Keyloggers are one of the most common types of malware that bad actors use to harvest and steal sensitive information. The data they target ranges from passwords to credit card numbers to intellectual property, so identifying and stopping keyloggers before they can exfiltrate sensitive information is a top priority for security teams worldwide.
To assist teams in achieving this goal, we present today’s entry to our playbook series—the Keylogger Response playbook. This playbook outlines how you can automate the investigation and containment of keylogger-infected endpoints. The playbook is designed to quickly investigate a suspected keylogger infection and contain it, if confirmed, until you can further investigate—reducing the chances that sensitive information will be lost.
Note: The Phantom team is in the process of publishing the playbook to our community repository and expects it to appear on the Phantom platform in the coming days.
A visual representation of the Keylogger Response playbook as viewed using the Phantom 2.0 platform.
When a keylogger infection is suspected, the playbook first attempts to locate the affected VM, extract a sample of the suspect file, and detonate the sample in a file analysis sandbox, like Cisco AMP Threat Grid.
If the file analysis results indicate that keylogging activity was detected, then the playbook executes the defined User Management Course of Action (CoA):
- logoff user
- disable user
- reset password
These actions limit the malware's ability to propagate laterally within the network using the compromised user's credentials.
Finally, the playbook executes some standard response actions when malware is confirmed, whether it is of type keylogger trojan or not:
- block hash
- terminate process
- send email
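The stages above (locate the VM, extract and detonate the sample, branch on the verdict, run the User Management CoA only for confirmed keylogging, run the standard malware actions for any confirmed malware) can be modelled as a plain-Python decision flow. The block below is an added example, not the Phantom playbook itself and not the Phantom playbook API; `SandboxVerdict`, `ActionRunner`, `run_keylogger_response`, the stub integrations and the sample alert are all constructed for this illustration, and the "contains `keylog`" test on sandbox behaviour tags is an assumption that a real deployment would replace with a vendor-specific mapping.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class SandboxVerdict:
    """Constructed shape of a file-analysis result: was the sample judged
    malicious, and which behaviour tags did the sandbox report?"""
    malicious: bool
    behaviors: List[str] = field(default_factory=list)


@dataclass
class ActionRunner:
    """Records the action names the playbook executes, in order. A real
    runner would dispatch to endpoint, directory and mail integrations;
    this one only keeps an audit log so the decision flow can be checked."""
    log: List[str] = field(default_factory=list)

    def act(self, action: str, **params: str) -> None:
        self.log.append(action)


def is_keylogging(verdict: SandboxVerdict) -> bool:
    """Assumption: the sandbox tags keylogging with a behaviour string
    containing 'keylog'. Real reports need a vendor-specific mapping."""
    return any("keylog" in b.lower() for b in verdict.behaviors)


def run_keylogger_response(
    alert: Dict[str, str],
    locate_vm: Callable[[str], Optional[str]],
    extract_sample: Callable[[str, str], bytes],
    detonate: Callable[[bytes], SandboxVerdict],
    runner: ActionRunner,
) -> Dict[str, object]:
    """Mirror of the playbook's stages: locate VM, extract sample, detonate,
    then branch on the verdict. Returns a summary with the ordered actions."""
    vm_id = locate_vm(alert["hostname"])
    if vm_id is None:
        # Nothing can be contained automatically; leave it for an analyst.
        return {"status": "vm_not_found", "actions": list(runner.log)}

    sample = extract_sample(vm_id, alert["file_path"])
    verdict = detonate(sample)
    if not verdict.malicious:
        return {"status": "benign", "actions": list(runner.log)}

    keylogger = is_keylogging(verdict)
    if keylogger:
        # User Management CoA: cut off the credentials the keylogger may have captured.
        runner.act("logoff user", username=alert["user"], hostname=alert["hostname"])
        runner.act("disable user", username=alert["user"])
        runner.act("reset password", username=alert["user"])

    # Standard actions for any confirmed malware, keylogger or not.
    runner.act("block hash", hash=alert["sha256"])
    runner.act("terminate process", name=alert["process_name"], hostname=alert["hostname"])
    runner.act("send email", to="soc@example.invalid",
               subject="Malware contained on " + alert["hostname"])
    return {"status": "keylogger" if keylogger else "malware", "actions": list(runner.log)}


# Constructed alert and stub integrations so the block runs offline.
SAMPLE_ALERT = {
    "hostname": "ws-042.corp.invalid",
    "user": "jdoe",
    "process_name": "svchost32.exe",
    "file_path": r"C:\Users\jdoe\AppData\Roaming\svchost32.exe",
    "sha256": "0" * 64,  # placeholder value, not a real indicator
}


def stub_locate_vm(hostname: str) -> Optional[str]:
    return "vm-1337" if hostname == SAMPLE_ALERT["hostname"] else None


def stub_extract_sample(vm_id: str, path: str) -> bytes:
    return b"MZ..."  # constructed stand-in for the extracted file


def stub_detonate_keylogger(sample: bytes) -> SandboxVerdict:
    return SandboxVerdict(True, ["Process installs keyboard hook (keylogging)"])


def demo() -> Dict[str, object]:
    return run_keylogger_response(SAMPLE_ALERT, stub_locate_vm, stub_extract_sample,
                                  stub_detonate_keylogger, ActionRunner())


if __name__ == "__main__":
    print(demo())
```

Passing the integrations in as callables keeps the decision logic testable without a platform: swapping the detonation stub for one that returns a non-keylogger malicious verdict should yield only the three standard actions, a benign verdict should yield none, and an unlocatable VM should stop before any sample is pulled.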
Automating this workflow provides multiple benefits:
- Prevents data loss by executing your investigation and containment workflow the moment a keylogger infection is suspected.
- Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
- Ensures consistency by following your process the same way, every time.
The use cases that can be addressed with Phantom playbooks are nearly limitless. Be sure to check the blog regularly for posts on other great playbooks.
Director, Product Marketing
Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.