This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.
Sometimes the easiest way to gain a foothold on a corporate network is to place a Wireless Access Point (WAP) right outside the door and wait to see who connects to it. Other times, the easiest way into a network is to drive by (literally) and monitor for networks that are not using modern security protocols. Either way, it helps to know what wireless networks are in range of your office and whether they are official corporate WAPs. There are many ways to do this, but in this example, we dusted off an extra Raspberry Pi 3 and took it for a spin around the office to see what WAPs were broadcasting in our vicinity.
When we scanned the area, we found a large number of access points and needed to figure out a way to triage them efficiently. Naturally, we turned to the Phantom Platform! Based on our policy, we built two custom lists on Phantom. The first is a whitelist of our official corporate networks. The second is a greylist with a number of network names that sound like our company name. We used a custom Python function to compare whether any of the network names from the scan are similar to any of the entries on our greylist. If we find any of these evil twin WAPs, we know that either something is misconfigured or that we are being targeted.
After triaging the networks found during our scan, the results are stored and an operator is tasked with physically finding and disabling any WAPs identified as rogue. To track all this, we are using one Phantom Case and the Heads-Up Display (HUD) in Mission Control. The HUD is configured to show the signal strength and MAC address of each rogue WAP. The operator can take the Raspberry Pi and a laptop out and about, watching the signal strength change as they get closer to the rogue WAP. Once they find it, they can start a packet capture to see what it is doing, or they can remove it, put it in a Faraday cage, and bring it back to the SOC for forensic analysis.
Phantom Apps Used
To cause the playbook to execute on a regular interval, we configure a Generator asset, a standard data source included with the Phantom Platform, to create events with the label “Wireless.”
- Determine the most recent Phantom Case with the label “Wireless.” That is the case that will be updated with new artifacts and HUD cards.
- Run the WiFi scan with an SSH command sent to the Raspberry Pi
- Parse the results of the WiFi scan
- Check the network names and security protocols against the whitelist
- Check the remaining network names against the greylist
- Update the case with refreshed HUD cards and new artifacts from the scan results
- Task an operator to find the access points, analyze the traffic, and start forensics, if possible
Note that this is an example playbook. You can easily customize this playbook to perform additional security actions. The playbook should ultimately model your Standard Operating Procedures (SOPs) for investigating and remediating rogue WAPs.
You can download this playbook from either the Phantom Community or access it via the Phantom Platform. The platform automatically synchronizes Phantom Community Playbooks to your installation, if configured. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.
View other articles in this Playbook series here.