🇷🇺 Русская версия

RE&CT

The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques.

RE&CT's philosophy is based on the MITRE's ATT&CK framework.
The columns represent Response Stages.
The cells repsresent Response Actions.

The main use cases are:

  • Prioritization of Incident Response capabilities development, including skills development, technical measures acquisition/deployment, internal procedures development, etc
  • Gap analysis — determine "coverage" of existing Incident Response capabilities

The main resources:

Preparation Identification Containment Eradication Recovery Lessons Learned
Practice List victims of security alert* Patch vulnerability* Report incident to external companies Reinstall host from golden image* Develop incident report
Take trainings List host vulnerabilities* Block external IP address Remove rogue network device* Restore data from backup* Conduct lessons learned exercise
Raise personnel awareness Put compromised accounts on monitoring Block internal IP address Delete email message Unblock blocked IP
Make personnel report suspicious activity List hosts communicated with internal domain* Block external domain Remove file* Unblock blocked domain
Set up relevant data collection* List hosts communicated with internal IP* Block internal domain Remove registry key* Unblock blocked URL
Set up a centralized long-term log storage* List hosts communicated with internal URL* Block external URL Remove service* Unblock blocked port*
Develop communication map* Analyse domain name* Block internal URL Revoke authentication credentials Unblock blocked user*
Make sure there are backups* Analyse IP* Block port external communication Remove user account* Unblock domain on email
Get network architecture map* Analyse URI* Block port internal communication Unblock sender on email
Get access control matrix* List hosts communicated by port* Block user external communication Restore quarantined email message
Develop assets knowledge base* List hosts connected to VPN* Block user internal communication Restore quarantined file*
Check analysis toolset* List hosts connected to intranet* Block data transferring by content pattern* Unblock blocked process*
Access vulnerability management system logs* List data transferred* Block domain on email Enable disabled service*
Connect with trusted communities Collect transferred data* Block sender on email Unlock locked user account*
Access external network flow logs Identify transferred data* Quarantine email message
Access internal network flow logs* List hosts communicated with external domain Quarantine file by format*
Access internal HTTP logs* List hosts communicated with external IP Quarantine file by hash*
Access external HTTP logs List hosts communicated with external URL Quarantine file by path*
Access internal DNS logs* Find data transferred by content pattern* Quarantine file by content pattern*
Access external DNS logs Analyse user-agent* Block process by executable path*
Access VPN logs* List users opened email message Block process by executable metadata*
Access DHCP logs* Collect email message Block process by executable hash*
Access internal packet capture data* List email message receivers Block process by executable format*
Access external packet capture data* Make sure email message is phishing Block process by executable content pattern*
Get ability to block external IP address Extract observables from email message Disable system service*
Get ability to block internal IP address* Analyse email address* Lock user account*
Get ability to block external domain List files created*
Get ability to block internal domain* List files modified*
Get ability to block external URL List files deleted*
Get ability to block internal URL* List files downloaded*
Get ability to block port external communication* List files with tampered timestamps*
Get ability to block port internal communication* Find file by path*
Get ability to block user external communication* Find file by metadata*
Get ability to block user internal communication* Find file by hash*
Get ability to find data transferred by content pattern* Find file by format*
Get ability to block data transferring by content pattern* Find file by content pattern*
Get ability to list data transferred* Collect file*
Get ability to collect transferred data* Analyse file hash*
Get ability to identify transferred data* Analyse Windows PE*
Find data transferred by content pattern* Analyse macos macho*
Get ability to analyse user-agent* Analyse Unix ELF*
Get ability to list users opened email message Analyse MS office file*
Get ability to list email message receivers Analyse PDF file*
Get ability to block email domain Analyse script*
Get ability to block email sender Analyse jar*
Get ability to delete email message Analyse filename*
Get ability to quarantine email message List processes executed*
Get ability to collect email message* Find process by executable path*
Get ability to analyse email address* Find process by executable metadata*
Get ability to list files created* Find process by executable hash*
Get ability to list files modified* Find process by executable format*
Get ability to list files deleted* Find process by executable content pattern*
Get ability to list files downloaded* List registry keys modified*
Get ability to list files with tampered timestamps* List registry keys deleted*
Get ability to find file by path* List registry keys accessed*
Get ability to find file by metadata* List registry keys created*
Get ability to find file by hash* List services created*
Get ability to find file by format* List services modified*
Get ability to find file by content pattern* List services deleted*
Get ability to collect file* Analyse registry key*
Get ability to quarantine file by path* List users authenticated*
Get ability to quarantine file by hash*
Get ability to quarantine file by format*
Get ability to quarantine file by content pattern*
Get ability to remove file*
Get ability to analyse file hash*
Get ability to analyse windows pe*
Get ability to analyse macos macho*
Get ability to analyse unix elf*
Get ability to analyse ms office file*
Get ability to analyse pdf file*
Get ability to analyse script*
Get ability to analyse jar*
Get ability to analyse filename*
Get ability to list processes executed*
Get ability to find process by executable path*
Get ability to find process by executable metadata*
Get ability to find process by executable hash*
Get ability to find process by executable format*
Get ability to find process by executable content pattern*
Get ability to block process by executable path*
Get ability to block process by executable metadata*
Get ability to block process by executable hash*
Get ability to block process by executable format*
Get ability to block process by executable content pattern*
Manage remote computer management system policies*
Get ability to list registry keys modified*
Get ability to list registry keys deleted*
Get ability to list registry keys accessed*
Get ability to list registry keys created*
Get ability to list services created*
Get ability to list services modified*
Get ability to list services deleted*
Get ability to remove registry key*
Get ability to remove service*
Get ability to analyse registry key*
Manage identity management system*
Get ability to lock user account*
Get ability to list users authenticated*
Get ability to revoke authentication credentials*
Get ability to remove user account*


