Playbook Series: Email-based Orchestration

Today’s post introduces an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.  (Have an idea for the series? Tell us.)

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample Community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight playbook for today is on Email-based Orchestration.

Email is one of the most common methods for delivering malware.  The most recent Symantec Internet Security Report claims email was used to carry some 1.7 billion pieces of malware around the Internet in 2014.

Many companies train users to forward suspicious emails to the Security Operations team.  Though the technique has helped to prevent countless phishing attacks against enterprises, it still leaves the Security Operations team with an inbox full of emails to investigate.

These suspicious emails often include URLs to inspect or even files to detonate in a sandbox in order to determine if they are actually malicious.  Our research shows that a security analyst can investigate a suspicious email in 45 – 60 minutes.

Though the process works, it is tedious for the analyst and inefficient for everyone involved.  A Phantom Email Ingestion Playbook can help.

Users still forward suspicious emails to a custom mailbox monitored by the Security Operations team.  (Some may even want to go as far as having all emails with attachments and URLs forwarded.)  In this case, however, Phantom also monitors that mailbox (via IMAP, for example), and each new email triggers a Playbook.  Phantom ingests the suspicious email and executes several actions:

  • If the email includes a file attachment, detonate it in a sandbox.
    • Set a “threat score” to help assess if the file is dangerous, and if so:
      • Hunt the data source to determine if the file has been seen before.
      • Access the Endpoint technology to determine if the file also exists elsewhere in the environment.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.
  • If the email includes URLs, take the following actions:
    • Detonate the URL to determine what happens when it is followed.
    • Look up the IPs, and enrich with Whois data.
    • Geolocate the country of origin and determine if it is of concern.
    • Set a “threat score” to determine if the URL is dangerous, and if so:
      • Hunt the data source to determine if we have seen any other activity to or from this IP.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.
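As an added illustration (not Phantom's own playbook code, which runs against real app actions), the branching logic above modelled in plain Python: the sandbox, DNS, geolocation and endpoint lookups are constructed stand-ins, and the threat-score threshold is an assumption.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed stand-ins for the sandbox, DNS, geolocation and endpoint lookups
# (assumed interfaces; in Phantom these would be app actions against real assets).
SANDBOX_SCORE = {"invoice.pdf": 85, "http://bad.example/payload": 60}
DNS = {"bad.example": "203.0.113.7"}
GEO = {"203.0.113.7": "XX"}                  # "XX" = placeholder country code
COUNTRIES_OF_CONCERN = {"XX"}
ENDPOINT_SIGHTINGS = {"invoice.pdf": ["host-17", "host-42"]}
BLOCK_THRESHOLD = 70                         # assumed threat-score cut-off
URL_RE = re.compile(r'https?://[^\s"<>]+')

def sample_email() -> EmailMessage:
    """Constructed forwarded email with one URL in the body and one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "FW: suspicious invoice"
    msg.set_content("Please check http://bad.example/payload and the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg

def investigate(msg: EmailMessage) -> list:
    """Mirror the playbook's two branches; return the ordered list of actions taken."""
    actions = []
    # Branch 1: attachments -> detonate, score, then hunt (data source + endpoints).
    for part in msg.iter_attachments():
        name = part.get_filename()
        score = SANDBOX_SCORE.get(name, 0)
        actions.append(("detonate file", name, score))
        if score >= BLOCK_THRESHOLD:
            actions.append(("hunt file", name, ENDPOINT_SIGHTINGS.get(name, [])))
    # Branch 2: URLs -> detonate, resolve IP, geolocate, score, then hunt and block.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in dict.fromkeys(URL_RE.findall(text)):      # de-duplicate, keep order
        host = urlparse(url).hostname
        ip = DNS.get(host)
        score = SANDBOX_SCORE.get(url, 0)
        if ip and GEO.get(ip) in COUNTRIES_OF_CONCERN:
            score += 20                                   # geolocation raises the score
        actions.append(("detonate url", url, score))
        if ip and score >= BLOCK_THRESHOLD:
            actions.append(("hunt ip", ip))
            actions.append(("block ip", ip))
    return actions

if __name__ == "__main__":
    for action in investigate(sample_email()):
        print(action)
```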

Phantom executes these actions automatically based on a Playbook the analyst has defined.  It happens without error and much faster than when this workflow is handled manually.

No longer does the analyst need to spend an hour collecting the context needed to assess a suspicious email.  In fact, as an additional step, the email and any related files can even be automatically removed from all mailboxes across the network, saving time on remediation.

The savings are substantial for an organization that sees even an average volume of suspicious email.   You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

Director, Security Engineering
Phantom Cyber

About Phantom:
Phantom automates enterprise security operations. In the face of problematic trends including the dramatic increase and volume of attacks, severe shortages in qualified personnel, growth in the diversity and complexity of IT security environments and unforgiving consumers, investors and regulators holding management to task for breaches, Phantom arms security operations with the automation and orchestration solutions that ready them to defend their company’s business.  

Visit to register for Phantom Community Edition, a free version of Phantom.
