Open dsvetlov opened 4 years ago
Hi @dsvetlov
We agree with your opinion. The problem which we were facing was to not go too deeply into response actions, as those vary in every environment, but at the same time not be too high level (Preparation: Prepare for incident ;). For example, we suggest some of the tools which we tested and which worked well for us (like munpack in RA_2205_extract_observables_from_email_message), but a lot of RAs are dependent on what's inside the environment. So to keep it adjustable we need to stay high level; however, we believe that once the skeleton is ready we (and the community) can add more detailed descriptions of options. It's still in the alpha phase; most probably in the future we will go deeper in a similar fashion as ATT&CK is currently doing with the introduction of sub-techniques.
Hi @dsvetlov!
[...] each RA should be modified for certain needs and processes of an organization [...]
You are absolutely right. We developed Response Actions in the way to:
Let me go through the operationalization process step by step:
main.py
to export the analytics to preferable format[...] we need to think about how to make this data more actionable [...]
That's supposed to be done on the user side. There are many unique requirements, internal specifics, systems and methods to execute a particular Response Action in an organization.
So we'd better focus on the Response Actions development (the variety) in the way they are right now, rather than going deeper into some specifics. We also need to integrate Data Needed and Mitigation Systems to provide analytics about the value of one system/data in comparison to the others.
We believe that it would be more valuable for the community.
This specific topic has been on my mind since first introduction to the project, and I'd just like to share some thoughts on how I think organizations could leverage ATC-RE&CT.
Nirvana-state usage of RE&CT.
From a practical perspective, I'm trying to push an organization I've worked with in the past towards RE&CT for SOAR.
Would love to hear how others are leveraging RE&CT in their organization or your views on how it could be leveraged.
The use cases and implementation process for this framework are not clear. I kindly ask everybody who is concerned to discuss it.
From my point of view, these "tactics and techniques" are "theoretical" or too high-level to be actionable for a wide audience. Hence they should be clarified and detailed for each organization.
Hence atc-react could be used as a skeleton of RA catalog in Atomic Threat Coverage. But each RA should be modified for certain needs and processes of an organization.
These are my thoughts about atc-react and its use cases. I think that @yugoslavskiy and @mrblacyk did a great job, and we need to think about how to make this data more actionable.
Please share your thoughts and opinions, because I'm an active ATC user and want to know how other companies use it.