# Applying Automation to Security Use Cases with n8n | Wes Lambert

## Metadata

- **Channel:** n8n
- **YouTube:** https://www.youtube.com/watch?v=dNfV0NWnvcI
- **Date:** 14.04.2022
- **Duration:** 18:56
- **Views:** 4,993

## Description

Wes Lambert will show you how to apply automation to security use cases in a smarter way!

----------------------------------------------------------------
About n8n
n8n is the leading low-code automation tool, and with over 250 integrations, n8n enables you to connect anything to everything. With n8n you can move beyond simple integrations to build multi-step workflows that combine both 3rd party APIs and your own internal tools to create easy-to-use automations. Thanks to its fair-code distribution model, n8n will always have visible source code, be available to self-host, is completely free for personal or internal use and allows you to add your own custom functions, logic, and apps.

Download: https://n8n.io/#get-started
Deploy: https://docs.n8n.io/getting-started/i...
n8n Cloud: https://n8n.io/cloud

## Contents

### [0:00](https://www.youtube.com/watch?v=dNfV0NWnvcI) <Untitled Chapter 1>

All right, well, thank you guys again, thank you for the introduction. My name is Wes Lambert. I just wanted to talk to you guys today about some ways in which you can start thinking about how to automate security use cases if you aren't already: some simple ways to get started with n8n, what types of nodes you might use, and that sort of thing.

Continuing with that, I am a husband to an amazing, beautiful wife and father of four crazy kids. As mentioned, I'm a principal engineer at Security Onion Solutions, where we have an enterprise security monitoring platform that is free and open, Security Onion, that we help folks to implement and that we maintain there at Security Onion Solutions. I have a little over 10 years of experience in IT and information security, kind of in that same discipline, in that same vein, and I really enjoy building those solutions that help security analysts and engineers work smarter, more efficiently, and not harder. So that's what I kind of want to get folks thinking about today.

Really, when we think about security, we hear about it all the time, about these threats and these breaches and everything else. As a blue teamer, security can be hard, right? There are a lot of different areas, like compliance, a lot of different technical controls, just different things. The whole discipline is huge and there are so many things to think of. As a blue teamer, it's often said that we have to think of all the ways that bad guys can break in, and they just have to find one way to break in, right? So it can definitely be hard. The fact that there are these secure coding methodologies and practices in place doesn't always necessarily equate to secure software, right? And with these next-generation firewalls, just having one in place does not necessarily mean that you have next-level enterprise security. There are always going to be gaps and vulnerabilities; bad guys are always going to be finding ways to get in, to poke at the software and find these little holes. There are always going to be those bad guys, or even just people playing around and having opportunistic fun with your attack surface. So again, security is hard, and we just have to keep that in mind, and keep in mind that we're always going to have to keep at it; there's never really going to be a stopping point.

And the solution, right? So what is a solution? Again, there's no silver bullet, no one-size-fits-all approach. Everybody's enterprise is different; everybody's attack surface and threat model is different. Really, the most important thing here is to be able to, no matter what your resources are (a lot of times businesses today may not have that many people on their security team, they might not have a dedicated security team), scale these operations for the folks that are in these roles. We have to be able to scale analysis and scale response and be able to do that efficiently and effectively. So that's one of the goals of what I want to talk about today, and the overall goals I

### [3:24](https://www.youtube.com/watch?v=dNfV0NWnvcI&t=204s) Goals

- Reduce fatigue and increase efficiency
- Automate/orchestrate where it makes sense
- Focus first on highly repetitive tasks that can be completed using boolean (yes/no) or matching

think, with these folks and these teams, are really, first and foremost, to reduce that alert fatigue. Aside from tuning, there may be hundreds or thousands or maybe even millions of alerts in some alert queue that an analyst is going to be investigating on a regular daily basis. We want to try to automate that and really reduce that fatigue and try to make things more efficient where we can, and in doing so really focus on those tasks that are performed day in, day out, again and again by analysts, that don't really make sense for them to keep doing: going off and clicking and kind of doing the same thing to arrive at maybe a yes or no, or some kind of answer that can be selected from a box. We don't want to eliminate the analyst either; we want to keep the analyst in the equation. We need that human factor. Machines aren't the best at everything; you need that human cognitive ability, that ability to discern given certain context. What's really important here is providing a lot of context to an analyst more quickly, so they can come to a decision around an investigation more quickly and resolve that investigation with that alert. So that's really the goal here: to increase the amount of context available and to do it quickly, to empower the analyst.

