
GOAL: Incident Response Playbooks Mapped to MITRE ATT&CK Tactics and Techniques. [Contributor Friendly]

Join the chat at https://gitter.im/Incident-Playbook/community

If you have an idea for the project, please start a discussion.

PURPOSE OF PROJECT

This project is built by and for the SOC/Incident Response community.

  • Develop a Catalog of Incident Response Playbooks for every MITRE Technique (keep in mind it won't work for some tactics).
  • Develop a Catalog of Incident Response Playbooks for uncommon incidents.
  • Develop a JSON Setup for Playbooks.
  • Develop a Catalog of Exercise Scenarios that can be used for training purposes.
  • Develop a Catalog of tools used for Incident Response [plus reviews of the different tools].
  • Develop a Catalog of Incident Response Automations.
  • Develop a Catalog of Checklists [for before, during and after incidents].
  • Develop a Catalog of Roles that an organization can use to build its own program.
  • Develop a Catalog of Event Codes and API Actions that you can/will see in SIEM detections.
  • Develop a Battle Card Book that can be referenced for immediate help during an incident.

MITRE ATT&CK

Tactic

Initial Access
  • [X] Playbook: T1133 - Unauthorized VPN and VDI Access
  • [X] Playbook: T1189 - Drive By Compromise
  • [X] Playbook: T1566 - Phishing
Collection
  • [X] Playbook: T1114 - Cloud Email Compromise
Credential Access
  • [ ] Playbook: T1110.003 - Password Spraying
Defense Evasion
  • [X] Playbook: T1055 - Process Injection
Persistence
  • [X] Playbook: T1053 - Scheduled Task/Job
Exfiltration
  • [X] Playbook: T1052.001 - Exfiltration over USB
Impact
  • [ ] Playbook: T1485 - Data Destruction
  • [X] Playbook: T1486 - Data Encrypted for Impact Ransomware
  • [ ] Playbook: T1489 - Service Stop
  • [X] Playbook: T1491.002 - External Defacement

For every pull request submitted, an issue must also be created.

Immediate Goals/Projects

Wiki

Contributors

Planning on Adding Photos later

Sponsors
