From 7f73e8f93ea0228885359be3f215e734be94d728 Mon Sep 17 00:00:00 2001
From: tuckner
Date: Mon, 29 Apr 2024 09:24:55 -0500
Subject: [PATCH] Create acm-export.json
---
 examples/acm-export.json | 1543 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 1543 insertions(+)
 create mode 100644 examples/acm-export.json
diff --git a/examples/acm-export.json b/examples/acm-export.json
new file mode 100644
index 00000000..2ff18a09
--- /dev/null
+++ b/examples/acm-export.json
@@ -0,0 +1,1543 @@ +{ + "schema": 1, + "config": { + "board": [ + { + "id": "0", + "name": "SOC Automation Capability Matrix", + "columns": [ + { + "id": "0", + "name": "Alert Handling", + "tasks": [ + { + "name": "Phishing Alerts and Reports", + "category": "Alert Handling", + "id": 1005, + "last_edited": "2023-12-02T15:07:00.000Z", + "description": "Identifying phishing email campaigns that are occurring in an organization is unique in that many filters applied in email security gateways can be successfully implemented to dramatically reduce the number of phishing emails that users receive. Many of these solutions create phishing alerts which can provide raw email content for analysis.", + "services": [], + "techniques": [ + "Read emails through an email server protocol (IMAP, POP3)", + "Read emails through API", + "Receive emails through an email service like SendGrid, AWS SES, or Tines", + "Receive email alerts from email protection services" + ], + "stats": [ + { + "name": "Time saved", + "value": "2000" + }, + { + "name": "Runs", + "value": "200000" + } + ], + "examples": [ + "https://www.tines.com/library/stories/1162281/receive-and-analyze-emails-with-rules-in-sublime-security", + "https://www.tines.com/library/stories/1177807/analyze-and-triage-suspicious-emails-with-various-tools", + "https://www.tines.com/story-library/87600/triage-email-attachments-with-material-security", + "https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-phishing", + "https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Phishing" + ], + "references": [ + "https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-phishing", + "https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Phishing" + ], + "subtasks": [ + { + "id": "5a102698-e47d-4785-8291-a4d987d849f7", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Alert Handling" + }, + { + "name": "SIEM Alerts", + "category": "Alert Handling", + "id": 
1003, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "SIEM alerts refers to the alerts generated by a security information and event management (SIEM) system. A SIEM system is a security tool that collects, analyzes, and manages security-related data and events from a variety of sources, such as network logs, system alerts, and security alerts from other tools. SIEM alerts typically involve potential issues or threats related to network and system security, such as malware infections, unauthorized access, and other security incidents.", + "services": [], + "time_saved": "4000", + "techniques": [ + "Receive alerts from Azure Sentinel", + "Query Elasticsearch for new SIEM alerts" + ], + "examples": [ + "https://www.tines.com/story-library/87703/manage-logz-io-siem-alerts", + "https://www.tines.com/story-library/87618/take-action-on-azure-sentinel-alerts-depending-on-severity-level", + "https://www.tines.com/story-library/87607/get-host-log-alerts-from-devo-siem" + ], + "references": [], + "subtasks": [ + { + "id": "4ffdcf9b-bd3d-4686-aa24-f07656efa56c", + "title": "Azure Sentinel alert handling", + "isCompleted": false + }, + { + "id": "da50e099-2e6a-40d3-bc06-bea6b27f1cb5", + "title": "Splunk alert handling", + "isCompleted": false + } + ] + }, + { + "name": "Cloud Alerts", + "category": "Alert Handling", + "id": 1004, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Most cloud platforms produce rich audit telemetry of each action taken in the cloud platform and generally feature advanced native security alerting for common known exploit behavior. 
Utilize these native alerts or utilize cloud security posture management (CSPM) tools to respond to threats as they occur.", + "services": [], + "techniques": [ + "Use AWS SNS to send AWS GuardDuty findings to a webhook", + "Subscribe to the Microsoft Graph APIs for security alerts which will get sent to a webhook", + "Poll the Microsoft Graph API for security alerts" + ], + "examples": [ + "https://www.tines.com/story-library/87717/get-more-context-via-guardduty-to-remediate-aws-alerts", + "https://www.tines.com/story-library/87593/investigate-remediate-lacework-alerts" + ], + "references": [], + "subtasks": [], + "status": "Alert Handling" + }, + { + "name": "Bespoke Alerts", + "category": "Alert Handling", + "id": 1006, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Bespoke alerts in cybersecurity refer to alerts that are custom-designed or are of interest for a specific organization or environment. These alerts are typically created by security professionals to address specific security issues or threats that are unique to the organization, and are not covered by generic or standardized alert systems.", + "services": [], + "techniques": [ + "Receive fraud alerts from database systems", + "Handle Data Loss Prevention (DLP) alerts from DLP systems or services that identify public resources." + ], + "examples": [ + "https://www.tines.com/story-library/87718/implement-data-loss-prevention-policies" + ], + "references": [], + "subtasks": [], + "status": "Alert Handling" + }, + { + "name": "Endpoint Alerts", + "category": "Alert Handling", + "id": 1002, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Endpoint alerts refer to alerts related to endpoint detection and response (EDR) or antivirus systems and processes. EDR is the practice of monitoring and protecting the endpoints of an organization's networks and systems, such as computers, servers, and mobile devices. 
EDR alerts typically involve potential issues or threats related to endpoint security, such as malware infections, unauthorized access, and other security incidents.", + "services": [], + "techniques": [ + "Retrieve new alerts in CrowdStrike", + "Understand operating system vulnerabilities present after scanning with Tenable" + ], + "examples": [ + "https://www.tines.com/story-library/87599/analyze-crowdstrike-detections", + "https://www.tines.com/story-library/87510/manage-qualys-ec2-vulnerabilities-in-jira", + "https://www.tines.com/story-library/87612/investigate-edr-alerts-from-carbon-black" + ], + "references": [], + "subtasks": [], + "status": "Alert Handling" + }, + { + "name": "IAM Alerts", + "category": "Alert Handling", + "id": 1001, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "IAM alerts are alerts related to identity and access management (IAM) systems and processes. IAM is the practice of managing and protecting the identities of users, devices, and systems within an organization. IAM alerts typically involve potential issues or threats related to user authentication, access controls, and other aspects of IAM.", + "services": [], + "techniques": [ + "Receive Okta suspicious login attempts", + "Identify when new multi-factor authentication devices are added to a user account" + ], + "examples": [ + "https://www.tines.com/story-library/87710/manage-okta-login-threshold-limit-in-jira-via-slack", + "https://www.tines.com/story-library/107118/monitor-duo-security-logs-for-new-mfa-devices" + ], + "references": [], + "subtasks": [] + } + ] + }, + { + "id": "1", + "name": "Issue Tracking", + "tasks": [ + { + "name": "Tracking Location", + "category": "Issue Tracking", + "id": 2001, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Having a single source of truth for tracking of cybersecurity alerts and events is critical when running a security operations center. 
When involving many different analysts and engineers across multiple different work shifts, having a current status of any security incident allows for teams to dramatically reduce the impact of any issue.", + "services": [], + "techniques": [ + "Creating issues in ticket systems", + "Add rows to a shared spreadsheet", + "Utilize database systems with purpose driven user interfaces" + ], + "examples": [ + "https://www.tines.com/story-library/87694/create-a-security-incident-in-airtable", + "https://www.tines.com/story-library/87653/create-jira-issues-via-slack", + "https://en.wikipedia.org/wiki/Single_source_of_truth" + ], + "references": [ + "https://en.wikipedia.org/wiki/Single_source_of_truth" + ], + "subtasks": [ + { + "id": "472020c8-b200-4d78-84ea-1cf7448fc0b9", + "title": "Phishing response workflow", + "isCompleted": false + }, + { + "id": "1e7eb014-ff04-46d5-af24-2f70dc19361c", + "title": "Splunk alert handling", + "isCompleted": false + } + ], + "status": "Issue Tracking" + }, + { + "name": "Handle Dates", + "category": "Issue Tracking", + "id": 2002, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Normalizing dates, usually to UTC (Coordinated Universal Time), is important in cybersecurity because it provides a consistent and standardized reference point for date and time information. In the context of cybersecurity, date and time information is often used to track the timing and duration of security events, such as network connections, authentication attempts, and security alerts.", + "services": [], + "techniques": [ + "Parse dates in alerts and identify if they are in the correct time format", + "Store dates in known fields in order to provide analysis between when an alert occurred, when an issue was opened, and when an issue was resolved." 
