How Palo Alto XSOAR & Aruba ClearPass work great together to auto-quarantine infected hosts
In this article, we will elaborate on how to use the built-in automation capabilities of Palo Alto Cortex XSOAR to automatically quarantine infected hosts on your network. These hosts can be company PCs, smart devices such as phones and tablets, IoT devices such as printers and cameras, and so on.
TrueGEN has chosen Palo Alto Cortex XSOAR technology as a key element within its own Security Operations Center (SOC) and as the preferred tool to build a co-managed SOC with customers.
There is a need for a specialized tool (other than a generic IT case management tool) because of the nature of handling security incidents. Investigating a security incident requires a lot of context (the more, the better!). The only way to gather and correlate all that context quickly is to use automation.
But we can take it one step further and not only automate the detection and investigation of cyber security incidents, we can also automate the response to them! Automating the response to a cyber security incident shortens the reaction time drastically and thus can reduce cyber security risk in your organization.
We will use the Cortex XSOAR platform to filter out security incidents that have a high level of confidence of being malware related, for example a host connecting to a known ‘command and control’ malware address. It is best not to automate incidents with a low or medium confidence level, as there is the risk of acting on a ‘false positive’ and creating business impact for what turns out to be a false alarm. In these cases human investigation is the better approach.
When a ‘True Positive’ security incident is identified on a host, we want to isolate it as quickly as possible to prevent extra damage or spreading through the network. A common approach is to add the infected host to a dynamic list on internal and external firewalls to block all its traffic through the firewall immediately.
When our customer has implemented a ‘Network Access Control (NAC)’ solution we can take an alternative or additional approach by removing the infected host completely from the network and placing it in a quarantine zone. Blocking the infected host on the perimeter/external firewall would not be enough. The infected host would no longer be able to reach its ‘command and control’ server, but still have full access to the local network and possibly spread the infection to neighboring hosts and networks.
Aruba Clearpass provides robust network access control (NAC) with granular role-based policies for authentication, authorization, continuous monitoring and enforcement. It is highly interoperable with many other products and solutions from other vendors. This helps customers leverage their investment in their existing solutions to better coordinate network and security operations.
So let’s get started and integrate Aruba ClearPass with Palo Alto Cortex XSOAR!
We will leverage this integration to change a user/host to another VLAN (e.g. Quarantine VLAN) if malicious network traffic or highly suspicious behavior is detected. The integration will be set up on an existing Cortex XSOAR tenant and an existing Aruba Clearpass installation with API access already enabled.
The following steps are required:
- Install the Aruba Clearpass integration from the Cortex XSOAR Marketplace
- Create the Cortex XSOAR playbook
Installing the Aruba Clearpass integration in Cortex XSOAR
In the Cortex XSOAR Marketplace we can find the integration pack for Aruba ClearPass provided and certified by Palo Alto Networks.
The pack contains the logic for the following interactions with ClearPass:
- Get a list of endpoints from the endpoint repository
- Update one or more fields of a specific endpoint in the endpoint repository
- Get a list of possible attributes from the Dictionary Attributes
- Create, update or delete an attribute from within the Dictionary Attributes
- Get a list of active sessions in the ClearPass
- Disconnect a specific active session and send a CoA to the authenticator
With these interactions we can create XSOAR playbooks that automatically add an attribute to a client, or disconnect the client when needed. On the client’s next login, ClearPass evaluates this attribute and either places the client in a secluded quarantine VLAN or denies it access altogether.
Create the Cortex XSOAR playbook
Playbooks are at the heart of the Cortex XSOAR system. They enable you to automate many of your security processes. They help you to structure and automate security responses that previously had to be handled manually.
A playbook is visualized as a flowchart and contains standard and conditional tasks. Conditional tasks allow for branches in the automation flow.
In our example we will create a so-called sub-playbook that will be called from the main incident response playbook. Our sub-playbook uses the MAC address(es) of the infected host and marks them as ‘quarantined’. Playbooks can be easily changed to adapt to changing requirements.
The example sub-playbook looks as follows:
Now let’s go through this playbook step by step:
- Playbook Triggered: our sub-playbook is triggered and the full context of the security incident is shared.
- Retrieve info from ClearPass Endpoints Repository:
  - Within the (enriched) context of the security incident we find the MAC address of the host.
  - Find out if the client is present in the endpoint repository by querying ClearPass for the MAC address of the host.
- Does the Endpoint Repository contain the client?
  - If the return is empty, the endpoint is unknown and the playbook is stopped with “Endpoint Unknown. Unable to quarantine it”. This could happen if the host is on another network that is not covered by the NAC solution. In this case the main playbook will, for example, assign a human analyst to further investigate.
  - If we do find the endpoint in the “Endpoint Repository”, we can continue.
- Adding the client to NAC Quarantine:
  - Update Endpoint Quarantine Attribute to be true: XSOAR makes the change in the ClearPass DB. This takes effect the next time the user/host tries to access the network.
  - Retrieve Active Session of this MAC Address: all active sessions are uniquely identified with an ID. To disconnect a client, we need that ID, not the MAC address. We can retrieve the ID, if any, by polling the active sessions list with the MAC address as parameter.
  - Is there an active session on ClearPass? If this poll returns a specific session ID, we can disconnect that session.
    - NO: the client is currently not connected to the network.
    - YES: Disconnect the client to force reauthentication: XSOAR sends a disconnect command to ClearPass.
      - After the disconnect, once the client reconnects to the network, it is reauthenticated and will only have access to the quarantine environment.
      - A human analyst can perform further investigations (such as forensic investigation and collection of a forensic copy as proof).
      - The ticket can be assigned to the IT support team to clean or reimage/reinstall the
- Confirm latest status of endpoint attributes: finally, we retrieve the endpoint one more time. This is optional. The result of this poll can be added to the case as evidence.
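The branching logic of the sub-playbook above, written out as a plain Python function so the three paths (unknown endpoint, known endpoint without a session, known endpoint with an active session) can be exercised offline. This is an added example, not TrueGEN’s playbook or the ClearPass content pack; the FakeClearPass client, its method names, the “Quarantine” attribute name and the sample MAC addresses and session ID are all constructed assumptions standing in for the pack’s endpoint and session commands.

```python
from dataclasses import dataclass, field


@dataclass
class FakeClearPass:
    """In-memory stand-in for the ClearPass endpoint repository and session list
    (assumption: method names mirror the content-pack interactions, not a real API)."""
    endpoints: dict = field(default_factory=dict)   # mac -> attribute dict
    sessions: dict = field(default_factory=dict)    # mac -> active session id

    def get_endpoint(self, mac):
        return self.endpoints.get(mac)

    def update_endpoint(self, mac, attributes):
        self.endpoints[mac].update(attributes)

    def active_session_id(self, mac):
        return self.sessions.get(mac)

    def disconnect_session(self, session_id):
        # The CoA tears the session down, so it disappears from the active list.
        self.sessions = {m: s for m, s in self.sessions.items() if s != session_id}


def quarantine_host(cp, mac):
    """Mirror of the playbook branches; returns a dict usable as incident context."""
    mac = mac.lower()                              # normalise before the lookup
    if cp.get_endpoint(mac) is None:               # branch: endpoint unknown
        return {"mac": mac, "quarantined": False, "disconnected_session": None,
                "message": "Endpoint Unknown. Unable to quarantine it"}
    cp.update_endpoint(mac, {"Quarantine": True})  # takes effect on next login
    session_id = cp.active_session_id(mac)         # need the ID, not the MAC
    if session_id is not None:                     # branch: YES, active session
        cp.disconnect_session(session_id)          # force reauthentication
    final = cp.get_endpoint(mac)                   # optional confirmation poll
    return {"mac": mac, "quarantined": final.get("Quarantine") is True,
            "disconnected_session": session_id, "message": "Endpoint quarantined"}


# Constructed sample data: two known endpoints, only one with an active session.
SAMPLE = FakeClearPass(
    endpoints={"00:11:22:33:44:55": {"Quarantine": False},
               "aa:bb:cc:dd:ee:ff": {"Quarantine": False}},
    sessions={"00:11:22:33:44:55": "R0000001-01-5f0e"},
)

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF", "de:ad:be:ef:00:00"):
        print(quarantine_host(SAMPLE, mac))
```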
The TrueGEN SOC actively uses this integration within the Managed XDR service offering on behalf of our customers. If you are interested to learn more about this integration or other integrations, do not hesitate to contact us! Our TrueGEN engineers can implement Cortex XSOAR integrations that are available for use in the Cortex XSOAR marketplace or even develop custom integrations as required.
About the author: Wouter Lambrecht
Wouter is a Senior Network & Security Engineer within the TrueGEN operations teams. As an expert in Palo Alto Networks & Aruba Clearpass technology, he is responsible for the overall architecture, design and implementation of integration projects between both technologies. With his experience he supports the TrueGEN SOC team to develop, deploy and improve automated workflows in Palo Alto Cortex XSOAR which enables the TrueGEN SOC analysts to faster detect and respond to attackers within customer environments.