So one common use case here (and I'm going to be going through these kind of quickly because I've got a little bit to cover) is going to be initial alert triage, or a reputation check. Typically an analyst might be sifting through an alert queue, going through some IDS alerts or other types of alerts from a security system. So one of the things that we might want to do is poll the system for new alerts, or maybe send a notification if we get a new alert from a certain security system; maybe it's a network-based IDS or maybe it's a host-based intrusion detection system; maybe it meets a certain threshold. Maybe we want to query VirusTotal for it and see if it has any context available for us, or maybe some other source of information, maybe some internal data, some repository that we have. And maybe we want to send an external alert, or some sort of notification, if it exceeds that threshold or it matches some value. This is one of those use cases that we might want to look into to help analysts get that context more quickly and be able to resolve that investigation and that alert more quickly: focus on the things that matter and make the best use of their time.

So in doing that, here's a simple example workflow. I don't have a link for it here, but I can definitely produce that later. Again, to get a feel for what you might use here, you might use something like the Interval trigger to basically perform that polling at an interval. There may be a better way to do this; I'm certainly not an n8n expert. But that's one way: using the Interval trigger, say every minute or every 30 seconds or every 10 seconds, to poll. If you have an Elasticsearch database where your IDS or host-based intrusion detection alerts or other types of alerts are housed, a SIEM, we can query that. Then we can use an HTTP node for that, and then transform that data with the Function node, and then, if we need to submit that data, however it's transformed, we can submit that to VirusTotal or some internal repo, and then we can come to some determination more quickly. We can even chain these events together, right? So if we don't really know that this is potentially malicious yet, we can kind of shift these around, because this is a very contrived use case, but we can continue chaining those outputs and building that context. Then, based on that Switch node, if we feel like it's not necessarily malicious or something that we deem noteworthy right now, we can acknowledge or dismiss the alert. And then we can send an email if we do feel like that's something that we want to investigate further, or maybe it's Slack or maybe it's Discord. Or, if there's some additional piece of information, we could use an HTTP node to add on to that alert, to tack on additional details back into the SIEM or back into that data platform. So that might be one way that you can achieve that. Again, a very simple example, but just a way to get started thinking about how you might chain that together and produce the results that you're looking for. Excuse me, let me get some water real quick.

Now, continuing on from use case one, another use case... and I'm sorry, let me back up a little bit. One repository here, if you're running Security Onion (I work for Security Onion Solutions, obviously), that might be an example here. I realized I just forgot to go back and address this, but Security Onion would house both those host-based and network-based IDS alerts and other types of alerts and data that you can pivot from there if you want to work from that workflow.

Going forward, if you want to use something like an EDR platform or an endpoint visibility tool, maybe we have a use case where we want to search all of our hosts across our enterprise that are enrolled in that platform for a particular IOC. Maybe we've gone through and we have an alert, and we've investigated that alert to a certain degree on one host, and we found this malicious executable or whatever. What if we want to search all other hosts and see if it's present there? What's a quick, easy way to do that? Well, we can do that in a somewhat automated fashion if we want to. So we could indicate this observable as an IOC in something like Security Onion or another case management platform. We can have something watching; if that particular platform has the ability to send to a webhook, we can do that and send to the Webhook trigger, or we can use that HTTP polling input again. We can also route the observable: if it's a hash or a file name, we can route that based on the type, and then we can perform a call to some EDR platform to search the hosts for that particular IOC. And maybe, if an IOC is found on that box, maybe something that we know to be malicious, we want that host to be quarantined right away. We want to cut off access; maybe if it's trying to perform C2 and exfil data, we want to cut off that communication and really only be able to connect to it from that endpoint or that EDR platform. So that might be something we want to do as well.

So an example of that would be, again, as I mentioned, if that case management platform supports sending notifications to a webhook, we can use the Webhook trigger here in n8n and that Switch node to route by observable type. So if it's a hash, then we can go over here to the hash hunt, and for Velociraptor, for example, our EDR tool of choice here, we can perform a hunt across all of our enrolled clients, every machine that we have enrolled in Velociraptor, and search for that hash on disk. And if it's found (I'll show you some other magic in just a minute), we can then perform additional actions, either through n8n or the EDR tool itself. These hash hunts right here are really utilized by the Execute Command node, so what we're doing here is actually just executing a local command, a local Python client, to go off and perform that call. I'm going to talk more about that and get into detail in just a minute with kind of an example implementation that I put together. Everybody good so far? Everybody following along? Good, okay, awesome.

All right, so tying it all together. A while back (and this is, I think, kind of how Harshil and I started talking) I put together an article about using Security Onion with TheHive, a free and open source platform (I'm sorry, they've kind of changed their licensing model now) for case management and incident management, n8n, and Velociraptor, to each kind of take on the role of that data platform, with the intrusion detection system, the log management, the automation, case management, and the EDR platform. So it's really an article I put together that kind of walks you through how to set all this up together. I call it SOAR lab just because it's Security Onion with automation and response; it's not necessarily a complete SOAR, but you can check out those links there. What I'm going to do next is just kind of walk through a couple of those components that are in there.

