App Spotlight: Farsight Security DNSDB—Incorporate DNS intelligence into automated investigations

The App Spotlight series highlights new or recently updated Phantom Apps. Today we’re highlighting the integration between Phantom’s Security Automation and Orchestration (SA&O) platform and the Farsight Security DNSDB threat intelligence solution.

Two of the most popular investigational security actions automated with the Phantom platform are lookup ip, which provides reverse DNS information, and lookup domain, which provides important details about a domain name. With the recent release of the Farsight Security DNSDB app, Farsight subscribers can now use those abstracted Phantom actions to access Farsight’s expansive historical database of DNS intelligence from within their Phantom playbooks.

Phantom playbooks connect your workflow to the new Farsight DNSDB App. You can try out the integration with one of two standard playbooks: the Phishing playbook, which can be used to investigate and remediate phishing emails; and the Investigate playbook, which queries several external reputation and intelligence services to enrich events. You can also leverage the Farsight App from any playbook shared throughout the community or from the custom playbooks you or your team create.

The new Farsight Security DNSDB app for Phantom supports standard Phantom playbooks like the Phishing playbook example shown here.

Investigating suspicious IP addresses and domains is a standard step in security investigations. Before automation this task was handled manually and took 20 minutes or more of an analyst’s time per investigation. By leveraging the Phantom Security Automation and Orchestration platform and the Farsight DNSDB App, you can automate this critical task and reduce investigation time to seconds. Through the Phantom App model and automation, Farsight DNSDB now integrates seamlessly with other incident response tasks, so that no alert ever goes untouched and investigations can advance quickly and accurately.

About Farsight Security, Inc.
Farsight Security, Inc. provides the world’s largest real-time threat intelligence on changes to the Internet. Leveraging proprietary technology with over 200,000 observations/second, Farsight provides the Internet’s view of an organization and how it is changing purposely, inadvertently or maliciously. For more information on Farsight, please visit https://farsightsecurity.com

Playbook Series: Triage Reconnaissance Alerts

Your existing security infrastructure probably observes lots of scanning, or reconnaissance, activity every day. While a great portion of this activity can be attributed to the background noise of the Internet, it can also be an early warning signal of a full-on attack. A classic problem for security teams is dealing with this type of high-volume activity in a way that doesn’t consume the team’s time and doesn’t miss these early indicators of more nefarious activity.

This is a perfect scenario where Phantom can help. The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

Screenshot of a Phantom investigation playbook as viewed in the Phantom visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook, automating the following steps:

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity
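The three playbook steps above can be modelled in a few lines of plain Python. The block below is an added example, not Phantom or playbook code: the provider names, the verdict vocabulary and the sample indicators are all constructed for the illustration. It shows one decision a practitioner should make explicit when automating the "dismiss false positives" step: an alert that no provider flagged is not the same as an alert that every provider vouched for, so only the latter is auto-dismissed and anything with an unresolved verdict is routed to a human instead.

```python
"""Triage decision for a reconnaissance alert (added example, not Phantom code).

Models the three playbook steps: query reputation for the source IP and
domain, auto-dismiss clear false positives, auto-escalate malicious sources.
Provider names, verdict strings and indicators are constructed for the example.
"""

MALICIOUS, BENIGN, UNKNOWN = "malicious", "benign", "unknown"


def triage(alert, lookups):
    """Return (disposition, enriched_alert).

    `lookups` maps a provider name to a callable that takes an indicator
    (IP or domain) and returns MALICIOUS, BENIGN or UNKNOWN. Any MALICIOUS
    verdict escalates; a dismissal requires every provider to say BENIGN for
    every indicator; everything else (no indicators, or a provider with no
    opinion) is left for an analyst rather than silently dropped.
    """
    indicators = {k: alert[k] for k in ("source_ip", "source_domain") if alert.get(k)}

    # Step 1: query each configured provider for each indicator.
    reputation = {
        kind: {name: lookup(value) for name, lookup in lookups.items()}
        for kind, value in indicators.items()
    }

    verdicts = [v for per_provider in reputation.values() for v in per_provider.values()]
    if any(v == MALICIOUS for v in verdicts):
        disposition = "escalate"          # Step 3: hand to a human with enrichment
    elif verdicts and all(v == BENIGN for v in verdicts):
        disposition = "dismiss"           # Step 2: every source positively vouched for
    else:
        disposition = "review"            # unresolved: not a safe auto-dismiss

    enriched = dict(alert, reputation=reputation, disposition=disposition)
    return disposition, enriched


# Constructed stand-ins for the configured intelligence providers.
_ALLOWLISTED = {"192.0.2.10", "scanner.example.net"}  # constructed: an authorised scanner
_DENYLISTED = {"203.0.113.45"}                        # constructed: a known-bad source


def provider_a(indicator):
    """Constructed provider that only tracks known-good infrastructure."""
    return BENIGN if indicator in _ALLOWLISTED else UNKNOWN


def provider_b(indicator):
    """Constructed provider that tracks both good and bad indicators."""
    if indicator in _DENYLISTED:
        return MALICIOUS
    return BENIGN if indicator in _ALLOWLISTED else UNKNOWN


LOOKUPS = {"provider_a": provider_a, "provider_b": provider_b}


if __name__ == "__main__":
    # Constructed alerts: one known-bad source, one authorised scanner, one nobody knows.
    for alert in (
        {"source_ip": "203.0.113.45"},
        {"source_ip": "192.0.2.10", "source_domain": "scanner.example.net"},
        {"source_ip": "198.51.100.9"},
    ):
        disposition, enriched = triage(alert, LOOKUPS)
        print(disposition, enriched["reputation"])
```

The "review" outcome is the part worth keeping when wiring this into a real playbook: if the only two outcomes are dismiss and escalate, every indicator the providers have never seen is auto-dismissed, which is exactly the blind spot the post warns about.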

Automating this process in Phantom has several benefits, including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know for malicious activity, from minutes or hours to seconds
  • Processes handled accurately and consistently every time

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Playbook Series: Secure Compromised Accounts

If you are one of the many security analysts that receives threat intelligence about compromised user accounts, you understand the significant amount of time it takes to investigate and respond to each report. In many practices the manual process might include:

  • Parsing the inbound threat intelligence for Indicators of Compromise (IoCs) like username and password pairs
  • Hunting for the IoCs in your local environment
  • Disabling and/or resetting compromised accounts
  • Communicating with affected users to recover access

In the pursuit of greater efficiency and scale, this process is well suited for automation by the Phantom security automation and orchestration platform.

Sample playbook where Phantom automates Flashpoint threat intelligence to secure compromised accounts.

With Phantom, compromised account threat intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account

Automating this process with the Phantom platform has several benefits, including:

  • Frees up human resources for other critical investigations
  • Reduces the response time for the threat from minutes or hours down to seconds
  • Ensures the process is handled accurately and consistently every time

Mitigating threats that might use compromised accounts is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses.  You can read more about the Phantom platform and playbooks here.

Chris Simmons
Director, Product Marketing
Phantom


Phantom Releases Patch Update to 2.0 Platform

Feedback about the Phantom security automation and orchestration platform is incredibly important to all of us here at Phantom. As the product manager for the Phantom platform, I’m a strong believer in listening to current and future customers, as well as the ever-growing membership of the Phantom community. Our most recent patch release to the 2.0 platform is a great example of how we have incorporated community feedback into the product.

Phantom 2.0 Patch 1 was released last Friday, December 9, and is available now on the Phantom Community’s download page. In addition to several other enhancements, there is one notable API change that will be particularly pleasing to Phantom power users. This change relates to feedback from users about the preferred behavior of the phantom.act() function call. The call now executes even if its required parameters are missing, and the playbook author is expected to handle the resulting failure in the action callback. In versions prior to this release, both the automatically generated code for action blocks and the function itself checked whether the required parameters had been passed, and phantom.act() was not executed if any were missing.

Prior to this update, within an action block the call to phantom.act() would look like this:

if parameters:
    phantom.act("geolocate ip", parameters=parameters,
                assets=['maxmind'], name="geolocate_ip_1",
                callback=whois_ip_1)
else:
    phantom.error("'geolocate_ip_1' will not be executed due to lack of parameters")

Now in the newly generated code, there is no check for parameters and the action is called directly:

phantom.act("geolocate ip", parameters=parameters,
            assets=['maxmind'], name="geolocate_ip_1")

This change to the auto-generated code and to the behavior of phantom.act() matters most for joins. If two or more action blocks are connected to a single downstream block, that block now runs once every upstream phantom.act() call has completed, whether or not each action succeeded. In prior releases, an action skipped for missing parameters never reported back, so the join was never satisfied and the playbook ended prematurely once the actions that were called had finished.

Two action blocks connected to a single action block
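To make the join behavior concrete, here is an added toy model of the two code-generation styles; it is not Phantom’s implementation and FakePhantom is a hypothetical stand-in for the phantom module, keeping only the one behavior the post describes (a downstream block fires once every upstream phantom.act() call has completed). The action and block names ("geolocate ip", "whois domain", geolocate_ip_1, whois_domain_1), the callback signature and the sample parameters are assumptions for the example.

```python
"""Toy model of the phantom.act() change in Phantom 2.0 Patch 1.

Added illustration only, not Phantom's code. FakePhantom is a hypothetical
stand-in for the `phantom` playbook module: a join block connected to several
action blocks runs once every upstream act() call has completed.
"""


class FakePhantom:
    """Hypothetical stand-in for the `phantom` module (not the real API).

    act() runs synchronously, treats an empty parameter list as a failed
    action, hands the outcome to the block's callback, and fires the join
    once `join_inputs` upstream actions have been called.
    """

    def __init__(self, join_inputs):
        self.join_inputs = join_inputs
        self.finished_actions = 0
        self.join_fired = False
        self.log = []

    def act(self, action, parameters, name, callback=None):
        success = bool(parameters)
        self.log.append(f"{name}: {'success' if success else 'failed, no parameters'}")
        if callback is not None:
            callback(name, success)
        self.finished_actions += 1
        if self.finished_actions == self.join_inputs:
            self.join_fired = True
            self.log.append("join: every upstream action has reported")

    def error(self, message):
        self.log.append(f"error: {message}")


# Two upstream action blocks feeding one join, as in the diagram above
# (block and action names are assumed for the example).
ACTION_BLOCKS = (
    ("geolocate_ip_1", "geolocate ip"),
    ("whois_domain_1", "whois domain"),
)


def run_pre_patch(ip_params, domain_params):
    """Generated code before Patch 1: act() is skipped when parameters are missing.

    Returns (join_fired, log). If either parameter list is empty the join is
    never satisfied, so the playbook ends once the called actions finish.
    """
    ph = FakePhantom(join_inputs=len(ACTION_BLOCKS))
    for (name, action), params in zip(ACTION_BLOCKS, (ip_params, domain_params)):
        if params:
            ph.act(action, parameters=params, name=name)
        else:
            ph.error(f"'{name}' will not be executed due to lack of parameters")
    return ph.join_fired, ph.log


def run_post_patch(ip_params, domain_params):
    """Generated code after Patch 1: act() is always called; the callback handles failure.

    Returns (join_fired, failed_action_names, log). A failed action still
    counts toward the join, so downstream blocks run and can inspect it.
    """
    ph = FakePhantom(join_inputs=len(ACTION_BLOCKS))
    failed = []

    def on_done(name, success):
        # The playbook author's job after Patch 1: note the failure and let
        # the join proceed instead of aborting the run.
        if not success:
            failed.append(name)

    for (name, action), params in zip(ACTION_BLOCKS, (ip_params, domain_params)):
        ph.act(action, parameters=params, name=name, callback=on_done)
    return ph.join_fired, failed, ph.log


if __name__ == "__main__":
    # Constructed input: the alert carried an IP but no domain, so the second
    # action block has no parameters.
    ip_only = [{"ip": "198.51.100.7"}]
    print("pre-patch join fired: ", run_pre_patch(ip_only, [])[0])
    print("post-patch join fired:", run_post_patch(ip_only, [])[0])
```

With the constructed input the pre-patch run never reaches the join, while the post-patch run reaches it and reports whois_domain_1 as the action that failed, which is the case the callback now has to handle.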

Another frequent community request has been supporting the Phantom platform on Amazon Web Services (AWS). Previously the platform was available as an Open Virtual Appliance (OVA) only. This week, we posted an Amazon Machine Image (AMI) version on our community site that contains the Phantom platform image suitable for AWS deployments. As always, please check it out and provide us with feedback through the community slack channel or through email at feedback (at) phantom (dot) us.

Finally, our CTO, Sourabh Satish, will cover these enhancements and others in greater detail during our next Tech Session webinar tomorrow, Friday, December 16 at 12PM ET / 9AM PT.

Registration to attend the session can be found here.

Robert Truesdell
Director, Product Management
Phantom

Automating Security Operations at the Fed

I recently joined Phantom to work with our clients in the Federal sector. Though Security Automation & Orchestration traces its roots to the public sector, there is still much progress to be made.

There is no shortage of Federal-related news coverage: from open vulnerabilities in wireless networks at HHS, to vulnerability issues and unpatched systems at NASA, to phishing attacks at the IRS, to stolen credentials and malware backdoors at OPM.

Many Federal organizations are working to enhance their security posture by leveraging DHS’s Continuous Diagnostics and Mitigation (CDM) Phase 1 program, especially for issues relating to vulnerabilities and patching.

The question remains however, “How are they working to streamline their security operations?”

Automation is clearly a time saver and one important tool to streamline security operations.  Customers are routinely taking manual, labor intensive processes that can take hours to carry out and reducing them to automation tasks that run in seconds.  We’ve shared several examples of the time-saving benefits in the Playbook Series on our blog.

Faster security is nice.  It’s not the only benefit that comes with automation though.  Security can also be improved, like using automation to drive accuracy and consistency throughout the Incident Response (IR) process.  You can imagine that as alert volume increases, junior analysts become overwhelmed with information, causing them to overlook key indicators. Even experienced analysts might be tempted to make “gut calls” based on previous incidents and incomplete information. With automation, the same data is gathered for every alert, and every alert is investigated and memorialized the same way, every time.

No doubt, we’re just starting to understand the impact automation and orchestration can have on the security industry and the public sector.  I’m looking forward to being part of the team leading this change at Phantom.

Alfonso Ruiz
Federal Sales Manager
Phantom

Playbook Series: Creating Nested Playbooks for Responding to Malware Incidents

One of the most powerful capabilities of the Phantom platform is its support for nested playbooks. When defining your process as a Phantom playbook, one of the four main branching choices offered by the Integrated Development Environment (IDE) is another playbook.

Nesting a playbook within a playbook using the Phantom platform’s visual automation IDE.

Similar to the way a function call works in programming languages, the parent playbook jumps to the child playbook and executes the appropriate actions. To illustrate the utility of the nesting capability, let’s examine a process for handling Malware incidents and lay out the logic using a Phantom playbook.

Malware is one of the most common incident types handled by Security Operations (SecOps) teams. If you’re a member of such a team, you likely have a series of processes, or playbooks, to handle the various malware categories you may encounter. It’s also likely that there is a large amount of overlap, or redundancy, between these playbooks.

Using the Phantom platform, when you receive a suspected malware alert you can begin a generic malware response workflow. After performing investigative actions, such as retrieving the file reputation from a threat intelligence service, you can use that context to determine which of the more specific malware playbooks to branch to in order to execute the unique responses for that particular malware type.

Simplified diagram showing the ability to branch from a parent playbook into a child playbook.

This is a very simple use case for nested playbooks, but hopefully it illustrates how powerful nesting playbooks can be. Through nesting, you can build elaborate response workflows that minimize the amount of redundancy needed. That way, when your process changes you have fewer places to change in your Phantom playbooks.

Chris Simmons
Director, Product Marketing
Phantom


Playbook Series: The evolution of the Phishing playbook

As we approach the one-year anniversary of the Phantom security automation and orchestration platform, we wanted to look back at how new releases of the platform have enabled more sophisticated playbooks. The Phishing playbook is a great example of how new platform developments have lifted the barriers to security automation.

  • Decision Blocks – Having the ability to insert conditional blocks into the workflow has allowed playbooks to better model real-world decision making, choosing the course of action that is most appropriate for a given scenario. For example, the Phishing playbook was extended to get file reputation from a threat intelligence source and to submit the file for dynamic analysis if it was previously unknown.
  • Human In/On/Out-of-the-Loop Workflows – Teams often want the ability to participate in automation workflows. By combining decision blocks with user interactivity, you can interact with the workflow only if criteria are met. The Phishing playbook can be easily modified to support the level of interactivity desired.
  • App Integrations – Over the past year we have greatly increased the number of app integrations, adding new tools that integrate naturally with the Phishing playbook.

A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

These are just a few of the changes that the Phishing playbook and the Phantom platform have experienced as they have evolved over the past year. Please join us this Friday (December 2 @ Noon ET / 9 AM PT) where we will cover the year-long evolution of the Email Phishing playbook and the Phantom platform.  

You can register for the Tech Session here.

Chris Simmons
Director, Product Marketing
Phantom
