RE&CT框架详细介绍
0 原理
RE&CT框架是为积累、描述和分类可操作的事件响应技术而设计的。
RE&CT的哲学是基于MITRE的att&ck框架。
列表示响应阶段。
这些单元格代表响应动作。
**主要用例:
**
1、事件响应能力开发的优先级,包括技能开发、技术措施的获取/部署、内部过程开发等
2、差距分析-确定现有事件响应能力的“覆盖范围”
主要资源:
RE&CT导航器(改进的ATT&CK导航器)用于可视化和观察大的图片
自动生成的RE&CT网站是获取现有分析细节的最佳地点
自动生成的Atlassian Confluence知识库-输出功能演示
可操作的分析
ATC RE&CT项目继承了ATC项目的“可操作分析”范式,这意味着分析如下:
人类可读的(.md)在运营中共享/使用
机器可读(.yml)用于自动处理/集成
通过事件响应平台可执行(目前仅thehive Case模板)
简单地说,分析数据存储在.yml文件中,这些文件会自动转换成.md文档(带有jinja)和.json的thehive Case模板。
响应行动
响应动作是对在事件响应期间必须执行的特定原子过程/任务的描述。它是一个初始实体,用于构建响应剧本。
每个响应动作都映射到一个特定的响应阶段。
响应动作ID的第一个数字反映了它所属的阶段:
1: Preparation
2: Identification
3: Containment
4: Eradication
5: Recovery
6: Lessons Learned
响应动作ID的第二个数字反映了它所属的类别:
0: General
1: Network
2: Email
3: File
4: Process
5: Configuration
6: Identity
通过使用响应动作ID,您可以看到它所属的阶段和类别。
例如,RA2202: Collect an email message与阶段2(识别)和类别2(电子邮件)有关。
该分类旨在改进事件响应过程成熟度评估和路线图开发。
响应剧本
响应剧本是一个事件响应计划,它代表了一个完整的过程/任务(响应行动)列表,必须执行该列表以响应特定威胁,并可选择映射到MITRE的att&ck或Misinfosec的AMITT框架。
响应剧本可以包括对工作流的描述、特定的条件/需求、响应操作执行顺序的细节,或者任何其他相关信息。
TheHive案例模板
TheHive Case模板是建立在响应剧本之上的。案例模板中的每个任务都是一个响应动作(带有完整的描述)。
下面是导入的TheHive Case模板的示例:
导入TheHive Case模板,在响应剧本上制作(点击展开)
{‘customFields’: {},
‘metrics’: {},
‘tlp’: 2,
‘pap’: 0,
‘tasks’: [{‘order’: 0,
‘title’: ‘1 | RA1001: Practice’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure that most of the Response Action has been performed on an internal exercise by your Incident Response Team. \nYou need to make sure that when an Incident will happen, the team will not just try to follow the playbooks they see first time in their lives, but will be able to quickly execute the actual steps in your environment, i.e. blocking an IP address or a domain name. \n’},
{‘order’: 1,
‘title’: ‘2 | RA1002: Take trainings’,
‘group’: ‘Preparation’,
‘description’: ‘> We do not rise to the level of our expectations. We fall to the level of our training. \n\nHere are some relevant training courses that will help you in the Incident Response activities: \n\n1. Investigation Theory by Chris Sanders. We recommend you to have it as a mandatory training for every member of your Incident Response team \n2. Offensive Security trainings. We recommend PWK to begin with \n3. SANS Digital Forensics & Incident Response trainings \n\nOffensive Security trainings are in the list because to fight a threat, you need to understand their motivation, tactics, and techniques. \n\nAt the same time, we assume that you already have a strong technical background in fundamental disciplines — Networking, Operating Systems, and Programming. \n’},
{‘order’: 2,
‘title’: ‘3 | RA1004: Make personnel report suspicious activity’,
‘group’: ‘Preparation’,
‘description’: ‘Develop a simplified, company wide-known way to contact IR team in case of suspicious activity on the user system. \nMake sure that the personnel is aware of it, can and will use it. \n’},
{‘order’: 3,
‘title’: ‘4 | RA1003: Raise personnel awareness’,
‘group’: ‘Preparation’,
‘description’: ‘Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of \nsuccessful spearphishing, social engineering, and other techniques that involve user interaction.\n’},
{‘order’: 4,
‘title’: ‘5 | RA1101: Access external network flow logs’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured. \nIf there is no option to configure it on a network device, you can install a special software on each endpoint and collect it from them. \n\nWarning: \n\n- There is a feature called “NetFlow Sampling”, that eliminates the value of the Network Flow logs for some of the tasks, such as “check if some host communicated to an external IP”. Make sure it's disabled or you have an alternative way to collect Network Flow logs \n’},
{‘order’: 5,
‘title’: ‘6 | RA1104: Access external HTTP logs’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure that there is a collection of HTTP connections logs for external communication (from corporate assets to the Internet) configured. \n’},
{‘order’: 6,
‘title’: ‘7 | RA1106: Access external DNS logs’,
‘group’: ‘Preparation’,
‘description’: “Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured. \nIf there is no option to configure it on a network device/DNS Server, you can install a special software on each endpoint and collect it from them. \n\nWarning: \n\n- Make sure that there are both DNS query and answer logs collected. It’s quite hard to configure such a collection on MS Windows DNS server and ISC BIND. Sometimes it much easier to use 3rd party solutions to fulfill this requirement. \n- Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names. \n”},
{‘order’: 7,
‘title’: ‘8 | RA1111: Get ability to block external IP address’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will you to block an external IP address from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. \n’},
{‘order’: 8,
‘title’: ‘9 | RA1113: Get ability to block external domain’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external domain name from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. \n’},