+ ], + "examples": [ + "https://www.tines.com/story-library/87675/manage-time-formats-in-tines" + ], + "references": [], + "subtasks": [ + { + "id": "7e6b779b-ca63-4d87-8ce0-8d3ba0b1ea6d", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Issue Tracking" + }, + { + "name": "Standard Issue Format", + "category": "Issue Tracking", + "id": 2003, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "The use of standardized tickets for cybersecurity alerts is important for a number of reasons. First, standardized tickets provide a consistent and organized way of tracking and managing cybersecurity alerts, making it easier for security professionals to identify and prioritize potential threats. By using standardized tickets, security professionals can quickly and easily access important information about an alert, such as its severity, origin, and status, allowing them to respond more effectively and efficiently.", + "services": [], + "techniques": [ + "Utilize a single workflow to create a large majority of issues related to alerts received", + "Normalize alert details to specific fields described in the standard issue format" + ], + "examples": [ + "https://www.tines.com/story-library/89753/manage-jira-issues-via-slackbot", + "https://www.tines.com/library/stories/1189726/transform-alerts-to-the-ocsf-format-using-chatgpt-and-create-a-case", + "https://www.tines.com/library/stories/1192475/create-issues-using-the-elastic-common-schema" + ], + "references": [], + "subtasks": [ + { + "id": "29c68ea5-81f3-47ef-acce-59b6536128d6", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Issue Tracking" + }, + { + "name": "Set Custom Fields", + "category": "Issue Tracking", + "id": 2004, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Decide on and create a documented list of additional fields or sections of issues that can be utilized for your organizations purposes in order to track 
extra data related to alerts or incidents. Augmenting issues with structured custom metadata is incredibly powerful in the possibility you may need to search across that data for correlation or reporting capabilities through automation.", + "services": [], + "techniques": [ + "Create an entity field in Jira to track the offending device, user, or service related to an alert.", + "Add a custom field to a Table in ServiceNow", + "Manage custom fields in TheHive and write data to them" + ], + "examples": [ + "https://www.tines.com/library/stories/1193465/manage-jira-custom-fields-and-individual-issue-values-with-pages?redirected-from=/library/stories?s=custom+fields", + "https://www.tines.com/library/stories/1202223/create-issues-utilizing-custom-fields-in-jira", + "https://developer.servicenow.com/dev.do#!/learn/learning-plans/quebec/new_to_servicenow/app_store_learnv2_buildneedit_quebec_adding_fields_to_a_table", + "https://support.atlassian.com/jira-cloud-administration/docs/create-a-custom-field/", + "https://docs.thehive-project.org/thehive/user-guides/administrators/custom-fields/" + ], + "references": [ + "https://developer.servicenow.com/dev.do#!/learn/learning-plans/quebec/new_to_servicenow/app_store_learnv2_buildneedit_quebec_adding_fields_to_a_table", + "https://support.atlassian.com/jira-cloud-administration/docs/create-a-custom-field/", + "https://docs.thehive-project.org/thehive/user-guides/administrators/custom-fields/" + ], + "subtasks": [ + { + "id": "b2552496-36ad-4386-8634-d4cd54100327", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Issue Tracking" + }, + { + "name": "Trend Escalation", + "category": "Issue Tracking", + "id": 2009, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "If many issues including the same alert or same host happen within a time period, escalate the severity or priority of the original issue.", + "services": [], + "techniques": [ + "Track number of related issues over a 
time period", + "Use IoC enrichment to raise priority of alerts", + "Search SIEM for related behaviors across different hosts and raise severity of original alert" + ], + "examples": [ + "https://www.tines.com/story-library/87647/group-related-issues-in-jira" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Issue Freshness", + "category": "Issue Tracking", + "id": 2010, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Without routine oversight, open issues can linger, become stale, and potentially even forgotten. This can cause minor problems to exist for far too long and potentially major issues to be left without attention. Issue freshness can be common in operations centers which have direct issue assignment and shift rotations combined with scheduled vacations or holidays.", + "services": [], + "techniques": [ + "Request routine updates by leaving Jira comments", + "Request routine updates by leaving ServiceNow comments", + "Maintain proper time periods for issues to contain updates", + "Reach out with out communication tools like chat or email to request updates." + ], + "examples": [ + "https://www.tines.com/story-library/1178695/request-updates-to-stale-jira-issues", + "https://venturebeat.com/security/manage-alerts-vulnerabilities/" + ], + "references": [ + "https://venturebeat.com/security/manage-alerts-vulnerabilities/" + ], + "subtasks": [] + }, + { + "name": "Quality Sampling", + "category": "Issue Tracking", + "id": 2008, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Cybersecurity alert quality sampling is a process used in security operations centers (SOCs) to evaluate the quality of the alerts generated by security systems and tools. This is important for a number of reasons, as the quality of alerts can have a significant impact on the efficiency and effectiveness of the SOC.", + "services": [], + "techniques": [ + "Routinely select a percentage of issues created over a time period. 
Perform an automated and manual review of adherence to standards and overall results." + ], + "examples": [ + "https://www.tines.com/story-library/1176103/analyze-quality-of-tickets-in-servicenow", + "https://expel.com/blog/how-to-measure-soc-quality/" + ], + "references": [ + "https://expel.com/blog/how-to-measure-soc-quality/" + ], + "subtasks": [] + }, + { + "name": "Related Issues", + "category": "Issue Tracking", + "id": 2006, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "The process of finding related alerts refers to the process of identifying and grouping alerts that are related to the same underlying issue or threat. This can be useful for a number of reasons. For example, related alerts can provide additional information and context about a potential threat, helping security professionals to better understand and respond to the threat. Additionally, related alerts can help to identify patterns or trends that may indicate the presence of a larger, more serious threat.", + "services": [], + "techniques": [ + "Query Jira for potentially related issues and group issues together", + "Identify issues related to single entities, such as alert name or hostname, and escalate based on a threshold" + ], + "examples": [ + "https://www.tines.com/story-library/87647/group-related-issues-in-jira" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Issue Deduplication", + "category": "Issue Tracking", + "id": 2005, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "The process of deduplicating alerts refers to the process of identifying and removing duplicate alerts from a set of alerts. This is important for a number of reasons. First, duplicate alerts can create confusion and waste time and resources, as security professionals may need to investigate and respond to the same alert multiple times. 
By removing duplicate alerts, security professionals can focus their efforts on unique and potentially serious threats, rather than being overwhelmed by multiple alerts about the same issue.", + "services": [], + "techniques": [ + "Identify and select fields, such as alert title and hostname, to use for deduplication", + "Query past issues in Jira for related alerts that might come from disparate sources" + ], + "examples": [ + "https://www.tines.com/story-library/87615/retrieve-deduplicate-google-chronicle-alerts", + "https://www.tines.com/story-library/1167650/close-similar-issues-in-jira" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Issue Closure", + "category": "Issue Tracking", + "id": 2007, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Issues can be closed through automation if they have met certain criteria. If there are many duplicate alerts over a specific time period, it can be advantageous to only leave original issues open and prioritized while still recording that additional instances of the same alert happened.", + "services": [], + "techniques": [ + "If new issues match conditions of outstanding issues, close the new issue immediately", + "Review all outstanding issues nightly for closure criteria and close any that match " + ], + "examples": [ + "https://www.tines.com/story-library/1167650/close-similar-issues-in-jira" + ], + "references": [], + "subtasks": [] + } + ] + }, + { + "id": "2", + "name": "Enrichment", + "tasks": [ + { + "name": "IP Analysis", + "category": "Enrichment", + "id": 3003, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "IP enrichment refers to the process of gathering additional information about a specific IP address in order to better understand and protect against potential threats. 
