Subject: Branching CoA / Playbook Example
Based on the CoA call I put together a quick and dirty simple example of what a branch CoA would look like with dependencies on prior steps failing or succeeding. Since the format for action hasn't been decided I made a simple wrapper for these, which is most likely incorrect, but that illustrates the idea of dependent chained actions. In the call there was talk about using a Playbook for this type of CoA, which honestly might make more sense, but I still wanted to put this out there.

This CoA or Playbook advises:

1. That a specific TCP port should be blocked.
2. That a file should be searched for across the network.
3. Once this search is completed a specific registry key should be deleted.
4. After the port is blocked AND registry key is deleted copies of this file should be deleted.
5. If the deletion fails systems with this file should be taken offline.

    {
      "type": "course-of-action",
      "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
      "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
      "created": "2017-05-04T20:03:48.000Z",
      "name": "Sample Complex CoA",
      "actions": [
        {
          "id": 1,
          "requires_success": [],
          "requires_failure": [],
          "description": "block inbound access to TCP port 45815"
        },
        {
          "id": 2,
          "requires_success": [],
          "requires_failure": [],
          "description": "Find all systems on the network for something with SHA256 Hash: abc..."
        },
        {
          "id": 3,
          "requires_success": [2],
          "requires_failure": [],
          "description": "Delete registry key Z"
        },
        {
          "id": 4,
          "requires_success": [1, 3],
          "requires_failure": [],
          "description": "Delete file with hash acb..."
        },
        {
          "id": 5,
          "requires_success": [],
          "requires_failure": [4],
          "description": "Take systems offline where delete fails"
        }
      ],
      "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
    }

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
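A small runner for the dependency semantics sketched in this message, added here as an example and not part of the original post or any STIX/CoA specification. It assumes the `requires_success` / `requires_failure` fields as written above, a hypothetical `execute(action)` handler that returns True on success, and a constructed copy of the sample CoA with its missing commas supplied.

```python
"""Dependency-driven runner for a branching CoA (added example, not from the post)."""
from typing import Callable

# Constructed sample mirroring the post's JSON, with the missing commas added.
SAMPLE_COA = {
    "type": "course-of-action",
    "name": "Sample Complex CoA",
    "actions": [
        {"id": 1, "requires_success": [], "requires_failure": [], "description": "block TCP port 45815"},
        {"id": 2, "requires_success": [], "requires_failure": [], "description": "find hosts with file abc..."},
        {"id": 3, "requires_success": [2], "requires_failure": [], "description": "delete registry key Z"},
        {"id": 4, "requires_success": [1, 3], "requires_failure": [], "description": "delete file abc..."},
        {"id": 5, "requires_success": [], "requires_failure": [4], "description": "take hosts offline"},
    ],
}

def run_coa(coa: dict, execute: Callable[[dict], bool]) -> list[tuple[int, str]]:
    """Run each action once its dependencies have settled.

    execute(action) is a hypothetical handler returning True on success.
    Returns an ordered trace of (id, outcome), outcome in {"success",
    "failure", "skipped"}; "skipped" means a dependency settled the wrong
    way, so the action can never become eligible (e.g. action 5 when 4 succeeds).
    """
    actions = {a["id"]: a for a in coa["actions"]}
    state: dict[int, str] = {}
    trace: list[tuple[int, str]] = []
    pending = list(actions)
    while pending:
        progressed = False
        for aid in list(pending):
            need_ok = actions[aid]["requires_success"]
            need_fail = actions[aid]["requires_failure"]
            # A dependency that ended opposite to what this action needs blocks it for good.
            if any(state.get(d) in ("failure", "skipped") for d in need_ok) or \
               any(state.get(d) in ("success", "skipped") for d in need_fail):
                state[aid] = "skipped"
            elif all(state.get(d) == "success" for d in need_ok) and \
                 all(state.get(d) == "failure" for d in need_fail):
                state[aid] = "success" if execute(actions[aid]) else "failure"
            else:
                continue  # some dependency has not settled yet; revisit next pass
            trace.append((aid, state[aid]))
            pending.remove(aid)
            progressed = True
        if not progressed:  # dependency cycle or reference to an unknown action id
            raise ValueError(f"unresolvable dependencies among actions {pending}")
    return trace

if __name__ == "__main__":
    # Simulate the file deletion (action 4) failing so the fallback action 5 fires.
    print(run_coa(SAMPLE_COA, lambda a: a["id"] != 4))
```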