{‘order’: 9,
‘title’: ‘10 | RA1115: Get ability to block external URL’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external URL from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. \n’},
{‘order’: 10,
‘title’: ‘11 | RA1201: Get ability to list users opened email message’,
‘group’: ‘Preparation’,
‘description’: “Make sure you have the ability to list users who opened/read a particular email message using the Email Server’s functionality.\n”},
{‘order’: 11,
‘title’: ‘12 | RA1202: Get ability to list email message receivers’,
‘group’: ‘Preparation’,
‘description’: “Make sure you have the ability to list receivers of a particular email message using the Email Server’s functionality.\n”},
{‘order’: 12,
‘title’: ‘13 | RA1203: Get ability to block email domain’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality. \n’},
{‘order’: 13,
‘title’: ‘14 | RA1204: Get ability to block email sender’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality. \n’},
{‘order’: 14,
‘title’: ‘15 | RA1205: Get ability to delete email message’,
‘group’: ‘Preparation’,
‘description’: “Make sure you have the ability to delete an email message from an Email Server and users’ email boxes using its native functionality.\n”},
{‘order’: 15,
‘title’: ‘16 | RA1206: Get ability to quarantine email message’,
‘group’: ‘Preparation’,
‘description’: ‘Make sure you have the ability to quarantine an email message on an Email Server using its native functionality. \n’},
{‘order’: 16,
‘title’: ‘17 | RA2003: Put compromised accounts on monitoring’,
‘group’: ‘Identification’,
‘description’: ‘Start monitoring for authentification attempts and all potentially harmful actions from (potentially) compromised accounts. \nLook for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before. \nKeep in touch with the real users and, in case of need, ask them if they executing some suspicious actions by themselves or not. \n’},
{‘order’: 17,
‘title’: ‘18 | RA2113: List hosts communicated with external domain’,
‘group’: ‘Identification’,
‘description’: ‘List hosts communicated with an external domain using the most efficient way. \n’},
{‘order’: 18,
‘title’: ‘19 | RA2114: List hosts communicated with external IP’,
‘group’: ‘Identification’,
‘description’: ‘List hosts communicated with an external IP address using the most efficient way. \n’},
{‘order’: 19,
‘title’: ‘20 | RA2115: List hosts communicated with external URL’,
‘group’: ‘Identification’,
‘description’: 'List hosts communicated with an external URL using the most efficient way. '},
{‘order’: 20,
‘title’: ‘21 | RA2201: List users opened email message’,
‘group’: ‘Identification’,
‘description’: “List users who opened/read a particular email message using the Email Server’s functionality. \n”},
{‘order’: 21,
‘title’: ‘22 | RA2202: Collect email message’,
‘group’: ‘Identification’,
‘description’: ‘Collect an email message using the most appropriate option: \n\n- Email Team/Email server: if there is such option \n- The person that reported the attack (if it wasn't detected automatically or reported by victims) \n- Victims: if they reported the attack \n- Following the local computer forensic evidence collection procedure, if the situation requires it\n\nAsk for the email in .EML format. Instructions: \n\n 1. Drug and drop email from Email client to Desktop \n 2. Archive with password “infected” and send to IR specialists by email \n’},
{‘order’: 22,
‘title’: ‘23 | RA2203: List email message receivers’,
‘group’: ‘Identification’,
‘description’: "List receivers of a particular email message using the Email Server’s functionality. "},
{‘order’: 23,
‘title’: ‘24 | RA2204: Make sure email message is phishing’,
‘group’: ‘Identification’,
‘description’: ‘Check an email and its metadata for evidences of phishing attack: \n\n- Impersonalisation attempts: sender is trying to identify himself as somebody he is not \n- Suspicious askings or offers: download “invoice”, click on link with something important etc \n- Psychological manipulations: invoking a sense of urgency or fear is a common phishing tactic \n- Spelling mistakes: legitimate messages usually don't have spelling mistakes or poor grammar \n\nExplore references of the article to make yourself familiar with phishing attacks history and examples. \n’},
{‘order’: 24,
‘title’: ‘25 | RA2205: Extract observables from email message’,
‘group’: ‘Identification’,
‘description’: ‘Extract the data for further response steps: \n\n- attachments (using munpack tool: munpack email.eml) \n- from, to, cc \n- subject of the email \n- received servers path \n- list of URLs from the text content of the mail body and attachments \n\nThis Response Action could be automated with TheHive EmlParser. \n’},
{‘order’: 25,
‘title’: ‘26 | RA3101: Block external IP address’,
‘group’: ‘Containment’,
