Playbook Series: Rootkits: Automatically Remediate Virtual Machines

Most security professionals will agree: the most reliable way to remediate rootkit infections on virtual machines (VMs) is to re-image the VM or revert it to a pre-infection state. Today’s entry in our playbook series examines a Phantom playbook, included with the 2.0 release of the platform, that automates this scenario.

[Image: rootkit_remediate] A visual representation of the Remediate Rootkit playbook as viewed in the Phantom 2.0 platform.

The Phantom playbook begins by attempting to quarantine the infected VM. Next, the playbook collects information about the system that will aid the downstream steps involved in recovering the endpoint. Depending on the running state of the VM, the playbook then uses the process logic encoded in it and the Phantom decision engine to choose the next path in the workflow. If the VM is not currently running, Phantom attempts to revert the VM to a pre-infection state, unquarantine the endpoint, and send an email report of the activity. If the VM is actively running, Phantom attempts to terminate the affected processes and disable the affected user(s), creates a ticket to have the machine re-imaged, and sends an email summary.
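The branching logic described above, written out as an added, self-contained Python simulation; this is illustrative code, not the playbook shipped with Phantom 2.0 or the platform's own API. The action names, the `run` executor and the sample inventory are assumptions, and it adds one caveat not stated above: the quarantine is lifted only if the revert succeeds.

```python
from typing import Callable, Dict, List

# Constructed sample VM inventory (not real hosts): name -> running state,
# suspicious process ids and accounts reported by the detection source.
SAMPLE_VMS: Dict[str, dict] = {
    "web-01": {"running": True, "pids": [4120, 4133], "users": ["svc_backup"]},
    "db-02": {"running": False, "pids": [], "users": []},
}

# An executor takes (action name, parameters) and returns True on success.
# In a real platform it would dispatch to hypervisor, EDR and ticketing assets.
Executor = Callable[[str, dict], bool]


def always_succeeds(action: str, params: dict) -> bool:
    """Stand-in executor so the example runs offline."""
    return True


def remediate_vm(vm: str, inventory: Dict[str, dict], run: Executor) -> List[str]:
    """Run the playbook logic for one VM and return the ordered audit trail."""
    info = inventory[vm]
    trail: List[str] = []

    def step(action: str, **params) -> bool:
        ok = run(action, params)
        trail.append(f"{action}:{'ok' if ok else 'failed'}")
        return ok

    # 1. Contain first: isolate the VM from the network.
    if not step("quarantine", vm=vm):
        # Assumption: if containment fails, escalate instead of continuing.
        step("create_ticket", vm=vm, reason="quarantine failed")
        step("send_email", vm=vm, trail=list(trail))
        return trail
    # 2. Collect system information for the downstream recovery steps.
    step("get_system_info", vm=vm)
    # 3. Branch on the VM's running state.
    if info["running"]:
        for pid in info["pids"]:
            step("terminate_process", vm=vm, pid=pid)
        for user in info["users"]:
            step("disable_user", vm=vm, user=user)
        step("create_ticket", vm=vm, reason="re-image required")
    else:
        # Assumption: only lift the quarantine once the revert has succeeded.
        if step("revert_vm", vm=vm, snapshot="pre-infection"):
            step("unquarantine", vm=vm)
        else:
            step("create_ticket", vm=vm, reason="revert failed")
    # 4. Always close out with a summary email carrying the audit trail.
    step("send_email", vm=vm, trail=list(trail))
    return trail
```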

Automating this workflow provides multiple benefits:

  • Improves security by executing your containment and remediation workflow the moment a rootkit infection is confirmed.
  • Increases the efficiency and productivity of your SecOps team.
  • Ensures consistency by following your process the same way, every time.

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless. Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks to carry out the response you want when you see something that warrants action. They hook into the Phantom platform and all of its capabilities to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will; they are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.