While Security Automation & Orchestration platforms are certainly equipped to handle complex use cases, it’s not the only way to automate. Simple tasks often thought of as daily annoyances are also perfect for automation; “utility playbooks” as one user coined them. These small playbooks pack a powerful punch.
Before joining Phantom, I worked in several security operations roles at a large electric power company. During my time there, we built out our Security Operations Center (SOC) and added numerous security tools to identify, investigate, and respond to cyber threats. As we grew, I realized how difficult it was just to keep track of … Continue reading Playbooks: Going Beyond Incident Response Use Cases
This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. Introduction Starting with just one successful phishing email, an attacker can quickly hide, pivot, persist, and exfiltrate from our … Continue reading Playbook: Investigating Phishing Attachments with McAfee
Sometimes the easiest way to gain a foothold on a corporate network is to place a Wireless Access Point (WAP) right outside the door and wait to see who connects to it. Other times, the easiest way into a network is to drive by (literally) and monitor for networks that are not using modern security protocols. Either way, it helps to know what wireless networks are in the range of your office and whether they are official corporate WAPs. There are many ways to do this, but in this example, we dusted off a Raspberry Pi 3 and took it for a spin around the office to see what WAPs were broadcasting in our vicinity.
A common security operations task involves investigating newly discovered servers on an organization's network. Whether detected by a scanning system or through a network detection system, the playbook below is triggered into action once a ticket is created to investigate the newly discovered server.
This blog entry continues an ongoing series of articles describing Phantom Playbooks; which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. In May of 2017, Phantom's Co-Founder and CTO Sourabh Satish held two consecutive Tech Sessions covering capabilities of the Phantom … Continue reading Playbook: Using Filters, Decision-Making Logic, Custom Lists, User Prompts, and Scheduled Actions
New domains are created everyday as part of the normal operation of the Internet Domain Name Service (DNS). Unfortunately, bad actors commonly use newly created domains for criminal activities like spam, malware distribution, or botnet command and control (C&C). They commonly use the new domains within the first few minutes of creating them—making it difficult to build effective domain-based blocking policies.