Playbook: Spot Insider Threats Automatically

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

In security, we tend to think of external actors, though the internal threat can also be significant.  The stats from this recent Deloitte study are alarming:


Many of the Playbooks we’ve showcased in our library have focused on issues like malware, phishing, or other external problems.  Playbooks can also be written to address internal threats.

The Deloitte study shows that more than half of all employees leaving an organization take sensitive data with them.  The following are warning signs that an employee might leave:

  • Frequent external/personal recipients
  • Change in time to respond to manager
  • Change in volume of email sent (up or down)
  • Increase in visits to job search sites
  • Increase in access to personal email sites
  • Visits to cloud/file share sites
  • Bursts in printing on weekends and holidays
  • Decrease in visits to corporate apps; increase in leisure sites
  • Changes in work hours (up or down)

You could develop a Playbook that profiles “Potential Leavers” by monitoring for the warning signs.  For example, for a deviation in work hours you might calculate the change in hours worked against the employee’s usual pattern, then enrich with what’s being done in the extra anomalous hours using data from Active Directory, the endpoint product, proxies, print-job details, etc.
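As an added example (not Phantom's code or a community Playbook), here is the profiling step above in plain Python: each user's recent activity is compared with their own baseline on three of the listed warning signs, and users who deviate on several signs are returned as candidates for the enrichment step. The field names and per-day records are constructed sample data.

```python
"""Added example (not Phantom's code): score 'Potential Leaver' warning signs per user."""
from statistics import mean, pstdev

# Constructed sample data: one record per user per day. In a real playbook the
# fields would be built from AD logon/logoff events, proxy logs and mail logs.
ACTIVITY = {
    "alice": [  # steady behaviour: baseline and recent days look alike
        {"hours": 8.0, "job_sites": 0, "ext_recipients": 1},
        {"hours": 8.5, "job_sites": 0, "ext_recipients": 2},
        {"hours": 7.5, "job_sites": 0, "ext_recipients": 1},
        {"hours": 8.0, "job_sites": 0, "ext_recipients": 1},
        {"hours": 8.0, "job_sites": 0, "ext_recipients": 2},
        {"hours": 8.5, "job_sites": 0, "ext_recipients": 1},
    ],
    "bob": [  # recent days: shorter hours, job-site visits, many external recipients
        {"hours": 9.0, "job_sites": 0, "ext_recipients": 1},
        {"hours": 8.5, "job_sites": 0, "ext_recipients": 2},
        {"hours": 9.0, "job_sites": 0, "ext_recipients": 1},
        {"hours": 9.5, "job_sites": 0, "ext_recipients": 1},
        {"hours": 5.0, "job_sites": 6, "ext_recipients": 9},
        {"hours": 4.5, "job_sites": 8, "ext_recipients": 12},
    ],
}
SIGNALS = ("hours", "job_sites", "ext_recipients")

def deviation(baseline, recent):
    """Absolute z-score of the recent mean against the user's own baseline.
    A flat baseline (stdev 0) counts any change at all as a large deviation."""
    mu, sigma = mean(baseline), pstdev(baseline)
    diff = abs(mean(recent) - mu)
    if sigma == 0:
        return 0.0 if diff == 0 else 3.0
    return diff / sigma

def score_user(records, recent_days=2):
    """Return {signal: deviation}, comparing the last N days with the earlier days."""
    base, recent = records[:-recent_days], records[-recent_days:]
    return {s: deviation([r[s] for r in base], [r[s] for r in recent]) for s in SIGNALS}

def potential_leavers(activity, threshold=2.0, min_signals=2):
    """Users whose recent activity deviates on at least `min_signals` warning signs.
    These are candidates for enrichment (AD, endpoint, proxy, print logs), not verdicts."""
    flagged = {}
    for user, records in activity.items():
        scores = score_user(records)
        hits = [s for s, z in scores.items() if z >= threshold]
        if len(hits) >= min_signals:
            flagged[user] = hits
    return flagged
```

Calling `potential_leavers(ACTIVITY)` on the sample data flags only bob, on all three signs; the threshold and minimum-signal count are the knobs to tune against false positives before handing candidates to the enrichment actions.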

Automating this process in Phantom has several benefits including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

CP Morey
VP, Products & Marketing

About Phantom:

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: