OASIS Mailing List Archives

cti message

Subject: Branching CoA / Playbook Example


Based on the CoA call I put together a quick and dirty simple example of
what a branch CoA would look like with dependencies on prior steps failing
or succeeding.

Since the format for action hasn't been decided I made a simple wrapper for
these, which is most likely incorrect, but that illustrates the idea of
dependent chained actions.

In the call there was talk about using a Playbook for this type of CoA,
which honestly might make more sense, but I still wanted to put this out
there.  This CoA or Playbook advises:

1. That a specific TCP port should be blocked
2. That a file should be searched for across the network.
3. Once this search is completed a specific registry key should be deleted.
4. After the port is blocked AND the registry key is deleted, copies of this file
should be deleted.
5. If the deletion fails, systems with this file should be taken offline.

{
    "type": "course-of-action",
    "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
    "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
    "created": "2017-05-04T20:03:48.000Z",
    "name": "Sample Complex CoA",
    "actions": [
        {
            "id": 1,
            "requires_success": [],
            "requires_failure": [],
            "description": "block inbound access to TCP port 45815"
        },
        {
            "id": 2,
            "requires_success": [],
            "requires_failure": [],
            "description": "Find all systems on the network for something with SHA256 Hash: abc..."
        },
        {
            "id": 3,
            "requires_success": [2],
            "requires_failure": [],
            "description": "Delete registry key Z"
        },
        {
            "id": 4,
            "requires_success": [1, 3],
            "requires_failure": [],
            "description": "Delete file with hash acb..."
        },
        {
            "id": 5,
            "requires_success": [],
            "requires_failure": [4],
            "description": "Take systems offline where delete fails"
        }
    ],
    "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
}

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
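Added example, not part of the message above or of any CTI TC deliverable: a small Python evaluator for the requires_success / requires_failure scheme the message sketches. It rebuilds the five-step CoA as a constructed sample (hashes kept as the "abc..." placeholders), checks that every dependency points at a real action and that the graph has no cycle (either would leave a playbook executor waiting forever), and reports which actions become runnable given the outcomes recorded so far. The function names and the `outcomes` map (action id to True for success, False for failure) are assumptions of this example.

```python
import json

# Constructed sample with the same five dependent actions as the message,
# syntax corrected; the hash values are placeholders, not real indicators.
SAMPLE_COA = json.loads("""
{
  "name": "Sample Complex CoA",
  "actions": [
    {"id": 1, "requires_success": [],     "requires_failure": [],  "description": "block inbound access to TCP port 45815"},
    {"id": 2, "requires_success": [],     "requires_failure": [],  "description": "Find systems holding file with SHA256 abc..."},
    {"id": 3, "requires_success": [2],    "requires_failure": [],  "description": "Delete registry key Z"},
    {"id": 4, "requires_success": [1, 3], "requires_failure": [],  "description": "Delete file with hash abc..."},
    {"id": 5, "requires_success": [],     "requires_failure": [4], "description": "Take systems offline where delete fails"}
  ]
}
""")


def validate_dependencies(coa):
    """Return problems found: references to unknown action ids, or a cycle."""
    deps = {a["id"]: a["requires_success"] + a["requires_failure"] for a in coa["actions"]}
    problems = [f"action {aid} depends on unknown action {d}"
                for aid, ds in deps.items() for d in ds if d not in deps]
    state = {}  # id -> "visiting" (on the current DFS path) or "done"

    def visit(aid):  # depth-first search; True when a back edge (cycle) is seen
        if state.get(aid) == "done":
            return False
        if state.get(aid) == "visiting":
            return True
        state[aid] = "visiting"
        found = any(visit(d) for d in deps[aid] if d in deps)
        state[aid] = "done"
        return found

    if any(visit(aid) for aid in deps):
        problems.append("dependency cycle detected")
    return problems


def runnable_actions(coa, outcomes):
    """Ids of actions not yet run whose conditions hold given `outcomes`
    (action id -> True for success, False for failure)."""
    ready = []
    for a in coa["actions"]:
        if a["id"] in outcomes:
            continue  # already executed
        if all(outcomes.get(d) is True for d in a["requires_success"]) and \
           all(outcomes.get(d) is False for d in a["requires_failure"]):
            ready.append(a["id"])
    return ready
```

Note that an action whose requires_failure dependency succeeded (step 5 after step 4 succeeds) is never returned; that is the intended branch-not-taken case rather than an error.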