Wazuh

Incident response is a structured approach to managing and addressing security breaches or cyber-attacks. Security teams must overcome challenges such as timely detection, comprehensive data collection, and coordinated actions to enhance readiness. Improving these areas ensures a swift and effective response, minimizing damage and restoring normal operations quickly.

Challenges in incident response

Incident response presents several challenges that must be addressed to ensure a swift and effective recovery from cyber attacks. The following section lists some of these challenges.

  • Timeliness: One of the primary challenges in incident response is addressing incidents quickly enough to minimize damage. Delays in response can lead to more compromises and increased recovery costs.
  • Information correlation: Security teams often struggle to effectively collect and correlate relevant data. Without a comprehensive view, understanding the full scope and impact of the incident becomes difficult.
  • Coordination and communication: Incident response requires coordination amongst various parties, including technical teams, management, and external partners. Poor communication can lead to confusion and ineffective responses.
  • Resource constraints: Many organizations operate with limited security resources. Understaffed teams may find it challenging to handle multiple incidents simultaneously, leading to prioritization issues and potential oversight.

Stages of incident response

Wazuh

  • Preparation involves creating an incident response plan, training teams, and setting up the right tools to detect and respond to threats.
  • Identification is the next critical step. It relies on effective monitoring for quick and accurate alerting of suspicious activities.
  • Containment uses immediate actions to limit the spread of the incident. This includes short-term efforts to isolate the breach and long-term strategies to secure the system before it becomes fully operational.
  • Eradication involves addressing the root causes of the incident. This includes removing malware and fixing exploited vulnerabilities.
  • Recovery entails restoring systems and closely monitoring them to ensure they are clean and functioning properly post-incident.
  • Lessons learned involve reviewing the incident and the response to it. This step is vital for improving future responses.

How Wazuh enhances incident response readiness

Wazuh is an open source platform that offers unified security information and event management (SIEM) and extended detection and response (XDR) capabilities across workloads in cloud and on-premises environments. Wazuh performs log data analysis, file integrity monitoring, threat detection, real-time alerting, and automated incident response. The section below shows some ways Wazuh improves incident response.

Automated incident response

The Wazuh active response module triggers actions in response to specific events on monitored endpoints. When an alert meets specific criteria, such as a particular rule ID, severity level, or rule group, the module initiates predefined actions to address the incident. Security administrators can configure automated actions to respond to specific security incidents.

Implementing active response scripts in Wazuh involves defining commands and configuring responses. This ensures that scripts execute under the right conditions, helping organizations tailor their incident response to their unique security needs. A general overview of the implementation process can be:

  • Command definition: Define the command in the Wazuh manager configuration file, specifying the script's location and necessary parameters. For example:
<command>
    <name>quarantine-host</name>
    <executable>quarantine_host.sh</executable>
    <expect>srcip</expect>
</command>
  • Active response configuration: Configure the active response to determine execution conditions, associating the command with specific rules and setting execution parameters. For example:
<active-response>
    <command>quarantine-host</command>
    <location>any</location>
    <level>10</level>
    <timeout>600</timeout>
</active-response>
  • Rule association: The custom active response will be linked to specific rules in the Wazuh ruleset to ensure the script runs when relevant alerts are triggered.

This implementation process allows security teams to automate responses efficiently and customize their incident response strategies.

Default security actions

Wazuh active response automatically executes some specific actions in response to certain security alerts by default, on both Windows and Linux endpoints. These actions include but are not limited to:

Blocking a known malicious actor

Wazuh can block known malicious actors by adding their IP addresses to a deny list as soon as an alert triggers. This active response ensures malicious actors are quickly disconnected from their target systems or networks.

The process typically involves continuously monitoring log data and network traffic to detect compromise or anomalous behavior. Wazuh predefined rules trigger an alert when suspicious activity is identified. The Wazuh active response module executes a script to update firewall rules or network access control lists, blocking the malicious IP address. A response action is logged, and notifications are sent to security personnel for further investigation.

This use case utilizes a public IP reputation database such as the Alienvault IP reputation database or AbuseIPDB containing IP addresses flagged as malicious to identify and block known threats. The image below illustrates identifying and blocking a malicious IP address based on IP reputation database.

