Source: https://atc-project.github.io/atc-react/responsestages/
https://github.com/atc-project/atc-react
0 Principles
The RE&CT framework is designed for accumulating, describing and categorizing actionable Incident Response techniques.
RE&CT's philosophy is based on MITRE's ATT&CK framework.
Columns represent Response Stages.
Cells represent Response Actions.
Main use cases:
1. Prioritization of Incident Response capability development, including skills development, acquisition/deployment of technical measures, internal process development, etc.
2. Gap analysis: determining the "coverage" of existing Incident Response capabilities
Main resources:
The RE&CT Navigator (a modified ATT&CK Navigator) for visualization and seeing the big picture
The auto-generated RE&CT website is the best place to get details on existing analytics
The auto-generated Atlassian Confluence knowledge base, a demonstration of the export capability
Actionable analytics
The ATC RE&CT project inherits the "actionable analytics" paradigm of the ATC project, which means the analytics are:
human-readable (.md) for sharing/using in operations
machine-readable (.yml) for automated processing/integration
executable via an Incident Response platform (currently only TheHive Case templates)
Simply put, the analytics data is stored in .yml files, which are automatically converted into .md documents (with jinja) and .json TheHive Case templates.
Response Actions
A Response Action is a description of a specific atomic procedure/task that has to be executed during Incident Response. It is the initial entity used to construct Response Playbooks.
Each Response Action is mapped to a specific Response Stage.
The first digit of a Response Action ID reflects the stage it belongs to:
1: Preparation
2: Identification
3: Containment
4: Eradication
5: Recovery
6: Lessons Learned
響應(yīng)動作ID的第二個數(shù)字反映了它所屬的類別:
0: General
1: Network
2: Email
3: File
4: Process
5: Configuration
6: Identity
通過使用響應(yīng)動作ID,您可以看到它所屬的階段和類別铐尚。
例如拨脉,RA2202: Collect an email message與階段2(識別)和類別2(電子郵件)有關(guān)。
該分類旨在改進事件響應(yīng)過程成熟度評估和路線圖開發(fā)宣增。
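As an added illustration (not code from the RE&CT project), the following Python decodes a Response Action ID into the stage and category named above and buckets a list of IDs by stage, which is the shape a maturity assessment needs. The function names and the rejection of IDs outside the RAxyzz pattern are my own choices.

```python
import re

# Stage is the first digit after "RA", category the second (RE&CT ID scheme above).
STAGES = {
    "1": "Preparation", "2": "Identification", "3": "Containment",
    "4": "Eradication", "5": "Recovery", "6": "Lessons Learned",
}
CATEGORIES = {
    "0": "General", "1": "Network", "2": "Email", "3": "File",
    "4": "Process", "5": "Configuration", "6": "Identity",
}

# RA + stage digit + category digit + two-digit sequence number, e.g. RA2202.
RA_ID = re.compile(r"^RA(?P<stage>[1-6])(?P<category>[0-6])(?P<seq>\d{2})$")


def parse_ra_id(ra_id: str) -> dict:
    """Split a Response Action ID such as 'RA2202' into its components.

    Raises ValueError for anything that does not follow the RAxyzz scheme, so a
    typo in a playbook (a 7th stage, a missing digit) fails loudly instead of
    landing in the wrong column of a navigator layer.
    """
    m = RA_ID.match(ra_id.strip().upper())
    if not m:
        raise ValueError(f"not a valid Response Action ID: {ra_id!r}")
    return {
        "id": m.group(0),
        "stage": STAGES[m.group("stage")],
        "category": CATEGORIES[m.group("category")],
        "sequence": int(m.group("seq")),
    }


def group_by_stage(ra_ids):
    """Bucket IDs by stage, keeping the order in which they were given."""
    out = {name: [] for name in STAGES.values()}
    for ra in ra_ids:
        out[parse_ra_id(ra)["stage"]].append(ra)
    return out


if __name__ == "__main__":
    print(parse_ra_id("RA2202"))
    print(group_by_stage(["RA1001", "RA2202", "RA3103", "RA2114"]))
```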
響應(yīng)劇本
響應(yīng)劇本是一個事件響應(yīng)計劃玫膀,它代表了一個完整的過程/任務(wù)(響應(yīng)行動)列表,必須執(zhí)行該列表以響應(yīng)特定威脅爹脾,并可選擇映射到MITRE的att&ck或Misinfosec的AMITT框架帖旨。
響應(yīng)劇本可以包括對工作流的描述、特定的條件/需求灵妨、響應(yīng)操作執(zhí)行順序的細節(jié)解阅,或者任何其他相關(guān)信息。
TheHive案例模板
TheHive Case模板是建立在響應(yīng)劇本之上的泌霍。案例模板中的每個任務(wù)都是一個響應(yīng)動作(帶有完整的描述)货抄。
下面是導(dǎo)入的TheHive Case模板的示例:
導(dǎo)入TheHive Case模板,在響應(yīng)劇本上制作(點擊展開)
來源:https://raw.githubusercontent.com/atc-project/atc-react/master/docs/thehive_templates/RP_0001_phishing_email.json
{'customFields': {},
 'metrics': {},
 'tlp': 2,
 'pap': 0,
 'tasks': [{'order': 0,
   'title': '1 | RA1001: Practice',
   'group': 'Preparation',
   'description': 'Make sure that most of the Response Action has been performed on an internal exercise by your Incident Response Team.  \nYou need to make sure that when an Incident will happen, the team will not just try to follow the playbooks they see first time in their lives, but will be able to quickly execute the actual steps in **your environment**, i.e. blocking an IP address or a domain name.  \n'},
   {'order': 1,
   'title': '2 | RA1002: Take trainings',
   'group': 'Preparation',
   'description': '> We do not rise to the level of our expectations. We fall to the level of our training.  \n\nHere are some relevant training courses that will help you in the Incident Response activities:  \n\n1. [Investigation Theory](https://chrissanders.org/training/investigationtheory/) by Chris Sanders. We recommend you to have it as a mandatory training for every member of your Incident Response team  \n2. [Offensive Security](https://www.offensive-security.com/courses-and-certifications/) trainings. We recommend [PWK](https://www.offensive-security.com/pwk-oscp/) to begin with  \n3. [SANS Digital Forensics & Incident Response](https://digital-forensics.sans.org/training/courses) trainings  \n\nOffensive Security trainings are in the list because to fight a threat, you need to understand their motivation, tactics, and techniques.  \n\nAt the same time, we assume that you already have a strong technical background in fundamental disciplines — Networking, Operating Systems, and Programming.  \n'},
   {'order': 2,
   'title': '3 | RA1004: Make personnel report suspicious activity',
   'group': 'Preparation',
   'description': 'Develop a simplified, company-wide known way to contact IR team in case of suspicious activity on the user system.  \nMake sure that the personnel is aware of it, can and will use it.  \n'},
   {'order': 3,
   'title': '4 | RA1003: Raise personnel awareness',
   'group': 'Preparation',
   'description': 'Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of \nsuccessful spearphishing, social engineering, and other techniques that involve user interaction.\n'},
   {'order': 4,
   'title': '5 | RA1101: Access external network flow logs',
   'group': 'Preparation',
   'description': 'Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured.  \nIf there is no option to configure it on a network device, you can install a special software on each endpoint and collect it from them.  \n\nWarning:  \n\n- There is a feature called ["NetFlow Sampling"](https://www.plixer.com/blog/how-accurate-is-sampled-netflow/), that eliminates the value of the Network Flow logs for some of the tasks, such as "check if some host communicated to an external IP". Make sure it\'s disabled or you have an alternative way to collect Network Flow logs  \n'},
   {'order': 5,
   'title': '6 | RA1104: Access external HTTP logs',
   'group': 'Preparation',
   'description': 'Make sure that there is a collection of HTTP connections logs for external communication (from corporate assets to the Internet) configured.  \n'},
   {'order': 6,
   'title': '7 | RA1106: Access external DNS logs',
   'group': 'Preparation',
   'description': "Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured.  \nIf there is no option to configure it on a network device/DNS Server, you can install a special software on each endpoint and collect it from them.  \n\nWarning:  \n\n- Make sure that there are both DNS query and answer logs collected. It's quite hard to configure such a collection on MS Windows DNS server and ISC BIND. Sometimes it much easier to use 3rd party solutions to fulfill this requirement.  \n- Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names.  \n"},
   {'order': 7,
   'title': '8 | RA1111: Get ability to block external IP address',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will allow you to block an external IP address from being accessed by corporate assets.  \n\nWarning:  \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  \n'},
   {'order': 8,
   'title': '9 | RA1113: Get ability to block external domain',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will allow you to block an external domain name from being accessed by corporate assets.  \n\nWarning:  \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  \n'},
   {'order': 9,
   'title': '10 | RA1115: Get ability to block external URL',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will allow you to block an external URL from being accessed by corporate assets.  \n\nWarning:  \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  \n'},
   {'order': 10,
   'title': '11 | RA1201: Get ability to list users opened email message',
   'group': 'Preparation',
   'description': "Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.\n"},
   {'order': 11,
   'title': '12 | RA1202: Get ability to list email message receivers',
   'group': 'Preparation',
   'description': "Make sure you have the ability to list receivers of a particular email message using the Email Server's functionality.\n"},
   {'order': 12,
   'title': '13 | RA1203: Get ability to block email domain',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality.  \n'},
   {'order': 13,
   'title': '14 | RA1204: Get ability to block email sender',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality.  \n'},
   {'order': 14,
   'title': '15 | RA1205: Get ability to delete email message',
   'group': 'Preparation',
   'description': "Make sure you have the ability to delete an email message from an Email Server and users' email boxes using its native functionality.\n"},
   {'order': 15,
   'title': '16 | RA1206: Get ability to quarantine email message',
   'group': 'Preparation',
   'description': 'Make sure you have the ability to quarantine an email message on an Email Server using its native functionality.  \n'},
   {'order': 16,
   'title': '17 | RA2003: Put compromised accounts on monitoring',
   'group': 'Identification',
   'description': 'Start monitoring for authentication attempts and all potentially harmful actions from (potentially) compromised accounts.  \nLook for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before.  \nKeep in touch with the real users and, in case of need, ask them if they are executing some suspicious actions by themselves or not.  \n'},
   {'order': 17,
   'title': '18 | RA2113: List hosts communicated with external domain',
   'group': 'Identification',
   'description': 'List hosts communicated with an external domain using the most efficient way.  \n'},
   {'order': 18,
   'title': '19 | RA2114: List hosts communicated with external IP',
   'group': 'Identification',
   'description': 'List hosts communicated with an external IP address using the most efficient way.  \n'},
   {'order': 19,
   'title': '20 | RA2115: List hosts communicated with external URL',
   'group': 'Identification',
   'description': 'List hosts communicated with an external URL using the most efficient way.  '},
   {'order': 20,
   'title': '21 | RA2201: List users opened email message',
   'group': 'Identification',
   'description': "List users who opened/read a particular email message using the Email Server's functionality.  \n"},
   {'order': 21,
   'title': '22 | RA2202: Collect email message',
   'group': 'Identification',
   'description': 'Collect an email message using the most appropriate option:  \n\n- Email Team/Email server: if there is such option  \n- The person that reported the attack (if it wasn\'t detected automatically or reported by victims)  \n- Victims: if they reported the attack  \n- Following the local computer forensic evidence collection procedure, if the situation requires it\n\nAsk for the email in `.EML` format. Instructions:  \n\n  1. Drag and drop email from Email client to Desktop  \n  2. Archive with password "infected" and send to IR specialists by email  \n'},
   {'order': 22,
   'title': '23 | RA2203: List email message receivers',
   'group': 'Identification',
   'description': "List receivers of a particular email message using the Email Server's functionality.  "},
   {'order': 23,
   'title': '24 | RA2204: Make sure email message is phishing',
   'group': 'Identification',
   'description': 'Check an email and its metadata for evidences of phishing attack:  \n\n- **Impersonalisation attempts**: sender is trying to identify himself as somebody he is not  \n- **Suspicious askings or offers**: download "invoice", click on link with something important etc  \n- **Psychological manipulations**: invoking a sense of urgency or fear is a common phishing tactic  \n- **Spelling mistakes**: legitimate messages usually don\'t have spelling mistakes or poor grammar  \n\nExplore references of the article to make yourself familiar with phishing attacks history and examples.  \n'},
   {'order': 24,
   'title': '25 | RA2205: Extract observables from email message',
   'group': 'Identification',
   'description': 'Extract the data for further response steps:  \n\n- attachments (using munpack tool: `munpack email.eml`)  \n- from, to, cc  \n- subject of the email  \n- received servers path  \n- list of URLs from the text content of the mail body and attachments  \n\nThis Response Action could be automated with [TheHive EmlParser](https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/).  \n'},
   {'order': 25,
   'title': '26 | RA3101: Block external IP address',
   'group': 'Containment',
   'description': "Block an external IP address from being accessed by corporate assets, using the most efficient way.  \n\nWarning:  \n\n- Be careful blocking IP addresses. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster IP address, you should block (if applicable) a specific URL using alternative Response Action  \n"},
   {'order': 26,
   'title': '27 | RA3103: Block external domain',
   'group': 'Containment',
   'description': "Block an external domain name from being accessed by corporate assets, using the most efficient way.  \n\nWarning:  \n\n- Be careful blocking domain names. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster domain, you should block (if applicable) a specific URL using alternative Response Action  \n"},
   {'order': 27,
   'title': '28 | RA3105: Block external URL',
   'group': 'Containment',
   'description': 'Block an external URL from being accessed by corporate assets, using the most efficient way.  \n'},
   {'order': 28,
   'title': '29 | RA3201: Block domain on email',
   'group': 'Containment',
   'description': 'Block a domain name on an Email Server using its native filtering functionality.  \n'},
   {'order': 29,
   'title': '30 | RA3202: Block sender on email',
   'group': 'Containment',
   'description': 'Block an email sender on an Email Server using its native filtering functionality.  \n'},
   {'order': 30,
   'title': '31 | RA3203: Quarantine email message',
   'group': 'Containment',
   'description': 'Quarantine an email message on an Email Server using its native functionality.  \n'},
   {'order': 31,
   'title': '32 | RA4001: Report incident to external companies',
   'group': 'Eradication',
   'description': "Report incident to external security companies, i.e. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/).  \nProvide all Indicators of Compromise and Indicators of Attack that have been observed.  \n\nA phishing attack could be reported to:  \n\n1. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/)  \n2. [U.S. government-operated website](http://www.us-cert.gov/nav/report_phishing.html)  \n3. [Anti-Phishing Working Group (APWG)](http://antiphishing.org/report-phishing/)  \n4. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)  \n5. [The FBI's Internet Crime Complaint Center (IC3)](https://www.ic3.gov/default.aspx)  \n\nThis Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/).  \n"},
   {'order': 32,
   'title': '33 | RA4201: Delete email message',
   'group': 'Eradication',
   'description': "Delete an email message from an Email Server and users' email boxes using its native functionality.\n"},
   {'order': 33,
   'title': '34 | RA5101: Unblock blocked IP',
   'group': 'Recovery',
   'description': 'Unblock a blocked IP address in the system(s) used to block it.  \n'},
   {'order': 34,
   'title': '35 | RA5102: Unblock blocked domain',
   'group': 'Recovery',
   'description': 'Unblock a blocked domain name in the system(s) used to block it.  \n'},
   {'order': 35,
   'title': '36 | RA5103: Unblock blocked URL',
   'group': 'Recovery',
   'description': 'Unblock a blocked URL in the system(s) used to block it.  \n'},
   {'order': 36,
   'title': '37 | RA5201: Unblock domain on email',
   'group': 'Recovery',
   'description': 'Unblock an email domain on an Email Server using its native functionality.  \n'},
   {'order': 37,
   'title': '38 | RA5202: Unblock sender on email',
   'group': 'Recovery',
   'description': 'Unblock an email sender on an Email Server using its native functionality.  \n'},
   {'order': 38,
   'title': '39 | RA5203: Restore quarantined email message',
   'group': 'Recovery',
   'description': 'Restore a quarantined email message on an Email Server using its native functionality.  \n'},
   {'order': 39,
   'title': '40 | RA6001: Develop incident report',
   'group': 'Lessons Learned',
   'description': 'Develop the Incident Report using your corporate template.  \n\nIt should include:  \n\n1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc)  \n2. Detailed timeline of adversary actions mapped to [ATT&CK tactics](https://attack.mitre.org/tactics/enterprise/) (you can use the [Kill Chain](https://en.wikipedia.org/wiki/Kill_chain), but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful)  \n3. Detailed timeline of actions taken by Incident Response Team  \n4. Root Cause Analysis and Recommendations for improvements based on its conclusion  \n5. List of specialists involved in Incident Response with their roles  \n'},
   {'order': 40,
   'title': '41 | RA6002: Conduct lessons learned exercise',
   'group': 'Lessons Learned',
   'description': "The Lessons Learned phase evaluates the team's performance through each step. \nThe goal of the phase is to discover how to improve the incident response process.  \nYou need to answer some basic questions, using developed incident report:  \n\n- What happened?  \n- What did we do well?  \n- What could we have done better?  \n- What will we do differently next time?  \n\nThe incident report is the key to improvements.  \n"}],
 'description': 'Response playbook for Phishing Email case\n\nWorkflow:\n\n1. Execute Response Actions step by step. Some of them directly connected, which means you will not be able to move forward not finishing the previous step. Some of them are redundant, as those that are related to the blocking a threat using network filtering systems (containment stage)\n2. Start executing containment and eradication stages concurrently with next identification steps, as soon as you will receive information about malicious hosts\n3. If phishing led to code execution or remote access to victim host, immediately start executing Generic Post Exploitation Incident Response Playbook\n4. Save all timestamps of implemented actions in Incident Report draft on the fly, it will save a lot of time\n',
 'name': 'RP0001: Phishing email',
 'status': 'Ok',
 'severity': 2,
 'titlePrefix': '',
 'tags': ['attack.initial_access',
   'attack.t1566.001',
   'attack.t1566.002',
   'phishing']}
A single task in a TheHive case, built on top of a Response Action (click to expand).
TheHive Case templates can be found in the docs/thehive_templates directory and can be imported into TheHive through its web interface.
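The .yml to TheHive .json step described under "Actionable analytics" can be illustrated with the following added Python, which is not the project's own generator. It takes a playbook and its Response Actions (constructed sample data; the field names mirror the imported template above rather than the project's YAML schema) and emits a Case template with the same order/title/group structure as RP0001, plus a minimal markdown rendering of the same playbook. The stage name for each task is derived from the first digit of its ID, as the ID scheme above defines.

```python
import json

STAGES = {"1": "Preparation", "2": "Identification", "3": "Containment",
          "4": "Eradication", "5": "Recovery", "6": "Lessons Learned"}

# Constructed sample: what three Response Action .yml files might parse to.
SAMPLE_ACTIONS = {
    "RA1001": {"title": "Practice",
               "description": "Make sure that most of the Response Actions have been performed on an internal exercise."},
    "RA2202": {"title": "Collect email message",
               "description": "Collect an email message using the most appropriate option."},
    "RA3103": {"title": "Block external domain",
               "description": "Block an external domain name from being accessed by corporate assets."},
}

# Constructed sample playbook referencing those actions in execution order.
SAMPLE_PLAYBOOK = {
    "id": "RP0001",
    "title": "Phishing email",
    "description": "Response playbook for Phishing Email case",
    "tags": ["attack.initial_access", "attack.t1566.001", "phishing"],
    "steps": ["RA1001", "RA2202", "RA3103"],
}


def stage_of(ra_id):
    """Stage name from the first digit after 'RA' (e.g. RA2202 -> Identification)."""
    return STAGES[ra_id[2]]


def build_case_template(playbook, actions, tlp=2, pap=0, severity=2):
    """Assemble a TheHive Case template dict in the shape shown above."""
    tasks = []
    for order, ra_id in enumerate(playbook["steps"]):
        ra = actions.get(ra_id)
        if ra is None:  # a dangling reference would otherwise import as an empty task
            raise ValueError(f"{playbook['id']} references unknown Response Action {ra_id}")
        tasks.append({
            "order": order,
            "title": f"{order + 1} | {ra_id}: {ra['title']}",
            "group": stage_of(ra_id),
            "description": ra["description"],
        })
    return {
        "customFields": {}, "metrics": {}, "tlp": tlp, "pap": pap,
        "tasks": tasks,
        "description": playbook["description"],
        "name": f"{playbook['id']}: {playbook['title']}",
        "status": "Ok", "severity": severity, "titlePrefix": "",
        "tags": list(playbook["tags"]),
    }


def template_json(playbook, actions):
    """The importable .json text (TheHive wants real JSON, not a Python repr)."""
    return json.dumps(build_case_template(playbook, actions), indent=2)


def render_markdown(playbook, actions):
    """Human-readable (.md) view of the same playbook."""
    lines = [f"# {playbook['id']}: {playbook['title']}", "",
             playbook["description"], "", "## Workflow", ""]
    for n, ra_id in enumerate(playbook["steps"], 1):
        lines.append(f"{n}. **{ra_id}: {actions[ra_id]['title']}** ({stage_of(ra_id)})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(template_json(SAMPLE_PLAYBOOK, SAMPLE_ACTIONS))
    print(render_markdown(SAMPLE_PLAYBOOK, SAMPLE_ACTIONS))
```

Because the task title embeds both the sequence number and the RA ID, an analyst working the case in TheHive can still trace every task back to its Response Action page after import.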
I. Response Stages
1. Preparation
Get prepared for a security incident.
2. Identification
Gather information about the threat that triggered the security incident, its TTPs and the affected assets.
3. Containment
Prevent the threat from achieving its objectives and/or spreading through the environment.
4. Eradication
Remove the threat from the environment.
5. Recovery
Recover from the incident and return all assets to normal operation.
6. Lessons Learned
Learn how to improve the Incident Response process and implement the improvements.
II. Preparation
1. RA1001: Practice
Description: Practice in the real environment. Reinforce Response Actions within the organization.
Make sure that most of the Response Actions have been performed on an internal exercise by your Incident Response Team.
You need to make sure that when an incident happens, the team will not just try to follow playbooks they are seeing for the first time in their lives, but will be able to quickly execute the actual steps in your environment, e.g. blocking an IP address or a domain name.
2. RA1002: Take trainings
Description: Take training courses to obtain the relevant knowledge
We do not rise to the level of our expectations. We fall to the level of our training.
Here are some relevant training courses that will help you in Incident Response activities:
(1) Investigation Theory by Chris Sanders. We recommend making it mandatory training for every member of your Incident Response team
(2) Offensive Security trainings. We recommend starting with PWK
(3) SANS Digital Forensics & Incident Response trainings
Offensive Security trainings are on the list because to fight a threat, you need to understand their motivation, tactics and techniques.
At the same time, we assume that you already have a strong technical background in the fundamental disciplines (Networking, Operating Systems and Programming).
3. RA1003: Raise personnel awareness
Description: Raise personnel awareness of phishing, ransomware, social engineering and other attacks that involve user interaction
Train users to be aware of access or manipulation attempts by an adversary, to reduce the risk of successful spearphishing, social engineering and other techniques that involve user interaction.
4. RA1004: Make personnel report suspicious activity
Description: Make sure personnel will report suspicious activity, such as suspicious emails, links, files, activity on their computers, etc.
Develop a simplified, company-wide known way to contact the IR team in case of suspicious activity on a user's system.
Make sure that personnel are aware of it, can use it and will use it.
5. RA1005: Set up relevant data collection
Description: Usually, data collection is managed by the Log Management / Security Monitoring / Threat Detection team. You need to provide them with a list of the data that is critical for the IR process. In most cases, data such as DNS and DHCP logs is not collected because of its low detection value. You can use the existing Response Actions (Preparation stage) as a reference to develop the list
Describe the Response Action's workflow in markdown format.
Line breaks will be preserved here.
6. RA1006: Set up a centralized long-term log storage
Description: Set up a centralized long-term log storage. This is one of the most critical problems companies face today. Even where such a system exists, in most cases it stores irrelevant data or the retention period is too short
Describe the Response Action's workflow in markdown format.
Line breaks will be preserved here.
7. RA1007: Develop communication map
Description: Develop a communication map for internal (C-level, managers of other departments and technical specialists who may be involved in the IR process) and external (law enforcement, CERTs, the subject-matter experts you lack, etc.) communication.
Describe the Response Action's workflow in markdown format.
Line breaks will be preserved here.
8. RA1008: Make sure there are backups
Description: Make sure there are online and offline backups. Make sure they work. In the case of a successful ransomware worm attack, this is the only thing that will help you protect your most critical data
9. RA1009: Get network architecture map
Description: Get a network architecture map. Usually it is managed by the Network Security team. It will help you choose a containment strategy, e.g. isolating a specific network segment
10. RA1010: Get access control matrix
Description: Get the access control matrix. Usually it is managed by the Network Security team. It will help you identify adversary opportunities, such as lateral movement, etc.
11. RA1011: Develop assets knowledge base
Description: Develop an assets knowledge base. It will help you compare observed activity with the normal activity profile of a specific host, user or network segment
12. RA1012: Check analysis toolset
Description: Make sure the toolset you use for analysis and management is up to date and fully operational. Make sure all required permissions have been granted
13. RA1013: Access vulnerability management system logs
Description: Get access to vulnerability management system logs. They will help identify which vulnerabilities a specific host had at a specific time in the past
14. RA1014: Connect with trusted communities
Description: Connect with trusted communities to exchange information
Other requirements:
A MISP connection with other teams, or working on another organization's MISP instance
Mailing lists
Slack channels
15. RA1101: Access external network flow logs
Category: Network
Description: Make sure you have access to Network Flow logs for external communication
Requirements:
MS_border_firewall
MS_border_ngfw
DN_zeek_conn_log
Workflow:
Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured.
If there is no option to configure it on a network device, you can install special software on each endpoint and collect the logs from there.
Warning:
There is a feature called "NetFlow Sampling" that eliminates the value of Network Flow logs for some tasks, such as "check whether some host communicated with an external IP". Make sure it is disabled, or that you have an alternative way to collect Network Flow logs
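The requirement lists (MS_* mitigation systems, DN_* data needed) attached to each Response Action make the gap-analysis use case from the introduction mechanical. The following added Python (not part of RE&CT) takes a constructed inventory of what an organization operates and reports which Response Actions it can actually execute, per category, and which missing systems would close the most gaps. It treats each requirement list as alternatives (any one item suffices), which matches the "in one of the listed Mitigation Systems" wording of the workflows on this page; that reading is my assumption, not a rule the project states.

```python
# Constructed inventory: the mitigation systems (MS_*) and data sources (DN_*)
# this organization actually operates.
AVAILABLE = {"MS_border_firewall", "MS_email_server", "DN_zeek_conn_log"}

# Subset of Response Actions with the requirement lists as given on this page.
ACTIONS = {
    "RA1101": {"title": "Access external network flow logs",
               "requirements": ["MS_border_firewall", "MS_border_ngfw", "DN_zeek_conn_log"]},
    "RA1102": {"title": "Access internal network flow logs",
               "requirements": ["DN_zeek_conn_log"]},
    "RA1104": {"title": "Access external HTTP logs",
               "requirements": ["MS_border_proxy", "MS_border_ngfw", "DN_zeek_http_log"]},
    "RA1113": {"title": "Get ability to block external domain",
               "requirements": ["MS_border_proxy", "MS_border_ips", "MS_border_ngfw", "MS_dns_server"]},
    "RA1203": {"title": "Get ability to block email domain",
               "requirements": ["MS_email_server"]},
}

CATEGORIES = {"0": "General", "1": "Network", "2": "Email", "3": "File",
              "4": "Process", "5": "Configuration", "6": "Identity"}


def coverage(actions, available):
    """Split actions into covered (with the items that satisfy them) and gaps
    (with everything that would). Assumption: any one listed item suffices."""
    covered, gaps = {}, {}
    for ra_id, ra in actions.items():
        have = [req for req in ra["requirements"] if req in available]
        if have:
            covered[ra_id] = have
        else:
            gaps[ra_id] = list(ra["requirements"])
    return covered, gaps


def coverage_by_category(actions, available):
    """Per-category counts: the numbers a RE&CT Navigator layer would colour."""
    covered, _ = coverage(actions, available)
    summary = {}
    for ra_id in actions:
        cat = CATEGORIES[ra_id[3]]          # second digit after "RA" is the category
        entry = summary.setdefault(cat, {"covered": 0, "total": 0})
        entry["total"] += 1
        entry["covered"] += ra_id in covered
    return summary


def cheapest_fixes(actions, available):
    """Rank missing items by how many uncovered actions each one would unlock,
    a prioritization hint for the capability-development use case above."""
    _, gaps = coverage(actions, available)
    score = {}
    for reqs in gaps.values():
        for req in reqs:
            score[req] = score.get(req, 0) + 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    covered, gaps = coverage(ACTIONS, AVAILABLE)
    print("covered:", covered)
    print("gaps:", gaps)
    print("by category:", coverage_by_category(ACTIONS, AVAILABLE))
    print("fix first:", cheapest_fixes(ACTIONS, AVAILABLE))
```

With the constructed inventory, both blocking-oriented network actions are gaps, and the ranking shows that deploying either a border proxy or a border NGFW would close both at once.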
16. RA1102: Access internal network flow logs
Category: Network
Description: Make sure you have access to Network Flow logs for internal communication
Requirements:
DN_zeek_conn_log
17. RA1103: Access internal HTTP logs
Category: Network
Description: Make sure you have access to HTTP logs for internal communication
18. RA1104: Access external HTTP logs
Category: Network
Description: Make sure you have access to HTTP logs for external communication
Requirements:
MS_border_proxy
MS_border_ngfw
DN_zeek_http_log
Make sure that there is a collection of HTTP connection logs for external communication (from corporate assets to the Internet) configured.
19. RA1105: Access internal DNS logs
Category: Network
Description: Make sure you have access to DNS logs for internal communication
Requirements:
DN_zeek_dns_log
20. RA1106: Access external DNS logs
Category: Network
Description: Make sure you have access to DNS logs for external communication
Requirements:
MS_dns_server
DN_zeek_dns_log
Workflow:
Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured.
If there is no option to configure it on a network device/DNS server, you can install special software on each endpoint and collect the logs from there.
Warning:
Make sure that both DNS query and answer logs are collected. It is quite hard to configure such collection on MS Windows DNS Server and ISC BIND. Sometimes it is much easier to use a third-party solution to fulfill this requirement.
Make sure that DNS traffic to external (public) DNS servers is blocked by the border firewall. This way, the corporate DNS servers are the only place where assets can resolve domain names.
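The warning that the corporate DNS servers should be the only resolvers is easy to verify once conn.log data (DN_zeek_conn_log) is available. This added Python, which is not part of RE&CT or of Zeek, parses a few constructed Zeek conn.log lines, flags internal hosts that send DNS anywhere other than the corporate resolvers, and also answers the RA2114 question from the Phishing playbook above (which hosts talked to a given external IP). The sample log, the resolver set and the function names are mine.

```python
import ipaddress

# Constructed Zeek conn.log excerpt: tab-separated, with the "#fields" header Zeek writes.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1590000000.100\tCa1\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\tdns",
    "1590000001.200\tCa2\t10.0.0.7\t40123\t8.8.8.8\t53\tudp\tdns",
    "1590000002.300\tCa3\t10.0.0.5\t40124\t203.0.113.10\t443\ttcp\tssl",
    "1590000003.400\tCa4\t10.0.0.9\t40125\t203.0.113.10\t80\ttcp\thttp",
    "1590000004.500\tCa5\t10.0.0.9\t40126\t10.0.0.53\t53\ttcp\tdns",
])

# Constructed: the resolvers corporate assets are supposed to use.
CORPORATE_DNS = {"10.0.0.53"}


def parse_conn_log(text):
    """Turn Zeek's TSV into dicts keyed by the names in the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other Zeek comment lines and blanks
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_external(ip):
    """Globally routable address (ipaddress also treats documentation and other
    reserved ranges as non-global, so the check is conservative)."""
    return ipaddress.ip_address(ip).is_global


def dns_resolver_bypass(rows, corporate_dns=CORPORATE_DNS):
    """Internal hosts sending DNS (port 53) to anything but the corporate resolvers.

    Returns sorted (client, resolver, external) tuples; 'external' says whether the
    border-firewall rule from the warning above should have blocked that flow."""
    hits = set()
    for r in rows:
        if r["id.resp_p"] == "53" and r["id.resp_h"] not in corporate_dns:
            hits.add((r["id.orig_h"], r["id.resp_h"], is_external(r["id.resp_h"])))
    return sorted(hits)


def hosts_communicated_with(rows, external_ip):
    """RA2114: the internal hosts that talked to a given external IP."""
    return sorted({r["id.orig_h"] for r in rows if r["id.resp_h"] == external_ip})


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("resolver bypass:", dns_resolver_bypass(rows))
    print("talked to 203.0.113.10:", hosts_communicated_with(rows, "203.0.113.10"))
```

A non-empty bypass list is evidence that the border rule is missing or that some assets reach the Internet around it, which is exactly the caveat the "Get ability to block" actions below warn about.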
21. RA1107: Access VPN logs
Category: Network
Description: Make sure you have access to VPN logs
22. RA1108: Access DHCP logs
Category: Network
Description: Make sure you have access to DHCP logs
23. RA1109: Access internal packet capture data
Category: Network
Description: Make sure you have access to packet capture data for internal communication
24. RA1110: Access external packet capture data
Category: Network
Description: Make sure you have access to packet capture data for external communication
25. RA1111: Get ability to block external IP address
Category: Network
Description: Make sure you have the ability to block an external IP address from being accessed by corporate assets
26. RA1112: Get ability to block internal IP address
Category: Network
Description: Make sure you have the ability to block an internal IP address from being accessed by corporate assets
Requirements:
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
27. RA1113: Get ability to block external domain
Category: Network
Description: Make sure you have the ability to block an external domain name from being accessed by corporate assets
Requirements:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
Workflow:
Make sure you have the ability to create a policy rule or a specific configuration in one of the listed mitigation systems that blocks an external domain name from being accessed by corporate assets.
Warning:
Make sure that, using the listed systems (one or several), you can control Internet access for all assets in the infrastructure. In some cases you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some assets are not under the management of the listed mitigation systems (so they can reach the Internet bypassing these systems), the final objective of the Response Action cannot be fully achieved.
28. RA1114: Get ability to block internal domain
Category: Network
Description: Make sure you have the ability to block an internal domain name from being accessed by corporate assets
29. RA1115: Get ability to block external URL
Category: Network
Description: Make sure you have the ability to block an external URL from being accessed by corporate assets
Requirements:
MS_border_proxy
MS_border_ips
MS_border_ngfw
Workflow:
Make sure you have the ability to create a policy rule or a specific configuration in one of the listed mitigation systems that blocks an external URL from being accessed by corporate assets.
Warning:
Make sure that, using the listed systems (one or several), you can control Internet access for all assets in the infrastructure. In some cases you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some assets are not under the management of the listed mitigation systems (so they can reach the Internet bypassing these systems), the final objective of the Response Action cannot be fully achieved.
30. RA1116: Get ability to block internal URL
Category: Network
Description: Make sure you have the ability to block an internal URL from being accessed by corporate assets
Requirements:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_dns_server
31. RA1117: Get ability to block port external communication
Category: Network
Description: Make sure you have the ability to block external communication on a network port
Requirements:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
32. RA1118: Get ability to block port internal communication
Category: Network
Description: Make sure you have the ability to block internal communication on a network port
Requirements:
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
33. RA1119: Get ability to block user external communication
Category: Network
Description: Make sure you have the ability to block a user's external communication
Requirements:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_nac
34. RA1120: Get ability to block user internal communication
Category: Network
Description: Make sure you have the ability to block a user's internal communication
Requirements:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
35. RA1121: Get ability to find data transferred by content pattern
Category: Network
Description: Make sure you have the ability to find data transferred at a specific time in the past by its content pattern (i.e. specific strings, keywords, binary patterns, etc.)
Requirements:
36. RA1122: Get ability to block data transferring by content pattern
Category: Network
Description: Make sure you have the ability to block data transfers by content pattern (i.e. specific strings, keywords, binary patterns, etc.).
Requirements:
DN_zeek_conn_log
37. RA1123: Get ability to list data transferred
Category: Network
Description: Make sure you have the ability to list data being transferred currently or at a specific time in the past
Requirements:
DN_zeek_conn_log
38. RA1124: Get ability to collect transferred data
Category: Network
Description: Make sure you have the ability to collect data being transferred currently or at a specific time in the past
Requirements:
39. RA1125: Get ability to identify transferred data
Category: Network
Description: Make sure you have the ability to identify data being transferred currently or at a specific time in the past (i.e. its content and value)
Requirements:
DN_zeek_conn_log
40. RA1126: Find data transferred by content pattern
Category: Network
Description: Make sure you have the ability to find data transferred currently or at a specific time in the past by its content pattern
Requirements:
DN_zeek_conn_log
41. RA1127: Get ability to analyse user-agent
Category: Network
Description: Make sure you have the ability to analyse a User-Agent request header
Requirements:
42. RA1201: Get ability to list users opened email message
Category: Email
Description: Make sure you have the ability to list the users who opened a particular email message
Requirements: MS_email_server
Workflow:
Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.
43. RA1202: Get ability to list email message receivers
Category: Email
Description: Make sure you have the ability to list the receivers of a particular email message
Requirements: MS_email_server
Workflow:
Make sure you have the ability to list the receivers of a particular email message using the Email Server's functionality.
44. RA1203: Get ability to block email domain
Category: Email
Description: Make sure you have the ability to block an email domain
Requirements: MS_email_server
Workflow:
Make sure you have the ability to block an email domain on the Email Server using its native filtering functionality.
45. RA1204: Get ability to block email sender
Category: Email
Description: Make sure you have the ability to block an email sender
Requirements: MS_email_server
Workflow:
Make sure you have the ability to block an email sender on the Email Server using its native filtering functionality.
46. RA1205: Get ability to delete email message
Category: Email
Description: Make sure you have the ability to delete an email message
Requirements: MS_email_server
Workflow:
Make sure you have the ability to delete an email message from the Email Server and from users' mailboxes using its native functionality.
47. RA1206: Get ability to quarantine email message
Category: Email
Description: Make sure you have the ability to quarantine an email message
Requirements: MS_email_server
Workflow:
Make sure you have the ability to quarantine an email message on the Email Server using its native functionality.
48. RA1207: Get ability to collect email message
Category: Email
Description: Make sure you have the ability to collect an email message
Requirements: DN_zeek_conn_log
Workflow:
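RA1207 above only asks for the ability to collect an email; the RA2205 task in the Phishing template then extracts observables from it (attachments via munpack, from/to/cc, subject, the Received path, URLs in body and attachments). As an added example that is not part of RE&CT, the following Python performs that RA2205 extraction on a constructed .EML using the standard library's `email` package instead of munpack. The message, its addresses, the relay IPs and the attachment are constructed sample data; the function names are mine.

```python
import hashlib
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (documentation names, addresses and IPs).
SAMPLE_EML = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7]) by mail.corp.example; Mon, 1 Jun 2020 10:00:02 +0000
Received: from relay.example.org ([203.0.113.25]) by mx2.example.net; Mon, 1 Jun 2020 10:00:01 +0000
From: "Accounts" <billing@example.org>
To: alice@corp.example
Cc: bob@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your invoice at http://invoice.example.org/view?id=42 today.

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
HOP_RE = re.compile(r"from\s+([^\s;]+).*?\bby\s+([^\s;]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def addresses(header):
    """addr_spec list for an address header, [] when the header is absent."""
    return [a.addr_spec for a in header.addresses] if header is not None else []


def received_path(msg):
    """Relay hops oldest first (Received headers are prepended, so reverse them)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(raw))
        if m:
            hops.append({"from": m.group(1), "by": m.group(2),
                         "ips": IP_RE.findall(str(raw))})
    return hops


def extract_observables(eml_text):
    """The RA2205 data set: addresses, subject, received path, URLs, attachments."""
    msg = message_from_string(eml_text, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):          # text attachments: scan them for URLs too
            text += "\n" + data
            data = data.encode("utf-8")
        attachments.append({"name": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "from": addresses(msg["From"]),
        "to": addresses(msg["To"]),
        "cc": addresses(msg["Cc"]),
        "subject": str(msg["Subject"] or ""),
        "received_path": received_path(msg),
        "urls": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in extract_observables(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Hashing the decoded attachment rather than writing it to disk keeps the analyst's workstation out of the picture, and the SHA-256 plus the URLs are the values that feed the block/quarantine actions in the Containment stage.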
49. RA1208: Get ability to analyse email address
Category: Email
Description: Make sure you have the ability to analyse an email address
Requirements:
Workflow:
50. RA1301: Get ability to list files created
Category: File
Description: Make sure you have the ability to list files created at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
51. RA1302: Get ability to list files modified
Category: File
Description: Make sure you have the ability to list files modified at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
52. RA1303: Get ability to list files deleted
Category: File
Description: Make sure you have the ability to list files deleted at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
53. RA1304: Get ability to list files downloaded
Category: File
Description: Make sure you have the ability to list files downloaded from the Internet at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
54. RA1305: Get ability to list files with tampered timestamps
Category: File
Description: Make sure you have the ability to list files with tampered timestamps
Requirements: DN_zeek_conn_log
Workflow:
55. RA1306: Get ability to find file by path
Category: File
Description: Make sure you have the ability to find a file by its path (including its name)
Requirements: DN_zeek_conn_log
Workflow:
56. RA1307: Get ability to find file by metadata
Category: File
Description: Make sure you have the ability to find a file by its metadata (e.g. signature, permissions, MAC times)
Requirements: DN_zeek_conn_log
Workflow:
57. RA1308: Get ability to find file by hash
Category: File
Description: Make sure you have the ability to find a file by its hash
Requirements: DN_zeek_conn_log
Workflow:
58. RA1309: Get ability to find file by format
Category: File
Description: Make sure you have the ability to find a file by its format
Requirements: DN_zeek_conn_log
Workflow:
59. RA1310: Get ability to find file by content pattern
Category: File
Description: Make sure you have the ability to find a file by its content pattern (i.e. specific strings, keywords, binary patterns, etc.)
Requirements: DN_zeek_conn_log
Workflow:
60. RA1311: Get ability to collect file
Category: File
Description: Make sure you have the ability to collect a specific file from a (remote) host or system
Requirements: DN_zeek_conn_log
Workflow:
61. RA1312: Get ability to quarantine file by path
Category: File
Description: Make sure you have the ability to block a file from being accessed by its path (including its name)
Requirements: DN_zeek_conn_log
Workflow:
62. RA1313: Get ability to quarantine file by hash
Category: File
Description: Make sure you have the ability to block a file from being accessed by its hash
Requirements: DN_zeek_conn_log
Workflow:
63. RA1314: Get ability to quarantine file by format
Category: File
Description: Make sure you have the ability to block a file from being accessed by its format
Requirements: DN_zeek_conn_log
Workflow:
64. RA1315: Get ability to quarantine file by content pattern
Category: File
Description: Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific strings, keywords, binary patterns, etc.)
Requirements: DN_zeek_conn_log
Workflow:
65. RA1316: Get ability to remove file
Category: File
Description: Make sure you have the ability to remove a specific file from a (remote) host or system
Requirements: DN_zeek_conn_log
Workflow:
66. RA1317: Get ability to analyse file hash
Category: File
Description: Make sure you have the ability to analyse a file hash
Requirements:
Workflow:
67. RA1318: Get ability to analyse Windows PE
Category: File
Description: Make sure you have the ability to analyse Windows Portable Executable files
Requirements:
Workflow:
68. RA1319: Get ability to analyse macos macho
Category: File
Description: Make sure you have the ability to analyse macOS Mach-O files
Requirements:
Workflow:
69. RA1320: Get ability to analyse Unix ELF
Category: File
Description: Make sure you have the ability to analyse Unix ELF files
Requirements:
Workflow:
70. RA1321: Get ability to analyse MS office file
Category: File
Description: Make sure you have the ability to analyse Microsoft Office files
Requirements:
Workflow:
71. RA1322: Get ability to analyse PDF file
Category: File
Description: Make sure you have the ability to analyse PDF files
Requirements:
Workflow:
72. RA1323: Get ability to analyse script
Category: File
Description: Make sure you have the ability to analyse script files (e.g. Python, PowerShell, Bash scripts, etc.)
Requirements:
Workflow:
73. RA1324: Get ability to analyse jar
Category: File
Description: Make sure you have the ability to analyse JAR files
Requirements:
Workflow:
74. RA1325: Get ability to analyse filename
Category: File
Description: Make sure you have the ability to analyse a file name
Requirements:
Workflow:
75. RA1401: Get ability to list processes executed
Category: Process
Description: Make sure you have the ability to list processes executing currently or at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
76. RA1402: Get ability to find process by executable path
Category: Process
Description: Make sure you have the ability to find a process executed at a specific time in the past by its executable path (including its name)
Requirements: DN_zeek_conn_log
Workflow:
77. RA1403: Get ability to find process by executable metadata
Category: Process
Description: Make sure you have the ability to find a process executed at a specific time in the past by its executable's metadata (i.e. signature, permissions, MAC times).
Requirements: DN_zeek_conn_log
Workflow:
78. RA1404: Get ability to find process by executable hash
Category: Process
Description: Make sure you have the ability to find a process executed at a specific time in the past by its executable's hash.
Requirements: DN_zeek_conn_log
Workflow:
79. RA1405: Get ability to find process by executable format
Category: Process
Description: Make sure you have the ability to find a process executed at a specific time in the past by its executable's format.
Requirements: DN_zeek_conn_log
Workflow:
80. RA1406: Get ability to find process by executable content pattern
Category: Process
Description: Make sure you have the ability to find a process executed at a specific time in the past by its executable's content pattern (i.e. specific strings, keywords, binary patterns, etc.)
Requirements: DN_zeek_conn_log
Workflow:
81. RA1407: Get ability to block process by executable path
Category: Process
Description: Make sure you have the ability to block a process by its executable path (including its name)
Requirements: DN_zeek_conn_log
Workflow:
82. RA1408: Get ability to block process by executable metadata
Category: Process
Description: Make sure you have the ability to block a process by its executable's metadata (e.g. signature, permissions, MAC times)
Requirements: DN_zeek_conn_log
Workflow:
83. RA1409: Get ability to block process by executable hash
Category: Process
Description: Make sure you have the ability to block a process by its executable's hash
Requirements: DN_zeek_conn_log
Workflow:
84. RA1410: Get ability to block process by executable format
Category: Process
Description: Make sure you have the ability to block a process by its executable's format
Requirements: DN_zeek_conn_log
Workflow:
85. RA1411: Get ability to block process by executable content pattern
Category: Process
Description: Make sure you have the ability to block a process by its executable's content pattern (e.g. specific strings, keywords, binary patterns, etc.).
Requirements: DN_zeek_conn_log
Workflow:
86. RA1501: Manage remote computer management system policies
Category: Configuration
Description: Make sure you have the ability to manage the policies of the remote computer management system
Requirements:
Workflow:
87. RA1502: Get ability to list registry keys modified
Category: Configuration
Description: Make sure you have the ability to list registry keys modified at a specific time in the past
Requirements:
Workflow:
88. RA1503: Get ability to list registry keys deleted
Category: Configuration
Description: Make sure you have the ability to list registry keys deleted at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
89. RA1504: Get ability to list registry keys accessed
Category: Configuration
Description: Make sure you have the ability to list registry keys accessed at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
90. RA1505: Get ability to list registry keys created
Category: Configuration
Description: Make sure you have the ability to list registry keys created at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
91. RA1506: Get ability to list services created
Category: Configuration
Description: Make sure you have the ability to list services created at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
92. RA1507: Get ability to list services modified
Category: Configuration
Description: Make sure you have the ability to list services modified at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
93. RA1508: Get ability to list services deleted
Category: Configuration
Description: Make sure you have the ability to list services deleted at a specific time in the past
Requirements: DN_zeek_conn_log
Workflow:
94. RA1509: Get ability to remove registry key
類型:配置
描述:確保您有能力刪除注冊表項
條件:DN_zeek_conn_log
工作流:
103犹芹、RA1510: Get ability to remove service
類型:配置
描述:確保您有能力刪除服務(wù)
條件:DN_zeek_conn_log
工作流:
104、RA1511: Get ability to analyse registry key
類型:配置
描述:確保你有能力分析注冊表項
條件:
工作流:
105仁讨、RA1601: Manage identity management system
類型:身份
描述:確保您可以管理身份管理系統(tǒng)羽莺,即刪除/阻止用戶,撤銷憑證洞豁,并執(zhí)行其他響應(yīng)操作
條件:
工作流:
106盐固、RA1602: Get ability to lock user account
類型:身份
描述:確保您有能力鎖定用戶帳戶不被使用
條件:
工作流:
107、RA1603: Get ability to list users authenticated
類型:身份
描述:確保您能夠列出在特定系統(tǒng)上過去特定時間經(jīng)過身份驗證的用戶
條件:
工作流:
108丈挟、RA1604: Get ability to revoke authentication credentials
類型:身份
描述:確保您有能力撤銷身份驗證憑據(jù)
條件:DN_zeek_conn_log
工作流:
109刁卜、RA1605: Get ability to remove user account
類型:身份
描述:確保您有能力刪除用戶帳戶
條件:DN_zeek_conn_log
工作流:
3. Identification
1. RA2001: List victims of security alert
Type: General
Description: List the victims of a security alert
Requirements: DN_zeek_conn_log
Automation: thehive
Workflow:
2. RA2002: List host vulnerabilities
Type: General
Description: Get information about the existing vulnerabilities of a specific host, or about the vulnerabilities it had at a specific time in the past
Requirements: DN_zeek_conn_log
Automation: thehive/phantom/demisto/etc
Workflow:
3. RA2003: Put compromised accounts on monitoring
Type: General
Description: Put (potentially) compromised accounts on monitoring
Requirements:
Automation:
Workflow:
Start monitoring authentication attempts and potentially harmful actions of all (potentially) compromised accounts.
Look for anomalies: unusual network connections, unusual working locations/hours, actions that were never performed before.
Stay in contact with the real users and, when necessary, ask them whether the suspicious actions are their own.
4. RA2101: List hosts communicated with internal domain
Type: Network
Description: List hosts that communicated with an internal domain
Requirements:
Automation: thehive
Workflow:
5. RA2102: List hosts communicated with internal IP
Type: Network
Description: List hosts that communicated with an internal IP address
Requirements:
Automation: thehive
Workflow:
6. RA2103: List hosts communicated with internal URL
Type: Network
Description: List hosts that communicated with an internal URL
Requirements:
Automation: thehive
Workflow:
7. RA2104: Analyse domain name
Type: Network
Description: Analyse a domain name
Requirements:
Automation: thehive
Workflow:
8. RA2105: Analyse IP
Type: Network
Description: Analyse an IP address
Requirements:
Automation: thehive
9. RA2106: Analyse uri
Type: Network
Description: Analyse a URI
Requirements:
Automation: thehive
10. RA2107: List hosts communicated by port
Type: Network
Description: List hosts that communicated over a specific port currently or at a specific time in the past
Requirements:
Automation: thehive
11. RA2108: List hosts connected to VPN
Type: Network
Description: List hosts connected to the VPN currently or at a specific time in the past
Requirements:
Automation: thehive/phantom/demisto/etc
12. RA2109: List hosts connected to intranet
Type: Network
Description: List hosts connected to the intranet currently or at a specific time in the past
Requirements:
Automation: thehive/phantom/demisto/etc
13. RA2110: List data transferred
Type: Network
Description: List data being transferred currently or at a specific time in the past
Requirements: DN_zeek_conn_log
Automation:
14. RA2111: Collect transferred data
Type: Network
Description: Collect data being transferred currently or at a specific time in the past
Requirements: DN_zeek_conn_log
Automation:
15. RA2112: Identify transferred data
Type: Network
Description: Identify data being transferred currently or at a specific time in the past (i.e. its content, value)
Requirements: DN_zeek_conn_log
Automation:
16. RA2113: List hosts communicated with external domain
Type: Network
Description: List hosts that communicated with an external domain
Requirements:
DN_zeek_conn_log
DN_zeek_dns_log
DN_zeek_http_log
DN_dns_log
DN_proxy_log
DN_network_flow_log
Automation:
Workflow:
List hosts that communicated with the external domain using the most efficient way.
17. RA2114: List hosts communicated with external IP
Type: Network
Description: List hosts that communicated with an external IP address
Requirements:
DN_network_flow_log
DN_zeek_conn_log
Automation:
Workflow:
List hosts that communicated with the external IP address using the most efficient way.
18. RA2115: List hosts communicated with external URL
Type: Network
Description: List hosts that communicated with an external URL
Requirements:
DN_zeek_http_log
DN_proxy_log
Automation:
Workflow:
List hosts that communicated with the external URL using the most efficient way.
19. RA2116: Find data transferred by content pattern
Type: Network
Description: Find data being transferred currently or at a specific time in the past by its content pattern (i.e. specific strings, keywords, binary patterns, etc.)
Requirements:
DN_zeek_conn_log
Automation:
20. RA2117: Analyse user-agent
Type: Network
Description: Analyse a User-Agent request header
Requirements:
DN_zeek_conn_log
Automation:
21. RA2202: Collect email message
Type: Email
Description: Collect an email message
Requirements:
MS_email_server
Automation:
Workflow:
Collect the email message using the most appropriate option:
1. Email group/email server: if such an option is available
2. The person who reported the attack (if the attack was not detected automatically or reported by the victim)
3. The victim: if they reported the attack
4. If needed, follow the local computer forensics procedure
Request the email in .eml format. Instructions:
1. Drag the email from the email client to the desktop
2. Archive it with the password "infected" and send it to the IR specialists via email
22. RA2203: List email message receivers
Type: Email
Description: List the receivers of a specific email message
Requirements:
MS_email_server
Automation:
Workflow:
Use the email server's functionality to list the receivers of a specific email message.
23. RA2204: Make sure email message is phishing
Type: Email
Description: Make sure the email message is a phishing attack
Requirements:
MS_email_server
Automation:
Workflow:
Review the email message and its metadata, looking for evidence of a phishing attack:
1. Impersonation attempt: the sender tries to present themselves as someone they are not
2. Suspicious requests or offers: download an "invoice", click some important link, etc.
3. Psychological manipulation: creating a sense of urgency or fear is a common phishing tactic
4. Spelling mistakes: legitimate messages usually do not contain spelling mistakes or poor grammar
Read the references below to get familiar with the history and examples of phishing attacks.
https://en.wikipedia.org/wiki/Phishing
http://www.phishing.org/phishing-examples
24. RA2205: Extract observables from email message
Type: Email
Description: Extract observables from an email message
Requirements:
Automation: thehive
Workflow:
Extract the data for further response steps:
1. Attachments (using the munpack tool: munpack email.eml)
2. From, To, Cc
3. Subject
4. Received path of the mail servers
5. List of URLs from the message body and the text content of attachments
This response action can be automated with TheHive EmlParser.
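The extraction steps listed for RA2205 (attachments, From/To/Cc, subject, Received path, URLs) as an added Python example that uses only the standard library; it is not RE&CT's code nor TheHive EmlParser, and the .eml it parses is a constructed sample built from documentation addresses.

```python
import email
import hashlib
import re
from email import policy
# Constructed sample .eml (not a real message); folded headers use tab continuation lines.
SAMPLE_EML = """\
Received: from mx2.example.test (mx2.example.test [203.0.113.7])
\tby mail.example.test with ESMTP; Mon, 2 Mar 2020 10:00:01 +0000
Received: from relay.example.net ([198.51.100.9])
\tby mx2.example.test with ESMTP; Mon, 2 Mar 2020 09:59:58 +0000
From: "Accounts" <billing@example.net>
To: victim@example.test
Cc: other@example.test
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please review your invoice at http://invoice.example.net/view?id=4471
or https://example.org/alt before Friday.
--B1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def _addr_specs(msg, name):
    """Bare addresses (local@domain) of an address header, [] if absent."""
    hdr = msg.get(name)
    return [a.addr_spec for a in hdr.addresses] if hdr is not None else []

def extract_observables(raw_eml):
    """Pull out the items RA2205 lists: From/To/Cc, subject, Received path, attachments, URLs."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]  # first entry = last hop
    attachments, urls = [], set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""      # decoded bytes for hashing
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    return {"from": _addr_specs(msg, "From"), "to": _addr_specs(msg, "To"),
            "cc": _addr_specs(msg, "Cc"), "subject": str(msg.get("Subject", "")),
            "received_path": received,
            "relay_ips": [ip for h in received for ip in IP_RE.findall(h)],
            "attachments": attachments, "urls": sorted(urls)}
```

The attachment hash feeds RA2312 (analyse file hash) and the relay IPs and URLs feed RA2105 and RA2106 directly.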
25掰伸、RA2206: Analyse email address
類型:Email
描述:分析郵件地址
條件:
自動化: thehive
工作流:
26、RA2301: List files created
類型:文件
描述:列出在過去特定時間創(chuàng)建的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
27怀估、RA2302: List files modified
類型:文件
描述:列出在過去特定時間被修改的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
28狮鸭、RA2303: List files deleted
類型:文件
描述:列出在過去特定時間被刪除的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
29、RA2304: List files downloaded
類型:文件
描述:列出在過去特定時間被下載的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
30多搀、RA2305: List files with tampered timestamps
類型:文件
描述:列出帶有篡改時間戳的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
31歧蕉、RA2306: Find file by path
類型:文件
描述:通過路徑(包括名稱)查找文件
條件:
DN_zeek_conn_log
自動化:
工作流:
32、RA2307: Find file by metadata
類型:文件
描述:根據(jù)文件的元數(shù)據(jù)(如簽名康铭,權(quán)限惯退,MAC時間)查找文件
條件:
DN_zeek_conn_log
自動化:
工作流:
33、RA2308: Find file by hash
類型:文件
描述:通過文件的散列來查找文件
條件:
DN_zeek_conn_log
自動化:
工作流:
34从藤、RA2309: Find file by format
類型:文件
描述:根據(jù)文件的格式查找文件
條件:
DN_zeek_conn_log
自動化:
工作流:
35催跪、RA2310: Find file by content pattern
類型:文件
描述:通過內(nèi)容模式(如特定字符串,關(guān)鍵字呛哟,二進制模式等)查找文件
條件:
DN_zeek_conn_log
自動化:
工作流:
36叠荠、RA2311: Collect file
類型:文件
描述:從(遠程)主機或系統(tǒng)收集特定的文件
條件:
DN_zeek_conn_log
自動化:
工作流:
37、RA2312: Analyse file hash
類型:文件
描述:分析一個文件的散列
條件:
DN_zeek_conn_log
自動化:
工作流:
38扫责、RA2313: Analyse Windows PE
類型:文件
描述:分析MS Windows可移植可執(zhí)行文件
條件:
DN_zeek_conn_log
自動化:
工作流:
39榛鼎、RA2314: Analyse macos macho
類型:文件
描述:分析macOS Mach-O
條件:
DN_zeek_conn_log
自動化:
工作流:
40、RA2315: Analyse Unix ELF
類型:文件
描述:分析Unix ELF
條件:
DN_zeek_conn_log
自動化:
工作流:
41、RA2316: Analyse MS office file
類型:文件
描述:分析MS Office文件
條件:
DN_zeek_conn_log
自動化:
工作流:
42者娱、RA2317: Analyse PDF file
類型:文件
描述:分析PDF文件
條件:
DN_zeek_conn_log
自動化:
工作流:
43抡笼、RA2318: Analyse script
類型:文件
描述:分析腳本文件(如Python, PowerShell, Bash腳本等)
條件:
DN_zeek_conn_log
自動化:
工作流:
44、RA2319: Analyse jar
類型:文件
描述:分析jar文件
條件:
自動化:
工作流:
45黄鳍、RA2320: Analyse filename
類型:文件
描述:分析文件名
條件:
自動化:
工作流:
46推姻、RA2401: List processes executed
類型:進程
描述:列出當(dāng)前或過去某個特定時間正在執(zhí)行的進程
條件:
自動化:thehive
工作流:
47、RA2402: Find process by executable path
類型:進程
描述:通過其可執(zhí)行路徑(包括名稱)查找當(dāng)前或過去某個特定時間正在執(zhí)行的進程
條件:DN_zeek_conn_log
自動化:
工作流:
48框沟、RA2403: Find process by executable metadata
類型:進程
描述:通過它的可執(zhí)行元數(shù)據(jù)(例如藏古,簽名,權(quán)限忍燥,MAC時間)找到一個正在執(zhí)行的進程
條件:DN_zeek_conn_log
自動化:
工作流:
49拧晕、RA2404: Find process by executable hash
類型:進程
描述:查找當(dāng)前或過去某個特定時間正在由其可執(zhí)行散列執(zhí)行的進程
條件:DN_zeek_conn_log
自動化:
工作流:
50、RA2405: Find process by executable format
類型:進程
描述:查找當(dāng)前或過去某個特定時間按其可執(zhí)行格式正在執(zhí)行的流程
條件:DN_zeek_conn_log
自動化:
工作流:
51梅垄、RA2406: Find process by executable content pattern
類型:進程
描述:通過它的可執(zhí)行內(nèi)容(例如特定字符串厂捞、關(guān)鍵字、二進制模式等)找到一個在當(dāng)前或過去的特定時間正在執(zhí)行的進程
條件:DN_zeek_conn_log
自動化:
工作流:
52队丝、RA2501: List registry keys modified
類型:配置
描述:列出在過去特定時間修改的注冊表項
條件:
自動化:thehive
工作流:
53靡馁、RA2502: List registry keys deleted
類型:配置
描述:列出在過去特定時間被刪除的注冊表項
條件:DN_zeek_conn_log
自動化:
工作流:
54、RA2503: List registry keys accessed
類型:配置
描述:列出在過去特定時間訪問過的注冊表項
條件:DN_zeek_conn_log
自動化:
工作流:
55机久、RA2504: List registry keys created
類型:配置
描述:列出在過去特定時間創(chuàng)建的注冊表項
條件:DN_zeek_conn_log
自動化:
工作流:
56臭墨、RA2505: List services created
類型:配置
描述:列出在過去特定時間創(chuàng)建的服務(wù)
條件:DN_zeek_conn_log
自動化:
工作流:
57、RA2506: List services modified
類型:配置
描述:列出在過去特定時間被修改的服務(wù)
條件:DN_zeek_conn_log
自動化:
工作流:
58吞加、RA2507: List services deleted
類型:配置
描述:列出在過去特定時間被刪除的服務(wù)
條件:DN_zeek_conn_log
自動化:
工作流:
59裙犹、RA2508: Analyse registry key
類型:配置
描述:分析注冊表鍵
條件:DN_zeek_conn_log
自動化:
工作流:
60、RA2601: List users authenticated
類型:身份
描述:列出在特定系統(tǒng)上過去特定時間經(jīng)過身份驗證的用戶
條件:DN_zeek_conn_log
自動化:
工作流:
四衔憨、遏制
1、RA3001: Patch vulnerability
類型:General
描述:修補資產(chǎn)的漏洞
條件:
自動化:thehive
工作流:
2袄膏、RA3101: Block external IP address
類型:網(wǎng)絡(luò)
描述:阻止外部IP地址被企業(yè)資產(chǎn)訪問
條件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自動化:
工作流:
3践图、RA3102: Block internal IP address
類型:網(wǎng)絡(luò)
描述:阻止內(nèi)網(wǎng)IP地址被企業(yè)資產(chǎn)訪問
條件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自動化:
工作流:
4、RA3103: Block external domain
類型:網(wǎng)絡(luò)
描述:阻止企業(yè)資產(chǎn)訪問外部域名
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自動化:
工作流:
5沉馆、RA3104: Block internal domain
類型:網(wǎng)絡(luò)
描述:阻止企業(yè)資產(chǎn)訪問內(nèi)部域名
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自動化:
工作流:
以最有效的方式阻止企業(yè)資產(chǎn)訪問內(nèi)部域名码党。
https://en.wikipedia.org/wiki/DNS_sinkhole
6、RA3105: Block external URL
類型:網(wǎng)絡(luò)
描述:阻止企業(yè)資產(chǎn)訪問外部URL
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自動化:
工作流:
以最有效的方式阻止企業(yè)資產(chǎn)訪問外部URL斥黑。
7揖盘、RA3106: Block internal URL
類型:網(wǎng)絡(luò)
描述:阻止企業(yè)資產(chǎn)訪問內(nèi)部URL
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_dns_server
自動化:
工作流:
8、RA3107: Block port external communication
類型:網(wǎng)絡(luò)
描述:阻止外部通信網(wǎng)絡(luò)端口
條件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自動化:
工作流:
9锌奴、RA3108: Block port internal communication
類型:網(wǎng)絡(luò)
描述:阻止內(nèi)部通信網(wǎng)絡(luò)端口
條件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_host_firewall
自動化:
工作流:
10兽狭、RA3109: Block user external communication
類型:網(wǎng)絡(luò)
描述:阻止用戶對外通信
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_nac
自動化:
工作流:
11、RA3110: Block user internal communication
類型:網(wǎng)絡(luò)
描述:阻止用戶進行內(nèi)部通信
條件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
自動化:
工作流:
12、RA3111: Block data transferring by content pattern
類型:網(wǎng)絡(luò)
描述:通過其內(nèi)容模式(即特定字符串箕慧、關(guān)鍵字服球、二進制模式等)阻塞傳輸塊數(shù)據(jù)
條件:
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_nac
自動化:
工作流:
13、RA3202: Block sender on email
類型:email
描述:在郵件服務(wù)器上阻止郵件發(fā)送者
條件:
MS_email_server
自動化:
工作流:
14颠焦、RA3203: Quarantine email message
類型:email
描述:隔離電子郵件
條件:
MS_email_server
自動化:
工作流:
15斩熊、RA3301: Quarantine file by format
類型:文件
描述:按文件的格式隔離文件
條件:
MS_email_server
自動化:
工作流:
16、RA3302: Quarantine file by hash
類型:文件
描述:通過文件的散列隔離文件
條件:
MS_email_server
自動化:
工作流:
17伐庭、RA3303: Quarantine file by path
類型:文件
描述:按文件路徑隔離文件
條件:
MS_email_server
自動化:
工作流:
18粉渠、Quarantine file by content pattern
類型:文件
描述:根據(jù)文件的內(nèi)容模式隔離文件
條件:
自動化:thehive/phantom/demisto/etc
工作流:
19、RA3401: Block process by executable path
類型:進程
描述:通過可執(zhí)行路徑(包括名稱)阻止進程執(zhí)行
條件:DN_zeek_conn_log
自動化:
工作流:
20圾另、RA3402: Block process by executable metadata
類型:進程
描述:通過其可執(zhí)行元數(shù)據(jù)(例如簽名渣叛、權(quán)限、MAC時間)阻塞進程的執(zhí)行
條件:DN_zeek_conn_log
自動化:
工作流:
21盯捌、RA3403: Block process by executable hash
類型:進程
描述:通過可執(zhí)行散列阻塞進程的執(zhí)行
條件:DN_zeek_conn_log
自動化:
工作流:
22淳衙、RA3404: Block process by executable format
類型:進程
描述:通過可執(zhí)行格式阻塞進程的執(zhí)行
條件:DN_zeek_conn_log
自動化:
工作流:
23、RA3405: Block process by executable content pattern
類型:進程
描述:通過其可執(zhí)行內(nèi)容模式(例如特定字符串饺著、關(guān)鍵字箫攀、二進制模式等)阻塞進程的執(zhí)行
條件:DN_zeek_conn_log
自動化:
工作流:
24、RA3501: Disable system service
類型:配置
描述:關(guān)閉系統(tǒng)服務(wù)
條件:DN_zeek_conn_log
自動化:
工作流:
25幼衰、RA3601: Lock user account
類型:身份
描述:鎖定用戶
條件:DN_zeek_conn_log
自動化:
工作流:
五靴跛、根除
1、RA4001: Report incident to external companies
類型:General
描述:向外部公司報告事件
條件:
自動化:thehive
工作流:
向外部安全公司報告事件渡嚣,即國家計算機安全事件響應(yīng)小組(CSIRTs)梢睛。
提供已觀察到的所有危害指標(biāo)和攻擊指標(biāo)。
2识椰、RA4101: Remove rogue network device
類型:網(wǎng)絡(luò)
描述:移除非法網(wǎng)絡(luò)設(shè)備
條件:
自動化:thehive/phantom/demisto/etc
工作流:
3绝葡、RA4201: Delete email message
類型:Email
描述:移除非法網(wǎng)絡(luò)設(shè)備
條件:MS_email_server
自動化:
工作流:
刪除郵件服務(wù)器和用戶郵箱中的郵件信息
4、RA4301: Remove file
類型:文件
描述:從(遠程)主機或系統(tǒng)中移除特定的文件
條件:
自動化:thehive/phantom/demisto/etc
工作流:
5腹鹉、RA4501: Remove registry key
類型:配置
描述:刪除注冊表項
條件:DN_zeek_conn_log
自動化:
工作流:
6藏畅、RA4502: Remove service
類型:配置
描述:刪除服務(wù)
條件:DN_zeek_conn_log
自動化:
工作流:
7、RA4601: Revoke authentication credentials
類型:身份
描述:撤銷認證證書
條件:DN_zeek_conn_log
自動化:
工作流:
8功咒、RA4602: Remove user account
類型:身份
描述:刪除用戶帳戶
條件:DN_zeek_conn_log
自動化:
工作流:
六愉阎、恢復(fù)
1、RA5001: Reinstall host from golden image
類型:General
描述:從黃金映像重新安裝主機操作系統(tǒng)
條件:
自動化:thehive
工作流:
2力奋、RA5002: Restore data from backup
類型:General
描述:從備份中恢復(fù)數(shù)據(jù)
條件:DN_zeek_conn_log
自動化:
工作流:
3榜旦、RA5101: Unblock blocked IP
類型:網(wǎng)絡(luò)
描述:解除阻塞IP地址
條件:
MS_border_firewall
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_firewall
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_host_firewall
自動化:
工作流:
4、RA5102: Unblock blocked domain
類型:網(wǎng)絡(luò)
描述:解除阻塞的域名
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
MS_dns_server
自動化:
工作流:
5景殷、RA5103: Unblock blocked URL
類型:網(wǎng)絡(luò)
描述:解除阻塞的URL
條件:
MS_border_proxy
MS_border_ips
MS_border_ngfw
MS_intranet_proxy
MS_intranet_ips
MS_intranet_ngfw
自動化:
工作流:
6溅呢、RA5104: Unblock blocked port
類型:網(wǎng)絡(luò)
描述:解除封鎖端口
條件:
DN_zeek_conn_log
自動化:
工作流:
7澡屡、RA5105: Unblock blocked user
類型:網(wǎng)絡(luò)
描述:解除阻塞用戶
條件:
DN_zeek_conn_log
自動化:
工作流:
8、RA5201: Unblock domain on email
類型:email
描述:解除封鎖電子郵件的域名
條件:
MS_email_server
自動化:
工作流:
9藕届、RA5202: Unblock sender on email
類型:email
描述:解除對郵件中的發(fā)件人的阻止
條件:
MS_email_server
自動化:
工作流:
10挪蹭、RA5203: Restore quarantined email message
類型:email
描述:恢復(fù)隔離的電子郵件
條件:
MS_email_server
自動化:
工作流:
11、RA5301: Restore quarantined file
類型:文件
描述:恢復(fù)隔離文件
條件:
DN_zeek_conn_log
自動化:
工作流:
12休偶、RA5401: Unblock blocked process
類型:進程
描述:解除阻塞進程
條件:
DN_zeek_conn_log
自動化:
工作流:
13梁厉、RA5501: Enable disabled service
類型:配置
描述:啟用禁用的服務(wù)
條件:
DN_zeek_conn_log
自動化:
工作流:
14、RA5601: Unlock locked user account
類型:身份
描述:解鎖被鎖定用戶
條件:
DN_zeek_conn_log
自動化:
工作流:
七踏兜、經(jīng)驗教訓(xùn)
1词顾、RA6001: Develop incident report
類型:General
描述:編制事件報告
條件:
自動化:
工作流:
使用公司模板開發(fā)事件報告。
它應(yīng)該包括:
1碱妆、執(zhí)行摘要肉盹,簡要描述損害、采取的措施疹尾、根本原因和關(guān)鍵指標(biāo)(檢測時間上忍、響應(yīng)時間、恢復(fù)時間等)
2纳本、對手行動的時間線映射到ATT&CK戰(zhàn)術(shù)(你可以使用殺戮鏈窍蓝,但大多數(shù)行動可能是在目標(biāo)階段的行動,這不是很有代表性和有用)
3繁成、事件響應(yīng)小組采取行動的詳細時間表
4吓笙、根據(jù)結(jié)論進行根本原因分析并提出改進建議
5、參與事件響應(yīng)的專家及其角色的列表
2巾腕、RA6002: Conduct lessons learned exercise
類型:General
描述:進行經(jīng)驗教訓(xùn)練習(xí)
條件:
自動化:
工作流:
經(jīng)驗教訓(xùn)階段通過每個步驟來評估團隊的績效面睛。該階段的目標(biāo)是發(fā)現(xiàn)如何改進事件響應(yīng)流程。
你需要回答一些基本的問題尊搬,使用開發(fā)的事件報告:
1叁鉴、發(fā)生了什么事?
2、我們做得好的是什么?
3毁嗦、我們還能做得更好嗎?
4亲茅、下次我們會有什么不同?
事件報告是改進的關(guān)鍵。