OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Branching CoA / Playbook Example

    Posted 05-04-2017 20:15
    Based on the CoA call I put together a quick and dirty simple example of what a branch CoA would look like with dependencies on prior steps failing or succeeding.

    Since the format for action hasn't been decided I made a simple wrapper for these, which is most likely incorrect, but that illustrates the idea of dependent chained actions.

    In the call there was talk about using a Playbook for this type of CoA, which honestly might make more sense, but I still wanted to put this out there. This CoA or Playbook advises:

    1. That a specific TCP port should be blocked
    2. That a file should be searched for across the network.
    3. Once this search is completed a specific registry key should be deleted.
    4. After the port is blocked AND registry key is deleted copies of this file should be deleted.
    5. If the deletion fails systems with this file should be taken offline.

    {
       "type": "course-of-action",
       "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
       "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
       "created": "2017-05-04T20:03:48.000Z",
       "name": "Sample Complex CoA",
       "actions": [
           {
               "id": 1,
               "requires_success": [],
               "requires_failure": [],
               "description": "block inbound access to TCP port 45815"
           },
           {
               "id": 2,
               "requires_success": [],
               "requires_failure": [],
               "description": "Find all systems on the network for something with SHA256 Hash: abc..."
           },
           {
               "id": 3,
               "requires_success": [2],
               "requires_failure": [],
               "description": "Delete registry key Z"
           },
           {
               "id": 4,
               "requires_success": [1, 3],
               "requires_failure": [],
               "description": "Delete file with hash acb..."
           },
           {
               "id": 5,
               "requires_success": [],
               "requires_failure": [4],
               "description": "Take systems offline where delete fails"
           }
       ],
       "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
    }

    Jeffrey Mates, Civ DC3/DCCI
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Computer Scientist
    Defense Cyber Crime Institute
    jeffrey.mates@dc3.mil
    410-694-4335
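The dependency semantics described in the post (an action runs only once every id in requires_success has succeeded and every id in requires_failure has failed) can be exercised with a small simulator. This is an added example, not code from the post or from the OASIS CTI TC; it carries a constructed, abridged copy of the CoA with the JSON syntax corrected, and the validate/run_playbook names are assumptions.

```python
import json

# Constructed, abridged copy of the CoA from the post, with the missing JSON
# commas added; hashes and the registry key are the post's own placeholders.
COA_JSON = """
{"type": "course-of-action", "name": "Sample Complex CoA", "actions": [
  {"id": 1, "requires_success": [], "requires_failure": [], "description": "block inbound TCP port 45815"},
  {"id": 2, "requires_success": [], "requires_failure": [], "description": "find systems with SHA256 abc..."},
  {"id": 3, "requires_success": [2], "requires_failure": [], "description": "delete registry key Z"},
  {"id": 4, "requires_success": [1, 3], "requires_failure": [], "description": "delete file with hash acb..."},
  {"id": 5, "requires_success": [], "requires_failure": [4], "description": "take systems offline where delete fails"}
]}
"""
COA = json.loads(COA_JSON)  # parsed once at import

def validate(coa):
    """Reject dangling dependency ids and cycles; returns a topological order."""
    actions = {a["id"]: a for a in coa["actions"]}
    deps = {i: set(a["requires_success"]) | set(a["requires_failure"]) for i, a in actions.items()}
    for i, d in deps.items():
        if not d <= set(actions):
            raise ValueError(f"action {i} depends on unknown action(s) {d - set(actions)}")
    ordered = []  # Kahn's algorithm: if actions are left over, there is a cycle
    while deps:
        free = [i for i, d in deps.items() if not d]
        if not free:
            raise ValueError(f"dependency cycle among actions {sorted(deps)}")
        for i in free:
            ordered.append(i)
            del deps[i]
            for d in deps.values():
                d.discard(i)
    return ordered

def run_playbook(coa, outcomes):
    """Simulate the branching CoA; outcomes maps id -> True/False (unlisted ids succeed)."""
    actions = {a["id"]: a for a in coa["actions"]}
    succeeded, failed, executed = set(), set(), []
    while True:
        # eligible once every listed dependency has produced the required outcome
        ready = [i for i, a in sorted(actions.items())
                 if i not in succeeded | failed
                 and set(a["requires_success"]) <= succeeded
                 and set(a["requires_failure"]) <= failed]
        if not ready:
            break
        executed.append(ready[0])
        (succeeded if outcomes.get(ready[0], True) else failed).add(ready[0])
    return executed, sorted(set(actions) - succeeded - failed)  # (run order, never eligible)
```

With every step succeeding, action 5 is never eligible; with step 4 failing, the offline branch runs; with step 2 failing, actions 3, 4 and 5 are all unreachable.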


  • 2.  Re: [cti] Branching CoA / Playbook Example

    Posted 05-05-2017 10:11
    On 04.05.2017 20:13:56, Mates, Jeffrey CIV DC3DCCI wrote:
    >
    > In the call there was talk about using a Playbook for this type of
    > CoA, which honestly might make more sense, but I still wanted to put
    > this out there.
    >

    Hey, Jeff -

    This looks like a terrific starting point for the STIX Playbook SDO.

    Nice work, Jeff, great initiative!

    --
    Cheers,
    Trey

    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "It is easier to move a problem around (for example, by moving the problem to a different part of the overall network architecture) than it is to solve it." --RFC 1925


  • 3.  Re: [EXT] [cti] Branching CoA / Playbook Example

    Posted 05-05-2017 13:09



    Jeff,


    This looks great.  I really like the ideas you have captured.


    Bret 

    Sent from my Commodore 64 


    PGP
    Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    On May 4, 2017, at 2:14 PM, Mates, Jeffrey CIV DC3DCCI <Jeffrey.Mates@dc3.mil> wrote:



    Based on the CoA call I put together a quick and dirty simple example of
    what a branch CoA would look like with dependencies on prior steps failing
    or succeeding.

    Since the format for action hasn't been decided I made a simple wrapper for
    these, which is most likely incorrect, but that illustrates the idea of
    dependent chained actions.

    In the call there was talk about using a Playbook for this type of CoA,
    which honestly might make more sense, but I still wanted to put this out
    there.  This CoA or Playbook advises:

    1. That a specific TCP port should be blocked
    2. That a file should be searched for across the network.
    3. Once this search is completed a specific registry key should be deleted.
    4. After the port is blocked AND registry key is deleted copies of this file
    should be deleted.
    5. If the deletion fails systems with this file should be taken offline.

    {
       "type": "course-of-action",
       "id": "course-of-action--024e2d2b-17d4-4cbf-938f-98ee46b3c187",
       "created_by_ref": "identity--8631f809-377b-45e0-aa1c-6a4751cae42f",
       "created": "2017-05-04T20:03:48.000Z",
       "name": "Sample Complex CoA",
       "actions": [
           {
               "id": 1,
               "requires_success": [],
               "requires_failure": [],
               "description": "block inbound access to TCP port 45815"
           },
           {
               "id": 2,
               "requires_success": [],
               "requires_failure": [],
               "description": "Find all systems on the network for something with SHA256 Hash: abc..."
           },
           {
               "id": 3,
               "requires_success": [2],
               "requires_failure": [],
               "description": "Delete registry key Z"
           },
           {
               "id": 4,
               "requires_success": [1, 3],
               "requires_failure": [],
               "description": "Delete file with hash acb..."
           },
           {
               "id": 5,
               "requires_success": [],
               "requires_failure": [4],
               "description": "Take systems offline where delete fails"
           }
       ],
       "description": "This blocks a port on the network and deletes files with a hash as well as removing registry keys that grant it persistence."
    }

    Jeffrey Mates, Civ DC3/DCCI
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Computer Scientist
    Defense Cyber Crime Institute
    jeffrey.mates@dc3.mil
    410-694-4335