Playbooks: Going Beyond Incident Response Use Cases

Before joining Phantom, I worked in several security operations roles at a large electric power company. During my time there, we built out our Security Operations Center (SOC) and added numerous security tools to identify, investigate, and respond to cyber threats. As we grew, I realized how difficult it was just to keep track of all the security tools and data sources we had, much less realize their true potential. When I first came across the Phantom Platform, I immediately realized that the promise of orchestration between tools and automation of common workflows into digital playbooks was sorely needed in the security operations community. While Phantom has many incident response driven use cases and applications, the flexibility and extensibility of the platform also offer teams many other applications in the security operations context. Let me give you a couple of examples.

Automated Monitoring of Privileged Groups

Often one of the hardest things for a security incident responder or security content creator to get their arms around is their own organization’s environment. Keeping track of when a user gets added to a particular group (such as Domain Admins or other privileged groups) can be very useful to detect careless or fast-acting intruders or even insider threats. Advanced attackers will try and often succeed at blending in by compromising existing users. They also may try adding unauthorized users to privileged groups along the way. This can be an event of interest, but to investigate every occurrence of this type of event manually would be tedious or require yet another specialized security tool.

With Phantom, it’s as simple as building a custom list with the current members of the group, then building a playbook with the Phantom Visual Playbook Editor to query Active Directory (AD) for a list of users in a desired group, check the members of the AD group against that custom list members and notify an analyst if there are any additions. In order to demonstrate this, we’ve built such a playbook and published to our community site. This playbook makes it so easy to set up, it even creates the custom list for you from the first AD query! Just import it and run it!

Beyond this particular example of privileged AD users, this idea could be used to track all sorts of information within an organization’s environment—set up Phantom to query the authoritative source, check against a custom list and take action based on new additions.

Automated Website Unblock Requests

Another good example of an automation worthy processes is website unblock requests. Many organizations use a web proxy to block unwanted and/or malicious web traffic. Sometimes these proxies block sites necessary for employees to do their job, so the employees have to specifically request access to the blocked sites. Normally, this process involves a security analyst doing some research on the requested site to determine if it is ok for the employee to visit. Why not automate that process for greater efficiency? When given the blocked URL, either in a defined Common Event Format (CEF) field or through parsing and extracting the URL from an existing ticket in your current IT service management platform (e.g. ServiceNow, JIRA, BMC Remedy, etc.), perform some automated lookups on the URL to see if it’s “known bad” from the reputation services you use, get a screenshot of the URL and/or detonate it in a Sandbox. Use Phantom’s “Prompt” feature in the visual playbook editor to expedite the approval process from the security analyst. Once approval is granted or denied, Phantom can easily either automatically close the ticket, notify the user and/or implement the unblock on the proxy as appropriate. We have published an example playbook to our community site that is designed to perform this process.

Conclusion

These are just a couple of examples outside the normal Incident Response (IR) wheelhouse that Phantom is so excellent at handling. While Phantom is most quickly recognized as a huge value for automating IR process, Phantom is a boon for any security operator who finds themselves performing repetitive tasks.

You can download these playbooks from within the Phantom Platform by syncing with Phantom Community Git repository or gain access to them directly from the Phantom Community site:

• Automated Monitoring of Privileged Groups
• Automated Website Unblock Requests

Tim Frazier
Security Engineer
Phantom

Connect with Tim on LinkedIn to continue the discussion.

----------------------------------------------------
Thanks!
Tim Frazier