Playbook Series: Keyloggers: Prevent the loss of sensitive information

Keyloggers are one of the most common types of malware that bad actors use to harvest and steal sensitive information. Although the data they target varies from passwords to credit cards to intellectual property, identifying and stopping keyloggers before they are able to exfiltrate sensitive information is a top-of-mind imperative of security teams worldwide.

To assist teams in achieving this goal, we present today’s entry to our playbook series—the Keylogger Response playbook. This playbook outlines how you can automate the investigation and containment of keylogger-infected endpoints. The playbook is designed to quickly investigate a suspected keylogger infection and contain it, if confirmed, until you can further investigate—reducing the chances that sensitive information will be lost.

Note: The Phantom team is in the process of publishing the playbook to our community repository and expects it to appear on the Phantom platform in the coming days.

Figure: A visual representation of the Keylogger Response playbook as viewed using the Phantom 2.0 platform.

The Keylogger Response playbook begins execution when Phantom receives an alert from a SIEM platform, like Splunk, HP ArcSight, or IBM QRadar.

The playbook then attempts to locate the affected VM, extract a file sample, and detonate the sample in a file analysis sandbox, like Cisco AMP Threat Grid.

If the file analysis results indicate that keylogging activity was detected, then the playbook executes the defined User Management Course of Action (CoA):

  • logoff user
  • disable user
  • reset password

These actions limit the malware’s ability to propagate laterally within the network using the user’s credentials.

Finally, the playbook executes some standard response actions whenever malware is confirmed, whether or not it is a keylogger trojan:

  • block hash
  • terminate process
  • send email
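
The decision flow described above, sketched in plain Python as an added example. It is not the Phantom playbook or the Phantom API; the alert fields, the sandbox report keys and the sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Action names as listed in the post, grouped into its two courses of action.
USER_MANAGEMENT_COA = ("logoff user", "disable user", "reset password")
STANDARD_RESPONSE = ("block hash", "terminate process", "send email")

@dataclass(frozen=True)
class Alert:
    """Fields assumed to arrive with the SIEM alert (hypothetical names)."""
    host: str
    user: str
    file_hash: str
    pid: int

def plan_response(alert, vm_found, report):
    """Return (verdict, ordered list of (action, parameters)).

    report is the sandbox result as a dict (hypothetical keys "malicious" and
    "behaviors"), or None when no sample could be extracted and detonated.
    """
    if not vm_found or report is None:
        # Nothing was analyzed, so nothing is confirmed: take no containment action.
        return "unverified", []
    if not report.get("malicious", False):
        return "clean", []

    keylogger = "keylogging" in report.get("behaviors", [])
    # Each action is scoped to the entity it acts on.
    targets = {
        "logoff user": {"host": alert.host, "user": alert.user},
        "disable user": {"user": alert.user},
        "reset password": {"user": alert.user},
        "block hash": {"hash": alert.file_hash},
        "terminate process": {"host": alert.host, "pid": alert.pid},
        "send email": {"subject": f"Malware confirmed on {alert.host}"},
    }
    names = (USER_MANAGEMENT_COA if keylogger else ()) + STANDARD_RESPONSE
    return ("keylogger" if keylogger else "malware"), [(n, targets[n]) for n in names]

# Constructed sample input, not taken from a real alert or sandbox report.
SAMPLE_ALERT = Alert(host="vm-finance-07", user="jdoe", file_hash="0" * 64, pid=4312)
SAMPLE_REPORT = {"malicious": True, "behaviors": ["persistence", "keylogging"]}

if __name__ == "__main__":
    verdict, actions = plan_response(SAMPLE_ALERT, True, SAMPLE_REPORT)
    print(verdict)
    for name, params in actions:
        print(f"  {name}: {params}")
```

The user management actions are planned only on a keylogging verdict, while the three standard actions follow any confirmed malware, so an account is never disabled on an unverified or clean result.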

Automating this workflow provides multiple benefits:

  • Prevents data loss by executing your investigation and containment workflow the moment a keylogger infection is suspected.
  • Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
  • Ensures consistency by following your process the same way, every time.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

The use cases that can be addressed with Phantom playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great playbooks.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.