Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Phishing emails are not a new type of threat to most security professionals, but dealing with their growing volume and potential impact requires an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom security automation and orchestration platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e. sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.

Figure: A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

  • file reputation – Query a threat intelligence service for a file’s reputation.
  • detonate file – Analyze the file in a sandbox and retrieve the analysis results.
  • hunt file – Look for instances of the file on managed endpoints.
  • get system attributes – Gets the attributes of a computer/system.
  • url reputation – Query a threat intelligence service for a URL’s reputation.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • get screenshot – Get a screenshot of a rendered URL.
  • domain reputation – Query a threat intelligence service for a domain’s reputation.
  • ip reputation – Query a threat intelligence service for an IP’s reputation.
  • geolocate ip – Queries a geolocation service for an IP’s location information.
  • hunt url – Look for information about a URL that could reveal attribution information.
  • lookup ip – Query Reverse DNS records for an IP.
  • whois domain – Run a whois query on the given domain.
  • whois ip – Execute whois lookup on the given IP address.
  • delete email – Deletes an email from the email server.
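The triage half of the workflow above, as an added example that is not code from the Phantom playbook: it parses a suspicious email, extracts the artifacts the listed actions operate on (sender domain, URLs, the IPs and domains inside them, attachment hashes), checks each against reputation tables standing in for the file/url/domain/ip reputation actions, and picks the next step. The sample message, the reputation tables and the verdict rules are all constructed for this example.

```python
# Added example, not code from the Phantom phishing playbook: a standalone
# model of the triage steps. The email and the reputation tables below are
# constructed sample data.
import email
import hashlib
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: one link to a bare IP, one to a domain, and an
# executable attachment (a few bytes beginning with an MZ header).
SAMPLE_EMAIL = b"""From: "Payroll" <payroll@example-payroll.test>
To: employee@example.test
Subject: Updated payslip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your payslip is ready: http://203.0.113.10/payslip/login
See also https://docs.example-payroll.test/help
--B1
Content-Type: application/octet-stream; name="payslip.exe"
Content-Disposition: attachment; filename="payslip.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

# Constructed stand-ins for the reputation actions; a real playbook queries
# a threat intelligence service for each artifact.
BAD_IPS = {"203.0.113.10"}
BAD_DOMAINS = set()
BAD_URLS = set()
BAD_HASHES = set()

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_artifacts(raw_message):
    """Parse a raw email and list the artifacts the playbook would act on."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    artifacts = []
    sender = parseaddr(str(msg["from"] or ""))[1]
    if "@" in sender:
        artifacts.append({"type": "domain", "value": sender.split("@", 1)[1]})
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in dict.fromkeys(URL_RE.findall(text)):   # de-duplicate, keep order
        artifacts.append({"type": "url", "value": url})
        host = urlparse(url).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            artifacts.append({"type": "ip", "value": host})
        except ValueError:
            artifacts.append({"type": "domain", "value": host})
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                    # text attachments decode to str
            data = data.encode("utf-8")
        artifacts.append({"type": "file",
                          "value": hashlib.sha256(data).hexdigest(),
                          "name": part.get_filename()})
    return artifacts


def reputation(artifact):
    """Constructed reputation lookup: malicious, unknown (file needs a sandbox) or no_hit."""
    table = {"ip": BAD_IPS, "domain": BAD_DOMAINS, "url": BAD_URLS, "file": BAD_HASHES}
    if artifact["value"] in table[artifact["type"]]:
        return "malicious"
    # A file with no reputation record cannot be closed without detonation,
    # so it is reported as unknown rather than as clean.
    return "unknown" if artifact["type"] == "file" else "no_hit"


def triage(raw_message):
    """Extract artifacts, look each one up, and choose the next playbook step."""
    findings = [(a["type"], a["value"], reputation(a)) for a in extract_artifacts(raw_message)]
    verdicts = {verdict for _, _, verdict in findings}
    if "malicious" in verdicts:
        next_action = "delete email"
    elif "unknown" in verdicts:
        next_action = "detonate file, then escalate to analyst"
    else:
        next_action = "close"
    return {"next_action": next_action, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print(line)
    print(triage(SAMPLE_EMAIL)["next_action"])
```

The verdict rules are deliberately conservative: an attachment that no reputation source knows about is never treated as clean, which is the point at which the playbook's detonate file step would run.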

The benefits of automating your phishing IR workflow are numerous:

  • Free up analysts to research the latest phishing tactics.
  • Increase the efficiency and productivity of your SecOps team.
  • Create a precise and repeatable process that allows you to accurately measure success.

This Phantom playbook has been tested with many technology partners.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

The Road to Hell is Paved with Good Intentions

Saint Bernard of Clairvaux supposedly said it back in 1150.  He certainly wasn’t thinking about security products when he said it, but the quote may nonetheless apply.

Shelfware is a common ailment in the tech industry, and the security segment isn’t immune to the phenomenon.  Many a product has been bought, only to gather dust because it was never implemented. Whether it was internal politics, lack of staff or expertise, or employee turnover, what started as a good intention didn’t end with success.

Though a bit dated (circa 2014), Javvad Malik even presented research on the topic:

Figure: Responses to the question “What ends up on the shelf?”

Though most security technologies seem to be represented, SIEM is a standout in the bunch.  SIEM has traditionally been focused on ingesting and enriching data, stopping far short of taking action.  I’ll submit that this aspect is one of the reasons for the relatively high number of SIEM/Shelfware responses in Javvad’s research.

The reality is that security analysts have plenty of data to consume already. Our research shows that even a well-trained analyst can handle only 8 – 12 incidents per day. So it’s no surprise that when large organizations receive thousands of actionable events per week, it’s tough to keep up with the volume.  Interest and use wane.  Suddenly, you and your intentions are on the road to hell.

Security Automation & Orchestration (SA&O) platforms make great complements to SIEMs, providing a way to drive remediation from correlated events.  The two platforms work as a “closed-loop system” to collect and analyze data, make decisions, and take action.   All or some of the steps can be automated with analyst checkpoints for human approval along the way.

In the simple example below, the Phantom Playbook includes decision logic that automatically blocks an IP address or notifies a human analyst to review information—depending on the outcome of the prior geolocate IP action.

Figure: Phantom UI showing the Playbook Editor in V2.0.
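The decision logic just described, as an added example rather than Phantom's own playbook or datapath code: action results are modelled as a list of result records, a datapath string such as "geolocate_ip_1:action_result.data.*.country_name" selects values from them (the datapath shape is modelled on Phantom's; the resolver is our own construction), and the decision branches to block ip, with an optional analyst approval checkpoint, or to notify analyst. The result records and country names are constructed.

```python
# Added example, not Phantom's playbook or datapath engine: a small
# evaluator for a decision block like the one in the editor screenshot.
import operator

# Constructed output of a geolocate ip action: one record per IP queried.
GEOLOCATE_RESULTS = [
    {"parameter": {"ip": "198.51.100.7"},
     "data": [{"ip": "198.51.100.7", "country_name": "Freedonia"}]},
]

OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "in": lambda value, options: value in options,
    "not in": lambda value, options: value not in options,
}


def resolve(results, datapath):
    """Return every value a datapath selects; '*' fans out over lists."""
    _, _, path = datapath.partition(":")      # drop the "action_name:" prefix
    tokens = path.split(".")
    if tokens and tokens[0] == "action_result":
        tokens = tokens[1:]                   # the record list itself is the root
    current = list(results)
    for token in tokens:
        selected = []
        for item in current:
            if token == "*":
                if isinstance(item, list):
                    selected.extend(item)
            elif isinstance(item, dict) and token in item:
                selected.append(item[token])
        current = selected
    return current


def evaluate(conditions, results, logic="and"):
    """A condition holds if any value its datapath selects satisfies the operator.

    An empty selection (the action returned nothing) never satisfies a
    condition, so missing data falls through to the human-review branch.
    """
    outcomes = [
        any(OPERATORS[op](value, expected) for value in resolve(results, datapath))
        for datapath, op, expected in conditions
    ]
    return all(outcomes) if logic == "and" else any(outcomes)


def decide(geolocate_results, allowed_countries, require_approval=True):
    """Block the IP when it geolocates outside the allowed set, else notify an analyst."""
    conditions = [
        ("geolocate_ip_1:action_result.data.*.country_name", "not in", allowed_countries),
    ]
    ips = resolve(geolocate_results, "geolocate_ip_1:action_result.parameter.ip")
    if not ips or not evaluate(conditions, geolocate_results):
        return {"action": "notify analyst", "status": "sent"}
    # Analyst checkpoint: the block is queued for approval unless the
    # playbook has been configured to run fully automatically.
    status = "awaiting analyst approval" if require_approval else "executed"
    return {"action": "block ip", "ip": ips[0], "status": status}


if __name__ == "__main__":
    print(decide(GEOLOCATE_RESULTS, {"Sylvania"}))
    print(decide(GEOLOCATE_RESULTS, {"Freedonia"}))
```

Note that a geolocation lookup that returns no data does not select the block branch: the condition is only satisfied by a value that actually came back, so an unanswered enrichment step always ends with a human looking at it.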

SA&O platforms integrate with more than SIEM platforms.  Moreover, the Phantom platform can automate nearly any product to keep it “off the shelf.”

Apps extend the Phantom platform’s capabilities by supporting integration into third party security products and tools. Most security technologies these days have REST APIs, command line interfaces, or some other management interface that Phantom Apps can connect to in order to execute investigative and containment actions.

More than 75 Phantom Apps are available today (my.phantom.us), and our community-powered approach means that new Apps can be developed by anyone and freely shared within the Phantom user community.  In fact, we’re even running an App Contest now where one lucky contestant will win a $2,500 cash prize!

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

CP Morey
VP, Products & Marketing
Phantom

Playbook Series: Ransomware: Detect, Block, Contain, and Remediate

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release.

Ransomware is one of the leading threats facing organizations today. With volumes of malicious inbound emails and already infected devices within your environment, regaining control over ransomware can be tedious and time consuming.

The Phantom security automation and orchestration platform can help you investigate, block, and contain ransomware threats. The platform with an expanded Ransomware playbook could also automate the remediation of infected devices. Deal with the volume of ransomware threats you face by using the Phantom platform to scale your investigations and response to meet the challenge.

Figure: Screenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests either a suspicious file or file hash from your current security infrastructure and triggers the Ransomware playbook, automating key investigation and containment steps:

  • get file – Downloads the file sample from a repository.
  • detonate file – Submits the file sample for sandbox analysis.
  • block ip – Configures your infrastructure to block access to IP addresses associated with the ransomware.
  • block hash – Configures your infrastructure to block access to files matching the hash of a malicious sample.
  • hunt file – Looks for indications of other infected devices in your environment.
  • terminate process – Terminates any instances of the malware actively executing.
  • quarantine device – Place the infected devices in quarantine to prevent them from infecting other devices.
  • list connections – Examine a device’s active connections / add newly discovered malicious IPs to the block ip action.
  • disable user – Disable the user’s account to prevent further malware propagation.
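The containment logic in the list above, as an added example that is not the Ransomware playbook's own code: starting from a sandbox report and the hosts where hunt file found the sample, it walks each host's active connections, adds newly discovered malicious IPs to the block ip list, treats any further host talking to a blocked IP as infected, and repeats until nothing new appears, then emits the plan of block/terminate/quarantine/disable actions. The report, host inventory, connection table, reputation data and host-to-user mapping are all constructed.

```python
# Added example, not the Phantom Ransomware playbook's own code: a standalone
# model of its containment loop. Every input below is constructed sample data.
import ipaddress

# Constructed detonate file result for the submitted sample.
SANDBOX_REPORT = {
    "sha256": "d1" * 32,                  # placeholder hash, not a real sample
    "verdict": "malicious",
    "contacted_ips": ["198.51.100.20"],   # C2 address seen during detonation
}
# Constructed hunt file result: hosts on which the sample was found.
INFECTED_HOSTS = ["ws-011", "ws-042"]
# Constructed list connections results: remote IPs per host. ws-077 was not
# flagged by hunt file but talks to the C2; ws-099 only talks to a benign IP.
CONNECTIONS = {
    "ws-011": ["198.51.100.20", "203.0.113.55", "192.0.2.10"],
    "ws-042": ["203.0.113.55", "10.0.0.5", "203.0.113.99"],
    "ws-077": ["198.51.100.20"],
    "ws-099": ["192.0.2.10"],
}
# Constructed ip reputation results; IPs with no verdict go to an analyst,
# not straight to the firewall.
IP_REPUTATION = {"198.51.100.20": "malicious", "203.0.113.55": "malicious",
                 "192.0.2.10": "benign"}
# Constructed host-to-user mapping for the disable user step.
HOST_OWNER = {"ws-011": "jdoe", "ws-042": "asmith", "ws-077": "jdoe"}
# Internal ranges: connections into these are never block ip candidates.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def contain(report, infected_hosts, connections, reputation, host_owner):
    """Build the containment plan the playbook would execute for a malicious sample."""
    if report["verdict"] != "malicious":
        return {"escalate": "sandbox verdict %r; no automatic containment" % report["verdict"]}
    block_ips = set(report["contacted_ips"])
    review_ips = set()
    infected = []
    queue = list(infected_hosts)
    while queue:
        host = queue.pop(0)
        if host in infected:
            continue
        infected.append(host)
        for ip in connections.get(host, []):          # list connections
            if is_internal(ip) or ip in block_ips:
                continue
            if reputation.get(ip) == "malicious":
                block_ips.add(ip)                     # newly discovered malicious IP
            elif reputation.get(ip) != "benign":
                review_ips.add(ip)                    # unrated: analyst decides
        # Pivot: any other host with an active connection to a blocked IP is
        # treated as infected too, so the loop runs until no host is added.
        for other, remotes in connections.items():
            if other not in infected and other not in queue and block_ips & set(remotes):
                queue.append(other)
    return {
        "block hash": report["sha256"],
        "block ip": sorted(block_ips),
        "terminate process": sorted(infected),
        "quarantine device": sorted(infected),
        "disable user": sorted({host_owner[h] for h in infected if h in host_owner}),
        "analyst review": sorted(review_ips),
    }


if __name__ == "__main__":
    for step, targets in contain(SANDBOX_REPORT, INFECTED_HOSTS, CONNECTIONS,
                                 IP_REPUTATION, HOST_OWNER).items():
        print(step, targets)
```

Two design points carry over to a real playbook: the loop only blocks IPs that a reputation action has actually rated malicious (unrated ones are handed to an analyst), and it stops at a fixed point, so a host that was missed by hunt file but is talking to the C2 is still quarantined.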

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.


Chris Simmons
Director, Product Marketing
Phantom


Automation with Palo Alto Networks and Phantom

Palo Alto Networks and Phantom combine best-in-class protection with best-in-class security automation and orchestration, offering increased advanced threat visibility and protection that is fully synchronized across the security environment.

Palo Alto Networks can be quickly integrated with the Phantom platform using Phantom Apps for AutoFocus threat intelligence, PA Series network firewalls, Panorama centralized management, and WildFire file analysis.


Phantom Apps for Palo Alto Networks support automation actions like:

  • AutoFocus threat intelligence – hunt for file, IP address, and domain intelligence
  • PA Series network firewalls – block/unblock IP addresses, applications, and URLs
  • Panorama centralized management – block/unblock IP addresses, applications, and URLs
  • WildFire file analysis – detonate a file, get a report about a file, download a file, and get a PCAP of the file’s communications

Palo Alto Networks and Phantom increase productivity with use cases like these:

Use Case 1: Detect and Respond to Malware Infection with C2 Connectivity

Challenge: Shorten response time associated with discovery of an endpoint infected with malware and established C2.

Solution: The analyst deploys a Playbook on the Phantom platform which automates the investigation and containment phases through interaction with Palo Alto Networks applications.

Response: Deploy a Playbook which covers the following steps:

  1. The PAN firewall detects C2 traffic and sends an event to Splunk
  2. Splunk forwards the event to Phantom for automation
  3. The Playbook connects to vSphere to take a memory snapshot of the VM
  4. The Playbook uses Volatility to find the malware in the memory dump and extract the process associated with the threat
  5. The Playbook then automates detonation of the extracted file in PAN WildFire
  6. On a positive return from WildFire, the Playbook deploys a rule to the PAN firewall blocking connections to the destination IP address of the C2 connection
  7. The Playbook can then terminate the application and/or the VM

Use Case 2: Detect and Respond to Suspicious Email

Challenge: Shorten response time associated with a phishing investigation.

Solution: The analyst deploys a Playbook on the Phantom platform which automates the investigation and containment phases through interaction with Palo Alto Networks applications.

Response: Deploy a Playbook which covers the following steps:

  1. A potentially malicious email with a file attachment is forwarded to the SOC for investigation
  2. The Playbook automates detonation of the attachment in PAN WildFire
  3. On a positive return, the Playbook blocks the file hash on the Windows Server
  4. The Playbook automates a URL reputation lookup
  5. On a positive return, the Playbook deploys a URL filtering rule to the PAN firewall
  6. The email is deleted from the Exchange server

Interested in seeing how Phantom and Palo Alto Networks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Phantom in action.

CP Morey
VP, Products & Marketing
Phantom

Playbook Series: Enrich Security Events with External Threat Intelligence

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release.

The Phantom platform can automatically gather threat intelligence for you and enrich inbound security events. With the added context on hand you can reduce redundant steps in your investigations, achieve faster decision making, and improve your overall productivity.

Figure: Screenshot of the Event Investigation playbook in the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests a security event from your infrastructure and triggers the Event Investigation playbook, automating 19 common investigation steps:

  • detonate file – Execute a file in a sandbox and retrieve the analysis results.
  • get file – Download a sample from a repository.
  • get file info – Retrieve information about a file.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • domain reputation – Query a reputation service for domain reputation.
  • file reputation – Query a reputation service for file reputation.
  • ip reputation – Query a reputation service for IP reputation.
  • geolocate ip – Query a geolocation service for IP location.
  • hunt domain – Look for a domain in a threat intelligence database.
  • hunt file – Look for a file in a threat intelligence database.
  • hunt ip – Look for IP information within a threat intelligence database.
  • hunt url – Look for URL information within a threat intelligence database.
  • lookup domain – Query DNS records for a Domain or Host Name.
  • lookup ip – Query Reverse DNS records for an IP.
  • reverse domain – Find IPs that point to this domain and other domain names that share the same attributes.
  • reverse ip – Find domain names that share an IP.
  • url reputation – Query a reputation service for URL reputation.
  • whois domain – Run a whois query for the given domain.
  • whois ip – Execute a whois lookup on a given IP address.

The Phantom sample playbook shown here supports many external sources of threat intelligence.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.


Chris Simmons
Director, Product Marketing
Phantom


Phantom Extends Lead in Security Automation and Orchestration Market with New Product, Partners, and Playbooks

It’s been less than 3 quarters since we launched the first version of Phantom, and I’m amazed at the progress we’ve made in such a short period of time.

Today I am pleased to officially announce the General Availability of Phantom 2.0 with more than 500 improvements including the new Playbook Editor, Mission Control, Onboarding, and a community of more than 70 Phantom Apps.

Phantom’s growing list of partners and playbooks shows the power of our approach.  Here is a link to the full press release.  The text is also included below.

CP Morey
VP, Products & Marketing
Phantom


Phantom Extends Lead in Security Automation and Orchestration Market with New Product, Partners, and Playbooks

Community-Powered Approach Continues to Drive Innovation and Growth

Palo Alto, CA. – October 11, 2016 – Phantom, the first company to provide an open, extensible, and community-powered security automation and orchestration platform, has extended its lead since entering the market and being named RSA Conference 2016’s Most Innovative Startup earlier this year.  Product innovation, plus growth with partners and playbooks shows the strength of a community-powered approach.

“Security automation and orchestration has become a top priority for organizations,” said Oliver Friedrichs, Founder & CEO of Phantom.  “This has driven strong interest in our platform, our partner ecosystem, and the playbooks our community has developed. The innovation and growth proves that reducing time spent on tedious and repetitive tasks through automation is becoming a must-have means of increasing the capacity of security teams and driving consistency for more accurate results.”

Product

Phantom 2.0 became generally available in late September.  Fueled by feedback from customers and the community, this release delivered more than 500 enhancements including:

  • Playbook Editor 2.0 for Tier 3 Analysts to visually create automation playbooks. The new Playbook Editor provides a new experience through a rich, visual, BPMN-based (Business Process Model & Notation) editor enabling users to create playbooks more easily, with or without coding skills.
  • Mission Control 2.0 for Tier 1 Analysts to triage security events and alerts more efficiently. The details of the incident, triage, status, and results are presented in a single view, speeding the event and alert triage process for security operations teams.  Mission Control also introduces an Activity Feed that is a Slack-like interface enabling collaboration and commenting between all team members working on an event or alert.
  • Onboarding Process to get new users executing automated playbooks in less than 5 minutes. The process allows users to quickly configure a data source like a SIEM platform, threat intelligence feed, email message, RESTful API, or sample data, and then configure security tools utilized in the playbook before enabling the automation playbook to execute.

Visit the TryPhantom YouTube channel to see these enhancements and others.

Partners

Solution and technology partners are embracing the growing popularity of security automation and orchestration as well as Phantom’s unique, community-powered approach.  Companies like World Wide Technology (WWT) recognize Phantom’s extensibility as a way to grow their services businesses and deliver increased value to clients.

Mike McGlynn, Vice President of Security Solutions at WWT said, “Automation is becoming increasingly important to our clients who face the challenge of limited resources, an increasing threat surface and incident rate, and an overwhelmingly complex IT infrastructure.  We’ve tapped Phantom as a key solution partner based on the strength of their product combined with our security domain expertise.  We are seeing significant demand for security automation from our clients.”

Phantom’s community-powered approach enables collaboration, development, and sharing of apps and playbooks amongst users. Phantom has more than 75 apps available that span reputation services, endpoint technologies, sandboxing, firewalls, and common mobile, virtual and cloud based security products.  Many of the apps were developed by Phantom partners as well as the community at large.

Playbooks

The new Phantom Playbook Editor and updated community site offer users the most extensive resource in the industry to address security challenges, share information, and showcase their skills.  As with Phantom Apps, many of the playbooks were developed by partners.

Mark Kendrick, Director of Business Development, DomainTools said, “The new Playbook Editor in Phantom 2.0 makes it incredibly easy to build complex registrant and infrastructure pivots on domain names and the actors who register them.  It’s the perfect setting for DomainTools data because it makes proven workflows available to an entire team. Our updated DomainTools App will take advantage of the new features in Phantom 2.0, and it will also enable access to our Domain Reputation and Reverse Whois datasets.”

Phantom offers playbooks for investigation, threat hunting, and several others through the community playbook library.  Users can easily pull other playbooks from the Phantom Community Site or create their own with the new Playbook Editor in the Phantom 2.0 release.

Anyone interested in seeing how Phantom can help their organization should sign up for the free Phantom Community Edition, attend a Tech Session to see Phantom in action, and read more about playbooks on the Phantom blog.  Those interested in showcasing their security automation and orchestration skills may also opt to join Phantom’s Playbook & App Challenge.  The contest, which runs through December 2, 2016, will award a cash prize to the community user submitting the most impressive playbook and app combination.

ABOUT PHANTOM

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one open, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Playbook Series: Hunt for Community-Sourced IOCs and Artifacts in Your Environment

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release.

Most security teams would love to be able to follow up on every Indicator of Compromise (IOC) or artifact that they receive from the security community at large. Whether the piece of intelligence comes from trusted circles or from threat intelligence providers, the reality today is that security teams have many more “tips” than they have time to adequately investigate. The teams often have to prioritize their threat hunting activities, leading to the possibility of missing the crucial tip that would have led to the prevention of a successful attack.

The scenario described above highlights the power of Phantom security automation and orchestration. The Phantom platform can receive community-based intelligence and automatically execute enrichment and threat hunting steps for every IOC and artifact within your environment. Phantom can eliminate intelligence that is not found in your environment. But more importantly, it can identify the threats that are present and begin an automated investigation and/or action playbook or escalate the intelligence up to a human analyst for further analysis and decision making.

Figure: Screenshot from the Phantom platform’s new visual playbook editor. The Threat Hunting playbook is just one of the many real-world samples available with Phantom 2.0.

Figure: Vendors supported by the Threat Hunting sample playbook.

As shown in the above diagram, the Phantom platform ingests threat intelligence from a community source and then triggers the Threat Hunting playbook, automating the following steps:

  • Enrich an IOC/artifact with context from other threat intelligence sources
  • Search for the IOC/artifact in logs collected by the SIEM platform
  • Search for the IOC/artifact on managed endpoints in real time
  • Automatically dismiss intelligence items which are false positives
  • Automatically escalate intelligence items found within the local environment
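The hunting steps just listed, together with the enrichment actions of the Event Investigation playbook described earlier on this page, as one added example that is not Phantom's playbook code: each community IOC is enriched from two reputation sources, searched for in SIEM log lines and in an endpoint file inventory, and then dismissed (rated benign everywhere, or not observed in the environment) or escalated with its sightings attached. The IOC feed, both reputation sources, the log lines and the endpoint inventory are constructed sample data.

```python
# Added example, not the Phantom Threat Hunting playbook's own code: enrich
# each IOC, hunt for it in constructed SIEM logs and endpoint data, then
# dismiss or escalate it. All inputs are constructed sample data.
import re
from urllib.parse import urlparse

# Constructed community IOC feed.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.9"},
    {"type": "domain", "value": "bad.example.test"},
    {"type": "sha256", "value": "a" * 64},
    {"type": "domain", "value": "cdn.example.test"},   # a benign service someone reported
    {"type": "ip", "value": "198.51.100.77"},          # never seen in this environment
]
# Two constructed reputation sources with different verdict vocabularies.
SOURCE_A = {"203.0.113.9": "malicious", "cdn.example.test": "benign",
            "bad.example.test": "suspicious"}
SOURCE_B = {"cdn.example.test": "clean", "a" * 64: "malware"}
BENIGN_WORDS = {"benign", "clean", "harmless"}

# Constructed SIEM log lines in key=value form. The second line is a
# near-miss (203.0.113.90) that a substring search would wrongly match.
SIEM_LOGS = [
    "2016-10-11T09:12:01Z fw01 action=allow src=10.0.0.23 dst=203.0.113.9 dport=443",
    "2016-10-11T09:12:05Z fw01 action=allow src=10.0.0.24 dst=203.0.113.90 dport=443",
    "2016-10-11T09:13:44Z dns01 client=10.0.0.23 query=updates.example.test",
    "2016-10-11T09:15:02Z proxy01 client=10.0.0.31 url=http://bad.example.test/x",
    "2016-10-11T09:16:10Z proxy01 client=10.0.0.31 url=https://cdn.example.test/lib.js",
]
# Constructed endpoint inventory: hashes of files observed per host.
ENDPOINT_FILES = {"ws-023": {"a" * 64, "b" * 64}, "ws-031": {"c" * 64}}

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def enrich(ioc):
    """Gather the verdict each source holds for the IOC (the enrichment step)."""
    verdicts = {}
    for name, source in (("source_a", SOURCE_A), ("source_b", SOURCE_B)):
        if ioc["value"] in source:
            verdicts[name] = source[ioc["value"]]
    return verdicts


def is_false_positive(verdicts):
    """True when at least one source answered and every answer is benign."""
    return bool(verdicts) and all(v in BENIGN_WORDS for v in verdicts.values())


def log_values(line):
    """Yield the value of every key=value token, plus the host of any url= value."""
    for key, value in TOKEN_RE.findall(line):
        yield value
        if key == "url":
            host = urlparse(value).hostname
            if host:
                yield host


def search_siem(ioc, logs):
    """Exact match on token values, so 203.0.113.9 does not hit 203.0.113.90."""
    return [line for line in logs if any(v == ioc["value"] for v in log_values(line))]


def search_endpoints(ioc, inventory):
    if ioc["type"] != "sha256":
        return []
    return sorted(host for host, hashes in inventory.items() if ioc["value"] in hashes)


def hunt(ioc, logs=SIEM_LOGS, inventory=ENDPOINT_FILES):
    """Enrich, search, and decide whether to dismiss or escalate one IOC."""
    verdicts = enrich(ioc)
    siem_hits = search_siem(ioc, logs)
    endpoint_hits = search_endpoints(ioc, inventory)
    if is_false_positive(verdicts):
        decision = "dismiss: rated benign by every source"
    elif siem_hits or endpoint_hits:
        decision = "escalate: present in environment"
    else:
        decision = "dismiss: not observed in environment"
    return {"ioc": ioc["value"], "decision": decision, "context": verdicts,
            "siem": siem_hits, "endpoints": endpoint_hits}


if __name__ == "__main__":
    for item in IOC_FEED:
        result = hunt(item)
        print(result["ioc"], "->", result["decision"], result["context"])
```

The SIEM search compares whole token values rather than substrings; the near-miss log line is there to show why, since a naive substring search would escalate an IOC on the strength of a different address.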

Automating this process in Phantom has several benefits, including:

  • Increased scalability—Follow up on every tip coming from your communities
  • Increased security—Never miss a real attack due to volume or workload
  • Increased efficiency—Save time by automating key context-gathering steps and provide a big-picture view to human analysts
  • Increased precision—Ensure your processes are handled accurately and consistently every time

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

Chris Simmons
Director, Product Marketing
Phantom


About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.