‘description’: “Block an external IP address from being accessed by corporate assets, using the most efficient way. \n\nWarning: \n\n- Be careful blocking IP addresses. Make sure it’s not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster IP address, you should block (if applicable) a specific URL using alternative Response Action \n”},
{‘order’: 26,
‘title’: ‘27 | RA3103: Block external domain’,
‘group’: ‘Containment’,
‘description’: “Block an external domain name from being accessed by corporate assets, using the most efficient way. \n\nWarning: \n\n- Be careful blocking doman names. Make sure it’s not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster doman, you should block (if applicable) a specific URL using alternative Response Action \n”},
{‘order’: 27,
‘title’: ‘28 | RA3105: Block external URL’,
‘group’: ‘Containment’,
‘description’: ‘Block an external URL from being accessed by corporate assets, using the most efficient way. \n’},
{‘order’: 28,
‘title’: ‘29 | RA3201: Block domain on email’,
‘group’: ‘Containment’,
‘description’: ‘Block a domain name on an Email Server using its native filtering functionality. \n’},
{‘order’: 29,
‘title’: ‘30 | RA3202: Block sender on email’,
‘group’: ‘Containment’,
‘description’: ‘Block an email sender on an Email Server using its native filtering functionality. \n’},
{‘order’: 30,
‘title’: ‘31 | RA3203: Quarantine email message’,
‘group’: ‘Containment’,
‘description’: ‘Quarantine an email message on an Email Server using its native functionality. \n’},
{‘order’: 31,
‘title’: ‘32 | RA4001: Report incident to external companies’,
‘group’: ‘Eradication’,
‘description’: “Report incident to external security companites, i.e. National Computer Security Incident Response Teams (CSIRTs). \nProvide all Indicators of Compromise and Indicators of Attack that have been observed. \n\nA phishing attack could be reported to: \n\n1. National Computer Security Incident Response Teams (CSIRTs) \n2. U.S. government-operated website \n3. Anti-Phishing Working Group (APWG) \n4. Google Safe Browsing \n5. The FBI’s Intenet Crime Complaint Center (IC3) \n\nThis Response Action could be automated with TheHive and MISP integration. \n”},
{‘order’: 32,
‘title’: ‘33 | RA4201: Delete email message’,
‘group’: ‘Eradication’,
‘description’: “Delete an email message from an Email Server and users’ email boxes using its native functionality.\n”},
{‘order’: 33,
‘title’: ‘34 | RA5101: Unblock blocked IP’,
‘group’: ‘Recovery’,
‘description’: ‘Unblock a blocked IP address in the system(s) used to block it. \n’},
{‘order’: 34,
‘title’: ‘35 | RA5102: Unblock blocked domain’,
‘group’: ‘Recovery’,
‘description’: ‘Unblock a blocked domain name in the system(s) used to block it. \n’},
{‘order’: 35,
‘title’: ‘36 | RA5103: Unblock blocked URL’,
‘group’: ‘Recovery’,
‘description’: ‘Unblock a blocked URL in the system(s) used to block it. \n’},
{‘order’: 36,
‘title’: ‘37 | RA5201: Unblock domain on email’,
‘group’: ‘Recovery’,
‘description’: ‘Unblock an email domain on an Email Server using its native functionality. \n’},
{‘order’: 37,
‘title’: ‘38 | RA5202: Unblock sender on email’,
‘group’: ‘Recovery’,
‘description’: ‘Unblock an email sender on an Email Server using its native functionality. \n’},
{‘order’: 38,
‘title’: ‘39 | RA5203: Restore quarantined email message’,
‘group’: ‘Recovery’,
‘description’: ‘Restore a quarantined email message on an Email Server using its native functionality. \n’},
{‘order’: 39,
‘title’: ‘40 | RA6001: Develop incident report’,
‘group’: ‘Lessons Learned’,
‘description’: ‘Develop the Incident Report using your corporate template. \n\nIt should include: \n\n1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc) \n2. Detailed timeline of adversary actions mapped to ATT&CK tactics (you can use the Kill Chain, but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful) \n3. Detailed timeline of actions taken by Incident Response Team \n4. Root Cause Analysis and Recommendations for improvements based on its conclusion \n5. List of specialists involved in Incident Response with their roles \n’},
{‘order’: 40,
‘title’: ‘41 | RA6002: Conduct lessons learned exercise’,
‘group’: ‘Lessons Learned’,
‘description’: “The Lessons Learned phase evaluates the team’s performance through each step. \nThe goal of the phase is to discover how to improve the incident response process. \nYou need to answer some basic questions, using developed incident report: \n\n- What happened? \n- What did we do well? \n- What could we have done better? \n- What will we do differently next time? \n\nThe incident report is the key to improvements. \n”}],
