zinint/atc-react

A knowledge base of actionable Incident Response techniques

🇷🇺 Русская версия

RE&CT

The project represents the following:

1. A framework — knowledge base of actionable Incident Response techniques
2. A community-driven collection of Security Incident Response Playbooks
3. A data source of the Atomic Threat Coverage framework

The RE&CT Framework

is designed for accumulating, describing and categorizing actionable Incident Response techniques.

RE&CT's philosophy is based on the MITRE's ATT&CK framework.
The columns represent Response Stages.
The cells repsresent Response Actions.

(Image generated by RE&CT Navigator)

The main use cases:

• Prioritization of Incident Response capabilities development
• Gap analysis — determine "coverage" of existing Incident Response capabilities

The main resources:

• RE&CT website is the best place for getting details about existing analytics
• RE&CT Navigator (modified ATT&CK Navigator) for visualization and observing the big picture

Actionable Analytics

The ATC RE&CT project inherits the "Actionable Analytics" paradigm from the ATC project, which means that the analytics are:

• human-readable (.md) for sharing/using in operations
• machine-readable (.yml) for automatic processing/integrations
• executable by Incident Response Platform (TheHive Case Templates only, at the moment)

Simply saying, the analytics are stored in .yml files, that are automatically converted to .md documents (with jinja) and .json TheHive Case Templates.

Response Action

is a description of a specific atomic procedure/task that has to be executed during the Incident Response. It is an initial entity that is used to construct Response Playbooks.

Here is an example of Response Action:

Initial YAML file (click to expand)

Automatically created Markdown file (click to expand)

Automatically created (by main ATC project) Confluence page (click to expand)

Each Response Action mapped to a specific Response Stage.

The first digit of the Response Action ID reflects a Stage it belongs to:

• 1: Preparation
• 2: Identification
• 3: Containment
• 4: Eradication
• 5: Recovery
• 6: Lessons Learned

The second digit of the Response Action ID reflects a Category it belongs to:

• 0: General
• 1: Network
• 2: Email
• 3: File
• 4: Process
• 5: Configuration
• 6: Identity

This way, using Response Action ID, you can see the Stage and Category it belongs to.
For example, RA2202: Collect an email message is related to Stage 2 (Identification) and Category 2 (Email).

The categorization aims to improve Incident Response process maturity assessment and roadmap development.

Response Playbook

is an Incident Response plan, that represents a complete list of procedures/tasks (Response Actions) that has to be executed to respond to a specific threat with optional mapping to the MITRE's ATT&CK or Misinfosec's AMITT frameworks.

Here is an example of Response Playbook:

Initial YAML file (click to expand)

Automatically created Markdown file (click to expand)

Automatically created (by main ATC project) Confluence page (click to expand)

Response Playbook could include a description of the workflow, specific conditions/requirements, details on the order of Response Actions execution, or any other relevant information.

TheHive Case Templates

are built on top of the Response Playbooks. Each task in a Case Template is a Response Action (with full description).

Here is the example of an imported TheHive Case Template:

Imported TheHive Case Template, made on top of a Response Playbook (click to expand)

One of the Tasks in TheHive Case, made on top of a Response Action (click to expand)

TheHive Case Templates could be found in docs/thehive_templates directory and could be imported to TheHive via its web interface.

Data source of the ATC framework

ATC RE&CT project plays a role of data source for the Atomic Threat Coverage framework, that uses it to generate Markdown and Confluence knowledge bases, ATT&CK Navigator profiles, Elasticsearch indexes and other analytics.

Originally analytics related to Incident Response were part of the ATC, but we decided to move it into a separate project to make it easier to maintain and provide an option for integration with other projects in this area.

Usage

1. Make sure you are compliant with the requirements

2. Modify existing .yml files, or develop your own analytics using the templates of Response Actions or Response Playbooks. They should be stored in the directories according to their type.

3. When .yml files are ready, convert them to .md documents, TheHive templates and RE&CT Navigator profile using the following commands:

   python3 main.py --markdown --auto --init
   python3 main.py --thehive
   python3 main.py -NAV
   

   You will find the outcome in the docs directory.

4. Generate your own (private) website with your analytics, using mkdocs:

   python3 main.py -MK         # automatic mkdocs config (navigation) generation
   python3 -m mkdocs build
   

   The website will be stored in the site directory. You can preview it with the following command:

   python3 -m mkdocs serve
   

Requirements

• Python 3.7
• PyYAML, mkdocs, jinja2 and stix2 (optionally) Python libraries. They could be installed with the following command:

  python3 -m pip install -r requirements.txt
  

Contacts

• Folow us on Twitter for updates
• Join discussions in Slack or Telegram

Authors

• Jakob Weinzettl, @mrblacyk
• Mateusz Wydra, @sn0w0tter
• Daniil Yugoslavskiy, @yugoslavskiy

Contributors

Would you like to become one? You are very welcome! Our CONTRIBUTING guideline is a good starting point.

Roadmap

The roadmap and related discussions could be found in the project issues.

License

See the LICENSE file.