What is auto remediation?

As cyber threats become more sophisticated, the demand for effective and efficient remediation strategies grows. Automated remediation offers a way to quickly address security incidents, minimizing damage and reducing the workload on security teams. In this post, we’ll explore low effort, high value scenarios where automated remediation can be implemented today, steps to set up these automations, and potential risks to be aware of.

Low effort, high value situations for automated remediation

Automated remediation can be particularly beneficial in scenarios where rapid response is crucial and human intervention is minimal. Here are some key situations where automation can make a significant impact:

1. Malicious process execution on an endpoint

Requires: Endpoint Detection and Response (EDR)

EDR tools like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint can automatically detect malicious activity on endpoints. When an endpoint shows signs of compromise, such as unusual file modifications or unexpected processes, the EDR tool can kill the process, ban the hash, and contain the host for immediate response.

Why it’s valuable: This immediate action reduces the risk of lateral movement within the network and allows security teams to analyze and remediate the threat without rushing.

What’s the risk: Simply put, computers do weird things. Most alerts generated from EDR tools are false positives, so you run the risk of banning legitimate processes used for business functions or disabling network connectivity on critical hosts.

Suggested Playbook Ideas:

Response for Servers and Critical Assets

1. Ensure you have some form of notification (Email, Slack, etc.) that’s delivered to the team for a high- or greater-severity alert on your critical assets.
2. Kill Process / Ban Hash on the Binary automatically 
3. Leave containment as a manual action that requires user validation unless you’re highly confident in the detection

Response for workstations or non-essential servers

1. Ensure you have some form of notification (Email, Slack, etc.) that’s delivered to the team for a high- or greater-severity alert on your critical assets.
2. Kill Process / Ban Hash on the Binary automatically 
3. Automatically contain the host

2. Risky sign-in to Office 365 account

Requires: Azure AD Identity Protection

Scenario: Detecting and responding to risky sign-ins indicative of Business Email Compromise (BEC).

Office 365 can detect risky sign-ins based on various factors like unfamiliar locations, IP addresses, and sign-in patterns. When a risky sign-in is detected, automated actions such as revoking user sessions and resetting their password can mitigate the risk.

Why it’s valuable: Rapidly addressing potentially compromised accounts prevents attackers from leveraging stolen credentials for further malicious activities.

What’s the risk: Revoking sessions and resetting passwords can be disruptive to user workflows. In most cases, these actions are not business impacting but can cause inconvenience in false positive scenarios.

Suggested Playbook Ideas:

On high severity or greater risky sign-ins with Azure AD Identity Protection, use the Graph API to revoke the user session. Session token theft is among the most common methods for threat actors to gain access to an environment, and revoking the sessions creates some inconvenience from having to reauthenticate but less business disruption than a full password reset.

Revoke user sessions (Graph API):

POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
Authorization: Bearer {token}

In the event another risky sign-in occurs from the same user within a 24 hour period, automate a password reset. 

Reset user password (Graph API):

PATCH https://graph.microsoft.com/v1.0/users/{userId}
Authorization: Bearer {token}
Content-Type: application/json
{
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "NewSecurePassword123!"
}
}

3. Identified phishing email

Requires: Proofpoint or other email solutions

Tools like Proofpoint can automatically detect phishing emails based on predefined rules and machine learning algorithms. When a phishing email is identified, the tool can quarantine the email, preventing it from reaching the user's inbox.

Why it’s valuable: This reduces the likelihood of a user falling for a phishing attack, saving time and potential security breaches.

What’s the risk: False positive identification of legitimate emails does happen and may slow business conversations.

Steps to set up automated phishing email remediation with Proofpoint:

1. Configure Proofpoint email protection:
   • Set IP detection rules: Define rules in Proofpoint to detect common phishing characteristics. This includes analyzing email headers, body content, URLs, and attachments for suspicious elements. Proofpoint’s advanced machine learning algorithms and threat intelligence feeds enhance the accuracy of these detections.
   • Enable impersonation protection: Use Proofpoint’s impostor email detection to identify phishing attempts that mimic internal email addresses or trusted contacts.
2. Set Up quarantine actions:
   • Define quarantine policies: Configure Proofpoint to automatically quarantine emails that match the phishing detection rules. You can set up different quarantine levels, such as “high-risk” and “low-risk” phishing emails, to tailor the response.
   • Notify administrators: Set up notifications to alert security administrators when an email is quarantined. This allows for a quick review and further action if necessary.
3. Enable user reporting and auto-remediation:
   • Deploy PhishAlarm: Proofpoint’s PhishAlarm allows users to report suspected phishing emails directly from their inbox. When a user reports an email, it is automatically moved to quarantine for further analysis.
   • Automate responses with TRAP: Proofpoint’s Threat Response Auto-Pull (TRAP) can automate the remediation of phishing emails. When a threat is identified, TRAP can automatically remove the email from all user inboxes, quarantine it, and block future occurrences.
4. Review and refine:
   • Regularly review quarantined emails: Security teams should periodically review quarantined emails to ensure legitimate emails are not being falsely identified as phishing. Adjust detection rules as necessary.
   • Update detection rules: Continuously update and refine phishing detection rules based on new threat intelligence and phishing techniques.

Potential risks of automated remediation

While automated remediation offers significant benefits, it also comes with certain risks:

False positives

Automated systems may occasionally misidentify benign activities as malicious, leading to unnecessary disruptions. For example, isolating a non-compromised endpoint or resetting an un-compromised user's password can impact business operations. Regularly reviewing and refining detection rules can help minimize false positives.

Over-reliance on automation

Relying too heavily on automation can lead to complacency. Security teams should remain vigilant and continue to perform manual reviews and interventions when necessary. Automation should complement, not replace, human expertise.

Integration challenges

Integrating various security tools and ensuring they work seamlessly together can be complex. Proper planning and testing are essential to avoid conflicts and ensure effective automation.

Conclusion

Automated remediation is a powerful strategy to enhance cybersecurity defenses with minimal effort. By focusing on high value scenarios such as EDR threat identification, risky Office 365 sign-ins, and phishing response, security professionals can significantly reduce the time to respond to incidents and mitigate risks. However, it’s crucial to balance automation with human oversight to ensure effective and reliable security operations.

Embrace automation, but do so wisely, and your security posture will be all the stronger for it.

Further reading

Automated incident response: streamlining your SecOps
Demystifying SOC automation
Alert tuning best practices

‍