So the overall workflow is going to be that we see an interesting alert in Security Onion, and then we create a case for that alert. Then we have a platform called ElastAlert running, which is going to be polling that data in Security Onion, and it's going to tell us whenever an observable or an IOC is added to a case in Security Onion. From there it's going to hit that n8n webhook and go through that workflow I described earlier. This link down here is going to be an example of that workflow that you can implement, along with those SOAR lab resources on GitHub.

Going into a little bit more detail, here's an example of a case that was created from an alert in Security Onion. What happened here was a file was extracted out of the network stream and analyzed by a tool called Strelka. What Strelka did was it applied YARA to the rule (I'm sorry, to the file), and then it detected that it was indeed a malicious batch file, and then it created an alert in Security Onion. From there we escalated to a case inside of Security Onion; we created a case from that, and then we created an observable here from that event. So this file had an MD5 hash. Yes, I know MD5 is obviously not the best of hashes for files, but for academic purposes we'll use it here. So we had the MD5 hash here from the event that was related to that file, and that file was called poker.bat; it was a .bat file that was detected. Then we've added an observable in Security Onion to associate it with that case that we created, and when we did that, what happened was an ElastAlert rule was going off and it was perusing the data; it was checking to see if there were any new observables added to a case, and then once there was, it went off and hit the n8n webhook right here. Once it hits that webhook, what's going to happen is, obviously, it's going to receive the notification, and then it's going to go through; it's going to hit that Switch

### [14:56](https://www.youtube.com/watch?v=dNfV0NWnvcI&t=896s) Switch Node

Route observable data to the appropriate endpoint hunt based on type (filename or hash).

node. It's going to see that it's a hash (I know this is empty here, maybe not the best example), but it's going to see that it's a hash, so it's going to move on to that Execute Command node, and what

### [15:07](https://www.youtube.com/watch?v=dNfV0NWnvcI&t=907s) Execute Command Node

Execute a hunt for a specific hash across all endpoints by calling the Velociraptor API from a local Python client.

is going to happen here, as I mentioned before, is it's going to execute that local Python client, and then it's going to start a hunt in Velociraptor for this hash across all endpoints. So now what we're doing is we're taking some automation from n8n and we're also using some other components from other platforms. We don't necessarily have to do everything through n8n; we could separately call the hunt and then the hunt results and do everything else, but for our purpose we're just going to call a hunt, and then it's going to go hunt for that data. What Velociraptor has is these things called artifacts, which encapsulate expert knowledge, and it's going to go off and actually perform that action and perform that hunt. So we can see that it's going off and it's looking on the endpoint; it's performing a query for that particular hash, and it did find that file and that hash on an endpoint. What it's going to do here is, once it finds it, this particular artifact here is actually going to check and say: are there any completed flows that completed successfully, basically, and do they meet this criteria: were they executed by Security Onion, and did they have this particular artifact regular expression in there? And it's going to say, if so, if there are results, then I need to quarantine this host. So then it executes this Windows.Remediation.Quarantine here, which is going to basically put that endpoint into a quarantine status where we can go investigate it manually with Velociraptor or perform other response actions. So again, we could call the quarantine artifact or action from n8n if we wanted to manually, but sometimes it's just best to utilize certain components of platforms that work best and maybe use n8n as the glue to get there and go from there. It just depends on your use case.

So again, we've basically taken that observable data that we found from that alert in Security Onion; we've taken it all the way through n8n; it's used Velociraptor and its API to execute a hunt across maybe a thousand endpoints, and then automatically quarantined all of those hosts. And then if we want to go off and send an additional notification from there saying that all of these endpoints were quarantined, we can certainly do that as well. But if you want to check that out in more detail, I'll stop rambling and you can go off and watch that in your own time later. There is a video on YouTube, an example video, about how to set all that up. I will mention that we do not use TheHive anymore in Security Onion, so it would be without this TheHive component here, and I will be rewriting that particular article and putting up a new video very soon to address that. If you do have questions or you do have interest in that, please let me know. Other than that, I think that is all that I have. If you want to ask any questions on Twitter, please feel free to reach out to @therealwlambert, or if you want to check out that code, please be sure to check out my GitHub there. I'll be glad to answer any questions that you have in the Q&A and elsewhere. So thank you.

All right, awesome. Thank you so much, Wes, for sharing this. I can see already people are finding this really useful and they are going to try it out any time in the security SOAR space if they haven't. So thank you once again for sharing this.

---
*Source: https://ekstraktznaniy.ru/video/15712*