Playbook: Automating from the SafeBreach Hacker’s Playbook to Predict & Prevent Attacks

SafeBreach focuses on offensive security by deploying simulators to play the role of a hacker.  A user can orchestrate simulated attacks against elements of their network or cloud infrastructure, applications, and endpoints.  Following the simulated breach, the SafeBreach platform will make recommendations on remediation tactics to better secure the environment.

Remediation is where the SafeBreach and Phantom platforms work together to provide a complete “predict and prevent” solution.   When an analyst identifies a breach method in SafeBreach, the remediation information associated with the breach instance can be published to the Phantom platform through the click of a button within the SafeBreach interface (see image below).


(Press release announcing joint solution.)

When publishing the breach information, a container is ingested into the Phantom platform and the details of the breach remediation are stored in artifacts.  Details can include artifacts such as open ports on an endpoint, unnecessary processes running, IP addresses of targeted endpoints or adversaries, application types, URLs, and other data describing a potential breach.

Upon ingestion of the container, a playbook can be initiated manually by an analyst or automated through the Phantom automation platform.  The playbook executes the remediation steps suggested by SafeBreach though connecting to each of the security technologies in the environment and executing actions that reflect the remediation steps.  Example actions include deploying a block IP rule, filtering a URL, blocking a file based on hash, disabling a user, and several others.  Over 150 actions are available through more than 70 App integrations on the Phantom platform.

Identification of data exfiltration over telnet is a great sample use case.  Once the SafeBreach platform discovers the potential breach and publishes the event to Phantom, a series of automated remediation actions can be initiated through a playbook:

  1. Acquire system information from the susceptible endpoint
  2. Query for suspicious activity associated with the service and/or endpoint
  3. List any active connections on the endpoint and check for Telnet activity
  4. Terminate the Telnet service
  5. Deploy block rules on network firewall for outside->in activity associated with Telnet
  6. Rerun the SafeBreach method to verify the remediation steps


There are several benefits with this solution:

  • Proactive discovery of weaknesses that could lead to a data breach
  • Validation of network and endpoint security controls efficacy
  • Automation that closes discovered security weaknesses in seconds

Did you know that Phantom Playbooks are Python based? The Phantom platform interprets Playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

Rob Truesdell
Director, Product Management

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: