Playbook Fridays: Have You Been Pwned?

Enriching Indicators with haveibeenpwned

ThreatConnect developed the Playbooks capability to help analysts automate time-consuming and repetitive tasks so they can focus on what is most important and, in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.

Why Was the Playbook Created?

Data breaches come and go and it is easy to forget who was breached and when. The team at Have I Been Pwned? has built a searchable database of 4.8 billion compromised accounts. 

We have built a PlayBook app that allows you to query for breach information for a given email address as well as return additional context around a given breach.

How it Works:

  1. When looking at any EmailAddress indicator in the ThreatConnect platform, simply click “Check HIBP”. That’s all that is needed.
  2. From here, the ThreatConnect PlayBooks engine takes over and performs the following steps:
    a. Check HIBP for the email address
    b. If found, perform some data transformations to extract the data needed
    c. Tag the current Indicator with the name of the breach it was found in
    d. Search for existing Incidents to associate the EmailAddress to, creating a new Incident if required
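
Steps b through d amount to a transformation over the breach records HIBP returns. The Python below is an added example, not ThreatConnect's playbook (which uses no code): it turns a constructed HIBP-style response into indicator tags and an incident plan. The `HIBP Breach:` incident naming and the `existing_incidents` set standing in for the platform's incident search are assumptions.

```python
import json
import re
from html import unescape

# Constructed sample of the JSON array HIBP returns for a breached account
# (field names follow the public HIBP breach model; values are made up).
SAMPLE_HIBP_RESPONSE = json.dumps([
    {"Name": "ExampleForum", "BreachDate": "2016-03-01",
     "Description": "In March 2016, <a href=\"https://example.test\">Example Forum</a> "
                    "exposed 1&nbsp;million accounts."},
    {"Name": "SampleShop", "BreachDate": "2018-11-20",
     "Description": "Sample Shop leaked <em>email addresses</em> and passwords."},
    {"Name": "ExampleForum", "BreachDate": "2016-03-01",
     "Description": "duplicate entry"},
])

def clean_description(raw):
    """HIBP descriptions carry HTML markup; reduce them to plain text."""
    text = re.sub(r"<[^>]+>", "", raw)          # drop tags before decoding entities
    return re.sub(r"\s+", " ", unescape(text)).strip()

def plan_enrichment(email, hibp_json, existing_incidents):
    """Return tags for the indicator plus incidents to associate or create."""
    # existing_incidents: set of incident names already present (hypothetical
    # stand-in for the platform's incident search).
    plan = {"indicator": email, "tags": [], "associate": [], "create": []}
    if not hibp_json:                            # no breaches found: nothing to parse
        return plan
    seen = set()
    for breach in json.loads(hibp_json):
        name = breach.get("Name")
        if not name or name in seen:             # skip malformed or repeated records
            continue
        seen.add(name)
        plan["tags"].append(name)                # step c: tag with the breach name
        incident = f"HIBP Breach: {name}"        # naming convention is an assumption
        if incident in existing_incidents:       # step d: reuse an existing incident
            plan["associate"].append(incident)
        else:                                    # step d: otherwise plan a new one
            plan["create"].append({
                "name": incident,
                "event_date": breach.get("BreachDate"),
                "description": clean_description(breach.get("Description", "")),
            })
    return plan

if __name__ == "__main__":
    known = {"HIBP Breach: SampleShop"}
    print(json.dumps(plan_enrichment("user@example.com", SAMPLE_HIBP_RESPONSE, known), indent=2))
```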

One step for the analyst

Here you can see that this unlucky user’s account was found in over 50 data breaches and we tagged the indicator with each breach.

We also created and associated an incident for each data breach that contains the breach date as well as a brief description of the breach.

It’s important to note that we did not write a single line of code to build this playbook with HIBP, and relied entirely on utility apps provided in ThreatConnect Playbooks to “build the integration”. This showcases the power and extensibility of ThreatConnect as a true platform. If an integration doesn’t exist, you can easily create one using the built-in capabilities of ThreatConnect Playbooks.

How to Use It:

  1. Import the PlayBook; we have created a GitHub repository with the PlayBook file
  2. Click “Check HIBP”

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.