This can involve a variety of activities, such as looking up the IP address's history and reputation, analyzing its use and connections to other IP addresses or domains, and identifying any known malicious activity associated with it.", + "services": [], + "techniques": [ + "Discover if IP addresses used for scanning are known services or malicious actors in GreyNoise", + "Understand IP addresses tied to threat groups in Pulsedive" + ], + "examples": [ + "https://www.tines.com/library/stories/1144115/geo-lookup-ip-addresses-in-bulk", + "https://www.tines.com/story-library/87698/receive-enriched-ip-information-via-slack", + "https://www.tines.com/story-library/87582/analyze-iocs-in-pulsedive" + ], + "references": [], + "subtasks": [ + { + "id": "e49df14a-c8c9-4b3b-be69-7ad5a29263e7", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Enrichment" + }, + { + "name": "File Hash Analysis", + "category": "Enrichment", + "id": 3001, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "File hash (MD5, SHA1, SHA256) enrichment refers to the process of using a file's hash value to identify and gather additional information about the file. A file's hash value is a unique string of characters that is generated based on the contents of the file. By comparing a file's hash value to a database of known hash values, it is possible to determine whether the file has been seen before and, if so, to gather additional information about it, such as its source and whether it is known to be malicious. 
This can be useful for identifying and mitigating potential security threats.", + "services": [], + "techniques": [ + "Submit file hash information to VirusTotal to view virus engine conclusions and community analysis", + "Retrieve file hashes information from HybridAnalysis Sandbox to understand file execution behaviors", + "Utilize Intezer to find similar file families to the hash" + ], + "examples": [ + "https://www.tines.com/story-library/87587/analyze-file-in-hybrid-analysis", + "https://www.tines.com/library/stories/1199177/analyze-a-hash-in-virustotal" + ], + "references": [], + "subtasks": [ + { + "id": "c44b2cd3-cf35-4105-a70e-2916aecef6fc", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Enrichment" + }, + { + "name": "False Positive Identification", + "category": "Enrichment", + "id": 3007, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "False positive alerts are not preventable in any security operations center. Either through poor detection logic or faulty vendor rule updates, minimizing the potential impact of conditions outside of your team’s control is critical. Curating lists of match conditions or basic text regular expressions that can be applied to alerts can help triage problems and cut down on noise quickly. 
While ignoring alerts in this manner is not a long term strategy, it is a good tool to alleviate a sudden increase in alerts which could cause real incidents to be missed.", + "services": [], + "techniques": [ + "Create a list of noisy hosts generating alerts should be either be deprioritized or ignored", + "Run alerts through regular expressions to match against conditions that should not open an incident" + ], + "examples": [ + "https://www.tines.com/story-library/1184708/identify-false-positive-alerts-from-elastic-using-a-database-in-notion" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Asset Lookup", + "category": "Enrichment", + "id": 3004, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Asset enrichment refers to the process of gathering additional information about specific assets in order to better understand and manage them. This can include information about the assets' characteristics, such as their location, make and model, and software and hardware components. It can also include information about their usage, such as their current status and the tasks they are being used for.", + "services": [], + "techniques": [ + "Lookup assets by hostname in a Google Sheet for related information", + "Query ServiceNow CMDB for assets" + ], + "examples": [ + "https://www.tines.com/story-library/87661/search-google-sheets-information-via-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Email Attribute Analysis", + "category": "Enrichment", + "id": 3011, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Email header analysis and enrichment refers to the process of analyzing the headers of incoming emails in order to gather additional information about their origin and potential risks. Email headers are a hidden part of an email message that contain a variety of information, such as the sender's email address, the recipient's email address, and the route that the email took to reach its destination. 
By analyzing this information, security professionals can identify potential threats, such as spam or phishing emails, and take appropriate action to protect against them.", + "services": [], + "techniques": [ + "Understand DKIM headers, check if SPF passes, and derive a DMARC verdict on the message to prevent email spoofing", + "Lookup email sender reputation in Sublime Security’s emailrep.io" + ], + "examples": [ + "https://www.tines.com/library/stories/1189751/analyze-phishing-email-senders-urls-attachments" + ], + "references": [], + "subtasks": [], + "status": "Enrichment" + }, + { + "name": "Data Search", + "category": "Enrichment", + "id": 3010, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Leverage security data stored in SIEM solutions, databases, or data lakes to gain a greater perspective on a single alert. Many data storage solutions offer APIs or database connection protocols that can be utilized to search for data quickly. ", + "services": [], + "techniques": [ + "Use SIEM vendor specific query language to query security data", + "Use SQL to query database tables for security data", + "Have templated searches which can be used to find similar events across many logs or create correlations of multiple events" + ], + "examples": [ + "https://www.tines.com/story-library/87601/run-provided-searches-in-splunk", + "https://www.tines.com/story-library/87629/query-log-analytics-for-azure-sentinel-alerts", + "https://www.tines.com/story-library/87663/make-a-query-in-google-bigquery", + "https://www.tines.com/story-library/87667/make-a-query-in-sumo-logic", + "https://www.ibm.com/topics/siem", + "https://www.oreilly.com/library/view/the-security-data/9781491927748/ch01.html", + "https://www.tines.com/blog/capability-deep-dive-data-search" + ], + "references": [ + "https://www.ibm.com/topics/siem", + "https://www.oreilly.com/library/view/the-security-data/9781491927748/ch01.html", + "https://www.tines.com/blog/capability-deep-dive-data-search" + 
], + "subtasks": [ + { + "id": "a5ef8763-9a27-4731-b6e7-6b38bc733736", + "title": "Splunk Alert handling", + "isCompleted": false + } + ] + }, + { + "name": "OAuth Application Lookup", + "category": "Enrichment", + "id": 3014, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Knowing what permission scopes an OAuth application requests and the reputation of an OAuth client ID can help to protect the security and privacy of users. OAuth is a protocol used to grant access to resources, such as APIs or web services, on behalf of a user. By understanding the permission scopes that an OAuth application requests, organizations can ensure that the application is not requesting access to sensitive or unnecessary data. Additionally, by evaluating the reputation of an OAuth client ID, organizations can determine whether the client is a trusted source or if it has a history of security issues or malicious activity. This can help to prevent users from granting access to untrusted or potentially malicious applications, which can help to protect against data breaches or other security incidents. 
Overall, knowing what permission scopes an OAuth application requests and the reputation of an OAuth client ID is important for ensuring the security and privacy of users in a security operations center.", + "services": [], + "techniques": [ + "Review already allowed application scopes in your environment compared to a list of approved or low sensitivity scopes", + "Lookup reputation of the OAuth " + ], + "examples": [ + "https://www.tines.com/story-library/87604/review-oauth-application-access-with-apptotal" + ], + "references": [], + "subtasks": [], + "status": "Enrichment" + }, + { + "name": "Domain Analysis", + "category": "Enrichment", + "id": 3002, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Domain enrichment refers to the process of gathering additional information about a specific domain in order to better understand and protect against potential threats. This can involve a variety of activities, such as looking up the domain's history and reputation, analyzing its content and structure, and identifying any connections to known malicious domains or IP addresses. The goal of domain enrichment is to provide a more complete picture of a domain and its potential risks.", + "services": [], + "techniques": [ + "Utilize URLscan to capture screenshots of websites at a point in time", + "Use VirusTotal domain analysis to understand domain reputation" + ], + "examples": [ + "https://www.tines.com/story-library/87656/lookup-third-party-domain-in-recorded-future", + "https://www.tines.com/library/stories/87744/analyze-domains-through-multiple-sources" + ], + "references": [], + "subtasks": [], + "status": "Enrichment" + }, + { + "name": "Organization Lookup", + "category": "Enrichment", + "id": 3006, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Organizations and how they are structured are generally accessible by their authentication directories. 
These authentication directories usually contain important group information as well as a reporting hierarchy. Some data is also contained in purpose built human resources applications.", + "services": [], + "techniques": [ + "Lookup employee location in BambooHR", + "Find supervisor for employee in order to escalate notifications", + "Set user authentication group depending on user’s business unit" + ], + "examples": [ + "https://www.tines.com/story-library/1186133/enrich-a-user-with-their-organization-details-in-azure-active-directory" + ], + "references": [], + "subtasks": [] + }, + { + "name": "File Analysis", + "category": "Enrichment", + "id": 3013, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "File analysis enrichment refers to the process of taking a file, executing it, and recording the behaviors which result from execution. This activity usually takes place in a sandbox environment which would limit the impact of executing a malicious file. Usually file analysis is only performed after ", + "services": [], + "techniques": [ + "Upload file to VirusTotal for analysis against common antivirus engines", + "Upload a file to " + ], + "examples": [ + "https://www.tines.com/story-library/87734/analyze-suspicious-files-with-any-run", + "https://www.tines.com/story-library/1164087/analyze-malware-with-intezer-using-pages" + ], + "references": [], + "subtasks": [] + }, + { + "name": "User Lookup", + "category": "Enrichment", + "id": 3005, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "User account enrichment refers to the process of gathering additional information about specific user accounts in order to better manage and protect them. 