‘description’: ‘Response playbook for Phishing Email case\n\nWorkflow:\n\n1. Execute Response Actions step by step. Some of them directly connected, which means you will not be able to move forward not finishing the previous step. Some of them are redundant, as those that are related to the blocking a threat using network filtering systems (containment stage)\n2. Start executing containment and eradication stages concurrently with next identification steps, as soon as you will receive information about malicious hosts\n3. If phishing led to code execution or remote access to victim host, immediately start executing Generic Post Exploitation Incident Response Playbook\n4. Save all timestamps of implemented actions in Incident Report draft on the fly, it will save a lot of time\n’,
‘name’: ‘RP0001: Phishing email’,
‘status’: ‘Ok’,
‘severity’: 2,
‘titlePrefix’: ‘’,
‘tags’: [‘attack.initial_access’,
‘attack.t1566.001’,
‘attack.t1566.002’,
‘phishing’]}
TheHive案例中的一个任务,在响应操作(单击展开)之上完成。
thehive案例模板可以在docs/thehive_templates目录中找到,可以通过web界面导入到thehive中。
一、响应阶段
1、准备(Preparation)
为安全事件做好准备。
2、识别(Identification)
收集关于触发安全事件的威胁、其TTPs和受影响资产的信息。
3、遏制(Containment)
防止威胁实现其目标和/或在环境中传播。
4、根除(Eradication)
从环境中移除一个威胁。
5、恢复(Recovery)
从事故中恢复,并使所有资产恢复正常运行。
6、经验教训(Lessons Learned)
了解如何改进事件响应流程并实现改进。
二、准备
1、RA1001: Practice
描述:在真实的环境中练习。加强组织内部的响应行动。
确保您的事件响应团队已在内部演习中执行了大多数响应行动。
你需要确保当事件发生时,团队不会只是尝试遵循他们第一次看到的剧本,而是能够在你的环境中快速执行实际步骤,例如阻止IP地址或域名。
2、RA1002: Take trainings
描述:参加培训课程以获得相关知识
我们不会上升到我们期望的水平。我们的训练水平下降了。
以下是一些有关的培训课程,有助你应付事故:
(1)克里斯·桑德斯的《调查理论》。我们建议你们对事故响应小组的每个成员进行强制性的培训
(2)全面安全培训。我们建议从PWK开始
(3)数字取证和事件响应培训
全面的安全训练是其中之一,因为为了对抗威胁,你需要了解他们的动机、战术和技巧。
与此同时,我们假定您已经在基础学科(网络、操作系统和编程)方面有很强的技术背景。
3、RA1003: Raise personnel awareness
描述:提高人员对网络钓鱼、勒索软件、社会工程和其他涉及用户交互的攻击的意识
培训用户了解对手的访问或操作企图,以降低鱼叉钓鱼、社会工程和其他涉及用户交互的技术的成功风险。
4、RA1004: Make personnel report suspicious activity
描述:确保工作人员会报告可疑活动,如可疑电子邮件、链接、文件、电脑上的活动等
开发一种简化的、公司众所周知的方式,在用户系统发生可疑活动时联系IR团队。
确保员工意识到它,能够并且将要使用它。
5、RA1005: Set up relevant data collection
描述:通常,数据收集由日志管理/安全监控/威胁检测团队管理。您需要向他们提供一个数据列表,这对IR过程至关重要。大多数情况下,DNS、DHCP日志等数据不被收集,因为它们的检测值比较低。您可以参考现有的响应动作(准备阶段)来开发列表
以markdown格式描述响应操作的工作流程。
这里将保存换行符。
6、RA1006: Set up a centralized long-term log storage
描述:建立一个集中的长期日志存储。这是当今公司面临的最关键的问题之一。即使有这样一个系统,在大多数情况下,它存储的是不相关的数据,或者保留时间过短
以markdown格式描述响应操作的工作流程。
这里将保存换行符。
7、RA1007: Develop communication map
描述:为内部(c级,其他部门的经理和技术专家,可能参与IR过程)和外部(执法部门,CERT,你缺少的主题专家,等等)制定一个沟通图。
以markdown格式描述响应操作的工作流程。
这里将保存换行符。
8、RA1008: Make sure there are backups
描述:确保有在线备份和离线备份。确保它们能正常工作。在一个成功的勒索病毒蠕虫攻击的情况下,这是唯一的事情,将帮助你保护你的至关重要的数据
9、RA1009: Get network architecture map
描述:获取网络架构图。通常,它由网络安全团队管理。它将帮助您选择遏制策略,例如隔离特定的网段
10、RA1010: Get access control matrix
描述:获取访问控制矩阵。通常,它由网络安全团队管理。它将帮助你识别对手的机会,比如横向移动等等
11、RA1011: Develop assets knowledge base
描述:建立资产知识库。它将帮助您将观察到的活动与特定主机、用户或网段的正常活动配置文件进行比较
12、RA1012: Check analysis toolset
描述:确保您用于分析和管理的工具集是更新的并且完全可操作的。确保授予了所有必需的权限
13、RA1013: Access vulnerability management system logs
描述:访问漏洞管理系统日志。它将有助于识别特定主机在过去特定时间的漏洞
14、RA1014: Connect with trusted communities
描述:连接可信的社区以交换信息
其它条件:
与其他团队的MISP连接或在另一个机构的MISP实例上工作
邮件列表
slack的通道
15、RA1101: Access external network flow logs
类型:网络
描述:确保您能够访问外部通信网络流日志
其它条件:
MS_border_firewall
MS_border_ngfw
DN_zeek_conn_log
工作流:
确保为外部通信(从公司资产到Internet)配置了一组网络流日志。
如果没有在网络设备上配置它的选项,您可以在每个端点上安装一个特殊的软件并从它们那里收集它。
警告:
有一个特性叫做“NetFlow Sampling”,它消除了一些任务中网络流量日志的值,例如“检查某些主机是否与外部IP通信”。确保禁用它,否则您有另一种收集网络流日志的方法
16、RA1102: Access internal network flow logs
类型:网络
描述:确保你可以访问内部通信网络的流量日志
条件:
DN_zeek_conn_log
17、RA1103: Access internal HTTP logs
类型:网络
描述:确保您能够访问内部通信HTTP日志
18、RA1104: Access external HTTP logs
类型:网络
描述:确保您能够访问外部通信HTTP日志
条件:
MS_border_proxy
MS_border_ngfw
DN_zeek_http_log
确保为外部通信(从公司资产到Internet)配置了一组HTTP连接日志。
19、RA1105: Access internal DNS logs
类型:网络
描述:确保您能够访问内部通信DNS日志
条件:
DN_zeek_dns_log
20、RA1106: Access external DNS logs
类型:网络
描述:确保您能够访问外部通信DNS日志
条件:
MS_dns_server
DN_zeek_dns_log
工作流:
确保为外部通信(从公司资产到Internet)配置了一组DNS日志。
如果没有在网络设备/DNS服务器上配置它的选项,您可以在每个端点上安装一个特殊的软件,并从它们收集它。
警告:
请确保DNS查询和应答日志都已收集。在Windows DNS服务器和ISC绑定上配置这样的集合是相当困难的。有时,使用第三方解决方案来满足这一需求要容易得多。
确保到外部(公共)DNS服务器的DNS通信被边界防火墙阻止。这样,企业DNS服务器就是资产可以解析域名的唯一地方。
21、RA1107: Access VPN logs
类型:网络
描述:确保你能访问VPN日志
22、RA1108: Access DHCP logs
类型:网络
描述:确保您能够访问DHCP日志
23、RA1109: Access internal packet capture data
类型:网络
描述:确保您能够访问内部通信包捕获数据
24、RA1110: Access external packet capture data
类型:网络
描述:确保您能够访问外部通信数据包捕获数据
25、RA1111: Get ability to block external IP address
类型:网络
描述:确保您有能力阻止企业资产访问外部IP地址
26、RA1112: Get ability to block internal IP address
类型:网络
描述:确保您可以阻止企业资产访问内部IP地址
条件:
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
27、RA1113: Get ability to block external domain
类型:网络
描述:确保你有能力阻止外部域名被公司资产访问
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
工作流:
确保您能够在列出的缓解系统之一中创建策略规则或特定配置,以阻止企业资产访问外部域名。
警告:
确保使用列出的系统(1个或多个)可以控制对基础设施中所有资产的internet的访问。在某些情况下,你需要一个有保证的方法来阻止外部域名被公司资产完全访问。如果一些资产不在所列缓解系统的管理之下(以便它们可以绕过这些系统接入互联网),就无法完全实现应对行动的最终目标。
28、RA1114: Get ability to block internal domain
类型:网络
描述:确保您可以阻止企业资产访问内部域名
29、RA1115: Get ability to block external URL
类型:网络
描述:确保您有能力阻止企业资产访问外部URL
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
工作流:
确保您能够在列出的缓解系统之一中创建策略规则或特定配置,以阻止企业资产访问外部URL。
警告:
确保使用列出的系统(1个或多个)可以控制对基础设施中所有资产的internet的访问。在某些情况下,您将需要一种有保证的方法来阻止企业资产完全访问外部URL。如果一些资产不在所列缓解系统的管理之下(以便它们可以绕过这些系统接入互联网),就无法完全实现应对行动的最终目标。
