Playbook Series: Ransomware: Detect, Block, Contain, and Remediate

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release.

Ransomware is one of the leading threats facing organizations today. With volumes of malicious inbound emails and already infected devices within your environment, regaining control over ransomware can be tedious and time consuming.

The Phantom security automation and orchestration platform can help you investigate, block, and contain ransomware threats. With an expanded Ransomware playbook, the platform could also automate the remediation of infected devices. Deal with the volume of ransomware threats you face by using the Phantom platform to scale your investigations and response to meet the challenge.

Screenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests either a suspicious file or file hash from your current security infrastructure and triggers the Ransomware playbook, automating key investigation and containment steps:

  • get file – Downloads the file sample from a repository.
  • detonate file – Submits the file sample for sandbox analysis.
  • block ip – Configures your infrastructure to block access to IP addresses associated with the ransomware.
  • block hash – Configures your infrastructure to block access to files matching the hash of a malicious sample.
  • hunt file – Looks for indications of other infected devices in your environment.
  • terminate process – Terminates any instances of the malware actively executing.
  • quarantine device – Places the infected device in quarantine to prevent it from infecting other devices.
  • list connections – Examines a device’s active connections and adds newly discovered malicious IPs to the block ip action.
  • disable user – Disables the user’s account to prevent further malware propagation.
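To make the chain concrete, here is a small Python model of the playbook’s decision flow, added to this post as an illustration; it is not Phantom’s playbook API and not code from the sample playbook, and the sandbox verdict, endpoint inventory, user names and IP addresses are constructed stand-ins. It shows how a benign verdict stops the chain after investigation, how every device the hunt finds gets its own containment steps, and how IPs surfaced by list connections feed back into block ip without creating duplicate block rules.

```python
from dataclasses import dataclass, field

SAMPLE_HASH = "aa" * 16  # constructed placeholder, not a real sample hash

# Constructed sandbox output keyed by hash: verdict plus the C2 IPs observed.
SANDBOX = {SAMPLE_HASH: {"malicious": True, "ips": ["198.51.100.7"]}}

# Constructed endpoint inventory: hash present?, logged-in user, active connections.
ENDPOINTS = {
    "ws-01": {"hash_present": True, "user": "alice",
              "connections": ["198.51.100.7", "203.0.113.9"]},
    "ws-02": {"hash_present": False, "user": "bob", "connections": []},
}


@dataclass
class RansomwarePlaybook:
    actions: list = field(default_factory=list)  # ordered, auditable action log
    blocked_ips: set = field(default_factory=set)

    def act(self, name, **params):
        """Record an action; a real playbook would dispatch it to an asset."""
        self.actions.append((name, params))

    def block_ip(self, ip):
        # Idempotent so an IP found by both detonation and list connections
        # produces one block rule rather than duplicates.
        if ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            self.act("block ip", ip=ip)

    def run(self, file_hash):
        self.act("get file", hash=file_hash)
        self.act("detonate file", hash=file_hash)
        verdict = SANDBOX.get(file_hash, {"malicious": False, "ips": []})
        if not verdict["malicious"]:
            return self.actions  # benign sample: investigate only, no containment
        for ip in verdict["ips"]:
            self.block_ip(ip)
        self.act("block hash", hash=file_hash)
        infected = [h for h, e in ENDPOINTS.items() if e["hash_present"]]
        self.act("hunt file", hash=file_hash, found_on=infected)
        for host in infected:  # per-device containment for every hunt hit
            self.act("terminate process", host=host, hash=file_hash)
            self.act("quarantine device", host=host)
            self.act("list connections", host=host)
            for ip in ENDPOINTS[host]["connections"]:
                self.block_ip(ip)  # feed newly discovered IPs back into block ip
            self.act("disable user", user=ENDPOINTS[host]["user"])
        return self.actions
```

Running `RansomwarePlaybook().run(SAMPLE_HASH)` returns the full action log, which is the audit trail the platform would keep for the incident.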

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless. Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to carry out your response when you see something you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.