The project represents the following:
The RE&CT Framework is designed for accumulating, describing and classification actionable Incident Response techniques.
(Image generated by RE&CT Navigator)
The main use cases:
The main resources:
The ATC RE&CT project inherits the "Actionable Analytics" paradigm from the ATC project, which means that the analytics are:
.md) for sharing/using in operations
.yml) for automatic processing/integrations
Simply saying, the analytics are stored in
.yml files, that are automatically converted to
.md documents (with jinja) and
.json TheHive Case Templates.
Response Action is a description of a specific atomic procedure/task that has to be executed during the Incident Response. It is an initial entity that is used to construct Response Playbooks.
Here is an example of Response Action:
Each Response Action mapped to a specific Response Stage.
The first digit of the Response Action ID reflects a Stage it belongs to:
The second digit of the Response Action ID reflects a Category it belongs to:
This way, using Response Action ID, you can see the Stage and Category it belongs to.
For example, RA2202: Collect an email message is related to Stage 2 (Identification) and Category 2 (Email).
The categorization aims to improve Incident Response process maturity assessment and roadmap development.
Response Playbook is an Incident Response plan, that represents a complete list of procedures/tasks (Response Actions) that has to be executed to respond to a specific threat with optional mapping to the MITRE's ATT&CK or Misinfosec's AMITT frameworks.
Here is an example of Response Playbook:
Response Playbook could include a description of the workflow, specific conditions/requirements, details on the order of Response Actions execution, or any other relevant information.
TheHive Case Templates are built on top of the Response Playbooks. Each task in a Case Template is a Response Action (with full description).
Here is the example of an imported TheHive Case Template:
TheHive Case Templates could be found in
docs/thehive_templates directory and could be imported to TheHive via its web interface.
ATC RE&CT project plays a role of data source for the Atomic Threat Coverage framework, that uses it to generate Markdown and Confluence knowledge bases, ATT&CK Navigator layers, Elasticsearch indexes and other analytics.
Originally analytics related to Incident Response were part of the ATC, but we decided to move it into a separate project to make it easier to maintain and provide an option for integration with other projects in this area.
Make sure you are compliant with the requirements
Create configuration file by copying configuration file template
config.yml (root of the project). Modify it, following the guideline in the configuration file template.
.yml files are ready, convert them to
.md documents, import them into Confluence, generate TheHive templates and RE&CT Navigator layer using the following commands:
python3 main.py --markdown --auto --init python3 main.py --confluence --auto --init python3 main.py --thehive python3 main.py -NAV
You will find the outcome in the
docs directory and Confluence pages (according to the configuration). Also, the RE&CT Navigator layer could be opened only in the customized application.
Generate your own (private) website with your analytics, using mkdocs:
python3 main.py -MK # automatic mkdocs config (navigation) generation python3 -m mkdocs build
The website will be stored in the
site directory. You can preview it with the following command:
python3 -m mkdocs serve
python3 -m pip install -r requirements.txt
Would you like to become one? You are very welcome! Our CONTRIBUTING guideline is a good starting point.
The roadmap and related discussions could be found in the project issues by labes:
See the LICENSE file.