
Playbook Fridays: Have You Been Pwned?

Playbook Fridays: Check haveibeenpwned for indicators

Enriching Indicators with haveibeenpwned

ThreatConnect developed the Playbooks capability to help analysts automate time-consuming and repetitive tasks so they can focus on what matters most, and in many cases to ensure the analysis process runs consistently and in real time, without human intervention.

Why Was the Playbook Created?

Data breaches come and go, and it is easy to forget who was breached and when. The team at Have I Been Pwned? has built a searchable database of 4.8 billion compromised accounts and provides a simple-to-use REST API for queries.

We have built a Playbook that leverages this data to enrich the indicators that matter to your SecOps team.

How it Works:

  1. When looking at any EmailAddress indicator in the ThreatConnect platform, simply click "Check HIBP". That's all that is needed.
  2. From here, the ThreatConnect Playbooks engine takes over and performs the following steps:
     a. Check HIBP for the email address
     b. If found, perform some data transformations to extract the data needed
     c. Tag the current indicator with the name of each breach it was found in
     d. Search for existing Incidents to associate the EmailAddress to, creating a new Incident if required
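The four steps above, written out as an added Python example so the data flow is visible. This is not the playbook itself (the post stresses that the playbook was built from ThreatConnect utility apps without writing code) and not code from HIBP or ThreatConnect. It assumes the HIBP v3 `breachedaccount` endpoint authenticated with an `hibp-api-key` header, and an incident naming convention of `HIBP Breach: <name>`; both are assumptions. It runs on a constructed breach list, only `fetch_breaches` touches the network, and it goes slightly beyond the post by also flagging which breaches exposed passwords, which is the detail a responder usually wants first.

```python
"""Added example: the HIBP playbook's steps a-d as plain Python.
Assumptions (not from the post): HIBP v3 endpoint, hibp-api-key header,
and the "HIBP Breach: <name>" incident naming convention."""
import html
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumption: HIBP v3 "breachedaccount" endpoint.
HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def fetch_breaches(email, api_key, timeout=10):
    """Step a: ask HIBP which breaches contain this account.
    HIBP answers 404 when the address appears in no known breach, so that
    case is returned as an empty list rather than raised as an error."""
    url = (HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email, safe="")
           + "?truncateResponse=false")  # full breach objects, not just names
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": "hibp-playbook-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def strip_html(text):
    """HIBP breach descriptions carry HTML markup; incident text should not."""
    return html.unescape(re.sub(r"<[^>]+>", "", text)).strip()


def extract_breach_records(breaches):
    """Step b: reduce each HIBP breach object to the fields the playbook needs."""
    return [{"name": b["Name"],
             "breach_date": b["BreachDate"],
             "description": strip_html(b.get("Description", "")),
             "exposes_passwords": "Passwords" in b.get("DataClasses", [])}
            for b in breaches]


def tags_for(records):
    """Step c: one tag per breach name, applied to the EmailAddress indicator."""
    return sorted({r["name"] for r in records})


def incident_name(record):
    # Assumed naming convention for the incidents the playbook creates.
    return f"HIBP Breach: {record['name']}"


def plan_incidents(records, existing_incident_names):
    """Step d: associate to an existing incident for the breach when there is one,
    otherwise create an incident carrying the breach date and description."""
    existing = set(existing_incident_names)
    plan = {"associate": [], "create": []}
    for r in records:
        name = incident_name(r)
        if name in existing:
            plan["associate"].append(name)
        else:
            plan["create"].append({"name": name, "event_date": r["breach_date"],
                                   "description": r["description"]})
            existing.add(name)  # never create the same incident twice in one run
    return plan


def enrich(breaches, existing_incident_names=()):
    """Run steps b-d on an HIBP response and return what the playbook would do."""
    records = extract_breach_records(breaches)
    return {"tags": tags_for(records),
            "incidents": plan_incidents(records, existing_incident_names),
            "password_exposure": [r["name"] for r in records if r["exposes_passwords"]]}


# Constructed sample in the shape of an HIBP breach list (not real breach data).
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "Title": "Example Forum", "BreachDate": "2014-03-02",
     "Description": 'In March 2014, <a href="https://forum.example">Example Forum</a> was breached.',
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleShop", "Title": "Example Shop", "BreachDate": "2017-11-20",
     "Description": "A customer list from Example Shop &amp; partners was exposed.",
     "DataClasses": ["Email addresses", "Names"]},
]


if __name__ == "__main__":
    # Pretend an incident for ExampleShop already exists in the platform.
    print(json.dumps(enrich(SAMPLE_BREACHES, ["HIBP Breach: ExampleShop"]), indent=2))
```

The 404-as-empty handling matters in practice: an indicator that is in no breach is the common case, and a playbook that treats it as a failure will page someone for nothing. Keeping the network call separate from the transformation steps also means the tagging and incident logic can be tested against stored responses.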

[Screenshot: playbook actions]

One step for the analyst

[Screenshot: common tags]

Here you can see that this unlucky user's account was found in over 50 data breaches and we tagged the indicator with each breach.

[Screenshot: associated groups]

We also created and associated an Incident for each data breach, containing the breach date as well as a brief description of the breach.

[Screenshot: webhost breach]

It's important to note that we did not write a single line of code to build this playbook with HIBP; we relied entirely on the utility apps provided in ThreatConnect Playbooks to "build the integration". This showcases the power and extensibility of ThreatConnect as a true platform. If an integration doesn't exist, you can easily create one using the built-in capabilities of ThreatConnect Playbooks.

How to Use It:

  1. Import the Playbook: we have created a GitHub repository with the Playbook file.
  2. Click "Check HIBP".