Created by John Tuckner and the team at automation and AI-powered workflow platform Tines, the SOC Automation Capability Matrix (SOC ACM) is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents.
A customizable, vendor-agnostic tool featuring lists of automation opportunities, it’s been shared and recommended by members of the security community since its launch in January 2023, notably by Airbnb engineer Allyn Stott in his BSides and Black Hat talk, How I Learned to Stop Worrying and Build a Modern Detection & Response Program.
The SOC ACM has been compared to the MITRE ATT&CK and RE&CT frameworks, with one user saying, “it could be a standard for classification of SOAR automations, a bit like the RE&CT framework, but with more automation focus.” It’s been used by organizations in Fintech, Cloud Security, and beyond, as a basis for assessing and optimizing their security automation programs.
Here, we’ll take a closer look at how the SOC ACM works, and share how you can use it in your organization.
What is the SOC Automation Capability Matrix?
The SOC Automation Capability Matrix is an interactive set of techniques that empower security operations teams to respond proactively to common cybersecurity incidents.
It’s not a list of specific use cases tied to any one product or service, but a way to think about the capabilities an organization might adopt.
It offers a solid foundation for beginners to understand what’s possible with security automation. For more advanced programs, it serves as a source of inspiration for future implementations, a tool to gauge success, and a means to report outcomes.
While the tool is vendor-agnostic, it pairs well with a platform like Tines, which was developed by security practitioners to help fellow security practitioners enhance their mission-critical processes through workflow automation and AI.
How does the SOC Automation Capability Matrix work?
The SOC ACM is split into categories that contain automation capabilities.
Each capability comprises:
- Description – a brief overview of what the capability is doing
- Techniques – technology-agnostic ideas for how to implement the capability
- Examples – relevant workflow templates from the Tines library
- References – other research contributing to the capability
The framework reads from left to right and top to bottom within categories. It is only minimally opinionated about which capabilities bring the most value or are easiest to implement, and is meant to be adapted to what each organization finds most valuable.
Each capability can stand alone in the matrix, but chaining several together produces more complex and impactful outcomes.
How to use the SOC Automation Capability Matrix
Next, we’ll illustrate how to use the SOC ACM, taking phishing response as our example. Many organizations combine several techniques to find and analyze suspicious messages so they can respond appropriately to malicious email.
To start, here are some processes a routine phishing investigation might include:
- Receive a phishing email or alert
- Send a notification to the security team for processing
- Create a ticket to track and record the analysis
- Review the elements of the email, including attachments, links, and email message headers
- If suspicious, delete the email and add features to blocklists
- Send a notification to the recipient with a status update
Within the matrix, the Phishing Alerts capability appears in the Alert Handling section. It notes that many organizations deploy email security gateways to stop suspicious emails from reaching inboxes, and that these gateways also generate alerts on attack campaigns that can feed an automation.
The capability also describes setting up a dedicated mailbox to which users can easily forward phishing emails that got past the filters. Either source is a good place to start an automation workflow.
Once a suspicious message has been identified, whether by a user report or a gateway alert, more automation capabilities become available. One recommendation is to create a location for tracking the lifecycle of each alert as early as possible.
Utilizing the Tracking Location capability in the Issue Tracking section, we can identify where these alerts should be recorded, updated, and reported. Notice how the workflow has now moved between sections of the Automation Capability Matrix to extend the process.
With the alert and tracking location decided on, we can move towards performing a thorough analysis of the phishing alert in question. Phishing emails commonly carry potentially malicious attachments and links designed to capture authentication material, and are often sent from spoofed sender addresses.
Moving into the Enrichment phase, we want to use a few key capabilities at a minimum: Domain Analysis for any links present in the email body, File Hash Analysis/File Analysis for any attachments, and Email Attributes to look deeper into the headers for signs of a spoofed sender (for example, a Reply-To or Return-Path domain that differs from the From domain, or failing SPF and DKIM results).
For Enrichment, the range of API-driven tools and services that can provide these capabilities is large and growing. Some common options include VirusTotal for files, URLscan for domains, and EmailRep for sender information. Bear in mind that submitting a file or URL to a third-party service discloses it to that service, so check the terms and your own data-handling rules before automating submission of internal attachments. Each enrichment result can be recorded in the tracking location identified previously, documenting the outcome and giving analysts a single view of the results.
This shows how many capabilities from the same section can be applied to the same automation workflow, in this case, to provide as much information as possible to analysts.
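As an added example (not part of the SOC ACM or the Tines library), the script below performs the local half of the Enrichment step on a user-reported message: it extracts the URLs and their domains, hashes each attachment, and checks the headers for the usual spoofing signs, then returns a rule-of-thumb verdict. The sample .eml, its domains and the risky-extension list are constructed for the example; the point at which VirusTotal, URLscan or EmailRep would be queried is noted in a comment rather than implemented, so the code runs offline.

```python
"""Offline triage of a user-reported phishing email (added example)."""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. The sender, recipient and link domains are made
# up; "example.com" stands in for the organisation's own domain.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@mail-example-login.test
Return-Path: <bounce@mail-example-login.test>
To: alice@example.com
Subject: Action required: password expiry
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example-login.test; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at
https://mail-example-login.test/sso/login?u=alice to keep access.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBkb2N1bWVudA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Extensions that commonly carry macros or scripts (assumed list; a real
# deployment would keep this in the platform's configuration).
RISKY_EXTENSIONS = (".docm", ".xlsm", ".js", ".vbs", ".hta", ".iso", ".lnk")


def sha256_hex(data):
    """Hex SHA-256 of an attachment: the key for File Hash Analysis."""
    return hashlib.sha256(data).hexdigest()


def addr_domain(value):
    """Lower-cased domain of the first address in a header value, or None."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rpartition("@")[2].lower() or None


def analyse_message(raw):
    """Return the indicators that the Enrichment capabilities would use."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or ""
            attachments.append({
                "filename": name,
                "sha256": sha256_hex(data),
                "risky_extension": name.lower().endswith(RISKY_EXTENSIONS),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    domains = sorted({urlparse(u).hostname for u in urls} - {None})
    # Here a real workflow would send `domains` to a URL scanner, each
    # attachment hash to a file-reputation service and the sender to a
    # sender-reputation service, and record each result on the tracking issue.

    header_from = addr_domain(msg.get("From"))
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    signals = []
    for name in ("Reply-To", "Return-Path"):
        domain = addr_domain(msg.get(name))
        if domain and domain != header_from:
            signals.append(f"{name} domain {domain} differs from From domain {header_from}")
    if auth.get("spf") == "fail":
        signals.append("SPF check failed for the envelope sender")
    if "dkim" in auth and auth["dkim"] != "pass":
        signals.append(f"DKIM result is {auth['dkim']}, not pass")

    return {"header_from": header_from, "urls": urls, "domains": domains,
            "attachments": attachments, "auth": auth, "spoof_signals": signals}


def verdict(result):
    """Rule-of-thumb verdict before external enrichment; anything that is
    not clearly benign is routed to an analyst rather than closed."""
    risky = any(a["risky_extension"] for a in result["attachments"])
    if len(result["spoof_signals"]) >= 2 and (result["domains"] or risky):
        return "suspicious"
    if result["spoof_signals"] or result["domains"] or risky:
        return "needs_review"
    return "likely_benign"


if __name__ == "__main__":
    import json
    findings = analyse_message(SAMPLE_EML)
    print(json.dumps(findings, indent=2))
    print("verdict:", verdict(findings))
```

The returned dictionary is what gets written to the tracking issue; the verdict here only decides whether the Chat Alert says "review this" or "confirmed suspicious", and the external enrichment results should be allowed to move it in either direction.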
After enrichment occurs, a verdict might be reached already, but more likely, the issue will require a quick review from an analyst. At this point, the User Interaction section becomes critical.
To start, we can use Chat Alerts to notify the security team in a Slack channel that a phishing email has arrived and a tracking issue has been created, with various enrichment details added as additional context is ready for review.
That takes care of informing the security team, but what about updating any users who might be impacted or who reported the email? Phishing response is unusual in that many organizations actively train users to report emails they find suspicious. Giving those users a confident verdict quickly both unblocks legitimate work (a document that genuinely needs signing can be opened) and, when the email is malicious, limits how far it spreads.
To do this, we can use the User Notification capability to identify the user who reported the email and provide them with the results of the email analysis. In the case of User Interaction, it’s not only about additional notification of the security team but also extending the reach and empowering others with real-time information to make the right decisions.
At this point, a lot of activity has taken place, and we have a lot of knowledge at our disposal. More information is always helpful, but acting on it appropriately is what ultimately counts, which brings us to the remediation phase. Many of the data points (indicators) gathered earlier can drive remediation actions. Depending on how the situation has played out, we could take some of the following steps:
- Domain blocklist: Add any domains and URLs identified as suspicious to a blocklist.
- File hash blocklist: Add any file hashes identified as malicious to a blocklist.
- Email deletion: Remove emails related to an attack campaign from inboxes.
- Password invalidation: Change the passwords of any users found to have submitted credentials to a phishing website, and revoke their active sessions and refresh tokens as well, since a password change alone does not end a session the attacker has already established.
The key to any remediation is knowing what’s possible and starting small, especially when using automation, so that confidence builds over time. One way to do this is to present links or buttons that an analyst must click to take a remediation action, but in a repeatable way. If you want to introduce full automation, automatically adding suspicious domains to a blocklist offers high utility at low risk: a false positive blocks a single domain and can be reversed quickly with little impact. Guard it with an allowlist of your own domains and of widely used shared platforms so that the automation can never block them.
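As an added example (not from the SOC ACM or Tines), the following models the tiered remediation just described: blocklist actions are applied automatically, email deletion and password invalidation are queued for an analyst to approve, an allowlist stops the automation from ever blocking the organization’s own or shared domains, and every blocklist entry carries the alert id and an expiry so it can be rolled back. The allowlist entries, action names, fixed clock and in-memory Blocklist class are assumptions standing in for a real gateway or proxy API.

```python
"""Tiered phishing remediation with guarded auto-apply (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed allowlist: the organisation's own domain plus a shared platform
# where a phishing page may sit next to legitimate content. Blocking those
# wholesale would break business, so the automation must never do it.
ALLOWLIST = {"example.com", "files.shared-host.example"}

# Action kinds the workflow may apply without a human in the loop: reversible,
# and a false positive affects a single indicator.
AUTO_APPLY = {"domain_blocklist", "file_hash_blocklist"}
DEFAULT_TTL = timedelta(days=7)          # assumed expiry for automatic blocks
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed clock for the example


@dataclass(frozen=True)
class Action:
    kind: str       # domain_blocklist, file_hash_blocklist, email_deletion, password_invalidation
    target: str
    alert_id: str   # the tracking issue this action is recorded against

    @property
    def auto(self):
        return self.kind in AUTO_APPLY


def _allowlisted(domain, allowlist):
    return domain in allowlist or any(domain.endswith("." + a) for a in allowlist)


def plan_remediation(alert_id, indicators, allowlist=ALLOWLIST):
    """Turn gathered indicators into actions; returns (actions, skipped)."""
    actions, skipped = [], []
    for domain in indicators.get("domains", []):
        if _allowlisted(domain, allowlist):
            skipped.append((domain, "allowlisted; block the full URL at the proxy instead"))
            continue
        actions.append(Action("domain_blocklist", domain, alert_id))
    for digest in indicators.get("file_hashes", []):
        actions.append(Action("file_hash_blocklist", digest, alert_id))
    for message_id in indicators.get("message_ids", []):
        actions.append(Action("email_deletion", message_id, alert_id))
    for user in indicators.get("credential_submitters", []):
        actions.append(Action("password_invalidation", user, alert_id))
    return actions, skipped


class Blocklist:
    """Stand-in for the gateway or proxy blocklist. Each entry records the
    alert that created it and an expiry, so a mistaken block can be undone by
    alert id and stale entries age out instead of accumulating forever."""

    def __init__(self):
        self._entries = {}  # (kind, target) -> (alert_id, expires_at)

    def add(self, action, now, ttl=DEFAULT_TTL):
        self._entries[(action.kind, action.target)] = (action.alert_id, now + ttl)

    def active(self, now):
        return sorted(t for (_, t), (_, exp) in self._entries.items() if exp > now)

    def rollback(self, alert_id):
        """Remove everything a given alert added; returns the targets removed."""
        doomed = [k for k, (a, _) in self._entries.items() if a == alert_id]
        for key in doomed:
            del self._entries[key]
        return sorted(t for _, t in doomed)


def apply_plan(actions, blocklist, now=NOW):
    """Apply the automatic tier; return the rest as the queue behind the
    Chat Alert's approve buttons (one button per pending action)."""
    applied, pending = [], []
    for action in actions:
        if action.auto:
            blocklist.add(action, now)
            applied.append(action)
        else:
            pending.append(action)
    return applied, pending


if __name__ == "__main__":
    # Constructed indicators, as the enrichment step might have produced them.
    found = {"domains": ["mail-example-login.test", "files.shared-host.example"],
             "file_hashes": ["0" * 64],
             "message_ids": ["<campaign-1@mail-example-login.test>"],
             "credential_submitters": ["alice@example.com"]}
    plan, skipped = plan_remediation("ALERT-42", found)
    bl = Blocklist()
    done, queue = apply_plan(plan, bl)
    print("auto-applied:", [(a.kind, a.target) for a in done])
    print("awaiting approval:", [(a.kind, a.target) for a in queue])
    print("skipped:", skipped)
    print("rolled back:", bl.rollback("ALERT-42"))
```

The split between `auto` and pending is deliberately a property of the action kind, not of the analyst's judgement, so widening automation later means moving a kind into AUTO_APPLY rather than editing the workflow logic; the rollback-by-alert-id and the expiry are what make that widening safe.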
Looking at the process end-to-end, we have utilized the following capabilities to help automate critical actions for many cybersecurity teams:
- Phishing alerts
- Tracking location
- File hash analysis
- Domain analysis
- Email attributes
- Chat alerts
- User notification
- Domain blocklist
- File hash blocklist
- Email deletion
- Password invalidation
A significant benefit of developing these capabilities in your organization for a single process, such as phishing, is that many of them can then be reused for other purposes like malware detection or handling suspicious logins, making each subsequent automation easier to build.