SECURITY

Playbook Series: Hunt for Community-Sourced IOCs and Artifacts in Your Environment

Most security teams would love to be able to follow up on every Indicator of Compromise (IOC) or artifact that they receive from the security community at large. Whether the piece of intelligence comes from trusted circles or from threat intelligence providers, the reality today is that security teams have many more “tips” than they have time to adequately investigate. The teams often have to prioritize their threat hunting activities, leading to the possibility of missing the crucial tip that would have led to the prevention of a successful attack.

The scenario described above highlights the power of Phantom security automation and orchestration. The Phantom platform can receive community-based intelligence and automatically execute enrichment and threat hunting steps for every IOC and artifact within your environment. Phantom can eliminate intelligence that is not found in your environment. But more importantly, it can identify the threats that are present and begin an automated investigation and/or action playbook or escalate the intelligence up to a human analyst for further analysis and decision making.

 

threat-hunting-sample-onboarding-playbookScreenshot from the Phantom platform’s new visual playbook editor. The Threat Hunting playbook is just one of the many real-world samples available with Phantom 2.0.

 

 

 

 

threat-hunting-sample-supported-vendors

 

 

 

As shown in the above diagram, the Phantom platform ingests threat intelligence from a community source and then triggers the Threat Hunting playbook automating the following steps

  • Enrich an IOC/artifact with context from other threat intelligence sources
  • Search for the IOC/artifact in logs collected by the SIEM platform
  • Search for the IOC/artifact on managed endpoints in real time
  • Automatically dismiss intelligence items which are false positives
  • Automatically escalate intelligence items found within the local environment

Automating this process in Phantom has several benefits including

  • Increased scalability—Follow up on every tip coming from your communities
  • Increased security—Never miss a real attack due to volume or workload
  • Increased efficiency—Save time by automating key context-gathering steps and provide a big-picture view to human analysts
  • Increased precision—Ensure your processes are handled accurately and consistently every time

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition.

 

 

 

Chris Simmons
Posted by

Chris Simmons

Chris Simmons is a Senior Product Marketing Manager with Splunk. Chris currently focuses on the Splunk Phantom platform and the Security Orchestration, Automation and Response segment of the security market. Previously, he led Product Marketing at Phantom and has held various product roles at IBM, Cisco, Sourcefire, and Fortinet.

TAGS

Playbook Series: Hunt for Community-Sourced IOCs and Artifacts in Your Environment

Show All Tags
Show Less Tags

Join the Discussion