Playbook: Automated Lost or Stolen Device Response

Today’s post continues an ongoing series describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.

A lost or stolen device not only presents an inconvenience for the owner, but also commonly triggers a data security incident if the device contains company-owned information. Responding to reports of lost or stolen devices promptly and efficiently helps protect your sensitive information and other assets. Moreover, depending on your industry and geography, a rapid and consistent response process ensures that you remain in compliance with state and federal law.

Phantom provides an example playbook for lost or stolen devices. This automated response plan ensures that your process is executed swiftly and precisely, all with appropriate record keeping.

Figure: Automated Lost or Stolen Device Response Playbook (a Phantom Playbook for automating lost or stolen device responses).

The playbook executes the following steps:

  1. First, the playbook retrieves a list of devices that are being managed by the Mobile Device Management (MDM) platform. MobileIron is used as the MDM tool in this example.
  2. The playbook then attempts to match the device ID ingested in the event record with the list of devices managed.
  3. If a match is found, the playbook issues a lock device command to the MDM tool.
  4. Next, the playbook attempts to get the related user information from the directory service provider. Microsoft Active Directory is used as the directory service in this example.
  5. If the user information is found, the playbook branches into two paths depending on whether the user belongs to a group of executives. In this example, the list of executives is a custom list stored on the Phantom Platform.

For non-executive users:

  1. The playbook issues a reset password command to the directory service provider.
  2. It then formats the relevant data and creates a ticket using a ticketing service. ServiceNow is used as the ticket service in this example playbook.
  3. Finally, it closes the event on the Phantom platform and ends the playbook execution.

For executive users:

  1. The playbook prompts an analyst to decide whether to automate the password reset step.
  2. It then branches depending on the analyst decision.
  3. If the analyst chooses the reset action, the playbook resets the user’s password.
  4. In both cases, the playbook creates a ticket on the ticketing platform, closes the event on the Phantom platform, and ends execution of the playbook.
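The branching logic of the three lists above, written out as an added Python example that is not Phantom's own playbook code: the MDM inventory, directory records and executives list are constructed in-memory stand-ins rather than calls to MobileIron, Active Directory or ServiceNow, and ending the run when no device or user matches is an assumption, since the post does not describe those paths.

```python
# Constructed sample data standing in for the MDM inventory, the directory
# service and the Phantom custom list of executives. None of it comes from
# the real tools; it exists only so the decision flow can be run offline.
MDM_DEVICES = {"dev-1001": "alice", "dev-1002": "bob"}  # device id -> owner
DIRECTORY = {
    "alice": {"email": "alice@example.test"},
    "bob": {"email": "bob@example.test"},
}
EXECUTIVES = {"bob"}  # custom list: users who get the analyst prompt


def respond_to_lost_device(device_id, analyst_approves_reset=None):
    """Return the ordered list of actions the playbook would take.

    analyst_approves_reset is the analyst's answer to the prompt; it is only
    consulted on the executive path (None means no prompt was needed).
    """
    actions = []
    # Steps 1-2: match the device id from the event against the MDM inventory.
    owner = MDM_DEVICES.get(device_id)
    if owner is None:
        # Assumption: the post does not say what happens on no match, so end here.
        actions.append("no_match")
        return actions
    # Step 3: lock the device through the MDM tool.
    actions.append(f"mdm.lock_device:{device_id}")
    # Step 4: look the owner up in the directory service.
    user = DIRECTORY.get(owner)
    if user is None:
        # Assumption: unspecified in the post; end the run without a ticket.
        actions.append("user_not_found")
        return actions
    # Step 5: executives get a prompt, everyone else gets an automatic reset.
    if owner in EXECUTIVES:
        actions.append("prompt_analyst")
        if analyst_approves_reset:
            actions.append(f"directory.reset_password:{owner}")
    else:
        actions.append(f"directory.reset_password:{owner}")
    # Common tail for both paths: ticket, then close the event.
    actions.append(f"ticket.create:{owner}:{device_id}:{user['email']}")
    actions.append("phantom.close_event")
    return actions
```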

Note that this is an example playbook. You might customize this playbook to include other user groups or perform other security actions that would act to contain the attack. You can also adapt the playbook to match the Phantom Apps and Assets that your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for this type of attack.

You can get this playbook from either the Phantom Community or directly from the Phantom Platform. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.

View other articles in this Playbook series here.