Subject: Re: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example


As requested, I have pulled a few workflows that our SOC uses. They have been genericized, but they should give a general idea. Both of these flows are likely playbooks (which may contain COAs), and a lot of it is manual (analyst driven). I don’t have great insight into our automated workflows, so I can’t give an example of them at the moment.

 

Forgive me if they’re not ‘correctly’ done in decision tree form. I wanted it to fit all on one page.

 

Thanks,

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

 

From: <cti@lists.oasis-open.org> on behalf of Paul Patrick <Paul.Patrick@FireEye.com>
Date: Friday, May 5, 2017 at 9:38 AM
To: Bret Jordan <Bret_Jordan@symantec.com>, "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example

 

Jeff,

 

Definitely a great start and along similar lines that we’ve been discussing internally.

 

 

Paul Patrick

 

 

From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, May 5, 2017 at 9:08 AM
To: "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] [cti] Branching CoA / Playbook Example

 

Jeff,

 

This looks great.  I really like the ideas you have captured.

 

Bret 

Sent from my Commodore 64 

 

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


On May 4, 2017, at 2:14 PM, Mates, Jeffrey CIV DC3DCCI <Jeffrey.Mates@dc3.mil> wrote:

Based on the CoA call I put together a quick and dirty simple example of
what a branch CoA would look like with dependencies on prior steps failing
or succeeding.

Since the format for action hasn't been decided I made a simple wrapper for
these, which is most likely incorrect, but that illustrates the idea of
dependent chained actions.

In the call there was talk about using a Playbook for this type of CoA,
which honestly might make more sense, but I still wanted to put this out
there.  This CoA or Playbook advises:

1. That a specific TCP port should be blocked
2. That a file should be searched for across the network.
3. Once this search is completed a specific registry key should be deleted.
4. After the port is blocked AND registry key is deleted copies of this file
should be deleted.
5. If the deletion fails systems with this file should be taken offline.

{
   "type": "course-of-action",
   "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
   "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
   "created": "2017-05-04T20:03:48.000Z",
   "name": "Sample Complex CoA",
   "actions": [
       {
           "id": 1,
           "requires_success": [],
           "requires_failure": [],
           "description": "block inbound access to TCP port 45815"
       },
       {
           "id": 2,
           "requires_success": [],
           "requires_failure": [],
           "description": "Find all systems on the network for something with SHA256 Hash: abc..."
       },
       {
           "id": 3,
           "requires_success": [2],
           "requires_failure": [],
           "description": "Delete registry key Z"
       },
       {
           "id": 4,
           "requires_success": [1, 3],
           "requires_failure": [],
           "description": "Delete file with hash abc..."
       },
       {
           "id": 5,
           "requires_success": [],
           "requires_failure": [4],
           "description": "Take systems offline where delete fails"
       }
   ],
   "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
}

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
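The following is an added example, not part of the thread and not code from the CTI TC or any STIX implementation. It shows one way an orchestrator could evaluate the requires_success / requires_failure dependencies in the draft wrapper above: actions run once every prerequisite has reached the required state, and an action whose prerequisite can no longer reach that state is marked skipped instead of waiting forever. The sample CoA is constructed from the message above with its JSON syntax corrected; the function names execute() and simulate(), the run_action hook, and the "skipped" state are assumptions of this example, not part of the proposal.

```python
"""Executor for dependency-chained CoA actions (added example)."""
import json

# Constructed sample input: the draft wrapper from the message above, with
# valid JSON syntax. Field names are the draft's, not STIX 2.x.
SAMPLE_COA = json.loads(r'''
{
  "type": "course-of-action",
  "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
  "name": "Sample Complex CoA",
  "actions": [
    {"id": 1, "requires_success": [],     "requires_failure": [],
     "description": "block inbound access to TCP port 45815"},
    {"id": 2, "requires_success": [],     "requires_failure": [],
     "description": "Find all systems with SHA256 Hash: abc..."},
    {"id": 3, "requires_success": [2],    "requires_failure": [],
     "description": "Delete registry key Z"},
    {"id": 4, "requires_success": [1, 3], "requires_failure": [],
     "description": "Delete file with hash abc..."},
    {"id": 5, "requires_success": [],     "requires_failure": [4],
     "description": "Take systems offline where delete fails"}
  ]
}
''')

SUCCESS, FAILURE, SKIPPED = "success", "failure", "skipped"


def execute(coa, run_action):
    """Run the CoA's actions in dependency order.

    run_action(action) -> bool is the (hypothetical) orchestration hook:
    True means the action succeeded, False that it failed.
    Returns ({action_id: SUCCESS|FAILURE|SKIPPED}, decision order).
    SKIPPED (an assumption of this example) means a prerequisite can no
    longer end in the state this action requires.
    Raises ValueError on an unknown dependency id or a dependency cycle.
    """
    actions = {a["id"]: a for a in coa["actions"]}
    for a in actions.values():
        for dep in a.get("requires_success", []) + a.get("requires_failure", []):
            if dep not in actions:
                raise ValueError(f"action {a['id']} depends on unknown action {dep}")

    state, order = {}, []
    progress = True
    while progress and len(state) < len(actions):
        progress = False
        for aid, action in actions.items():
            if aid in state:
                continue
            need_ok = action.get("requires_success", [])
            need_fail = action.get("requires_failure", [])
            # A prerequisite that failed or was skipped (where success was
            # required), or succeeded or was skipped (where failure was
            # required), can never satisfy this action: mark it skipped.
            dead = (any(state.get(d) in (FAILURE, SKIPPED) for d in need_ok)
                    or any(state.get(d) in (SUCCESS, SKIPPED) for d in need_fail))
            # Ready only when every prerequisite has reached the required state.
            ready = (all(state.get(d) == SUCCESS for d in need_ok)
                     and all(state.get(d) == FAILURE for d in need_fail))
            if dead:
                state[aid] = SKIPPED
            elif ready:
                state[aid] = SUCCESS if run_action(action) else FAILURE
            else:
                continue  # still waiting on a prerequisite
            order.append(aid)
            progress = True

    pending = sorted(set(actions) - set(state))
    if pending:
        raise ValueError(f"dependency cycle among actions {pending}")
    return state, order


def simulate(coa, failing_ids=()):
    """Drive execute() with a stub hook that fails the listed action ids."""
    failing = set(failing_ids)
    return execute(coa, lambda action: action["id"] not in failing)


if __name__ == "__main__":
    for failing in ([], [4], [2]):
        state, order = simulate(SAMPLE_COA, failing)
        print(f"failing={failing}: order={order} state={state}")
```

With nothing failing, action 5 (take systems offline) is skipped once action 4 succeeds; with action 4 failing, action 5 runs. If action 2 (the search) fails, 3, 4 and 5 are all skipped because their prerequisites can no longer be met, which is the case an orchestrator should surface to the analyst rather than silently leave pending. Whether a skipped prerequisite should count as a failure for a requires_failure edge is a policy choice the draft leaves open; this example treats it as unsatisfiable.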



Attachment: Data Dump decision tree.pptx
Description: Data Dump decision tree.pptx

Attachment: DOX decision tree.pptx
Description: DOX decision tree.pptx
