By Splunk January 04, 2017
If you are one of the many security analysts that receives threat intelligence about compromised user accounts, you understand the significant amount of time it takes to investigate and respond to each report. In many practices the manual process might include:
- Parsing the inbound threat intelligence for Indicators of Compromise (IoCs) like username and password pairs
- Hunting for the IoCs in your local environment
- Disabling and/or resetting compromised accounts
- Communicating with affected users to recover access
In the pursuit of greater efficiency and scale, this process is well suited for automation by the Phantom security automation and orchestration platform.
Sample playbook where Phantom automates Flashpoint threat intelligence to secure compromised accounts.
With Phantom, compromised account threat intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:
- Identify users who have been compromised
- Obtain user attributes
- Query for suspicious activity
- Notify the user of the compromise
- Force a password reset
- Optionally disable the user account
Automating this process with the Phantom platform has several benefits including:
- Frees up human resources for other critical investigations
- Reduces the response time for the threat from minutes or hours down to seconds
- Ensuring the process is handled accurately and consistently every time
Mitigating threats that might use compromised accounts is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses. You can read more about the Phantom platform and playbooks here.
----------------------------------------------------
Thanks!
Chris Simmons
----------------------------------------------------
Thanks!
Chris Simmons