Playbooks: Automated Investigation & Mitigation for Apple macOS Root Bypass Issue

A critical flaw involving the ability, in certain situations, to exploit the root account on Apple macOS 10.13 (High Sierra) systems was reported on November 28, 2017 (CVE-2017-13872). Although Apple moved quickly to mitigate this vulnerability, a scenario like this presents an opportunity to improve upon existing security operations procedures. Toward this goal, we explore how the Phantom Security Automation & Orchestration Platform might help to hunt for and mitigate vulnerabilities like this in the future.

Playbooks: Going Beyond Incident Response Use Cases

Before joining Phantom, I worked in several security operations roles at a large electric power company. During my time there, we built out our Security Operations Center (SOC) and added numerous security tools to identify, investigate, and respond to cyber threats. As we grew, I realized how difficult it was just to keep track of …

Playbook: Investigating Phishing Attachments with McAfee

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. Introduction Starting with just one successful phishing email, an attacker can quickly hide, pivot, persist, and exfiltrate from our …

Playbook: Remediating Rogue Wireless Access Points

Sometimes the easiest way to gain a foothold on a corporate network is to place a Wireless Access Point (WAP) right outside the door and wait to see who connects to it. Other times, the easiest way into a network is to drive by (literally) and monitor for networks that are not using modern security protocols. Either way, it helps to know what wireless networks are in the range of your office and whether they are official corporate WAPs. There are many ways to do this, but in this example, we dusted off a Raspberry Pi 3 and took it for a spin around the office to see what WAPs were broadcasting in our vicinity.

Playbook: Using Filters, Decision-Making Logic, Custom Lists, User Prompts, and Scheduled Actions

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform. In May of 2017, Phantom's Co-Founder and CTO Sourabh Satish held two consecutive Tech Sessions covering capabilities of the Phantom …