30、RA1116: Get ability to block internal URL
类型:网络
描述:确保您可以阻止企业资产访问内部URL
条件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_dns_server
31、RA1117: Get ability to block port external communication
类型:网络
描述:确保您可以阻止一个网络端口进行外部通信
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
32、RA1118: Get ability to block port internal communication
类型:网络
描述:确保您可以阻止一个网络端口进行内部通信
条件:
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
33、RA1119: Get ability to block user external communication
类型:网络
描述:确保您可以阻止一个用户进行外部通信
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_nac
34、RA1120: Get ability to block user internal communication
类型:网络
描述:确保您可以阻止用户进行内部通信
条件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
35、RA1121: Get ability to find data transferred by content pattern
类型:网络
描述:确定您有能力查找过去某个特定时间通过其内容模式(即特定字符串、关键字、二进制模式等)传输的数据
条件:
36、RA1122: Get ability to block data transferring by content pattern
类型:网络
描述:确保你有能力通过内容模式(如特定字符串,关键字,二进制模式等)来阻止数据传输。
条件:
DN_zeek_conn_log
37、RA1123: Get ability to list data transferred
类型:网络
描述:确保您能够列出当前或过去某个特定时间正在传输的数据
条件:
DN_zeek_conn_log
38、RA1124: Get ability to collect transferred data
类型:网络
描述:确保您有能力收集当前或过去某个特定时间正在传输的数据
条件:
39、RA1125: Get ability to identify transferred data
类型:网络
描述:确保您有能力识别当前或过去某个特定时间正在传输的数据(即它的内容、值)
条件:
DN_zeek_conn_log
40、RA1126: Find data transferred by content pattern
类型:网络
描述:确保您能够找到当前或过去某个特定时间内根据内容模式传输的数据
条件:
DN_zeek_conn_log
41、RA1127: Get ability to analyse user-agent
类型:网络
描述:确保您有能力分析用户代理请求头
条件:
42、RA1201: Get ability to list users opened email message
类型:邮件
描述:确保您能够列出打开特定电子邮件消息的用户
条件:MS_email_server
工作流:
确保你能够使用邮件服务器的功能列出打开/阅读特定邮件信息的用户。
43、RA1202: Get ability to list email message receivers
类型:邮件
描述:确保你有能力列出特定邮件的收件人
条件:MS_email_server
工作流:
请确保您能够使用电子邮件服务器的功能列出特定电子邮件的收件人。
44、RA1203: Get ability to block email domain
类型:邮件
描述:确保你有能力阻止一个电子邮件域名
条件:MS_email_server
工作流:
确定您有能力使用电子邮件服务器的本机过滤功能屏蔽电子邮件域名。
45、RA1204: Get ability to block email sender
类型:邮件
描述:确保你有能力阻止邮件发送者
条件:MS_email_server
工作流:
确保你有能力在邮件服务器上使用其本机过滤功能来阻止邮件发送者。
46、RA1205: Get ability to delete email message
类型:邮件
描述:确保你有删除邮件的能力
条件:MS_email_server
工作流:
确保你有能力从电子邮件服务器和用户的电子邮箱中删除邮件信息,使用其本机功能。
47、RA1206: Get ability to quarantine email message
类型:邮件
描述:确保您有隔离电子邮件的能力
条件:MS_email_server
工作流:
确保您能够使用电子邮件服务器上的本机功能隔离电子邮件。
48、RA1207: Get ability to collect email message
类型:邮件
描述:确保你有能力收集邮件信息
条件:DN_zeek_conn_log
工作流:
49、RA1208: Get ability to analyse email address
类型:邮件
描述:确保你有能力分析一个电子邮件地址
条件:
工作流:
50、RA1301: Get ability to list files created
类型:文件
描述:确保您能够列出在过去特定时间创建的文件
条件:DN_zeek_conn_log
工作流:
60、RA1302: Get ability to list files modified
类型:文件
描述:确保您能够列出在过去特定时间被修改的文件
条件:DN_zeek_conn_log
工作流:
61、RA1303: Get ability to list files deleted
类型:文件
描述:确保您能够列出在过去特定时间被删除的文件
条件:DN_zeek_conn_log
工作流:
62、RA1304: Get ability to list files downloaded
类型:文件
描述:确保您能够列出在过去某个特定时间从互联网上下载的文件
条件:DN_zeek_conn_log
工作流:
63、RA1305: Get ability to list files with tampered timestamps
类型:文件
描述:确保您能够列出带有篡改的时间戳的文件
条件:DN_zeek_conn_log
工作流:
64、RA1306: Get ability to find file by path
类型:文件
描述:确保您能够通过路径(包括名称)查找文件
条件:DN_zeek_conn_log
工作流:
65、RA1307: Get ability to find file by metadata
类型:文件
描述:确保你有能力根据文件的元数据(例如签名,权限,MAC时间)找到文件
条件:DN_zeek_conn_log
工作流:
66、RA1308: Get ability to find file by hash
类型:文件
描述:确保您能够通过文件的HASH来查找文件
条件:DN_zeek_conn_log
工作流:
67、RA1309: Get ability to find file by format
类型:文件
描述:确保您能够根据文件的格式查找文件
条件:DN_zeek_conn_log
工作流:
68、RA1310: Get ability to find file by content pattern
类型:文件
描述:确保你有能力根据内容模式(如特定字符串,关键字,二进制模式等)找到文件
条件:DN_zeek_conn_log
工作流:
69、RA1311: Get ability to collect file
类型:文件
描述:确保您能够从(远程)主机或系统收集特定的文件
条件:DN_zeek_conn_log
工作流:
70、RA1312: Get ability to quarantine file by path
类型:文件
描述:确保您有能力通过访问其路径(包括其名称)阻止文件
条件:DN_zeek_conn_log
工作流:
71、RA1313: Get ability to quarantine file by hash
类型:文件
描述:确定你有能力访问通过它的哈希阻止一个文件
条件:DN_zeek_conn_log
工作流:
72、RA1314: Get ability to quarantine file by format
类型:文件
描述:确保您有能力通过访问其格式阻止文件
条件:DN_zeek_conn_log
工作流:
73、RA1315: Get ability to quarantine file by content pattern
类型:文件
描述:确保你有能力通过访问它的内容模式访问(例如特定的字符串,关键字,二进制模式等)阻止一个文件
条件:DN_zeek_conn_log
工作流:
74、RA1316: Get ability to remove file
类型:文件
描述:确保您能够从(远程)主机或系统中删除特定的文件
条件:DN_zeek_conn_log
工作流:
74、RA1317: Get ability to analyse file hash
类型:文件
描述:确保您有能力分析文件散列
条件:
工作流:
75、RA1318: Get ability to analyse Windows PE
类型:文件
描述:确保你有能力分析Windows可移植的可执行文件
条件:
工作流:
76、RA1319: Get ability to analyse macos macho
类型:文件
描述:确保您有能力分析macOS Mach-O文件
条件:
工作流:
77、RA1320: Get ability to analyse Unix ELF
类型:文件
描述:确保您有能力分析UNIX ELF文件
条件:
工作流:
78、RA1321: Get ability to analyse MS office file
类型:文件
描述:确保你有能力分析Microsoft Office文件
条件:
工作流:
79、RA1322: Get ability to analyse PDF file
类型:文件
描述:确保你有能力分析PDF文件
条件:
工作流:
80、RA1323: Get ability to analyse script
类型:文件
描述:确保你有能力分析脚本文件(如Python, PowerShell, Bash脚本等)
条件:
工作流:
81、RA1324: Get ability to analyse jar
类型:文件
描述:确保您有能力分析JAR文件
条件:
工作流:
82、RA1325: Get ability to analyse filename
类型:文件
描述:确保你有能力分析一个文件名
条件:
工作流:
