Keyloggers are one of the most common types of malware that bad actors use to harvest and steal sensitive information. Although the data they target varies from passwords to credit card numbers to intellectual property, identifying and stopping keyloggers before they are able to exfiltrate sensitive information is a top priority for security teams worldwide.
To assist teams in achieving this goal, we present today’s entry to our playbook series—the Keylogger Response playbook. This playbook outlines how you can automate the investigation and containment of keylogger-infected endpoints. The playbook is designed to quickly investigate a suspected keylogger infection and contain it, if confirmed, until you can further investigate—reducing the chances that sensitive information will be lost.
The playbook then attempts to locate the affected VM, extract a file sample, and detonate the sample in a file analysis sandbox such as Cisco AMP Threat Grid.
If the file analysis results indicate that keylogging activity was detected, then the playbook executes the defined User Management Course of Action (CoA):
- Log off user
- Disable user
- Reset password
These actions limit the malware's ability to propagate laterally within the network using the compromised user's credentials.
Finally, the playbook executes the standard response actions that apply whenever malware is confirmed, whether or not it is a keylogger trojan:
- Block hash
- Terminate process
- Send email
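The decision flow described above, condensed into an added Python example (this is not Phantom's playbook code or its API; the report shape, the behavior names that count as keylogging, and the score cutoff are assumptions, and the sample reports are constructed):

```python
from dataclasses import dataclass

# Assumed, simplified shape of a sandbox verdict; the real Threat Grid report schema is not on the page.
@dataclass
class SandboxReport:
    sha256: str
    threat_score: int          # 0-100, higher is worse
    behaviors: list            # behavioral indicator names observed during detonation

# Indicator names treated as keylogging activity (assumed labels, not a vendor's real names)
KEYLOGGER_BEHAVIORS = {"keystroke-capture", "keyboard-hook-installed"}
MALWARE_THRESHOLD = 70         # assumed score cutoff for "malware confirmed"

def malware_confirmed(report: SandboxReport) -> bool:
    return report.threat_score >= MALWARE_THRESHOLD

def keylogger_detected(report: SandboxReport) -> bool:
    return any(b in KEYLOGGER_BEHAVIORS for b in report.behaviors)

def plan_response(report: SandboxReport, user: str, pid: int) -> list:
    """Return the ordered list of (action, parameters) the playbook would run."""
    actions = []
    if not malware_confirmed(report):
        return actions                      # benign or inconclusive: leave for manual investigation
    if keylogger_detected(report):
        # User Management CoA: cut off reuse of the captured credentials for lateral movement.
        # Gated on confirmation so a false positive does not lock out a legitimate user.
        actions += [("logoff user", {"user": user}),
                    ("disable user", {"user": user}),
                    ("reset password", {"user": user})]
    # Standard malware response, keylogger or not
    actions += [("block hash", {"hash": report.sha256}),
                ("terminate process", {"pid": pid}),
                ("send email", {"to": "soc@example.com",
                                "subject": f"Malware confirmed: {report.sha256[:12]}"})]
    return actions

# Constructed sample reports (hashes are placeholders, not real indicators)
KEYLOGGER_REPORT = SandboxReport("a" * 64, 95, ["keystroke-capture", "persistence-run-key"])
OTHER_MALWARE_REPORT = SandboxReport("b" * 64, 85, ["persistence-run-key"])
BENIGN_REPORT = SandboxReport("c" * 64, 10, [])

if __name__ == "__main__":
    for name, rep in [("keylogger", KEYLOGGER_REPORT), ("other", OTHER_MALWARE_REPORT), ("benign", BENIGN_REPORT)]:
        print(name, [a for a, _ in plan_response(rep, "jdoe", 4242)])
```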
Automating this workflow provides multiple benefits:
- Prevents data loss by executing your investigation and containment workflow the moment a keylogger infection is suspected.
- Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
- Ensures consistency by following your process the same way, every time.
Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.