Subject: Re: [cacao-chair] Re: [EXT] [cacao] Playbooks


Frans - We will discuss in the next meeting and we will present a proposal on the various aspects for discussion with the group.

regards

Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions <http://www.lookingglasscyber.com/>

On 9/29/19, 11:36 PM, "Frans Schippers" <cacao-chair@lists.oasis-open.org on behalf of f.h.schippers@hva.nl> wrote:

    Bret
    
    Seeing your examples, we must define what we think "Automated" means in the context of CACAO.
    These examples are high level and need context to be able to operate on.
    For example: "Call level one network support" only makes sense if the call also gives information about
    what happened, IP addresses (and roles) involved, what type of threat, etc.
    
    I really would like to be able to specify (in the end) actionable operations.
    For example "block src-ip x.x.x.x to server y.y.y.y for ports a,a in router c"
    which can then be implemented using the right instruction for a specific router.
    This also means that to apply this rule, context information about the local network is needed
    to determine the right router for this action and the router type to determine the right command.
    
    What do we see as the scope of CACAO?
    How much of the translation from the shared playbook to the actual action can be automated,
    how much information must be added by the user to make the playbook actionable.
    An escalation procedure can be different for each CACAO user.
    Do we address such issues?
    
    Could we talk about this next meeting (tomorrow)?
    
    Frans
    
    > On 26 Sep 2019, at 16:40, Bret Jordan <Bret_Jordan@symantec.com> wrote:
    > 
    > Frans,
    > 
    > Are you looking for examples of what exists in the SoC today?  If you search for "security playbooks" on Google the first 2 or 3 non-sponsored links have some visual examples.  In slide ware, when I talk about this, I often give the following examples as it is something that most people can easily understand:
    > 
    > Security Operations Center
    > • Open ticket with priority level 2
    > • Call level one network support
    > • If they do not respond within 10 minutes
    > • Escalate to level 2, then level 3, then management
    > Network Support
    > • Quarantine system to sandbox VLAN
    > Security Operations Center
    > • Call level one desktop support
    > • If they do not respond within 30 minutes
    > • Escalate to level 2, then level 3, then management
    > Desktop Support
    > • Delete run at start reg keys and triggers
    > • Reboot into SafeMode
    > • Kill process sysmg.exe then winsrvx.exe then xnc.exe
    > • Delete temp files
    > • Delete compromised files defined in KB article 311
    > • Delete other registry keys defined in KB article 312
    > • Reboot system into safe mode
    > • Verify processes do not restart after cleanup
    > • If this does not work, escalate
    > • Patch AV system and run updated AV scan
    > • Patch OS
    > • Run additional on-demand special AV scanners
    > • Reboot system to normal mode
    > • Update ticket
    > Network Support
    > • Monitor traffic from system for 90 minutes
    > • If no abnormal behavior is detected move system out of sandbox VLAN into a restricted watch VLAN for 24 hours
    > • If no user issues or abnormal behavior is detected move system to production VLAN
    > • Update and close ticket
    > 
    > Bret
    > 
    > 
    > 
    >> On Sep 26, 2019, at 1:34 AM, Frans Schippers <f.h.schippers@hva.nl> wrote:
    >> 
    >> Dear members
    >> 
    >> Can anyone share some playbooks with me?
    >> 
    >> Frans Schippers
    >> Cyber Security
    >> Lecturer / Researcher
    >> 
    >> Amsterdam University of Applied Science
    >> HBO-ICT
    >> Wibautstraat 2-4
    >> 1091 GM Amsterdam
    >> 
    >> PGP: 12D1 D930 488C 22B7 6AFF  BFF7 218C 865E D6E0 6B48
    >> 
    > 
    
    
    
    Frans Schippers
    Cyber Security
    Lecturer / Researcher
    
    Amsterdam University of Applied Science
    HBO-ICT
    Wibautstraat 2-4
    1091 GM Amsterdam
    
    PGP: 12D1 D930 488C 22B7 6AFF  BFF7 218C 865E D6E0 6B48
    
    

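The translation step Frans describes (a shared, vendor-neutral action such as "block src-ip to server on ports in router c", plus local network context, rendered into a device-specific command) can be sketched in code. What follows is an added example written for this thread, not CACAO's own data model or any project code; the action schema, the local router inventory, the function names and the two vendor command templates are all hypothetical and constructed for illustration. It shows the split the message asks about: the action is the shareable part, the inventory (which subnet each router fronts, what syntax it speaks) is what the receiving organisation must supply, and the tool refuses to guess when that context is missing.

```python
"""Translate an abstract playbook action into a device-specific command.

Added example for the question raised in the thread above; not CACAO's own
format or code. The action schema, the local inventory and the vendor
templates are hypothetical, constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockAction:
    """Shareable, vendor-neutral action: block src_ip -> dst_ip on ports."""
    src_ip: str
    dst_ip: str
    ports: tuple
    protocol: str = "tcp"


@dataclass(frozen=True)
class Router:
    """Local context the receiving organisation must add: which subnets a
    router fronts and which syntax it speaks. Constructed example data."""
    name: str
    vendor: str          # "ios" or "junos" in this example
    subnets: tuple


# Hypothetical local inventory. A shared playbook does not carry this;
# it is the part of the translation that the recipient has to provide.
LOCAL_ROUTERS = (
    Router("edge-1", "ios", ("203.0.113.0/24",)),
    Router("dc-1", "junos", ("198.51.100.0/24", "192.0.2.0/24")),
)


def find_router(dst_ip: str, routers=LOCAL_ROUTERS) -> Router:
    """Pick the router that fronts the destination server's subnet.
    Refuse to guess when the local context does not cover the address."""
    addr = ipaddress.ip_address(dst_ip)
    for router in routers:
        if any(addr in ipaddress.ip_network(net) for net in router.subnets):
            return router
    raise LookupError(f"no router in local context for {dst_ip}")


def normalise_ports(ports) -> tuple:
    """Validate and de-duplicate the port list ('ports a,a' in the text)."""
    clean = sorted({int(p) for p in ports})
    if not clean or any(not 0 < p < 65536 for p in clean):
        raise ValueError("ports must be in 1..65535")
    return tuple(clean)


def render(action: BlockAction, router: Router) -> list:
    """Render the abstract action in the target router's syntax.
    Inputs are validated before templating so a malformed playbook field
    cannot be pasted straight into a device command."""
    src = ipaddress.ip_address(action.src_ip)
    dst = ipaddress.ip_address(action.dst_ip)
    ports = normalise_ports(action.ports)
    proto = action.protocol
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if router.vendor == "ios":
        # Cisco IOS extended named ACL: one deny entry per port, then permit.
        lines = ["ip access-list extended CACAO-BLOCK"]
        lines += [f" deny {proto} host {src} host {dst} eq {p}" for p in ports]
        lines.append(" permit ip any any")
        return lines
    if router.vendor == "junos":
        # Junos firewall filter in 'set' form: a discarding term, then accept.
        base = "set firewall family inet filter CACAO-BLOCK term block-1"
        lines = [f"{base} from source-address {src}/32",
                 f"{base} from destination-address {dst}/32",
                 f"{base} from protocol {proto}"]
        lines += [f"{base} from destination-port {p}" for p in ports]
        lines.append(f"{base} then discard")
        lines.append("set firewall family inet filter CACAO-BLOCK term allow then accept")
        return lines
    raise NotImplementedError(f"no template for vendor {router.vendor!r}")


def compile_action(action: BlockAction, routers=LOCAL_ROUTERS) -> dict:
    """Full translation: abstract action + local context -> device commands."""
    router = find_router(action.dst_ip, routers)
    return {"router": router.name, "vendor": router.vendor,
            "commands": render(action, router)}


if __name__ == "__main__":
    act = BlockAction("203.0.113.9", "198.51.100.7", (22, 22, 443))
    result = compile_action(act)
    print(f"# {result['router']} ({result['vendor']})")
    for line in result["commands"]:
        print(line)
```

The two vendor templates are deliberately minimal (a single named filter, no interface binding) and stand in for whatever the local change process would actually push; the point of the example is the boundary between what a shared playbook can say and what only the local inventory can decide, and that the missing-context case surfaces as an error rather than a silently wrong command.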