Playbook Series: Secure Compromised Accounts

If you are one of the many security analysts who receive threat intelligence about compromised user accounts, you know how much time it takes to investigate and respond to each report. In many organizations the manual process includes:

  • Parsing the inbound threat intelligence for Indicators of Compromise (IoCs) like username and password pairs
  • Hunting for the IoCs in your local environment
  • Disabling and/or resetting compromised accounts
  • Communicating with affected users to recover access

The process is repetitive and well defined, which makes it a good candidate for automation with the Phantom security automation and orchestration platform.

Flashpoint Phantom Playbook
Sample playbook where Phantom automates Flashpoint threat intelligence to secure compromised accounts.

With Phantom, compromised-account threat intelligence can be ingested via email to trigger an Investigation Playbook that automates the following steps. Because the email is the trigger, the ingestion mailbox should accept messages only from the verified intelligence source; otherwise anyone who can deliver mail to it can cause password resets or lockouts of arbitrary users.

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account
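The following is an added, stand-alone example and is not Phantom's playbook code or its API; it models the workflow above (parse the inbound intel for username/password IoCs, hunt for them locally, decide which accounts to notify, reset or disable) so the decision logic can be read and run offline. The email body, the user directory, the authentication log, the trusted-sender allowlist and the password-hashing scheme are all constructed for the example, and the policy it applies (reset only when the leaked password is still the current one, disable only when suspicious logins are also present) is an assumption, not the playbook's.

```python
"""Model of a compromised-account playbook (added example, not Phantom code)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample input: a threat-intel email as it might arrive in the
# ingestion mailbox. Domain, addresses and passwords are made up.
SAMPLE_EMAIL = """\
From: alerts@intel.example.net
Subject: Credential exposure - example.com
Date: Mon, 05 Jun 2017 09:12:00 +0000

The following credentials for your domain appeared in a public paste:

alice@example.com:Winter2017!
bob@example.com:hunter2
ghost@example.com:doesnotexist
"""

# Hypothetical allowlist: the mailbox that triggers the playbook is an attack
# surface, so only the feed's known sender may start an investigation.
TRUSTED_SENDERS = {"alerts@intel.example.net"}

# One "user:password" or "user,password" pair per line.
IOC_RE = re.compile(r"^\s*([\w.+-]+@[\w.-]+)\s*[:,]\s*(\S+)\s*$", re.M)


def parse_intel_email(raw: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs from a trusted intel email, else []."""
    headers, _, body = raw.partition("\n\n")
    m = re.search(r"^From:\s*(\S+)\s*$", headers, re.M | re.I)
    if not m or m.group(1).lower() not in TRUSTED_SENDERS:
        return []
    return IOC_RE.findall(body)


def _hash(password: str, salt: bytes) -> bytes:
    # Simplified stand-in for whatever the real identity store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed local directory: alice still uses the leaked password,
# bob has already rotated his, ghost does not exist here.
DIRECTORY = {
    "alice@example.com": {"salt": b"salt-a", "hash": _hash("Winter2017!", b"salt-a"),
                          "home_country": "US"},
    "bob@example.com": {"salt": b"salt-b", "hash": _hash("NewPassw0rd", b"salt-b"),
                        "home_country": "US"},
}

# Constructed authentication log: (user, source country, login succeeded).
AUTH_LOG = [
    ("alice@example.com", "US", True),
    ("alice@example.com", "RU", True),   # successful login from an unexpected country
    ("bob@example.com", "US", True),
    ("bob@example.com", "RU", False),    # failed attempt only
]


@dataclass
class Finding:
    user: str
    credential_current: bool   # leaked password still matches the stored hash
    suspicious_logins: int     # successful logins outside the user's home country
    actions: list[str]


def hunt(iocs, directory=DIRECTORY, auth_log=AUTH_LOG) -> list[Finding]:
    """Match IoCs against the local environment and decide actions per user."""
    findings = []
    for user, leaked_pw in iocs:
        rec = directory.get(user.lower())
        if rec is None:
            continue  # not one of our accounts: nothing to do locally
        # Verify the leak is still live before acting, comparing hashes in
        # constant time; the plaintext is never stored.
        current = hmac.compare_digest(_hash(leaked_pw, rec["salt"]), rec["hash"])
        suspicious = sum(1 for u, country, ok in auth_log
                         if u == user and ok and country != rec["home_country"])
        actions = ["notify_user"]          # always tell the user
        if current:
            actions.append("force_password_reset")
            if suspicious:                 # evidence of use, not just exposure
                actions.append("disable_account")
        findings.append(Finding(user, current, suspicious, actions))
    return findings


def run_playbook(raw_email: str) -> dict[str, list[str]]:
    """Email in, per-user action list out."""
    return {f.user: f.actions for f in hunt(parse_intel_email(raw_email))}


if __name__ == "__main__":
    for user, actions in run_playbook(SAMPLE_EMAIL).items():
        print(user, "->", ", ".join(actions))
```

Run as a script it prints one line per matched user. The two deliberate edge cases are the stale credential (bob: the leaked password no longer matches, so he is only notified) and the untrusted sender (a message from any other address yields no IoCs and therefore no actions), which is the check that keeps an email-triggered playbook from becoming a denial-of-service tool.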

Automating this process with the Phantom platform has several benefits, including:

  • Frees up analysts for other critical investigations
  • Reduces response time for the threat from minutes or hours to seconds
  • Ensures the process is handled accurately and consistently every time

Mitigating threats that use compromised accounts is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses. You can read more about the Phantom platform and playbooks here.

Chris Simmons
Director, Product Marketing

Did you know that Phantom playbooks are Python-based? The Phantom platform runs a playbook when an event you want to act on arrives. Playbooks hook into the platform and all of its capabilities to execute actions, giving you a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will; they are synchronized via Git and published on our public Community GitHub repository.