Hi, my name is Tibor Földesi and I have been working as a Security Automation Analyst for Norlys in Denmark for almost 2 years now. My main tasks include log analytics, SIEM content engineering, automation & orchestration, and consuming and generating threat intel.
I have been using Splunk Enterprise Security and Phantom together for more than 3 years and I still love them and still haven't got bored of them. Why? Because I really don't like to do the same thing twice.
I work for Norlys; we operate in the Jutland region of Denmark. We recently had a big merger, so today we have more than 700k owners, 700 board members, 2500 employees and more than 1.5M customers.
We are the biggest power utility and telecommunications concern in Denmark.
Phantom’s flexible app model supports hundreds of tools and thousands of unique APIs, enabling you to connect and coordinate complex workflows across your team and tools. Powerful abstraction allows you to focus on what you want to accomplish, while the platform translates that into tool-specific actions.
In human language: imagine you have a box of LEGO bricks, but you are not really sure yet what you actually want to build. Phantom is here to organize and guide you through the building process, like the building manuals for LEGO sets:
You can follow those, or you can go wild and follow your imagination.
"Every battle is won or lost before it is fought." - Sun Tzu said this more than 2000 years ago, meaning if you are prepared, almost nothing can surprise you. I believe this quote applies to today’s cyber landscape really well.
The security analytics team of Norlys was hired in late 2017 with the idea of understanding and developing the analytics and incident response capabilities of the company. I joined them a little bit later, in February 2018.
We had a clear vision from the start:
Hire top-level talent with different kinds of expertise
Collect every log we can
Automate the repetitive and boring tasks
Drink coffee and enjoy the work, spend time on serious things, like threat hunting and building detections
Your company will face some kind of IT breach sooner or later, but there are some questions regarding that:
Will you be able to detect it?
Will you be able to respond?
Will you be able to remediate?
Our situation was hard: hundreds of gigabytes of logs/day, but only a handful of people in security analytics. We were considering automation from day one.
We were struggling with: repetitive tasks, a myriad of tools, slow web interfaces, lack of internal processes.
We wanted: a centralized Mission Control for our investigations, with the option to document and automate most of our job.
Then we started to evaluate whether Phantom was the right SOAR tool for us. We used the free Community Edition for 6 months, then made the decision to purchase it. Compared to other automation & orchestration tools, we saw a great advantage in its documentation and incident handling capabilities.
The first step was using Phantom for documentation and adding every piece of information manually. Imagine Notepad++ on steroids. You actually use it, because it is so easy to use.
The second step was configuring and installing applications to semi-automate different kinds of tasks. We started to investigate what "built-in" functions we could use out of the box. For example, containing a machine, or figuring out whether an endpoint is online.
The third step was chaining the apps together and creating playbooks. When we were comfortable with manual tasks, we started to think that we wanted to drink more coffee and work even less, so what if we could chain actions together? For example, when a ticket is created, send a notification to our chat tool and check whether the suspicious file hash is malicious.
The fourth step was customizing the playbooks with custom Python code. We had some really crazy ideas that went beyond the possibilities of Phantom, and almost all of them were realized through using some custom code.
The fifth step was finally connecting Splunk and Phantom for a closer integration.
Selected notable alerts from Splunk ES are now forwarded to Phantom – automated ticket creation – instant ticket creation vs. 10 minutes of manual work
Some tickets are automatically initiating enrichment actions – automated ticket enrichment – 30 seconds vs 30 minutes
Advanced incident handling capabilities: Case Management allows us to document and maintain our processes inside Phantom; also, if you have a lot of events you can merge them into a single one with a few clicks, or you can even automate it
As you can see here, at Norlys we gather every log we can, then some alerts created by Splunk are automatically forwarded to Phantom. Through Phantom you can initiate actions with specific Apps.
If you have an Endpoint Response tool:
You can download files from endpoints
You can run PowerShell scripts on endpoints
You can automate tasks that you usually click through in the web interface
And all of this is properly documented and also visualized with a timeline. If your organisation is mature enough, you can even handle the full OODA-loop (observe–orient–decide–act) without any human interaction. Of course to do that you need to have the right employees with the skillset and willingness for automation. I was working in SOCs for many years and was bored of repetitive tasks, so in my mind, automation is helping to keep IT Security interesting and relevant.
I am going to show you 6 use cases we have at Norlys:
The first one will show you how we implemented the four-eyes principle for major decision-making actions.
The second one will show you in a case of antivirus alerts how Phantom automatically grabs the file from the endpoints and uploads it to a malware sandbox for analysis
The third one will show you in a case of malicious domain alert how Phantom is grabbing the browsing history from the user’s machine
Let's say a company faces a very serious ransomware infection in their production environment. The incident handlers might make a decision to contain all the production servers in order to stop the infection from spreading.
Also let’s say the senior analyst has to approve it before it actually happens and it has to be documented before it happens.
Usually in the past I saw this happening in the following way:
a mail chain with 100+ mails asking for verification from at least two level 3 analysts before initiating the actions
Action initiated manually by someone in the web interface, hence there is no real documentation
Mail is attached to the ticket for documentation, but still no one knows who actually initiated the action
We managed to handle this in the following way:
Let’s say the manager or a level 3 analyst is initiating the production server group containment
All the level 3 analysts get a notification for this action
An action lists all the group IDs, and if two separate level 3 analysts pick the same group, the action proceeds
Everything is documented in the ticket with timestamps
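The approval flow just described, as an added example that is not Norlys' playbook code and does not call the Phantom API: two distinct level 3 analysts must pick the same group ID before the containment callback runs, a repeated click by the same analyst never counts as a second pair of eyes, and every decision is written to an audit list with a timestamp. It also models the per-analyst second-factor check that the improved version of the playbook adds. The analyst names, group IDs, the in-memory vote store and the audit list are constructed for the demo; in a real playbook the votes and audit lines would be written to the ticket itself.

```python
"""Four-eyes gate for a high-impact containment action (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class ApprovalGate:
    """Requires `required` distinct level 3 analysts to pick the same group."""
    required: int = 2
    # group_id -> {analyst: timestamp}; constructed in-memory store, stands
    # in for votes recorded on the ticket in a real playbook
    votes: dict = field(default_factory=dict)
    # one line per decision, so "who approved what, and when" is never lost
    audit: list = field(default_factory=list)

    def _log(self, line: str) -> None:
        self.audit.append(f"{_now()} {line}")

    def approve(self, group_id: str, analyst: str,
                is_level3: bool, second_factor_ok: bool) -> str:
        """Record one analyst's approval and return the gate's state."""
        if not is_level3:
            self._log(f"REJECTED {analyst} on {group_id}: not level 3")
            return "rejected: not level 3"
        if not second_factor_ok:
            # result of the analyst's MFA prompt, passed in by the caller
            self._log(f"REJECTED {analyst} on {group_id}: second factor failed")
            return "rejected: second factor failed"
        group_votes = self.votes.setdefault(group_id, {})
        if analyst in group_votes:
            # the same person clicking twice must never count as two eyes
            self._log(f"IGNORED duplicate vote by {analyst} on {group_id}")
            return "ignored: duplicate vote"
        group_votes[analyst] = _now()
        self._log(f"APPROVED {group_id} by {analyst} "
                  f"({len(group_votes)}/{self.required})")
        if len(group_votes) >= self.required:
            self._log(f"PROCEED containment of {group_id}")
            return "proceed"
        return "pending"

    def approvers(self, group_id: str) -> list:
        """Sorted names of the analysts who approved this group so far."""
        return sorted(self.votes.get(group_id, {}))


def contain_if_approved(gate: ApprovalGate, group_id: str, contain) -> bool:
    """Run the containment callback only once the gate has enough approvals."""
    if len(gate.votes.get(group_id, {})) >= gate.required:
        contain(group_id)
        return True
    return False


if __name__ == "__main__":
    gate = ApprovalGate()
    print(gate.approve("prod-servers", "alice", True, True))  # pending
    print(gate.approve("prod-servers", "alice", True, True))  # ignored: duplicate vote
    print(gate.approve("prod-servers", "bob", True, True))    # proceed
    print(contain_if_approved(gate, "prod-servers", lambda g: print("containing", g)))
    print("\n".join(gate.audit))
```

The callback passed to `contain_if_approved` is where the real containment action would go; keeping it separate from the gate means the decision logic can be tested without touching any endpoint tool.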
But this was not even close to perfect.
This is how the playbook looks today:
We require DUO 2FA authentication from both level 3 analysts
More robust and stable than before
Better documentation
In the case of an antivirus alert, a ticket is automatically created in Phantom. This playbook grabs the quarantined file from the endpoint, then uploads it to a malware sandbox. After some delay, it downloads the summary in PDF form and presents it to the analyst.
Not a perfect playbook, but how to improve it?
Splunk’s Professional Services helped us to improve our existing playbooks. Today this playbook is:
Using a lot fewer resources than before
Scheduled to check the sandbox job every 2 minutes
No human interaction is needed
If the sandbox analysis is done, the analyst is presented with a PDF report to make a decision
In case of a bad domain/IP alert, this playbook:
Copies NirSoft's BrowsingHistoryView to the endpoint
Runs it with CSV output
Grabs the file from the machine and puts it into the ticket's file vault
Cleans up the temporary files after the process
This playbook was completely built on a previously written custom code, but Splunk’s Professional Services helped us to simplify it.
The playbook today uses zero custom code, now we are only using actions provided by the Apps.
Very visual
Even a non-coder can understand or edit it
Much easier to debug.
The other 3 use cases will be the following:
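Once the history CSV is in the ticket's vault, the first question on a bad-domain alert is whether the user actually visited the domain, when, and from which browser. The following is an added example of that triage step, not code from the talk's playbook: it matches the URL host against the alerted domain and its subdomains (a plain substring test would also match look-alike hosts such as `notevil-updates.example.com`) and builds a compact summary for a ticket note. The column names and rows are constructed; check them against the real tool's CSV header before relying on them.

```python
"""Triage a browser-history CSV pulled from an endpoint (added example)."""
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. The header is an assumption about the tool's
# CSV layout; a real export may carry more columns in a different order.
SAMPLE_CSV = """URL,Title,Visit Time,Web Browser
https://intranet.example.net/,Intranet,2020-05-04 08:01:12,Chrome
http://evil-updates.example.com/dl/setup.exe,Setup,2020-05-04 08:13:44,Chrome
https://cdn.evil-updates.example.com/a.js,,2020-05-04 08:13:45,Chrome
https://notevil-updates.example.com/,Shop,2020-05-04 09:00:00,Firefox
https://mail.example.net/,Mail,2020-05-04 09:10:00,Firefox
"""


def host_matches(url: str, bad_domain: str) -> bool:
    """True if the URL's host is bad_domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    bad = bad_domain.lower().strip(".")
    return host == bad or host.endswith("." + bad)


def find_visits(csv_text: str, bad_domain: str) -> list:
    """Return the history rows whose host matches bad_domain, oldest first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = [row for row in reader if host_matches(row.get("URL", ""), bad_domain)]
    hits.sort(key=lambda r: r.get("Visit Time", ""))
    return hits


def summarize(csv_text: str, bad_domain: str) -> dict:
    """Compact summary suitable for a ticket note or a chat notification."""
    hits = find_visits(csv_text, bad_domain)
    return {
        "domain": bad_domain,
        "visits": len(hits),
        "first_seen": hits[0]["Visit Time"] if hits else None,
        "browsers": sorted({h["Web Browser"] for h in hits}),
        "urls": [h["URL"] for h in hits],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV, "evil-updates.example.com"))
```

Sorting by the visit-time string works here because the constructed timestamps are zero-padded ISO-style; if the tool emits locale-formatted dates, parse them with `datetime.strptime` before sorting.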
Creating a dashboard-like visualization for analysts
Notifying analysts if a ticket was opened automatically
Initiate memory capture remotely
And that’s what I like. The top 5 things, I usually check when I open a ticket:
Hostname
OS running
User currently using the machine
The file that triggered the alert
The action the Antivirus made
On a weekend when I'm on duty I don't want to manually check every 4 hours whether a high severity ticket has been opened. Instead of checking manually, I just want a single notification on my phone telling me to check Phantom.
This playbook sends me a pre-formatted message with a clickable link to the ticket. It can be a chat notification or an e-mail, based on your preference.
If an investigation requires capturing memory from an endpoint, that is also possible with a playbook that requires zero human interaction.
This playbook initiates the memory capture action, then checks after 10 minutes whether the action has finished. If not, it automatically checks again in 5 minutes. If yes, the analyst gets a notification.
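The sandbox playbook and the memory capture playbook share one shape: start a long-running action, wait, re-check on a schedule, and notify the analyst when it is done. The block below is an added example of that pattern, not Norlys' playbook code, and it does not use Phantom's own scheduling. It adds the bound a practitioner wants: a maximum number of checks, so a job that never reports completion surfaces as a timeout the analyst sees instead of a playbook polling forever. The fake job, the injectable `sleep` function and the ticket URL format are constructed for the demo.

```python
"""Bounded polling of a long-running endpoint action, then a notification
(added example)."""
from typing import Callable, Tuple

# Hypothetical ticket link format; substitute your Phantom host and the
# real URL of the container.
TICKET_URL = "https://phantom.example.internal/tickets/{ticket_id}"


class FakeJob:
    """Stands in for an EDR or sandbox job that finishes after n status checks."""

    def __init__(self, checks_until_done: int):
        self.remaining = checks_until_done
        self.checks = 0

    def status(self) -> str:
        self.checks += 1
        self.remaining -= 1
        return "done" if self.remaining <= 0 else "running"


def poll_until_done(check: Callable[[], str], initial_delay_s: int,
                    interval_s: int, max_checks: int,
                    sleep: Callable[[int], None]) -> Tuple[str, int]:
    """Wait initial_delay_s, then call check() every interval_s seconds.

    Returns (final_status, checks_made). Stops after max_checks calls with
    status 'timeout' rather than polling indefinitely.
    """
    sleep(initial_delay_s)
    for n in range(1, max_checks + 1):
        if check() == "done":
            return "done", n
        if n < max_checks:
            sleep(interval_s)
    return "timeout", max_checks


def notification(ticket_id: int, hostname: str, action: str, status: str) -> str:
    """Pre-formatted one-line message with a clickable link to the ticket."""
    tag = "ACTION NEEDED" if status == "timeout" else "INFO"
    link = TICKET_URL.format(ticket_id=ticket_id)
    return f"[{tag}] {action} {status} on {hostname}: {link}"


def memory_capture_playbook(job: FakeJob, ticket_id: int, hostname: str,
                            sleep: Callable[[int], None] = lambda s: None) -> str:
    """First check after 10 minutes, then every 5 minutes, at most 12 checks
    (roughly one hour) before giving up with a timeout notification."""
    status, _ = poll_until_done(job.status, 600, 300, 12, sleep)
    return notification(ticket_id, hostname, "memory capture", status)


if __name__ == "__main__":
    delays = []  # record the sleeps instead of actually waiting
    print(memory_capture_playbook(FakeJob(3), 42, "ws-0123", delays.append))
    print(delays)  # [600, 300, 300]
```

Passing `time.sleep` as the `sleep` argument gives the real waiting behaviour; passing a list's `append`, as in the `__main__` block, lets the schedule be checked in a test without any delay. The sandbox variant is the same call with `0, 120` as the delays.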
This is how a ticket (or an event) looks in Phantom. On the left you have an activity timeline, in the middle you have a visual timeline and at the bottom you can have a visual representation of the output of your actions.
We tell each other in the team: if we can make coffee whenever we want, then we are doing a good job.
Mostly, we measure our success by whether:
We don’t have to disturb the users
We don’t have to physically obtain the machines for forensics
We can at least semi-automate investigation and documentation tasks (the more the better)
And the real advantage here: in a matter of seconds we have enough information to make decisions and take actions, we don’t have to wait for anyone
Instead of opening tickets and doing the forensics manually we can:
Drink coffee
Do threat hunting
Do training
Help each other to be better
There are 5 key takeaways for today:
Splunk offers professional services for Phantom, helping you and your team to achieve your automation goals
Have a separate environment for testing :)
If you hit walls with Phantom, the option is there to implement your own custom code or even your own custom application
The Community Edition is free up to 100 actions / day, more than enough to try, we used the Community Edition for 6 months
There is a friendly Slack community out there, someone will help you out very fast
Links for getting started
Applications are now open source!
New per-seat license model has been introduced
Python 3 support will come soon
Mission Control dashboard for Splunk cloud environment
Mobile app is now available with Phantom 4.6