Playbook Series: Email-based Orchestration

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample Community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight playbook for today is on Email-based Orchestration.

Email is one of the most common methods for delivering malware.  The most recent Symantec Internet Security Report claims email was used to carry some 1.7 billion pieces of malware around the Internet in 2014.

Many companies train users to forward suspicious emails to the Security Operations team.  Though the technique has helped to prevent countless phishing attacks against enterprises, it still leaves the Security Operations team with an inbox full of emails to investigate.

These suspicious emails often include URLs to inspect or even files to detonate in a sandbox in order to determine if they are actually malicious.  Our research shows that a security analyst can investigate a suspicious email in 45 – 60 minutes.

Though the process works, it is tedious for the analyst and inefficient for everyone involved.  A Phantom Email Ingestion Playbook can help.

Users still forward suspicious emails to a custom mailbox monitored by the Security Operations team.  (Some may even want to go as far as having all emails with attachments and URLs forwarded.)  In this case, though, Phantom also monitors that mailbox (via IMAP, for example), and any new email triggers a Playbook.  Phantom ingests the suspicious email and executes several actions:

  • If the email includes a file attachment, detonate it in a sandbox.
    • Set a “threat score” to help assess if the file is dangerous, and if so:
      • Hunt the data source to determine if the file has been seen before.
      • Access the Endpoint technology to determine if the file also exists elsewhere in the environment.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.
  • If the email includes URLs, take the following actions:
    • Detonate the URL to determine what happens when it is followed.
    • Look up the IPs, and enrich with Whois data.
    • Geolocate the country of origin and determine if it is of concern.
    • Set a “threat score” to determine if the URL is dangerous, and if so:
      • Hunt in the data source to determine if we have seen any other activity to or from this IP.
      • Potentially take corrective action such as “block ip”.
    • Hunt for the domain via a threat intel platform for attribution.
      • Potentially take corrective action such as “block ip”.

Phantom executes these actions automatically based on a Playbook the analyst has defined.  It happens without error and much faster than when this workflow is handled manually.
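The branching workflow listed above, as an added Python example that is not Phantom's own playbook code: it parses a constructed forwarded email with the standard library, hashes the attachment, extracts the body URLs, scores each artifact and queues the hunt/block actions. The sandbox, URL detonation and geolocation apps a real playbook would call are replaced here by constructed lookup tables (invented verdicts, placeholder country code "XX") so the example runs offline.

```python
import email, email.message, email.policy, hashlib, re
from urllib.parse import urlparse

# Constructed sample: a user-forwarded email with URLs in the body and a file attachment.
_msg = email.message.EmailMessage()
_msg.set_content("Please review http://198.51.100.7/pay and https://example.com/ok")
_msg.add_attachment(b"MZ-not-really-an-exe", maintype="application",
                    subtype="octet-stream", filename="invoice.exe")
RAW_EMAIL = _msg.as_bytes()

# Constructed stand-ins for the sandbox, URL detonation and geolocation lookups that a
# real playbook makes through Phantom apps; every verdict and country code is invented.
SANDBOX_VERDICT = {"invoice.exe": "malicious"}
URL_DETONATION = {"http://198.51.100.7/pay": "credential harvesting page"}
GEO_COUNTRY = {"198.51.100.7": "XX"}            # "XX" is a placeholder country code
COUNTRIES_OF_CONCERN = {"XX"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_artifacts(raw):
    urls, files = [], []
    for part in email.message_from_bytes(raw, policy=email.policy.default).walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            files.append((part.get_filename(), hashlib.sha256(part.get_content()).hexdigest()))
        elif part.get_content_maintype() == "text":
            urls += [u for u in URL_RE.findall(part.get_content()) if u not in urls]
    return urls, files

def score_url(url):
    score = 50 if url in URL_DETONATION else 0
    if GEO_COUNTRY.get(urlparse(url).hostname) in COUNTRIES_OF_CONCERN:
        score += 30
    return score

def triage(raw, threshold=60):
    # Mirror the playbook's branches: score each artifact, then queue hunt/block actions.
    urls, files = extract_artifacts(raw)
    scores, actions = {}, []
    for name, sha in files:
        scores[name] = 80 if SANDBOX_VERDICT.get(name) == "malicious" else 0
        if scores[name] >= threshold:
            actions += [("hunt file", sha), ("search endpoints", sha)]
    for url in urls:
        scores[url] = score_url(url)
        if scores[url] >= threshold:
            host = urlparse(url).hostname
            actions += [("hunt ip", host), ("block ip", host)]
    return scores, actions
```

Calling `triage(RAW_EMAIL)` returns the per-artifact scores and the queued actions; in a real playbook each queued action would be dispatched to the corresponding Phantom app.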

No longer does the analyst need to spend an hour collecting the context needed to assess a suspicious email.  In fact, as an additional step, the email and any related files can even be automatically removed from all mailboxes across the network, saving time on remediation.

The savings are substantial for an organization that sees even an average volume of suspicious email. 

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.