This can include information about the user's role and responsibilities within the organization, as well as details about their personal information, such as their name, email address, organization, expected working location, vacation schedule, and contact information.", + "services": [], + "techniques": [ + "Query Okta for a user account and find contact information and manager for escalation purposes", + "Find user in Active Directory to understand what group permissions are given to them and information like last password change date" + ], + "examples": [ + "https://www.tines.com/story-library/1170218/lookup-user-in-okta" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Active Host Processes", + "category": "Enrichment", + "id": 3012, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "The process of identifying and analyzing the processes that are currently running on a computer in order to determine whether any of them are potentially malicious. This can be done by examining the processes' characteristics, such as their names, origins, and behavior, and comparing them to known malicious processes.", + "services": [], + "techniques": [ + "Use CrowdStrike to list all active processes on a host", + "Run a query in OSquery to track process behavior over time" + ], + "examples": [ + "https://www.tines.com/story-library/95670/enrich-command-line-utility-with-lolbas-information" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Code Ownership", + "category": "Enrichment", + "id": 3009, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Collaboration in software development has led to many organizations utilizing code repositories such as GitHub. 
When vulnerabilities in software occur, sensitive secrets are committed to code, or private repositories become public, knowing the primary owners of the software helps respond to possible incidents effectively.", + "services": [], + "techniques": [ + "Lookup organization members in the GitHub API", + "Retrieve Git commit author if sensitive data is found" + ], + "examples": [ + "https://www.tines.com/story-library/103501/change-github-repository-from-public-to-private", + "https://www.tines.com/story-library/87707/track-snyk-issues-in-jira" + ], + "references": [], + "subtasks": [] + } + ] + }, + { + "id": "3", + "name": "User Interaction", + "tasks": [ + { + "name": "Email Alerts", + "category": "User Interaction", + "id": 4001, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Send new alert information to an email distribution list or individuals. Helpful for notification when alerts happen so that responding teams can be notified immediately. Email is a reliable notification channel for reasonably assured delivery of critical alerts.", + "services": [], + "techniques": [ + "Query API for alerts and send email for each new alert seen", + "Receive alerts on a webhook and send custom email alerts", + "Recognize suspicious login attempts and email the user" + ], + "examples": [ + "https://www.tines.com/story-library/87731/crowdsource-suspicious-logins-and-suspend-accounts" + ], + "references": [], + "subtasks": [ + { + "id": "33f9d41f-5fe7-4f0c-b90a-ce0ad871ec26", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "User Interaction" + }, + { + "name": "Chat Alerts", + "category": "User Interaction", + "id": 4002, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Send new alert information to a shared chat channel or on-call analyst when they occur. 
Helpful for notification when alerts happen so that responding teams can be notified immediately and collaborate on triage in a shared environment.", + "services": [], + "techniques": [ + "Send security alerts to a dedicated Slack security operations alerts channel where many analysts are present", + "Send security alerts to a shared Teams channel", + "Send specific analyst responsible for triage new alerts that occur" + ], + "examples": [ + "https://www.tines.com/story-library/87755/triage-new-alerts-in-google-alert-center-with-human-oversight", + "https://www.tines.com/blog/chatbots-for-security-and-it-teams" + ], + "references": [ + "https://www.tines.com/blog/chatbots-for-security-and-it-teams" + ], + "subtasks": [ + { + "id": "6ff0a91a-ee81-444c-bd27-e6808a87fcd7", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "User Interaction" + }, + { + "name": "Chat Modal Responses", + "category": "User Interaction", + "id": 4004, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Chat modals are effective for cybersecurity response because they allow users to quickly and easily access important information or take action without leaving the chat interface. This can save time and improve the efficiency of the response by reducing the need to switch between different applications or search for information. Additionally, because chat modals are easy to use and can be customized to provide relevant information and options based on the specific situation, they can help ensure that users have the information and tools they need to respond effectively to a cybersecurity incident. 
For example, a chat modal could be used to provide users with information about a potential security breach and allow them to quickly report the incident or take other appropriate actions.", + "services": [], + "techniques": [ + "If an alert is determined to be a false positive, request additional context for why the alert was deemed so" + ], + "examples": [ + "https://www.tines.com/story-library/87643/send-interactive-messages-in-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Chat Events", + "category": "User Interaction", + "id": 4008, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Many chat applications offer real time notifications of messages and reactions that occur. These notifications can be leveraged to response to specific words or emoji reactions with contextual information or kickoff automation.", + "services": [], + "techniques": [ + "The Slack Events API", + "Discord Interactions websocket", + "Microsoft Teams event subscription" + ], + "examples": [ + "https://www.tines.com/story-library/87721/triage-slack-help-desk-queries", + "https://slack.engineering/distributed-security-alerting/" + ], + "references": [ + "https://slack.engineering/distributed-security-alerting/" + ], + "subtasks": [] + }, + { + "name": "Security Team Response", + "category": "User Interaction", + "id": 4005, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Enabling security analysts to respond to attacks through links or buttons in email and chat platforms is important to security operations because it allows analysts to quickly and easily take action to mitigate an attack. By providing analysts with the ability to respond to attacks directly from their email or chat client, organizations can reduce the time it takes to detect and respond to attacks, which can help to minimize the impact of the attack. 
Additionally, providing analysts with this type of capability can improve their productivity and efficiency, as it allows them to take action without having to switch between multiple applications or systems. Overall, enabling security analysts to respond to attacks through links or buttons in email and chat platforms can help to improve the speed and effectiveness of security operations.", + "services": [], + "techniques": [ + "Utilize Slack buttons to respond quickly to alert notifications", + "Provide links in emails sent to the security team which kick off automation", + "Provide links in tracking issues that allow for quick response without logging into additional platforms" + ], + "examples": [ + "https://www.tines.com/story-library/87691/process-crowdstrike-detections-with-intezer", + "https://www.tines.com/story-library/87717/get-more-context-via-guardduty-to-remediate-aws-alerts" + ], + "references": [], + "subtasks": [ + { + "id": "4f03fc56-660c-443b-866d-971f433fec61", + "title": "Splunk alert handling", + "isCompleted": false + } + ], + "status": "User Interaction" + }, + { + "name": "User Response", + "category": "User Interaction", + "id": 4007, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Asking users for more information on cybersecurity alerts they generated can create efficiencies for security operations teams because it can help the team better understand the context and significance of the alert. This can allow the team to more accurately assess the situation and determine the appropriate response, which can save time and improve the effectiveness of the response. Additionally, by engaging with users and gathering more information, the team can potentially identify underlying issues or vulnerabilities that may have contributed to the alert, which can help prevent similar incidents from occurring in the future. 
Finally, engaging with users can help build trust and collaboration between the security team and other users, which can improve the overall security posture of the organization.", + "services": [], + "techniques": [ + "Send alert information related to a user in Slack and provide response buttons", + "Allow for users to submit information related to alerts in web forms" + ], + "examples": [ + "https://www.tines.com/story-library/87719/distribute-decision-making-using-chatops" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Timed Escalation", + "category": "User Interaction", + "id": 4010, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "If an individual notified of a potential incident doesn’t respond to a cybersecurity alert in situations where the alert indicates a potential risk or threat that requires immediate attention. In these cases, it may be necessary to involve the user's manager in order to ensure that the issue is addressed promptly and effectively. For example, if a user has clicked on a phishing link and their manager is in a better position to help them understand the implications and take appropriate action, it may be necessary to escalate the alert to their manager. 
