February 8, 2018February 9, 2018 Phantom Guest

Phantom, Empire, and the DeathStar

DerbyCon is by far my favorite security conference each year. The quality of the talks, the amazing variety of challenges (a/k/a villages) to try your hand at, and the family-friendly community atmosphere all combine to form a very special event. Upon arrival at last year’s iteration of DerbyCon, I scanned the program for interesting talks that I wanted to attend live. Working for Phantom, and being a believer in the value of automation for security operations, I was immediately intrigued by a session title that claimed the author almost automated himself out of a job.

November 29, 2017November 29, 2017 PRoyer

Playbooks: Automated Investigation & Mitigation for Apple macOS Root Bypass Issue

A critical flaw involving the ability, in certain situations, to exploit the root account on Apple macOS 10.13 (High Sierra) systems was reported on November 28, 2017 (CVE-2017-13872). Although Apple moved quickly to mitigate this vulnerability, a scenario like this presents an opportunity to improve upon existing security operations procedures. Toward this goal, we explore how the Phantom Security Automation & Orchestration Platform might help to hunt for and mitigate vulnerabilities like this in the future.

November 3, 2017November 3, 2017 cpmorey

Five Security Automation Playbooks that Pack a Powerful Punch

While Security Automation & Orchestration platforms are certainly equipped to handle complex use cases, it’s not the only way to automate. Simple tasks often thought of as daily annoyances are also perfect for automation; “utility playbooks” as one user coined them. These small playbooks pack a powerful punch.

November 2, 2017February 9, 2018 Phantom Guest

Playbooks: Going Beyond Incident Response Use Cases

Before joining Phantom, I worked in several security operations roles at a large electric power company. During my time there, we built out our Security Operations Center (SOC) and added numerous security tools to identify, investigate, and respond to cyber threats. As we grew, I realized how difficult it was just to keep track of … Continue reading Playbooks: Going Beyond Incident Response Use Cases

October 10, 2017October 10, 2017 PRoyer

Playbook: Investigating Phishing Attachments with McAfee

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. Introduction Starting with just one successful phishing email, an attacker can quickly hide, pivot, persist, and exfiltrate from our … Continue reading Playbook: Investigating Phishing Attachments with McAfee

September 21, 2017 PRoyer

Playbook: Remediating Rogue Wireless Access Points

Sometimes the easiest way to gain a foothold on a corporate network is to place a Wireless Access Point (WAP) right outside the door and wait to see who connects to it. Other times, the easiest way into a network is to drive by (literally) and monitor for networks that are not using modern security protocols. Either way, it helps to know what wireless networks are in the range of your office and whether they are official corporate WAPs. There are many ways to do this, but in this example, we dusted off a Raspberry Pi 3 and took it for a spin around the office to see what WAPs were broadcasting in our vicinity.

September 11, 2017September 11, 2017 Chris Simmons

Playbook: Investigating Newly Discovered Linux Servers

A common security operations task involves investigating newly discovered servers on an organization's network. Whether detected by a scanning system or through a network detection system, the playbook below is triggered into action once a ticket is created to investigate the newly discovered server.

Splunk-Phantom

Security Operations Platform

Playbooks