Playbook Series: Automatically Secure Compromised Accounts

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Flashpoint gives their threat intelligence subscribers the ability to see compromised user names, passwords, email addresses, and other credentials.  This information can be ingested daily and distributed over email.

When an analyst receives an email from Flashpoint, the first step is to check the information against the organization’s known users to identify accounts that may have been compromised.  Typically, this manual process includes opening the email, searching for the pertinent information, and then identifying, notifying, & disabling any compromised users.  It’s a process that can consume a significant amount of time, and one that is well suited for automation.

With Phantom, Flashpoint intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account
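The six steps above, worked through as a stand-alone Python sketch. This is an added illustration, not Phantom's playbook API or the Flashpoint feed format: the feed records, the user directory, the authentication log lines and the action names are all constructed sample data, and the heuristics (a failed-login burst followed by a success) are assumptions chosen for the example. The sketch does not store any exposed passwords; it only carries the fact that a credential appeared in a leak.

```python
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"   # assumed organisation domain

# Constructed sample: entries as a credential-exposure feed might deliver them.
FEED_RECORDS = [
    {"email": "Alice.Smith@EXAMPLE.COM", "source": "paste-site dump"},
    {"email": "bob@example.com", "source": "forum leak"},
    {"email": "someone@other.invalid", "source": "paste-site dump"},   # not our user
]

# Constructed sample directory of the organisation's known users.
DIRECTORY = {
    "alice.smith@example.com": {"username": "asmith", "department": "Finance", "enabled": True},
    "bob@example.com": {"username": "bjones", "department": "IT", "enabled": True},
}

# Constructed sample authentication log lines used by the "query for suspicious activity" step.
AUTH_LOG = [
    "2016-08-10T02:13:00Z user=asmith result=FAIL src=203.0.113.7",
    "2016-08-10T02:13:20Z user=asmith result=FAIL src=203.0.113.7",
    "2016-08-10T02:14:05Z user=asmith result=OK src=203.0.113.7",
    "2016-08-10T09:00:00Z user=bjones result=OK src=198.51.100.4",
]


@dataclass
class Finding:
    email: str
    username: str
    attributes: dict
    suspicious_events: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def match_compromised(records, directory, domain=ORG_DOMAIN):
    """Step 1: keep only feed entries that name a known user in our own domain."""
    matches = []
    for rec in records:
        email = rec["email"].strip().lower()        # feeds vary in case and whitespace
        if email.endswith("@" + domain) and email in directory:
            matches.append((email, rec))
    return matches


def parse_auth_line(line):
    """Split 'ts key=value key=value ...' into a dict (constructed log format)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def suspicious_activity(username, log_lines, fail_threshold=2):
    """Step 3: flag a burst of failed logins that is followed by a successful one."""
    mine = [e for e in (parse_auth_line(l) for l in log_lines) if e["user"] == username]
    fails = [e for e in mine if e["result"] == "FAIL"]
    hits = []
    if len(fails) >= fail_threshold and any(e["result"] == "OK" for e in mine):
        hits.append("failed-login burst followed by success")
    return hits


def investigate(records, directory, log_lines, disable_accounts=False):
    """Run the whole flow: match, enrich, query, then plan the response actions.

    Returns one Finding per matched user; the action names are plain strings
    standing in for the actions a real playbook would call."""
    findings = []
    for email, rec in match_compromised(records, directory):
        attrs = directory[email]                                   # step 2: user attributes
        f = Finding(email, attrs["username"], attrs)
        f.suspicious_events = suspicious_activity(attrs["username"], log_lines)
        f.actions.append("notify user")                            # step 4
        f.actions.append("force password reset")                   # step 5
        if disable_accounts and f.suspicious_events:               # step 6, optional
            f.actions.append("disable user")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in investigate(FEED_RECORDS, DIRECTORY, AUTH_LOG, disable_accounts=True):
        print(finding.username, finding.suspicious_events, finding.actions)
```

The disable step is gated on the activity query on purpose: a credential appearing in a leak warrants a reset and a notification, while disabling is reserved for accounts that also show signs of actual use, which keeps the optional, disruptive action out of the common case.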

Flashpoint Phantom Playbook

Automating this process in Phantom has several benefits including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Rob Truesdell
Director, Product Management
Phantom

About Phantom:

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Data Exfiltration Monitoring with Phantom, Ansible, and Cisco ACI

A great use case submitted by one of our top contributors in the community!  Joel King of WWT built an automation that monitors for data exfiltration using Phantom, Ansible, and Cisco ACI.

Joel submitted this as an entry in Round 2 of the Phantom App & Playbook Challenge.

An overview of the App, with links to a YouTube video clip and the PowerPoint slides that document the use case, is here: https://github.com/joelwking/Phantom-Cyber#ansible-tower-app

The source code and the .tgz file are in this GitHub repository: https://github.com/joelwking/Phantom-Cyber/tree/master/ansible_tower

Phantom is the first company to provide an open community for security automation and orchestration, and this is something we take very seriously.  It’s one thing to talk about it, and it’s another to invest in it.  There is still time to join the contest which runs through December 2nd.

Don’t miss the chance to help protect your organization, showcase your skills, share with the community, and maybe win a $2,500 prize!

Just want to skip the contest and get access to the Community Edition?  (get Phantom)  Once you have an account, sign in to the portal and click “Learn” on the menu.  You’ll see full documentation, the knowledgebase, and helpful videos.

Have you been to a Phantom Tech Session?  We host them every two weeks.  Our next session on August 26th will focus on Joel’s winning entry in Round 1 of the contest (register).

Hope to see you in the Community!

CP Morey
VP, Products & Marketing
Phantom

Where Are You on the Automation Continuum?

Earlier this week, we covered Safe Mode on the blog.  It’s a great new feature in Phantom 2.0, and a relevant topic for those who are just getting started with automation and orchestration.  Today, we’ll touch on a more advanced topic; one suitable for those who are already on the automation and orchestration journey.

Though not a new concept in the technology industry, this is the first time that I’ve seen a maturity continuum applied to automation and orchestration.  As with other continuums, it’s a useful way to benchmark your progress in adopting this new technology as well as developing a strategic vision for the future.

Incidentally, if you like this post, it’s an excerpt from a whitepaper that we’ve written, which you can download here.

Now on to the continuum:

  • Automated Security Lifecycle Management – This first level of automation involves ingesting structured or unstructured data, normalizing it, assigning ownership, determining severity/sensitivity, and enforcing SLAs for actions. Additionally, the platform lets security analysts take various kinds of actions on the information from a centralized incident management interface to bring security incidents to closure.
  • Response Plan Orchestration (i.e. Playbooks) – The next level of automation is about enabling security operations teams to express and encode response plans on the platform. Response plans represent a complex decision-making process and a set of conditional Courses of Action (COAs) across a diverse set of devices and applications; in the platform these are known as Playbooks. Playbooks can then be executed on demand on any security incident to quickly get the results of many actions.
  • Supervised Automation and Orchestration – The next level of automation involves ingesting data in real time and configuring Playbooks to be executed automatically and continuously on any new information, but still requiring users (e.g. security operations personnel or asset owners) to approve individual actions before they are executed. At this level of automation, the platform expedites incident handling by automatically executing actions on incidents as specified in Playbooks, but users are still engaged.
  • Autonomous Orchestration – Once users are comfortable with the system and the decisions it makes, they can deploy the technology to automatically execute actions via Playbooks with minimal user engagement. The platform can replay human decisions and preferences on the basis of past interactions for the same or similar situations and engage users only when necessary, or in cases of certain business conditions or types of assets impacted.
  • Prioritized Response Action Recommendations – At this level, the platform is capable of ‘learning’ from past user interactions, decisions and choices, along with the information it has processed so far and the outcomes that have been effective, and can now recommend a prioritized set of actions that can be executed, with a detailed cost-benefit analysis.
  • Predictive Response Strategies – This level of automation leverages machine-learning-based predictive models to offer users recommendations for response plans to address security incidents, drawing on certain traits of the incidents, the phase of the attack, the types of assets being impacted, the business process being impacted, temporal attributes, geopolitical and market conditions, etc.

We’ve enabled comments on this post, so you can share your thoughts:

  • What’s missing from the continuum?
  • Are the levels realistic?
  • How do we accelerate through the continuum?

Not on the Automation Continuum yet?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to get started on your journey.

CP Morey
VP, Products & Marketing
Phantom

Safe Mode – Like Training Wheels for Automation

You may have noticed the Safe Mode switch in Phantom.  It’s new in 2.0 and a great way to experiment with automation & orchestration, like learning to ride a bike with training wheels: you can find your balance without hurting yourself.

COA Editor SAFE MODE

If you already use Phantom, then you know that Apps & Playbooks work together like an “operating system” to automate & orchestrate the security products you own.  If you are new to Phantom, then you can read more about Apps & Playbooks here.

Phantom Apps & Playbooks call actions on the security products that you’ve connected to Phantom.  Apps have actions that are either readable or writeable (i.e. they can cause a persistent change).  Phantom supports more than 125 actions.  Examples include: block ip, disable user, geolocate ip, and detonate file.

Safe Mode restricts Playbooks to ONLY execute readable actions.  Writeable actions are ignored, thereby preventing accidental harm when you are experimenting with automation & orchestration.  It’s a great way to try complex enrichment & investigative Playbooks with full decision making.  You can use the results of the actions, but not actually execute any containment or remediation actions that could potentially disrupt operations while you are experimenting.

Safe Mode does not simulate writeable actions.  So if a Playbook has actions dependent on the results of certain writeable actions, then they will not be executed since these actions are ignored in Safe Mode.
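The two rules just described (writeable actions are ignored, and anything that depends on their results is therefore never reached) in a small Python action runner. This is an added illustration, not Phantom's own code: the handful of action names, their readable/writeable classification, the `depends_on` field and the sample playbook are all assumptions made for the example.

```python
# Assumed classification of a few action names; the real product supports
# many more actions than are listed here.
READABLE = {"geolocate ip", "file reputation", "get user attributes", "query activity"}
WRITEABLE = {"block ip", "disable user", "force password reset", "detonate file"}


def run_playbook(steps, safe_mode=True):
    """Walk the steps in order and decide which ones run.

    steps: list of {"name": str, "action": str, "depends_on": [step names]}.
    Returns (executed, skipped): the names that ran, and a dict mapping each
    skipped name to the reason it was skipped.  Nothing is simulated: a
    writeable action that is skipped produces no result, so every step that
    depends on it is skipped as well."""
    executed, skipped = [], {}
    for step in steps:
        action = step["action"]
        if action not in READABLE and action not in WRITEABLE:
            raise ValueError(f"unknown action {action!r}")
        unmet = [d for d in step.get("depends_on", []) if d in skipped]
        if unmet:
            skipped[step["name"]] = f"depends on skipped step(s) {unmet}"
            continue
        if safe_mode and action in WRITEABLE:
            skipped[step["name"]] = "writeable action ignored in Safe Mode"
            continue
        executed.append(step["name"])
    return executed, skipped


# Constructed sample playbook: two enrichment steps, a containment step that
# uses the enrichment, and a follow-up query that only makes sense after the
# containment action has actually run.
SAMPLE_STEPS = [
    {"name": "geo", "action": "geolocate ip"},
    {"name": "rep", "action": "file reputation"},
    {"name": "block", "action": "block ip", "depends_on": ["geo"]},
    {"name": "verify", "action": "query activity", "depends_on": ["block"]},
]


if __name__ == "__main__":
    print("safe mode:   ", run_playbook(SAMPLE_STEPS, safe_mode=True))
    print("normal mode: ", run_playbook(SAMPLE_STEPS, safe_mode=False))
```

Note that `verify` is itself a readable action, yet in Safe Mode it never runs, because the `block` result it needs was never produced. That is the behaviour the paragraph above warns about: Safe Mode tells you which enrichment and decision logic works, but not whether the steps downstream of a containment action behave as intended.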

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Phantom in action.

CP Morey
VP, Products & Marketing
Phantom

The Phantom Apps Keep Coming

Thanks to the community and Team Phantom, you’ve seen a tremendous increase in new Phantom Apps this summer with highlights covered here, here, here, & here!

It’s only August, so the Phantom Summer App Explosion is still well underway.

Sign in to the Phantom Portal to see the latest versions of all Apps and watch closely as our most recent progress makes its way into the community:

  1. Anomali
  2. Dell SonicWall
  3. EWS for Office 365 / Exchange
  4. McAfee Nitro

The new Phantom Community Portal is a great resource for exploring Apps with full documentation and release notes as well as tips on supported automation actions and suggested Phantom Playbooks for the App.

Our strategy to be the first company to provide an open community for security automation and orchestration is working, and it benefits everyone in the community.  A big THANK YOU to those who are contributing!

Here are a few ways to get started in the Phantom Community:

Get the Phantom Community Edition.  It’s free to use, and a great way to try automation & orchestration (register).

The Phantom Community Edition is also the best starting point for creating Phantom Apps.  Once you have an account, sign in to the portal and click “Learn” on the menu.  You’ll see full documentation, the knowledgebase, and helpful videos.

Join our Phantom Tech Sessions.  We host them every two weeks.  If you’re interested in App Development, see the recorded sessions that focus on this topic (Part 1, Part 2 & Part 3).

We also recently announced Round 2 of the Phantom App & Playbook Challenge.  Submit a new Phantom App by December 2nd for a chance to win $2,500 (full details).

Hope to see you in the community!

CP Morey
VP, Products & Marketing
Phantom

Winner Announced: Coding for Security Pros Hack-a-thon

The team really enjoyed the chance to work with all students in the Coding for Security Pros course at Black Hat this week.

When we were asked to help with the class and sponsor the hack-a-thon, it seemed like a great way to show our support for the open community approach to Security Automation & Orchestration.

Several strong entries were submitted in the contest.  Congratulations to all who took part in the challenge, because it was a great way to showcase their skills and share with the community.  For one lucky student, it was also an opportunity to win a $2,500 prize!

We are pleased to announce Matthew Jackson as the winner of the Coding for Security Pros Hack-a-thon.

Matthew’s Playbook ran correctly from the start and contained really interesting pivots from action results (e.g. used file reputation and numerous other actions based on prior action results), as well as more actions in the Playbook in general.  The email formatting related action was also great!

We think an open community approach to Security Automation & Orchestration is the only way to build a platform, and we’re doing our part to contribute with our free Phantom Community Edition, App Store, GitHub repo for Playbooks, and the new Community Portal, as well as Round 2 of the Phantom App & Playbook Challenge!

Congratulations again to Matthew, and we hope to see all of you in the community!

CP Morey
VP, Products & Marketing
Phantom
