Prevent Proxy and VPN Access with Cortex XDR and Cortex XSOAR
Table of Contents
- Introduction
- Blocking Unwanted Proxy and VPN Applications
- 2.1 Using Cortex XDR
- 2.2 Automation with Cortex XSOAR
- Preventing Unwanted Proxy Applications on the Endpoint
- 3.1 Custom Behavioral Indicator of Compromise
- 3.2 Enforcement Point: Digital Signature
- 3.3 Testing the Prevention
- Integrating Cortex XSOAR for Automated Response Actions
- 4.1 Fetching Incidents from Cortex XDR
- 4.2 Enriching Alerts with Additional Information
- 4.3 Creating a Custom Playbook
- 4.4 Performing Automated Actions
- Dynamic Address Group and Next Generation Firewall Integration
- 5.1 Tagging Host IP in the Next Generation Firewall
- 5.2 Using Dynamic Address Group for Restrictions
- 5.3 Other Use Cases for Dynamic Address Group
- Sending Email Notifications and Completing Playbook Tasks
- 6.1 Email Notification to User
- 6.2 Personalizing the Email
- 6.3 Closing the Incident
- Conclusion
Blocking Unwanted Proxy and VPN Applications using Cortex XDR and Cortex XSOAR
The video by Brad Cochran demonstrates how to block unwanted proxy and VPN applications with Cortex XDR and automate the response with Cortex XSOAR. This article walks through that solution step by step: creating a custom behavioral indicator of compromise (BIOC) and using the application's digital signature as the enforcement point; integrating Cortex XSOAR to enrich the alert from other sources and run specific response tasks; integrating with the Next Generation Firewall and using a dynamic address group to tag and restrict the offending host; and sending an email notification and completing the playbook tasks. The demonstration shows how Cortex XDR and Cortex XSOAR together prevent unwanted applications and automate incident response.
Introduction
Proxy and VPN applications let users route traffic around the organization's network controls and inspection, which is why many organizations want to block them. This article guides you through using Cortex XDR and Cortex XSOAR to prevent unwanted proxy and VPN applications from running on endpoints and to respond automatically when they are detected.
Blocking Unwanted Proxy and VPN Applications
2.1 Using Cortex XDR
Cortex XDR is a powerful security platform that provides visibility and control over endpoints, allowing for proactive threat detection and response. By leveraging Cortex XDR, you can prevent unwanted proxy and VPN applications from being executed on endpoints.
2.2 Automation with Cortex XSOAR
Cortex XSOAR is a security orchestration, automation and response platform on which you build custom playbooks to automate response actions. By integrating Cortex XSOAR with Cortex XDR, you can trigger additional automated actions whenever the prevention rule fires.
Preventing Unwanted Proxy Applications on the Endpoint
3.1 Custom Behavioral Indicator of Compromise
To prevent unwanted proxy applications, create a custom behavioral indicator of compromise (BIOC) rule in Cortex XDR. The BIOC describes the behavior of the unwanted application and, with its action set to prevent rather than only detect, serves as both the detection and the enforcement rule.
3.2 Enforcement Point: Digital Signature
In this demonstration, the enforcement point for the prevention rule is the digital signature of the unwanted proxy application rather than its file name or path. Because the signature travels with the binary, the rule remains effective even if the application is renamed or run from an unexpected location.
3.3 Testing the Prevention
To test the prevention, Brad runs the undesirable application after renaming it to "powershell.exe" so that it masquerades as a legitimate Windows binary. Despite the different name, the rule still matches on the signature, blocks the application and raises a behavioral threat detection alert.
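The following is an added example, not code from the video or from Cortex XDR, that shows why the signer is the right enforcement point: a prevention rule evaluated over constructed process events, where the renamed copy is still caught and the genuine powershell.exe is not. It goes one step beyond the demo by adding a hash fallback for a build that ships unsigned, which a signer-only rule would miss. The event fields, signer name, hashes and rule structure are all assumptions made for this example.

```python
"""Signature-based prevention, modelled on the BIOC rule described above.

Added illustration, not Cortex XDR code: the event fields, the signer
names, the hashes and the rule structure are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image_name: str        # file name the process was started as
    image_path: str        # full path on disk
    signature_status: str  # "signed", "unsigned" or "invalid" (constructed vocabulary)
    signer: str            # subject of the Authenticode signing certificate
    sha256: str            # hash of the image on disk


@dataclass(frozen=True)
class PreventionRule:
    name: str
    blocked_signers: frozenset  # signer subjects that identify the unwanted vendor
    blocked_hashes: frozenset   # fallback for builds that ship unsigned or with a stripped signature

    def matches(self, ev: ProcessEvent) -> bool:
        # The enforcement point is the signer, not the file name or path, so a
        # renamed or relocated copy of the same signed binary still matches.
        # Only a valid signature counts: with status "invalid" the bytes no longer
        # correspond to the certificate, so the signer field is not evidence.
        signers = {s.casefold() for s in self.blocked_signers}
        if ev.signature_status == "signed" and ev.signer.casefold() in signers:
            return True
        return ev.sha256.lower() in self.blocked_hashes


def evaluate(rule: PreventionRule, events):
    """Return one verdict per event: 'prevent' with an alert text, or 'allow'."""
    verdicts = []
    for ev in events:
        if rule.matches(ev):
            verdicts.append({"image": ev.image_name, "path": ev.image_path,
                             "action": "prevent", "alert": f"Behavioral Threat: {rule.name}"})
        else:
            verdicts.append({"image": ev.image_name, "path": ev.image_path,
                             "action": "allow", "alert": None})
    return verdicts


# Constructed rule and sample events: the original tool, the same signed binary
# renamed to powershell.exe in a user-writable directory, the genuine Windows
# PowerShell, and an unsigned build of the tool.
RULE = PreventionRule(
    name="Block Example VPN Client",
    blocked_signers=frozenset({"Example VPN Vendor Ltd."}),
    blocked_hashes=frozenset({"a" * 64}),
)
SAMPLE_EVENTS = [
    ProcessEvent("examplevpn.exe", r"C:\Program Files\ExampleVPN\examplevpn.exe",
                 "signed", "Example VPN Vendor Ltd.", "b" * 64),
    ProcessEvent("powershell.exe", r"C:\Users\jdoe\Downloads\powershell.exe",
                 "signed", "Example VPN Vendor Ltd.", "b" * 64),
    ProcessEvent("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "signed", "Microsoft Windows", "c" * 64),
    ProcessEvent("examplevpn.exe", r"C:\Users\jdoe\Downloads\examplevpn.exe",
                 "unsigned", "", "a" * 64),
]

if __name__ == "__main__":
    for v in evaluate(RULE, SAMPLE_EVENTS):
        print(f"{v['action']:8} {v['path']}  {v['alert'] or ''}")
```

The practical caveat the example encodes: a rule keyed on the signer only protects against renamed or moved copies of a signed binary; if the vendor also distributes unsigned builds, or an attacker strips the signature, a hash or file-attribute condition is needed as well.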
Integrating Cortex XOR for Automated Response Actions
4.1 Fetching Incidents from Cortex XDR
Cortex XSOAR integrates with Cortex XDR to fetch incidents automatically. Once an alert creates an incident in Cortex XDR, the incident is pulled into Cortex XSOAR for further analysis and automation.
4.2 Enriching Alerts with Additional Information
In Cortex XSOAR, you can enrich the alert with information from other sources using sub-playbooks. Entity enrichment checks indicators such as the file hash, IP addresses and URLs, and looks up the associated Active Directory account.
4.3 Creating a Custom Playbook
A custom playbook is created in Cortex XSOAR and associated with the Cortex XDR integration, so that incidents fetched from Cortex XDR run it automatically. The playbook defines the response actions to take when the prevention rule fires.
4.4 Performing Automated Actions
The automated actions in the Cortex XSOAR playbook are tagging the host IP address on the Next Generation Firewall and sending an email notification to the user. Together they restrict the user's network access and inform them of the detected activity.
Dynamic Address Group and Next Generation Firewall Integration
5.1 Tagging Host IP in the Next Generation Firewall
By integrating with the Next Generation Firewall, Cortex XSOAR can tag the IP address of the host on which the unwanted application was detected. The tag is what the firewall's dynamic address group matches on, so it is the hook for applying security policy to that host.
5.2 Using Dynamic Address Group for Restrictions
A dynamic address group collects the tagged IP addresses of the offending hosts. Because registered IP tags populate the group immediately, no commit is required on the firewall; security policy rules that reference the dynamic address group then restrict the host's access as soon as the tag is applied.
5.3 Other Use Cases for Dynamic Address Group
The dynamic address group can also be used to enforce stricter SSL decryption, apply authentication policies that require multi-factor authentication, or customize access based on the detected application or threat.
Sending Email Notifications and Completing Playbook Tasks
6.1 Email Notification to User
As part of the playbook in Cortex XSOAR, an email notification task informs the user about the detected inappropriate use of proxy or VPN software and the temporary restriction of their network access.
6.2 Personalizing the Email
The email notification can be personalized using the information enriched from the entity enrichment playbook. This allows for the inclusion of the user's full name and email address in the email notification.
6.3 Closing the Incident
Once all the playbook tasks are complete, including the email notification, the playbook closes the incident. This automation leaves analysts free to focus on incidents that require further response actions.
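The playbook steps of sections 4 to 6 (enrich, tag the host IP on the firewall, personalize and send the email, close the incident) as an added example in plain Python, not the playbook from the video and not XSOAR or PAN-OS code. The uid-message XML and the type=user-id API call are the documented PAN-OS User-ID API for registering IP tags; the directory records, the tag name proxy-vpn-block, the API key, the timeout value and the incident fields are constructed assumptions. No request is actually sent.

```python
"""Response steps modelled on the XSOAR playbook described above, written as
plain Python so they can be read and run outside XSOAR.

Added illustration, not XSOAR or PAN-OS code: the directory records, the tag
name, the API key and the incident fields are constructed assumptions. The
uid-message XML and the type=user-id call are the PAN-OS User-ID API format.
"""
import ipaddress
import xml.etree.ElementTree as ET

QUARANTINE_TAG = "proxy-vpn-block"  # assumed tag that the dynamic address group filter matches on

# Constructed stand-in for the output of the Active Directory enrichment sub-playbook.
DIRECTORY = {
    "jdoe": {"displayname": "Jane Doe", "mail": "jane.doe@example.com"},
}


def enrich_user(username):
    """Directory attributes for the user (DOMAIN\\user or bare), or {} if nothing is found."""
    return DIRECTORY.get(username.split("\\")[-1].lower(), {})


def build_uid_message(action, ip, tag, timeout_sec=None):
    """PAN-OS User-ID API message that registers or unregisters a tag on an IP.

    Registered IP tags populate dynamic address groups immediately, with no commit.
    The optional per-tag timeout (PAN-OS 9.0 and later) makes the tag expire on its
    own, which is what makes a "temporary" restriction actually temporary.
    """
    if action not in ("register", "unregister"):
        raise ValueError(f"unsupported action: {action}")
    ipaddress.ip_address(ip)  # refuse anything that is not a literal IP before it reaches the firewall
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    entry = ET.SubElement(ET.SubElement(payload, action), "entry", ip=ip)
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    member.text = tag
    if action == "register" and timeout_sec is not None:
        member.set("timeout", str(int(timeout_sec)))
    return ET.tostring(root, encoding="unicode")


def firewall_request(api_key, xml_cmd):
    """Form parameters for POST https://<firewall>/api/ (built only; nothing is sent here)."""
    return {"type": "user-id", "key": api_key, "cmd": xml_cmd}


def build_email(record, username, ip, rule_name):
    """Personalize the notification with the enriched display name and mail address."""
    name = record.get("displayname") or username
    body = (
        f"Hello {name},\n\n"
        f"Cortex XDR blocked proxy/VPN software on your device ({ip}) under the rule "
        f"'{rule_name}'. Network access from this address is temporarily restricted.\n"
        "Please remove the software and contact the security team if you believe this is an error.\n"
    )
    return {"to": record.get("mail"), "subject": f"Network access restricted for {ip}", "body": body}


def run_playbook(incident, api_key="ASSUMED-API-KEY", timeout_sec=3600):
    """Enrich, tag, notify, then close the incident only if every step produced a result."""
    record = enrich_user(incident["username"])
    fw_call = firewall_request(
        api_key, build_uid_message("register", incident["host_ip"], QUARANTINE_TAG, timeout_sec))
    email = build_email(record, incident["username"], incident["host_ip"], incident["rule_name"])
    done = bool(fw_call["cmd"]) and email["to"] is not None
    closed = dict(incident,
                  status="closed" if done else "open",
                  close_notes="Host tagged on firewall and user notified" if done
                  else "Manual follow-up: no mail address found for user")
    return {"enrichment": record, "firewall": fw_call, "email": email, "incident": closed}


# Constructed incident in the shape of one fetched from Cortex XDR.
SAMPLE_INCIDENT = {"id": "12345", "username": "CORP\\jdoe", "host_ip": "10.20.30.40",
                   "rule_name": "Block Example VPN Client", "status": "open"}

if __name__ == "__main__":
    result = run_playbook(SAMPLE_INCIDENT)
    print(result["firewall"]["cmd"])
    print(result["email"]["body"])
    print(result["incident"]["status"], result["incident"]["close_notes"])
```

Two design points a practitioner would want here. The incident is only closed when the firewall message was built and the user could actually be notified; if enrichment finds no mail address the incident stays open for manual follow-up rather than being silently closed. And the tag carries a timeout: an IP address identifies a host only until DHCP reassigns it, so an untimed tag can end up restricting a different machine, and the unregister form of the same message is what lifts the restriction early. On the firewall side, the dynamic address group's match filter must reference the same tag string, and the security rules that reference the group are committed once in advance; only the tag registration happens at response time.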
Conclusion
In conclusion, the demonstration by Brad Cochran shows how Cortex XDR and Cortex XSOAR block unwanted proxy and VPN applications on endpoints. By creating a custom behavioral indicator of compromise and automating with Cortex XSOAR, organizations can prevent the execution of undesirable applications and take the necessary response actions. The integration with the Next Generation Firewall and the use of dynamic address groups extend that response to the network. Together, Cortex XDR and Cortex XSOAR provide proactive threat prevention and incident response automation.
Highlights
- Use Cortex XDR and Cortex XSOAR to block unwanted proxy and VPN applications.
- Create a custom behavioral indicator of compromise to detect unwanted applications.
- Utilize the digital signature of applications for enforcement in prevention rules.
- Integrate Cortex XSOAR for automated response actions, such as tagging IP addresses in the Next Generation Firewall.
- Use dynamic address groups for immediate application of restrictions based on tagged IP addresses.
- Personalize email notifications to inform users about restricted access due to detected unauthorized software.
FAQ
Q: Can the prevention rules detect renamed or relocated applications?
A: Yes, by using the digital signature of the application as the enforcement point, the prevention rules remain effective even if the application is renamed or run from an unexpected location.
Q: What other actions can be performed in Cortex XSOAR?
A: Cortex XSOAR can enrich the alert with additional data, automate response tasks, and integrate with other security tools for a complete incident response workflow.
Q: How can the dynamic address group be used in security policies?
A: The dynamic address group can be used to create security policies that heavily restrict the access of the tagged IP addresses. This can include stricter SSL decryption, authentication policies, or specific access controls based on the detected application or threat.
Q: Can the email notification in Cortex XSOAR be customized?
A: Yes, the email notification can be personalized using the information enriched from other sources. This allows for including the user's full name and email address in the notification for a more personalized communication.
Q: Can Cortex XSOAR automatically close incidents in Cortex XDR?
A: Yes. Once the playbook tasks are complete, including the email notification, Cortex XSOAR closes the incident in Cortex XDR. This leaves analysts free to focus on incidents that require further response actions.