Resolve offers a collection of incident “runbook automation” that help security and IT teams implement best-in-class processes with ease. In addition to being fully customizable, our runbook automation frequently includes interactive automations to greatly accelerate incident diagnostics and triage.

Featured Runbook Automation

Phishing Remediation

In the event that your organization is hit with a spear phishing campaign, Resolve provides guided procedures and automations in an Incident Response Runbook that:

  • checks the message headers of email in question
  • obtains a listing of all users who received the phishing message
  • extracts malicious url(s) from the phishing message
  • automates blocking the phishing url(s) on your firewalls
  • block future email messages from phishing sender
  • send phishing message recipients a warning email
  • optionally (in case credentials were compromised) disable Active Directory users who accessed phishing url(s)
  • opens a ticket
  • update ticket with actions taken
  • assign ticket to appropriate group for further investigation

WannaCrypt Triage Runbook Automation

Preparation

  • Identify target systems and owners
  • Notify owners of WannaCrypt0r threat

Detection & Analysis

  • Identify systems missing MS17-010, have SMB v1 enabled, and open NetBIOS ports
  • Validate NetBIOS, RDP and TOR are blocked at the perimeter
  • Check for IDS/IPS for WanaCrypt0r, MS17-010 and EternalBlue alerts
  • Check web content filter for traffic to WanaCrypt0r kill-switch domains
  • Conduct hunt for WanaCrypt0r IOCs

Containment, Eradication and Recovery

  • Block NetBIOS, RDP, and TOR on perimeter firewall
  • Isolate systems containing WanaCrypt0r IOCs or communicating to kill-switch domains
  • Eradicate infection with anti-malware or recover from backup
  • Disable SMB v1 on vulnerable systems
  • Deploy MS17-010 to vulnerable systems
  • Deploy WanaCrypt0r IOCs to prevent binary execution

Post-Incident Activity

  • Conduct incident review and lessons learned
  • Implement updated policies

Sample Runbook Automation

Ransomware Triage

Ref: NIST SP 800-53, Revision 4: CA-7; SC-39,44; SI-3,4,8

Malware Removal

Ref: NIST SP 800-53, Revision 4: CA-7; SC-39,44; SI-3,4,8

User Terminations

Ref: NIST SP 800-53, Revision 4: AC-2,3,7,11,12; CA-7; IA-5,10; SC-17,23; SI-4

Redhat Vulnerability Management

Ref: NIST SP 800-53, Revision 4: CA-7; CM-2,3,5,6,7,8,9,11; MA-4; RA-5; SA-4; SC-15,34; SI-2,4

Security Device Not Reporting to SIEM

Ref: NIST SP 800-53, Revision 4: CA-7; CM-8; IA-3; SA-4; SI-4; PM-5

Continuous Vulnerability Assessment and Remediation

Ref: NIST SP 800-53, Revision 4: CA-2,7; RA-5; SC-34; SI-4,7

Limitation and Control of Network Ports, Protocols and Switches

Ref: NIST SP 800-53, Revision 4: AT-1,2,3,4; SA-11,16; PM-13,14,16

Controlled Use of Admin Privileges

Ref: NIST SP 800-53, Revision 4: AC-2,6,17,19; CA-7; IA-4; IA-5; SI-4

Accelerate Incident Response and Automation Today.