Question
Bellevue Bank and Trust has recently purchased and deployed the Shuffle Cloud SOAR service and wants to take advantage of the functionality to automate as many of the tasks that the SOC and IR teams currently handle manually as possible. While there are tens or hundreds of use cases, the CISO at BB&T wants the team to pick two of the use cases that generate the most work and pilot the automation of those use cases with SOAR. As part of the preparation for that automation, he has tasked you to develop flowcharts of two processes.
For this assignment, pick the flowcharting tool of your choice. Draw.io is a free website that will allow you to complete this assignment's flowcharts. You can also create flowcharts using the drawing tools in Microsoft Word to complete the assignment. Other drawing tools like Visio can also be used. Make sure you submit your flowcharts in a standard format such as a Word document, PDF, or standard image file (JPEG, PNG, BMP, etc.).
Use Case / Process 1

One of the heaviest workloads for the SOC and IR teams is dealing with phishing. The company has used Proofpoint as an email security gateway for several years. Currently, there is no integration with the TheHive ticketing system. A SOC analyst has to go into the Proofpoint console and review the alerts generated by Proofpoint. For each alert, if it is not immediately apparent that the emails in the alert are benign, they must manually transfer the information from Proofpoint into TheHive to open a case. Once the case is open, they must research any artifacts, such as sender email addresses, mail servers, attachments, URLs, and domains, for evidence of maliciousness using the AbuseIPDB, VirusTotal, URLScan, PhishTank, OTX, and IBM X-Force services. If any of these services indicate any prior malicious detection, the SOC analyst must escalate the case to a security incident. They must also contact the user outside of email and let them know they have been phished, and then reset their password. They must also generate a ticket for the HR training team to assign the phished employee to remedial phishing training. If malware was downloaded, they must put in a ticket for the forensics team to take a forensic image of the machine (over the network). After this is done, the forensics team will manually put in a ticket for the endpoint support team to obtain and reimage the device. When all these tasks are complete, the SOC analyst can close out the security case and document the remedial actions taken. If at any point ransomware or exfiltration of data occurs, the SOC analyst must escalate the case to the IR team, and that team will start the IR processes.
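The manual process above is essentially a decision tree, and a SOAR playbook is that tree expressed as code. The following is an added example, in Python, that models Use Case 1 end to end: extract the artifacts an analyst would research, query every reputation service for each one, and derive the case status and the follow-up tickets from the results. It is not Shuffle's code or BB&T's playbook. The `Alert` field names, the `malware_downloaded` and `ransomware_or_exfil` flags (assumed to come from EDR/DLP telemetry), and the `LOOKUPS`/`KNOWN_BAD` tables are assumptions; the service lookups are injected callables with constructed sample intel so the block runs offline, where a real Shuffle app would make HTTP calls to AbuseIPDB, VirusTotal, URLScan, PhishTank, OTX and IBM X-Force.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# The six reputation services named in the use case.
SERVICES = ("AbuseIPDB", "VirusTotal", "URLScan", "PhishTank", "OTX", "IBM X-Force")

# A lookup takes (artifact_type, value) and returns True when the service has
# previously flagged that artifact as malicious.  In a real Shuffle app these
# would be HTTP calls; here they are injected so the example runs offline.
Lookup = Callable[[str, str], bool]


@dataclass
class Alert:
    """Minimal model of a Proofpoint phishing alert (assumed field names)."""
    sender: str
    recipient: str
    body: str
    attachment_hashes: List[str] = field(default_factory=list)
    malware_downloaded: bool = False    # assumed to come from EDR telemetry
    ransomware_or_exfil: bool = False   # assumed to come from EDR/DLP telemetry


def extract_artifacts(alert: Alert) -> Dict[str, Set[str]]:
    """Pull the artifacts the analyst researches by hand: sender, URLs, domains, hashes."""
    urls = set(URL_RE.findall(alert.body))
    domains = {h for h in (urlparse(u).hostname for u in urls) if h}
    domains.add(alert.sender.rsplit("@", 1)[-1].lower())
    return {
        "email": {alert.sender.lower()},
        "url": urls,
        "domain": domains,
        "hash": {h.lower() for h in alert.attachment_hashes},
    }


def enrich(artifacts: Dict[str, Set[str]], lookups: Dict[str, Lookup]) -> List[Tuple[str, str, str]]:
    """Query every service for every artifact; return (service, type, value) per prior detection."""
    hits = []
    for kind, values in artifacts.items():
        for value in sorted(values):
            for service, lookup in lookups.items():
                if lookup(kind, value):
                    hits.append((service, kind, value))
    return hits


def triage(alert: Alert, lookups: Dict[str, Lookup]) -> dict:
    """The decision tree from the manual process, returned as the case record the playbook acts on."""
    hits = enrich(extract_artifacts(alert), lookups)
    case = {"user": alert.recipient, "hits": hits, "actions": []}

    if not hits:
        # No service reports a prior detection: document and close the case.
        case["status"] = "closed_no_malicious_indicators"
        return case

    # Any prior detection escalates to a security incident and triggers the
    # out-of-band user contact, password reset and HR training ticket.
    case["status"] = "security_incident"
    case["actions"] += [
        "notify_user_out_of_band",
        "reset_user_password",
        "ticket:hr_remedial_phishing_training",
    ]
    if alert.malware_downloaded:
        # Network forensic image first, then the reimage ticket the forensics
        # team currently raises by hand once imaging is done.
        case["actions"] += ["ticket:forensics_network_image", "ticket:endpoint_reimage"]
    if alert.ransomware_or_exfil:
        case["status"] = "escalated_to_ir"
        case["actions"].append("escalate:ir_team")
    return case


# Constructed sample intel for the demo; nothing below is real indicator data.
KNOWN_BAD: Dict[str, Set[Tuple[str, str]]] = {
    "PhishTank": {("url", "http://secure-login.bbt-verify.example/reset")},
    "VirusTotal": {("hash", "deadbeef" * 8)},
}
LOOKUPS: Dict[str, Lookup] = {
    svc: (lambda kind, value, table=KNOWN_BAD.get(svc, set()): (kind, value) in table)
    for svc in SERVICES
}

# Constructed sample alerts: one benign newsletter, one credential phish with a dropper.
BENIGN = Alert(sender="newsletter@vendor.example", recipient="jdoe@bbt.example",
               body="Monthly update: https://www.vendor.example/news")
PHISH = Alert(sender="it-helpdesk@bbt-verify.example", recipient="jdoe@bbt.example",
              body="Your password expires today: http://secure-login.bbt-verify.example/reset",
              attachment_hashes=["DEADBEEF" * 8], malware_downloaded=True)


def demo() -> Tuple[dict, dict]:
    """Run both constructed alerts through the playbook logic."""
    return triage(BENIGN, LOOKUPS), triage(PHISH, LOOKUPS)


if __name__ == "__main__":
    for record in demo():
        print(record["status"], record["hits"], record["actions"])
```

Each branch of the flowchart maps to one `if` in `triage`, and the returned `actions` list is what the Shuffle workflow would turn into TheHive tasks and tickets for HR, forensics and endpoint support. The lookups are injected rather than hard-coded so the same decision logic can be unit-tested against constructed verdicts, as above, before it is ever pointed at live services.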