From 7e3a8d3f4fcc598a606113475c45f9b4b750db5b Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Wed, 6 Feb 2019 01:44:48 +0100
Subject: [PATCH] added new Response Actions; Phishing Playbook updated
---
 ...ication_revoke_compromised_credentials.yml | 18 +++++-----
 ..._phishing_attack_to_external_companies.yml | 25 +++++++++++++
 ...licious_activity_to_external_companies.yml | 12 -------
 ...essons_learned_develop_incident_report.yml | 19 ++++++--
 ...arned_conduct_lessons_learned_exercise.yml | 21 +++++++----
 ...put_on_monitoring_compromised_accounts.yml | 10 ++++++
 ..._report_incident_to_external_companies.yml | 18 ++++++++++
 response_actions/respose_action.yml.template | 2 +-
 response_actions/status.md | 36 -------------------
 response_actions/untitled.md | 36 -------------------
 response_playbooks/RP_0001_phishing_email.yml | 3 +-
 11 files changed, 94 insertions(+), 106 deletions(-)
 create mode 100644 response_actions/RA_0012_eradication_report_phishing_attack_to_external_companies.yml
 delete mode 100644 response_actions/RA_0012_eradication_report_source_of_malicious_activity_to_external_companies.yml
 create mode 100644 response_actions/RA_0040_identification_put_on_monitoring_compromised_accounts.yml
 create mode 100644 response_actions/RA_0041_eradication_report_incident_to_external_companies.yml
 delete mode 100644 response_actions/status.md
 delete mode 100644 response_actions/untitled.md
diff --git a/response_actions/RA_0011_eradication_revoke_compromised_credentials.yml b/response_actions/RA_0011_eradication_revoke_compromised_credentials.yml
index 3a12100..cca55ce 100644
--- a/response_actions/RA_0011_eradication_revoke_compromised_credentials.yml
+++ b/response_actions/RA_0011_eradication_revoke_compromised_credentials.yml
@@ -1,12 +1,14 @@
 title: RA_0011_eradication_revoke_compromised_credentials
 stage: eradication
-author: Name Surname
-creation_date: DD.MM.YYYY
-references:
- - https://example.com
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
+references:
+ - https://adsecurity.org/?p=556
+ - https://adsecurity.org/?p=483
 description: >
- Response Action for
+ Response Action for revokation of compromised credentials.
 workflow: |
- Description of how to handle multiple Response Actions (if it is an aggregated Response Action) or workflow for single Response Action in markdown format.
- Here newlines will be saved.
-
+ On this step you supposed to know what kind of credentials have beed compromised.
+ You need to revoke them in your Identity and Access Management system where they were created (like, Windows AD) using native functionality.
+ Warning:
+ - If adversary has generated Golden Ticket in Windows Domain/forest, you have to revoke KRBTGT Account password **twice** for each domain in a forest and proceed monitor malicious activity for next 20 minutes (Domain Controller KDC service doesn’t perform validate the user account until the TGT is older than 20 minutes old)
diff --git a/response_actions/RA_0012_eradication_report_phishing_attack_to_external_companies.yml b/response_actions/RA_0012_eradication_report_phishing_attack_to_external_companies.yml
new file mode 100644
index 0000000..467f692
--- /dev/null
+++ b/response_actions/RA_0012_eradication_report_phishing_attack_to_external_companies.yml
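Review bot: Revoking a password leaves sessions that already hold a ticket or token usable, so the `You need to revoke them in your Identity and Access Management system ...` line should also tell the responder to terminate the account's existing sessions: a Kerberos TGT issued before the reset stays valid until it expires, and cloud identity providers keep refresh tokens alive until they are revoked separately. The KRBTGT warning should add that the second reset waits until the first has replicated to every domain controller, since two resets in quick succession invalidate every outstanding ticket and break authentication across the domain. Wording: `revokation` → `revocation`, `have beed compromised` → `have been compromised`, `you supposed to know` → `you are supposed to know`, `proceed monitor` → `continue monitoring`, `doesn’t perform validate` → `does not validate`.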
@@ -0,0 +1,25 @@
+title: RA_0012_eradication_report_phishing_attack_to_external_companies
+stage: eradication
+automation:
+ - thehive # integration with MISP
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
+references:
+ - https://www.antiphishing.org/report-phishing/
+ - https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
+ - https://www.ic3.gov/default.aspx
+ - http://www.us-cert.gov/nav/report_phishing.html
+ - https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
+ - https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/
+description: >
+ Report phishing attack to external companies
+workflow: |
+ Report phishing attack to external companites:
+
+ 1. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/)
+ 2. [U.S. government-operated website](http://www.us-cert.gov/nav/report_phishing.html)
+ 3. [Anti-Phishing Working Group (APWG)](http://antiphishing.org/report-phishing/)
+ 4. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)
+ 5. [The FBI's Intenet Crime Complaint Center (IC3)](https://www.ic3.gov/default.aspx)
+
+ This Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/).
diff --git a/response_actions/RA_0012_eradication_report_source_of_malicious_activity_to_external_companies.yml b/response_actions/RA_0012_eradication_report_source_of_malicious_activity_to_external_companies.yml
deleted file mode 100644
index 3966605..0000000
--- a/response_actions/RA_0012_eradication_report_source_of_malicious_activity_to_external_companies.yml
+++ /dev/null
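Review bot: The workflow sends observables from the incident to third parties but says nothing about what may leave the organisation; add a line before the numbered list such as `Share only the phishing artefacts themselves (sender, URLs, hashes) under your disclosure policy and TLP marking; strip internal host names, recipient addresses and other victim data first.` The same gap is in RA_0041 in this patch. The APWG link differs between `references` (`https://www.antiphishing.org/report-phishing/`) and the workflow (`http://antiphishing.org/report-phishing/`); use the https form in both, and the us-cert link is plain http as well. Wording: `companites` → `companies` (also in RA_0041), `Intenet` → `Internet`.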
@@ -1,12 +0,0 @@
-title: RA_0012_eradication_report_source_of_malicious_activity_to_external_companies
-stage: eradication
-author: Name Surname
-creation_date: DD.MM.YYYY
-references:
- - https://example.com
-description: >
- Response Action for
-workflow: |
- Description of how to handle multiple Response Actions (if it is an aggregated Response Action) or workflow for single Response Action in markdown format.
- Here newlines will be saved.
-
diff --git a/response_actions/RA_0013_lessons_learned_develop_incident_report.yml b/response_actions/RA_0013_lessons_learned_develop_incident_report.yml
index 0973c90..fe354fe 100644
--- a/response_actions/RA_0013_lessons_learned_develop_incident_report.yml
+++ b/response_actions/RA_0013_lessons_learned_develop_incident_report.yml
@@ -1,12 +1,19 @@
 title: RA_0013_lessons_learned_develop_incident_report
 stage: lessons_learned
-author: Name Surname
-creation_date: DD.MM.YYYY
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
 references:
- - https://example.com
+ - https://attack.mitre.org/tactics/enterprise/
+ - https://en.wikipedia.org/wiki/Kill_chain
 description: >
- Response Action for
+ Develop Incident Report
 workflow: |
- Description of how to handle multiple Response Actions (if it is an aggregated Response Action) or workflow for single Response Action in markdown format.
- Here newlines will be saved.
+ Develop Incident Report using your corporate template.
+
+ It should include:
+ 1. Executive Summary with short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover)
+ 2. Detailed timeline of adversary actions, mapped to [ATT&CK tactics](https://attack.mitre.org/tactics/enterprise/) (you can use [Kill Chain](https://en.wikipedia.org/wiki/Kill_chain), but 95% of all actions will be in Actions On Objective stage, which is not really representative, meaningfull and usefull)
+ 3. Detailed timeline of actions taken by Incident Responders
+ 4. Root Cause Analysis and Recommendations for improvements based on its conclusion
+ 5. List of specialists involved into Incident Response with their roles
 
diff --git a/response_actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.yml b/response_actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.yml
index 7c20e7b..1859adc 100644
--- a/response_actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.yml
+++ b/response_actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.yml
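Review bot: The report outline in this hunk has no item that feeds the incident back into detection, so add `6. Indicators observed and detection gaps found during the incident, handed over to the detection engineering team` after item 5. Item 2's adversary timeline should cite the evidence source (log, artefact) for each step so the report can be verified later. Wording: `meaningfull and usefull` → `meaningful and useful`, `involved into` → `involved in`.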
@@ -1,12 +1,21 @@
 title: RA_0014_lessons_learned_conduct_lessons_learned_exercise
 stage: lessons_learned
-author: Name Surname
-creation_date: DD.MM.YYYY
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
 references:
- - https://example.com
+ - http://shop.oreilly.com/product/0636920043614.do
+ - https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684
 description: >
- Response Action for
+ Conduct lessons learned exercise
 workflow: |
- Description of how to handle multiple Response Actions (if it is an aggregated Response Action) or workflow for single Response Action in markdown format.
- Here newlines will be saved.
+ This Lessons Learned phase evaluates the team's performance through each step.
+ Basically, this takes the incident report and answers some basic questions:
+ - What happened?
+ - What did we do well?
+ - What could we have done better?
+ - What will we do differently next time?
+
+ The goal of the Lessons Learned phase is to discover how to make the next incident response go faster, smoother, or ideally never happen at all.
+ Keep in mind that incident report is a key. If, for example, Time To Respond looks horrible, it was caused by some problem.
+ The only way to solve it is to bring it up and start working on it.
 
diff --git a/response_actions/RA_0040_identification_put_on_monitoring_compromised_accounts.yml b/response_actions/RA_0040_identification_put_on_monitoring_compromised_accounts.yml
new file mode 100644
index 0000000..5d04650
--- /dev/null
+++ b/response_actions/RA_0040_identification_put_on_monitoring_compromised_accounts.yml
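Review bot: The exercise as written ends with discussion but no tracked output; add a closing line like `Record every finding as an action item with an owner and a due date, and review open items at the next exercise.` after the `The only way to solve it ...` line. Wording: `incident report is a key` → `the incident report is key`, `this takes the incident report` → `it takes the incident report`.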
@@ -0,0 +1,10 @@
+title: RA_0040_identification_put_on_monitoring_compromised_accounts
+stage: identification
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
+description: >
+ Put (potentially) compromised accounts on monitoring
+workflow: |
+ Start monitoring for authentification attempts and all potentially harmful actions from potentially compromised accounts.
+ Look for anomalies, strange network connections, unusual geolocation/time of work, actions which were never executed before.
+ Keep in touch with real users and in case of need ask them if they executing these actions by themselves or not.
diff --git a/response_actions/RA_0041_eradication_report_incident_to_external_companies.yml b/response_actions/RA_0041_eradication_report_incident_to_external_companies.yml
new file mode 100644
index 0000000..f92b7eb
--- /dev/null
+++ b/response_actions/RA_0041_eradication_report_incident_to_external_companies.yml
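Review bot: The `Keep in touch with real users ...` line should say that users are contacted out of band, because a mailbox or chat account that is itself compromised lets the adversary see the question and answer it; `Contact the user through a channel the adversary cannot read, such as a phone call, and ask whether they performed the action.` The first workflow line could name the log sources to watch (authentication logs, VPN, mail and cloud sign-ins) so monitoring is not limited to the domain controllers. Wording: `authentification` → `authentication`, `if they executing` → `whether they are executing`.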
@@ -0,0 +1,18 @@
+title: RA_0041_eradication_report_incident_to_external_companies
+stage: eradication
+automation:
+ - thehive # integration with MISP
+author: Daniil Yugoslavskiy
+creation_date: 31.01.2019
+references:
+ - https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/
+ - https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/
+ - https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
+ - https://mitre.github.io/unfetter/about/
+description: >
+ Report incident to external companies
+workflow: |
+ Report incident to external companites, like [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/).
+ Provide all Indicators of Compromise and Indicators of Attack you've observed.
+
+ This Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/).
diff --git a/response_actions/respose_action.yml.template b/response_actions/respose_action.yml.template
index 3e83aa9..f0570f4 100644
--- a/response_actions/respose_action.yml.template
+++ b/response_actions/respose_action.yml.template
@@ -10,7 +10,7 @@ creation_date: DD.MM.YYYY
 references:
 - https://example.com
 description: >
- Aggregated Response Action for blocking threats on Network Level.
+ (Aggregated) Response Action for blocking threats on Network Level.
 linked_ra: # could be empty in case of single Response Action
 - RA_0006_containment_block_domain_on_email # Response Actions could be aggregated
 - RA_0009_containment_block_url_on_proxy # and contain links to multiple Response Actions
diff --git a/response_actions/status.md b/response_actions/status.md
deleted file mode 100644
index e791ac2..0000000
--- a/response_actions/status.md
+++ /dev/null
@@ -1,36 +0,0 @@
-
-- [x] RA_0001_identification_get_original_email
-- [x] RA_0002_identification_extract_observables_from_email
-- [x] RA_0003_identification_make_sure_email_is_a_phising
-- [x] RA_0004_identification_analyse_obtained_indicators_of_compromise
- + [ ] RA_0015_identification_analyse_domain_name
- + [ ] RA_0016_identification_analyse_filehash
- + [ ] RA_0017_identification_analyse_ip
- + [ ] RA_0018_identification_analyse_macos_macho
- + [ ] RA_0019_identification_analyse_ms_office_file
- + [ ] RA_0020_identification_analyse_pdf
- + [ ] RA_0021_identification_analyse_unix_elf
- + [ ] RA_0022_identification_analyse_uri
- + [ ] RA_0023_identification_analyse_windows_pe
-- [x] RA_0005_identification_find_all_phising_attack_victims
- + [ ] RA_0026_identification_find_emails_opened
- + [ ] RA_0030_identification_find_all_hosts_communicated_with_domain
- + [ ] RA_0031_identification_find_all_hosts_communicated_with_ip
- + [ ] RA_0032_identification_find_all_hosts_communicated_with_url
- + [ ] RA_0033_identification_find_files_created
- + [ ] RA_0034_identification_find_all_victims_in_security_alerts
-- [x] RA_0006_containment_block_domain_on_email
-- [x] RA_0028_containment_block_threat_on_network_level
- + [x] RA_0007_containment_block_ip_on_border_firewall
- + [x] RA_0008_containment_block_domain_on_dns
- + [x] RA_0009_containment_block_url_on_proxy
- + [x] RA_0035_containment_block_domain_on_ips
- + [x] RA_0036_containment_block_domain_on_ngfw
- + [x] RA_0037_containment_block_ip_on_ips
- + [x] RA_0038_containment_block_ip_on_ngfw
- + [x] RA_0039_containment_block_url_on_ngfw
-- [x] RA_0010_eradication_delete_malicious_emails
-- [ ] RA_0011_eradication_revoke_compromised_credentials
-- [ ] RA_0012_eradication_report_source_of_malicious_activity_to_external_companies
-- [ ] RA_0013_lessons_learned_develop_incident_report
-- [ ] RA_0014_lessons_learned_conduct_lessons_learned_exercise
diff --git a/response_actions/untitled.md b/response_actions/untitled.md
deleted file mode 100644
index d90bf44..0000000
--- a/response_actions/untitled.md
+++ /dev/null
@@ -1,36 +0,0 @@
-
-- [x] RA_0001_identification_get_original_email
-- [x] RA_0002_identification_extract_observables_from_email
-- [x] RA_0003_identification_make_sure_email_is_a_phising
-- [x] RA_0004_identification_analyse_obtained_indicators_of_compromise
- + [ ] RA_0015_identification_analyse_domain_name
- + [ ] RA_0016_identification_analyse_filehash
- + [ ] RA_0017_identification_analyse_ip
- + [ ] RA_0018_identification_analyse_macos_macho
- + [ ] RA_0019_identification_analyse_ms_office_file
- + [ ] RA_0020_identification_analyse_pdf
- + [ ] RA_0021_identification_analyse_unix_elf
- + [ ] RA_0022_identification_analyse_uri
- + [ ] RA_0023_identification_analyse_windows_pe
-- [x] RA_0005_identification_find_all_phising_attack_victims
- + [ ] RA_0026_identification_find_emails_opened
- + [ ] RA_0030_identification_find_all_hosts_communicated_with_domain
- + [ ] RA_0031_identification_find_all_hosts_communicated_with_ip
- + [ ] RA_0032_identification_find_all_hosts_communicated_with_url
- + [ ] RA_0033_identification_find_files_created
- + [ ] RA_0034_identification_find_all_victims_in_security_alerts
-- [x] RA_0006_containment_block_domain_on_email
-- [x] RA_0028_containment_block_threat_on_network_level
- + [x] RA_0007_containment_block_ip_on_border_firewall
- + [x] RA_0008_containment_block_domain_on_dns
- + [x] RA_0009_containment_block_url_on_proxy
- + [x] RA_0035_containment_block_domain_on_ips
- + [x] RA_0036_containment_block_domain_on_ngfw
- + [x] RA_0037_containment_block_ip_on_ips
- + [x] RA_0038_containment_block_ip_on_ngfw
- + [x] RA_0039_containment_block_url_on_ngfw
-- [x] RA_0010_eradication_delete_malicious_emails
-- [ ] RA_0011_eradication_revoke_compromised_credentials
-- [ ] RA_0012_eradication_report_source_of_malicious_activity_to_external_companies
-- [ ] RA_0013_lessons_learned_develop_incident_report
-- [ ] RA_0014_lessons_learned_conduct_lessons_learned_exercise
diff --git a/response_playbooks/RP_0001_phishing_email.yml b/response_playbooks/RP_0001_phishing_email.yml
index 3a702c7..f050369 100644
--- a/response_playbooks/RP_0001_phishing_email.yml
+++ b/response_playbooks/RP_0001_phishing_email.yml
@@ -19,13 +19,14 @@ identification:
 - RA_0003_identification_make_sure_email_is_a_phising
 - RA_0004_identification_analyse_obtained_indicators_of_compromise
 - RA_0005_identification_find_all_phising_attack_victims
+ - RA_0040_identification_put_on_monitoring_compromised_accounts
 containment:
 - RA_0006_containment_block_domain_on_email
 - RA_0028_containment_block_threat_on_network_level
 eradication:
 - RA_0010_eradication_delete_malicious_emails
 - RA_0011_eradication_revoke_compromised_credentials
- - RA_0012_eradication_report_source_of_malicious_activity_to_external_companies
+ - RA_0012_eradication_report_phishing_attack_to_external_companies
 lessons_learned:
 - RA_0013_lessons_learned_develop_incident_report
 - RA_0014_lessons_learned_conduct_lessons_learned_exercise
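Review bot: After RA_0040 puts compromised accounts on monitoring in identification, the playbook's `containment:` stage still holds only email and network blocking (RA_0006, RA_0028), so a compromised account stays usable until RA_0011 in eradication; consider whether credential revocation, or at least session termination, should also be listed under `containment:`. RA_0041, added in this patch, is not referenced by this playbook, which may be intended since it is the generic counterpart of RA_0012. The `identification:` list starts above the hunk, so the earlier steps of the playbook are outside it.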