Additionally, if a user is not responding to the alert for an extended period of time, it may be necessary to involve their manager in order to ensure that the issue is addressed in a timely manner.", + "services": [], + "techniques": [ + "After an hour, if a user has not replied to a message, send a new message to their team or their manager" + ], + "examples": [ + "https://www.tines.com/story-library/87719/distribute-decision-making-using-chatops", + "https://www.tines.com/story-library/1162551/monitor-website-certificates-for-expiration" + ], + "references": [], + "subtasks": [] + }, + { + "name": "User Notification", + "category": "User Interaction", + "id": 4006, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Notifying users of cybersecurity alerts they were involved in is helpful for cybersecurity because it can help users understand the potential risks and implications of their actions, which can encourage them to be more careful and cautious in the future. By providing users with clear and timely information about the alert, the security team can help users understand what happened and what they can do to protect themselves and their data. This can also help users to recognize and avoid similar risks in the future, which can reduce the likelihood of future incidents. 
Additionally, by engaging with users and providing them with information about the alert, the security team can build trust and collaboration, which can improve the overall security posture of the organization.", + "services": [], + "techniques": [ + "Utilize Slack’s ", + "Microsoft Teams direct user messages" + ], + "examples": [ + "https://www.tines.com/story-library/87664/send-a-message-to-user-in-microsoft-teams" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Web Form Responses", + "category": "User Interaction", + "id": 4003, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Create web pages which offer user input to submit structured data or kick off processes. Web forms provide a great way offer capabilities to other teams without needing to give direct access.", + "services": [], + "techniques": [ + "Provide the ability to perform a vulnerability scan against an IP address from a form", + "Open tickets with a group that contains required information", + "Allow teams to lookup information about a user without needing access to the user directory" + ], + "examples": [ + "https://www.tines.com/story-library/109224/onboard-employees-with-flexible-forms", + "https://www.tines.com/story-library/87644/create-zendesk-ticket-via-google-forms", + "https://www.tines.com/story-library/108676/add-form-data-to-google-sheets" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Slash Commands", + "category": "User Interaction", + "id": 4009, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Slash commands in Microsoft Teams and Slack are efficient for cybersecurity operations because they allow users to quickly and easily access important information or execute common tasks without leaving the team collaboration interface. This can save time and improve productivity by reducing the need to switch between different applications or search for information. 
Additionally, because slash commands are easy to use and remember, they can help reduce the risk of errors or misunderstandings. For example, a slash command could be used to quickly retrieve the status of a security system or to trigger an incident response without requiring the user to navigate through a complex series of menus or enter long and potentially error-prone commands. This can be especially useful during a high-pressure situation, such as when responding to a security incident.", + "services": [], + "techniques": [ + "Use a Slack slash command to quickly analyze a domain and collaborate on the results with your team" + ], + "examples": [ + "https://www.tines.com/story-library/87624/submit-url-for-analysis-via-slackbot-and-return-screenshot-of-results", + "https://www.tines.com/story-library/87621/run-a-crowdstrike-real-time-response-command" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Chat Archive", + "category": "User Interaction", + "id": 4011, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Keeping chat records during an incident response is important for several reasons. First, it can provide a clear and concise record of the actions taken during the incident, which can be useful for reviewing and improving the response in the future. Second, it can provide evidence of the actions taken and decisions made during the incident, which can be valuable in the event of an investigation. 
Finally, it can help ensure that all relevant information is captured and preserved, which can be crucial for identifying the cause of the incident and preventing it from happening again.", + "services": [], + "techniques": [ + "Save Slack chat logs to a Jira issue or Amazon S3" + ], + "examples": [ + "https://www.tines.com/story-library/87589/create-manage-incident-comms-via-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Send Multifactor Prompt", + "category": "User Interaction", + "id": 4012, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "In certain critical situations, it may not be possible to trust an alert sent to a user for verification through normal channels. For example, if an attacker has compromised an account and is manipulating alert prompts to their advantage, the prompts will not serve their intended purpose. To increase the likelihood that the person responding is the correct actor, it is advisable to use multifactor authentication tools to send ad-hoc push verification to a trusted device and request user feedback.", + "services": [], + "techniques": [ + "Send push notification containing alert details in Duo Security", + "Inform user they need to confirm a push notification in Okta related to a critical alert that needs to be responded to out-of-band", + "Request a user input a TOTP " + ], + "examples": [ + "https://www.tines.com/story-library/87720/send-push-notifications-in-duo-security", + "https://www.tines.com/story-library/1116766/send-an-mfa-push-challenge-to-an-okta-user-on-demand" + ], + "references": [], + "subtasks": [] + } + ] + }, + { + "id": "4", + "name": "Response", + "tasks": [ + { + "name": "Edit Email Inbox Rules", + "category": "Response", + "id": 5015, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Identifying and removing malicious email inbox rules can help to prevent the spread of malicious content or attacks within an organization. 
Inbox rules are used to automatically process incoming email messages based on certain conditions, such as the sender, the subject, or the content of the message. If an attacker is able to create malicious inbox rules within an organization's email system, they can use those rules to spread malware or exfiltrate sensitive data. By identifying and removing malicious inbox rules, organizations can prevent the spread of such attacks and protect their users from harm.", + "services": [], + "techniques": [ + "Remove email forwarding rules to destinations outside your organization" + ], + "examples": [ + "https://www.tines.com/story-library/1187117/check-mailboxes-for-external-autoforward-rules-and-filters-in-google-workspace", + "https://redcanary.com/blog/email-forwarding-rules/" + ], + "references": [ + "https://redcanary.com/blog/email-forwarding-rules/" + ], + "subtasks": [ + { + "id": "54aa940f-6736-4660-8651-4e79a1a34cda", + "title": "Phishing response workflow", + "isCompleted": false + } + ] + }, + { + "name": "Update User Group Membership", + "category": "Response", + "id": 5013, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "The ability to modify or update a user’s group membership. 
This could be moving the user from a normal group to a different group which has different conditional access properties, such as requiring additional multi-factor authentication, or by moving a user to a limited access group.", + "services": [], + "techniques": [ + "Move administrator account to a limited privilege group due to unusual external login", + "After authentication attempt from unusual location, move user to strict conditional access group " + ], + "examples": [ + "https://www.tines.com/story-library/1185812/update-groups-assigned-to-a-user-in-azure-active-directory" + ], + "references": [], + "subtasks": [] + }, + { + "name": "IP Blocklist", + "category": "Response", + "id": 5004, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Maintain a webserver, file or list with a set of IPs which are deemed suspicious or malicious which solutions can utilize. Solutions can retrieve this list of IPs on an interval. Many solutions require a specific format which the data will be structured in, so the display of the data should be able to change based on the solution utilizing the list.", + "services": [], + "techniques": [ + "Palo Alto External Dynamic Lists read from a webserver", + "Symantec Web Gateway blocklist can receive a file upload", + "CrowdStrike IoC lists" + ], + "examples": [ + "https://www.tines.com/story-library/87666/triage-elastic-security-alerts-and-block-malicious-ips", + "https://www.tines.com/story-library/87622/query-greynoise-for-cves-and-update-blocklist", + "https://www.tines.com/story-library/87689/manage-crowdstrike-iocs-in-slack", + "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list", + "https://knowledge.broadcom.com/external/article/178081/how-to-add-a-whitelist-or-blacklist-entr.html" + ], + "references": [ + "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list", + 
"https://knowledge.broadcom.com/external/article/178081/how-to-add-a-whitelist-or-blacklist-entr.html" + ], + "subtasks": [] + }, + { + "name": "Block Email Sender", + "category": "Response", + "id": 5017, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Blocking email senders can prevent future phishing attempts from the same sender from reaching users. By blocking the sender, organizations can reduce the risk of users being targeted by future phishing attacks from that source. This can be particularly useful if the sender has been identified as a known phisher or if the organization has received multiple phishing attempts from the same sender. Additionally, blocking email senders can help to reduce the overall volume of phishing attempts that an organization receives, which can make it easier for security teams to focus on more pressing threats. Overall, blocking email senders can be an effective response strategy to combat phishing in a security operations center.", + "services": [], + "techniques": [ + "Add email domains to a Blocked Sender List in Proofpoint", + "Add email domains to a policy in Mimecast" + ], + "examples": [ + "https://www.tines.com/story-library/87687/query-various-mimecast-endpoints", + "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide", + "https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/090_filtersandsenderlists/Setting_up_sender_lists/How_to_edit_Safe_and_Blocked_Sender_Lists#:~:text=Navigate%20to%20Security%20Settings%20%3E%20Email,Sender%20list%20WILL%20be%20quarantined" + ], + "references": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide", + 
"https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/090_filtersandsenderlists/Setting_up_sender_lists/How_to_edit_Safe_and_Blocked_Sender_Lists#:~:text=Navigate%20to%20Security%20Settings%20%3E%20Email,Sender%20list%20WILL%20be%20quarantined" + ], + "subtasks": [ + { + "id": "880a50e4-c937-4840-888a-b1f6249a47bb", + "title": "Phishing response workflow", + "isCompleted": false + } + ], + "status": "Response" + }, + { + "name": "Domain Blocklist", + "category": "Response", + "id": 5005, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Maintain a webserver, file or list with a set domains which are deemed suspicious or malicious which solutions can utilize. Solutions can retrieve this list of domains on an interval. Many solutions require a specific format which the data will be structured in, so the display of the data should be able to change based on the solution utilizing the list. Some solutions also provide access for blocking specific URL paths.", + "services": [], + "techniques": [ + "Palo Alto External Dynamic Lists read from a webserver", + "Symantec Web Gateway blocklist can receive a file upload", + "CrowdStrike IoC lists" + ], + "examples": [ + "https://www.tines.com/story-library/87671/request-urls-to-be-added-to-zscaler-allowlist" + ], + "references": [], + "subtasks": [ + { + "id": "e9dfb774-d779-42f7-9f5a-c84a53c539f0", + "title": "Phishing response workflow", + "isCompleted": false + } + ] + }, + { + "name": "File Hash Blocklist", + "category": "Response", + "id": 5006, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Maintain a webserver, file or list with a set of hashes which are deemed suspicious or malicious which solutions can utilize. Solutions can retrieve this list of hashes on an interval. 
