New App for Phishing Investigations

I recently joined Phantom, and I am very excited to help grow the 1st community-powered Security Automation & Orchestration platform.

There are several ways that you can contribute to the community.  Creating and sharing Phantom Apps is a great way to get started (you can read more about Phantom Apps here).

My first Phantom App allows for integration with screenshotmachine.com.  This website provides a service that uses RESTful APIs to take a screenshot of a webpage and return an image.  The App requires you to have an account with screenshotmachine.com and then uses your account’s API key and secret phrase, if you have one configured, to generate a screenshot of a given URL.


So how does Phantom’s integration with this service fit into the security space?  One way is to help with phishing investigations.

Phishing emails can often include URLs that point to sites that look legitimate, but are in fact designed to deceive users into infecting a computer or releasing sensitive information.  The screenshotmachine.com App can be used to capture an image of these types of sites, which can then be shared with users for educational announcements or stored as a record of potential threats.
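As an added example (not the post's App code, and not screenshotmachine.com's published client), here is the shape of a safe "capture a phishing page" action. The endpoint, the parameter names (`key`, `size`, `url`, `hash`) and the signing scheme (MD5 over the URL plus the secret phrase) are assumptions about the service's API, so check its documentation before relying on them; the points that carry over regardless are refusing non-web URLs and checking that what comes back is actually an image before it is stored as evidence.

```python
import hashlib
from urllib.parse import urlencode, urlparse

# Assumed endpoint and parameter names (not taken from the post); verify against
# the service's own documentation before use.
API_ENDPOINT = "https://api.screenshotmachine.com/"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def build_screenshot_request(target_url: str, api_key: str, secret_phrase: str = "") -> str:
    """Return the GET URL that asks the service for a screenshot of target_url."""
    parsed = urlparse(target_url)
    # Only web URLs are screenshotted: a link lifted from a phishing email must
    # never be turned into a file://, javascript: or other non-HTTP request.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"refusing to screenshot non-web URL: {target_url!r}")
    params = {"key": api_key, "size": "L", "url": target_url}
    if secret_phrase:
        # Assumed signing scheme: md5(url + secret phrase), so the secret phrase
        # itself is never sent on the wire.
        digest = hashlib.md5((target_url + secret_phrase).encode("utf-8")).hexdigest()
        params["hash"] = digest
    return API_ENDPOINT + "?" + urlencode(params)


def looks_like_image(body: bytes) -> bool:
    """Check magic bytes rather than trusting a Content-Type header."""
    return body.startswith(PNG_MAGIC) or body.startswith(JPEG_MAGIC)


def screenshot_evidence(target_url: str, api_key: str, secret_phrase: str, fetch) -> dict:
    """Capture a page and return an evidence record.

    fetch(url) -> bytes is injected so the flow can be exercised offline; in a
    real App it would be the HTTP GET against the service.
    """
    body = fetch(build_screenshot_request(target_url, api_key, secret_phrase))
    if not looks_like_image(body):
        # An HTML error page (bad key, exhausted quota) must not be filed as a screenshot.
        raise RuntimeError("service did not return an image; check key and quota")
    return {
        "url": target_url,
        "sha256": hashlib.sha256(body).hexdigest(),  # lets the record be verified later
        "bytes": len(body),
    }


if __name__ == "__main__":
    # Offline run with a constructed fetcher that returns a minimal PNG header.
    fake_fetch = lambda url: PNG_MAGIC + b"\x00" * 16
    print(screenshot_evidence("https://example.com/login", "KEY", "phrase", fake_fetch))
```

The SHA-256 in the record is what makes the stored image useful as "a record of potential threats": anyone reviewing the case later can confirm the file was not altered since capture.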

Phantom’s open and extensible platform allows you to interface with nearly any service, even those with actions as simple as taking a screenshot.

I’ll be publishing this App in the Phantom App Store soon.  You will be able to find it on the Phantom Portal when it’s available.

Are you planning to build a Phantom App?  Check out these resources for help:

  • Watch: There have been two Phantom Tech Sessions on App Development.  Sign in to the portal (https://my.phantom.us/) and watch the videos from the Tech Sessions recorded on April 9th & May 7th.
  • Talk: Join our Slack channel: phantom-community.  In addition, Sourabh Satish (Phantom CTO) holds “Office Hours” to help with App development.  If you have questions, you can book a 30 minute 1-on-1 session with Sourabh for help.  He is available daily from noon – 12:30 PDT.  Book by sending an email to sourabh@phantom.us.
  • Read: Sign in to the portal (https://my.phantom.us/).  Click “Learn” on the menu, you’ll have access to full documentation on Apps, including the actions that each App can take.  We share tips on developing Apps as well.

Interested in seeing how Security Automation & Orchestration can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions.

Michael Weinberger
Security Engineer
Phantom

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

IR Fire Drills and Automation

TechCrunch shared a blog post last week (Why Incident Response Plans Fail) describing how even the best IR plans become entangled while teams cycle through confusing “storming sessions” arguing over who owns what.  Meanwhile, response time worsens and the IT environment suffers further damage.

Automation of IR plans is a common use case.  While some can be simple scenarios aimed at helping responders collect data for further investigation, other use cases can be quite complex.  Consider this scenario where 8 different products orchestrate the investigation and containment of a phishing attack with as many steps:

TG Playbook

Note: this playbook will be featured during our Tech Session on Friday, May 20 at Noon ET / 9 am PT (register).

In cases like the one depicted above, there are often multiple “owners” not only within the security team, but across the entire IT organization.  The complexity of the plan and handoffs between teams can even show signs of strain in a simulation, as shared in the TechCrunch post.

I agree with the author’s suggestions to keep lines of communication open, bring suppliers (and other critical partners) into the planning, and remain flexible in times of stress.  I’d add a suggestion to the list though.  Consider how automation can help reduce confusion during an incident and ensure a timely, well planned response is executed.

Some companies considering automation think of it in a binary sense.  You are either automated or not.  It’s actually more like a spectrum where humans may be in, out or on the loop.

In an “in the loop” scenario, an analyst may need to approve further actions before the automation continues.  For example, a playbook may collect data from an IP reputation service and drop a suspicious email attachment into a sandbox, but pause for an analyst to review the information collected before approving a block action on the firewall.

An “out of the loop” scenario is what most imagine when thinking of automation.  A playbook runs from start to finish without human intervention.  Though exceptions may be reported, the system is fully autonomous.

“On the loop” exists somewhere in between the previous two.  In this case, an analyst is able to monitor automation and even choose to reverse actions after they have executed.

When considering automation for IR, it’s best to think about how the “in, out or on the loop” spectrum aligns to the goals of the plan.  Full automation is often not possible in complex use cases, but certainly can reduce confusion and improve response times.
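To make the three positions on the spectrum concrete, here is an added example (my own illustration, not Phantom playbook code) of a small orchestrator running the phishing chain from above: reputation lookup, sandbox detonation, then a firewall block. The reputation table, sandbox verdicts and firewall are constructed stand-ins; the modes are named "in", "out" and "on" to match the post.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Action:
    name: str
    run: Callable[[Dict], str]                      # performs the step, returns a summary
    undo: Optional[Callable[[Dict], None]] = None   # set only for actions an analyst may reverse
    needs_approval: bool = False                    # gate consulted in "in the loop" mode


@dataclass
class Orchestrator:
    mode: str                                       # "in", "out" or "on"
    approver: Callable[[Action, Dict], bool] = lambda action, ctx: True
    audit: List[str] = field(default_factory=list)  # every decision is recorded

    def run(self, actions: List[Action], ctx: Dict) -> Dict:
        for action in actions:
            if self.mode == "in" and action.needs_approval and not self.approver(action, ctx):
                # In the loop: the playbook pauses here; nothing after the gate runs.
                self.audit.append(f"{action.name}: held for analyst approval")
                return ctx
            # Out of the loop and on the loop both execute without waiting.
            self.audit.append(f"{action.name}: {action.run(ctx)}")
        return ctx

    def reverse(self, action: Action, ctx: Dict) -> None:
        # On the loop: the action already ran; the analyst rolls it back afterwards.
        if action.undo is None:
            raise ValueError(f"{action.name} cannot be reversed")
        action.undo(ctx)
        self.audit.append(f"{action.name}: reversed by analyst")


# Constructed stand-ins for the IP reputation service, sandbox and firewall.
REPUTATION = {"198.51.100.7": "malicious"}
SANDBOX_VERDICTS = {"invoice.doc": "drops executable"}


def lookup_reputation(ctx: Dict) -> str:
    ctx["reputation"] = REPUTATION.get(ctx["sender_ip"], "unknown")
    return ctx["reputation"]


def detonate_attachment(ctx: Dict) -> str:
    ctx["sandbox"] = SANDBOX_VERDICTS.get(ctx["attachment"], "clean")
    return ctx["sandbox"]


def block_ip(ctx: Dict) -> str:
    ctx.setdefault("firewall_blocks", set()).add(ctx["sender_ip"])
    return f"blocked {ctx['sender_ip']}"


def unblock_ip(ctx: Dict) -> None:
    ctx["firewall_blocks"].discard(ctx["sender_ip"])


BLOCK = Action("block sender on firewall", block_ip, undo=unblock_ip, needs_approval=True)
PHISHING_CHAIN = [
    Action("ip reputation lookup", lookup_reputation),
    Action("detonate attachment", detonate_attachment),
    BLOCK,
]


def analyst_policy(action: Action, ctx: Dict) -> bool:
    """Constructed approval rule standing in for the analyst's review of collected data."""
    return ctx.get("reputation") == "malicious" and ctx.get("sandbox") != "clean"


def run_phishing_playbook(mode: str, approve: Callable[[Action, Dict], bool] = analyst_policy):
    """Run the chain for a constructed phishing alert; returns (context, orchestrator)."""
    ctx = {"sender_ip": "198.51.100.7", "attachment": "invoice.doc"}
    orch = Orchestrator(mode=mode, approver=approve)
    orch.run(PHISHING_CHAIN, ctx)
    return ctx, orch


def reverse_block_after_review():
    """On the loop: the chain ran unattended, then the analyst undoes the block."""
    ctx, orch = run_phishing_playbook("on")
    orch.reverse(BLOCK, ctx)
    return ctx, orch


if __name__ == "__main__":
    for mode in ("in", "out", "on"):
        ctx, orch = run_phishing_playbook(mode)
        print(mode, ctx.get("firewall_blocks", set()), orch.audit)
```

The audit trail is the part that earns its keep during the "storming sessions" the TechCrunch post describes: it answers "who blocked what, and on what evidence" without anyone having to remember.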

Interested in seeing how Security Automation & Orchestration can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing
Phantom


Phantom + Shodan for Internet Connected Devices

We’re in the final two weeks of the Phantom Playbook & App Contest, so the early entries are coming in for review.

The contest has been a great way to invest in the community.  It’s also been fun to watch people collaborate and develop their ideas into Phantom Playbooks and Apps.

Today, we’re sharing a great entry built around Shodan, the first search engine for internet connected devices.  Kudos to Ryan Kranz for his work!  You can find the Phantom Playbook and App for Shodan here: https://github.com/kranzrm/PhantomShodan


Ryan even suggested a few use cases with his entry.  Users can check whether or not an IP address is listening on specific ports, gaining information that is credible and publicly accessible without a single packet being sent to the IP address in question.

For Example:

  • For alerts about an inbound connection, Phantom can validate whether or not the service is publicly accessible.
  • For alerts regarding outbound connections (irc, smtp, ntp, etc.) the App can be used to verify whether or not the host is hosting the service and which service is listening on the port.
  • Users can also perform reconnaissance on internet hosts.
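The first two use cases above are a small decision procedure over a Shodan host record, so here is an added example (my own, not Ryan's App) of that logic. The host record is a constructed sample in the shape Shodan returns (`ip_str`, `ports`, and a `data` list of banners with `port`, `transport` and `product`); the triage rules and wording are mine.

```python
from typing import Dict, Optional

# Constructed sample in the shape of a Shodan host record (not real data).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [22, 25, 443],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "timestamp": "2016-05-01T10:00:00"},
        {"port": 25, "transport": "tcp", "product": "Postfix smtpd", "timestamp": "2016-05-01T10:00:00"},
        {"port": 443, "transport": "tcp", "product": "nginx", "timestamp": "2016-04-20T08:00:00"},
    ],
}


def service_on_port(host: Dict, port: int, transport: str = "tcp") -> Optional[str]:
    """Product Shodan last saw on the port, or None if no banner was recorded there."""
    for banner in host.get("data", []):
        if banner.get("port") == port and banner.get("transport", "tcp") == transport:
            return banner.get("product") or "unidentified service"
    return None


def last_seen(host: Dict, port: int) -> Optional[str]:
    """Timestamp of the banner, so an analyst can judge how stale the answer is."""
    for banner in host.get("data", []):
        if banner.get("port") == port:
            return banner.get("timestamp")
    return None


def triage_inbound(host: Dict, port: int) -> str:
    """Alert about a connection to one of our own hosts: is that port public at all?"""
    svc = service_on_port(host, port)
    if svc is None:
        return f"port {port} not publicly exposed per last scan; alert may be internal or the scan is stale"
    return f"port {port} is publicly reachable ({svc}, seen {last_seen(host, port)}); inbound traffic is expected"


def triage_outbound(host: Dict, port: int, expected: str) -> str:
    """Alert about a connection from our network to a remote host on a given port.

    expected is the service the port number implies (e.g. "smtp" for 25).
    """
    svc = service_on_port(host, port)
    ip = host.get("ip_str", "?")
    if svc is None:
        return f"suspicious: no public {expected} listener recorded on {ip}:{port}"
    if expected.lower() in svc.lower():
        return f"expected: {ip}:{port} serves {svc}"
    return f"mismatch: {ip}:{port} serves {svc}, not {expected}"


if __name__ == "__main__":
    print(triage_outbound(SAMPLE_HOST, 25, "smtp"))
    print(triage_outbound(SAMPLE_HOST, 6667, "irc"))
    print(triage_inbound(SAMPLE_HOST, 3389))
```

Because the answer comes from Shodan's last scan rather than a live probe, the timestamp matters: a "not publicly exposed" verdict on a banner that is months old is a prompt to look further, not a reason to close the alert.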

It’s a great example of what you can do with Phantom. You don’t have to take Ryan’s word for it (or mine).  See for yourself.  Join the contest or just sign-up for the free Community Edition of our product.  Here are a few links to help:

The contest runs through the end of May.  Interested in participating?  (get info & register)  When you register, you’ll automatically get a Community Edition account.

Just want to skip the contest and get access to the Community Edition?  (get Phantom)  Once you have an account, sign in to the portal and click “Learn” on the menu.  You’ll see full documentation, the knowledgebase and helpful videos.

Building a Phantom Playbook or App and have questions?  Sourabh Satish (our CTO) holds “Office Hours” to help.  Simply send an email to sourabh@phantom.us.  He has opened his calendar daily from noon – 12:30 PDT… first come, first serve.  You can also join our Slack channel by sending an email request to Sourabh.

Have you been to a Phantom Tech Session?  We host them every two weeks.  Check out the recorded sessions that focus on App Development (Part 1 and Part 2).

Hope to see you in the Community!

CP Morey
VP, Products & Marketing
Phantom



Floodlight App: Community Powered

Phantom enables collaboration in the security community through the use of open source Apps and Playbooks.  Phantom Apps are connectors capable of connecting to the management APIs of security applications, products and services to orchestrate the environment from within the Phantom platform.  Phantom Apps are Python modules, allowing anyone to expand the platform and contribute Apps to the Phantom App store.

This App model is one of the reasons that we refer to Phantom as being “Community Powered”.  You can read more about Phantom and Apps here.

We are pleased to spotlight (no pun intended) a new Phantom App that was built by the community.  The Phantom Floodlight App is now available at:

https://github.com/SDNC2/PhantomFloodlight


As you might expect, this App connects Phantom to the Floodlight Software-Defined Networking (SDN) controller, and supports more than two dozen actions (See the README file for more information).

It’s great to see collaboration and sharing in the community.  If you want to try the new Phantom App, here is an outline of the steps to get started:

Start with a CentOS 7 endpoint, server, or VM, and clone the following repositories:

Building Floodlight is very straightforward.  Make sure you have a jdk, ant, maven, and ant-junit installed and then run these commands from the Floodlight root:

  • ant clean
  • ant eclipse
  • ant

It should build and run unit tests immediately if all dependencies are met.  If not, review the README file for help.

Building Open vSwitch requires a bit more work, but the documentation steps through the process very well.  Follow the instructions in INSTALL.RHEL.md.  The result will be a set of .rpm files in the ~/rpmbuild/RPMS/x86_64 directory.  Disable SELinux, install the resulting RPMs, and reboot.

Next, register for a Phantom Community Edition account (it’s free to use).

Once registered, sign in and select “PRODUCT->RELEASES” and download the Official Release: Phantom version 1.1.72 (as of May 11, 2016).

Next, you might want to review a tutorial to learn Open vSwitch: http://openvswitch.org/support/dist-docs/tutorial/Tutorial.md.txt.  I also recommend using Mininet to set up virtual networks.

Running Floodlight is simple.  Just use the following commands from the Floodlight top-level directory:

  • java -jar target/floodlight.jar
  • Configure Open vSwitch to look for an OpenFlow controller on port 6653 with the following command: ovs-vsctl set-controller s3 tcp:<floodlight_host_ip>:6653

When creating a Floodlight asset in Phantom, point the URL at port 8080 of the host running Floodlight: http://<floodlight_host_ip>:8080

Finally, be sure to check your Firewall rules if you have problems connecting.

Join the Phantom-Community Slack channel as a great resource for Q&A as well as collaboration with the community.

Rob Truesdell
Director, Product Management
Phantom


Series: Defining Security Automation & Orchestration

We’re starting a series on the blog to explore Security Automation & Orchestration as a new technology.  Comments will be enabled on this series as we’re hoping to see participation from the community.

When considering the series, we were reminded of the story about the blind men and the elephant.  In this fable, each man touches the elephant and describes his experience.  They all touch a different part, but only one part, such as the side or the tusk. When the men compare notes, they are in complete disagreement despite having all touched the same elephant.

By Ohara Donshu – Brooklyn Museum

New technologies can often seem like the elephant.  When a category emerges, it’s common for vendors to position themselves to benefit.  In doing so, they often “describe the elephant” differently depending on their experience.

In some versions of the parable, the men learn to collaborate and share their perspectives.  This allows them to “see” the full elephant.  We’d like to use this series on Security Automation & Orchestration similarly; a tool for collaboration.

We’ll make suggestions to describe a Security Automation & Orchestration platform, but rely on input from the community to refine it.  In the end, we’ll all gain a better understanding of this new technology.

For today’s post, we’d like to share a summary list of key characteristics for Security Automation & Orchestration:

In subsequent posts, we’ll elaborate on each of these characteristics and solicit input from the community.  For now, we’d like to hear your impressions of the list.

  • Would you add others?
  • Any that you would remove?
  • Which seem the most uncertain or confusing?

Community Double Play!

Phantom is the first company to provide an open community for security automation and orchestration, and this is something we take very seriously. It’s one thing to talk about it, and it’s another to invest in it.

When we announced the 2016 Phantom Playbook & App Contest in January, we saw it as a way to invest in the community.

We’ve seen a number of great contest entries from the community. I wanted to share one with you today.  Joel King at WWT submitted a video for his SECOND contest entry to showcase the work:


(Joel’s first entry)

It’s a great example of what you can do with Phantom. You don’t have to take Joel’s word for it (or mine). See for yourself. Join the contest or just sign-up for the free Community Edition of our product. Here are a few links to help:

The contest runs through the end of May. Interested in participating? (get info & register) When you register, you’ll automatically get a Community Edition account.

Just want to skip the contest and get access to the Community Edition? (get Phantom) Once you have an account, sign in to the portal and click “Learn” on the menu. You’ll see full documentation, the knowledgebase and helpful videos.

Building a Phantom Playbook or App and have questions? Sourabh Satish (our CTO) holds “Office Hours” to help. Simply send an email to sourabh@phantom.us. He has opened his calendar daily from noon – 12:30 PDT… first come, first serve.  You can also join our Slack channel by sending an email request to Sourabh.

Have you been to a Phantom Tech Session? We host them every two weeks. Check out the recorded sessions that focus on App Development (Part 1 and Part 2).

Hope to see you in the Community!

CP Morey
VP, Products & Marketing
Phantom


“Those who cannot remember the past are condemned to repeat it.”

When George Santayana made this statement, he probably wasn’t thinking about Security Automation & Orchestration platforms, yet it applies.

Recent research by CERT reminded me of Santayana’s quote.  The project studied how schemas ensure a repeatable, auditable process, and serve us in many other ways.  In their podcast, the CERT researchers describe how schemas can help both novice and expert security analysts.

The study tracked three independent security analysts using a common schema to plan responses to incidents.  The findings show that schemas can be used to train novices to become experts in less time, and to help experts respond to incidents faster by consistently structuring disparate data for analysis.

Helping junior analysts learn and seasoned analysts work faster are important benefits, but the value of schemas extends even further.  In organizations that are automating and orchestrating security without a common schema, analysts are still likely to write scripts that can be used to handle mundane tasks and speed response times.  In an industry where employee turnover can be high, this free-form approach can lead to problems.  For example, when a star analyst responsible for developing scripts chooses to move on, the company might be left with a “pile of code” vs. a schema that serves as a decision support system.  In effect, the memory of the past goes out the door with the analyst and the boss is condemned to repeat the work necessary to recapture that knowledge – or at least hire someone who can.

Platforms can help to define and maintain a schema; a codification of the plan.  In the Phantom platform, these schemas are represented by Python-based Playbooks that execute actions to automate and orchestrate a given scenario.  Playbooks can help to train new analysts, increase the output of seasoned analysts, and provide a record of experiences to help limit the misfortune of repeating the past.

Sound interesting?  Learn more about Phantom and the role it can play in defining your security schema.  Start with the no-cost Phantom Community Edition, and attend one of our Tech Sessions to see Phantom in action.

CP Morey
VP Products & Marketing
Phantom
