SOARCA tool: automated security against cyber attacks

Only with optimal cyber security can we ensure the best possible protection for critical infrastructure, such as energy and water supply, payment transactions, and healthcare facilities. Infrastructure that we, as a society, cannot do without. TNO is playing its part by developing an open-source tool for automated cyber security: SOARCA.

Run through playbooks automatically with SOAR

Organisations’ security operation centres can use playbooks to combat cyber attacks. If malware enters the system through a phishing email for example, a playbook describes what needs to be done to tackle it, step by step.

So, to remove the malware, the steps could be to isolate the affected hardware from the network and prevent it from spreading further, and then to report these mitigation steps back to internal security incident systems, like Slack, Teams, and email.

With Security Orchestration, Automation, and Response (SOAR) tools, these security steps no longer need to be performed manually, but can be automated instead.

SOARCA: open-source, open-standard

Existing SOAR tools are often not open-source; this means the source code cannot be viewed or modified by users. Or SOAR tools only make limited use of open standards, so current security playbooks have limited interchangeability.

This is why TNO has developed the SOAR tool: Security Orchestrator for Advanced Response to Cyber ​Attacks (SOARCA). It is first open-source SOAR tool to make full use of the open-playbook standard Collaborative Automated Course of Action Operations (CACAO). The SOARCA tool is freely available to anyone, and the goal is that it can be applied to almost any cyber security system. This allows organisations to easily experiment with a SOAR tool, without excessive initial investment costs.

What’s more, SOARCA includes a python-library software component, where users can create their own software extensions and integrations, allowing them to tailor the tool to their own organisation and systems.

Standardised playbook format

CACAO – the open standard used by SOARCA – was developed by OASIS Open for cyber security playbooks. TNO was involved in developing CACAO as part of the standardisation committee. CACAO defines the playbooks clearly and unambiguously, so machines can read them easily.

Until recently, companies could only use the CACAO playbooks manually. But with SOARCA, security operation centres can now have these playbooks run automatically, making it easier and more efficient to secure systems.

More time for better cyber security

Cyber security needs to be more efficient for it to work properly, as the number of people with the necessary cyber security knowledge is limited. Only by increasing efficiency can we make the best use of their knowledge.

One way is to resolve low-level alerts automatically, so SOC operators have more time to resolve more complex attacks or to do more research on threat intelligence into current or future threats. This makes the work more interesting for them and ensures enhanced cyber security.

Collaborative development from GitHub

SOARCA is still under development. It is already available to download and use, but is also still being improved. And the SOARCA founders are not working alone, say TNO researchers and co-founders Jan-Paul Konijn and Maarten de Kruijf.

The code behind SOARCA is available from GitHub, a platform where anyone can view it and even contribute to improving SOARCA. TNO's SOARCA team is calling on anyone interested to go onto the platform and suggest modifications, share ideas for new features, and ask questions.

‘This way, we hope to bring together unique cyber security knowledge and make the tool even better’, Jan-Paul says. The TNO team will decide which suggestions will and will not be implemented for now. That way, they can continue to guarantee the tool’s quality and reliability.

Striving for optimal cyber security – for every organisation

Jan-Paul, Maarten, and their colleagues aim to make SOARCA a tool that can be applied to any system. Maarten explains: ‘What we’d really like to be able to do one day is apply it to outdated Operational Technology systems, which are mostly found in critical infrastructure. Then any organisation – government, factory, or start-up – can achieve optimal cyber security, regardless of what condition their systems are in.’

Need help or interested in working together?

If you need help automating your organisation's cyber security, you can get easily started yourself with SOARCA. Otherwise, don’t hesitate to contact us.

Want to help us develop SOARCA? Join us at Github. We’re keen to hear your ideas.