and send takedown notices to hosts requesting they remove the infringing content.

An excerpt from the Tines Phishing Automation Story

In conclusion, Phishing Automation using a security automation platform like Tines in combination with a real-time phishing analysis platform like Phish.ai, can help your security team scale and keep your analysts focused on more impactful efforts, leaving them happier.

You can read more about this step in the process in part three of our “automating your abuse inbox” blog series.


To date Phish.ai has scanned over 21 million URLs and identified over 85,000 zero day phishing attacks.  You can read more about the Phish.ai api here.

Tines.io is an Security Orchestration, Automation and Response (SOAR) platform used by Fortune 10 companies, global banks and large public and private SaaS companies.

[0] Verizon Data Breach Investigations Report 2018


Security Automation: Getting Started

February 20, 2019 in Blog

What Should I Automate First?

In Tines we pride ourselves on having developed a Security Orchestration Automation and Response platform that’s easy for any analyst to use, even with no coding experience, and which operates with every API using Direct Integration. We also assign every new customer a dedicated Customer Success Representative to provide Security Automation training for your team.

Not all SOAR platform deployments are a success, however, as without help or training, engineers and analysts can get stuck developing over-complicated response stories. Other teams find their SOAR platform can lack the pre-built integrations necessary to make their implementation successful. Even more teams just don’t know where to get started.

The question needs to be asked- if you’re trialing a Security Automation platform, what should you automate first?

Where are you spending your time?

The quickest way to decide what to automate first is to ask your analysts what tasks they’re spending the most time on. With 79% of security teams overwhelmed by the number of security alerts [0] we predict you’ll hear about the challenges of time-consuming investigations involving dozens of manual steps and where a high percentage of incidents are false positives.

The most frequent answers to this question that we hear are:

  • Processing employee or customer Abuse Inbox reports
  • Running, and analyzing the results of, vulnerability scans
  • Triaging low level security incidents like adware
  • Gathering contextual information for alerts for noisy detections like
    • Data Loss Prevention alerts
    • Live off the land tool use
    • Suspicious login events
    • Brute force access attempts etc.
  • On-boarding and off-boarding users
  • Processing ticket escalations from VIPs
  • Standardizing or synchronizing ticket information in Case Management Systems
  • Reviewing phishing page visits or CEO Fraud
  • Writing incident notes and shift handovers

While none of these tasks are particularly complex, they all have several things in common – they’re frequent, they’re time-consuming and they’re not interesting cases for your analysts and engineers. Above all, security professionals have known for years what steps should be taken to investigate them, but until now they weren’t able to automate those steps.

Using the Tines Security Orchestration and Automation Platform there are a few immediate use cases teams can automate to take the pain out of dealing with these common incidents.

1. Deduplicate Alerts

Alerts are noisy, and even with the best tuning your teams may still see the same alert pop up over and over again, causing alert overload. It could be an alert for PowerShell encoded command use by a user in Product Operations, a payroll analyst sending bank account details to an external email address, or a Business Intelligence team member exporting a large number of rows from a CRM tool and triggering a DLP event. These incidents are easy to handle but still take time to review. With Security Automation platforms like Tines, it’s simple for analysts to create Stories to deduplicate incidents against multiple fields.

In the example below, we deduplicate alerts using an “Event Transformation Agent” in Tines on the fields “Hostname” and “IOC Value” emitted from the “explode EDR alerts array” agent. This deduplication flow means the same indicator won’t alert on the same machine twice. Bear in mind that deduplicating with no time bound also hides a genuine re-infection of the same host; a bounded window (for example 24 hours) is usually the safer default. Using a security automation platform to automate these steps helps minimize alert overload and, above all, helps keep your analysts focused on higher impact engineering efforts.

Figure: An Event Transformation Agent set up to deduplicate alerts

2. Enrich & Provide Context

Reducing the mean time to act on an alert is a key metric for any security team. Additional context helps analysts determine whether an incident is truly bad, a false positive, or something in between. For example, enriching suspicious login events with threat intelligence, checking when a domain was registered, running malware in a sandbox for additional analysis, or performing real-time analysis on a URL are all actions that can be automated with Security Automation platforms like Tines and included up front in an incident ticket.

Figure: An adware story in Tines

A good example of a simple enrichment flow that can be automated immediately is a suspicious binary download detected by your antivirus, firewall or EDR tool. With Tines it’s very simple for analysts to create a flow that first deduplicates and then enriches detections with binary information (from VirusTotal or elsewhere) to see exactly how dangerous the binary is, and to take the work off analysts when it is classified as Unwanted or Adware. If the binary is classified as adware, Tines can automatically send the incident details to IT for remediation. Using this method we have seen analysts with no coding background automate a process in just a few hours that immediately freed up 10-20% of their time.
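The two flows above (deduplicate, then enrich and route) are shown below as an added example in Go. It is not code from the post or from Tines: the hostnames, users and hashes are constructed, the reputation table stands in for the VirusTotal lookup so the example runs offline, and the routing goes slightly beyond the post’s adware case by also keeping hashes the lookup has never seen with the SOC rather than sending them to IT.

```go
package main

import (
	"fmt"
	"time"
)

// EDRAlert is one raw alert; it can carry several indicators, hence the explode step.
type EDRAlert struct {
	Hostname, User string
	SeenAt         time.Time
	IOCs           []string // hashes of the detected binaries
}

type Detection struct{ Hostname, User, IOC string; SeenAt time.Time }

// Explode emits one Detection per IOC in each alert (the "explode EDR alerts array" step).
func Explode(alerts []EDRAlert) []Detection {
	var out []Detection
	for _, a := range alerts {
		for _, ioc := range a.IOCs {
			out = append(out, Detection{a.Hostname, a.User, ioc, a.SeenAt})
		}
	}
	return out
}

// Deduper suppresses a (hostname, IOC) pair already emitted within Window. Keying on both
// fields means the same hash on a second host still alerts; bounding the window means a
// genuine re-infection days later is not silently hidden.
type Deduper struct {
	Window time.Duration
	seen   map[[2]string]time.Time
}

// Keep reports whether det should pass; a kept detection restarts its window.
func (d *Deduper) Keep(det Detection) bool {
	if d.seen == nil {
		d.seen = map[[2]string]time.Time{}
	}
	key := [2]string{det.Hostname, det.IOC}
	if last, ok := d.seen[key]; ok && det.SeenAt.Sub(last) < d.Window {
		return false
	}
	d.seen[key] = det.SeenAt
	return true
}

// Verdict is the part of a file-reputation result the routing needs.
type Verdict struct{ Category string; Positives, Total int } // Category: adware, malicious, clean, unknown

// ConstructedReputation stands in for a VirusTotal hash lookup so the example runs
// offline; the hashes and detection counts are invented for this illustration.
var ConstructedReputation = map[string]Verdict{
	"sha256:adware-sample": {"adware", 12, 70},
	"sha256:trojan-sample": {"malicious", 58, 70},
}

// Route decides who gets the ticket: adware goes straight to IT for removal; anything
// malicious, or a hash the lookup has never seen, stays with the SOC.
func Route(det Detection, lookup map[string]Verdict) (string, Verdict) {
	v, known := lookup[det.IOC]
	switch {
	case !known:
		return "soc-triage", Verdict{Category: "unknown"}
	case v.Category == "adware":
		return "it-remediation", v
	}
	return "soc-triage", v
}

// Triage runs explode -> dedupe -> enrich/route and groups the survivors by queue.
func Triage(alerts []EDRAlert, d *Deduper, lookup map[string]Verdict) map[string][]Detection {
	queues := map[string][]Detection{}
	for _, det := range Explode(alerts) {
		if !d.Keep(det) {
			continue
		}
		q, _ := Route(det, lookup)
		queues[q] = append(queues[q], det)
	}
	return queues
}

// SampleAlerts is constructed input: a repeat inside the window, the same hash on another host, and a repeat after the window.
func SampleAlerts() []EDRAlert {
	t0 := time.Date(2019, 2, 20, 9, 0, 0, 0, time.UTC)
	a, b, c := "sha256:adware-sample", "sha256:trojan-sample", "sha256:never-seen"
	return []EDRAlert{
		{"LAPTOP-01", "alice", t0, []string{a, b, c}},
		{"LAPTOP-01", "alice", t0.Add(2 * time.Hour), []string{a}},  // suppressed
		{"LAPTOP-02", "bob", t0.Add(3 * time.Hour), []string{a}},    // other host: kept
		{"LAPTOP-01", "alice", t0.Add(30 * time.Hour), []string{a}}, // window over: kept
	}
}

func main() {
	queues := Triage(SampleAlerts(), &Deduper{Window: 24 * time.Hour}, ConstructedReputation)
	fmt.Println(len(queues["it-remediation"]), "for IT,", len(queues["soc-triage"]), "for the SOC")
}
```

On the sample input, six detections come out of the explode step, one is suppressed by the 24-hour window, three adware hits go to IT and the trojan and the unknown hash stay with the SOC. The unknown case is the one worth keeping explicit: a hash the reputation service has never seen is not evidence that it is safe.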

3. Correlate Alerts

Differentiating between legitimate and illegitimate detections for commonly used tools can be both hard and time consuming. Alerts for a macro being run in Office, PII being downloaded from a CRM or BI system, or PowerShell being used can differ dramatically in severity based on who the user is, but writing hard rules for this is difficult. Often the first thing an analyst does when investigating an alert is search internal tools for additional context:

  • Who owns the asset
  • What the user’s job title is
  • Where they are based
  • How long they have been with the company
  • Whether this user has done anything like this before
  • Whether we have seen an alert on this device recently

With Tines it’s possible to include this information directly in an alert ticket by correlating alert information with particulars found in other tools. By giving this information to your analysts you empower them to quickly make a decision on an incident.

Using a SOAR platform like Tines to enrich antivirus, EDR, DLP, firewall and other alerts with asset owner, user role and user location, and to correlate them with previous alerts (for example, has an alert fired for this hostname in the past 24 hours), reduces the time an analyst needs to triage an incident and decide its severity. Automating the process also reduces the chance of responders making simple mistakes during the investigation.
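The correlation step itself, as an added example in Go that is not from the post or from Tines: one alert is joined against an asset inventory, a people directory and the alert history to answer the six questions listed above, plus an owner-mismatch flag, which is the cheap check most worth surfacing. The records are constructed stand-ins for what a story would fetch with HTTP Request Agents; the hostnames, people and rule names are invented.

```go
package main

import (
	"fmt"
	"time"
)

// Alert is the detection being triaged. Asset and Person are constructed stand-ins for
// the CMDB and HR directory records a story would fetch with HTTP Request Agents.
type Alert struct{ Hostname, User, Rule string; At time.Time }
type Asset struct{ Hostname, Owner string }
type Person struct{ Login, Title, Location string; Joined time.Time }

// Context is what gets written into the ticket so the analyst does not have to go looking.
type Context struct {
	Owner, Title, Location string
	OwnerMismatch          bool // the user on the alert is not the registered owner of the asset
	TenureDays             int  // -1 when the user is not in the directory
	SameRuleForUserBefore  int  // earlier alerts for this user on this rule
	HostAlertsLast24h      int  // earlier alerts on this host, any rule, previous 24 hours
}

// Correlate joins the alert against the asset inventory, the people directory and the
// alert history. Only history strictly before the alert counts.
func Correlate(a Alert, assets map[string]Asset, people map[string]Person, history []Alert) Context {
	ctx := Context{Owner: "unknown", Title: "unknown", Location: "unknown", TenureDays: -1}
	if as, ok := assets[a.Hostname]; ok {
		ctx.Owner = as.Owner
		ctx.OwnerMismatch = as.Owner != a.User
	}
	if p, ok := people[a.User]; ok {
		ctx.Title, ctx.Location = p.Title, p.Location
		ctx.TenureDays = int(a.At.Sub(p.Joined).Hours() / 24)
	}
	for _, h := range history {
		if !h.At.Before(a.At) {
			continue
		}
		if h.User == a.User && h.Rule == a.Rule {
			ctx.SameRuleForUserBefore++
		}
		if h.Hostname == a.Hostname && a.At.Sub(h.At) <= 24*time.Hour {
			ctx.HostAlertsLast24h++
		}
	}
	return ctx
}

// Notes renders the context as the lines an analyst wants at the top of the ticket.
func (c Context) Notes(a Alert) []string {
	n := []string{
		fmt.Sprintf("user %s: %s, %s, %d days with the company", a.User, c.Title, c.Location, c.TenureDays),
		fmt.Sprintf("asset %s owner: %s", a.Hostname, c.Owner),
		fmt.Sprintf("prior hits on this rule for this user: %d; other alerts on this host in 24h: %d",
			c.SameRuleForUserBefore, c.HostAlertsLast24h),
	}
	if c.OwnerMismatch {
		n = append(n, "WARNING: alert user is not the registered owner of this asset")
	}
	return n
}

// SampleData is constructed: a payroll analyst on her own laptop, a contractor, and a
// short alert history for that laptop.
func SampleData() (map[string]Asset, map[string]Person, []Alert) {
	day := func(d int) time.Time { return time.Date(2019, 2, d, 0, 0, 0, 0, time.UTC) }
	assets := map[string]Asset{"FIN-LT-07": {"FIN-LT-07", "carol"}}
	people := map[string]Person{
		"carol": {"carol", "Payroll Analyst", "Dublin", time.Date(2018, 11, 1, 0, 0, 0, 0, time.UTC)},
		"dave":  {"dave", "Contractor", "Remote", day(18)},
	}
	history := []Alert{
		{"FIN-LT-07", "carol", "DLP: bank details sent to external domain", time.Date(2019, 1, 15, 0, 0, 0, 0, time.UTC)},
		{"FIN-LT-07", "carol", "PowerShell encoded command", day(20).Add(2 * time.Hour)},
		{"FIN-LT-07", "carol", "PowerShell encoded command", day(18)},
	}
	return assets, people, history
}

func main() {
	assets, people, history := SampleData()
	a := Alert{"FIN-LT-07", "dave", "PowerShell encoded command", time.Date(2019, 2, 20, 12, 0, 0, 0, time.UTC)}
	for _, line := range Correlate(a, assets, people, history).Notes(a) {
		fmt.Println(line)
	}
}
```

The sample run is the interesting case: a two-day-old contractor account running encoded PowerShell on a payroll analyst’s laptop, with another alert on that host a few hours earlier. None of that is a verdict, but it is exactly what the analyst would otherwise spend the first ten minutes looking up.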

4. Supercharge Responses with Prompts

Once responders have enough information to triage an incident the next steps are to contain, eradicate and recover. This remediation can involve dozens of different individual steps for an analyst, but for many incidents there are a few common steps that can be automated using a SOAR platform like Tines – isolating machines, blocking domains, resetting passwords, sending a machine for forensics, replying to an end-user’s email etc.

Figure: Prompt actions within a ticket allowing analysts to instantly isolate a machine or lock an account

With Tines’ “Prompts” feature we enable responders to take an action in any workflow by simply clicking a link. These Prompts can be launched from anywhere, for example in an incident ticket, in a text or email, in Slack etc. They allow analysts to take the next step in an investigation without opening different tools, contacting other teams, or leaving their environment. When a responder clicks a “Prompt” this re-releases an event in Tines and sends it down a new remediation workflow. Because a click is all it takes to isolate a host or lock an account, treat a Prompt URL as a credential: it should be unguessable, expire, be single use and be logged. These prompts super-charge analysts’ responses.

5. Crowdsource Suspicious Activity

With an ever increasing number of security tools, new attacks and alerts it’s hard to quickly respond to every incident. To combat this, many teams begin turning off noisier or lower-fidelity detections regardless of how useful they might be. Using Security Orchestration and Automation platforms like Tines it’s possible instead to “crowdsource” noisy alerts and activity.

Figure: A crowdsourced suspicious VPN login alert

For example, a small security team (or a small company) with just a few security tools can investigate every suspicious VPN login, or contact every user who has just been provisioned export or admin rights. As the company and its detection coverage grow, however, these alerts become noisier and the ratio of true to false positives means it is not practicable to follow up on every one. Instead of turning these alerts off, Tines takes the incidents, enriches them, and sends them to the users concerned so that they can spot potentially malicious activity themselves.

Examples of crowdsourced reports include telling a user that they have:

  • logged in from a new location for the first time
  • been provisioned new access rights
  • downloaded a large amount of PII
  • requested a new VPN token
  • changed the payment details in their payroll profile
  • visited a suspicious website
  • uploaded or downloaded a large number of files

By crowdsourcing these alerts, Tines customers can quickly find true-positives among the noise.
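The Prompt links in section 4 and the crowdsourced “was this you?” messages in section 5 both turn a click into an action, so the link itself is a capability and has to be protected as one. The post does not describe how Tines implements its links; the following is an added example in Go, not Tines code, of what such a link needs: an HMAC over the event ID, the action, an expiry and a random nonce, redeemed in the order that matters (signature first, then expiry, then the one-click check). The base URL, key, event IDs and action names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"sync"
	"time"
)

var (
	ErrBadSignature = errors.New("prompt: signature does not verify")
	ErrExpired      = errors.New("prompt: link has expired")
	ErrReplayed     = errors.New("prompt: link already used")
)

// Prompt is one clickable action: which event it re-releases and what the click means.
type Prompt struct {
	EventID string // the event the click sends down the remediation path
	Action  string // e.g. "isolate_host", "lock_account", or "was_me" / "not_me" for user confirmation
	Expires int64  // unix seconds
	Nonce   string // makes every link unique and lets the issuer refuse a second click
}

// Issuer mints and redeems links. Key is a server-side secret that never appears in a URL.
type Issuer struct {
	Key  []byte
	Base string           // hypothetical click handler, e.g. "https://soar.example.com/prompt"
	Now  func() time.Time // optional clock, injected by the test
	mu   sync.Mutex
	used map[string]bool
}

func (i *Issuer) now() time.Time {
	if i.Now != nil {
		return i.Now()
	}
	return time.Now()
}

// canonical is the exact string that gets signed: the query parameters minus the signature.
// url.Values sorts the keys and escapes the values, so no field can smuggle a delimiter.
func (p Prompt) canonical() string {
	return url.Values{"event": {p.EventID}, "action": {p.Action},
		"exp": {strconv.FormatInt(p.Expires, 10)}, "nonce": {p.Nonce}}.Encode()
}

func (i *Issuer) sign(p Prompt) string {
	m := hmac.New(sha256.New, i.Key)
	m.Write([]byte(p.canonical()))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Link mints a URL that is valid for ttl and for exactly one click.
func (i *Issuer) Link(eventID, action string, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	p := Prompt{eventID, action, i.now().Add(ttl).Unix(), base64.RawURLEncoding.EncodeToString(nonce)}
	return i.Base + "?" + p.canonical() + "&sig=" + i.sign(p), nil
}

// Redeem is what the click handler calls. Order matters: verify the signature before trusting
// any field, then check expiry, then burn the nonce so a forwarded or replayed link does nothing.
func (i *Issuer) Redeem(link string) (Prompt, error) {
	u, err := url.Parse(link)
	if err != nil {
		return Prompt{}, err
	}
	q := u.Query()
	exp, _ := strconv.ParseInt(q.Get("exp"), 10, 64)
	p := Prompt{q.Get("event"), q.Get("action"), exp, q.Get("nonce")}
	if !hmac.Equal([]byte(i.sign(p)), []byte(q.Get("sig"))) {
		return Prompt{}, ErrBadSignature
	}
	if i.now().Unix() > p.Expires {
		return Prompt{}, ErrExpired
	}
	i.mu.Lock()
	defer i.mu.Unlock()
	if i.used == nil {
		i.used = map[string]bool{}
	}
	if i.used[p.Nonce] {
		return Prompt{}, ErrReplayed
	}
	i.used[p.Nonce] = true
	return p, nil
}

func main() {
	iss := &Issuer{Key: []byte("replace with a random 32-byte secret"), Base: "https://soar.example.com/prompt"}
	link, _ := iss.Link("evt-42", "isolate_host", 15*time.Minute)
	fmt.Println(link)
	_, first := iss.Redeem(link)
	_, second := iss.Redeem(link)
	fmt.Println("first click:", first, "| second click:", second)
}
```

Two design points carry over to any implementation: the action is inside the signed data, so a link that isolates a host cannot be edited into one that locks an account, and the nonce set is the replay defence, so in a multi-node deployment it has to live in shared storage rather than process memory.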

Have a question on how you can automate your own security workflows? Contact us here or sign up for a free trial!

[0] https://www.enterprisemanagement.com/research/asset.php/3441/InfoBrief:-A-Day-in-the-Life-of-a-Cyber-Security-Pro

Storing G Suite logs in ELK

January 17, 2019 in Blog

As businesses of all sizes continue to embrace G Suite, security teams’ ability to detect and respond to malicious activity in a G Suite tenant is more important than ever. Thankfully, Google provides admins with comprehensive reporting and logging which security teams can interrogate to detect suspicious behaviour. However, moving these logs from G Suite to a centralised logging environment (e.g. a SIEM) often requires a software engineering project. In this post, we’ll explore how Tines can be used to take logs from G Suite and forward them to ELK (Elasticsearch, Logstash, Kibana) for analysis and alerting.

Prerequisites

To follow along, you’ll need the following:

  • A Tines tenant (free trial available here)
  • A G Suite admin account
  • An ELK stack with a Logstash HTTP Input configured to send logs to Elasticsearch,
    ideally listening over TLS with the plugin’s basic authentication enabled

What logging is available in G Suite?

From the G Suite Reports portal, admins can view and search logs related to the following activity in a G Suite account.

  • Admin actions
  • Logins
  • SAML
  • LDAP
  • Calendar
  • Token
  • Groups
  • Hangouts Chat
  • Google+
  • Hangouts Meet
  • User Accounts
  • Email Log Search

Figure: G Suite report logs

Enabling the G Suite Admin SDK API

All the information available in the reports portal is also available via APIs in the G Suite Admin SDK. To begin, we need to enable the Admin SDK APIs. From console.cloud.google.com choose “APIs & Services”, then “Library”.

Next, search for “Admin SDK” and press “Enable”.

Creating a Service Account

  1. In the top-left corner of the GCP console, click Menu.
  2. Click IAM & Admin > Service accounts.
  3. Click Create Service Account and, in the Service account name field, enter a name for the service account.
  4. (Optional) Enter a description of the service account.
  5. Click Create.
  6. (Optional) Assign the role of Project viewer to the new account. No GCP project role is actually needed for this story: access to the Reports API is granted by the G Suite delegation in the next section, so the least-privilege choice is to assign no role at all.
  7. Click Continue > Create Key.
  8. Ensure the key type is set to JSON and click Create. You’ll see a message that the service account JSON file has been downloaded to your computer.
  9. Make a note of the location and name of this file. It contains the service account’s private key and, once delegated below, can read every login and admin event in the tenant: keep it in a secrets store rather than on a workstation, and rotate it on a schedule.
  10. Click Close > Done.

Adding the service account to G Suite

  1. Go to your G Suite domain’s Admin console.
  2. Click Security.
  3. Click Advanced settings.
  4. From the Authentication section, click Manage API client access.
  5. Open the JSON key file downloaded in step 8 above.
  6. In the Client Name field, enter the Client ID for the service account. This can be taken from the JSON key file.
  7. In the One or More API Scopes field, enter the list of scopes that your application should be granted access to. In our case, we need the following to access the Reports API:
  8. Click Authorize.

Grant only the scope this story needs. A read-only Reports scope is sufficient; adding Directory or user-management scopes to the same client would turn a log-collection credential into one that can change accounts.

Creating the Tines credential

Finally, we’ll create a corresponding credential so Tines can authenticate to G Suite; we’ll use a JWT-type credential. For detailed instructions on how to use JWTs with G Suite, see here. The payload for the JWT will resemble the following:
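The payload screenshot is not reproduced on this page. As an added example in Go, not Tines code and not the credential form itself, here is how the assertion a JWT-type credential sends is built and RS256-signed from the downloaded key file: iss is the service account’s client_email, sub is the admin user being impersonated, aud is the token_uri, and the lifetime is capped at one hour. The service account name, the admin address and the scope constant are assumptions (the constant is the read-only Reports audit scope as I know it, not quoted from the post); VerifyJWT and the generated key exist only so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// ServiceAccountKey is the part of the downloaded JSON key file the credential needs.
type ServiceAccountKey struct {
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"` // PEM-encoded PKCS#8 RSA key
	TokenURI    string `json:"token_uri"`
}

// Claims is the assertion for a delegated service account: iss is the service account, sub the G Suite admin it acts for.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// ReportsScope is the read-only Reports API scope, the only one this story needs (assumed, see lead-in).
const ReportsScope = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
var enc = base64.RawURLEncoding

// MintJWT builds and RS256-signs the assertion with a one-hour lifetime (Google's maximum).
func MintJWT(key ServiceAccountKey, adminUser string, scopes []string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(key.PrivateKey))
	if block == nil {
		return "", fmt.Errorf("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	priv, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return "", fmt.Errorf("private_key is not an RSA key")
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(Claims{key.ClientEmail, adminUser, strings.Join(scopes, " "),
		key.TokenURI, now.Unix(), now.Add(time.Hour).Unix()})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyJWT is the check Google's token endpoint makes; it is here so the mint step can be tested locally.
func VerifyJWT(token string, pub *rsa.PublicKey) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	body, _ := enc.DecodeString(parts[1])
	err = json.Unmarshal(body, &c)
	return c, err
}

// GeneratedKeyFile fakes a downloaded key file with a fresh RSA key so the example runs offline; the account name is assumed.
func GeneratedKeyFile() (ServiceAccountKey, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return ServiceAccountKey{"tines-gsuite@example-project.iam.gserviceaccount.com",
		string(pemKey), "https://oauth2.googleapis.com/token"}, priv
}

func main() {
	key, priv := GeneratedKeyFile()
	tok, _ := MintJWT(key, "admin@example.com", []string{ReportsScope}, time.Now())
	fmt.Println(VerifyJWT(tok, &priv.PublicKey))
}
```

With a real key file, json.Unmarshal the file into ServiceAccountKey and pass the result to MintJWT; the assertion is then exchanged at token_uri for the bearer token the next section uses. The one-hour exp is not a style choice: Google rejects assertions with a longer lifetime, and keeping it short is also what limits the damage if one leaks from a log.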

Building the automation story

Now that we’ve laid the necessary groundwork, we can start to build the automation story. To get started, we’ll use an HTTP Request Agent to get an authentication token which we’ll use to fetch the logs (a POST of the signed JWT to the key file’s token_uri with grant_type set to urn:ietf:params:oauth:grant-type:jwt-bearer). The options block for this agent is shown below:

With the authentication token emitted by this agent, we can now fetch the report data, using Login Activity Reports as the example. The options block for this HTTP Request Agent is shown below. Here we fetch all logins since January 1st, 2019; we could equally use the now and minus Liquid filters to fetch only the last 24 hours, 5 minutes, etc. Note that the Reports API returns results in pages: when a response carries a nextPageToken, a further request with that pageToken is needed for the rest, so a story covering a long time range should loop until the token is absent.

An event emitted by the above agent is shown below. We can see the event contains an array called “items” which contains all the login occurrences in the G Suite tenant.

Figure: Sample G Suite login event from Tines

For ease of downstream analysis, we’d like every individual event to be an individual log in ELK. Therefore, before pushing the events to Logstash, we’ll use an Event Transformation Agent in Explode mode to create individual events for every login. This explode agent’s options block should be similar to the following:

The resultant event, emitted by the Event Transformation Agent is shown below:

Figure: Sample event showing a single login event from G Suite

Sending login events to Logstash and ELK

To send the login data to ELK, we’ll use Logstash’s HTTP Input plugin. The plugin creates a listener which converts data it receives over HTTP(S) into log events, which can then be sent to a number of destinations, including, in our case, Elasticsearch. As a result, we can use the HTTP Request Agent below to post login events to Logstash. In the example below, our Logstash HTTP input is listening at https://elk.tines.xyz on port 4999. We also use the “as_object” Liquid filter to ensure that the formatting of the event is retained. Because the listener will index whatever is posted to it, serve it over TLS and enable the plugin’s basic authentication (its user and password options) so that only Tines can inject events into the index.
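The rest of the story end to end, as an added example in Go that is not from the post or from Tines: exchange the signed assertion for a bearer token, page through the login report with nextPageToken (the post’s story fetches a single page; the loop is the addition), and post each login as its own document to the Logstash listener with basic auth. The endpoints, the Logstash credentials and the 24-hour window are assumptions, and the test stands up local servers in place of Google and Logstash.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Activity is one element of the Reports API "items" array, kept as raw JSON so every field reaches Elasticsearch untouched.
type Activity = json.RawMessage

type activitiesPage struct {
	Items         []Activity `json:"items"`
	NextPageToken string     `json:"nextPageToken"`
}

// ExchangeJWT trades the signed assertion for a short-lived bearer token at the key file's token_uri.
func ExchangeJWT(client *http.Client, tokenURI, assertion string) (string, error) {
	resp, err := client.PostForm(tokenURI, url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("token exchange failed (HTTP %d, %q): %v", resp.StatusCode, body.Error, err)
	}
	return body.AccessToken, nil
}

// FetchLogins returns every login activity since the given time, following nextPageToken until the report is exhausted.
func FetchLogins(client *http.Client, reportsBase, token string, since time.Time) ([]Activity, error) {
	var all []Activity
	q := url.Values{"startTime": {since.UTC().Format(time.RFC3339)}}
	for {
		req, _ := http.NewRequest("GET", reportsBase+"/activity/users/all/applications/login?"+q.Encode(), nil)
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		var page activitiesPage
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil || resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("reports API: HTTP %d: %v", resp.StatusCode, err)
		}
		all = append(all, page.Items...)
		if page.NextPageToken == "" {
			return all, nil
		}
		q.Set("pageToken", page.NextPageToken)
	}
}

// ShipToLogstash posts each activity as its own request so it becomes one document in Elasticsearch (the explode step).
func ShipToLogstash(client *http.Client, endpoint, user, pass string, items []Activity) (int, error) {
	for i, item := range items {
		req, _ := http.NewRequest("POST", endpoint, bytes.NewReader(item))
		req.Header.Set("Content-Type", "application/json")
		req.SetBasicAuth(user, pass) // matches the HTTP input's user/password options
		resp, err := client.Do(req)
		if err != nil {
			return i, err
		}
		resp.Body.Close()
		if resp.StatusCode/100 != 2 {
			return i, fmt.Errorf("logstash: HTTP %d on item %d", resp.StatusCode, i)
		}
	}
	return len(items), nil
}

// Run is the whole story: token, every page of the report, one POST per login.
func Run(client *http.Client, tokenURI, assertion, reportsBase, logstashURL, user, pass string, since time.Time) (int, error) {
	token, err := ExchangeJWT(client, tokenURI, assertion)
	if err != nil {
		return 0, err
	}
	items, err := FetchLogins(client, reportsBase, token, since)
	if err != nil {
		return 0, err
	}
	return ShipToLogstash(client, logstashURL, user, pass, items)
}

func main() {
	n, err := Run(&http.Client{Timeout: 30 * time.Second},
		"https://oauth2.googleapis.com/token", "<assertion minted from the key file>",
		"https://www.googleapis.com/admin/reports/v1", "https://elk.tines.xyz:4999",
		"tines", "<logstash password>", time.Now().Add(-24*time.Hour))
	fmt.Println("shipped", n, "login events;", err)
}
```

ShipToLogstash returns how many items were accepted before a failure, which is what a scheduled story needs in order to resume without duplicating documents; a real deployment would also persist the timestamp of the last shipped event and use it as the next startTime.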

Our finished automation story will look like the following:

Searching G Suite report data in ELK

Once the story is running, the events can be searched in Kibana, and alerts can then be built to trigger on suspicious behaviour.

Figure: G Suite logs in Kibana

Conclusion

The benefits of centrally storing G Suite events in ELK for indexing, searching and alerting are obvious. The Tines advanced security automation platform provides security teams with a quick, reliable and scalable mechanism to extract, transform and deliver this critical source of information. All, of course, without writing a single line of code.

To see this automation story in action, request a demo with one of our security automation experts.