Many solutions require a specific format which the data will be structured in, so the display of the data should be able to change based on the solution utilizing the list.", + "services": [], + "techniques": [ + "Use CrowdStrike IoC lists", + "Scan endpoints looking for hashes" + ], + "examples": [ + "https://www.tines.com/story-library/87689/manage-crowdstrike-iocs-in-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Password Invalidation", + "category": "Response", + "id": 5008, + "last_edited": "2023-12-02T21:53:00.000Z", + "description": "Invalidate current password based credentials without disabling a user account. Sometimes known as ‘forced password change’. Helpful in situations when an account could be compromised, but does not have any identifiable information that it has been utilized maliciously.", + "services": [], + "techniques": [ + "If publicly compromised password hashes (”Have I Been Pwned” among other services) match current passwords, force password change on user." + ], + "examples": [ + "https://www.tines.com/story-library/1139843/invalidate-user-s-password-in-azure-active-directory", + "https://www.tines.com/blog/breaches-are-inevitable-and-early-detection-is-crucial" + ], + "references": [ + "https://www.tines.com/blog/breaches-are-inevitable-and-early-detection-is-crucial" + ], + "subtasks": [] + }, + { + "name": "Modify Visibility Settings", + "category": "Response", + "id": 5009, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Preventing resources like S3 buckets and Google Drive documents from becoming public can help to protect sensitive data and prevent unauthorized access to resources. S3 buckets and Google Drive documents can contain a wide range of sensitive data, including confidential documents, financial data, or personal information. 
If these resources are accidentally or intentionally made public, they can be accessed by anyone with an internet connection, which can pose a significant security risk. By preventing resources like S3 buckets and Google Drive documents from becoming public, organizations can ensure that sensitive data is not exposed and that access to resources is controlled and restricted. Also consider the impact of code repositories becoming public unintentionally. This can help to improve the overall security posture of an organization and reduce the risk of data breaches or other security incidents.", + "services": [], + "techniques": [ + "Change visibility settings of an S3 bucket to prevent public and anonymous access", + "Change sharing of Google Drive documents to prevent access from “anyone with the link”", + "Revert EBS snapshots that may contain sensitive data from becoming public", + "Change GitHub repository settings from public to private" + ], + "examples": [ + "https://www.tines.com/story-library/87718/implement-data-loss-prevention-policies", + "https://www.tines.com/story-library/1116939/find-remediate-publicly-exposed-s3-buckets-with-wiz", + "https://www.tines.com/story-library/1187415/alert-when-gitlab-projects-become-public", + "https://www.tines.com/story-library/103501/change-github-repository-from-public-to-private" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Host Isolation", + "category": "Response", + "id": 5001, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Isolate hosts from networks using a set of network restricted firewall rules. Useful for limiting impact of post exploitation activity, such as lateral movement, while maintaining management connectivity through direct terminal access or select domains. Many Endpoint Detection & Response (EDR) tools provide the ability to isolate hosts while maintaining connectivity to their management platform. 
Hypervisor platforms provide capability to restrict network connectivity to hypervisor guests. Networks which utilize micro-segmentation can be sued to limit network routes, inbound, and outbound access.", + "services": [], + "techniques": [ + "Isolate host in CrowdStrike or other EDR platform", + "Apply security group in AWS" + ], + "examples": [ + "https://www.tines.com/library/stories/103434/contain-a-registered-device-with-crowdstrike", + "https://www.tines.com/library/stories/1195811/create-snapshot-and-isolate-a-compromised-aws-instance", + "https://www.tines.com/library/stories/1197367/isolate-machines-in-microsoft-defender", + "https://www.tines.com/library/stories/1203823/isolate-a-host-protected-by-elastic-endpoint", + "https://www.tines.com/library/stories/1203145/manage-limacharlie-sensor-isolation-with-tines-pages", + "https://www.tines.com/library/stories/1199181/isolate-and-take-a-snapshot-of-an-instance-in-google-cloud", + "https://www.tines.com/library/stories/87658/identify-and-remediate-malicious-sentinelone-threats-with-virustotal" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Application Execution Policy", + "category": "Response", + "id": 5016, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Keeping an application execution policy and blocklist can help to prevent unauthorized or malicious software from running on systems within an organization. By maintaining an application execution policy and blocklist, organizations can ensure that only authorized applications are allowed to run on their systems, which can help to prevent the execution of malware or other malicious software. This can improve the overall security posture of an organization by reducing the risk of successful attacks and data breaches. Additionally, organizations can centralize and automate the process of managing application execution, which can improve the efficiency and effectiveness of their security operations. 
Overall, keeping an application execution policy and blocklist is an important aspect of security operations.", + "services": [], + "techniques": [ + "Add malicious executables to a Carbon Black Protection list", + "Add executable hashes to an execution policy in CrowdStrike" + ], + "examples": [ + "https://www.tines.com/story-library/87689/manage-crowdstrike-iocs-in-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "End Running Process", + "category": "Response", + "id": 5012, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Long running malware usually presents itself on hosts via active processes on hosts. Command and control techniques often utilize executables and processes on hosts to maintain persistence. Cryptocurrency miners actively run on hosts and consume CPU in order to generate income for attackers. Ending these processes can be effective in remediating incidents.", + "services": [], + "techniques": [ + "Kill process in CrowdStrike using Real Time Response" + ], + "examples": [ + "https://www.tines.com/story-library/1164461/kill-an-active-process-in-crowdstrike", + "https://www.crowdstrike.com/blog/tech-center/file-remediation-rtr/" + ], + "references": [ + "https://www.crowdstrike.com/blog/tech-center/file-remediation-rtr/" + ], + "subtasks": [] + }, + { + "name": "Authentication Session Invalidation", + "category": "Response", + "id": 5003, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "If an account has been found to be compromised, invalidate current login sessions associated with the account. With Single Sign on (SSO) technologies, some compromised session cookies can still be valid after accounts are suspended or passwords have been changed. 
Invalidating login sessions can greatly reduce the chance of persistence by an attacker.", + "services": [], + "techniques": [ + "Revoke authentication sessions in Okta", + "Revoke authentication sessions in Azure AD", + "Invalidate AWS IAM session" + ], + "examples": [ + "https://www.tines.com/story-library/87717/get-more-context-via-guardduty-to-remediate-aws-alerts", + "https://www.tines.com/story-library/1166837/invalidate-authentication-sessions-for-a-user-in-azure-ad", + "https://www.tines.com/story-library/1164625/invalidate-authentication-sessions-for-a-user-in-okta" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Disable Multifactor Authentication Device", + "category": "Response", + "id": 5011, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Multifactor authentication (MFA) devices are generally limited to a single device per account. Disabling MFA devices can reduce the risk of a stolen MFA device being utilized or the potential for a second MFA device being registered to an account in order to maintain persistence.", + "services": [], + "techniques": [ + "Monitor for new MFA devices in Duo Security and remove the newest one", + "Disable redundant MFA devices in Okta so users only have one" + ], + "examples": [ + "https://www.tines.com/story-library/1172853/disable-new-mfa-devices-in-okta" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Artifact Gathering", + "category": "Response", + "id": 5002, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Many successfully executed threats leave known artifacts behind such as changed registry keys or files in directories on hosts. 
