ocsf-schema
[Draft] Remediation Category and Events
Adding events to model remediation of entities on Windows/Linux/MacOS: these events report the status of remediation attempts (commands) on the defined target entities. Windows/Mac-specific items were added as extensions for the OS. Note: there is one TODO in this draft: move the startup application into the MacOS profile being added as part of the Discovery events PR.
Windows-specific entities:
- Registry Value
- Registry Key

MacOS-specific entities:
- Startup Application

OS-agnostic entities:
- File
- Folder
- Job
- Module
- Network Connection
- Process
- Service
- User Session

Other:
- Unsuccessful Remediation: result document (event) that captures when a remediation attempt failed
Recommend distinguishing between remediation actions since they could be quite varied.
In D3FEND we define Evict, Restore, and Isolate. You could argue even Hardening could be a remediation.
Adding in some of the conversation from OCSF Slack for posterity:
I think that having Category names being "X Remediation" is not specific enough.
For example, our (current) full taxonomy of defensive techniques looks like this:
- Defensive Technique
  - Application Hardening
    - Application Configuration Hardening
    - Dead Code Elimination
    - Exception Handler Pointer Validation
    - Pointer Authentication
    - Process Segment Execution Prevention
    - Segment Address Offset Randomization
    - Stack Frame Canary Validation
  - Asset Inventory
    - Asset Vulnerability Enumeration
    - Container Image Analysis
    - Configuration Inventory
    - Data Inventory
    - Hardware Component Inventory
    - Network Node Inventory
    - Software Inventory
  - Credential Eviction
    - Account Locking
    - Authentication Cache Invalidation
    - Credential Revoking
  - Credential Hardening
    - Biometric Authentication
    - Certificate-based Authentication
    - Certificate Pinning
    - Credential Rotation
    - Credential Transmission Scoping
    - Domain Trust Policy
    - Multi-factor Authentication
    - One-time Password
    - Strong Password Policy
    - User Account Permissions
  - Decoy Environment
    - Connected Honeynet
    - Integrated Honeynet
    - Standalone Honeynet
  - Decoy Object
    - Decoy File
    - Decoy Network Resource
    - Decoy Persona
    - Decoy Public Release
    - Decoy Session Token
    - Decoy User Credential
  - Execution Isolation
    - Executable Allowlisting
    - Executable Denylisting
    - Hardware-based Process Isolation
    - IO Port Restriction
    - Kernel-based Process Isolation
    - Mandatory Access Control
    - System Call Filtering
  - File Analysis
    - Dynamic Analysis
    - Emulated File Analysis
    - File Content Analysis
    - File Content Rules
    - File Hashing
  - File Eviction
    - File Removal
    - Email Removal
  - Identifier Analysis
    - Homoglyph Detection
    - Identifier Activity Analysis
    - Identifier Reputation Analysis
      - Domain Name Reputation Analysis
      - File Hash Reputation Analysis
      - IP Reputation Analysis
      - URL Reputation Analysis
    - URL Analysis
  - Message Analysis
    - Sender MTA Reputation Analysis
    - Sender Reputation Analysis
  - Message Hardening
    - Message Authentication
    - Message Encryption
    - Transfer Agent Authentication
  - Network Isolation
    - Broadcast Domain Isolation
    - DNS Allowlisting
    - DNS Denylisting
      - Forward Resolution Domain Denylisting
      - Hierarchical Domain Denylisting
      - Homoglyph Denylisting
      - Forward Resolution IP Denylisting
      - Reverse Resolution Domain Denylisting
      - Reverse Resolution IP Denylisting
    - Encrypted Tunnels
    - Network Traffic Filtering
      - Inbound Traffic Filtering
        - Email Filtering
      - Outbound Traffic Filtering
  - Network Mapping
    - Logical Link Mapping
      - Active Logical Link Mapping
      - Passive Logical Link Mapping
    - Network Traffic Policy Mapping
    - Network Vulnerability Assessment
    - Physical Link Mapping
      - Active Physical Link Mapping
      - Passive Physical Link Mapping
  - Network Traffic Analysis
    - Administrative Network Activity Analysis
    - Byte Sequence Emulation
    - Certificate Analysis
      - Active Certificate Analysis
      - Passive Certificate Analysis
    - Client-server Payload Profiling
    - Connection Attempt Analysis
    - DNS Traffic Analysis
    - File Carving
    - IPC Traffic Analysis
    - Inbound Session Volume Analysis
    - Network Traffic Community Deviation
    - Per Host Download-Upload Ratio Analysis
    - Protocol Metadata Anomaly Detection
    - RPC Traffic Analysis
    - Relay Pattern Analysis
    - Remote Terminal Session Detection
  - Operational Activity Mapping
    - Access Modeling
    - Operational Dependency Mapping
    - Operational Risk Assessment
    - Organization Mapping
  - Platform Hardening
    - Bootloader Authentication
    - Disk Encryption
    - Driver Load Integrity Checking
    - File Encryption
    - Local File Permissions
    - RF Shielding
    - Software Update
    - System Configuration Permissions
    - TPM Boot Integrity
  - Platform Monitoring
    - File Integrity Monitoring
    - Firmware Behavior Analysis
    - Firmware Embedded Monitoring Code
    - Firmware Verification
      - Peripheral Firmware Verification
      - System Firmware Verification
    - Operating System Monitoring
      - Endpoint Health Beacon
      - Input Device Analysis
      - Memory Boundary Tracking
      - Scheduled Job Analysis
      - System Daemon Monitoring
      - System File Analysis
        - Service Binary Verification
      - System Init Config Analysis
      - User Session Init Config Analysis
  - Process Analysis
    - Database Query String Analysis
    - File Access Pattern Analysis
    - Indirect Branch Call Analysis
    - Process Code Segment Verification
    - Process Self-Modification Detection
    - Process Spawn Analysis
      - Process Lineage Analysis
    - Script Execution Analysis
    - Shadow Stack Comparisons
    - System Call Analysis
      - File Creation Analysis
  - Process Eviction
    - Process Suspension
    - Process Termination
  - Restore Access
    - Restore Network Access
    - Restore User Account Access
      - Unlock Account
  - Restore Object
    - Reissue Credential
    - Restore Configuration
    - Restore Database
    - Restore Disk Image
    - Restore File
      - Restore Email
    - Restore Software
  - System Mapping
    - Data Exchange Mapping
    - Service Dependency Mapping
    - System Dependency Mapping
    - System Vulnerability Assessment
  - User Behavior Analysis
    - Authentication Event Thresholding
    - Authorization Event Thresholding
    - Credential Compromise Scope Analysis
    - Domain Account Monitoring
    - Job Function Access Pattern Analysis
    - Local Account Monitoring
    - Resource Access Pattern Analysis
    - Session Duration Analysis
    - User Data Transfer Analysis
    - User Geolocation Logon Pattern Analysis
    - Web Session Activity Analysis
This is a major change, adding a new category. The activities are modeled as results or status, so that needs to be reworked. There are also many discrete events, one for each item being targeted. There should be a more efficient way of modeling remediation. Finally, staying true to #d3fend is highly desirable, but without duplicating/mirroring the "defensive techniques"; rather, we should reference them in the way we have done with ATT&CK. As part of this exercise, the associations of OCSF Objects and d3fend Artifacts become more important.