By Splunk November 04, 2016
Most security professionals will agree; the most reliable way to remediate Rootkit infections on Virtual Machines (VMs) is to re-image or revert the virtual machine to a pre-infected state. Today’s entry to our playbook series examines a Phantom playbook, included with our version 2.0 release of the platform, that automates this scenario.
The Phantom playbook begins by attempting to quarantine the infected VM. Next, the playbook collects information about the system that will aid in the downstream steps involved in recovering the endpoint. Depending on the running state of the VM, the playbook then uses encoded process logic and the Phantom decision engine to determine the next path in the workflow. If the VM is not currently running, Phantom attempts to revert the VM to a pre-infected state, unquarantine the endpoint, and send an email report of the activity. If the VM is actively running, Phantom attempts to terminate affected processes and disable affected user(s), create a ticket to have the machine re-imaged, and send an email summary.
Automating this workflow provides multiple benefits:
- Improves security by executing your containment and remediation workflow the moment a rootkit infection is confirmed.
- Increases the efficiency and productivity of your SecOps team.
- Ensures consistency by following your process the same way, every time.
Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.
----------------------------------------------------
Thanks!
Chris Simmons
----------------------------------------------------
Thanks!
Chris Simmons