Phantom Releases Patch Update to 2.0 Platform

Feedback about the Phantom security automation and orchestration platform is incredibly important to all of us here at Phantom. As the product manager for the Phantom platform, I’m a strong believer in listening to current and future customers, as well as the ever-growing membership of the Phantom community. Our most recent patch release to the 2.0 platform is a good example of how we have incorporated community feedback into the product.

Phantom 2.0 Patch 1 was released last Friday, December 9 and is available now on the Phantom Community’s download page. In addition to several other enhancements, there is one notable API change that will be particularly pleasing to Phantom power users. It relates to feedback from users about the preferred behavior of the phantom.act() function call. The call now executes even if its required parameters are missing, and the playbook author is expected to handle the resulting failure in the action callback. In versions prior to this release, the automatically generated code for action blocks (and the function itself) checked whether the required parameters had been passed to the action, and phantom.act() was not executed if any of them were missing.

Prior to this update, within an action block the call to phantom.act() would look like this:

if parameters:
    phantom.act("geolocate ip", parameters=parameters,
                assets=['maxmind'], name="geolocate_ip_1")
else:
    phantom.error("'geolocate_ip_1' will not be executed due to lack of parameters")

Now in the newly generated code, there is no check for parameters and the action is called directly:

phantom.act("geolocate ip", parameters=parameters,
            assets=['maxmind'], name="geolocate_ip_1")

This change in the auto-generated code and in the behavior of phantom.act() makes joins work as users expect. If two or more actions are connected to a single downstream block, that block now runs once every connected phantom.act() call has completed. In prior releases, an action skipped for lack of parameters was never called at all, so the join was never satisfied: the playbook ended prematurely once the actions that did run had finished, with the remaining steps silently never executed.

Two action blocks connected to a single action block
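To make the join behavior concrete, here is a small simulation, added to this post and not Phantom’s own engine or generated code: an orchestrator that either guards phantom.act() the old way (skipping the call when parameters are empty) or dispatches unconditionally the Patch 1 way. The Orchestrator class, its act() signature, the two-argument callback and the join counter are all assumptions made for this model; in the real platform the join is handled by the playbook runtime.

```python
# Added example, not Phantom code: a minimal model of two actions joined into
# one downstream block. Orchestrator, act() and the callback shape are assumed.


class Orchestrator:
    """Dispatches actions and notifies a callback when each one finishes."""

    def __init__(self, skip_when_params_missing):
        # True models the pre-Patch 1 generated code: act() is never issued
        # when the parameter list is empty. False models Patch 1 behavior.
        self.skip_when_params_missing = skip_when_params_missing
        self.errors = []

    def act(self, action, parameters, name, callback):
        if self.skip_when_params_missing and not parameters:
            # Old behavior: log and return without running the action, so the
            # callback (and any join waiting behind it) never hears about it.
            self.errors.append(f"'{name}' will not be executed due to lack of parameters")
            return False
        # Constructed stand-in for the app: the action succeeds only when every
        # parameter set carries the required 'ip' value.
        success = bool(parameters) and all("ip" in p for p in parameters)
        callback(name, success)
        return True


def run_playbook(skip_when_params_missing):
    """Two actions feed one join block; report whether the join fired."""
    orch = Orchestrator(skip_when_params_missing)
    expected = {"geolocate_ip_1", "whois_ip_1"}
    outcomes = {}
    state = {"join_fired": False}

    def on_action_done(name, success):
        # Patch 1 contract: the callback, not a guard in front of act(), is
        # where a failed or parameter-less action gets handled. Recording the
        # failure is what lets the join count it as "done".
        outcomes[name] = success
        if expected.issubset(outcomes):
            state["join_fired"] = True

    # Constructed input: one artifact yielded an IP, the other yielded nothing.
    orch.act("geolocate ip", [{"ip": "198.51.100.7"}], "geolocate_ip_1", on_action_done)
    orch.act("whois ip", [], "whois_ip_1", on_action_done)
    return state["join_fired"], outcomes, orch.errors


if __name__ == "__main__":
    print("pre-Patch 1:", run_playbook(True))
    print("Patch 1:    ", run_playbook(False))
```

With the old guard the second action is never dispatched, the join only ever sees one result, and whatever block sits behind the join never runs; with the Patch 1 behavior the action is dispatched, fails, the callback records the failure, and the join proceeds with both outcomes in hand. The practical consequence for playbook authors is that callbacks must now check the success flag rather than assuming the action ran with valid input.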

Another frequent community request has been supporting the Phantom platform on Amazon Web Services (AWS). Previously the platform was available as an Open Virtual Appliance (OVA) only. This week, we posted an Amazon Machine Image (AMI) version on our community site that contains the Phantom platform image suitable for AWS deployments. As always, please check it out and provide us with feedback through the community slack channel or through email at feedback (at) phantom (dot) us.

Finally, our CTO, Sourabh Satish, will cover these enhancements and others in greater detail during our next Tech Session webinar tomorrow, Friday, December 16 at 12PM ET / 9AM PT.

Registration to attend the session can be found here.

Robert Truesdell
Director, Product Management

Automating Security Operations at the Fed

I recently joined Phantom to work with our clients in the Federal sector.  Though Security Automation & Orchestration traces its roots to the public sector, there is still much progress to be made.

There is no shortage in Federal-related news coverage: from open vulnerabilities in wireless networks at HHS, to vulnerability issues and unpatched systems at NASA, to phishing attacks at the IRS, to stolen credentials and malware backdoors at OPM.

Many Federal organizations are working to enhance their security posture by leveraging DHS’s Continuous Diagnostics and Mitigation (CDM) Phase 1 program to help them with their security issues, especially around issues relating to vulnerabilities and patching.

The question remains however, “How are they working to streamline their security operations?”

Automation is clearly a time saver and one important tool to streamline security operations.  Customers are routinely taking manual, labor intensive processes that can take hours to carry out and reducing them to automation tasks that run in seconds.  We’ve shared several examples of the time-saving benefits in the Playbook Series on our blog.

Faster security is nice.  It’s not the only benefit that comes with automation though.  Security can also be improved, like using automation to drive accuracy and consistency throughout the Incident Response (IR) process.  You can imagine that as alert volume increases, junior analysts become overwhelmed with information, causing them to overlook key indicators. Even experienced analysts might be tempted to make “gut calls” based on previous incidents and incomplete information. With automation, the same data is gathered for every alert, and every alert is investigated and memorialized the same way, every time.

No doubt, we’re just starting to understand the impact automation and orchestration can have on the security industry and the public sector.  I’m looking forward to being part of the team leading this change at Phantom.

Alfonso Ruiz
Federal Sales Manager

Playbook Series: Creating Nested Playbooks for Responding to Malware Incidents

One of the most powerful capabilities of the Phantom platform is its support for nested playbooks. When defining your process as a Phantom playbook, one of the four main branching choices offered by the Integrated Development Environment (IDE) is another playbook.

Nesting a playbook within a playbook using the Phantom platform’s visual automation IDE.

Similar to the way a function call works in programming languages, the parent playbook jumps to the child playbook and executes the appropriate actions. To illustrate the utility of the nesting capability, let’s examine a process for handling Malware incidents and lay out the logic using a Phantom playbook.

Malware is one of the most common incident types handled by Security Operations (SecOps) teams. If you’re a member of such a team, you likely have a series of processes, or playbooks, to handle the various malware categories you may encounter. It’s also likely that there is a large amount of overlap, or redundancy, between these playbooks.

Using the Phantom platform, when you receive a suspected malware alert you can begin a generic malware response workflow. After performing investigative actions, such as retrieving the file reputation from a threat intelligence service, you can use that context to determine which of the more specific malware playbooks to branch to in order to execute the unique responses for that particular malware type.

Simplified diagram showing the ability to branch from a parent playbook into a child playbook.

This is a very simple use case for nested playbooks, but hopefully it illustrates how powerful nesting playbooks can be. Through nesting, you can build elaborate response workflows that minimize the amount of redundancy needed. That way, when your process changes you have fewer places to change in your Phantom playbooks.

Chris Simmons
Director, Product Marketing

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Playbook Series: The evolution of the Phishing playbook

As we approach the one-year anniversary of the Phantom security automation and orchestration platform, we wanted to look back at how new releases of the platform have enabled more sophisticated playbooks. The Phishing playbook is a great example of how new platform developments have lifted the barriers to security automation.

  • Decision Blocks – Having the ability to insert conditional blocks into the workflow has allowed playbooks to better model real-world decision making, choosing the course of action that is most appropriate for a given scenario. For example, the Phishing playbook was evolved to get file reputation from a threat intelligence source and submit the file for dynamic analysis if the file was previously unknown.
  • Human In/On/Out-of-the-Loop Workflows – Teams often want the ability to participate in automation workflows. By combining decision blocks with user interactivity, you can interact with the workflow only if criteria are met. The Phishing playbook can be easily modified to support the level of interactivity desired.
  • App Integrations – Over the past year we have greatly increased the number of app integrations, adding new tools that integrate naturally with the Phishing playbook.

A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.
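The following is an added example, not the Phishing playbook itself or any Phantom code, and it serves both the nested-playbook branching described in the malware post above and the decision-block and human-in-the-loop points in this one. It models one attachment passing through the decision logic: a reputation lookup first, dynamic analysis only when the file is unknown, and an analyst prompt only when the sandbox score is ambiguous. The verdict strings, the 0..100 sandbox score scale, the thresholds, the child playbook name and the injected lookup/detonate/ask_analyst hooks are all assumptions made for illustration.

```python
# Added example, not Phantom's Phishing playbook: decision blocks for one
# attachment, with the analyst consulted only in the ambiguous band.


def triage_attachment(sha256, lookup, detonate, ask_analyst, low=30, high=70):
    """Return the ordered list of blocks/playbooks the attachment flows through.

    lookup(sha256)      -> 'malicious' | 'benign' | 'unknown' (threat intel)
    detonate(sha256)    -> int sandbox score 0..100 (only called if unknown)
    ask_analyst(prompt) -> bool (only called when low <= score < high)
    """
    trail = ["file reputation"]
    verdict = lookup(sha256)
    if verdict == "malicious":
        # Known bad: branch straight into the child containment playbook.
        trail.append("playbook: contain_known_malware")
        return trail
    if verdict == "benign":
        trail.append("close")
        return trail
    # Unknown to threat intel: only now pay for dynamic analysis.
    trail.append("detonate file")
    score = detonate(sha256)
    if score >= high:
        trail.append("playbook: contain_known_malware")
    elif score < low:
        trail.append("close")
    else:
        # Human in the loop only when the automated evidence is inconclusive.
        trail.append("prompt analyst")
        approved = ask_analyst(f"{sha256} scored {score}/100 in the sandbox; contain?")
        trail.append("playbook: contain_known_malware" if approved else "close")
    return trail


# Constructed fixtures standing in for the reputation service, the sandbox
# and the analyst. Hashes are placeholders, not real samples.
KNOWN_HASHES = {"a" * 64: "malicious", "b" * 64: "benign"}
SANDBOX_SCORES = {"c" * 64: 85, "d" * 64: 50, "e" * 64: 10}


def sample_lookup(sha256):
    return KNOWN_HASHES.get(sha256, "unknown")


def sample_detonate(sha256):
    return SANDBOX_SCORES[sha256]


def approve_all(prompt):
    return True


def reject_all(prompt):
    return False


if __name__ == "__main__":
    for h in ("a" * 64, "b" * 64, "c" * 64, "d" * 64, "e" * 64):
        print(h[:8], "->", " / ".join(triage_attachment(h, sample_lookup, sample_detonate, approve_all)))
```

Two design points worth noting: a benign or malicious verdict short-circuits before any sandbox cost is incurred, and the analyst hook is reached only for the middle band, so raising `low` or lowering `high` is how a team dials in more or less human involvement without restructuring the playbook.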

These are just a few of the changes that the Phishing playbook and the Phantom platform have experienced as they have evolved over the past year. Please join us this Friday (December 2 @ Noon ET / 9 AM PT) where we will cover the year-long evolution of the Email Phishing playbook and the Phantom platform.  

You can register for the Tech Session here.

Chris Simmons
Director, Product Marketing

App Envy? You decide…

Though Phantom only went GA earlier in 2016, we’ve been working on the technology for nearly 3 years.  This investment in our architecture has produced meaningful differences – some of which we’ve covered in past blog posts.

One element that is foundational to our architecture is the Phantom App.  Apps extend the capabilities of the platform by supporting integration to all of the 3rd party security products that our users want to automate and orchestrate.

Phantom has over 75 Apps, allowing the platform to automate common reputation services, endpoint technologies, sandboxes, firewalls, and common mobile, virtual and cloud based security products.

Apps are closely related to another foundational element in our architecture – actions.  Simply put, actions are what you automate – retrieving data for investigative purposes or changing policy on a security device for example.  The Phantom platform supports more than 150 actions.

Here’s an example to illustrate both elements:


HackerTarget is a Phantom App that supports 12 actions including tracerouting an IP, executing a whois lookup, and several others.  You can see all Phantom Apps and their associated actions at

In a race to compete in this emerging market, some vendors have adopted a taxonomy that inflates their App count.  For example, what Phantom would call a single Active Directory App with two actions is instead represented as two separate Apps:

  • Active Directory Authenticate App
  • Active Directory Query App

It’s misleading, but fortunately also rather transparent.  If you are evaluating Security Automation & Orchestration platforms, simply looking at the list of supported apps would reveal the attempt to inflate the count – more Apps equate to a better platform, unless they aren’t really Apps.

What is certainly related and also important to consider is how Apps are developed for a Security Automation & Orchestration platform.  Our community-powered approach means core elements like Apps can be developed by anyone and shared within the community.  Users have the option of using community developed Apps entirely or as a starting point for developing their own.  Communication and collaboration are encouraged as a way for users to address challenges, share information, and showcase their skills.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see it in action.

CP Morey
VP, Products & Marketing

Preventing Threat Intelligence Overload

Security professionals generally agree that the demand for threat intelligence is growing. With the ability to focus security teams and tools on the most relevant and high-risk threats, the context and tailored priority that threat intelligence feeds provide are undisputed benefits.

While it sounds like a win/win situation—the threat intel comes in, it’s applied, and the organization becomes less vulnerable—incorporating threat intelligence into security operations has actually led to an increased burden on the security teams that use it. Often incorporating multiple inbound intelligence feeds, the team has to parse through high volumes of multi-formatted data that comes in at disparate times. They must groom the incoming intelligence data, removing duplicate records and those that aren’t applicable to their organization or industry. Finally, the team must then re-distribute the combined and refined intelligence stream out to their internal tools and stakeholders.  

Security teams also correlate intelligence across multiple data sources, using algorithms to build a confidence rating for a piece of intelligence in the process.  Based on their personal experiences and a feed’s historical accuracy, the team uses a customized weighting system to rank the quality of intelligence by its source. This rating system allows the team to include every indicator or observable in their resulting set, thereby avoiding the elimination of a critical piece of intelligence. It also allows them to present the most trusted and high priority intelligence first, helping to improve downstream efficiency.

While the ingestion, grooming, and rating workflow is going on, the clock continues to tick and the utility of inbound threat intelligence diminishes. The longer it takes to get valuable intelligence into the hands of the people who can take action on it, the longer a bad actor has to carry out an attack.

Fortunately technology exists to relieve the burdens introduced by threat intelligence, extract threat intelligence benefits, and shorten incident response times. Using automated techniques, teams can aggregate data sets, de-duplicate records, and apply scoring algorithms to inbound intelligence. Intelligence that accrues a score above a watermark can be automatically escalated to members of the security team for review. Through automation of this workflow, team resources are freed to focus on the critical intelligence that warrants follow up. Perhaps most importantly, however, is that an organization’s overall security is improved by getting information to the people and systems where it can be actioned upon faster than with manual techniques.
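As an added example, not part of this post and not a feature of any particular product, the following is a small offline model of the triage pipeline described in the two paragraphs above: records from several feeds are normalized and de-duplicated, each surviving indicator is scored from the weights the team has assigned to its sources, and anything at or above a watermark is escalated. The feed names, the per-source weights, the noisy-OR scoring rule, the watermark value and the sample records are all constructed for illustration.

```python
# Added example: aggregate, de-duplicate, score by source trust, escalate.
# Feed names, weights, watermark and records are constructed, not real data.

# The team's own judgement of each feed's historical accuracy (0..1).
SOURCE_WEIGHTS = {"isac_feed": 0.9, "vendor_feed": 0.7, "osint_paste": 0.3}
UNKNOWN_SOURCE_WEIGHT = 0.1   # a feed nobody has vetted yet gets little trust
WATERMARK = 0.8               # escalate to an analyst at or above this score


def normalize(record):
    """Canonical (type, value) key so the same indicator from different feeds
    collapses into one entry instead of being counted twice."""
    kind = record["type"].lower()
    value = record["value"].strip()
    if kind == "domain":
        value = value.lower().rstrip(".")      # case and trailing dot
    elif kind in ("md5", "sha1", "sha256"):
        value = value.lower()
    return (kind, value)


def score(sources):
    """Noisy-OR combination: independent corroborating feeds raise confidence,
    and the result never exceeds 1.0 however many feeds repeat the indicator."""
    miss = 1.0
    for src in sources:
        miss *= 1.0 - SOURCE_WEIGHTS.get(src, UNKNOWN_SOURCE_WEIGHT)
    return 1.0 - miss


def triage(records, watermark=WATERMARK):
    """Return (escalated, ranked): every indicator is kept and ranked, and the
    subset at or above the watermark is what gets pushed to the team."""
    merged = {}
    for rec in records:
        merged.setdefault(normalize(rec), set()).add(rec["source"])
    ranked = [
        {"type": kind, "value": value, "sources": sorted(srcs), "score": score(srcs)}
        for (kind, value), srcs in merged.items()
    ]
    ranked.sort(key=lambda e: (-e["score"], e["type"], e["value"]))
    escalated = [e for e in ranked if e["score"] >= watermark]
    return escalated, ranked


# Constructed sample feed records (TEST-NET addresses, example.com names,
# and the MD5 of the empty string as a placeholder hash).
SAMPLE_FEEDS = [
    {"source": "isac_feed",   "type": "ip",     "value": "198.51.100.7"},
    {"source": "vendor_feed", "type": "ip",     "value": " 198.51.100.7 "},
    {"source": "vendor_feed", "type": "domain", "value": "evil.example.com"},
    {"source": "osint_paste", "type": "domain", "value": "Evil.Example.COM."},
    {"source": "osint_paste", "type": "md5",    "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"source": "osint_paste", "type": "ip",     "value": "203.0.113.9"},
]


if __name__ == "__main__":
    escalated, ranked = triage(SAMPLE_FEEDS)
    for entry in ranked:
        flag = "ESCALATE" if entry in escalated else "hold"
        print(f"{entry['score']:.2f} {flag:8} {entry['type']:6} {entry['value']} {entry['sources']}")
```

Two things the sample shows that the prose only states: the IP reported by both the ISAC and the vendor feed scores 0.97 and is escalated, while the domain reported by the vendor feed and an OSINT paste lands at 0.79, just under the watermark, so it stays in the ranked set for later review rather than being discarded. Nothing is dropped; only the order and the escalation decision change with the weights.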

In summary, the automation of these threat intel triage tasks will free up the team to provide more meaningful analysis and expertise, like putting together that Threatscape document the CISO has been asking for.

Tim Condello

Tim Condello is a Technical Account Manager at RedOwl.  Prior to this he was a founding member of the Threat Intelligence team at BNYM.

Paul Davis Joins Phantom as VP of Delivery

I have had the honor of working with first-rate security operations teams around the world.  Whether I was in the CISO role at one of the top 5 companies in the Fortune 500, running Security Operations Centers in the frenetic world of financial exchanges, or responding to threats against the critical infrastructure industry, there are a number of challenges that have been universal:

  • There is never enough time
  • It is tough to deliver security consistently and effectively
  • Repeatable processes are elusive
  • Shutting down a threat or attack takes longer than it should

Lack of time and resources as well as having a “target on one’s back” are challenges that every IT security professional faces.  As they say, “you’re only as good as your last security event response.”  Just ask the CISOs who have lost their jobs to security lapses.

Paul brings more than 20 years of experience working with security operations teams and solving security challenges at some of the largest organizations in the world.

So what is needed to overcome these challenges?

Consistency – it takes time

It’s sad, but true.  Despite the glamorous portrayal of hackers and security response teams in the movies, a monotonous but important reality is that security teams need to document what they do.  We need to track it, we need to be coordinated, and we need to be agile.  We are forced to do it with increased pressure from the growing number of threats impacting our organizations.  Our work needs to be standardized and repeated every day, without a drop in service quality.

I’ve built a number of security programs.  One concept that has always served me well is the playbook.  In all situations, whether the security team was small or large, there has been a need for consistency, for common nomenclature, standard deliverables, and predictable paths.  At the very least, this approach ensures that the shift handover will be smooth.  Geographically dispersed groups are going to be able to respond more effectively, and the public face of the IT security team will look professional and reliable.

The benefits are worth it.  A consistent approach drives team pride, fast action (e.g. building a SOC with full 24×7 operations in 2 months), and metrics that demonstrate the value of the security team.


To ensure consistency from the start, I’ve used playbooks with graphical diagrams supplemented by an arduous manual documenting each and every step of the process.  When the inevitable happens, the team can use a well documented playbook to ensure that we are following a consistent process.

Still, there was something that always bothered me.  Lack of automation.  I call it a “click-fest”.  Cut and paste this information into another application, or even worse, re-type the information.  I challenge anybody to get excited about entering a SHA256 manually.  This “click-fest” was often repeated multiple times a day.  Human error, boredom, and even missed security events occurred.  When I lead a security team, I want to exercise their critical thinking, challenge them to use their instincts and IT security chops versus treating them like a group of unskilled data entry dupes.

So what has changed?

The industry has evolved.  Products have APIs that allow you to extract information and enable response.  But you still need something to bring the data together and go beyond a prioritized list of events to review, or you are back to the cursed “click-fest”.

After two decades in the security industry, I started working with some of the most forward thinking security institutions, building threat intelligence platform architectures.  These architectures were designed to consume data in the form of events and threat intelligence, and then validate if the event reached a risk threshold.  These systems were being built in-house and they required a lot of maintenance.  This changed some of the members of the team from being security analysts to developers.  It’s not ideal, but you need people who not only understand how to build robust solutions, but also understand the mission and parameters that affect a security operations team, or a threat intelligence team, or an incident response team.

Are you in security or system integration?

The systems were built. They weren’t ‘pretty’, but they worked.  They weren’t systems that allowed people to easily codify their processes into playbooks, though; they required systems integration.  I remember meeting a CISO in Australia who asked if I could help him get out of the system integration business, since most of his security engineers were focused on integration instead of optimizing security response.

But I want efficiencies, I want automation

When I started to design those threat intelligence platforms, many customers wanted complete automation.  I had to explain to them that you could only expect to automate a portion of the operations – maybe 60% of the threats.  I had to explain that their security response needed to leverage all of the organization’s infrastructure.  There is a cost associated with implementing security controls.  The closer the threat gets to the processor, the higher the cost.  If I can block an attack at the network level, then I’m not going to affect the performance of that critical database.  I talked about an agile response model with “micro rules” that could be applied according to whether you were monitoring for a threat IOC inside the infrastructure versus responding to an active threat inside their environment.


A system is needed that provides automation to enable speedy, standardized, and effective response. This same system also needs to support the triage process of investigating an event, bringing all relevant information to the analyst from multiple sources, enabling them to determine the level of risk and to perform deeper analysis of the situation.  It should also enable active response across multiple solutions.

The Answer

Phantom has built what security operations teams and incident responders need: a platform that empowers security teams to integrate and develop standardized processes and procedures.  All the concepts that I’ve dreamed of and spoken about during the past few years are realized in a product that enables integration, automation, and efficiency in a security operations environment. It supports an agile model that can leverage the power of automation and the human brain.

Phantom provides automation, consistently.  A powerful platform to ensure that SOC and IR teams are focusing on the interesting aspects of investigation and response, leveraging their skills and passion for security.  Phantom is the solution that can proactively gather all the information that analysts need to assess risk, and execute an effective response, at scale.

I’m really excited to be joining Phantom, since it is the realization of the dreams I had as a security professional.  I look forward to helping our customers, our partners, and the IT security community find success. I look forward to working with a great skilled team to build relationships that will help advance the capabilities of the IT security industry, from vendors to the people protecting organizations on the electronic frontline.

Paul Davis
VP of Delivery

Paul is a seasoned IT Security Executive with a global reputation for building organizations and delivering services.  He has more than 20 years of experience working with security operations teams and solving security challenges at top companies including EDS, General Motors, GE, Cisco, Dow Chemical, The Washington Post, The United Nations, MCI, Prudential, and Mitsui.

Prior to joining Phantom, Paul held a number of senior leadership roles including EDS’ Chief Information Security Officer at General Motors, Chief Security Officer at Dow Chemical, and Director of Security Operations for a major financial exchange.  Paul earned a CISSP certification, and is a member of ISSA, IACs, and the MIT Enterprise Forum of Cambridge.