WHAT IS AUTOMATED INCIDENT RESPONSE ACTIONS?
Evolve allows you to remotely orchestrate scalable incident response environments in any of your locations, whether it is on-premise or in the cloud. This helps to ensure that when a security breach occurs the evidence is collected and analyzed allowing the incident to be confirmed and automated response actions to be triggered to contain the breach as quickly as possible to minimize any negative impacts to your organization.
The Evolve “Automated Incident Response Actions” workflow is triggered as soon as the evidence has been analyzed and the security breach verified. This helps to ensure that the security breach is responded to and contained whilst the attack is still underway.
This provides your security team with the ability to automatically shut down security breaches and increases your team’s security capabilities to seamlessly achieve a streamlined and specialist incident response process.
Evolve “Automated Incident Response Actions” natively integrates with Slack for “Automation Authorization” enabling ChatSecOps capabilities to maximize your resources and security budgets.
Automated Incident Response Actions is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.
Automated Response Actions During Attack
Distributed Automated Incident Response
ChatOps Incident Response Authorization
Automated Incident Response Chaining
Automated Indicators of Compromise Ingestion
Automated Remote Command Execution
Automated System Shutdown
Automated Process Termination
Automated Indicators of Compromise Search
Automated Detection of Compromised Systems
Automated Recursive Incident Response
Automated Authorization for Recursive IR
FLEXIBLE SUBSCRIPTION PRICING
Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock-in contracts. Simply import the Automated Incident Response Actions capability from the Evolve Marketplace to begin your subscription.
Monthly Subscriptions. No lock-in contracts.
OPTIMIZE YOUR COSTS WITH USAGE-BASED BILLING
Importing workflows and modules from the Evolve Marketplace incurs a once-off usage charge per import to orchestrate your new capabilities.
SECURITY ZONE USAGE
Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real-time
Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data
Evolve Modules are stored and executed on demand in real time, which incurs usage. Optimize usage by reducing module executions.
Evolve Agents allow distributed orchestration of modules on premise and in the cloud. Optimize usage by reducing the polling frequency
When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data
Generating and storing Evolve Dashboards incur usage to enable populating chart data from within Evolve Containers
Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts
FREQUENTLY ASKED QUESTIONS
WHAT ARE AUTOMATED INCIDENT RESPONSE ACTIONS?
The Evolve “Automated Incident Response Actions” solution is triggered automatically after Evolve Incident Response Evidence Analysis has verified that a security breach is likely to have occurred so that automated actions are performed to contain the security breach.
In real-time, Evolve will remotely orchestrate an incident response environment in any of your locations, whether it is on-premise or in the cloud, via an Evolve Agent. This provides the ability to stop an attack in its tracks whilst the attack is still in progress, whilst also detecting other systems on your internal network that may have been compromised using the same attack.
Evolve can automatically shut down systems, kill malicious processes, and search other machines on your network for indicators of the same attack.
This enables your security team to respond automatically and gain faster access to in-depth information about a security breach, so that you can contain the breach and maintain control over your organization.
HOW DO I GET STARTED?
The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated Incident Response Actions solution. Simply import this automation workflow into your Evolve Account.
You can then follow the Getting Started Guide to set up your first Automated Incident Response Actions workflow instance.
You can then chain the Evolve Automated Incident Response Actions workflow off the back of the Evolve Automated Incident Response Evidence Analysis for automated response to security breaches.
HOW DO I INTEGRATE WITH SLACK FOR AUTOMATION AUTHORIZATION?
Evolve Automated Incident Response Actions natively integrates with Slack.
The Evolve SlackBot can request authorization from your security team prior to any actions being performed. This provides you with full control over your incident response containment decisions whilst also streamlining your incident response processes.
Simply import the Evolve SlackBot from the Evolve Marketplace and launch an instance of the Evolve SlackBot module. This SlackBot module instance is positioned before the Evolve Automated Incident Response Actions so that authorization is triggered before any actions are taken.
GETTING STARTED WITH AUTOMATED INCIDENT RESPONSE ACTIONS
STEP 1: REGISTER AN EVOLVE ACCOUNT
Congratulations on deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is to simply Register an Evolve Account using the Register button on the Evolve website.
STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT
Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
STEP 3: SET UP YOUR EVOLVE BILLING
Evolve subscriptions and usage-based bills are charged via credit card. You can set up your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account. Select the “Add Payment Method” button, which loads the Evolve Secure Payment Gateway page where you can add your credit card details.
As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments. Your Evolve Account is now set up and you are ready to mature your security.
STEP 4: SELECT YOUR EVOLVE REGION
Evolve is a specialist security automation cloud with globally distributed infrastructure. This enables geographic security controls, allowing you to keep your data and processing within the geographical regions aligned to your business needs. You can select your Evolve Region in the top right-hand corner of your Evolve Account. Any actions you take will occur within your selected Evolve Region.
STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE
The Automated Incident Response Actions workflow is available in the Evolve Marketplace, which you can navigate to under the Marketplace side-menu. Whilst in the Evolve Marketplace, you can locate this workflow by either selecting the “Incident Response” category and browsing through the available workflows, or by searching for the keyword “yara”.
By clicking on the Automated Incident Response Actions workflow marketplace item, you can review the overview of the workflow, as well as usage and subscription pricing information. Click the Import button and simply step through the import steps, where you will then be redirected to the Imports page. You may need to use the Reload button to see your newly imported workflow.
Once the import status changes from “Pending” to “Available”, you have successfully subscribed to this security automation workflow and added this specialist security capability to your business.
STEP 6: CREATE AN EVOLVE AGENT
If you have already set up an Evolve Agent for the Evolve Automated Incident Response Evidence Collection workflow, then you can skip this step.
Evolve Agents are used to remotely orchestrate and execute security automation workflows within your internal on-premise or cloud environments. Since we want to collect evidence from internal systems, we will set up an Evolve Agent to remotely orchestrate an incident response environment within your internal network in real time when a security breach occurs.
Select the Agents side menu and click the New Agent button. Set a useful name for your Agent and click the Next button, which will take you to the Configuration page to set the following options:
Evolve Agents poll the Evolve Agent API to request actions to be performed, such as orchestration and module executions. Agent polling incurs usage costs that can be optimized by reducing the number of times the Evolve Agent API is polled. For example, you may configure the Agent to poll every minute for fast execution of modules at the cost of higher usage, or to poll every hour for delayed module executions with lower usage. In our use-case, we will set the “Agent Polling Frequency” to be “1 Minutes” since evidence collection is time sensitive.
When Agents are installed (possibly on multiple systems), they register themselves as an Agent Device. The Inactive Device Expiry is the timeframe for Evolve to assume that a device no longer exists if it hasn’t polled after a certain period of time. Evolve will automatically delete the Agent Device Registration after this inactive period. This keeps the Agent Device list clean. Evolve Agents will automatically re-register themselves if they come back online. In this use-case, set the “Inactive Device Expiry” to be “7 Days”.
Click the Next button, review your settings, and then click the Create button. This will automatically create your new Evolve Agent, which should be available immediately.
STEP 7: SET UP YOUR EVOLVE AGENT
If you have already set up an Evolve Agent for the Evolve Automated Incident Response Evidence Collection workflow, then you can skip this step.
Now that you have created your Evolve Agent, you can install it on your internal network, where it will connect back and automatically register itself via the Evolve Agent API.
Your first step is to set up an Ubuntu machine on your internal network, which should have access to the systems that you may want to automatically collect evidence from. This machine should have access to the internet, either directly or configured with the required proxy details, so that any required Linux packages can be downloaded automatically (typically via apt, pip, wget or curl).
From within the Evolve Console, select the Agents side menu to list your available Evolve Agents. You will find a series of buttons alongside your Agent where you will need to click the button called “Download”. This will download a ZIP file containing the Evolve Agent installer and your corresponding Evolve Agent API Key. Copy this ZIP file to your Ubuntu machine and unzip the contents.
Open a Terminal and change to the directory where you extracted the Evolve Agent Installer. You may need to set the installer to be executable by running the command “chmod 750 install.sh“. You can now view the installer options by running “sudo ./install.sh -h“.
In nearly all cases you can install using the default options with the command “sudo ./install.sh“. This will automatically install all of the dependencies, configure your Evolve Agent, set it to start on boot, and automatically connect and register with the Evolve Agent API.
To check that your Agent is running, run the command “ps aux | grep agent.py”, which should show the Evolve Agent process.
You should confirm that your Agent has registered successfully. From within the Evolve Console, select the Agents side menu to list your available Evolve Agents. Alongside your Agent row, click the button called “View Devices”. This will list all of the registered Agent Devices that are running this Evolve Agent.
That's it. You are now ready to start remotely orchestrating Evolve Incident Response workflows via your Evolve Agent against your internal systems.
STEP 8: LAUNCH A WORKFLOW INSTANCE
You have imported the Automated Incident Response Actions workflow, which can be thought of as a part of your security team’s incident response security capability. You now need to launch a Workflow Instance to be orchestrated and executed each time a security breach occurs.
Select the Workflows side menu item to list your available workflows. You will find a series of buttons alongside your Automated Incident Response Actions workflow where you will need to click the button called “Create Instance”. Set a useful name for your workflow instance and click the Next button, which will take you to the Parameters page where you provide your authentication details.
The Automated Incident Response Actions workflow currently supports Windows systems, which means that Evolve must be able to authenticate to your Windows systems as an Administrator (typically either a Local Administrator, Workstation Administrator, Server Administrator, or a Domain Administrator). Enter the CIDR range of the systems that you wish to search for Indicators of Compromise (IOCs), as well as your Windows Domain, Administrator username and password. These details are stored encrypted within the Evolve platform and are passed to modules being executed in real time for authentication.
The Yara Path should be set to the Windows directory that you wish to search. We will set this to be C:\.
The Timeout should be set to 30 minutes to allow sufficient time for the search across your systems to be performed. For larger environments, you may want to increase this timeout value.
Since this workflow will typically be chained with others, you should set the Input Container to be the Output Container of the Evolve Incident Response Evidence Analyzer. The Output Container can be left blank.
Click the Next button to go to the Configuration page, where you select the default location in which modules will be executed. You should un-check the Security Zone, and select your Evolve Agent from the “Agents” drop-down list.
Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Automated Incident Response Actions workflow instance, including all Module Instances and Containers, using the configurations that you specified for your systems.
Your workflow will be automatically launched by Evolve every time a new Evolve Evidence Analysis Yara File containing the Indicators of Compromise is uploaded to the Input Container.
STEP 9: SET UP YOUR WINDOWS SYSTEMS FOR EVIDENCE COLLECTION
If you have already set up your Windows systems for the Evolve Automated Incident Response Evidence Collection workflow, then you can skip this step.
When a security breach occurs and has been analyzed, the Evolve Automated Incident Response Actions workflow will automatically attempt to perform your actions on the victim Windows machine and search your other Windows machines for the corresponding Indicators of Compromise.
Evolve uses the native Windows Remote Management (WinRM) protocol over HTTPS to remotely run commands via PowerShell on your Windows machines, and uses SMB to collect large files.
You need to ensure that your Windows machines have WinRM and SMB running, and that they are permitted through the Windows Firewall. This can be performed by applying an Active Directory Group Policy to all Windows systems, or can be applied on each individual host.
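As an added example (not Evolve's own code or documentation), the following PowerShell prepares a single Windows host for the WinRM-over-HTTPS and SMB access described above and then verifies it. It assumes a server certificate for the host's FQDN is already in the machine certificate store (for example issued by your enterprise CA), and $AgentSubnet is a placeholder for the network the Ubuntu Evolve Agent machine polls from; when you roll this out via Group Policy, mirror the same listener, service and scoped firewall settings there.

```powershell
# Added example, not Evolve's own code: prepare one Windows host for WinRM over HTTPS
# and SMB access, and confirm the result. Assumes a server certificate for this host is
# already in Cert:\LocalMachine\My. $AgentSubnet is a placeholder; set it to the network
# of the Ubuntu machine running the Evolve Agent so the ports are not open to everyone.
#Requires -RunAsAdministrator
$AgentSubnet = '10.0.5.0/24'        # assumption: where the Evolve Agent connects from
$HostFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Enable the WinRM service with its default configuration (this also creates an HTTP listener).
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. Bind an HTTPS listener (TCP 5986) to the newest valid certificate issued to this host's FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostFqdn*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid server certificate for $HostFqdn in LocalMachine\My" }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# 3. Remove the plaintext HTTP listener so only the HTTPS listener is exposed.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# 4. Firewall: allow WinRM HTTPS and SMB inbound only from the Evolve Agent's network.
New-NetFirewallRule -DisplayName 'Evolve Agent - WinRM HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $AgentSubnet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Evolve Agent - SMB' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AgentSubnet -Action Allow | Out-Null

# 5. Verify: WinRM and the SMB Server service are running, only the HTTPS listener remains,
#    and the listener answers over TLS using the certificate bound above.
Get-Service WinRM, LanmanServer | Select-Object Name, Status
Get-ChildItem WSMan:\localhost\Listener | Select-Object Keys
Test-WSMan -ComputerName $HostFqdn -UseSSL -Port 5986
```

Run it from an elevated PowerShell on the target host; Test-WSMan will fail if the certificate does not chain to a CA the host trusts, which is the same check the Evolve Agent's connection will make.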
STEP 10: REVIEW YOUR RESULTS
The Evolve Automated Incident Response Actions workflow will automatically upload Indicators of Compromise found on any additional hosts in your environment to the configured Evolve Output container.
From within the Evolve Console, select the Containers side menu to list your available Evolve Containers. In the search box, type “yara” to filter down your Container list. Locate the Yara Scan Output Container. You will find a series of buttons alongside your Container where you will need to click the button called “View”. This will list the results of the Yara Scans stored within your Evolve Container. You may download the Yara Scan files using the corresponding “Download” button to identify other systems that have been breached.
More advanced users may also want to be notified when their incident response actions are complete by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off the Output Container for real-time ChatOps notifications.