Playbook Series: Trigger a Playbook from an IOC

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

A simple script can post an IOC (e.g. an IP address or a file hash) to Phantom, and that post kicks off a Playbook. Perhaps you want a Playbook to run an investigation whenever a specific file hash is detected: mark that Playbook active and it will run the investigation every time a new hash is posted.

Note: You can download the script and Playbook to use in your Phantom deployment.

Here are the steps to set up and use it:

  1. Create a new REST asset (Administration / Assets) on your Phantom instance (Product Vendor: Generic, Product Name: ‘REST Data Source’):
    • In the asset settings, choose ‘any’ as the IP of the host from which the hash will be posted, since you want any user to be able to post it.
    • In the Ingest Settings section, set the label to ‘filehash’.
    • You can choose any label, but remember to update the script so that it uses the same label for the container.
  2. When you have created and saved the REST asset, the Auth token appears on the Ingest Settings tab. Update the script to use this auth token.
  3. Also update the address of your Phantom instance in the script.
  4. To use the script, all you need to do is run: python2.7 post_hash.py <hash>
  5. On Phantom you should now see the filehash container.
  6. Create your Playbook that performs all of its actions on cef.fileHash, and mark it as active.
    • Once marked active, it will automatically run every time a new hash is posted.
  7. The Playbook simply does a VirusTotal lookup and sends an email with the results.
    • Update the Playbook with whatever email address you want the result sent to.
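The steps above describe what the post's post_hash.py does without showing it. The following is an added example, not the post's script and not Phantom's own code: a Python 3 version that validates the hash, builds the container with a cef.fileHash artifact, and POSTs it with the ingest token. The endpoint path /rest/container, the ph-auth-token header and the JSON shape are assumptions based on the Phantom REST API; PHANTOM_URL and the token are placeholders to replace with your instance address and the token from the asset's Ingest Settings tab. Because the REST asset accepts posts from 'any' host, the token is the only thing gating container creation, so the example reads it from the environment rather than hard-coding it, and it rejects anything that is not a hex MD5/SHA-1/SHA-256 before it can become a container.

```python
"""Added example (not the post's post_hash.py): create a 'filehash' container
in Phantom over REST.  Endpoint, header and payload shape are assumptions
about the Phantom REST API; URL and token are placeholders."""
import json
import os
import re
import sys
import urllib.request

PHANTOM_URL = "https://phantom.example.invalid"          # placeholder: your instance address
PHANTOM_TOKEN = os.environ.get("PHANTOM_TOKEN", "REPLACE_WITH_INGEST_AUTH_TOKEN")  # from Ingest Settings tab
LABEL = "filehash"                                        # must match the REST asset's label

# Accept only hex MD5 (32), SHA-1 (40) or SHA-256 (64) digests.  Rejecting
# everything else means a typo or an injected string never becomes a container
# that an active Playbook would then act on.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalize_hash(value):
    """Return the lower-cased hex hash, or None if it is not MD5/SHA-1/SHA-256."""
    candidate = value.strip().lower()
    return candidate if HASH_RE.match(candidate) else None


def build_container(file_hash, label=LABEL):
    """JSON body for POST /rest/container.  The label decides which active
    Playbooks run; the artifact carries the hash in cef.fileHash, which is
    the field the post's Playbook reads."""
    return {
        "name": "File hash submitted for investigation: %s" % file_hash,
        "label": label,
        "artifacts": [{
            "name": "file hash",
            "label": "ioc",
            "cef": {"fileHash": file_hash},
            "run_automation": True,
        }],
    }


def _urllib_send(endpoint, headers, body):
    """Default transport: HTTPS POST with certificate verification left on."""
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def post_hash(value, url=PHANTOM_URL, token=PHANTOM_TOKEN, send=None):
    """Validate the hash and POST the container.  `send` lets a caller inject
    a transport (used here for offline testing); it receives the endpoint,
    the headers and the encoded JSON body and returns Phantom's reply."""
    file_hash = normalize_hash(value)
    if file_hash is None:
        raise ValueError("not an MD5/SHA-1/SHA-256 hex hash: %r" % value)
    body = json.dumps(build_container(file_hash)).encode()
    headers = {"ph-auth-token": token, "Content-Type": "application/json"}
    if send is None:
        send = _urllib_send
    return send(url.rstrip("/") + "/rest/container", headers, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: post_hash.py <hash>")
    print(post_hash(sys.argv[1]))
```

Run it as `PHANTOM_TOKEN=... python3 post_hash.py <hash>`; the reply from Phantom contains the id of the new container, which you should then see listed under the filehash label.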

Here is the email from this Playbook:

[Screenshot: the email sent by this Playbook]

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Sourabh Satish
CTO & Co-Founder
Phantom

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Phantom Announces Strategic Investment and Development Agreement with In-Q-Tel (IQT)

After nearly two years of hard work, we launched Phantom’s security automation and orchestration platform in January and the level of interest has been remarkable.  It’s rare to see a new category appear in the security industry these days – with well over a thousand point product vendors and counting. But we’re seeing exactly this when it comes to security automation and orchestration.  With the typical enterprise having over 50 security products, and 75% of enterprises admitting to routinely ignoring security alerts, we have no choice but to automate.

Today we’re happy to announce new strategic funding from In-Q-Tel, allowing us to further accelerate the development of critical capabilities required by both the commercial enterprise and government agencies alike.  This funding will allow us to expand even faster on the great foundation that the Phantom team has built.

Here is the link to the full press release.  The text is also included below.

Oliver Friedrichs
CEO & Founder
Phantom

Phantom Announces Strategic Investment and Development Agreement with In-Q-Tel (IQT)

Fuels Further Innovation of the Industry’s Leading Platform for Security Automation & Orchestration

Palo Alto, Calif. – April 26, 2016 — Phantom, the first company to provide an open community for security automation and orchestration, today announced a strategic investment and technology development agreement with In-Q-Tel (IQT), the independent, non-profit strategic investor that identifies, adapts and delivers innovative technology solutions to support the mission of the U.S. Intelligence Community.

The partnership fuels Phantom’s mission to provide a layer of “connective tissue” that enables organizations to integrate their existing, disparate security technologies.

Julian Mann, Principal, Investments at IQT said, “Phantom is pioneering an automation and orchestration platform that will dramatically reduce the response and remediation gap caused by limited resources, an increasing threat surface and incident rate, and the overwhelming complexity of an organization’s security enterprise.”

Recently recognized as the Most Innovative Company at the 2016 RSA Conference, Phantom streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of point products used in typical security environments. Focused on enhancing security operations, Phantom doesn’t replace existing security products, but instead makes an organization’s investment smarter, faster and stronger.

“We’ve seen tremendous interest in Phantom from the private sector and expect the benefits from a purpose-built, community-powered platform for security automation and orchestration to be revolutionary for the public sector as well,” said Oliver Friedrichs, CEO and Founder of Phantom.

While not strictly open source, Phantom is expandable by the user community. Phantom Apps allow users to create connectors to in-house or more obscure security technologies and abstract their APIs back to the platform. Phantom Apps are Python modules, allowing anyone in the community to expand the platform and contribute Apps to the Phantom App store.  Similarly, Phantom Playbooks are also written in Python and can be customized at will by the community. Playbooks are synchronized via Git and published on a public GitHub repository.  For more information, or to download the Free Community Edition of Phantom, visit http://www.phantom.us/product.

About Phantom
Phantom, an award-winning company, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Playbook Series: Don’t Just Integrate, Orchestrate

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.  The spotlight Playbook for today covers malware analysis and investigation with Cisco’s AMP Threat Grid and other products.

Automating your security technologies to work the way you want is still a bit visionary, but orchestration is not. Nowadays, we have too many security problems to manage, as discussed here in a blog about The Security Patchwork Problem. Security products have been built to address a very specific niche, and you end up having 40-60+ technologies to manage just to ensure you’re maintaining confidentiality and integrity.

Take a malware analysis tool, or sandbox, for example. They are generally a standalone tool that sits on a network TAP or SPAN, operated by a security analyst who uses it to identify and block malware from entering the network. Unfortunately, according to one ESG study, most of the alerts produced are ignored. That’s pretty much the extent of it. Little to no remediation, and it doesn’t talk to the other tools that you have, such as firewalls, proxies, or even a SIEM, to say it has blocked a specific domain, IP, or hash based on analysis. AMP Threat Grid was built with a very robust REST API that allows users to automate sample submissions and retrieve results. But what if you want to go further and automate your entire workflow from detection through analysis to blocking and remediation? Without heavy scripting, that hasn’t really been possible, until now. Orchestration has been a core tenet of DevOps engineers since the get-go.

Now it’s time for security to come out of the dark ages of manual investigation and adopt orchestration. Phantom allows you to quickly and seamlessly create a playbook for a specific action to be taken with technologies like Threat Grid. The integration has a lot of basic functionality that can automate actions from Threat Grid including

  • File submission
  • Report retrieval
  • URL submission

Sound pretty good so far? It gets a lot better. Instead of just automating the submission and retrieval of suspect files, you can go all the way through your workflow in a very automated way.  For example, your security analysts are tired of continually updating the email gateway rules due to all the phishing attempts and you want to streamline the process. Here is how the integration of Threat Grid and Phantom could play out:

[Figure: the Threat Grid Playbook flow]

  • Look up file hash in Cisco AMP, or Virus Total, to determine reputation.
  • If none is found, send any file attachment to Threat Grid for analysis.
  • Then look up the source IP in VirusTotal.
  • And since your security analysts are paranoid, you opt to validate the information and look up the IP in OpenDNS.
  • Now they go a step further and want the geo location associated with the IP address so you look that up in another tool, maybe Maxmind.
  • Perhaps you want to block all emails coming in from an arbitrary country. Let’s say Canada (since I’m Canadian).
  • Analysis is done running, so retrieve results from Threat Grid – turns out it’s malware.
  • Based on this information you might want to block the source IP and hash value in your Cisco ASA firewall.
  • And you found a number of instances of the file in your environment. Your workflow dictates you quarantine the assets from the network with Cisco ISE for further remediation.

All this can be automated, instead of having a person go through and do the scripting, saving hours for each investigation, and even more when you begin to automate quarantine and remediation actions based on findings within Threat Grid.

Be sure to sign up for your free trial account of Threat Grid here: https://info.sourcefire.com/tgportalinfo.html

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks like the one featured above in action.

Joe Malenfant
Product Marketing
Cisco

Playbook Series: IOC Blocking

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

The spotlight Playbook for today covers IOC Blocking. This is a common use case as customers look to action their threat intel. In simple terms, it’s a way to take all your lists of known ‘badness’ (i.e. IPs, URLs, hashes, email addresses, domains, etc.) and distribute them to blocking technologies for automation.

IOC Blocking

In this scenario, Phantom ingests STIX-based threat intel before taking the following actions:

  • Block the IP on Cisco ASA (or another product).
  • Block the URL on Palo Alto Networks NGFW (or another product).
  • Block the Application on Juniper (or another product).
  • Block a File Hash on the endpoint.
  • Block the Domain on OpenDNS (or another product).

With Phantom you could orchestrate all five blocking actions or some combination thereof.  You could even create decision logic that selects specific actions based on criteria you define in the Playbook.  Many of our users have described Playbooks like this example as a way to “close the loop” or “go full circle” on their threat intel.
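The decision logic the paragraph above alludes to, selecting a blocking action per indicator, is the part worth seeing written down. The following is an added example, not a Phantom Playbook and not the post's code: it walks a constructed STIX 2.1-style bundle (the post only says "STIX-based"; the 2.1 pattern syntax and the sample indicators are my assumptions), maps each observable type to one of the five block actions listed above, and applies a guardrail that refuses to push internal addresses to a perimeter block. The `dispatch` callable that would invoke the real products is hypothetical and supplied by the caller, so the module runs offline. The "block application" action has no STIX observable to derive from in this example and is left out of the mapping.

```python
"""Added example (not a Phantom Playbook): route STIX indicators to block
actions with a safety guardrail.  Bundle contents and the `dispatch`
callable are constructed/hypothetical."""
import ipaddress
import re

# Constructed sample bundle (not real threat intel).  indicator--5 is an
# internal address deliberately included to exercise the guardrail.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--constructed-sample",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--2", "pattern": "[url:value = 'http://bad.example/payload']"},
        {"type": "indicator", "id": "indicator--3", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--4", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--5", "pattern": "[ipv4-addr:value = '10.0.0.5']"},
        {"type": "malware", "id": "malware--1", "name": "not an indicator, ignored"},
    ],
}

# One single-comparison STIX pattern: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")

# Observable type -> (action, product) following the post's list of actions.
ACTION_FOR = {
    "ipv4-addr": ("block ip", "Cisco ASA"),
    "url": ("block url", "Palo Alto Networks NGFW"),
    "domain-name": ("block domain", "OpenDNS"),
    "file": ("block hash", "endpoint"),
}

# Ranges an organisation would never want pushed to a perimeter block list
# (RFC 1918, loopback, link-local).  Extend with your own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_indicator(pattern):
    """Return (object_type, property, value) or None if the pattern is not a
    single comparison we understand."""
    m = PATTERN_RE.match(pattern)
    if not m:
        return None
    return m.group("obj"), m.group("prop"), m.group("value")


def is_safe_to_block(obj_type, value):
    """Guardrail: reject empty values and internal IP addresses."""
    if obj_type == "ipv4-addr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(ip in net for net in INTERNAL_NETS)
    return bool(value)


def plan_actions(bundle):
    """Decide which block action each indicator gets.  Returns the planned
    actions and a list of (indicator id, reason) for everything skipped, so
    the skips can be reviewed rather than silently dropped."""
    planned, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        parsed = parse_indicator(obj.get("pattern", ""))
        if parsed is None:
            skipped.append((obj["id"], "unparsed pattern"))
            continue
        obj_type, _prop, value = parsed
        if obj_type not in ACTION_FOR:
            skipped.append((obj["id"], "no block action for " + obj_type))
            continue
        if not is_safe_to_block(obj_type, value):
            skipped.append((obj["id"], "guardrail rejected " + value))
            continue
        action, product = ACTION_FOR[obj_type]
        planned.append({"indicator": obj["id"], "action": action, "product": product, "value": value})
    return planned, skipped


def run(bundle, dispatch):
    """Plan, then hand each action to the caller's dispatch(action, product, value)."""
    planned, skipped = plan_actions(bundle)
    for p in planned:
        dispatch(p["action"], p["product"], p["value"])
    return planned, skipped


if __name__ == "__main__":
    done, held = run(SAMPLE_BUNDLE, lambda a, p, v: print("would", a, "on", p, ":", v))
    print("planned:", len(done), "skipped:", held)
```

The skipped list is the piece to keep in any real version: an indicator that is silently dropped is as much an operational failure as one that is wrongly blocked, and reviewing the reasons is how you find feed entries that need a human.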


The savings are substantial for an organization that sees even an average volume of events.   You can read more about the ROI of Automation & Orchestration here.


The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

CP Morey
VP, Products & Marketing
Phantom


Phantom to Sponsor Hack-a-thon at Black Hat

Security Automation & Orchestration exists to bring existing technologies together.  At Phantom, we think of it as the “connective tissue” making them smarter, faster and stronger.  We also think that an open community approach is the only way to build a Security Automation & Orchestration platform, and we’ve made significant investments to support this in the market.

For example, the Phantom Community Edition is a free version of our full product that offers organizations 100 actions per day to automate and orchestrate their security operations.  Even the architecture of our product is based on ‘openness’ with Phantom Playbooks and Apps written in Python so they can be customized at will and shared via our GitHub repository and App store.  Since January, we’ve had a contest with cash prizes underway to support the development of Playbooks and Apps, and we’ve seen strong interest from the community.

It’s this same commitment to the community that led us to today’s announcement.  We’re proud to pledge our support as the sponsor of the Hack-a-thon contest taking place at Black Hat this summer during the Coding for Security Pros: Black Hat Edition course.


The course will be led by noted security expert, VP & CISO of Optiv, Jonathan Trull, and when he shared his goals for the students, it was clear that our philosophies align.   The chance to partner with Jonathan was an easy decision; an opportunity to once again put our money where our mouth is to help build the community, give people a chance to showcase their skills and advance their efforts in protecting their organizations all at once.

All students registering for the class will be given a Phantom Community Edition license for use before and after Black Hat and during the Hack-a-thon in the class.  As part of the Phantom Community, students will be invited to Tech Sessions to learn more about Phantom and how it uses Python for automation and orchestration.

The Phantom team will be onsite during Black Hat to help with questions and serve on the judges panel for the Hack-a-thon.  We’re also announcing a $2,500 cash prize that will be awarded to one lucky student selected as the winner of the competition.

Be sure to register for the class before May 27th (updated: July 23rd) to receive Black Hat’s early bird discount (updated: regular price).  We look forward to seeing you in Vegas!

CP Morey
VP, Products & Marketing
Phantom