83、RA1401: Get ability to list processes executed
类型:进程
描述:确保您能够列出当前或过去某个特定时间正在执行的进程
条件:DN_zeek_conn_log
工作流:
84、RA1402: Get ability to find process by executable path
类型:进程
描述:确保您能够通过可执行路径(包括名称)查找在过去特定时间执行的进程
条件:DN_zeek_conn_log
工作流:
85、RA1403: Get ability to find process by executable metadata
类型:进程
描述:确保您有能力找到进程在过去特定时间内通过其可执行元数据(即签名、权限、MAC时间)执行的进程。
条件:DN_zeek_conn_log
工作流:
86、RA1404: Get ability to find process by executable hash
类型:进程
描述:确保您有能力查找在过去某个特定时间通过其可执行散列执行的进程。
条件:DN_zeek_conn_log
工作流:
87、RA1405: Get ability to find process by executable format
类型:进程
描述:确保您有能力查找在过去特定时间按其可执行格式执行的进程。
条件:DN_zeek_conn_log
工作流:
88、RA1406: Get ability to find process by executable content pattern
类型:进程
描述:确保你有能力找到在过去特定时间通过其可执行内容模式(即特定字符串、关键字、二进制模式等)执行的进程
条件:DN_zeek_conn_log
工作流:
89、RA1407: Get ability to block process by executable path
类型:进程
描述:确保您能够通过其可执行路径(包括其名称)阻塞进程
条件:DN_zeek_conn_log
工作流:
90、RA1408: Get ability to block process by executable metadata
类型:进程
描述:确保你有能力通过可执行的元数据(例如,签名,权限,MAC时间)阻塞进程
条件:DN_zeek_conn_log
工作流:
91、RA1409: Get ability to block process by executable hash
类型:进程
描述:确保您有能力通过其可执行散列来阻塞进程
条件:DN_zeek_conn_log
工作流:
92、RA1410: Get ability to block process by executable format
类型:进程
描述:确保您有能力按其可执行格式阻塞进程
条件:DN_zeek_conn_log
工作流:
93、RA1411: Get ability to block process by executable content pattern
类型:进程
描述:确保你有能力通过它的可执行内容模式(例如特定字符串,关键字,二进制模式等)来阻塞进程。
条件:DN_zeek_conn_log
工作流:
94、RA1501: Manage remote computer management system policies
类型:配置
描述:确保您可以管理远程计算机管理系统的策略
条件:
工作流:
95、RA1502: Get ability to list registry keys modified
类型:配置
描述:确保您有能力列出在过去特定时间修改的注册表项
条件:
工作流:
96、RA1503: Get ability to list registry keys deleted
类型:配置
描述:确保您有能力列出在过去特定时间删除的注册表项
条件:DN_zeek_conn_log
工作流:
97、RA1504: Get ability to list registry keys accessed
类型:配置
描述:确保您有能力列出在过去特定时间访问的注册表项
条件:DN_zeek_conn_log
工作流:
98、RA1505: Get ability to list registry keys created
类型:配置
描述:确保您有能力列出在过去特定时间创建的注册表项
条件:DN_zeek_conn_log
工作流:
99、RA1506: Get ability to list services created
类型:配置
描述:确保您能够列出在过去特定时间创建的服务
条件:DN_zeek_conn_log
工作流:
100、RA1507: Get ability to list services modified
类型:配置
描述:确保您能够列出在过去特定时间被修改的服务
条件:DN_zeek_conn_log
工作流:
101、RA1508: Get ability to list services deleted
类型:配置
描述:确保您能够列出在过去特定时间被删除的服务
条件:DN_zeek_conn_log
工作流:
102、RA1509: Get ability to remove registry key
类型:配置
描述:确保您有能力删除注册表项
条件:DN_zeek_conn_log
工作流:
103、RA1510: Get ability to remove service
类型:配置
描述:确保您有能力删除服务
条件:DN_zeek_conn_log
工作流:
104、RA1511: Get ability to analyse registry key
类型:配置
描述:确保你有能力分析注册表项
条件:
工作流:
105、RA1601: Manage identity management system
类型:身份
描述:确保您可以管理身份管理系统,即删除/阻止用户,撤销凭证,并执行其他响应操作
条件:
工作流:
106、RA1602: Get ability to lock user account
类型:身份
描述:确保您有能力锁定用户帐户不被使用
条件:
工作流:
107、RA1603: Get ability to list users authenticated
类型:身份
描述:确保您能够列出在特定系统上过去特定时间经过身份验证的用户
条件:
工作流:
108、RA1604: Get ability to revoke authentication credentials
类型:身份
描述:确保您有能力撤销身份验证凭据
条件:DN_zeek_conn_log
工作流:
109、RA1605: Get ability to remove user account
类型:身份
描述:确保您有能力删除用户帐户
条件:DN_zeek_conn_log
工作流:
三、识别
1、RA2001: List victims of security alert
类型:通用
描述:列出安全告警的受害者
条件:DN_zeek_conn_log
自动化:thehive
工作流:
2、RA2002: List host vulnerabilities
类型:通用
描述:获取关于特定主机现有漏洞的信息,或关于它在过去特定时间拥有的漏洞的信息
条件:DN_zeek_conn_log
自动化:thehive/phantom/demisto/etc
工作流:
3、RA2003: Put compromised accounts on monitoring
类型:通用
描述:将(可能)泄露的账户置于监控之中
条件:
自动化:
工作流:
开始监控身份验证尝试和所有(潜在的)泄露帐户的潜在有害行为。
寻找异常,不正常的网络连接,不正常的工作地点/时间,以前从未执行过的动作。
与真正的用户保持联系,必要时询问他们是否有自己的可疑行为。
4、RA2101: List hosts communicated with internal domain
类型:网络
描述:列出与内部域通信的主机
条件:
自动化:thehive
工作流:
5、RA2102: List hosts communicated with internal IP
类型:网络
描述:列出与内部IP地址通信的主机
条件:
自动化:thehive
工作流:
6、RA2103: List hosts communicated with internal URL
类型:网络
描述:列出与内部URL通信的主机
条件:
自动化:thehive
工作流:
7、RA2104: Analyse domain name
类型:网络
描述:分析域名
条件:
自动化:thehive
工作流:
8、RA2105: Analyse IP
类型:网络
描述:分析IP地址
条件:
自动化:thehive
9、RA2106: Analyse uri
类型:网络
描述:分析URI
条件:
自动化:thehive
10、RA2107: List hosts communicated by port
类型:网络
描述:列出当前或过去特定时间通过特定端口通信的主机
条件:
自动化:thehive
11、RA2108: List hosts connected to VPN
类型:网络
描述:列出当前或过去某个特定时间连接到VPN的主机
条件:
自动化:thehive/phantom/demisto/etc
12、RA2109: List hosts connected to intranet
类型:网络
描述:列出当前或过去某个特定时间连接到内部网络的主机
条件:
自动化:thehive/phantom/demisto/etc
13、RA2110: List data transferred
类型:网络
描述:列出当前或过去某个特定时间正在传输的数据
条件:DN_zeek_conn_log
自动化:
14、RA2111: Collect transferred data
类型:网络
描述:收集当前或过去某个特定时间正在传输的数据
条件:DN_zeek_conn_log
自动化:
15、RA2112: Identify transferred data
类型:网络
描述:识别当前或过去某个特定时间正在传输的数据(即其内容、值)
条件:DN_zeek_conn_log
自动化:
16、RA2113: List hosts communicated with external domain
类型:网络
描述:列出与外部域通信的主机
条件:
DN_zeek_conn_log
DN_zeek_dns_log
DN_zeek_http_log
DN_dns_log
DN_proxy_log
DN_network_flow_log
自动化:
列出使用最有效的方式与外部域通信的主机。
17、RA2114: List hosts communicated with external IP
类型:网络
描述:列出与外部IP地址通信的主机
条件:
DN_network_flow_log
DN_zeek_conn_log
自动化:
列出使用最有效的方式与外部IP地址通信的主机。
18、RA2115: List hosts communicated with external URL
类型:网络
描述:列出与外部URL通信的主机
条件:
DN_zeek_http_log
DN_proxy_log
自动化:
列出使用最有效的方式与外部URL通信的主机。