Retrieving those artifacts and analyzing them can provide information towards finding a root cause or knowing what happened during an attack.", + "services": [], + "techniques": [ + "Check the Windows registry for new keys like SysInternals EULA agreement", + "Retrieve Google Chrome extensions currently installed by checking the file path they are installed to" + ], + "examples": [ + "https://www.tines.com/story-library/1182802/manage-velociraptor-artifact-collection-via-slack" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Run Command on Remote Host", + "category": "Response", + "id": 5018, + "last_edited": "2023-12-03T19:10:00.000Z", + "description": "Responding promptly in security operations is crucial for the protection and integrity of an organization's digital assets. Leveraging platforms which provide the ability to run remote commands on endpoints, organizations can detect, investigate, analyze, and mitigate potential threats before they escalate into significant incidents. This proactive approach not only prevents data breaches and system compromises but also reinforces the organization's commitment to safeguarding its stakeholders' interests.", + "services": [], + "techniques": [ + "Utilize the ‘Real Time Response’ feature of CrowdStrike to execute commands and scripts for investigation and artifact gathering.", + "Check for a file existing on all hosts in a specific folder using LimaCharlie’s remote command features." + ], + "examples": [ + "https://www.tines.com/story-library/87621/run-a-crowdstrike-real-time-response-command", + "https://www.tines.com/library/stories/87605/run-remote-commands-in-limacharlie" + ], + "references": [], + "subtasks": [] + }, + { + "name": "Email Deletion", + "category": "Response", + "id": 5010, + "last_edited": "2023-11-26T13:14:00.000Z", + "description": "Remove emails from user inboxes before they have a chance to download malicious attachments or click on phishing URLs. 
Many email providers allow for moving individual emails into Trash folders by email ID while email protection services can classify wider phishing campaigns which can send many similar but different emails to many users. These permissions usually require an elevated admin permission at your organization.",
+ "services": [],
+ "techniques": [
+ "Remove individual email by ID in Office 365",
+ "Move an email to the trash in Gmail",
+ "Query for specific emails by properties (potentially using regular expressions) and remove all matching results for all users."
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87730/delete-an-email-from-a-specified-user-s-mailbox",
+ "https://www.tines.com/story-library/87655/query-for-protect-emails-in-material-security",
+ "https://www.tines.com/story-library/87695/take-out-the-trash-in-gmail",
+ "https://www.tines.com/story-library/87729/search-and-delete-spam-in-an-office-365-mailbox"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Account Suspension",
+ "category": "Response",
+ "id": 5007,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Suspend or make inactive user and service accounts from additional authentication sessions. 
Useful after identification of suspicious login sessions from unknown login sources or after anomalous login behaviors that result in successful authentication like during password spraying attacks.",
+ "services": [],
+ "techniques": [
+ "Disable account in Okta",
+ "Disable account in Azure Active Directory"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87509/suspend-or-disable-accounts-in-azure-active-directory",
+ "https://www.tines.com/story-library/107118/monitor-duo-security-logs-for-new-mfa-devices",
+ "https://www.tines.com/story-library/87650/suspend-or-disable-accounts-in-google-workspace-github-and-okta"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Suggest Code Fix",
+ "category": "Response",
+ "id": 5014,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "By automatically suggesting code improvements can help to identify and fix vulnerabilities before they can be exploited. Vulnerable code can be a major security risk, as it can allow attackers to gain access to sensitive data or disrupt the operation of an application. By automatically suggesting code improvements when vulnerabilities are detected, organizations can quickly and easily identify areas of their codebase that need to be fixed and take appropriate action to address the vulnerabilities. This can help to reduce the risk of successful attacks and improve the overall security posture of an organization. Additionally, by suggesting code improvements automatically, organizations can reduce the time and effort required to identify and fix vulnerabilities, which can help to improve the efficiency of their security operations.",
+ "services": [],
+ "techniques": [
+ "Utilize Semgrep to analyze code against best practices and suggest changes",
+ "Ask AI-based development tools for any known vulnerabilities within code examples and have it provide remediation ideas." 
+ ],
+ "examples": [
+ "https://www.tines.com/library/stories/1199671/analyze-github-pull-requests-for-vulnerabilities-with-chatgpt"
+ ],
+ "references": [],
+ "subtasks": []
+ }
+ ]
+ },
+ {
+ "id": "5",
+ "name": "Continuity",
+ "tasks": [
+ {
+ "name": "Automate by Documentation",
+ "category": "Continuity",
+ "id": 6004,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Use documentation to perform actions by using the information in the resources to guide and direct the automated processes. For example, an automation tool might use a knowledgebase to determine the appropriate response to a specific alert or to identify the steps that need to be taken to resolve a particular issue. The automation tool can then use the information in the knowledge base to execute the appropriate actions, such as triggering a response to an alert or resolving a problem. Additionally, automation tools can use documentation to provide context and guidance for the automated processes, which can help ensure that the processes are well-defined and effective. For example, a set of instructions or a flowchart in a documentation resource could be used to guide an automation tool through the steps of a complex process, such as a data backup or recovery procedure.",
+ "services": [],
+ "techniques": [
+ "Search Notion for information pertaining to an alert and provide an analyst a set of manual steps to potentially perform if automation cannot." 
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87674/search-notion-for-information",
+ "https://www.tines.com/story-library/1184708/identify-false-positive-alerts-from-elastic-using-a-database-in-notion"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Workflow Backup",
+ "category": "Continuity",
+ "id": 6001,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Create backups of workflow configurations to a file server or code repository in order to have an offline copy of configuration at a state in time that can be reverted to if needed. ",
+ "services": [],
+ "techniques": [
+ "Export configuration backups to a PC",
+ "Save configurations to AWS S3",
+ "Commit versions of configurations to GitHub"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87728/backup-tines-stories-to-github",
+ "https://www.tines.com/story-library/87683/save-tines-story-in-aws-s3"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Blocklist Updates",
+ "category": "Continuity",
+ "id": 6007,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "A blocklist is a list of entities that are blocked or restricted, such as IP addresses, domains, or applications. Over time, the effectiveness of a blocklist can decrease as the entities on the list become outdated or are no longer a threat. By maintaining and aging out old blocklist entries, organizations can ensure that their blocklist is current and relevant, which can help to improve the effectiveness of their security measures. Additionally, aging out old blocklist entries can help to reduce the risk of false positives, as it ensures that only current and relevant entries are included on the list. 
Overall, maintaining and aging out old blocklist entries is an important aspect of security operations.",
+ "services": [],
+ "techniques": [
+ "Record date added with each blocklist entry",
+ "Set a policy which guides when indicators should be reviewed or aged out"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1177698/add-a-url-to-a-blocklist-in-zscaler"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Workflow Documentation",
+ "category": "Continuity",
+ "id": 6003,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Teams should document their automation processes for responding to alerts because it can help ensure that the processes are well-defined, consistent, and effective. Documenting the processes can provide a clear and concise reference for team members, which can help them understand how to use the automation tools and when to apply them. Additionally, documenting the processes can help the team identify potential issues or areas for improvement, and can provide a basis for reviewing and updating the processes over time. 
