Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Playbook: Risk-Based Domain Blocking
By
Splunk
New domains are created everyday as part of the normal operation of the Internet Domain Name Service (DNS). Unfortunately, bad actors commonly use newly created domains for criminal activities like spam, malware distribution, or botnet command and control (C&C). They commonly use the new domains within the first few minutes of creating them—making it difficult to build effective domain-based blocking policies.
This playbook uses domain reputation from a threat intelligence service to risk score a domain. It then uses a cloud-based security policy enforcement tool to block access to the domain.
DomainTools is used as the threat intelligence service and Cisco Umbrella (OpenDNS) is used as the cloud-based security policy enforcement service in this sample playbook.
User Prompt and Block Domain Playbook on the Phantom PlatformThe playbook executes the following steps:
- First, an event container containing a domain name is ingested, which triggers the playbook to retrieve the domain’s reputation. Domain reputation intelligence from DomainTools contains a risk score. This risk score is used for decision-making in the next step.
- If the risk score is less than 80 (on a scale of 0 to 100), then playbook execution ends.
- If the risk score is equal to or greater than 80, then playbook execution continues.
- The playbook then issues a prompt to users in the role of Automation Engineer to insert human decision making into the loop. If the user cancels the block domain action, playbook execution ends.
- If the user confirms the block domain action, the playbook executes the block domain action on security policy enforcement tool for 60 minutes. After this period, the domain block is programmatically removed. Playbook execution then ends.
Note that this is an example playbook. You might customize this playbook to include other user types or perform additional security actions. You can also adapt the playbook to match the Phantom Apps and Assets that your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for malicious domains.
You can get this playbook from either the Phantom Community or directly from the Phantom Platform. If you don’t currently use the Phantom Platform, we invite you download the free Community Edition today.
----------------------------------------------------
Thanks!
Chris Simmons
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