Malware detection and removal with Wazuh

Wazuh monitors file activity on endpoints, utilizing its File Integrity Monitoring (FIM) capability, integrations with threat intelligence, and predefined rules, to detect unusual patterns indicating potential malware attacks. An alert is triggered upon identifying changes on files that match the known malware behavior. The Wazuh active response module then initiates a script to remove the malicious files to ensure they cannot execute or cause further harm.

All actions are logged, and detailed notifications are generated for security personnel. These logs include information about the detected anomaly and the response actions executed, showing the status of the affected endpoint. Security teams can then use the detailed logs and data from Wazuh to investigate the attack and implement additional remediation measures.

The image below shows Wazuh detecting malicious software with VirusTotal, and Wazuh active response removing the detected malware.

Policy enforcement

Account lockout is a security measure that defends against brute force attacks by limiting the number of login attempts a user can make within a specified time. Organizations can use Wazuh to enforce security policies automatically, such as disabling a user account after multiple failed password attempts.

Wazuh uses disable-account, an out-of-the-box active response script, to disable an account with three failed authentication attempts. In this use case, the user is blocked for five minutes:

<ossec_config>
    <active-response>
        <command>disable-account</command>
        <location>local</location>
        <rules_id>120100</rules_id>
        <timeout>300</timeout>
    </active-response>
</ossec_config>

<command>: Specifies the disable-account active response script to be executed.

<location>: Specifies where the active response configured will be executed, which is local meaning on the monitored endpoints.

<rules_id>: Specifies the rule ID, the condition for executing active response command.

<timeout>: Specifies how long the active response action must last. In this case, the account will remain disabled for 300 seconds. After that period, the active response reverts its action and re-enables the account.

In the image below, the Wazuh active response module disables a user account on a Linux endpoint and automatically re-enables it after 5 minutes.

Customizable security actions

Wazuh also provides flexibility by allowing users to develop custom active response scripts in any programming language, enabling them to tailor responses to their organization's unique requirements. For instance, a Python script could be designed to quarantine an endpoint by modifying its firewall settings.

Integration with third-party incident response tools

Wazuh integrates with various third-party incident response tools, enhancing its capabilities and providing a more extensive security solution. This integration allows organizations to leverage existing investments in security infrastructure while benefiting from Wazuh capabilities.

For example, integrating Wazuh with Shuffle, a security orchestration, automation, and response (SOAR) platform, enables the creation of sophisticated automated workflows that streamline incident response processes.

Similarly, enhancing incident response with Wazuh and DFIR-IRIS integration provides an insightful combination of digital forensics and incident response (DFIR). DFIR-IRIS is a versatile incident response framework that, when integrated with Wazuh, offers extended incident investigation and mitigation capabilities.

These integrations can facilitate:

  • Automated ticket creation in IT service management (ITSM) systems.
  • Orchestrated threat intelligence lookups to enrich alert data.
  • Coordinated response actions across multiple security tools.
  • Customized reporting and notification workflows.

An instance is when a phishing email containing a malicious link is detected by Wazuh, an incident ticket is automatically created in the ITSM system, assigning it to the relevant team for immediate attention. Simultaneously, Wazuh queries a threat intelligence platform to enrich the alert data with additional context about the malicious link, such as its origin and associated threats. The security orchestration tool automatically isolates the affected endpoint and blocks the malicious IP across all network devices. Customized reports and notifications are generated and sent to relevant parties, ensuring they are informed about the incident and the actions taken.

By leveraging these integrations, security teams can quickly and effectively respond to the phishing attack, minimizing potential damage and preventing further spread. This enhances incident response readiness through streamlined and automated processes facilitated by integrating third-party tools with Wazuh.

Conclusion

Enhancing incident response readiness is essential for minimizing the impact of cyberattacks. Wazuh provides a comprehensive solution to help your organization achieve this with its real-time visibility, automated response capabilities, and ability to integrate with third-party tools.

By leveraging Wazuh, security teams can manage incidents, reduce response times, and ensure a robust security posture. Learn more about Wazuh by checking out our documentation and joining our community of professionals.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.