Finally, documenting the processes can help ensure that the team has a clear and auditable record of the automation tools and processes in place, which can be valuable for compliance and regulatory purposes.",
+ "services": [],
+ "techniques": [
+ "Save images of visual automation workflows that can be kept in documentation",
+ "Support automation with descriptive notes outlining intent when designing the automation"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87685/generate-a-tines-story-visual"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Knowledgebase Documentation",
+ "category": "Continuity",
+ "id": 6002,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "A knowledgebase that documents the security automation utilized by an organization is important to security operations because it allows for quick and easy access to information about the security automation in place, which can help security personnel quickly identify and address any potential security issues. Additionally, having this information documented in a knowledgebase allows for easy sharing of information between different teams and departments, which can help ensure that everyone is on the same page when it comes to security operations.",
+ "services": [],
+ "techniques": [
+ "Keep an knowledgebase page for each workflow",
+ "Update knowledgebase with versions when changes are made to a workflow"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1187588/document-tines-stories-in-atlassian-confluence",
+ "https://www.tines.com/library/stories/1191671/create-tines-story-documentation-using-chatgpt-and-store-in-notion"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Automation Tests",
+ "category": "Continuity",
+ "id": 6008,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Automation tests are used to verify that different components or systems within an automation are working together properly. 
By running types of tests such as unit or integration tests, organizations can identify any issues or problems with their security automation and take appropriate action to fix them. This can help to improve the reliability and effectiveness of the automation, which is crucial for maintaining the security of an organization. Additionally, by running integration tests regularly, organizations can ensure that their security automation is up-to-date and functioning properly, which can help to reduce the risk of security incidents.",
+ "services": [],
+ "techniques": [
+ "Send in expected alert payloads routinely and check for intended results"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1184528/perform-a-unit-test-on-a-story-in-tines"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Change Management",
+ "category": "Continuity",
+ "id": 6005,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Utilizing change management is important to security operations because it helps to ensure that changes are made in a controlled, consistent, and predictable manner. Change management processes help to ensure that changes are thoroughly tested and validated before they are implemented, which helps to reduce the risk of disruptions or problems arising as a result of the change. Additionally, change management processes can help to coordinate the efforts of multiple teams and stakeholders, ensuring that everyone is aware of and prepared for the change. 
Overall, using change management when updating security automation helps to ensure that security operations are not disrupted by changes and that updates are made in a way that is consistent with the needs and goals of the organization.",
+ "services": [],
+ "techniques": [
+ "Use pull requests in a Git based flow to introduce new changes in automation code",
+ "Notify teams when changes are approved and introduced in an environment"
+ ],
+ "examples": [
+ "https://www.tines.com/library/stories/1191061/monitor-tines-audit-logs-for-action-changes-and-send-slack-alerts?redirected-from=/library/stories?s=changes+tines"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Workflow Versioning",
+ "category": "Continuity",
+ "id": 6006,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Keeping version records of security automation is important to security operations because it allows for the tracking of changes made to the automation, which can help identify any potential issues, audting, or unexpected outcomes that may have been introduced over time. It also allows for the easy rollback of any changes that may have caused unintended consequences, and provides a historical record of the automation's development and evolution.",
+ "services": [],
+ "techniques": [
+ "Commit workflow changes to a repository routinely"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87728/backup-tines-stories-to-github"
+ ],
+ "references": [],
+ "subtasks": []
+ }
+ ]
+ },
+ {
+ "id": "6",
+ "name": "Procedural",
+ "tasks": [
+ {
+ "name": "Perform Takedown",
+ "category": "Procedural",
+ "id": 7005,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Many effective attacks like phishing often use branding and language that is designed to trick people into believing that the email or website is legitimate. 
It is important for security operations to take down phishing websites as soon as they are discovered.",
+ "services": [],
+ "techniques": [
+ "Submit take down requests to providers with "
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1168801/create-a-takedown-case-in-phish-report"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "User Assessment",
+ "category": "Procedural",
+ "id": 7001,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Reviewing user directories for user activity, group membership, and password rotation is important for cybersecurity operations because it helps to ensure that only authorized users have access to sensitive systems and data, and that their access is properly managed and monitored. This can help to prevent unauthorized access or misuse of resources, and can also aid in detecting and responding to potential security breaches or other threats. By regularly reviewing user directories and making sure that all user accounts are properly configured and secured, organizations can better protect themselves against security breaches and other cyber threats.",
+ "services": [],
+ "techniques": [
+ "Retrieve lists of users in Azure Active Directory and find accounts which have not authenticated in 90 days",
+ "Retrieve lists of AWS IAM user keys that have been unused"
+ ],
+ "examples": [
+ "https://www.tines.com/library/stories/1193582/scan-and-report-inactive-okta-accounts-using-tines-cases-and-deactivate",
+ "https://www.tines.com/library/stories/87743/cleanup-inactive-users-in-aws-iam"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Service Level Agreement (SLA) Measurement",
+ "category": "Procedural",
+ "id": 7004,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Adhering to and measuring a service level agreement (SLA) is important for cybersecurity operations because it helps to ensure that an organization's security infrastructure and processes are meeting the 
necessary standards and requirements. By adhering to and measuring an SLA, an organization can track its progress towards timely response and identify any areas that may need improvement. This can help to ensure that the organization's security systems and processes are effective and efficient, and can help to prevent security breaches or other cyber threats.",
+ "services": [],
+ "techniques": [
+ "Retrieve list of Jira issues opened and compare the average response time against an expected SLA",
+ "Measure mean time to respond and mean time to close"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1176179/graph-issue-response-and-closure-times-for-a-project-in-jira",
+ "https://www.tines.com/library/stories/87649/search-jira-for-open-sla-breaches"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Vulnerability Identification",
+ "category": "Procedural",
+ "id": 7003,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "A security operations team should run routine vulnerability scans because doing so can help identify potential vulnerabilities in the organization's systems and networks. By regularly scanning for vulnerabilities, the team can identify and address potential weaknesses before they are exploited by attackers. This can help protect the organization from security breaches and other incidents, and can improve the overall security posture of the organization. Additionally, by regularly performing vulnerability scans, the team can monitor for changes or new vulnerabilities over time, which can help ensure that the organization's systems and networks are always as secure as possible. 
Finally, running routine vulnerability scans can help the team comply with industry regulations and standards, which may require regular vulnerability assessments.",
+ "services": [],
+ "techniques": [
+ "Correlate multiple vulnerable hosts vulnerable to a specific attack in a single tracking issue",
+ "Identify problematic code and open Jira issue"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/87510/manage-qualys-ec2-vulnerabilities-in-jira",
+ "https://www.tines.com/library/stories/87707/track-snyk-issues-in-jira"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Identify assets",
+ "category": "Procedural",
+ "id": 7006,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "A reliable source of truth is valuable for any security operations team and even more so in a security automation program. Most importantly is the ability to make sure that source of truth is up to date and contains any assets that might not be tracked by conventional means. Often organizations must deploy network equipment or specialized equipment without standard tracking agents being installed. Many organizations may utilize many different tools for discovering untracked assets and unapproved assets. 
By identifying assets regularly and through different means, there will be a better understanding of your organization’s attack surface and discover potential risks.",
+ "services": [],
+ "techniques": [
+ "Run a scan in Tenable and cross reference with known asset lists",
+ "Setup alerts in Shodan for new externally available IPs or ports"
+ ],
+ "examples": [
+ "https://www.tines.com/library/stories/1185668/discover-and-monitor-unmanaged-devices-using-axonius?redirected-from=/library/stories?s=shodan",
+ "https://www.tines.com/library/stories/1154615/check-ips-in-shodan-for-unexpected-open-ports?redirected-from=/library/stories?s=shodan"
+ ],
+ "references": [],
+ "subtasks": []
+ },
+ {
+ "name": "Asset Assessment",
+ "category": "Procedural",
+ "id": 7002,
+ "last_edited": "2023-11-26T13:14:00.000Z",
+ "description": "Reviewing active assets such as computers for software installed and naming convention is important for security operations because it helps to ensure that the assets are properly configured and managed. By reviewing active assets for the software that is installed, organizations can identify any unauthorized or unnecessary software that may be present, and take appropriate action to remove it. This can help to reduce the risk of security incidents, as it ensures that only authorized and necessary software is running on the assets. Additionally, by reviewing the naming convention of active assets, organizations can ensure that they are properly identified and organized within the organization's systems. 
This can help to improve the efficiency and effectiveness of security operations, as it makes it easier to locate and manage the assets.",
+ "services": [],
+ "techniques": [
+ "Retrieve lists of assets from CMDB and compare against network scans of active hosts"
+ ],
+ "examples": [
+ "https://www.tines.com/story-library/1178448/verify-crowdstrike-is-present-on-new-devices-in-jamf"
+ ],
+ "references": [],
+ "subtasks": []
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "active": 0
+ }
+}