Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Phishing emails are not a new type of threat to most security professionals, but dealing with the growing volume and potential impact of them require an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom security automation and orchestration platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e. sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.

phishing_playbook.pngA visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

  • file reputation – Query a threat intelligence service for a file’s reputation.
  • detonate file – Analyze the file in a sandbox and retrieve the analysis results.
  • hunt file – Look for instances of the file on managed endpoints.
  • get system attributes – Gets the attributes of a computer/system.
  • url reputation – Query a threat intelligence service for a URL’s reputation.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • get screenshot – Get a screenshot of a rendered URL.
  • domain reputation – Query a threat intelligence service for a domain’s reputation.
  • ip reputation – Query a threat intelligence service for an IP’s reputation.
  • geolocate ip – Queries a geolocation service for an IP’s location information.
  • hunt url – Look for information about a URL that could reveal attribution information.
  • lookup ip – Query Reverse DNS records for an IP.
  • whois domain – Run a whois query on the given domain.
  • whois ip – Execute whois lookup on the given IP address.
  • delete email – Deletes an email from the email server.

The benefits of automating your phishing IR workflow are numerous:

  • Free up analysts to research the latest phishing tactics.
  • Increase the efficiency and productivity of your SecOps team.
  • Create a precise and repeatable process that allows you to accurately measure success.

This Phantom playbook has been tested with many technology partners:

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.