Playbook Series: Investigate IP Address Performing Reconnaissance Activity

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example covers one of the sample playbooks included with the Phantom 2.0 platform release.

Whether from an intrusion detection system or through log analysis, security devices can generate alerts when reconnaissance activity is detected.

The Phantom platform can receive these alerts and automate the key investigation steps on the source IP and DNS domain. If either source attribute is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it to a human analyst for further action.

(Image: recon-sample-playbook) Screenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook, automating the following steps:

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity
(Image: recon-supported-apps)
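The dismiss/escalate decision in the three steps above, as an added illustration that is not Phantom playbook code and does not call the Phantom API. The alert fields, the two provider names and every verdict in the lookup tables are constructed sample data; the point it adds is how the playbook should behave when providers disagree or return nothing:

```python
"""Reputation-based triage of a reconnaissance alert.

Added illustration of the dismiss/escalate decision described above. It is
not Phantom playbook code and does not call the Phantom API; the alert, the
provider names and every verdict below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed intelligence providers: indicator -> verdict. A real playbook
# would run one reputation action per configured provider; here each
# provider is a lookup table, and a missing key stands for "no record".
PROVIDERS = {
    "provider_a": {
        "198.51.100.23": "malicious",
        "203.0.113.7": "benign",
        "scan-example.test": "benign",
    },
    "provider_b": {
        "198.51.100.23": "benign",        # providers disagree on this IP
        "203.0.113.7": "benign",
        "203.0.113.99": "suspicious",
        "scan-example.test": "benign",
    },
}


@dataclass
class Alert:
    source_ip: str
    source_domain: str
    status: str = "new"
    enrichment: dict = field(default_factory=dict)


def query_reputation(indicator, providers=PROVIDERS):
    """Return {provider: verdict}; 'unknown' where a provider has no record,
    so gaps in coverage stay visible in the enrichment."""
    return {name: table.get(indicator, "unknown") for name, table in providers.items()}


def verdict_for(results):
    """Collapse per-provider verdicts for one indicator into one verdict.
    A single malicious or suspicious hit wins (conservative), unanimous
    benign clears it, anything else is inconclusive."""
    verdicts = set(results.values())
    if verdicts & {"malicious", "suspicious"}:
        return "malicious"
    if verdicts == {"benign"}:
        return "benign"
    return "inconclusive"


def triage(alert, providers=PROVIDERS):
    """Enrich the alert with reputation data and set its disposition."""
    for label, indicator in (("ip", alert.source_ip), ("domain", alert.source_domain)):
        results = query_reputation(indicator, providers)
        alert.enrichment[label] = {
            "indicator": indicator,
            "results": results,
            "verdict": verdict_for(results),
        }
    verdicts = {entry["verdict"] for entry in alert.enrichment.values()}
    if "malicious" in verdicts:
        alert.status = "escalated"      # hand to a human analyst
    elif verdicts == {"benign"}:
        alert.status = "dismissed"      # every provider cleared both indicators
    else:
        alert.status = "needs_review"   # coverage gap: never auto-close on silence
    return alert


if __name__ == "__main__":
    samples = [("198.51.100.23", "scan-example.test"),
               ("203.0.113.7", "scan-example.test"),
               ("203.0.113.7", "unlisted.test")]
    for ip, domain in samples:
        result = triage(Alert(ip, domain))
        print(f"{ip} / {domain} -> {result.status}")
```

The design choice worth noting is the third branch: an alert is only dismissed when every configured provider positively returns benign for both indicators. Silence from a provider is treated as a coverage gap and routed to an analyst, so a provider outage cannot turn a real scan into an auto-closed false positive.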

Automating this process in Phantom has several benefits, including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know from minutes / hours to seconds for malicious activity
  • Ensuring your processes are handled accurately and consistently every time

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Playbook Series: Automating from the SafeBreach Hacker’s Playbook™ to Predict & Prevent Attacks

SafeBreach focuses on offensive security by deploying simulators to play the role of a hacker.  A user can orchestrate simulated attacks against elements of their network or cloud infrastructure, applications, and endpoints.  Following the simulated breach, the SafeBreach platform will make recommendations on remediation tactics to better secure the environment.

Remediation is where the SafeBreach and Phantom platforms work together to provide a complete “predict and prevent” solution. When an analyst identifies a breach method in SafeBreach, the remediation information associated with the breach instance can be published to the Phantom platform through the click of a button within the SafeBreach interface (see image below).

(Image: safebreach-ui_click-to-automate-in-phantom)

(Press release announcing joint solution.)

When publishing the breach information, a container is ingested into the Phantom platform and the details of the breach remediation are stored in artifacts.  Details can include artifacts such as open ports on an endpoint, unnecessary processes running, IP addresses of targeted endpoints or adversaries, application types, URLs, and other data describing a potential breach.

Upon ingestion of the container, a playbook can be initiated manually by an analyst or automated through the Phantom automation platform. The playbook executes the remediation steps suggested by SafeBreach by connecting to each of the security technologies in the environment and executing actions that reflect those steps. Example actions include deploying a block IP rule, filtering a URL, blocking a file based on hash, disabling a user, and several others. Over 150 actions are available through more than 70 App integrations on the Phantom platform.

Identification of data exfiltration over telnet is a great sample use case.  Once the SafeBreach platform discovers the potential breach and publishes the event to Phantom, a series of automated remediation actions can be initiated through a playbook:

  1. Acquire system information from the susceptible endpoint
  2. Query for suspicious activity associated with the service and/or endpoint
  3. List any active connections on the endpoint and check for Telnet activity
  4. Terminate the Telnet service
  5. Deploy block rules on network firewall for outside->in activity associated with Telnet
  6. Rerun the SafeBreach method to verify the remediation steps
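Steps 3 to 6 of the telnet use case, as an added example that is not SafeBreach or Phantom code. It works from a constructed netstat-style connection table for an endpoint assumed to be 10.0.0.5, treats only RFC 1918 ranges as "inside" (an assumption), and emits the remediation actions a playbook would dispatch to the endpoint and firewall apps, then re-checks the table the way step 6 re-runs the breach method:

```python
"""Telnet remediation plan from an endpoint's connection table.

Added example of steps 3 to 6 above; it is not SafeBreach or Phantom code.
The netstat-style output, the endpoint address and the rule that only
RFC 1918 ranges are "inside" are constructed assumptions.
"""
import ipaddress

TELNET_PORT = 23
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `netstat -ant`-style output for 10.0.0.5: a telnet listener, an
# inbound telnet session from outside, an SSH session from inside, and an
# outbound telnet session (the exfiltration path).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:23             198.51.100.77:51234     ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.9:40022          ESTABLISHED
tcp        0      0 10.0.0.5:40101          203.0.113.4:23          ESTABLISHED
"""

# The same table after remediation (constructed): telnet gone, SSH remains.
NETSTAT_AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:40022          ESTABLISHED
"""


def split_endpoint(text):
    """'10.0.0.5:23' -> ('10.0.0.5', 23); a '*' port becomes None."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_connections(text):
    """Step 3: parse TCP rows into dicts; the header and non-TCP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local_host, local_port = split_endpoint(parts[3])
        remote_host, remote_port = split_endpoint(parts[4])
        conns.append({"local_host": local_host, "local_port": local_port,
                      "remote_host": remote_host, "remote_port": remote_port,
                      "state": parts[5]})
    return conns


def is_external(host):
    """True unless the address falls in an assumed-internal RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True   # hostnames and wildcards are treated as outside
    return not any(addr in net for net in INTERNAL_NETS)


def find_telnet(conns):
    """Classify telnet activity: a listener, an inbound session from outside,
    or an outbound session to port 23 on a remote host."""
    findings = []
    for c in conns:
        if c["state"] == "LISTEN" and c["local_port"] == TELNET_PORT:
            findings.append(("listener", c))
        elif c["local_port"] == TELNET_PORT and is_external(c["remote_host"]):
            findings.append(("inbound_external", c))
        elif c["remote_port"] == TELNET_PORT:
            findings.append(("outbound", c))
    return findings


def plan_remediation(endpoint, findings):
    """Steps 4 and 5: terminate the service and block outside->in telnet.
    Outbound sessions are noted for the analyst, since blocking them is not
    one of the steps in the workflow above."""
    kinds = {kind for kind, _ in findings}
    actions = []
    if kinds & {"listener", "inbound_external"}:
        actions.append({"action": "terminate service", "endpoint": endpoint, "service": "telnet"})
        actions.append({"action": "block inbound", "dst": endpoint,
                        "dst_port": TELNET_PORT, "src": "outside"})
    for kind, c in findings:
        if kind == "outbound":
            actions.append({"action": "note for analyst",
                            "detail": f"outbound telnet to {c['remote_host']}"})
    return actions


def verify(text):
    """Step 6: re-check the connection table; True when no telnet activity remains."""
    return not find_telnet(parse_connections(text))


if __name__ == "__main__":
    findings = find_telnet(parse_connections(NETSTAT_SAMPLE))
    for action in plan_remediation("10.0.0.5", findings):
        print(action)
    print("before:", verify(NETSTAT_SAMPLE), "after:", verify(NETSTAT_AFTER))
```

The verification step matters as much as the block: a playbook that terminates a service and pushes a firewall rule but never re-reads the state cannot tell a successful remediation from a failed app action, which is exactly why step 6 re-runs the breach method.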

(Image: safebreach-playbook_2)

This solution has several benefits:

  • Proactive discovery of weaknesses that could lead to a data breach
  • Validation of network and endpoint security controls efficacy
  • Automation that closes discovered security weaknesses in seconds


Rob Truesdell
Director, Product Management
Phantom


Playbook Series: Investigate and Block Newly Discovered and Publicly-Accessible Server Services on Your Local Network

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan.

SIEM platforms, like the Splunk deployment used in this example playbook, collect and aggregate log data from your security infrastructure. They can also alert you to a newly discovered server service that is publicly accessible on your local network.

The Phantom platform can receive and enrich the alert with additional contextual data before prompting you to make a decision or taking an automated block action.

(Image: phantom_playbook-block_new_server_connections) Watch community member Ryan Kranz demonstrate this playbook.

As shown in the above diagram, the Phantom platform ingests the new-service connection alert and triggers an Investigation and Action playbook, automating the following steps:

  • Query for the server device’s profile information from Windows Server
  • Query for the requesting IP/Domain information from Who.is
  • Query for the server’s available services from Shodan
  • Automate the reconfiguration of Cisco firewalls to block access to the new service

Automating this process in Phantom has several benefits, including:

  • Limiting the possibility of data exfiltration
  • Reducing the time from awareness-to-response from minutes or hours down to seconds
  • Ensuring your processes are handled accurately and consistently every time


Chris Simmons
Director, Product Marketing
Phantom


The Benefit of Code Without Actually Writing It?

I’ve been fortunate these last few years to meet with dozens, perhaps hundreds, of security teams of all shapes and sizes, with maturity ranging from a couple smart but embattled analysts all the way up to massive cyber fusion centers with an intelligence capability that likely rivals that of most small nations.

In my quest to understand what makes these teams effective, I started to develop a hypothesis: if you want to do security correctly, at some point, you must write code.

I first realized the importance of what we now call “automation and orchestration” about four years ago, when long-time users of our domain name research products started asking for API access to our data. The most interesting requirements came from security teams at companies in the defense industrial base and, later, in the financial sector.  The use cases ranged from “hey, I’ve got a set of domains, I need a bunch of Whois records” to “can I get your brand and registrant alerts via API so I can block the domains proactively?”

As I dug deeper, I discovered these teams were writing scripts that acted as glue between various pieces of their security infrastructure, and that persisted in some system the intelligence gathered externally, or revealed interactively by their analysts.

It was fascinating, and it began to inform the ways we built our products. We knew we wanted to bring as much of that capability as possible to teams early in their maturity. We built our Iris investigative platform to help with interactive investigations on domains, the actors that control them, and the infrastructure they are using, and it’s been very effective for that kind of human-driven research. But as powerful as Iris is, it’s only part of the story; it is most effective when paired with programmatic access to our data for enrichment and automation.

Our list of integration partners is growing all the time, but that can only address pre-defined use cases. Each security environment is unique, with its own special blend of tech, targets, and teams, and you very likely need some custom code to put DomainTools data to best use in all the right places.

My “you must write code” hypothesis was further strengthened when I spoke to the cyber security lead at a huge multi-national manufacturing company. He said it was important for him that his analysts were comfortable at a Linux command line. He expected them to be proficient at writing Python scripts that would automate their investigations and, more importantly, document successful workflows the entire team could use.

And then in June of this year, at the FIRST conference in Seoul, I listened as Christopher Clark, Managing Director of Palo Alto Networks’ Global Security Response Team, said in his keynote that one of his earliest hires in the new team he built was a programmer. He knew he’d need a dedicated resource to create tooling for his analysts, and he wanted to automate his team’s hunting activities and investigative workflows. He went on to say that the ability to code at a basic level was a fundamental requirement he had of everyone on his team, including himself.

We all laughed when Christopher explained how bad his coding skills were, but I also sensed a certain resignation in the room, as leaders who were trying to build their own teams realized good analysts with coding skills would be very hard to find. Even if they agreed that it was an important requirement, they knew that for their team, Christopher was describing a capability that was entirely out of reach.

I’ve worried about the same thing, because if my hypothesis is true, if you must have code in your security practice to be truly effective, a lot of teams are going to struggle to get the most value out of their technology investments and threat intelligence sources, unless they can find a way to benefit from code without actually having to write it.

(Image: investigate-playbook)

What if it was possible, just by drawing a flow diagram, to block a domain name in your web filter based on the Reputation Score DomainTools assigns to it, without either DomainTools or the web filter knowing how to work together?

Or what if you could take a proven investigative pathway for phishing domains, one that reveals related domains by owner or infrastructure, and have it run every time someone in your team investigates a domain name? What if you could make it smart enough to decide what to pivot on, without having to remember if this particular language expects curly braces around its conditional blocks?

All of that, and indeed much more, is possible with the incredible product Phantom has built and the DomainTools app available now in the Phantom platform.  The code is still there – it’s just built for you, at the right level of abstraction, with dozens of tidy interfaces to other products, and with the option to edit the code directly if you must. The code is even packaged as playbooks you can share among peers or receive from vendors like DomainTools that enables immediate re-use of proven workflows. You don’t even need to get very fancy with it – just run a quick “domain whois” action and you’ll get the results directly, though Phantom is smart enough to stick those results in a container so you (and your peers) can find it again.

I’ll admit I was skeptical when I first heard Phantom’s claims, but now that I’ve had a chance to run actions and create playbooks with the DomainTools API, it’s made a believer out of me. I simply love how easy it is to get incredibly powerful results with minimal effort, and I can’t wait to show you what’s possible.

Please join Rob Truesdell, Director, Product Management at Phantom and me this Friday NOON ET / 9 AM PT as we walk through the actions and playbooks made possible with the DomainTools app for Phantom.

Mark Kendrick
Director of Business Development
DomainTools, LLC


Phantom Recognized as a SINET 16 Innovator for 2016

“I am proud and excited to recognize Phantom as one of this year’s SINET 16 Innovators,” said Robert Rodriguez, Chairman and Founder of SINET. “Of our four programs each year, Silicon Valley, New York City, Washington DC and London, the Showcase is my favorite as it has a clear deliverable in our mission to advance innovation in the Cybersecurity domain.”

(Image: sinet-16-innovator)

How does SINET choose the winners?  It all starts with an application based on the following criteria:

  • The urgency in the marketplace for their products and solutions
  • How innovative and unique their solutions are
  • How well their products and technologies solve real and significant Cybersecurity problems
  • What advantages exist over other solutions
  • The company’s ability to succeed based on the state of their product, capital, and leadership. For very early stage or small companies, their concrete plans on how to grow in these areas will be evaluated

Though we’re not permitted to share our application, we can suggest ways to learn more about how Phantom stacks up against the criteria:

  • Read our 1st EVER blog post to see how we view the urgency in the market.
  • Learn more about our innovative and unique solution here.
  • Check out our Playbook series to discover how Phantom solves real and significant Cybersecurity problems.
  • Understand what makes Phantom different in this series on Defining Security Automation & Orchestration.

Or maybe the best choice of all is to get the free Phantom Community Edition, and attend one of our Tech Sessions to see for yourself how Phantom can help your organization.

CP Morey
VP, Products & Marketing
Phantom


Playbook Series: Investigate Suspicious Outbound Connections

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

SIEM platforms, like Splunk, collect and aggregate log data from your security infrastructure. When configured, these platforms can alert you to a suspicious outbound connection from your managed networks or endpoints.

When an analyst receives a suspicious outbound connection alert from the SIEM, there are several investigation actions commonly executed to gather context about the source and destination. The gathering of information is highly repetitive and can consume a significant amount of time. This makes the context gathering ideally suited for automation.

The Phantom platform can receive these alerts, enrich the alert with additional contextual data, like source device information and destination domain reputation, and automatically generate a service ticket for further analysis and decision making.

(Image: suspicious-outbound-connection-playbook-with-shodan)

(Community member Ryan Kranz demos this Playbook here.)

With Phantom, the Splunk alert can be ingested and trigger an Investigation Playbook automating the following steps:

  • Query for the source device’s profile information from Windows Server
  • Query for the destination domain’s owner information from Who.is
  • Query for the destination IP’s available services from Shodan
  • Create a ticket within the ServiceNow platform for further investigation and decision making
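The four steps above as an added example, not Phantom or ServiceNow code. It also mirrors the enrichment chain of the "new server service" playbook earlier on this page (device profile, Who.is, Shodan), which ends in a firewall block instead of a ticket. Three lookup tables stand in for the Windows Server, Who.is and Shodan apps, both alerts are constructed, and the 1-to-3 priority scale, the 30-day "new domain" threshold and the scoring rules are assumptions made for the illustration. The part the bullet list does not show is what the ticket should say when one of the sources returns nothing:

```python
"""Enrich a suspicious outbound connection alert and build a ticket.

Added example of the four-step playbook above; it is not Phantom or
ServiceNow code. The lookup tables stand in for the Windows Server, Who.is
and Shodan apps, the alerts are constructed, and the priority scale
(1 highest, 3 lowest) and scoring rules are assumptions.
"""
from datetime import date

TODAY = date(2016, 10, 1)            # fixed clock so domain age is deterministic
COMMON_WEB_PORTS = {80, 443}
NEW_DOMAIN_DAYS = 30

# Constructed enrichment sources, keyed the way each app would be queried.
DEVICE_PROFILES = {
    "FS01": {"os": "Windows Server 2012 R2", "role": "file server", "owner": "IT Ops"},
    "WS-0042": {"os": "Windows 10", "role": "workstation", "owner": "Finance"},
}
WHOIS_RECORDS = {
    "upd4te-cdn.test": {"registrar": "Example Registrar", "created": "2016-09-20", "country": "XX"},
}
SHODAN_HOSTS = {
    "198.51.100.23": {"org": "Example Hosting", "ports": [22, 443, 4444]},
}


def enrich(alert):
    """Steps 1-3: one lookup per source. A missing record yields None rather
    than an exception, so one empty source does not stop the playbook."""
    return {
        "device": DEVICE_PROFILES.get(alert["src_host"]),
        "whois": WHOIS_RECORDS.get(alert["dst_domain"]),
        "services": SHODAN_HOSTS.get(alert["dst_ip"]),
    }


def assess(enrichment):
    """Turn enrichment into analyst work notes and a risk score (0-3).
    Every gap in the data is written into the notes, not silently skipped."""
    score, notes = 0, []
    device = enrichment["device"]
    if device is None:
        notes.append("device profile: no record returned")
    elif device["role"] != "workstation":
        score += 1
        notes.append(f"source is a {device['role']} ({device['os']}, owner {device['owner']})")

    whois = enrichment["whois"]
    if whois is None:
        notes.append("whois: no record returned")
    else:
        age = (TODAY - date.fromisoformat(whois["created"])).days
        notes.append(f"destination domain registered {age} days ago via {whois['registrar']}")
        if age < NEW_DOMAIN_DAYS:
            score += 1

    services = enrichment["services"]
    if services is None:
        notes.append("shodan: no record returned")
    else:
        unusual = sorted(set(services["ports"]) - COMMON_WEB_PORTS)
        notes.append(f"destination exposes ports {services['ports']} ({services['org']})")
        if unusual:
            score += 1
            notes.append(f"non-web services exposed: {unusual}")
    return score, notes


def build_ticket(alert):
    """Step 4: the payload a playbook would hand to the ticketing app."""
    enrichment = enrich(alert)
    score, notes = assess(enrichment)
    return {
        "short_description": (f"Suspicious outbound connection {alert['src_host']} -> "
                              f"{alert['dst_domain']} ({alert['dst_ip']})"),
        "priority": max(1, 3 - score),
        "work_notes": notes,
        "enrichment": enrichment,
    }


# Constructed alerts as a SIEM might emit them.
ALERT_SERVER = {"src_host": "FS01", "dst_domain": "upd4te-cdn.test", "dst_ip": "198.51.100.23"}
ALERT_SPARSE = {"src_host": "WS-0042", "dst_domain": "unlisted.test", "dst_ip": "192.0.2.10"}

if __name__ == "__main__":
    for alert in (ALERT_SERVER, ALERT_SPARSE):
        ticket = build_ticket(alert)
        print(ticket["priority"], ticket["short_description"])
        for note in ticket["work_notes"]:
            print("  -", note)
```

A ticket whose work notes say "whois: no record returned" tells the analyst where the automation stopped short; a ticket that simply omits the field looks like a clean result and invites a wrong decision, which is the accuracy-and-consistency point the next paragraph makes.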

Automating this process in Phantom has several benefits, including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.


Chris Simmons
Director, Product Marketing
Phantom


Art Coviello Joins Phantom Board of Advisors

Innovation is deeply rooted in our industry – driven by the attackers who are constantly evolving their techniques and the security industry working against them.

I’ve seen the innovation first hand.  At RSA, we built a business on our foundation in authentication and encryption to become a leader in several of the most important information security technologies, including security analytics, identity, and Governance, Risk & Compliance.  RSA Security grew from $25 million in 1995 to over $1 billion when I retired as Executive Chairman in 2015.

More recently, I’ve seen innovation through my role at Rally Ventures and as a board member of companies like Bugcrowd, Cylance, and AtHoc – each driving important change in the industry.

(Image: art-coviello2)

Today, I’m pleased to announce that I’m joining Phantom’s Advisory Board to help evolve our industry’s approach to another important challenge – perhaps the biggest we’ve ever faced in security.

We simply don’t have enough security professionals to cover all of the open positions that exist today. Estimates show a shortage of between 1 and 2 million qualified professionals. Worse, we’ve now been building point products for more than three decades and can count over 1,400 security vendors in the market today. As much as I worry about technology being eclipsed, I worry more about how we keep adding control after control without looking at the problem holistically. I talk to CSOs and CISOs all the time and their common refrain is, “I can’t absorb another product!” Meanwhile, the hackers continue to innovate, and the time we need to address breaches continues to increase.

The only way to address this challenge is with true defense in depth. We need to eliminate the tired old categories of endpoint, network, identity management, etc., and start looking at solving the problem in a way that helps us create defense in depth. How? By thinking about defense in terms of several discrete layers: preventing attacks before they’re launched; detecting attacks if we can’t prevent them; preventing intrusions when we spot the attack; detecting intrusions when we can’t prevent them; and responding to intrusions to prevent loss or disruption if we have been breached. The key to the success of this approach will be automation. In the past, people dismissed it as a non-viable solution for fear of automating false positives and potentially disrupting a commercial application or a key element of the infrastructure. That view is quickly changing because we just don’t have the security professionals to cover all the companies and vulnerabilities that exist in our infrastructures.

Companies adopting automation are already seeing results.  Tasks that routinely consumed hours or longer, can be completed in seconds with automation.  Equally important is the improved accuracy and consistency in their processes as the same data is gathered for every security alert, and every alert is investigated the same way, every time.

The team at Phantom is leading the way in the emerging security automation and orchestration space. Their purpose-built platform is already helping organizations drive efficiency and consistency in the SOC, leveraging existing and newer innovative security investments. Two of my investing tenets, as I consider security startup business plans, are to look for companies that add value to customers’ existing security technology infrastructure and make their SOCs more cost effective. Phantom delivers on both counts technically, and extends that capability qualitatively with their community-based approach. We are, indeed, stronger together. From the Playbooks needed to automate security to the Apps required to integrate technologies seamlessly with one another, the Phantom community is coming together to develop and share the tools needed to address this critical challenge (Join the Phantom Community).

I’m excited to work with the Phantom team. They’re not just solving the latest problem; I believe Phantom is helping to redefine security.

-Art