Response Actions marked by "*" sign are just placeholders, listed to define the way RE&CT will grow.
The links lead to GitHub issues, that you can use to contribute your analytics.

Actionable Analytics

The ATC RE&CT project inherits the "Actionable Analytics" paradigm from the ATC project, which means that the analytics are:

  • human-readable (.md) for sharing/using in operations
  • machine-readable (.yml) for automatic processing/integrations
  • executable by Incident Response Platform (TheHive Case Templates only, at the moment)

Simply saying, the analytics are stored in .yml files, that are automatically converted to .md documents (with jinja) and .json TheHive Case Templates.
For information about customization and usage, please refer to the usage section of the project README.

Response Action

Response Action is a description of a specific atomic procedure/task that has to be executed during the Incident Response. It is an initial entity that is used to construct Response Playbooks.

Each Response Action mapped to a specific Response Stage.
The first digit of the Response Action ID reflects a Stage it belongs to:

  • 1: Preparation
  • 2: Identification
  • 3: Containment
  • 4: Eradication
  • 5: Recovery
  • 6: Lessons Learned

The second digit of the Response Action ID reflects a Category it belongs to:

  • 0: General
  • 1: Network
  • 2: Email
  • 3: File
  • 4: Process
  • 5: Configuration
  • 6: Identity

This way, using Response Action ID, you can see the Stage and Category it belongs to.
For example, RA2202: Collect an email message is related to Stage 2 (Identification) and Category 2 (Email).

The categorization aims to improve Incident Response process maturity assessment and roadmap development.

Response Playbook

Response Playbook is an Incident Response plan, that represents a complete list of procedures/tasks (Response Actions) that has to be executed to respond to a specific threat with optional mapping to the MITRE's ATT&CK or Misinfosec's AMITT frameworks.

Response Playbook could include a description of the workflow, specific conditions/requirements, details on the order of Response Actions execution, or any other relevant information.

TheHive Case Templates

TheHive Case Templates are built on top of the Response Playbooks. Each task in a Case Template is a Response Action (with full description).

Here is the example of an imported TheHive Case Template:

Imported TheHive Case Template, made on top of a Response Playbook (click to expand)
One of the Tasks in TheHive Case, made on top of a Response Action (click to expand)


TheHive Case Templates could be found in docs/thehive_templates directory and could be imported to TheHive via its web interface.

Contacts

Contributors

Would you like to become one? You are very welcome! Our CONTRIBUTING guideline is a good starting point.

Roadmap

The roadmap and related discussions could be found in the project issues by labes:

License

See the LICENSE file.