As requested, I have pulled a few workflows that our SOC uses. They have been genericized, but they should give a general idea. Both of these flows are likely playbooks (which may contain
COAs), and a lot of it is manual (analyst driven). I don’t have great insight into our automated workflows, so I can’t give an example of them at the moment.
Forgive me if they’re not ‘correctly’ done in decision tree form. I wanted it to fit all on one page.
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
From: <cti@lists.oasis-open.org> on behalf of Paul Patrick <Paul.Patrick@FireEye.com>
Date: Friday, May 5, 2017 at 9:38 AM
To: Bret Jordan <Bret_Jordan@symantec.com>, "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example
Jeff,
Definitely a great start and along similar lines that we’ve been discussing internally.
Paul Patrick
From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, May 5, 2017 at 9:08 AM
To: "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example
This looks great. I really like the ideas you have captured.
Bret
Sent from my Commodore 64
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
Based on the CoA call I put together a quick and dirty simple example of
what a branch CoA would look like with dependencies on prior steps failing
or succeeding.
Since the format for action hasn't been decided I made a simple wrapper for
these, which is most likely incorrect, but that illustrates the idea of
dependent chained actions.
In the call there was talk about using a Playbook for this type of CoA,
which honestly might make more sense, but I still wanted to put this out
there. This CoA or Playbook advises:
1. That a specific TCP port should be blocked.
2. That a file should be searched for across the network.
3. Once this search is completed, a specific registry key should be deleted.
4. After the port is blocked AND the registry key is deleted, copies of this file
should be deleted.
5. If the deletion fails, systems with this file should be taken offline.
{
  "type": "course-of-action",
  "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
  "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
  "created": "2017-05-04T20:03:48.000Z",
  "name": "Sample Complex CoA",
  "actions": [
    {
      "id": 1,
      "requires_success": [],
      "requires_failure": [],
      "description": "block inbound access to TCP port 45815"
    },
    {
      "id": 2,
      "requires_success": [],
      "requires_failure": [],
      "description": "Find all systems on the network for something with SHA256 Hash: abc..."
    },
    {
      "id": 3,
      "requires_success": [2],
      "requires_failure": [],
      "description": "Delete registry key Z"
    },
    {
      "id": 4,
      "requires_success": [1, 3],
      "requires_failure": [],
      "description": "Delete file with hash acb..."
    },
    {
      "id": 5,
      "requires_success": [],
      "requires_failure": [4],
      "description": "Take systems offline where delete fails"
    }
  ],
  "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
}
Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
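The chained-dependency idea in Jeff's message, shown as an added example that is not part of this thread or of any OASIS/STIX specification: a small Python executor over that action list. The list is copied here as constructed data in the poster's own placeholder wrapper (the "actions" field is his quick wrapper, not a STIX property). The semantics it assumes are the ones implied by the five steps: an action becomes runnable only once every action it references has a final outcome; it runs if every requires_success reference succeeded and every requires_failure reference actually failed; otherwise it is skipped. That last rule is why step 5 ("take systems offline") does not fire when step 4 never ran because step 1 failed. The executor also rejects unknown ids, self-references and cycles up front, which is the check a real playbook runner wants before it touches any host. The execute callback is a hypothetical stand-in for the real enforcement action.

```python
"""Dependency-aware runner for a branching course-of-action (added example)."""
from typing import Callable, Dict, List, Set

Action = Dict[str, object]
Status = str  # "success", "failure" or "skipped"

# Constructed copy of the action list from the message above.
SAMPLE_ACTIONS: List[Action] = [
    {"id": 1, "requires_success": [], "requires_failure": [],
     "description": "block inbound access to TCP port 45815"},
    {"id": 2, "requires_success": [], "requires_failure": [],
     "description": "Find all systems on the network for something with SHA256 Hash: abc..."},
    {"id": 3, "requires_success": [2], "requires_failure": [],
     "description": "Delete registry key Z"},
    {"id": 4, "requires_success": [1, 3], "requires_failure": [],
     "description": "Delete file with hash acb..."},
    {"id": 5, "requires_success": [], "requires_failure": [4],
     "description": "Take systems offline where delete fails"},
]


def validate(actions: List[Action]) -> None:
    """Reject duplicate ids, dangling references and self-dependencies."""
    ids = [a["id"] for a in actions]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate action id")
    for a in actions:
        for dep in list(a["requires_success"]) + list(a["requires_failure"]):
            if dep not in ids:
                raise ValueError(f"action {a['id']} depends on unknown action {dep}")
            if dep == a["id"]:
                raise ValueError(f"action {a['id']} depends on itself")


def run_playbook(actions: List[Action],
                 execute: Callable[[Action], bool]) -> Dict[int, Status]:
    """Run actions in dependency order and return the outcome of each id.

    execute(action) performs the step and returns True on success. An action
    is skipped (never executed) when one of its gates is not met, e.g. a
    requires_success step that failed or a requires_failure step that was
    itself skipped rather than actually failing.
    """
    validate(actions)
    status: Dict[int, Status] = {}
    pending = {a["id"]: a for a in actions}
    while pending:
        # Ready = every referenced action already has a final outcome.
        ready = [a for a in pending.values()
                 if all(d in status for d in a["requires_success"])
                 and all(d in status for d in a["requires_failure"])]
        if not ready:
            # Nothing can make progress, so the remaining actions form a cycle.
            raise ValueError(f"dependency cycle among actions {sorted(pending)}")
        for a in ready:
            del pending[a["id"]]
            gates_ok = (all(status[d] == "success" for d in a["requires_success"])
                        and all(status[d] == "failure" for d in a["requires_failure"]))
            if not gates_ok:
                status[a["id"]] = "skipped"
                continue
            status[a["id"]] = "success" if execute(a) else "failure"
    return status


def simulate(failing_ids: Set[int]) -> Callable[[Action], bool]:
    """Hypothetical executor: every step succeeds except the listed ids."""
    def execute(action: Action) -> bool:
        return action["id"] not in failing_ids
    return execute


if __name__ == "__main__":
    for failing in (set(), {4}, {1}):
        print(f"failing={sorted(failing)} ->", run_playbook(SAMPLE_ACTIONS, simulate(failing)))
```

Running it with nothing failing leaves step 5 skipped; failing step 4 triggers step 5; failing step 1 skips both 4 and 5, because the file was never deleted and so the "delete fails" branch was never reached.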