App Envy? You decide…

Though Phantom only went GA earlier in 2016, we’ve been working on the technology for nearly 3 years.  This investment in our architecture has produced meaningful differences – some of which we’ve covered in past blog posts.

One element that is foundational to our architecture is the Phantom App.  Apps extend the capabilities of the platform by supporting integration with all of the 3rd-party security products that our users want to automate and orchestrate.

Phantom has over 75 Apps, allowing the platform to automate common reputation services, endpoint technologies, sandboxes, firewalls, and common mobile, virtual and cloud-based security products.

Apps are closely related to another foundational element in our architecture – actions.  Simply put, actions are what you automate – retrieving data for investigative purposes or changing policy on a security device for example.  The Phantom platform supports more than 150 actions.

Here’s an example to illustrate both elements:

(Image: HackerTarget App action list)

HackerTarget is a Phantom App that supports 12 actions including tracerouting an IP, executing a whois lookup, and several others.  You can see all Phantom Apps and their associated actions at my.phantom.us.

In a race to compete in this emerging market, some vendors have adopted a taxonomy that inflates their App count.  For example, what Phantom would call a single Active Directory App with two actions, is instead represented as two separate Apps:

  • Active Directory Authenticate App
  • Active Directory Query App

It’s misleading, but fortunately also rather transparent.  If you are evaluating Security Automation & Orchestration platforms, simply looking at the list of supported apps would reveal the attempt to inflate the count – more Apps equate to a better platform, unless they aren’t really Apps.

What is certainly related and also important to consider is how Apps are developed for a Security Automation & Orchestration platform.  Our community-powered approach means core elements like Apps can be developed by anyone and shared within the community.  Users have the option of using community-developed Apps as-is or as a starting point for developing their own.  Communication and collaboration are encouraged as a way for users to address challenges, share information, and showcase their skills.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see it in action.

CP Morey
VP, Products & Marketing
Phantom

Preventing Threat Intelligence Overload

Security professionals generally agree that the demand for threat intelligence is growing. With the ability to focus security teams and tools on the most relevant and high-risk threats, the context and tailored priority that threat intelligence feeds provide are undisputed benefits.

While it sounds like a win/win situation—the threat intel comes in, it’s applied, and the organization becomes less vulnerable—incorporating threat intelligence into security operations has actually led to an increased burden on the security teams that use it. Often incorporating multiple inbound intelligence feeds, the team has to parse through high volumes of multi-formatted data that comes in at disparate times. They must groom the incoming intelligence data, removing duplicate records and those that aren’t applicable to their organization or industry. Finally, the team must then re-distribute the combined and refined intelligence stream out to their internal tools and stakeholders.  

Security teams also correlate intelligence across multiple data sources, using algorithms to build a confidence rating for a piece of intelligence in the process.  Based on their personal experiences and a feed’s historical accuracy, the team uses a customized weighting system to rank the quality of intelligence by its source. This rating system allows the team to include every indicator or observable in their resulting set, thereby avoiding the elimination of a critical piece of intelligence. It also allows them to present the most trusted and high priority intelligence first, helping to improve downstream efficiency.

While the ingestion, grooming, and rating workflow is going on, the clock continues to tick and the utility of inbound threat intelligence diminishes. The longer it takes to get valuable intelligence into the hands of the people who can take action on it, the longer a bad actor has to carry out an attack.

Fortunately, technology exists to relieve the burdens introduced by threat intelligence, extract its benefits, and shorten incident response times. Using automated techniques, teams can aggregate data sets, de-duplicate records, and apply scoring algorithms to inbound intelligence. Intelligence that accrues a score above a watermark can be automatically escalated to members of the security team for review. By automating this workflow, team resources are freed to focus on the critical intelligence that warrants follow-up. Perhaps most importantly, an organization’s overall security is improved by getting information to the people and systems where it can be acted upon faster than with manual techniques.
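The triage pipeline described above (aggregate, de-duplicate, weight by source, escalate above a watermark), as an added example that is not code from RedOwl or Phantom. The feed records, the per-source weights and the noisy-OR scoring with a freshness half-life are all assumptions constructed for illustration.

```python
"""Automated threat-intel triage: normalise, de-duplicate, score, escalate."""
from dataclasses import dataclass, field

# Assumed per-feed weights (0..1) standing in for each feed's historical accuracy.
SOURCE_WEIGHT = {"feed_a": 0.9, "feed_b": 0.6, "feed_c": 0.3}

# Constructed sample records: (feed, indicator type, raw value, age in days).
# Values are documentation ranges and a dummy hash, not real indicators.
SAMPLE_FEED = [
    ("feed_a", "ipv4", "203.0.113.7", 1),
    ("feed_b", "ipv4", "203.0.113[.]7", 3),          # same IP, defanged
    ("feed_c", "domain", "Malware.Example.net", 10),
    ("feed_b", "domain", "malware.example.net", 2),  # same domain, other feed
    ("feed_c", "sha256", "a" * 64, 30),              # single stale low-trust source
    ("feed_a", "ipv4", "192.0.2.55", 0),
    ("feed_a", "ipv4", "192.0.2.55", 0),             # exact duplicate record
]


@dataclass
class Indicator:
    itype: str
    value: str
    sources: set = field(default_factory=set)
    age_days: int = 10**6


def normalize(itype, raw):
    """Canonical form so equivalent values from different feeds collide on one key."""
    value = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return (itype, value)


def aggregate(records):
    """Merge all feed records into one Indicator per (type, value)."""
    merged = {}
    for feed, itype, raw, age in records:
        key = normalize(itype, raw)
        ind = merged.setdefault(key, Indicator(*key))
        ind.sources.add(feed)            # corroborating feeds accumulate
        ind.age_days = min(ind.age_days, age)  # keep the freshest sighting
    return list(merged.values())


def confidence(ind, half_life_days=14):
    """Noisy-OR of source weights (independent corroboration raises the score),
    multiplied by a freshness factor that halves every `half_life_days`."""
    p_all_wrong = 1.0
    for source in ind.sources:
        p_all_wrong *= 1.0 - SOURCE_WEIGHT.get(source, 0.1)
    freshness = 0.5 ** (ind.age_days / half_life_days)
    return round((1.0 - p_all_wrong) * freshness, 3)


def triage(records, watermark=0.6):
    """Return (escalated, backlog), each ranked highest confidence first."""
    ranked = sorted(aggregate(records), key=confidence, reverse=True)
    escalated = [i for i in ranked if confidence(i) >= watermark]
    backlog = [i for i in ranked if confidence(i) < watermark]
    return escalated, backlog


if __name__ == "__main__":
    hot, cold = triage(SAMPLE_FEED)
    for ind in hot:
        print("ESCALATE", ind.itype, ind.value, confidence(ind), sorted(ind.sources))
    for ind in cold:
        print("backlog ", ind.itype, ind.value, confidence(ind), sorted(ind.sources))
```

Nothing is discarded: low-scoring indicators stay in the backlog so a single weak sighting is never lost, it is just presented after the corroborated, fresh ones.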

In summary, the automation of these threat intel triage tasks will free up the team to provide more meaningful analysis and expertise, like putting together that Threatscape document the CISO has been asking for.

Tim Condello
RedOwl

Tim Condello is a Technical Account Manager at RedOwl.  Prior to this he was a founding member of the Threat Intelligence team at BNYM.

Paul Davis Joins Phantom as VP of Delivery

I have had the honor of working with first-rate security operations teams around the world.  Whether I was in the CISO role at one of the top 5 companies in the Fortune 500, running Security Operations Centers in the frenetic world of financial exchanges, or responding to threats against the critical infrastructure industry, there are a number of challenges that have been universal:

  • There is never enough time
  • It is tough to deliver security consistently and effectively
  • Repeatable processes are elusive
  • Shutting down a threat or attack takes longer than it should

Lack of time and resources as well as having a “target on one’s back” are challenges that every IT security professional faces.  As they say, “you’re only as good as your last security event response.”  Just ask the CISOs who have lost their jobs to security lapses.

Paul brings more than 20 years of experience working with security operations teams and solving security challenges at some of the largest organizations in the world.

So what is needed to overcome these challenges?

Consistency – it takes time

It’s sad, but true.  Despite the glamorous portrayal of hackers and security response teams in the movies, a monotonous but important reality is that security teams need to document what they do.  We need to track it, we need to be coordinated, and we need to be agile.  We are forced to do it with increased pressure from the growing number of threats impacting our organizations.  Our work needs to be standardized and repeated every day, without a drop in service quality.

I’ve built a number of security programs.  One concept that has always served me well is the playbook.  In all situations, whether the security team was small or large, there has been a need for consistency, for common nomenclature, standard deliverables, and predictable paths.  At the very least, this approach ensures that the shift handover will be smooth.  Geographically dispersed groups are going to be able to respond more effectively, and the public face of the IT security team will look professional and reliable.

The benefits are worth it.  A consistent approach drives team pride, fast action (e.g. building a SOC with full 24×7 operations in 2 months), and metrics that demonstrate the value of the security team.

Playbooks

To ensure consistency from the start, I’ve used playbooks with graphical diagrams supplemented by an arduous manual documenting each and every step of the process.  When the inevitable happened, the team could use a well documented playbook to ensure that we were following a consistent process.

Still, there was something that always bothered me.  Lack of automation.  I call it a “click-fest”.  Cut and paste this information into another application, or even worse, re-type the information.  I challenge anybody to get excited about entering a SHA256 manually.  This “click-fest” was often repeated multiple times a day.  Human error, boredom, and even missed security events occurred.  When I lead a security team, I want to exercise their critical thinking, challenge them to use their instincts and IT security chops versus treating them like a group of unskilled data entry dupes.

So what has changed?

The industry has evolved.  Products have APIs that allow you to extract information and enable response.  But you still need something to bring the data together and go beyond a prioritized list of events to review, otherwise you invoke once again the cursed “click-fest”.

After two decades in the security industry, I started working with some of the most forward thinking security institutions, building threat intelligence platform architectures.  These architectures were designed to consume data in the form of events and threat intelligence, and then validate if the event reached a risk threshold.  These systems were being built in-house and they required a lot of maintenance.  This changed some of the members of the team from being security analysts to developers.  It’s not ideal, but you need people who not only understand how to build robust solutions, but also understand the mission and parameters that affect a security operations team, or a threat intelligence team, or an incident response team.

Are you in security or system integration?

The systems were built. They weren’t ‘pretty’, but they worked.  They weren’t systems that allowed people to easily codify their processes into playbooks.  They required systems integration.  I remember meeting a CISO in Australia, and he asked if I could help him get out of the system integration business since most of his security engineers were focused on integration instead of optimizing security response.

But I want efficiencies, I want automation

When I started to design those threat intelligence platforms, many customers wanted complete automation.  I had to explain to them that you could only expect to automate a portion of the operations – maybe 60% of the threats.  I had to explain that their security response needed to leverage all of the organization’s infrastructure.  There is a cost associated with implementing security controls.  The closer the threat gets to the processor, the higher the cost.  If I can block an attack at the network level, then I’m not going to affect the performance of that critical database.  I talked about an agile response model with “micro rules” that could be applied according to whether you were monitoring for a threat IOC inside the infrastructure versus responding to an active threat inside their environment.

Nirvana

A system is needed that provides automation to enable speedy, standardized, and effective response. This same system also needs to support the triage process of investigating an event, bringing all relevant information to the analyst from multiple sources, enabling them to determine the level of risk and to perform deeper analysis of the situation.  It should also enable active response across multiple solutions.

The Answer

Phantom has built what security operations teams and incident responders need.  A platform that empowers security teams to integrate and develop standardized process and procedures.  All the concepts that I’ve dreamed of and spoken about during the past few years are realized in a product that enables integration, automation, and efficiency in a security operations environment. It supports an agile model that can leverage the power of automation and the human brain.

Phantom provides automation, consistently.  A powerful platform to ensure that SOC and IR teams are focusing on the interesting aspects of investigation and response, leveraging their skills and passion for security.  Phantom is the solution that can proactively gather all the information that analysts need to assess risk, and execute an effective response, at scale.

I’m really excited to be joining Phantom, since it is the realization of the dreams I had as a security professional.  I look forward to helping our customers, our partners, and the IT security community find success. I look forward to working with a great skilled team to build relationships that will help advance the capabilities of the IT security industry, from vendors to the people protecting organizations on the electronic frontline.

Paul Davis
VP of Delivery
Phantom

Paul is a seasoned IT Security Executive with a global reputation for building organizations and delivering services.  He has more than 20 years of experience working with security operations teams and solving security challenges at top companies including EDS, General Motors, GE, Cisco, Dow Chemical, The Washington Post, The United Nations, MCI, Prudential, and Mitsui.

Prior to joining Phantom, Paul held a number of senior leadership roles including EDS’ Chief Information Security Officer at General Motors, Chief Security Officer at Dow Chemical, and Director of Security Operations for a major financial exchange.  Paul earned a CISSP certification, and is a member of ISSA, IACs, and the MIT Enterprise Forum of Cambridge.

App Spotlight: ReversingLabs: Real-Time Classification of Malware Samples

In the first of a new series spotlighting Phantom Apps, today we’re highlighting the integration between Phantom’s Security Automation and Orchestration (SA&O) platform and the ReversingLabs A1000 Malware Analysis Platform.

Gaining analyst productivity is paramount to improving your organization’s security posture against file-based threats. One way to increase a team’s productivity is by automating the triage and investigation steps. Today we explore how a Phantom and ReversingLabs integration can help.

Upon receiving a file sample from a detection system or SIEM platform, the Phantom SA&O platform can automate investigative actions on a ReversingLabs A1000 Malware Analysis Platform. It does this via the ReversingLabs File Reputation App, which also provides the necessary integration between the two platforms to enable ReversingLabs to return high-level sample classifications back to Phantom for further decision making and orchestration steps.

(Image: Sample Playbook illustrating ReversingLabs and Phantom Integration)

After returning the high-level classification, the sample can be investigated more thoroughly using the sample detonation capability of the A1000 device.  Once the sample detonation is complete, a link to the analysis report on the A1000 device is made available to the Phantom platform.  Then a playbook can automatically send an email to your analyst team for further investigation.  In Phantom’s Mission Control UI, the analyst can link to the A1000 analysis report through the action results displayed.

This use case demonstrates the value of leveraging real-time classification of file samples against the ReversingLabs File Reputation Database of goodware and malware.  The real-time classifications can yield better incident response times and accelerate the forensic process by providing concise information on which samples require deeper analysis and which can be assigned lower priority and/or systematically closed.  This automated triage and analysis process is particularly useful for maximizing the productivity and focus of your analyst team.

About ReversingLabs:
ReversingLabs collects and processes millions of files a day to build and maintain the largest commercially-available private File Reputation Repository of over 3 billion unique goodware and malware samples.  Each sample is regularly analyzed/reanalyzed to provide over 3000 metadata fields of actionable information.

ReversingLabs’ automated static analysis engine recognizes over 3500 file formats and contains support for 350 unpackers that malware authors use to obfuscate executables. The support for more file formats and unpackers continues to grow with each release of their automated static analysis engine.

Playbook Series: Keyloggers: Prevent the loss of sensitive information

Keyloggers are one of the most common types of malware that bad actors use to harvest and steal sensitive information. Although the data they target varies from passwords to credit cards to intellectual property, identifying and stopping keyloggers before they are able to exfiltrate sensitive information is a top-of-mind imperative of security teams worldwide.

To assist teams in achieving this goal, we present today’s entry to our playbook series—the Keylogger Response playbook. This playbook outlines how you can automate the investigation and containment of keylogger-infected endpoints. The playbook is designed to quickly investigate a suspected keylogger infection and contain it, if confirmed, until you can further investigate—reducing the chances that sensitive information will be lost.

Note: The Phantom team is in the process of publishing the playbook to our community repository and expects it to appear on the Phantom platform in the coming days.

(Image: A visual representation of the Keylogger Response playbook as viewed using the Phantom 2.0 platform.)

The Keylogger Response playbook begins execution when Phantom receives an alert from a SIEM platform, like Splunk, HP ArcSight, or IBM QRadar.

The playbook then attempts to locate the affected VM, extract a file sample, and detonate the sample in a file analysis sandbox, like Cisco AMP Threat Grid.

If the file analysis results indicate that keylogging activity was detected, then the playbook executes the defined User Management Course of Action (CoA):

  • logoff user
  • disable user
  • reset password

These actions prevent the malware from propagating laterally within the network using the user’s credentials.

Finally, the playbook executes some standard response actions whenever malware is confirmed, whether or not it is a keylogger trojan:

  • block hash
  • terminate process
  • send email

Automating this workflow provides multiple benefits:

  • Prevents data loss by executing your investigation and containment workflow the moment a keylogger infection is suspected.
  • Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
  • Ensures consistency by following your process the same way, every time.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Are You Bringing a Knife to a Gun Fight?

Though one might question if their origins were for good or evil, botnets have been used for both causes for years.  For bad actors, botnets represent a cheap and powerful form of automation.  With bots dispersed across a vast network of infected computers and controlled by a Command and Control (C2) server, automation directs the next action from the queue.

Malicious botnets are used for multiple purposes: distributing malware, stealing passwords, propagating spam, and launching DDoS attacks.  The benefits are hard to ignore – botnets are a low cost, fast acting way to complete the mission.  But why should automation be a tool used only by the bad guys?

With automation becoming increasingly popular in the SOC, it’s easy to wonder why it has taken so long for the good guys to stop showing up to the gun fight with a knife.  Some would say that we’ve been forced to “carry.”

One driver for SOC automation is that our security deployments have gotten more complex.  Twenty years ago, companies had just a few security products to manage – perhaps a firewall and anti-virus.  Today, most are juggling dozens or more.  I was recently at a CISO event where my informal poll of the crowd showed many enterprises are working with 25 – 30 different security vendors.  Industry research suggests the number may even be higher.  With more to manage, automation is an easy choice – and perhaps the only logical choice.

So where do you start?

(Image: automation and orchestration maturity continuum)

We’ve developed a maturity continuum for automation and orchestration to help answer this question.  As with other continuums, it’s a useful way to benchmark your progress in adopting this new technology as well as developing a strategic vision for the future.  Download a copy of our whitepaper to explore the continuum in depth.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

CP Morey
VP, Products & Marketing
Phantom

Playbook Series: Rootkits: Automatically Remediate Virtual Machines

Most security professionals will agree: the most reliable way to remediate rootkit infections on Virtual Machines (VMs) is to re-image or revert the virtual machine to a pre-infected state. Today’s entry to our playbook series examines a Phantom playbook, included with our version 2.0 release of the platform, that automates this scenario.

(Image: A visual representation of the Remediate Rootkit playbook as viewed using the Phantom 2.0 platform.)

The Phantom playbook begins by attempting to quarantine the infected VM. Next, the playbook collects information about the system that will aid in the downstream steps involved in recovering the endpoint. Depending on the running state of the VM, the playbook then uses encoded process logic and the Phantom decision engine to determine the next path in the workflow. If the VM is not currently running, Phantom attempts to revert the VM to a pre-infected state, unquarantine the endpoint, and send an email report of the activity. If the VM is actively running, Phantom attempts to terminate affected processes and disable affected user(s), create a ticket to have the machine re-imaged, and send an email summary.
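The branch logic of the Keylogger Response playbook (earlier in this series) and the Remediate Rootkit playbook described above, as an added example that is not a Phantom playbook and uses no Phantom API. Action names are the page's own descriptions, the connectors are constructed simulations, and the `Endpoint` record, the `SOC_MAILBOX` address and the sandbox verdict dictionary are assumed inputs; the runner records every step in an audit trail and stops the rootkit flow if quarantine fails, an edge case the text does not cover.

```python
"""Decision logic of the Keylogger Response and Remediate Rootkit playbooks."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:                 # constructed input describing the affected VM
    host: str
    user: str
    running: bool
    sample_sha256: str


@dataclass
class Runner:
    """Executes named actions through connectors and records each outcome."""
    connectors: dict
    audit: list = field(default_factory=list)

    def run(self, action, target):
        ok = self.connectors[action](target)
        self.audit.append((action, target, ok))   # repeatable, reviewable trail
        return ok

    def actions(self):
        return [action for action, _, _ in self.audit]


SOC_MAILBOX = "soc@example.invalid"   # constructed placeholder address


def keylogger_response(ep, verdict, runner):
    """SIEM alert -> sandbox verdict -> user CoA if keylogging -> standard response."""
    if not verdict.get("malicious"):
        return "closed: sample benign"
    if verdict.get("keylogger"):
        # User Management CoA: deny lateral movement with the user's credentials.
        for action in ("logoff user", "disable user", "reset password"):
            runner.run(action, ep.user)
    # Standard response for any confirmed malware, keylogger or not.
    runner.run("block hash", ep.sample_sha256)
    runner.run("terminate process", ep.host)
    runner.run("send email", SOC_MAILBOX)
    return "contained"


def remediate_rootkit(ep, runner):
    """Quarantine -> collect system info -> branch on the VM's running state."""
    if not runner.run("quarantine device", ep.host):
        # Containment failed: do not touch the VM further, hand it to an analyst.
        runner.run("send email", SOC_MAILBOX)
        return "escalated: quarantine failed"
    runner.run("get system info", ep.host)
    if not ep.running:
        runner.run("revert vm", ep.host)
        runner.run("unquarantine device", ep.host)
        runner.run("send email", SOC_MAILBOX)
        return "reverted to clean snapshot"
    runner.run("terminate process", ep.host)
    runner.run("disable user", ep.user)
    runner.run("create ticket", ep.host)
    runner.run("send email", SOC_MAILBOX)
    return "re-image ticket opened"


ACTIONS = ("logoff user", "disable user", "reset password", "block hash",
           "terminate process", "send email", "quarantine device",
           "get system info", "revert vm", "unquarantine device", "create ticket")


def simulated_connectors(failing=()):
    """Constructed stand-ins for product integrations: succeed unless listed in `failing`."""
    return {name: (lambda target, n=name: n not in failing) for name in ACTIONS}


if __name__ == "__main__":
    vm = Endpoint("vm-042", "jdoe", running=False, sample_sha256="0" * 64)
    runner = Runner(simulated_connectors())
    print(remediate_rootkit(vm, runner), runner.actions())
```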

Automating this workflow provides multiple benefits:

  • Improves security by executing your containment and remediation workflow the moment a rootkit infection is confirmed.
  • Increases the efficiency and productivity of your SecOps team.
  • Ensures consistency by following your process the same way, every time.

Chris Simmons
Director, Product Marketing
Phantom