
Subject: Re: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example



Definitely a great start and along similar lines that we’ve been discussing internally.



Paul Patrick



From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, May 5, 2017 at 9:08 AM
To: "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example




This looks great.  I really like the ideas you have captured.



Sent from my Commodore 64 


PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

On May 4, 2017, at 2:14 PM, Mates, Jeffrey CIV DC3DCCI <Jeffrey.Mates@dc3.mil> wrote:

Based on the CoA call I put together a quick and dirty simple example of
what a branch CoA would look like with dependencies on prior steps failing
or succeeding.

Since the format for action hasn't been decided I made a simple wrapper for
these, which is most likely incorrect, but that illustrates the idea of
dependent chained actions.

In the call there was talk about using a Playbook for this type of CoA,
which honestly might make more sense, but I still wanted to put this out
there.  This CoA or Playbook advises:

1. That a specific TCP port should be blocked.
2. That a file should be searched for across the network.
3. Once this search is completed, a specific registry key should be deleted.
4. After the port is blocked AND the registry key is deleted, copies of this file
should be deleted.
5. If the deletion fails, systems with this file should be taken offline.

{
    "type": "course-of-action",
    "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
    "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
    "created": "2017-05-04T20:03:48.000Z",
    "name": "Sample Complex CoA",
    "actions": [
        {
            "id": 1,
            "requires_success": [],
            "requires_failure": [],
            "description": "block inbound access to TCP port 45815"
        }, {
            "id": 2,
            "requires_success": [],
            "requires_failure": [],
            "description": "Find all systems on the network for something with SHA256 Hash: abc..."
        }, {
            "id": 3,
            "requires_success": [2],
            "requires_failure": [],
            "description": "Delete registry key Z"
        }, {
            "id": 4,
            "requires_success": [1, 3],
            "requires_failure": [],
            "description": "Delete file with hash abc..."
        }, {
            "id": 5,
            "requires_success": [],
            "requires_failure": [4],
            "description": "Take systems offline where delete fails"
        }
    ],
    "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
}

Jeffrey Mates, Civ DC3/DCCI
Computer Scientist
Defense Cyber Crime Institute
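The post above describes the semantics informally: an action may run only once every step in requires_success has succeeded and every step in requires_failure has failed, and a step whose precondition can no longer be met never runs. The following is an added example, not code from the post or from the CTI TC, of a small evaluator that validates such an action graph (unknown ids, self-dependencies, contradictory requirements, cycles) and then walks it to completion. The wrapper key "actions", the sample CoA embedded in the block, and the `outcomes` mapping that stands in for real action handlers are all assumptions made for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of the post's example.  The wrapper key
# "actions" is an assumption: the post does not show the key name.
SAMPLE_COA = json.loads("""
{
  "type": "course-of-action",
  "name": "Sample Complex CoA",
  "actions": [
    {"id": 1, "requires_success": [], "requires_failure": [],
     "description": "block inbound access to TCP port 45815"},
    {"id": 2, "requires_success": [], "requires_failure": [],
     "description": "Find all systems on the network holding a file with the given hash"},
    {"id": 3, "requires_success": [2], "requires_failure": [],
     "description": "Delete registry key Z"},
    {"id": 4, "requires_success": [1, 3], "requires_failure": [],
     "description": "Delete file with the given hash"},
    {"id": 5, "requires_success": [], "requires_failure": [4],
     "description": "Take systems offline where delete fails"}
  ]
}
""")


def validate_actions(actions: List[dict]) -> List[str]:
    """Return the problems found in the dependency graph (empty list if sound)."""
    problems: List[str] = []
    ids = [a["id"] for a in actions]
    if len(ids) != len(set(ids)):
        problems.append("duplicate action ids")
    known = set(ids)
    for a in actions:
        succ, fail = set(a["requires_success"]), set(a["requires_failure"])
        for dep in succ | fail:
            if dep not in known:
                problems.append(f"action {a['id']} depends on unknown action {dep}")
            if dep == a["id"]:
                problems.append(f"action {a['id']} depends on itself")
        # Requiring one step to both succeed and fail can never be satisfied.
        for dep in succ & fail:
            problems.append(f"action {a['id']} requires {dep} to both succeed and fail")
    # Cycle check: depth-first search over both dependency kinds together.
    deps = {a["id"]: set(a["requires_success"]) | set(a["requires_failure"]) for a in actions}
    state: Dict[int, int] = {}  # 0 = on the current path, 1 = fully explored

    def visit(n: int) -> bool:
        if state.get(n) == 1:
            return False
        if state.get(n) == 0:
            return True  # reached a node still on the path: cycle
        state[n] = 0
        if any(visit(d) for d in deps[n] if d in deps):
            return True
        state[n] = 1
        return False

    if any(visit(n) for n in deps):
        problems.append("dependency cycle")
    return problems


def run_playbook(coa: dict, outcomes: Dict[int, bool]) -> Tuple[List[Tuple[int, bool]], List[int]]:
    """Drive the chained actions to completion.

    `outcomes` says what each action would report if executed (True = success,
    False = failure; missing ids default to success); it stands in for real
    handlers.  Returns the trace of (id, result) pairs in execution order and
    the ids skipped because a precondition can never be met.
    """
    actions = coa["actions"]
    problems = validate_actions(actions)
    if problems:
        raise ValueError("; ".join(problems))
    by_id = {a["id"]: a for a in actions}
    results: Dict[int, bool] = {}
    trace: List[Tuple[int, bool]] = []
    skipped: List[int] = []
    pending = sorted(by_id)
    while pending:
        progressed = False
        for aid in list(pending):
            a = by_id[aid]
            wants = [(d, True) for d in a["requires_success"]] + \
                    [(d, False) for d in a["requires_failure"]]
            # A precondition is dead once its dependency finished the wrong way
            # or was itself skipped (it will then never produce any result).
            if any(d in skipped or (d in results and results[d] != want) for d, want in wants):
                skipped.append(aid)
                pending.remove(aid)
                progressed = True
            elif all(d in results for d, _ in wants):
                results[aid] = outcomes.get(aid, True)
                trace.append((aid, results[aid]))
                pending.remove(aid)
                progressed = True
        if not progressed:  # validation should prevent this, but never spin forever
            raise RuntimeError(f"actions {pending} can never become ready")
    return trace, skipped


if __name__ == "__main__":
    for scenario in ({}, {4: False}, {2: False}):
        print(scenario, "->", run_playbook(SAMPLE_COA, scenario))
```

With every step succeeding, step 5 is skipped because its requires_failure on step 4 can no longer hold; when step 4 fails, step 5 runs; when the search in step 2 fails, steps 3, 4 and 5 all become unreachable, which is the kind of dead branch an orchestrator should report rather than silently drop.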

