Presentation Material

Abstract

The smart enemy attacks you exactly where you think you are safe. Most attacks try and target a server or a service being used by a company. But when the attack targets the very SOAR tool you use to defend your network to break in, things get interesting. Given that SOAR tools would be whitelisted in an organization to be able to capture logs from various servers and devices, the consequences of such vulnerabilities being exploited are far-reaching. On successful exploitation, either by the methods we’ve shown or from some other similar vectors, it would result in the complete compromise of the network as well as internal devices and services which are often present in large corporate networks. It also foreshadows future attacks via log poisoning on SOCs and SOAR tools that make use of LLMs such as ChatGPT leading to possible prompt injections.