Getting Started with Assets in Phantom

Hopefully by now you’ve downloaded and booted up your copy of Phantom.  If not, you can register for the Free Community Edition of Phantom and join our $10,000 Playbook & App Contest here.

One of the first things you will want to do after downloading Phantom is make sure you have Assets to work with. Assets are the devices, software and services that Phantom talks to in order to gather information and take action. You can read more about Phantom and Assets here.

In the latest release, a brand-new Phantom instance has three Assets already on it: Whois, Volatility, and MaxMind (IP geolocation). Whois is included because it depends on open Internet servers that require no authentication, so we can create that asset for you. Volatility and MaxMind are included because those services run on the Phantom server itself. MaxMind is a commercial product, but we’ve licensed it for you to use with Phantom (you’re welcome). So these three services don’t require any credentials to use.

There’s also a fourth built-in Asset type, though it’s not pre-configured: the REST data source. It’s usually used for pushing data from an external program. We will cover it in a future blog post, or you can read about it now in the documentation (Phantom Portal login required).

For all the others, you’re going to need usernames and passwords or API keys. Some of these other asset types you would have to purchase or own, such as hardware firewalls. Others, like Windows servers and endpoints, you probably already have. The set we’d like to focus on for the moment is cloud services that you can sign up for at no cost, just so you have a few more assets to help you get a feel for Phantom.

Let’s add some email services and a couple of reputation services, VirusTotal and Anubis. You can use just about any free email service you like, such as Google Mail. You might want to set up a new account just for this purpose, so that you’re not experimenting with a mailbox you care about.

Create the account, and take note of the username and password. You will also need the IMAP and SMTP settings for the provider. Use these to create IMAP and SMTP assets. For Google Mail, they will look something like this:

[Screenshots: blog_imap1, blog_imap2, blog_imap3]

After you have saved the asset, you should do a “test connectivity” on the Asset Settings tab to make sure your settings are correct. Then use “Poll Now” on the Ingest Settings tab to grab some emails into the system. Do about 10 containers and 10 artifacts to have some data to work with.

Create the SMTP asset in a similar way; it will be used for sending email from the Phantom server.

Create yourself an account on virustotal.com. Once signed in, click on your user profile, and select “My API Key.” Create a VirusTotal asset and paste your API key into the settings. Again, “Test Connectivity” will confirm that your settings are correct. You can do the same for Anubis.

With these in place, I have opened the container for an email with a .exe attachment, which is now in the Vault. Then I opened Mission Control, and have taken a “detonate file” context action by clicking on the vault file:

[Screenshot: blog_anubis]

Note that Anubis can take a long time to process files when it has a backlog to work on.

This demonstrates how hooking up a few assets in Phantom can let you start automating some routine tasks immediately, such as taking the URL from another email and running a whois on the domain to see who the contacts are:

[Screenshot: blog_whois]

Here, I had just clicked on a URL in Mission Control again, and selected the “whois domain” command.
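Both actions above start from observables inside an ingested email: the attachment that gets detonated and the domain of a URL that gets passed to whois. The following is an added example, not Phantom's code and not part of the original post, that pulls those observables out of a message with Python's standard library; the sample message, its addresses and the function name `extract_observables` are constructed for illustration.

```python
import hashlib
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample message (not real data): one URL and one .exe attachment.
SAMPLE_EML = """\
From: sender@example.com
To: phantom-lab@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review http://billing.example.net/invoice?id=42 today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_observables(raw):
    """Return the URLs, domains and attachment hashes found in one email."""
    msg = message_from_string(raw, policy=policy.default)
    urls, files = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # Hash the decoded bytes; the hash can be looked up before detonating.
            data = part.get_payload(decode=True) or b""
            files.append({"name": part.get_filename(),
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "size": len(data)})
        elif part.get_content_maintype() == "text":
            urls += [u.rstrip(".,;)") for u in URL_RE.findall(part.get_content())]
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {"urls": urls, "domains": hosts, "files": files}

if __name__ == "__main__":
    print(extract_observables(SAMPLE_EML))
```

The `domains` list is what you would hand to a whois lookup, and each `sha256` is what you would check against a reputation service such as VirusTotal.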

Other asset types, like Splunk and VMware ESXi, you can easily get evaluation copies of. Both of those companies will let you register on their sites and get demo licenses. One of my favorite things to do with Phantom is to run Volatility actions on VM memory snapshots. Just make a VMware asset, run the “list vms” command, click on one of the VMX files, “snapshot vm”, go to the Vault, click on the snapshot file, “find malware”. It takes about 90 seconds, and most of that time was downloading the snapshot into the Vault.

Ryan Russell
Phantom Cyber
