EternalBlue SOC Playbook

1. Detection:
   • Use network intrusion detection systems (NIDS) like Snort or Suricata to monitor for EternalBlue exploitation attempts.
   • Configure alerts for unusual SMB traffic on port 445, especially from external IP addresses.
   • Employ Security Information and Event Management (SIEM) tools like Splunk or ELK Stack to correlate logs and identify potential threats.
   • Utilize endpoint detection and response (EDR) solutions to monitor for suspicious activities on individual systems.
2. Triage and Initial Assessment:
   • Verify alerts using log analysis tools to confirm if it’s a true positive.
   • Use threat intelligence platforms to check if the source IP addresses are known threat actors.
   • Conduct a quick vulnerability scan of the affected systems using tools like Nessus or OpenVAS to check for MS17-010 vulnerability.
3. Containment:
   • Isolate affected systems from the network using network access control (NAC) solutions or by manually disconnecting them.
   • Update firewall rules to block all incoming and outgoing traffic on port 445 for affected systems.
   • Use endpoint protection platforms (EPP) to lock down potentially compromised systems.
4. Eradication:
   • Apply the MS17-010 patch to all vulnerable systems. Use patch management tools like WSUS for Windows environments or similar solutions for other operating systems.
   • Conduct a thorough malware scan using up-to-date antivirus and anti-malware tools.
   • Use memory analysis tools like Volatility to check for any persistent threats.
   • Employ forensic tools like EnCase or FTK to analyze affected systems for any backdoors or additional malware.
5. Recovery:
   • Restore systems from clean backups using backup and recovery solutions.
   • If clean backups are unavailable, consider rebuilding systems from scratch using standardized, secure system images.
   • Implement stronger network segmentation using VLANs and next-generation firewalls.
   • Update and strengthen Group Policies in Windows environments to enhance security.
6. Post-Incident Activities:
   • Conduct a comprehensive vulnerability assessment of the entire network.
   • Update intrusion detection/prevention system (IDS/IPS) rules to better detect similar attacks in the future.
   • Review and improve patch management processes, possibly implementing automated patching solutions.
   • Enhance network monitoring capabilities, considering the implementation of a network behavior analysis tool.
7. Reporting and Documentation:
   • Use incident response management platforms like TheHive or RTIR to track and document all actions taken during the incident.
   • Generate a detailed incident report including timeline, affected systems, actions taken, and lessons learned.
   • Update threat intelligence databases with information gathered during the incident.
8. Lessons Learned:
   • Conduct a post-incident review meeting with all relevant teams.
   • Update incident response plans based on the experience from this event.
   • Consider implementing additional security measures such as:
     • Regular vulnerability scanning
     • Improved network segmentation
     • Enhanced logging and monitoring
     • Security awareness training for employees
9. Long-term Improvements:
   • Evaluate and possibly implement application whitelisting solutions.
   • Consider deploying a honeypot network to detect and analyze future attacks.
   • Implement or improve asset management systems to ensure all systems are accounted for and properly maintained.

This playbook provides a structured approach to handling an EternalBlue security event without relying on specific scripts. It suggests various tools and actions that a SOC team can take to detect, contain, and recover from such an incident. The exact implementation would depend on the specific tools and processes already in place in your organization.

Would you like me to elaborate on any particular aspect of this playbook?