19、RA2116: Find data transferred by content pattern
类型:网络
描述:通过内容模式(即特定字符串、关键字、二进制模式等)查找当前或过去某个特定时间正在传输的数据
条件:
DN_zeek_conn_log
自动化:
20、RA2117: Analyse user-agent
类型:网络
描述:分析一个用户代理请求头
条件:
DN_zeek_conn_log
自动化:
21、RA2202: Collect email message
类型:Email
描述:收集邮件信息
条件:
MS_email_server
自动化:
工作流:
使用最合适的选项收集电子邮件信息:
1、电子邮件组/电子邮件服务器:如果有这样的选择
2、报告攻击的人(如果攻击没有被自动检测到或被受害者报告)
3、受害者:如果他们报告了袭击
4、如果需要,请按照本地计算机取证程序进行取证
请求. eml格式的电子邮件。产品说明:
1、将电子邮件从电子邮件客户端转移到桌面
2、存档密码为“感染”,并通过电子邮件发送给IR专家
22、RA2203: List email message receivers
类型:Email
描述:列出特定电子邮件的收件人
条件:
MS_email_server
自动化:
工作流:
使用电子邮件服务器的功能列出特定电子邮件的收件人。
23、RA2204: Make sure email message is phishing
类型:Email
描述:确保电子邮件是钓鱼攻击
条件:
MS_email_server
自动化:
工作流:
查看电子邮件及其元数据,寻找钓鱼攻击的证据:
1、非个人化尝试:发送者试图将自己定义为另一个他不是的人
2、可疑的询问或优惠:下载“发票”,点击一些重要的链接等
3、心理操纵:唤起紧迫感或恐惧感是一种常见的网络钓鱼策略
4、拼写错误:合法的信息通常没有拼写错误或糟糕的语法
阅读本文的参考文献,熟悉网络钓鱼攻击的历史和例子。
https://en.wikipedia.org/wiki/Phishing
http://www.phishing.org/phishing-examples
24、RA2205: Extract observables from email message
类型:Email
描述:从电子邮件消息中提取observable
条件:
自动化: thehive
工作流:
提取数据用于进一步的响应步骤:
1、附件(使用munpack工具:munpack email.eml)
2、from, to, cc
3、邮件主题
4、收到服务器的路径
5、来自邮件正文和附件文本内容的url列表
这个响应动作可以通过hive EmlParser自动完成。
25、RA2206: Analyse email address
类型:Email
描述:分析邮件地址
条件:
自动化: thehive
工作流:
26、RA2301: List files created
类型:文件
描述:列出在过去特定时间创建的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
27、RA2302: List files modified
类型:文件
描述:列出在过去特定时间被修改的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
28、RA2303: List files deleted
类型:文件
描述:列出在过去特定时间被删除的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
29、RA2304: List files downloaded
类型:文件
描述:列出在过去特定时间被下载的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
30、RA2305: List files with tampered timestamps
类型:文件
描述:列出带有篡改时间戳的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
31、RA2306: Find file by path
类型:文件
描述:通过路径(包括名称)查找文件
条件:
DN_zeek_conn_log
自动化:
工作流:
32、RA2307: Find file by metadata
类型:文件
描述:根据文件的元数据(如签名,权限,MAC时间)查找文件
条件:
DN_zeek_conn_log
自动化:
工作流:
33、RA2308: Find file by hash
类型:文件
描述:通过文件的散列来查找文件
条件:
DN_zeek_conn_log
自动化:
工作流:
34、RA2309: Find file by format
类型:文件
描述:根据文件的格式查找文件
条件:
DN_zeek_conn_log
自动化:
工作流:
35、RA2310: Find file by content pattern
类型:文件
描述:通过内容模式(如特定字符串,关键字,二进制模式等)查找文件
条件:
DN_zeek_conn_log
自动化:
工作流:
36、RA2311: Collect file
类型:文件
描述:从(远程)主机或系统收集特定的文件
条件:
DN_zeek_conn_log
自动化:
工作流:
37、RA2312: Analyse file hash
类型:文件
描述:分析一个文件的散列
条件:
DN_zeek_conn_log
自动化:
工作流:
38、RA2313: Analyse Windows PE
类型:文件
描述:分析MS Windows可移植可执行文件
条件:
DN_zeek_conn_log
自动化:
工作流:
39、RA2314: Analyse macos macho
类型:文件
描述:分析macOS Mach-O
条件:
DN_zeek_conn_log
自动化:
工作流:
40、RA2315: Analyse Unix ELF
类型:文件
描述:分析Unix ELF
条件:
DN_zeek_conn_log
自动化:
工作流:
41、RA2316: Analyse MS office file
类型:文件
描述:分析MS Office文件
条件:
DN_zeek_conn_log
自动化:
工作流:
42、RA2317: Analyse PDF file
类型:文件
描述:分析PDF文件
条件:
DN_zeek_conn_log
自动化:
工作流:
43、RA2318: Analyse script
类型:文件
描述:分析脚本文件(如Python, PowerShell, Bash脚本等)
条件:
DN_zeek_conn_log
自动化:
工作流:
44、RA2319: Analyse jar
类型:文件
描述:分析jar文件
条件:
自动化:
工作流:
45、RA2320: Analyse filename
类型:文件
描述:分析文件名
条件:
自动化:
工作流:
46、RA2401: List processes executed
类型:进程
描述:列出当前或过去某个特定时间正在执行的进程
条件:
自动化:thehive
工作流:
47、RA2402: Find process by executable path
类型:进程
描述:通过其可执行路径(包括名称)查找当前或过去某个特定时间正在执行的进程
条件:DN_zeek_conn_log
自动化:
工作流:
48、RA2403: Find process by executable metadata
类型:进程
描述:通过它的可执行元数据(例如,签名,权限,MAC时间)找到一个正在执行的进程
条件:DN_zeek_conn_log
自动化:
工作流:
49、RA2404: Find process by executable hash
类型:进程
描述:查找当前或过去某个特定时间正在由其可执行散列执行的进程
条件:DN_zeek_conn_log
自动化:
工作流:
50、RA2405: Find process by executable format
类型:进程
描述:查找当前或过去某个特定时间按其可执行格式正在执行的流程
条件:DN_zeek_conn_log
自动化:
工作流:
51、RA2406: Find process by executable content pattern
类型:进程
描述:通过它的可执行内容(例如特定字符串、关键字、二进制模式等)找到一个在当前或过去的特定时间正在执行的进程
条件:DN_zeek_conn_log
自动化:
工作流:
52、RA2501: List registry keys modified
类型:配置
描述:列出在过去特定时间修改的注册表项
条件:
自动化:thehive
工作流:
53、RA2502: List registry keys deleted
类型:配置
描述:列出在过去特定时间被删除的注册表项
条件:DN_zeek_conn_log
自动化:
工作流:
54、RA2503: List registry keys accessed
类型:配置
描述:列出在过去特定时间访问过的注册表项
条件:DN_zeek_conn_log
自动化:
工作流:
55、RA2504: List registry keys created
类型:配置
描述:列出在过去特定时间创建的注册表项
条件:DN_zeek_conn_log
自动化:
工作流:
56、RA2505: List services created
类型:配置
描述:列出在过去特定时间创建的服务
条件:DN_zeek_conn_log
自动化:
工作流:
57、RA2506: List services modified
类型:配置
描述:列出在过去特定时间被修改的服务
条件:DN_zeek_conn_log
自动化:
工作流:
58、RA2507: List services deleted
类型:配置
描述:列出在过去特定时间被删除的服务
条件:DN_zeek_conn_log
自动化:
工作流:
59、RA2508: Analyse registry key
类型:配置
描述:分析注册表键
条件:DN_zeek_conn_log
自动化:
工作流:
60、RA2601: List users authenticated
类型:身份
描述:列出在特定系统上过去特定时间经过身份验证的用户
条件:DN_zeek_conn_log
自动化:
工作流:
四、遏制
1、RA3001: Patch vulnerability
类型:General
描述:修补资产的漏洞
条件:
自动化:thehive
工作流:
2、RA3101: Block external IP address
类型:网络
描述:阻止外部IP地址被企业资产访问
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自动化:
工作流:
3、RA3102: Block internal IP address
类型:网络
描述:阻止内网IP地址被企业资产访问
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自动化:
工作流:
4、RA3103: Block external domain
类型:网络
描述:阻止企业资产访问外部域名
