This topic provides general information about auto remediations and which ones are available. If you are ready to set up your auto remediations, go to Enable an Auto Remediation in Workbench.
When you enable an auto remediation, you allow Expel to automate certain response capabilities within your system(s) so that attacks can be rapidly contained without requiring any intervention from you. All remediation actions are created in Workbench, but the actions themselves are taken within your specific vendor technologies.
- Our SOC analysts make the call on when and what to remediate based on the settings you specify.
- Expel automates the remediation action itself but not the decision to remediate.
- The remediation action is only initiated from an Incident and not from an Investigation (exception: the attack surface is different for Managed Phishing, so we do initiate the remediation action from both).
- You have the option to customize a deny list so that certain files or paths are not subject to the actions of a remediation.
- You may disable a remediation at any time via Workbench.
- If for some reason Expel cannot complete the remediation, the action will be assigned to you to complete.
Auto remediations are configured by going to Organization Settings > My Organizations > Auto Remediations tab. You must have Administrator access in Workbench to configure auto remediations.
Watch our Introduction to Auto Remediations video to learn more.
Available Auto Remediations
Expel offers a number of auto remediations, which are enabled or disabled at the organization level. Use these links to skip ahead to learn more about the ones you are most interested in.
- Block Known Bad Hashes
- Contain Hosts
- Deactivate Access Keys
- Delete Malicious Files
- Disable Accounts
- Kill Processes
- Remove Malicious Email
- Reset Credentials
Block Known Bad Hashes
Blocking known bad hashes (which may be referred to by different vendor technologies as application blocking, banning hashes, blacklisting hashes, or indicator-based file blocking) prevents further propagation of an attack by blocking potentially malicious processes and files by their hash values.
All EDR vendors block the execution of a process by its hash. Some vendors also prevent the file itself from being accessed or modified, while other vendors ban shared libraries (DLLs). Depending on the vendor and the endpoint system, a couple of minutes of latency may exist between the action and the prevention.
Watch our Auto Block Bad Hashes video for a configuration walkthrough and to learn more.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Contain Hosts
Host containment (which may be referred to by different vendor technologies as quarantine or isolation) blocks incoming and outgoing network traffic except for the traffic necessary to maintain a connection to the security device console. This allows investigators to continue triaging a device from a security device console, while reducing the risks involved with allowing a compromised device to have continued access to the local network.
Each vendor technology handles host containment differently, but they usually perform the following actions:
- Block all TCP traffic to any IP/ports.
- Block all UDP connections except those needed for DNS requests (e.g. UDP/53); DNS and DHCP are generally allowed so that two-way communication between the console and the contained device keeps working.
- Allow ARP so that IP addresses can still be resolved to MAC addresses on the local network.
- Allow ICMP (ping).
- Terminate active sockets.
Some security devices can also allow connections to an allowed IP list.
Watch our Auto Host Containment video for a walkthrough and to learn more about this remediation action.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Deactivate Access Keys
In response to a suspected security incident in your cloud environment, Expel can automatically deactivate potentially compromised long-term AWS access keys that are tied to AWS IAM users, based on unique access key IDs.
Deactivating keys is a proactive measure that aims to sever the attacker's access point and mitigate the risk of a further data breach or system compromise. The goal is to contain the threat by preventing adversaries from continuing to use these keys to access your cloud resources. When Workbench completes the action, the deactivation occurs immediately in AWS.
Note
Expel only automates the deactivation of long-term access keys; we do not delete or rotate keys, because such measures are more destructive and are potentially premature. After your access keys are deactivated, you should rotate the compromised keys via AWS and update all cloud applications and services that require these keys to complete tasks.
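The deactivate-but-do-not-delete step described above, as an added example that is not Expel's or Workbench's own code. It assumes the boto3 IAM client methods `get_access_key_last_used`, `update_access_key` and `list_access_keys`, and takes the client as a parameter so the logic can be exercised offline against the constructed stand-in below (in AWS you would pass `boto3.client("iam")`).

```python
def deactivate_access_key(iam, access_key_id: str) -> dict:
    """Set one long-term access key to Inactive and return its verified status.

    Deactivation is reversible, so the key can be re-enabled if the incident is
    a false positive; rotating or deleting it is left to the key's owner.
    """
    # Only the key ID is known, so resolve the owning IAM user through the
    # last-used record, which carries the UserName field.
    owner = iam.get_access_key_last_used(AccessKeyId=access_key_id)["UserName"]
    iam.update_access_key(UserName=owner, AccessKeyId=access_key_id, Status="Inactive")
    # Read the status back instead of trusting that the call took effect.
    for key in iam.list_access_keys(UserName=owner)["AccessKeyMetadata"]:
        if key["AccessKeyId"] == access_key_id:
            return {"user": owner, "access_key_id": access_key_id, "status": key["Status"]}
    raise LookupError(f"{access_key_id} not found on user {owner}")


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (offline demo only)."""

    def __init__(self, keys: dict):
        self._owner = dict(keys)                      # key id -> owning IAM user
        self._status = {k: "Active" for k in keys}    # every key starts Active

    def get_access_key_last_used(self, AccessKeyId):
        return {"UserName": self._owner[AccessKeyId], "AccessKeyLastUsed": {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        if self._owner[AccessKeyId] != UserName:
            raise ValueError("key does not belong to this user")
        self._status[AccessKeyId] = Status

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": u, "AccessKeyId": k, "Status": self._status[k]}
            for k, u in self._owner.items() if u == UserName]}


# Constructed sample data: AWS's documented placeholder key ID plus a second
# key on the same user, to show that only the named key is touched.
SAMPLE_KEYS = {"AKIAIOSFODNN7EXAMPLE": "ci-deploy", "AKIAEXAMPLEKEY000002": "ci-deploy"}

if __name__ == "__main__":
    print(deactivate_access_key(FakeIAM(SAMPLE_KEYS), "AKIAIOSFODNN7EXAMPLE"))
```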
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Delete Malicious Files
If our SOC analysts identify a malicious file that must be removed, Workbench completes the action automatically after that action is created unless it is specifically called out as a file path or hostname on the deny list. If it is on the deny list, we assign the action to your team and notify you based on your notification preferences.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Disable Accounts
Disabling a user account (which may be referred to by different vendor technologies as blocking user, suspending user, changing user status, removing user from org, or locking user account) prevents further propagation of an attack by disabling the compromised account, identified by its username or email address. As part of automating this action in Workbench, we also log the compromised user out of their existing session. Both of these actions are immediate in the target vendor technology.
Watch our Auto Disable Account video for a configuration walkthrough and to learn more.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Kill Processes
If our SOC analysts identify a malicious process that must be killed, Workbench completes the action automatically after that action is created unless it is specifically called out as a process path or hostname on the deny list. If it is on the deny list, we assign the action to your team and notify you based on your notification preferences.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Remove Malicious Email
If our SOC analysts identify a malicious email that must be removed, Workbench completes the action automatically after that action is created unless it is specifically called out as an inbox on the deny list. If it is on the deny list, we assign the action to your team and notify you based on your notification preferences.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.
Reset Credentials
Requiring a user to reset their credentials (which may be referred to by different vendor technologies as "expire password" or "force change password on next sign-in") prevents further propagation of an attack by stopping unauthorized access. After this remediation action is taken, the compromised user must authenticate with MFA before creating new credentials. As part of automating this action in Workbench, we also log the compromised user out of their existing session. Both of these actions are immediate in the target vendor technology.
Ready to enable this auto remediation? Go to Enable an Auto Remediation in Workbench to get started.