DerbyCon is by far my favorite security conference each year. The quality of the talks, the amazing variety of challenges (a/k/a villages) to try your hand at, and the family-friendly community atmosphere all combine to form a very special event. Upon arrival at last year’s iteration of DerbyCon, I scanned the program for interesting talks that I wanted to attend live. Working for Phantom, and being a believer in the value of automation for security operations, I was immediately intrigued by a session title that claimed the author almost automated himself out of a job.
A critical flaw involving the ability, in certain situations, to exploit the root account on Apple macOS 10.13 (High Sierra) systems was reported on November 28, 2017 (CVE-2017-13872). Although Apple moved quickly to mitigate this vulnerability, a scenario like this presents an opportunity to improve upon existing security operations procedures. Toward this goal, we explore how the Phantom Security Automation & Orchestration Platform might help to hunt for and mitigate vulnerabilities like this in the future.
While Security Automation & Orchestration platforms are certainly equipped to handle complex use cases, it’s not the only way to automate. Simple tasks often thought of as daily annoyances are also perfect for automation; “utility playbooks” as one user coined them. These small playbooks pack a powerful punch.
Before joining Phantom, I worked in several security operations roles at a large electric power company. During my time there, we built out our Security Operations Center (SOC) and added numerous security tools to identify, investigate, and respond to cyber threats. As we grew, I realized how difficult it was just to keep track of … Continue reading Playbooks: Going Beyond Incident Response Use Cases
This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. Introduction Starting with just one successful phishing email, an attacker can quickly hide, pivot, persist, and exfiltrate from our … Continue reading Playbook: Investigating Phishing Attachments with McAfee
Sometimes the easiest way to gain a foothold on a corporate network is to place a Wireless Access Point (WAP) right outside the door and wait to see who connects to it. Other times, the easiest way into a network is to drive by (literally) and monitor for networks that are not using modern security protocols. Either way, it helps to know what wireless networks are in the range of your office and whether they are official corporate WAPs. There are many ways to do this, but in this example, we dusted off a Raspberry Pi 3 and took it for a spin around the office to see what WAPs were broadcasting in our vicinity.
A common security operations task involves investigating newly discovered servers on an organization's network. Whether detected by a scanning system or through a network detection system, the playbook below is triggered into action once a ticket is created to investigate the newly discovered server.