Playbook Series: Triage Reconnaissance Alerts

Your existing security infrastructure probably observes a large volume of scanning, or reconnaissance, activity every day. While a great portion of this activity can be attributed to the background noise of the Internet, it can also be an early warning signal of a full-on attack. A classic problem for security teams is dealing with this type of high-volume activity in a way that doesn’t consume the team’s time and doesn’t miss these early indicators of more nefarious activity.

This is a perfect scenario where Phantom can help. The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

Figure: Screenshot of a Phantom investigation playbook as viewed in the Phantom visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook, automating the following steps:

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity
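The decision step of the three-step triage above, as an added example that is not Phantom's code or API: reputation verdicts from several providers are collapsed per indicator, a malicious verdict on either the IP or the domain escalates, only an all-clean result dismisses, and a missing or errored lookup (assumed here to be reported as "unknown") is handed to an analyst rather than auto-dismissed. The lookup results are constructed inline rather than fetched from an intelligence provider.

```python
"""Triage decision for a reconnaissance alert: summarise reputation
lookups, auto-dismiss false positives, auto-escalate malicious sources.
Added example, not Phantom code; lookups are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MALICIOUS, CLEAN, UNKNOWN = "malicious", "clean", "unknown"

@dataclass
class Decision:
    action: str                      # "dismiss" or "escalate"
    severity: str                    # "high", "review" or "none"
    reasons: List[str] = field(default_factory=list)  # audit trail

def summarise(verdicts: Dict[str, str]) -> str:
    """Collapse per-provider verdicts for one indicator. Any malicious
    verdict wins; a missing or errored lookup blocks a clean verdict, so
    an outage at one provider can never turn into an auto-dismissal."""
    values = set(verdicts.values())
    if MALICIOUS in values:
        return MALICIOUS
    if not values or UNKNOWN in values:
        return UNKNOWN
    return CLEAN

def triage(source_ip: str, source_domain: Optional[str],
           lookups: Dict[str, Dict[str, str]]) -> Decision:
    """lookups maps indicator -> {provider name: verdict}."""
    indicators = [source_ip] + ([source_domain] if source_domain else [])
    reasons, summary = [], {}
    for ind in indicators:
        per_provider = lookups.get(ind, {})
        summary[ind] = summarise(per_provider)
        for provider, verdict in per_provider.items():
            reasons.append(f"{ind}: {provider} says {verdict}")
        if not per_provider:
            reasons.append(f"{ind}: no reputation data")
    if MALICIOUS in summary.values():
        return Decision("escalate", "high", reasons)
    if all(v == CLEAN for v in summary.values()):
        return Decision("dismiss", "none", reasons)
    # Incomplete data: hand to an analyst instead of guessing.
    return Decision("escalate", "review", reasons)

# Constructed sample: one provider flags the IP, the domain is clean.
SAMPLE_LOOKUPS = {
    "203.0.113.7": {"provider_a": MALICIOUS, "provider_b": CLEAN},
    "scanner.example": {"provider_a": CLEAN},
}

def run_sample() -> Decision:
    return triage("203.0.113.7", "scanner.example", SAMPLE_LOOKUPS)

if __name__ == "__main__":
    d = run_sample()
    print(d.action, d.severity)
    print("\n".join(d.reasons))
```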

Automating this process in Phantom has several benefits, including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know from minutes or hours to seconds for malicious activity
  • Consistent and accurate handling of your processes every time

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

Chris Simmons
Director, Product Marketing
Phantom

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and playbooks here.

Playbook Series: Secure Compromised Accounts

If you are one of the many security analysts who receive threat intelligence about compromised user accounts, you understand the significant amount of time it takes to investigate and respond to each report. In many practices the manual process might include:

  • Parsing the inbound threat intelligence for Indicators of Compromise (IoCs) like username and password pairs
  • Hunting for the IoCs in your local environment
  • Disabling and/or resetting compromised accounts
  • Communicating with affected users to recover access

In the pursuit of greater efficiency and scale, this process is well suited for automation by the Phantom security automation and orchestration platform.

Figure: Sample playbook where Phantom automates Flashpoint threat intelligence to secure compromised accounts.

With Phantom, compromised account threat intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account

Automating this process with the Phantom platform has several benefits including:

  • Frees up human resources for other critical investigations
  • Reduces the response time for the threat from minutes or hours down to seconds
  • Ensures the process is handled accurately and consistently every time

Mitigating threats that might use compromised accounts is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses.  You can read more about the Phantom platform and playbooks here.

Chris Simmons
Director, Product Marketing
Phantom


Top 3 Phantom Playbooks for 2016

The Playbook Series on our blog remains one of our most popular content features.  With dozens of posts in the series, we thought it would be interesting to showcase three of the most popular Phantom Playbooks from the year.

First up is the Ransomware Playbook.  Phantom can ingest either a suspicious file or file hash from your current security infrastructure to trigger the Ransomware Playbook, automating key investigation and containment steps:


Next on the list of the most popular Phantom Playbooks for 2016 is the Phishing Playbook.  Phantom can ingest a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and trigger the Phishing Playbook to automate 15 triage, investigation, and remediation steps:


Last on the list is a Phantom Playbook that can automatically gather threat intelligence for you and enrich inbound security events. With the added context on hand you can reduce redundant steps in your investigations, achieve faster decision making, and improve your overall productivity:


The new Playbook Editor in Phantom 2.0 made a significant leap forward in our mission to be the industry’s first, open, extensible, and community powered Security Automation & Orchestration platform – a technology that is core to building the next-generation SOC.  Watch this video to see how easy it is to build and customize Phantom Playbooks.


CP Morey
VP, Products & Marketing
Phantom


Playbook Series: Keyloggers: Prevent the loss of sensitive information

Keyloggers are one of the most common types of malware that bad actors use to harvest and steal sensitive information. Although the data they target varies from passwords to credit cards to intellectual property, identifying and stopping keyloggers before they are able to exfiltrate sensitive information is a top-of-mind imperative for security teams worldwide.

To assist teams in achieving this goal, we present today’s entry to our playbook series—the Keylogger Response playbook. This playbook outlines how you can automate the investigation and containment of keylogger-infected endpoints. The playbook is designed to quickly investigate a suspected keylogger infection and contain it, if confirmed, until you can further investigate—reducing the chances that sensitive information will be lost.

Note: The Phantom team is in the process of publishing the playbook to our community repository and expects it to appear on the Phantom platform in the coming days.

Figure: A visual representation of the Keylogger Response playbook as viewed using the Phantom 2.0 platform.

The Keylogger Response playbook begins execution when Phantom receives an alert from a SIEM platform, like Splunk, HP ArcSight, or IBM QRadar.

The playbook then attempts to locate the affected VM, extract a file sample, and detonate the sample in a file analysis sandbox, like Cisco AMP Threat Grid.

If the file analysis results indicate that keylogging activity was detected, then the playbook executes the defined User Management Course of Action (CoA):

  • logoff user
  • disable user
  • reset password

These actions limit the malware’s ability to propagate laterally within the network using the user’s credentials.

Finally, the playbook executes some standard response actions whenever malware is confirmed, whether or not it is a keylogger trojan:

  • block hash
  • terminate process
  • send email

Automating this workflow provides multiple benefits:

  • Prevents data loss by executing your investigation and containment workflow the moment a keylogger infection is suspected.
  • Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
  • Ensures consistency by following your process the same way, every time.


Chris Simmons
Director, Product Marketing
Phantom


Playbook Series: Rootkits: Automatically Remediate Virtual Machines

Most security professionals will agree that the most reliable way to remediate rootkit infections on Virtual Machines (VMs) is to re-image or revert the virtual machine to a pre-infected state. Today’s entry to our playbook series examines a Phantom playbook, included with our version 2.0 release of the platform, that automates this scenario.

Figure: A visual representation of the Remediate Rootkit playbook as viewed using the Phantom 2.0 platform.

The Phantom playbook begins by attempting to quarantine the infected VM. Next, the playbook collects information about the system that will aid in the downstream steps involved in recovering the endpoint. Depending on the running state of the VM, the playbook then uses encoded process logic and the Phantom decision engine to determine the next path in the workflow. If the VM is not currently running, Phantom attempts to revert the VM to a pre-infected state, unquarantine the endpoint, and send an email report of the activity. If the VM is actively running, Phantom attempts to terminate affected processes and disable affected user(s), create a ticket to have the machine re-imaged, and send an email summary.
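The sequencing logic of this rootkit workflow and of the Keylogger Response playbook in the previous post, as one added example that is not Phantom's code: each named action is a callable supplied by the caller (constructed fakes here, standing in for the real app integrations) that returns True on success, every run keeps an audit trail, and the rootkit branch only releases the endpoint from quarantine after a successful revert. The sandbox verdict passed to the keylogger function is an assumed dictionary shape, not Threat Grid's real report format.

```python
"""Orchestration of the Keylogger Response and Remediate Rootkit
workflows described above. Added example, not Phantom code: actions are
injected callables (fakes below) and each run records an audit trail."""
from typing import Callable, Dict, List

Action = Callable[[str], bool]

class Runbook:
    """Executes named actions against one asset and records the outcome."""
    def __init__(self, asset: str, actions: Dict[str, Action]):
        self.asset, self.actions, self.trail = asset, actions, []

    def run(self, name: str) -> bool:
        ok = self.actions[name](self.asset)
        self.trail.append(f"{name}: {'ok' if ok else 'FAILED'}")
        return ok

def respond_keylogger(vm: str, sandbox: Dict[str, bool],
                      actions: Dict[str, Action]) -> List[str]:
    """sandbox is the (assumed, constructed) detonation verdict."""
    rb = Runbook(vm, actions)
    if sandbox.get("keylogging"):          # user-management CoA
        for a in ("logoff user", "disable user", "reset password"):
            rb.run(a)
    if sandbox.get("malicious"):           # standard malware response
        for a in ("block hash", "terminate process", "send email"):
            rb.run(a)
    return rb.trail

def remediate_rootkit(vm: str, running: bool,
                      actions: Dict[str, Action]) -> List[str]:
    rb = Runbook(vm, actions)
    if not rb.run("quarantine device"):
        rb.trail.append("abort: device not contained")   # fail closed
        return rb.trail
    rb.run("get system info")
    if not running:
        # Powered-off VM: release from quarantine only after a good revert.
        if rb.run("revert vm"):
            rb.run("unquarantine device")
        else:
            rb.trail.append("kept in quarantine: revert failed")
    else:
        # Live VM: contain the user and processes, then ticket a re-image.
        for a in ("terminate process", "disable user", "create ticket"):
            rb.run(a)
    rb.run("send email")
    return rb.trail

ACTION_NAMES = ("quarantine device", "get system info", "revert vm",
                "unquarantine device", "terminate process", "disable user",
                "create ticket", "send email", "logoff user",
                "reset password", "block hash")

def fake_actions(fail: str = "") -> Dict[str, Action]:
    """Constructed stand-ins: every action succeeds except the named one."""
    return {n: (lambda _asset, n=n: n != fail) for n in ACTION_NAMES}
```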

Automating this workflow provides multiple benefits:

  • Improves security by executing your containment and remediation workflow the moment a rootkit infection is confirmed.
  • Increases the efficiency and productivity of your SecOps team.
  • Ensures consistency by following your process the same way, every time.


Chris Simmons
Director, Product Marketing
Phantom


Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Phishing emails are not a new type of threat to most security professionals, but dealing with their growing volume and potential impact requires an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom security automation and orchestration platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e., a sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.

Figure: A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

  • file reputation – Query a threat intelligence service for a file’s reputation.
  • detonate file – Analyze the file in a sandbox and retrieve the analysis results.
  • hunt file – Look for instances of the file on managed endpoints.
  • get system attributes – Get the attributes of a computer/system.
  • url reputation – Query a threat intelligence service for a URL’s reputation.
  • detonate url – Load a URL in a sandbox and retrieve the analysis results.
  • get screenshot – Get a screenshot of a rendered URL.
  • domain reputation – Query a threat intelligence service for a domain’s reputation.
  • ip reputation – Query a threat intelligence service for an IP’s reputation.
  • geolocate ip – Query a geolocation service for an IP’s location information.
  • hunt url – Look for information about a URL that could reveal attribution information.
  • lookup ip – Query Reverse DNS records for an IP.
  • whois domain – Run a whois query on the given domain.
  • whois ip – Execute whois lookup on the given IP address.
  • delete email – Delete an email from the email server.

The benefits of automating your phishing IR workflow are numerous:

  • Free up analysts to research the latest phishing tactics.
  • Increase the efficiency and productivity of your SecOps team.
  • Create a precise and repeatable process that allows you to accurately measure success.

This Phantom playbook has been tested with many technology partners.


Chris Simmons
Director, Product Marketing
Phantom


Playbook Series: Ransomware: Detect, Block, Contain, and Remediate

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the sample playbooks included with the Phantom 2.0 platform release.

Ransomware is one of the leading threats facing organizations today. With high volumes of malicious inbound emails and already infected devices within your environment, regaining control over ransomware can be tedious and time-consuming.

The Phantom security automation and orchestration platform can help you investigate, block, and contain ransomware threats. With an expanded Ransomware playbook, the platform could also automate the remediation of infected devices. Deal with the volume of ransomware threats you face by using the Phantom platform to scale your investigations and response to meet the challenge.

Figure: Screenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests either a suspicious file or file hash from your current security infrastructure and triggers the Ransomware playbook, automating key investigation and containment steps:

  • get file – Downloads the file sample from a repository.
  • detonate file – Submits the file sample for sandbox analysis.
  • block ip – Configures your infrastructure to block access to IP addresses associated with the ransomware.
  • block hash – Configures your infrastructure to block access to files matching the hash of a malicious sample.
  • hunt file – Looks for indications of other infected devices in your environment.
  • terminate process – Terminates any instances of the malware actively executing.
  • quarantine device – Places the infected device in quarantine to prevent it from infecting other devices.
  • list connections – Examines a device’s active connections and adds newly discovered malicious IPs to the block ip action.
  • disable user – Disables the user’s account to prevent further malware propagation.


Chris Simmons
Director, Product Marketing
Phantom
