Automating Threat Intelligence Actions With Splunk Phantom Playbooks
April 17, 2019 • Zane Pokorny
Splunk Phantom helps security professionals work smarter, respond faster, and strengthen their defenses through automation and orchestration. Phantom playbooks enable clients to create customized, repeatable security workflows that can be automated, and this integration with Recorded Future gives those playbooks access to threat intelligence data.
To better explain how this integration improves security functions across the board, we’ll go through two different use cases: enrichment and correlation.
Enrich Your Data With Threat Intelligence
Recorded Future’s Phantom enrichment action provides external details and context on indicators of compromise (IOCs). An indicator like an IP address, a server domain, or a list of hashes can be useful information when responding to an incident, or it can be completely useless. Irrelevant data and false positives abound in lists of indicators of compromise. Analysts need context to sort the wheat from the chaff — context like whether or not an IP address has already been associated with suspicious activity, for example.
But looking for this kind of context by hand is a time-consuming and inexact process. What single human analyst — or team of 10 or 20, for that matter — has the bandwidth to exhaustively research every indicator they come across daily?
Automating this process is a major use case for Phantom playbooks that integrate threat intelligence. When an IOC is passed over to Phantom, whether it’s via an IOC alert from Splunk Enterprise Security or as a new artifact in an incident, a playbook can be automatically invoked to get risk scores and associated context for those IOCs from Recorded Future. Then, the playbook’s decision logic can immediately escalate the IOC to a human analyst if it’s deemed risky, or pass over it if not.
With this context, analysts can discover real threats faster and prioritize the highest-risk ones while ignoring the alerts that don’t matter.
Correlate Internal and External Data
Threat actors are not, by and large, criminal masterminds who concoct unique schemes for carrying out their attacks every time they undertake a new operation. They do what works, and keep doing it the same way as long as they see results.
That means pattern recognition is an often reliable way to quickly identify suspicious activity and predict attacks — if you’ve got the right tools to do so. Splunk itself is a powerful tool for detecting these patterns, given its ability to correlate internal log data with malicious behavior and high-fidelity indicators. In addition to providing those high-fidelity indicators, Recorded Future can also enhance the correlated events with external threat context through a Phantom correlation action. Specific outcomes for each correlated event can be automatically chosen from the resulting threat intelligence, and repeatable, “hands free” actions can take place without requiring analyst oversight for each action.
For example, if Splunk issues a breach-IOC alert to Phantom based on suspicious log data, the Phantom playbook can enrich that IOC with threat intelligence from Recorded Future. If the IOC’s risk score crosses a set threshold or its risk string contains “malware,” the playbook can bring the alert to an analyst’s attention, or have the IOC blocked at the firewall or SDN level. Furthermore, the external threat context can be written back into Splunk for later review and record keeping.
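The decision logic sketched in the enrichment and correlation sections above, as an added illustration that is not Recorded Future’s or Splunk Phantom’s own playbook code: the Enrichment fields, the 0-99 risk score scale, the threshold values and the sample indicators are all assumptions constructed for this example.

```python
# Illustrative playbook-style triage for enriched IOCs (added example, not
# Recorded Future's or Phantom's API). Field names, the 0-99 score scale and
# the thresholds are assumptions; the sample data below is constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Action(Enum):
    IGNORE = "ignore"              # low risk: spend no analyst time on it
    ESCALATE = "escalate"          # hand to a human analyst
    BLOCK = "block_and_escalate"   # block at firewall/SDN, then notify analyst


@dataclass
class Enrichment:
    indicator: str
    risk_score: int                                        # assumed 0-99 scale
    risk_strings: List[str] = field(default_factory=list)  # assumed evidence labels


def decide(e: Enrichment, escalate_at: int = 65, block_at: int = 90) -> Action:
    """Apply the rule from the text: a score over the threshold, or a risk
    string mentioning malware, escalates; a very high score is blocked outright."""
    if e.risk_score >= block_at:
        return Action.BLOCK
    mentions_malware = any("malware" in s.lower() for s in e.risk_strings)
    if e.risk_score >= escalate_at or mentions_malware:
        return Action.ESCALATE
    return Action.IGNORE


def triage(enrichments: List[Enrichment]) -> Dict[str, List[Dict]]:
    """Bucket a batch of enriched IOCs by action, keeping the external context
    with each one so it can be written back to Splunk for record keeping."""
    buckets: Dict[str, List[Dict]] = {a.value: [] for a in Action}
    for e in enrichments:
        buckets[decide(e).value].append(
            {"indicator": e.indicator, "risk_score": e.risk_score,
             "evidence": list(e.risk_strings)})
    return buckets


# Constructed sample enrichment results (documentation-range addresses, not real IOCs).
SAMPLE = [
    Enrichment("198.51.100.7", 96, ["Recently Observed Command Server"]),
    Enrichment("example-login.invalid", 40, ["Historical Malware Distribution"]),
    Enrichment("203.0.113.9", 72, ["Recent Spam Source"]),
    Enrichment("192.0.2.44", 12, []),
]
```

Calling `triage(SAMPLE)` returns the block, escalate and ignore buckets with the evidence attached, which is the shape of data a playbook would pass on to an analyst or push back into Splunk.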
This proactive, intelligent, automatic blocking means that suspicious activity can be instantly cut off without needing human oversight, lowering your risk profile and preventing breaches.
Monitor for External Threats and Keywords
If the internet is like a vast library of information, then it’s a library with a pretty big and dark basement, full of piles of books that haven’t been cataloged (but no spiders, luckily). Even trying to keep up with one narrow topic — say, mentions of your own organization across the internet — can be an insurmountable task without automation.
Recorded Future alerting helps security professionals stay on top of external information like news, events, and risk factors important to your organization, like company mentions on social media or the dark web. Then, Phantom playbooks can speed up a team’s workflow review with alerting on company-specific entities found in that external data.
For example, this external monitoring might uncover some new typosquat domains, which may be the first sign of an impending phishing attack or form of fraud. A Phantom playbook can then be used to automate and orchestrate precautionary and remediation actions, like initiating takedown efforts.
Hunt Down Threats Proactively
Okay, we said before that most threat actors are not criminal masterminds — but some of them are pretty smart. Advanced persistent threats like actors funded and directed by nation-states are responsible for many of the most significant and devious cyberattacks of late. And regardless of the source, some attacks are just new and clever. Though statistically a minority, zero-day attacks do happen. What can be done?
More mature security operations may wish to go on the offensive and do some threat hunting. With Splunk Phantom and Recorded Future threat intelligence, threat hunters can proactively and iteratively search through networks to detect and isolate advanced threats that evade existing security solutions. This lets analysts quickly pull together related evidence and possibly reveal a larger threat.
For example, let’s say Splunk generates a suspicious event. Maybe it’s not an incident that demands an immediate response. But a security team with the expertise and the capacity to investigate further can use Recorded Future and Splunk Phantom to gather risk scores on those IOCs and expand the investigation to include related entities.
This playbook can significantly lower risk by giving analysts more time to spend on analysis rather than doing data collection manually. It’s a more advanced application of correlation — not something that every organization needs to focus on, but for those that can deploy an informed hunting capability, this represents a way to get off the back foot and switch from a defensive to offensive security posture.
For more information about how Recorded Future’s integration with Splunk Phantom helps security teams strengthen their defenses, feel free to request a demo today.