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自动化:
工作流:
5、RA3104: Block internal domain
类型:网络
描述:阻止企业资产访问内部域名
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自动化:
工作流:
以最有效的方式阻止企业资产访问内部域名。
https://en.wikipedia.org/wiki/DNS_sinkhole
6、RA3105: Block external URL
类型:网络
描述:阻止企业资产访问外部URL
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自动化:
工作流:
以最有效的方式阻止企业资产访问外部URL。
7、RA3106: Block internal URL
类型:网络
描述:阻止企业资产访问内部URL
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自动化:
工作流:
8、RA3107: Block port external communication
类型:网络
描述:阻止外部通信网络端口
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自动化:
工作流:
9、RA3108: Block port internal communication
类型:网络
描述:阻止内部通信网络端口
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自动化:
工作流:
10、RA3109: Block user external communication
类型:网络
描述:阻止用户对外通信
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_nac
自动化:
工作流:
11、RA3110: Block user internal communication
类型:网络
描述:阻止用户进行内部通信
条件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
自动化:
工作流:
12、RA3111: Block data transferring by content pattern
类型:网络
描述:通过其内容模式(即特定字符串、关键字、二进制模式等)阻塞传输块数据
条件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
自动化:
工作流:
13、RA3202: Block sender on email
类型:email
描述:在邮件服务器上阻止邮件发送者
条件:
MS_email_server
自动化:
工作流:
14、RA3203: Quarantine email message
类型:email
描述:隔离电子邮件
条件:
MS_email_server
自动化:
工作流:
15、RA3301: Quarantine file by format
类型:文件
描述:按文件的格式隔离文件
条件:
MS_email_server
自动化:
工作流:
16、RA3302: Quarantine file by hash
类型:文件
描述:通过文件的散列隔离文件
条件:
MS_email_server
自动化:
工作流:
17、RA3303: Quarantine file by path
类型:文件
描述:按文件路径隔离文件
条件:
MS_email_server
自动化:
工作流:
18、Quarantine file by content pattern
类型:文件
描述:根据文件的内容模式隔离文件
条件:
自动化:thehive/phantom/demisto/etc
工作流:
19、RA3401: Block process by executable path
类型:进程
描述:通过可执行路径(包括名称)阻止进程执行
条件:DN_zeek_conn_log
自动化:
工作流:
20、RA3402: Block process by executable metadata
类型:进程
描述:通过其可执行元数据(例如签名、权限、MAC时间)阻塞进程的执行
条件:DN_zeek_conn_log
自动化:
工作流:
21、RA3403: Block process by executable hash
类型:进程
描述:通过可执行散列阻塞进程的执行
条件:DN_zeek_conn_log
自动化:
工作流:
22、RA3404: Block process by executable format
类型:进程
描述:通过可执行格式阻塞进程的执行
条件:DN_zeek_conn_log
自动化:
工作流:
23、RA3405: Block process by executable content pattern
类型:进程
描述:通过其可执行内容模式(例如特定字符串、关键字、二进制模式等)阻塞进程的执行
条件:DN_zeek_conn_log
自动化:
工作流:
24、RA3501: Disable system service
类型:配置
描述:关闭系统服务
条件:DN_zeek_conn_log
自动化:
工作流:
25、RA3601: Lock user account
类型:身份
描述:锁定用户
条件:DN_zeek_conn_log
自动化:
工作流:
五、根除
1、RA4001: Report incident to external companies
类型:General
描述:向外部公司报告事件
条件:
自动化:thehive
工作流:
向外部安全公司报告事件,即国家计算机安全事件响应小组(CSIRTs)。
提供已观察到的所有危害指标和攻击指标。
2、RA4101: Remove rogue network device
类型:网络
描述:移除非法网络设备
条件:
自动化:thehive/phantom/demisto/etc
工作流:
3、RA4201: Delete email message
类型:Email
描述:移除非法网络设备
条件:MS_email_server
自动化:
工作流:
删除邮件服务器和用户邮箱中的邮件信息
4、RA4301: Remove file
类型:文件
描述:从(远程)主机或系统中移除特定的文件
条件:
自动化:thehive/phantom/demisto/etc
工作流:
5、RA4501: Remove registry key
类型:配置
描述:删除注册表项
条件:DN_zeek_conn_log
自动化:
工作流:
6、RA4502: Remove service
类型:配置
描述:删除服务
条件:DN_zeek_conn_log
自动化:
工作流:
7、RA4601: Revoke authentication credentials
类型:身份
描述:撤销认证证书
条件:DN_zeek_conn_log
自动化:
工作流:
8、RA4602: Remove user account
类型:身份
描述:删除用户帐户
条件:DN_zeek_conn_log
自动化:
工作流:
六、恢复
1、RA5001: Reinstall host from golden image
类型:General
描述:从黄金映像重新安装主机操作系统
条件:
自动化:thehive
工作流:
2、RA5002: Restore data from backup
类型:General
描述:从备份中恢复数据
条件:DN_zeek_conn_log
自动化:
工作流:
3、RA5101: Unblock blocked IP
类型:网络
描述:解除阻塞IP地址
条件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
自动化:
工作流:
4、RA5102: Unblock blocked domain
类型:网络
描述:解除阻塞的域名
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_dns_server
自动化:
工作流:
5、RA5103: Unblock blocked URL
类型:网络
描述:解除阻塞的URL
条件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
自动化:
工作流:
6、RA5104: Unblock blocked port
类型:网络
描述:解除封锁端口
条件:
DN_zeek_conn_log
自动化:
工作流:
7、RA5105: Unblock blocked user
类型:网络
描述:解除阻塞用户
条件:
DN_zeek_conn_log
自动化:
工作流:
8、RA5201: Unblock domain on email
类型:email
描述:解除封锁电子邮件的域名
条件:
MS_email_server
自动化:
工作流:
9、RA5202: Unblock sender on email
类型:email
描述:解除对邮件中的发件人的阻止
条件:
MS_email_server
自动化:
工作流:
10、RA5203: Restore quarantined email message
类型:email
描述:恢复隔离的电子邮件
条件:
MS_email_server
自动化:
工作流:
11、RA5301: Restore quarantined file
类型:文件
描述:恢复隔离文件
条件:
DN_zeek_conn_log
自动化:
工作流:
12、RA5401: Unblock blocked process
类型:进程
描述:解除阻塞进程
条件:
DN_zeek_conn_log
自动化:
工作流:
13、RA5501: Enable disabled service
类型:配置
描述:启用禁用的服务
条件:
DN_zeek_conn_log
自动化:
工作流:
14、RA5601: Unlock locked user account
类型:身份
描述:解锁被锁定用户
条件:
DN_zeek_conn_log
自动化:
工作流:
七、经验教训
1、RA6001: Develop incident report
类型:General
描述:编制事件报告
条件:
自动化:
工作流:
使用公司模板开发事件报告。
它应该包括:
1、执行摘要,简要描述损害、采取的措施、根本原因和关键指标(检测时间、响应时间、恢复时间等)
2、对手行动的时间线映射到ATT&CK战术(你可以使用杀戮链,但大多数行动可能是在目标阶段的行动,这不是很有代表性和有用)
3、事件响应小组采取行动的详细时间表
4、根据结论进行根本原因分析并提出改进建议
5、参与事件响应的专家及其角色的列表
2、RA6002: Conduct lessons learned exercise
类型:General
描述:进行经验教训练习
条件:
自动化:
工作流:
经验教训阶段通过每个步骤来评估团队的绩效。该阶段的目标是发现如何改进事件响应流程。
你需要回答一些基本的问题,使用开发的事件报告:
1、发生了什么事?
2、我们做得好的是什么?
3、我们还能做得更好吗?
4、下次我们会有什么不同?
事件报告是改进的关键。