Getting Started with Assets in Phantom

Hopefully by now you’ve downloaded and booted up your copy of Phantom.  If not, you can register for the Free Community Edition of Phantom and join our $10,000 Playbook & App Contest here.

One of the first things you will want to do after downloading Phantom is make sure you have Assets to work with. Assets are the devices, software and services that Phantom talks to for information and taking action.  You can read more about Phantom and Assets here.

In the latest release, a brand-new Phantom instance has three Assets already on it: Whois, Volatility, and MaxMind (IP geolocation). These are included because whois depends on open Internet servers that require no authentication, so we can create that asset for you, and for Volatility and MaxMind the services run on the Phantom server itself. MaxMind is a commercial product, but we’ve licensed it for you to use with Phantom (you’re welcome). So these three services don’t require any credentials to use.

There’s also a fourth built-in Asset type, though it’s not pre-configured: the REST data source. It’s usually used for pushing data in from an external program. We will cover it in a future blog post, or you can read about it now in the documentation (Phantom Portal login required).

For all the others, you’re going to need usernames and passwords or API keys. Some of these other asset types you would have to purchase or own, such as hardware firewalls. Others, like Windows servers and endpoints, you probably already have. The set we’d like to focus on for the moment is cloud services that you can sign up for at no cost, just so you have a few more assets to help you get a feel for Phantom.

Let’s add some email services and a couple of reputation services, VirusTotal and Anubis. You can use just about any free email service you like, such as Google Mail. You might want to set up a new account just for this purpose, so that you’re not experimenting with a mailbox you care about.

Create the account, and take note of the username and password. You will also need the IMAP and SMTP settings for the provider. Use these to create IMAP and SMTP assets. For Google Mail, they will look something like this:

[Screenshots: IMAP asset settings for Google Mail in Phantom]

After you have saved the asset, you should do a “test connectivity” on the Asset Settings tab to make sure your settings are correct, and then “Poll Now” on the Ingest Settings tab to grab some emails into the system. Poll enough to get about 10 containers and 10 artifacts so you have some data to work with.

Create the SMTP asset in a similar way; it will be used for sending email from the Phantom server.

Create yourself an account on virustotal.com. Once signed in, click on your user profile and select “My API Key.” Create a VirusTotal asset and paste your API key into the settings. Again, “Test Connectivity” will confirm that your settings are correct. You can do the same for Anubis.

With these in place, I have opened the container for an email with a .exe attachment, which is now in the Vault. Then I opened Mission Control, and have taken a “detonate file” context action by clicking on the vault file:

[Screenshot: “detonate file” context action on the vault file in Mission Control]

Note that Anubis can take a long time to process files when it has a backlog to work on.

This demonstrates how hooking up a few assets in Phantom lets you start automating some routine tasks immediately, such as taking the URL from another email and running a whois on the domain to see who the contacts are:

[Screenshot: “whois domain” result in Mission Control]

Here, I had just clicked on a URL in mission control again, and selected the “whois domain” command.

Other asset types you can easily get evaluation copies of, like Splunk and VMware ESXi. Both of those companies will let you register on their sites and get demo licenses. One of my favorite things to do with Phantom is to run Volatility actions on VM memory snapshots. Just make a VMware asset, run the “list vms” command, click on one of the VMX files, “snapshot vm”, go to the Vault, click on the snapshot file, “find malware”. It takes about 90 seconds, and most of that time was downloading the snapshot into the Vault.

Ryan Russell
Phantom Cyber

About Phantom:
Phantom automates enterprise security operations. In the face of problematic trends including the dramatic increase and volume of attacks, severe shortages in qualified personnel, growth in the diversity and complexity of IT security environments and unforgiving consumers, investors and regulators holding management to task for breaches, Phantom arms security operations with the automation and orchestration solutions that ready them to defend their company’s business.

Visit TryPhantom.com to register for Phantom Community Edition, a free version of Phantom.

2016 Playbook & App Contest


We’re excited to announce the 2016 Phantom Playbook and App Contest!  Help to protect your organization by making the Phantom Community Edition platform even more powerful!

This contest is sponsored by Phantom to promote the community development of Playbooks and Apps with $10,000 in cash prizes & more.  (REGISTER HERE)

“We’re putting our money where our mouth is to help build the community, give people a chance to showcase their skills and advance their efforts in protecting their organization all at once.” — Oliver Friedrichs, Phantom Founder & CEO

For decades, enterprises have been buying discrete security point products that do not interoperate.  Security teams swivel between dozens of different consoles in order to react to events and defend themselves.  While other industries have leveraged automation and orchestration, we have yet to see the security industry benefit.

Phantom is a Security Automation & Orchestration platform that integrates with existing security technologies in order to provide a layer of “connective tissue” between them.  Phantom doesn’t replace existing security products, but instead uses Playbooks and Apps to make them smarter, faster and stronger.

The Phantom Community Edition is a free download that offers organizations 100 actions per day to automate and orchestrate their security operations.  Phantom is extensible, with Python based Apps, allowing anyone to expand the platform and contribute Apps to the Phantom App store.  Similarly, Phantom Playbooks are also written in Python and can be customized at will.  Community Playbooks are synchronized via Git and published on a public GitHub repository.

Contest Criteria
Submissions should include a Playbook and required Apps that can be executed by the Phantom Community Edition product.  In short we are looking for the most impressive Playbook and App combinations; those exhibiting the most sophisticated and impressive use of the Phantom platform.  Submissions will be judged based on:

  • Feasibility, scalability, performance, and ease of use.
  • Technical maturity and viability of proposed approach.
  • Proposers’ expertise and ability to feasibly create a successful outcome.
  • Both individual & team entries are accepted.  Winning team will share prize with a maximum of 1 prize per individual or team.  Multiple entries are allowed.

Contest Process
The contest kicks off on January 20th and runs through May 27, 2016.  Contestants can join the Phantom Community to request support and attend our semi-monthly webinar series.

  • Register as a contestant and follow the instructions you receive in the welcome email.
  • Join the community mailing list by sending an email to users+subscribe@phantom.us.  When you receive a response, reply to that response to complete your subscription.
  • Attend an upcoming webinar and watch video tutorials in Phantom Portal (requires a Phantom Community Edition login).
  • Follow us @TryPhantom and visit our blog during the contest period for hints, contest updates and more.
  • Submit your Playbook and Apps by email to contest@phantom.us by midnight EDT on May 27.
  • Contact us at contest@phantom.us for any questions!  We are here to help and are happy to guide you through the process of learning the Phantom platform.

Contest Award
Winners will be announced at the sole discretion of the judges based on the criteria outlined.

  • 1st Place: $5,000
  • 2nd Place: $3,500
  • 3rd Place: $1,500

Contest Judges
Entries will be judged by leaders in security from the media and practice.  We will announce them during the contest.

Contest Terms
All judging, eligibility, and award decisions are final, not subject to review and at the sole discretion of the judges and Phantom. Contestants acknowledge that Phantom reserves the right to (i) fund or award all, some, or none of the responses received, and (ii) determine all award amounts.  The award determination will be made by Phantom with the guidance and recommendations of the judges convened for this purpose, to ensure relevant expertise and diversity of perspectives.

Official Contest Press Release (8am EDT, Jan 20)

Playbook Series: Email-based Orchestration

Today’s post introduces an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.  (Have an idea for the series? Tell us.)

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample Community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight playbook for today is on Email-based Orchestration.

Email is one of the most common methods for delivering malware.  The most recent Symantec Internet Security Report claims email was used to carry some 1.7 billion pieces of malware around the Internet in 2014.

Many companies train users to forward suspicious emails to the Security Operations team.  Though the technique has helped to prevent countless phishing attacks against enterprises, it still leaves the Security Operations team with an inbox full of emails to investigate.

These suspicious emails often include URLs to inspect or even files to detonate in a sandbox in order to determine if they are actually malicious.  Our research shows that a security analyst can investigate a suspicious email in 45 – 60 minutes.

Though the process works, it is tedious for the analyst and inefficient for everyone involved.  A Phantom Email Ingestion Playbook can help.

Users still forward suspicious emails to a custom mailbox monitored by the Security Operations team.  (Some may even want to go as far as having all emails with attachments and URLs forwarded.)  In this case, though, Phantom also monitors that mailbox, via IMAP for example, and any new email triggers a Playbook.  Phantom ingests the suspicious email and executes several actions:

  • If the email includes a file attachment, detonate it in a sandbox.
    • Set a “threat score” to help assess if the file is dangerous, and if so:
      • Hunt the data source to determine if the file has been seen before.
      • Access the Endpoint technology to determine if the file also exists elsewhere in the environment.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.
  • If the email includes URLs, take the following actions:
    • Detonate the URL to determine what happens when it is followed.
    • Look up the IPs, and enrich with  Whois data.
    • Geolocate the country of origin and determine if it is of concern.
    • Set a “threat score” to determine if the URL is dangerous, and if so:
      • Hunt in data source to determine if we have seen any other activity to or from this IP.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.

Phantom executes these actions automatically based on a Playbook the analyst has defined.  It happens without error and much faster than when this workflow is handled manually.
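To make the branching above concrete, here is an added example (not a Phantom playbook or Phantom code; it does not use the Phantom API) that models the two ingest steps and the decision logic in plain Python: parse a forwarded mail into file and URL artifacts, then walk the file and URL branches and return the actions that would be run. The mail, the attachment bytes, the sandbox scores, the DNS and geolocation answers, the 50-point threshold and the country watch list are all constructed stand-ins for what the real assets would return.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample: a harmless stand-in for the .exe attachment (MZ header plus filler).
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_EXE).hexdigest()
URL_RE = re.compile(r"https?://[^\s<>\"']+")
THREAT_THRESHOLD = 50  # constructed cut-off on a 0-100 "threat score"
# Constructed stand-ins for what the post's assets would return (sandbox, DNS, MaxMind).
SANDBOX_SCORE = {SAMPLE_SHA256: 85, "http://invoice.example.test/view?id=7": 40}
DNS = {"invoice.example.test": "198.51.100.7"}   # answer to "lookup ip"
GEO = {"198.51.100.7": "XX"}                      # answer to "geolocate ip"
COUNTRIES_OF_CONCERN = {"XX"}                     # constructed watch list

def build_sample_mail() -> bytes:
    """Build the forwarded suspicious mail that IMAP polling would ingest (constructed)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "phish@example.test", "Invoice"
    msg.set_content("Please review http://invoice.example.test/view?id=7 today.")
    msg.add_attachment(SAMPLE_EXE, maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

def email_to_artifacts(raw: bytes) -> list:
    """Ingest step: one artifact per URL and per attachment, hashed for later hunting."""
    artifacts = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)
            artifacts.append({"type": "file", "name": part.get_filename(), "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            artifacts.extend({"type": "url", "url": u} for u in URL_RE.findall(part.get_content()))
    return artifacts

def run_playbook(artifacts: list) -> list:
    """Walk the file and URL branches from the post; return the (action, target) pairs it would run."""
    actions = []
    for art in artifacts:
        if art["type"] == "file":
            actions.append(("detonate file", art["sha256"]))
            if SANDBOX_SCORE.get(art["sha256"], 0) >= THREAT_THRESHOLD:
                actions.append(("hunt file", art["sha256"]))      # has this hash been seen before?
        elif art["type"] == "url":
            host = urlparse(art["url"]).hostname
            ip = DNS.get(host)
            actions += [("detonate url", art["url"]), ("lookup ip", host), ("whois domain", host)]
            score = SANDBOX_SCORE.get(art["url"], 0)
            if ip:
                actions.append(("geolocate ip", ip))
                score += 20 if GEO.get(ip) in COUNTRIES_OF_CONCERN else 0   # origin raises the score
                if score >= THREAT_THRESHOLD:
                    actions += [("hunt ip", ip), ("block ip", ip)]       # corrective action from the post
    return actions
```

Running `run_playbook(email_to_artifacts(build_sample_mail()))` yields the URL branch first (detonate, lookup, whois, geolocate, then hunt and block once the score crosses the threshold) followed by the file branch; an attachment with a low sandbox score is detonated but never hunted.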

No longer does the analyst need to spend an hour collecting the context needed to assess a suspicious email.  In fact, as an additional step, the email and any related files can even be automatically removed from all mailboxes across the network, saving time with remediation.

The savings are substantial for an organization that sees even an average volume of suspicious email.   You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

Swami
Director, Security Engineering
Phantom Cyber


Phantom Top 10 for January 2016

Interested in Security Automation & Orchestration?  Here’s a short, but informative Top 10 look back & forward on Phantom and Security Automation & Orchestration.

  1. In one of the earlier stories from 2015, Maria Korolov of CSO Online did her own Top 10 for automated response companies that can help contain a breach.  It’s a great survey of the market and players.
  2. Are you attending RSA in 2016?  Be sure to join us for free food & drinks from 8 – 10 on Monday, February 29th at Jillian’s.  You can pre-register here.  If you miss the party, stop by Booth 2621 in the South Hall to say hello and see a demo.
  3. Jeremy Seth Davis of SC Magazine wrote a great article from an end user perspective that outlines one CISO’s plan to “fix everything” as a remediation strategy.
  4. While not strictly open source, Phantom is extensible. Phantom Apps allow you to create connectors to in-house or more obscure security technologies and expose their APIs back to the platform. Phantom Apps are Python modules, allowing anyone to expand the platform and contribute Apps to the Phantom App store.  Similarly, Phantom Playbooks are also written in Python and can be customized at will.  Playbooks are synchronized via Git and published on our public GitHub repository.  Register for our Free Community Edition to get started.
  5. Jon Oltsik’s coverage of Security Automation & Orchestration is prolific, with several great articles to his credit at Network World including Cybersecurity Lessons Learned from the 9/11 Commission Report, A Call for Open Cybersecurity Middleware, The Network’s Role as a Security Sensor and Policy Enforcer, Incident Response: More Art than Science, Malware? Cyber-crime? Call the ICOPs!, and others.
  6. Are you already using Phantom?  Have you attended one of our Tech Sessions?  Join a live webinar to learn more about Phantom, Playbooks, Apps and the Community.  We leave 15 minutes at the end of the session for live Q&A.
  7. Though the article was primarily focused on our Series A investment, Danny Yadron’s coverage in the Wall St. Journal included a good perspective on the problem addressed by Security Automation & Orchestration.
  8. Are you attending FS-ISAC in May?  Join us to hear how financial services firms like Blackstone are adopting Phantom for Security Automation & Orchestration.  Learn how new techniques are helping existing security tools work better together and automatically respond to breaches.  Security Automation & Orchestration can lead to significant improvements in Time to Detection and Time to Remediation.  Gain a better understanding of how technology innovations are changing the way security teams manage risk.
  9. An in-depth article on the Security skills shortage by Kathleen Richard of Information Security presents Security Automation & Orchestration as a solution to help address this challenge.
  10. No doubt, 2016 will be an exciting year for Security Automation & Orchestration.  Follow us on Twitter and be the first to hear Phantom news as it unfolds in 2016.

CP Morey
VP, Products & Marketing
Phantom Cyber
