Playbook: Risk-Based Domain Blocking

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.

New domains are registered every day as part of the normal operation of the Domain Name System (DNS). Unfortunately, bad actors commonly use newly registered domains for criminal activities such as spam, malware distribution, and botnet command and control (C&C). They typically put a new domain to use within the first few minutes of registering it, which makes static, list-based domain blocking policies hard to keep effective.

This playbook uses domain reputation from a threat intelligence service to assign a risk score to a domain. It then uses a cloud-based security policy enforcement tool to block access to the domain.

DomainTools is used as the threat intelligence service and Cisco Umbrella (OpenDNS) is used as the cloud-based security policy enforcement service in this sample playbook.

Figure: the User Prompt and Block Domain playbook (user_prompt_and_block_domain) on the Phantom Platform

The playbook executes the following steps:

  1. First, an event container that includes a domain name is ingested, which triggers the playbook to retrieve the domain's reputation. Domain reputation intelligence from DomainTools contains a risk score, which drives the decision in the next step.
  2. If the risk score is less than 80 (on a scale of 0 to 100), playbook execution ends.
  3. If the risk score is equal to or greater than 80, playbook execution continues.
  4. The playbook then issues a prompt to users in the Automation Engineer role to insert human decision-making into the loop. If the user cancels the block domain action, playbook execution ends.
  5. If the user confirms the block domain action, the playbook executes the block domain action on the security policy enforcement tool for 60 minutes. After this period, the domain block is programmatically removed. Playbook execution then ends.
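The five steps above are one procedure, so here is the whole decision flow written out in plain Python. This is an added illustration, not the playbook's own code: it does not use the Phantom playbook API, and the reputation lookup (`sample_lookup`), the approval callback (`approve`) and the `EnforcementPoint` class are hypothetical stand-ins for DomainTools, the Automation Engineer prompt and Cisco Umbrella. The sample risk scores are constructed. Two details the steps do not spell out are handled explicitly: the domain is normalized before lookup so the reputation key and the block-list key match, and a domain with no reputation data is returned as its own outcome rather than being treated as "below threshold".

```python
"""Decision flow of the risk-based domain blocking playbook, in plain Python.

Added example: stand-ins for the threat intel lookup, the human prompt and the
enforcement point; not the Phantom playbook code and not the Phantom API.
"""
from typing import Callable, Dict, List, Optional

RISK_THRESHOLD = 80          # risk score (0-100) at or above which we escalate
BLOCK_TTL_SECONDS = 60 * 60  # the playbook blocks for 60 minutes, then removes the block

# Constructed sample reputation data; stands in for DomainTools lookups.
SAMPLE_REPUTATION: Dict[str, int] = {
    "example-benign.com": 12,
    "l0gin-verify-acct.top": 97,
    "update-cdn.xyz": 80,      # boundary case: exactly 80 escalates
}


def normalize_domain(raw: str) -> str:
    """Canonicalise a domain so lookups and block entries key on the same string."""
    return raw.strip().rstrip(".").lower()


def sample_lookup(domain: str) -> Optional[int]:
    """Hypothetical reputation lookup; returns None when the service has no score."""
    return SAMPLE_REPUTATION.get(domain)


class EnforcementPoint:
    """Stand-in for the cloud policy enforcement service: a block list with expiry times."""

    def __init__(self) -> None:
        self._expires_at: Dict[str, float] = {}

    def block(self, domain: str, now: float, ttl_seconds: int) -> None:
        self._expires_at[domain] = now + ttl_seconds

    def unblock(self, domain: str) -> None:
        self._expires_at.pop(domain, None)

    def is_blocked(self, domain: str, now: float) -> bool:
        expiry = self._expires_at.get(domain)
        return expiry is not None and now < expiry

    def expire(self, now: float) -> List[str]:
        """Remove blocks whose TTL has elapsed (the programmatic removal in step 5)."""
        expired = [d for d, t in self._expires_at.items() if now >= t]
        for d in expired:
            self.unblock(d)
        return expired


def run_playbook(raw_domain: str, now: float,
                 lookup: Callable[[str], Optional[int]],
                 approve: Callable[[str, int], bool],
                 enforcement: EnforcementPoint) -> str:
    """Return the outcome of one playbook run for a single ingested domain."""
    domain = normalize_domain(raw_domain)
    score = lookup(domain)                       # step 1: fetch reputation
    if score is None:
        # Not covered by the playbook as described; surfaced as a distinct outcome so
        # "unknown" is never silently treated as "safe" (design assumption of this example).
        return "no_reputation"
    if score < RISK_THRESHOLD:
        return "below_threshold"                 # step 2: low risk, playbook ends
    if not approve(domain, score):               # step 4: Automation Engineer prompt
        return "cancelled"
    enforcement.block(domain, now, BLOCK_TTL_SECONDS)  # step 5: block for 60 minutes
    return "blocked"


def demo() -> Dict[str, str]:
    """Run the constructed domains through the flow with an auto-approving prompt."""
    enforcement = EnforcementPoint()

    def always_yes(domain: str, score: int) -> bool:
        return True

    inputs = ["Example-Benign.com.", "l0gin-verify-acct.top", "update-cdn.xyz", "unknown.example"]
    return {d: run_playbook(d, 0.0, sample_lookup, always_yes, enforcement) for d in inputs}


if __name__ == "__main__":
    for domain, outcome in demo().items():
        print(f"{domain:28s} {outcome}")
```

The `approve` callback is where the real playbook pauses for the human prompt; passing a callable keeps that step testable without a UI. `expire()` is what a scheduler would call after 60 minutes; checking `now >= expiry` (rather than `>`) means the block lapses exactly at the end of the window.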

Note that this is an example playbook. You might customize it to prompt other user roles or to perform additional security actions, and you can adapt it to the Phantom Apps and Assets your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for malicious domains.

You can get this playbook from either the Phantom Community or directly from the Phantom Platform. If you don't currently use the Phantom Platform, we invite you to download the free Community Edition today.

View other articles in this Playbook series here.