Phishing in South Texas

Phishing investigations is one of the most common use cases that we have observed security teams selecting to automate.  We’ve written about it before, and covered it on a few Phantom Tech Sessions.  Still, as I learned more about Rackspace’s use case, I thought it would be interesting to share it with the community.

It’s not uncommon for the security team at Rackspace to investigate 45 phishing emails a day with “burst attacks” upping the haul to 300 or more.  Like many firms, Rackspace’s standard operating procedure for this type of event includes acknowledging receipt from the employee, assessing important details such as the sender, and taking steps to remediate if the email is actually malicious.  From start to finish, it might take more than 90 minutes for each investigation.

Routine processes like these are perfect candidates for automation.  Rackspace decided to invest in a platform that could help automate and orchestrate phishing investigations and other security issues.  Though flexibility was important, they needed a product that didn’t require DevOps resources to be successful.

Rackspace selected Phantom as their security automation & orchestration platform, and worked with our Delivery Services team to create a modular approach to playbook development which ensures a repeatable and auditable process for any security issue they want to automate.

Rackspace_Phishing_Playbook
Phantom Playbook used by Rackspace to automate Phishing Investigation & Remediation

Phantom Playbook Used by Rackspace to Automate Phishing Investigation & Remediation

Here’s what Phantom does when Rackspace gets a suspected phishing email:

  •     Search Jira for similar cases under investigation
  •     Query Splunk for similar emails in the logs
  •     Orchestrate a URL lookup
  •     Query the file reputation on VirusTotal
  •     Query the domain and IP reputation from Passive Total
  •     Detonate any file attachments with both FireEye and Wildfire sandboxes
  •     Update Jira with all information collected in the investigation steps
  •     Based on decision making, a second playbook may be called for remediation

With Phantom, Rackspace has been able to dramatically reduce the time required to handle phishing investigations.  What once was a manual process that could take 90 minutes or more, now completes in under a minute freeing the team to focus time on less routine investigations that require their analyst’s unique insight.

Burst attacks with 100’s of phishing emails in a single day are now managed with consistency and little disruption to the team.  With a Phantom Playbook, the same data is gathered for every email, and every email is investigated the same way, every time.

This Phishing investigation scenario is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses.  You can read more about the Phantom platform and playbooks here.

Ken Schar
Security Engineering
Phantom
Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Phantom Community GitHub repository.