├── .github
└── workflows
│ └── build.yml
├── .meta.json
├── Data Collection
├── .gitignore
├── Anomaly Detection
│ ├── README.md
│ └── anomdetsketch.png
├── Automated Malware Analysis
│ ├── README.md
│ └── malwareclassification.png
├── README.md
└── tactics
│ ├── .meta.json
│ ├── Command and Control
│ ├── .gitkeep
│ ├── README.md
│ └── T1071
│ │ ├── README.md
│ │ ├── T1071.001
│ │ └── README.md
│ │ └── T1071.002
│ │ └── README.md
│ ├── Credential Access
│ ├── .gitkeep
│ ├── README.md
│ ├── T1003
│ │ ├── README.md
│ │ └── T1003.001
│ │ │ └── README.md
│ ├── T1056
│ │ ├── README.md
│ │ └── T1056.001
│ │ │ └── README.md
│ └── T1110
│ │ ├── README.md
│ │ └── T1110.003
│ │ └── README.md
│ ├── Defence Evasion
│ ├── .gitkeep
│ ├── README.md
│ ├── T1070
│ │ ├── README.md
│ │ └── T1070.004
│ │ │ └── README.md
│ └── T1140
│ │ └── README.md
│ ├── Discovery
│ ├── .gitkeep
│ ├── README.md
│ ├── T1016
│ │ └── README.md
│ ├── T1083
│ │ └── README.md
│ └── T1087
│ │ ├── README.md
│ │ ├── T1087.001
│ │ └── README.md
│ │ └── T1087.002
│ │ └── README.md
│ ├── Execution
│ ├── .gitkeep
│ ├── README.md
│ └── T1059
│ │ ├── README.md
│ │ ├── T1059.001
│ │ └── README.md
│ │ ├── T1059.003
│ │ └── README.md
│ │ └── T1059.005
│ │ └── README.md
│ ├── Lateral Movement
│ ├── .gitkeep
│ ├── README.md
│ ├── T1021
│ │ ├── README.md
│ │ ├── T1021.001
│ │ │ └── README.md
│ │ └── T1021.002
│ │ │ └── README.md
│ └── T1570
│ │ └── README.md
│ ├── Persistence
│ ├── .gitkeep
│ ├── README.md
│ ├── T1053
│ │ ├── README.md
│ │ ├── T1053.002
│ │ │ └── README.md
│ │ └── T1053.005
│ │ │ └── README.md
│ ├── T1078
│ │ ├── README.md
│ │ ├── T1078.001
│ │ │ └── README.md
│ │ ├── T1078.002
│ │ │ └── README.md
│ │ └── T1078.003
│ │ │ └── README.md
│ └── T1547
│ │ ├── README.md
│ │ └── T1547.001
│ │ └── README.md
│ └── Privilege Escalation
│ ├── .gitkeep
│ ├── README.md
│ ├── T1053
│ ├── README.md
│ ├── T1053.002
│ │ └── README.md
│ └── T1053.005
│ │ └── README.md
│ ├── T1078
│ ├── README.md
│ ├── T1078.001
│ │ └── README.md
│ ├── T1078.002
│ │ └── README.md
│ └── T1078.003
│ │ └── README.md
│ └── T1543
│ ├── README.md
│ └── T1543.003
│ └── README.md
├── Enrichment
├── Feature-Extractor
│ ├── .gitkeep
│ └── README.md
├── README.md
├── Threat Intelligence
│ ├── .gitkeep
│ ├── Mitre Att&ck
│ │ ├── .gitkeep
│ │ └── README.md
│ ├── Open Source Intelligence
│ │ ├── README.md
│ │ ├── analyze_ip_address.ipynb
│ │ ├── finnish_domains.ipynb
│ │ └── upload_file_to_virustotal.ipynb
│ └── README.md
└── Time Series Analysis and Log Anomaly Detection
│ └── README.md
├── Eradicate-Recover
└── README.md
├── Hypotheses
├── .gitignore
├── README.md
├── Risk Management
│ ├── Plan Implementation
│ │ └── README.md
│ ├── README.md
│ ├── Reporting
│ │ └── README.md
│ ├── Risk Assessment
│ │ ├── Hypotheses
│ │ │ ├── README.md
│ │ │ ├── hypothesis1.md
│ │ │ └── hypothesis2.md
│ │ ├── README.md
│ │ ├── Risk Analysis
│ │ │ └── README.md
│ │ ├── Risk Evaluation
│ │ │ └── README.md
│ │ ├── Risk Identification
│ │ │ └── README.md
│ │ └── Risk to Threat
│ │ │ └── README.md
│ ├── Risk Mitigation Plan
│ │ └── README.md
│ └── Risk Monitoring
│ │ └── README.md
└── Threat Modeling
│ ├── Methodologies
│ ├── Attack Tree
│ │ ├── .gitignore
│ │ ├── README.md
│ │ └── attack.gif
│ ├── CVSS
│ │ └── README.md
│ ├── DREAD
│ │ ├── .gitignore
│ │ └── README.md
│ ├── MITRE ATT&CK
│ │ └── README.md
│ ├── Mitre Atlas
│ │ ├── .gitkeep
│ │ └── README.md
│ ├── OCTAVE
│ │ └── README.md
│ ├── OWASP
│ │ ├── .README.md.swp
│ │ └── README.md
│ ├── PASTA
│ │ └── README.md
│ ├── README.md
│ ├── STRIDE
│ │ └── README.md
│ ├── Security Cards
│ │ ├── README.md
│ │ └── impunity.png
│ ├── Trike
│ │ └── README.md
│ └── hTMM
│ │ └── README.md
│ └── README.md
├── Improvements
└── README.md
├── Lessons Learned
└── README.md
├── Preparation
├── .gitignore
├── .meta.json
├── AI
│ ├── README.md
│ ├── Secure and Privacy-preserving Machine Learning
│ │ ├── README.md
│ │ ├── lib
│ │ │ └── common.py
│ │ └── tf_encrypted.ipynb
│ └── cyberdatalake.png
├── Incident Response Tools and Tracking
│ ├── MISP
│ │ ├── .gitkeep
│ │ └── README.md
│ ├── README.md
│ └── TheHive
│ │ ├── .gitkeep
│ │ └── README.md
├── README.md
├── Security Controls
│ ├── EDR
│ │ ├── .gitkeep
│ │ ├── README.md
│ │ └── Wazuh
│ │ │ ├── .gitkeep
│ │ │ └── README.md
│ ├── IDS
│ │ └── IPS
│ │ │ ├── .gitkeep
│ │ │ ├── README.md
│ │ │ └── Snort
│ │ │ ├── .gitkeep
│ │ │ └── README.md
│ ├── MFA
│ │ ├── .gitkeep
│ │ └── README.md
│ └── SIEM
│ │ ├── .gitkeep
│ │ ├── Elastic SIEM
│ │ ├── .gitkeep
│ │ └── README.md
│ │ └── README.md
└── Threat Hunting Tools
│ ├── Honeypots
│ ├── .gitkeep
│ ├── Cowrie
│ │ ├── .gitkeep
│ │ └── README.md
│ └── README.md
│ ├── Jupyter Notebooks
│ ├── .gitkeep
│ └── README.md
│ └── README.md
├── Prepare_Hunt_Respond_Poster.pdf
├── README.md
├── Threat Hunting
├── README.md
└── Threat Hunting with Jupyter Notebooks
│ ├── README.md
│ ├── threat_hunting_IDS2018.ipynb
│ └── threat_hunting_deepblue.ipynb
├── Triage-Respond
├── .meta.json
├── Investigations
│ ├── .gitkeep
│ ├── CyberChef
│ │ ├── .gitkeep
│ │ └── README.md
│ ├── Memory-Forensics
│ │ ├── Analyzing-memory-dump.md
│ │ ├── Autovola.md
│ │ ├── README.md
│ │ ├── binary-virustotal-results.png
│ │ └── malfind-virustotal-results.png
│ ├── README.md
│ ├── data_breach_checklist.md
│ ├── ddos_attack_checklist.md
│ ├── firewalls_checklist.md
│ ├── large_scale_attack_checklist.md
│ ├── malware_infection_checklist.md
│ ├── network_device_checklist.md
│ ├── recon_phishing_social_engineering_checklist.md
│ ├── server_checklist.md
│ └── workstation_checklist.md
├── README.md
└── Triage
│ ├── .gitkeep
│ └── README.md
└── _images
├── .gitkeep
├── JYVSECTEC-logo2.png
├── JYVSECTEC_by_jamk.png
├── OKM-logo1.png
├── Prepare_Hunt_Respond.png
├── jamk-logo1.png
└── polamk-logo1.png
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
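# CI: on every push or pull request to master, ask the jyvsectec.github.io
# repository to rebuild its Jekyll site (workflow_dispatch on jekyll.yml).
name: CI

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# The job only reads the checkout and calls an external API; it never writes
# back to this repository, so the default token needs read access only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA (and a current major release)
      # rather than the mutable v2 tag so the action's contents cannot change
      # underneath the workflow.
      - uses: actions/checkout@v2

      - name: Trigger jekyll workflow on jyvsectec.github.io repo
        # Secrets are passed through the environment instead of being expanded
        # into the script body with ${{ }}: the shell then reads them as
        # variables rather than having them spliced into the command text.
        # NOTE(review): pull_request runs from forked repositories do not
        # receive repository secrets, so this step will fail there; restricting
        # the dispatch to push events may be the intended behaviour — confirm.
        env:
          PAT_USERNAME: ${{ secrets.PAT_USERNAME }}
          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
        # --fail turns a rejected dispatch (bad credentials, wrong ref) into a
        # failed job instead of a green run with no downstream build.
        run: |
          curl --fail -XPOST \
            -u "${PAT_USERNAME}:${PAT_TOKEN}" \
            -H "Accept: application/vnd.github.everest-preview+json" \
            -H "Content-Type: application/json" https://api.github.com/repos/JYVSECTEC/jyvsectec.github.io/actions/workflows/jekyll.yml/dispatches \
            --data '{"ref": "main"}'
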
--------------------------------------------------------------------------------
/.meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "child_order": [
3 | "Preparation",
4 | "Hypotheses",
5 | "Data Collection",
6 | "Enrichment",
7 | "Playbooks",
8 | "Triage-Respond",
9 | "Eradicate-Recover",
10 | "Lessons Learned",
11 | "Improvements"
12 | ]
13 | }
--------------------------------------------------------------------------------
/Data Collection/.gitignore:
--------------------------------------------------------------------------------
1 | !.gitignore
2 |
--------------------------------------------------------------------------------
/Data Collection/Anomaly Detection/anomdetsketch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/Anomaly Detection/anomdetsketch.png
--------------------------------------------------------------------------------
/Data Collection/Automated Malware Analysis/README.md:
--------------------------------------------------------------------------------
1 | # Malware classification with machine learning
2 |
3 | Traditionally, antivirus software compares hash signatures against malware databases to verify whether suspected executables are malicious. Malware variants that use packing or obfuscation techniques can circumvent this verification easily. Data analysis and machine learning methods can also be used to analyze executable files and detect such malware variants.
4 |
5 | The 2020 research survey [The rise of machine learning for detection and classification of malware: Research developments, trends and challenges](https://www.sciencedirect.com/science/article/pii/S1084804519303868) describes different methods that could be utilized. The paper provides a good overview of malware detection algorithms, ways to extract features from executable files and datasets to evaluate classification on. Features that can be extracted from executable files are divided into two categories: static and dynamic. Feature engineering, a practice where domain expertise is used to extract relevant features from raw data, plays an important role in creating a capable malware classifying machine learning model.
6 |
7 | ### Static features
8 |
9 | A number of features can be gathered from the file without running it, making static analysis quick and comparatively low-risk, since the sample is never executed. Executable files in Windows, for example, have PE headers, where fields such as the Import Address Table (IAT) can be useful in determining if the file is malicious. The research survey lists other features that can be extracted using static methods:
10 | * Searching for all the text inside the executable, which could reveal file paths or IP addresses that the file will use. This is a simple method and can be performed, for example, with the Linux command "strings".
11 | * List all the imported functions to gain insight into the functionality of the file. [An open source tool Dependencies](https://github.com/lucasg/Dependencies) can be used to extract the imported functions.
12 | * Analyzing headers and sections of the PE file. [Malwarebytes blog post lists five PE analysis tools here.](https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/)
13 | * The ".text" sections of a PE file can contain encrypted code that is decrypted at runtime by a decryption stub. The number of encrypted code segments and sections labeled ".stub" could be an indication of malware.
14 | * Disassembling the program and performing automated analysis on the assembly code. [Xori is an open source automation-ready disassembly tool, requires installation of Rust.](https://github.com/endgameinc/xori)
15 |
16 | ### Dynamic features
17 |
18 | Dynamic features are gathered when the file is executed in a secure sandbox environment, enabling the analysis of function calls, network traffic or file system modifications that the file performs. Extracting features from a sandbox is time- and resource-consuming compared to static analysis. Some malware is able to detect sandbox environments or is coded to delay its malicious actions for days after execution, making it seem benign under quick analysis.
19 |
20 | [Cuckoo Sandbox](https://cuckoosandbox.org/) is an open source automated malware analysis system which generates reports from executed files. The sandbox can simulate realistic Android, Linux, macOS and Windows operating system environments.
21 |
22 | # Creating a malware detection system
23 |
24 | ### Gather data
25 |
26 | The first thing needed is a directory of clean Portable Executable (PE) samples and one of malware PE samples.
27 |
28 | 1. Clean PE samples can be acquired, for example, from a personal Windows computer.
29 | 2. Malware PE samples can be acquired online, for example, from VirusShare or the theZoo GitHub repository.
30 | * https://virusshare.com/
31 | * https://github.com/ytisf/theZoo
32 |
33 | ### Create dataset from gathered data
34 |
35 | When the clean and malware PE samples have been downloaded, a dataset to train the classifier needs to be created. Static features, as shown in the picture below, can be extracted from the PE file.
36 |
37 | The n-grams, function names and embedded text are extracted into columns for a dataset where one row is one PE file sample. Some research has also used a method where images are created from executable files, and the image is used as a feature to analyze whether the file is malicious or not. One such dataset is the [MalImg dataset](https://vision.ece.ucsb.edu/abstract/563).
38 |
39 | ### Training a model from the created dataset
40 |
41 | Machine learning models, such as a random forest classifier, can be trained using the PE file dataset. The random forest algorithm also provides insight into which features are most useful in classifying a file as a clean or malware sample. Neural networks can create a classifier from large numbers of features, possibly with better accuracy, but they require more processing power and data than training traditional machine learning algorithms.
42 |
43 | ### Example open source system
44 |
45 | [Malware Classification using classical Machine Learning and Deep Learning repository](https://github.com/pratikpv/malware_detect2) provides an example implementation, where PE file features are extracted to train multiple different machine learning algorithms to detect malicious files. Deep learning is also utilized by converting binaries to grayscale images and training neural networks, such as convolutional neural networks, with the images. The project utilizes Python and its machine learning libraries Scikit-learn and PyTorch. The researchers using the system gained on average 92% classification accuracy on the best neural network models, though on some malware families the accuracy drops to 64%.
46 |
--------------------------------------------------------------------------------
/Data Collection/Automated Malware Analysis/malwareclassification.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/Automated Malware Analysis/malwareclassification.png
--------------------------------------------------------------------------------
/Data Collection/tactics/.meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "By Mitre ATT&CK"
3 | }
--------------------------------------------------------------------------------
/Data Collection/tactics/Command and Control/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Command and Control/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Command and Control/README.md:
--------------------------------------------------------------------------------
1 | # Command and Control
2 |
3 | ## Description
4 |
5 | Command and control (C&C) is a tactic category where the adversary remotely controls systems they have compromised in the target environment. The servers used to control compromised machines usually reside outside of the victim network, on the Internet.
6 |
7 | Adversaries use various methods to hide their communication. Common network protocols, such as HTTP and DNS, are often used for communication to mimic normal network traffic occurring in the environment. Data obfuscation and encryption techniques also make it harder to detect and analyze command and control traffic.
8 |
9 | ## References
10 |
11 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0011/)
12 |
13 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Command and Control/T1071/README.md:
--------------------------------------------------------------------------------
1 | # T1071 - Application Layer Protocol
2 |
3 | ## Sub techniques
4 |
5 | * [T1071.001 - Web Protocols](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Command%20and%20Control/T1071/T1071.001/README.md)
6 | * [T1071.002 - File Transfer Protocols](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Command%20and%20Control/T1071/T1071.002/README.md)
7 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Command and Control/T1071/T1071.001/README.md:
--------------------------------------------------------------------------------
1 | # T1071.001 - Web Protocols
2 |
3 | ## Description
4 |
5 | Adversaries may use standard application layer protocols that are used in every IT environment to blend their command and control traffic within normal network communications.
6 |
7 | Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 3: Network connection
12 |
13 | Sysmon can be used to monitor process network connection events (ID 3). These events should be filtered by process name or destination IP to only include suspicious network activity, such as processes that should not normally communicate with the Internet or that are communicating with unusual destinations.
14 |
15 | ## References
16 |
17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1071/001/)
18 |
19 | [Event ID 3](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Command and Control/T1071/T1071.002/README.md:
--------------------------------------------------------------------------------
1 | # T1071.002 - File Transfer Protocols
2 |
3 | ## Description
4 |
5 | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
6 |
7 | Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 3: Network connection
12 |
13 | Sysmon can be used to monitor process network connection events (ID 3). These events should be filtered by port numbers associated with file transfer protocols (e.g. FTP/21, TFTP/69, SMB/445).
14 |
15 | ## References
16 |
17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1071/002/)
18 |
19 | [Event ID 3](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Credential Access/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/README.md:
--------------------------------------------------------------------------------
1 | # Credential Access
2 |
3 | ## Description
4 |
5 | The Credential Access tactic category consists of techniques that adversaries use to steal credentials, such as account names and passwords. Stealing legitimate credentials can give an adversary access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0006/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1003/README.md:
--------------------------------------------------------------------------------
1 | # T1003 - OS Credential Dumping
2 |
3 | ## Sub techniques
4 |
5 | * [T1003.001 - LSASS Memory](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1003/T1003.001/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1003/T1003.001/README.md:
--------------------------------------------------------------------------------
1 | # T1003.001 - LSASS Memory
2 |
3 | ## Description
4 |
5 | Windows stores credentials in several databases and processes. Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. Passwords are stored in SAM as LM or NTLM hashes. When a user logs on, the credentials are stored in the Local Security Authority Subsystem Service (LSASS) process, which is part of the Local Security Authority (LSA) subsystem. LSA maintains information about all aspects of local security in a system, and its components run in the context of the Lsass.exe process. These credential materials can be harvested by an administrative user or SYSTEM.
6 |
7 | Many tools exist for accessing credential data stored in SAM or LSASS, such as ProcDump or Mimikatz. Mimikatz is a Windows tool developed by Benjamin Delpy to learn more about Windows credentials. It can be used to extract plaintext passwords, hashes, pin codes and Kerberos tickets directly from memory. While Mimikatz binary can be directly executed on a target system, more sophisticated methods exist that allow executing Mimikatz from memory or remotely.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 7: Image loaded
12 |
13 | One approach to detecting Mimikatz is to look for the specific Windows DLL modules it loads when executed. This approach is effective since it does not depend on which process loads the code or on whether Mimikatz is executed from disk or from memory.
14 |
15 | Sysmon event ID 7 records DLL modules loaded into a process.
16 |
17 | ## References
18 |
19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1003/001/)
20 |
21 |
22 | [Event ID 7](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded)
23 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1056/README.md:
--------------------------------------------------------------------------------
1 | # T1056 - Input Capture
2 |
3 | ## Sub techniques
4 |
5 | * [T1056.001 - Keylogging](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1056/T1056.001/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1056/T1056.001/README.md:
--------------------------------------------------------------------------------
1 | # T1056.001 - Keylogging
2 |
3 | ## Description
4 |
5 | Keylogging is the most widely used input capture method, where the adversary installs software that records the user’s keystrokes and sends them back to the adversary. Other common methods include presenting fake credential prompts to the user, injecting code into login pages or wrapping the Windows default credential provider.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 12: RegistryEvent (Object create and delete)
10 |
11 | Windows stores credential provider definitions in registry location:
12 |
13 | * HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders
14 |
15 | Creation of a new credential provider can be detected by monitoring Sysmon registry modification events for the CredentialProviders location.
16 |
17 | ## References
18 |
19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1056/001/)
20 |
21 |
22 | [Event ID 12](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete)
23 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1110/README.md:
--------------------------------------------------------------------------------
1 | # T1110 - Brute Force
2 |
3 | ## Sub techniques
4 |
5 | * [T1110.003 - Password Spraying](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Credential%20Access/T1110/T1110.003/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Credential Access/T1110/T1110.003/README.md:
--------------------------------------------------------------------------------
1 | # T1110.003 - Password Spraying
2 |
3 | ## Description
4 |
5 | Brute force is a credential access technique where an adversary attempts to access user accounts without knowledge of the password. The adversary may attempt logins with a list of commonly used passwords. This method usually leads to numerous failed logins, which can trigger alarms or account lockouts. A more sophisticated strategy, called password spraying, uses a single password or a small list of passwords against many different accounts to avoid triggering account lockouts or alarms.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 4625: An account failed to log on
10 | * Event ID 4771: Kerberos pre-authentication failed
11 |
12 | Brute force attempts can be detected by monitoring operating system authentication logs for an unusually high number of failed logins. Windows logs several authentication-failure related events, such as ID 4625 and ID 4771. Event ID 4625 is generated on the local computer when a logon fails. Event ID 4771 is generated on a domain controller when the Kerberos Key Distribution Center fails to issue a Ticket Granting Ticket (TGT). This event occurs when a user fails to authenticate using domain credentials.
13 |
14 | Audit Logon policy must be enabled through Windows Group Policy to log event ID 4625 (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon)
15 |
16 | Audit Kerberos Authentication Service policy must be enabled through Windows Group Policy to log event ID 4771 (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Logon → Audit Kerberos Authentication Service)
17 |
18 | ## References
19 |
20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1110/003/)
21 |
22 | [Event ID 4625](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625)
23 |
24 | [Event ID 4771](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Defence Evasion/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Defence Evasion/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Defence Evasion/README.md:
--------------------------------------------------------------------------------
1 | # Defence Evasion
2 |
3 | ## Description
4 |
5 | Adversaries utilize defense evasion techniques to avoid being detected. Defense evasion has become more important to adversaries as detection and defense technologies have become more sophisticated and their adoption has increased. Common techniques in this tactic category include uninstalling/disabling security software, removing evidence and obfuscating/encrypting data.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0005/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Defence Evasion/T1070/README.md:
--------------------------------------------------------------------------------
1 | # T1070 - Indicator Removal on Host
2 |
3 | ## Sub techniques
4 |
5 | * [T1070.004 - File Deletion](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Defence%20Evasion/T1070/T1070.004/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Defence Evasion/T1070/T1070.004/README.md:
--------------------------------------------------------------------------------
1 | # T1070.004 - File Deletion
2 |
3 | ## Description
4 |
5 | Adversaries often create files and download tools or malware to target systems for execution. These files can cause detection by security defenses or leave clues to investigators. To prevent this, adversaries may delete the files over the course of an intrusion or at the end as part of the post-intrusion cleanup process.
6 |
7 | Operating systems have built-in tools for deleting files, such as the DEL command in Windows cmd.exe or the Remove-Item cmdlet in PowerShell. There are also many external tools which can be used to delete files. One such tool known to be used by adversary groups is the Windows Sysinternals SDelete.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 23: FileDelete
12 |
13 | Sysmon generates event ID 23 when a file is deleted.
14 |
15 | ## References
16 |
17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1070/004/)
18 |
19 |
20 | [Event ID 23](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-a-file-delete-was-detected)
21 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Defence Evasion/T1140/README.md:
--------------------------------------------------------------------------------
1 | # T1140 - Deobfuscate/Decode Files or Information
2 |
3 | ## Description
4 |
5 | File/information obfuscation can prevent signature-based security software from detecting the execution and make post-incident investigation harder. Common obfuscation techniques include encoding, compression and encryption. Command-line interfaces have many built-in features that can be used for obfuscating information, such as environment variables, aliases and the ability to receive commands from the standard input stream.
6 |
7 | Detecting obfuscation can be challenging using traditional string matching techniques, since the obfuscated data does not usually contain predictable patterns. One way to detect obfuscation is to look for suspicious escape characters, e.g. `^` and `"`, included in commands. Another approach is to use statistical methods to analyze the entropy and frequency of characters to detect anomalies.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4103: Module Logging
12 |
13 | PowerShell can interpret commands encoded with base64. PowerShell module logging (event ID 4103) records the options used at execution as well as the de-obfuscated commands.
14 |
15 | ## References
16 |
17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1140/)
18 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Discovery/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/README.md:
--------------------------------------------------------------------------------
1 | # Discovery
2 |
3 | ## Description
4 |
5 | Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0007/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1016/README.md:
--------------------------------------------------------------------------------
1 | # T1016 - System Network Configuration Discovery
2 |
3 | ## Description
4 |
5 | System Network Configuration Discovery is a technique where the adversary looks for details about the network configuration of the target system. Many native Windows tools exist for querying information about the network configuration, such as ipconfig for IP, DNS and network adapter information, arp for displaying the ARP table contents and route for displaying the routing table. PowerShell has cmdlets that display similar information, such as Get-NetAdapter, Get-NetIPAddress and Get-NetRoute.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 1: Process creation
10 |
11 | Tools used in this technique can be detected by monitoring process command-line arguments (e.g. ipconfig or route print) in Sysmon Event ID 1.
12 |
13 | ## References
14 |
15 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1016/)
16 |
17 | [ipconfig](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig)
18 |
19 | [Route](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961510(v=ws.11))
20 |
21 | [Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)
22 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1083/README.md:
--------------------------------------------------------------------------------
1 | # T1083 - File and Directory Discovery
2 |
3 | ## Description
4 |
5 | The File and Directory Discovery technique involves the adversary searching for files or directories on the local system or on network shares. The goal is usually to access sensitive information or to conduct reconnaissance.
6 |
7 | Adversaries can utilize native Windows Cmd tools, for example dir or tree, to enumerate the filesystem. PowerShell has the Get-Item and Get-ChildItem cmdlets, which can be used to browse and search the filesystem. Some adversaries have also written custom tools that use the Windows API to gather file and directory information.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4103: Module Logging
12 |
13 | Execution of the PowerShell file and directory listing cmdlets Get-Item and Get-ChildItem can be detected by monitoring PowerShell module logging events (ID 4103).
14 |
15 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1083/)
16 |
17 | [Get-Item](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-item?view=powershell-7)
18 |
19 | [Get-ChildItem](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/README.md:
--------------------------------------------------------------------------------
1 | # T1087 - Account Discovery
2 |
3 | ## Sub techniques
4 |
5 | * [T1087.001 - Local Account](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Discovery/T1087/T1087.001/README.md)
6 | * [T1087.002 - Domain Account](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Discovery/T1087/T1087.002/README.md)
7 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/T1087.001/README.md:
--------------------------------------------------------------------------------
1 | # T1087.001 - Local Account
2 |
3 | ## Description
4 |
5 | Account discovery techniques involve the adversary attempting to discover user accounts of the target system or accounts of the domain environment.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 1: Process creation
10 |
11 | Windows includes the native tool net.exe, which can be used to list local users (net user). Execution of the tool can be detected by monitoring the process command-line arguments (net user) in Sysmon Event ID 1.
12 |
13 | ## References
14 |
15 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1087/001/)
16 |
17 | [Net user](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771865(v=ws.11))
18 |
19 | [Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Discovery/T1087/T1087.002/README.md:
--------------------------------------------------------------------------------
1 | # T1087.002 - Domain Account
2 |
3 | ## Description
4 |
5 | Account discovery techniques involve the adversary attempting to discover user accounts of the target system or accounts of the domain environment.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 1: Process creation
10 |
11 | The Windows Remote Server Administration Tools (RSAT) bundle includes a tool called Dsquery, which can be used to query Active Directory for user and group information. Execution of the tool can be detected by monitoring the process command-line arguments (dsquery user) in Sysmon Event ID 1.
12 |
13 | ## References
14 |
15 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1087/002/)
16 |
17 | [Dsquery user](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725702(v=ws.11))
18 |
19 | [Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Execution/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/README.md:
--------------------------------------------------------------------------------
1 | # Execution
2 |
3 | ## Description
4 |
5 | Execution is a tactic where the adversary tries to run malicious code on the systems to which they have gained access. This is often paired with techniques from other tactic categories to achieve broader goals, such as network discovery or exfiltration of data.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0002/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/README.md:
--------------------------------------------------------------------------------
1 | # T1059 - Command and Scripting Interpreter
2 |
3 | ## Sub techniques
4 |
5 | * [T1059.001 - PowerShell](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.001/README.md)
6 | * [T1059.003 - Windows Command Shell](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.003/README.md)
7 | * [T1059.005 - Visual Basic](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Execution/T1059/T1059.005/README.md)
8 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.001/README.md:
--------------------------------------------------------------------------------
1 | # T1059.001 - PowerShell
2 |
3 | ## Description
4 |
5 | PowerShell is an interactive command-line interface and scripting language built on .NET. It helps system administrators automate common operating system management tasks and provides a command line for executing other processes. PowerShell has been included in Windows since Windows 7, and the latest version, PowerShell Core, is a fully open-source and cross-platform implementation.
6 |
7 | PowerShell has become a popular tool among adversary groups because of its versatility and its wide range of capabilities to automate, hide and obscure activities. PowerShell scripts can be hidden inside other files, used to run executables from the Internet and even embedded into other applications for execution without the powershell.exe interpreter. PowerShell-based offensive testing tools include Empire, PowerSploit and PSAttack.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4103: Module Logging
12 | * Event ID 4104: Script Block Logging
13 |
14 | PowerShell supports three types of logging: module logging, script block logging, and transcription. These events are written to the Windows Event Log under the path Microsoft-Windows-PowerShell/Operational. Module logging (Event ID 4103) records pipeline execution details as PowerShell executes, including variable initialization and command invocations. It also records the output of the executed commands. Script block logging (Event ID 4104) records blocks of code as they are executed by the PowerShell engine, capturing the full context of the executed code, including scripts and commands.
15 |
16 | Module and script block logging must be enabled through Windows Group Policy (Administrative Templates → Windows Components → Windows PowerShell).
17 |
18 | ## References
19 |
20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/001/)
21 |
22 | [PowerShell ♥ the Blue Team](https://devblogs.microsoft.com/powershell/powershell-the-blue-team/)
23 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.003/README.md:
--------------------------------------------------------------------------------
1 | # T1059.003 - Windows Command Shell
2 |
3 | ## Description
4 |
5 | A command-line interface (CLI) is a way to interact with computer systems by issuing commands as lines of text, either locally or via a remote session. It is a common feature across many operating systems, including Windows and Unix-type operating systems such as Linux and macOS. Adversaries often use the command-line interface to execute built-in operating system commands and to launch external software.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 1: Process creation
10 |
11 | According to MITRE ATT&CK, the data sources for the command-line interface are process monitoring and process command-line parameter monitoring. Both data sources are captured by Sysmon event ID 1. The events should be filtered for the process name "cmd.exe", which is the main command interpreter for Windows.
12 |
13 | ## References
14 |
15 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/003/)
16 |
17 | [Event ID 1](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)
18 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Execution/T1059/T1059.005/README.md:
--------------------------------------------------------------------------------
1 | # T1059.005 - Visual Basic
2 |
3 | ## Description
4 |
5 | Visual Basic is a programming language created by Microsoft that interoperates with many Windows technologies, such as the Component Object Model and the Native API through the Windows API. Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript.
6 |
7 | Adversaries can use Visual Basic scripts to speed up operations and to bypass process monitoring mechanisms by interacting with the operating system through its APIs. Adversaries can download scripts from the Internet and execute them without creating files on the system. VBA scripts can also be hidden inside other files, such as Office documents or PDF files, which execute the script when a user opens the file.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 1: Process creation
12 |
13 | Visual Basic script execution can be detected by monitoring Sysmon process creation events (ID 1) where the command-line parameters contain file extensions associated with Visual Basic scripts (.vbs, .vbe, .wsf).
14 |
15 | ## References
16 |
17 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1059/005/)
18 |
19 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Lateral Movement/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/README.md:
--------------------------------------------------------------------------------
1 | # Lateral Movement
2 |
3 | ## Description
4 |
5 | The initial system that the adversary gains access to in the target environment is often not the ultimate system they are targeting. Reaching the ultimate target requires moving through multiple systems, a process called lateral movement. The lateral movement tactic category consists of techniques that enable the adversary to access and control remote systems over the network. Adversaries can take advantage of native remote access tools or install third-party tools to accomplish lateral movement.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0008/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/README.md:
--------------------------------------------------------------------------------
1 | # T1021 - Remote Services
2 |
3 | ## Sub techniques
4 |
5 | * [T1021.001 - Remote Desktop Protocol](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Lateral%20Movement/T1021/T1021.001/README.md)
6 | * [T1021.002 - SMB/Windows Admin Shares](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Lateral%20Movement/T1021/T1021.002/README.md)
7 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/T1021.001/README.md:
--------------------------------------------------------------------------------
1 | # T1021.001 - Remote Desktop Protocol
2 |
3 | ## Description
4 |
5 | Remote desktop is an operating system feature that allows users to log into a system over a network and interact with the graphical user interface of the system remotely. The best-known remote desktop solution is the Windows built-in remote desktop implementation called Remote Desktop Services (RDS); however, many third-party remote desktop tools also exist for various operating system platforms.
6 |
7 | Adversaries with valid credentials can use remote desktop connections to easily move laterally between systems. Remote desktop connections can be detected by monitoring Windows Event Logs.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4624: An account was successfully logged on
12 |
13 | Successful authentication using a remote desktop connection is recorded in event ID 4624. Logon type 10 (RemoteInteractive) indicates that the user logged in using a remote desktop connection.
14 |
15 | The Audit Logon policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon).
16 |
17 | ## References
18 |
19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1021/001/)
20 |
21 | [Event ID 4624](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624)
22 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1021/T1021.002/README.md:
--------------------------------------------------------------------------------
1 | # T1021.002 - SMB/Windows Admin Shares
2 |
3 | ## Description
4 |
5 | Windows has several hidden network shares that are used for administrative purposes. Common administrative shares include disk volumes (e.g. C$), IPC$ for inter-process communication, ADMIN$ for remote administration, and SYSVOL and NETLOGON for Windows domain administration. Because these shares are hidden, they are not visible in Windows Explorer. They can, however, be listed on the command line using the “net use” command. Accessing admin shares requires administrative access on the system.
6 |
7 | Adversaries may use these shares to access remote systems over the network. Some remote administration tools, such as PsExec, also use admin shares to function. PsExec is a tool included in the Windows Sysinternals suite which can be used to execute programs on remote systems.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 5140: A network share object was accessed
12 |
13 | The use of this technique can be detected by monitoring event ID 5140 and filtering specifically for share names that match the common admin share names.
14 |
15 | The Audit File Share audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File Share).
16 |
17 | ## References
18 |
19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1021/002/)
20 |
21 | [Event ID 5140](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140)
22 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Lateral Movement/T1570/README.md:
--------------------------------------------------------------------------------
1 | # T1570 - Lateral Tool Transfer
2 |
3 | ## Description
4 |
5 | Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol.
6 |
7 | Remote file copy can be detected by monitoring file creation and access to network shares on servers and workstations. Analyzing network traffic can also reveal unusual data flows between hosts or uncommon protocols being used.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 5140: A network share object was accessed
12 |
13 | Windows file share access is recorded in event ID 5140.
14 |
15 | The Audit File Share audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File Share).
16 |
17 | ## References
18 |
19 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1570/)
20 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Persistence/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/README.md:
--------------------------------------------------------------------------------
1 | # Persistence
2 |
3 | ## Description
4 |
5 | Persistence is a tactic where the adversary aims to maintain their foothold on systems where they have gained access. An adversary might lose access to the systems due to operating system restarts, credential changes, connection blocking or removal of files or tools. The techniques in this category include any access, action, or configuration changes that let the adversary maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0003/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/README.md:
--------------------------------------------------------------------------------
1 | # T1053 - Scheduled Task/Job
2 |
3 | ## Sub techniques
4 |
5 | * [T1053.002 - At (Windows)](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1053/T1053.002/README.md)
6 | * [T1053.005 - Scheduled Task](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1053/T1053.005/README.md)
7 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/T1053.002/README.md:
--------------------------------------------------------------------------------
1 | # T1053.002 - At (Windows)
2 |
3 | ## Description
4 |
5 | At.exe is a Windows command line tool for scheduling a command, a script, or a program to run at a specified date and time. An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 4698: A scheduled task was created
10 | * Event ID 4702: A scheduled task was updated
11 |
12 | Windows generates event ID 4698 when at.exe is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel.
13 |
14 | The Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).
15 |
16 | ## References
17 |
18 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/002/)
19 |
20 | [How To Use the AT Command to Schedule Tasks](https://support.microsoft.com/en-us/help/313565/how-to-use-the-at-command-to-schedule-tasks)
21 |
22 | [Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)
23 |
24 | [Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1053/T1053.005/README.md:
--------------------------------------------------------------------------------
1 | # T1053.005 - Scheduled Task
2 |
3 | ## Description
4 |
5 | Windows has a built-in component called Task Scheduler for performing automated tasks on a chosen computer. It executes tasks based on a trigger, which can be a specific time or schedule, a user logging in, system boot, or a specific event happening on the system. The action that the task executes can be showing a message, sending an email, executing a command or firing a COM handler. Task Scheduler can be managed through the graphical user interface (taskschd.msc) or the command-line tools schtasks.exe and at.exe.
6 |
7 | An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. An adversary may, for example, create a scheduled task that downloads and executes malicious code to regain a foothold even if the malicious process is interrupted or its code removed.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4698: A scheduled task was created
12 | * Event ID 4702: A scheduled task was updated
13 |
14 | Windows generates event ID 4698 when Task Scheduler is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel.
15 |
16 | The Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events).
17 |
18 | ## References
19 |
20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/005/)
21 |
22 | [Task Scheduler for developers](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page)
23 |
24 | [Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)
25 |
26 | [Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)
27 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/README.md:
--------------------------------------------------------------------------------
1 | # T1078 - Valid Accounts
2 |
3 | ## Sub techniques
4 |
5 | * [T1078.001 - Default Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.001/README.md)
6 | * [T1078.002 - Domain Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.002/README.md)
7 | * [T1078.003 - Local Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1078/T1078.003/README.md)
8 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.001/README.md:
--------------------------------------------------------------------------------
1 | # T1078.001 - Default Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to others is lost.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4720: A user account was created
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit logs. The user account management events are particularly relevant for the persistence tactic. These events indicate for example if a user account was created, changed or deleted.
14 |
15 | Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
16 |
17 | The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/001/)
22 |
23 |
24 | [Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.002/README.md:
--------------------------------------------------------------------------------
1 | # T1078.002 - Domain Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to others is lost.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4720: A user account was created
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit logs. The user account management events are particularly relevant for the persistence tactic. These events indicate for example if a user account was created, changed or deleted.
14 |
15 | Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
16 |
17 | The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/002/)
22 |
23 |
24 | [Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1078/T1078.003/README.md:
--------------------------------------------------------------------------------
1 | # T1078.003 - Local Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries may use user accounts for persistence by creating new accounts that they can use in case access to others is lost.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4720: A user account was created
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit logs. The user account management events are particularly relevant for the persistence tactic. These events indicate for example if a user account was created, changed or deleted.
14 |
15 | Event ID 4720 is generated every time a new user object is created. These events are written to the Event Log Security channel.
16 |
17 | The Audit User Account Management audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management).
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/003/)
22 |
23 |
24 | [Event ID 4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1547/README.md:
--------------------------------------------------------------------------------
1 | # T1547 - Boot or Logon Autostart Execution
2 |
3 | ## Sub techniques
4 |
5 | * [T1547.001 - Registry Run Keys / Startup Folder](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Persistence/T1547/T1547.001/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Persistence/T1547/T1547.001/README.md:
--------------------------------------------------------------------------------
1 | # T1547.001 - Registry Run Keys / Startup Folder
2 |
3 | ## Description
4 |
5 | Windows registry includes specific keys called Run and RunOnce, which cause programs to run each time that a user logs on. The difference between Run and RunOnce is that Run is executed every time a user logs on whereas RunOnce key is removed after execution. The value for the keys is a command line that gets executed and it is possible to register multiple programs under any particular key.
6 |
7 | While the registry run keys are often used by legitimate software, they are also used by adversaries to establish persistence on a system. Another common persistence technique is the Windows Startup folder: a shortcut or executable placed in a Startup folder is launched each time a user logs on (the per-user folder for that user, the all-users folder for every user), not at system boot.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 11: FileCreate
12 | * Event ID 13: RegistryEvent (Value Set)
13 |
14 | Detecting the use of registry run keys requires monitoring changes to the relevant registry keys. The most commonly abused run keys are listed below; the list is not exhaustive, and the ATT&CK reference lists further autostart locations:
15 |
16 | * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
17 | * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
18 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
19 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
20 | * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
21 |
22 | Changes to the registry keys can be monitored using Sysmon, which generates Event ID 13 when a registry value is set. Note that Sysmon only reports registry events that match its configuration file, so the keys above must be covered by the RegistryEvent include rules; a deployment with a default or overly narrow configuration will silently miss them.
23 |
24 | Windows startup folders are located under individual users' profiles (C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) and under ProgramData for all users (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp). Sysmon can be configured to monitor these locations for file creation events (ID 11); as with registry events, the paths must be included in the Sysmon configuration for the events to be generated.
25 |
26 | ## References
27 |
28 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1547/001/)
29 |
30 | [Run and RunOnce Registry Keys](https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys?redirectedfrom=MSDN)
31 |
32 | [Event ID 11](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-11-filecreate)
33 |
34 | [Event ID 13](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-13-registryevent-value-set)
35 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Data Collection/tactics/Privilege Escalation/.gitkeep
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/README.md:
--------------------------------------------------------------------------------
1 | # Privilege Escalation
2 |
3 | ## Description
4 |
5 | The privilege escalation tactic consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries often gain initial access to systems through normal unprivileged user accounts. However, many of the techniques later in the kill chain require a privileged account to be executed, so the adversary needs a way to escalate their privileges. Common ways to accomplish privilege escalation are to take advantage of system weaknesses, misconfigurations or vulnerabilities.
6 |
7 | ## References
8 |
9 | [Mitre ATT&CK source](https://attack.mitre.org/tactics/TA0004/)
10 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/README.md:
--------------------------------------------------------------------------------
1 | # T1053 - Scheduled Task/Job
2 |
3 | ## Sub techniques
4 |
5 | * [T1053.002 - At (Windows)](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1053/T1053.002/README.md)
6 | * [T1053.005 - Scheduled Task](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1053/T1053.005/README.md)
7 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/T1053.002/README.md:
--------------------------------------------------------------------------------
1 | # T1053.002 - At (Windows)
2 |
3 | ## Description
4 |
5 | At.exe is a Windows command line tool for scheduling a command, a script, or a program to run at a specified date and time. An adversary may use at.exe to escalate their privileges by running a process under the context of a specified account (such as SYSTEM). At.exe has been deprecated in favour of schtasks.exe on current Windows releases, so its appearance in process or task-creation telemetry on a modern host is itself worth investigating.
6 |
7 | ## Event Mapping
8 |
9 | * Event ID 4698: A scheduled task was created
10 | * Event ID 4702: A scheduled task was updated
11 |
12 | Windows generates event ID 4698 when at.exe is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel. The Task Content field of both events carries the task XML, including the command to run and the principal it runs as, which is what distinguishes an escalation attempt from a benign schedule.
13 |
14 | Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events)
15 |
16 | ## References
17 |
18 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/002/)
19 |
20 | [How To Use the AT Command to Schedule Tasks](https://support.microsoft.com/en-us/help/313565/how-to-use-the-at-command-to-schedule-tasks)
21 |
22 | [Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)
23 |
24 | [Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1053/T1053.005/README.md:
--------------------------------------------------------------------------------
1 | # T1053.005 - Scheduled Task
2 |
3 | ## Description
4 |
5 | Windows has a built-in component called Task Scheduler for performing automated tasks on a chosen computer. It executes tasks based on a trigger such as a specific time or schedule, a user logging in, system boot, or a specific event happening on the system. The action that the task executes can be showing a message, sending an email, executing a command or firing a COM handler. Task Scheduler can be managed through the graphical user interface taskschd.msc or the command-line tools schtasks.exe and at.exe.
6 |
7 | An adversary may use Windows Task Scheduler to escalate their privileges by creating a task that runs a process under the context of a more privileged account (such as SYSTEM).
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4698: A scheduled task was created
12 | * Event ID 4702: A scheduled task was updated
13 |
14 | Windows generates event ID 4698 when Task Scheduler is used to schedule a task, and event ID 4702 when a scheduled task is updated. These events are written to the Event Log Security channel. The Task Content field of both events carries the task XML, including the command to run and the principal it runs as; a task registered by an ordinary user that runs as SYSTEM is the pattern to look for.
15 |
16 | Audit Other Object Access Events audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Other Object Access Events)
17 |
18 | ## References
19 |
20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1053/005/)
21 |
22 | [Task Scheduler for developers](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page)
23 |
24 | [Event ID 4698](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)
25 |
26 | [Event ID 4702](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)
27 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/README.md:
--------------------------------------------------------------------------------
1 | # T1078 - Valid Accounts
2 |
3 | ## Sub techniques
4 |
5 | * [T1078.001 - Default Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.001/README.md)
6 | * [T1078.002 - Domain Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.002/README.md)
7 | * [T1078.003 - Local Accounts](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1078/T1078.003/README.md)
8 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.001/README.md:
--------------------------------------------------------------------------------
1 | # T1078.001 - Default Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries can accomplish privilege escalation by authenticating with a default account that already holds elevated rights, for example the built-in Administrator account or a default credential that was never changed.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4672: Special privileges assigned to new logon
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit log. Privileged use of an account can be observed through Windows audit events; the one used here is listed above.
14 |
15 | The event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. On its own this event does not indicate escalation: it fires for every logon of an account that already holds such privileges, including administrators, service accounts and SYSTEM, so it is very frequent. Detection should baseline which accounts normally produce it and alert on a 4672 for an account or on a host where it is unexpected, correlating it with the corresponding logon event through the Logon ID field. These events are written to the Event Log Security channel.
16 |
17 | The Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon)
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/001/)
22 |
23 |
24 | [Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.002/README.md:
--------------------------------------------------------------------------------
1 | # T1078.002 - Domain Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries can accomplish privilege escalation by obtaining the credentials of a domain account that holds higher privileges than the one they already control, for example a domain administrator or a domain service account.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4672: Special privileges assigned to new logon
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit log. Privileged use of an account can be observed through Windows audit events; the one used here is listed above.
14 |
15 | The event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. On its own this event does not indicate escalation: it fires for every logon of an account that already holds such privileges, including administrators, service accounts and SYSTEM, so it is very frequent. Detection should baseline which accounts normally produce it and alert on a 4672 for an account or on a host where it is unexpected, correlating it with the corresponding logon event through the Logon ID field. These events are written to the Event Log Security channel.
16 |
17 | The Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon)
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/002/)
22 |
23 |
24 | [Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1078/T1078.003/README.md:
--------------------------------------------------------------------------------
1 | # T1078.003 - Local Accounts
2 |
3 | ## Description
4 |
5 | User accounts in Windows can be divided into three categories: default, local and domain accounts. Default accounts include built-in accounts such as Administrator and Guest, which are created automatically and cannot be removed. Accounts can also be categorized into user, administrator and service accounts. User accounts are used by normal users and often have low privileges. Administrator accounts are used by system administrators and have high privileges. Service accounts are created for system services to allow them to access local and network resources.
6 |
7 | Adversaries can accomplish privilege escalation by obtaining the credentials of a local account with higher privileges, such as the local Administrator account, either on the host itself or on other hosts where the same local credential is reused.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 4672: Special privileges assigned to new logon
12 |
13 | The main method for monitoring user account related activity in Windows is the security audit log. Privileged use of an account can be observed through Windows audit events; the one used here is listed above.
14 |
15 | The event ID 4672 is generated when a new logon session has sensitive privileges assigned to it. On its own this event does not indicate escalation: it fires for every logon of an account that already holds such privileges, including administrators, service accounts and SYSTEM, so it is very frequent. Detection should baseline which accounts normally produce it and alert on a 4672 for an account or on a host where it is unexpected, correlating it with the corresponding logon event through the Logon ID field. These events are written to the Event Log Security channel.
16 |
17 | The Audit Special Logon audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Special Logon)
18 |
19 | ## References
20 |
21 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1078/003/)
22 |
23 |
24 | [Event ID 4672](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)
25 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1543/README.md:
--------------------------------------------------------------------------------
1 | # T1543 - Create or Modify System Process
2 |
3 | ## Sub techniques
4 |
5 | * [T1543.003 - Windows Service](https://github.com/JYVSECTEC/PHR-model/tree/master/Data%20Collection/tactics/Privilege%20Escalation/T1543/T1543.003/README.md)
6 |
--------------------------------------------------------------------------------
/Data Collection/tactics/Privilege Escalation/T1543/T1543.003/README.md:
--------------------------------------------------------------------------------
1 | # T1543.003 - Windows Service
2 |
3 | ## Description
4 |
5 | Services in Windows are applications that run in the system background without user interaction. Many of the core operating system features, such as event logging, file serving and printing, run as services. Services are often started automatically when the operating system boots.
6 |
7 | Services can be configured to run under the LocalSystem account, which enables an adversary who already holds administrator rights to escalate to SYSTEM level by creating or modifying a service.
8 |
9 | ## Event Mapping
10 |
11 | * Event ID 7045: A new service was installed in the system
12 | * Event ID 4697: A service was installed in the system
13 |
14 | The event ID 7045 is generated by the Service Control Manager in all modern Windows versions when a new service is created; it is written to the System channel and does not depend on any audit policy. Event ID 4697 carries the same information in the Security channel and is emitted on newer versions of Windows (Windows 10 and Server 2016 onward). Both events record the service name, the image path and the account the service runs as, so a new service whose image path points to a user-writable location or a command interpreter is the main thing to look for.
15 |
16 | For event ID 4697, the Audit Security System Extension audit policy must be enabled through Windows Group Policy (Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System → Audit Security System Extension)
17 |
18 | ## References
19 |
20 | [Mitre ATT&CK source](https://attack.mitre.org/techniques/T1543/003/)
21 |
22 |
23 | [Event ID 4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)
24 |
--------------------------------------------------------------------------------
/Enrichment/Feature-Extractor/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Feature-Extractor/.gitkeep
--------------------------------------------------------------------------------
/Enrichment/Feature-Extractor/README.md:
--------------------------------------------------------------------------------
1 | # Feature Extractor
2 |
3 | ### Introduction
4 |
5 | Feature extractor is a Dockerized tool that can be used to enrich an organization's collected data using open source threat intelligence APIs. The tool can be quickly set up, configured and run with a couple of commands. The motivation for the tool is to make the work of analysts quicker by aiding in the process of deciding the relevance of various IoCs (indicators of compromise). The open source code for the tool is provided in GitLab https://gitlab.com/CinCan/wp1/tree/master/feature_extractor and the docker container can be downloaded from DockerHub https://hub.docker.com/r/cincan/feature_extractor. The tool provides access to a variety of OSINT APIs, including:
6 |
7 | * AbuseIPDB
8 | * Censys
9 | * DShield
10 | * EmergingThreats
11 | * GoogleSafebrowsing
12 | * Greynoise
13 | * MISPWarningLists2
14 | * OTXQuery
15 | * PhishTank
16 | * Shodan
17 | * Threatcrowd
18 | * VirusTotal
19 |
20 | If a potentially malicious file has been downloaded or a potential attacker IP is discovered, the file hash or the IP address can be supplied to the feature extractor. The feature extractor queries the above-mentioned APIs and compiles the returned results into an HTML report. The results show whether any of the queried sources has flagged the file hash or IP address as malicious. A hit is a reason to investigate rather than a verdict, and a clean result does not prove the indicator benign, since these sources only cover what has already been reported to them.
21 |
22 | ### Usage
23 |
24 | Most of the APIs require API keys, which need to be requested manually from each provider and configured in the tool. Docker commands and the necessary configuration can be found in the README https://gitlab.com/CinCan/tools/-/tree/feature-extractor/feature_extractor. You can also follow this blog tutorial, where IoCs are extracted from a WannaCry executable https://cincan.io/blog/2020_05_25_wannacry/. The IoCs extracted from a file by the dockerized tool can also be sent to a Cortex server for analysis by Cortex analyzers; see this blog for a tutorial https://cincan.io/blog/2020_06_10_dockerized_cortex_and_ioc_strings/.
25 |
26 | In short, IoCs can be given to analyze.py Python script in format of:
27 | ```bash
28 | ./analyze.py datatype:data
29 | ```
30 | where datatype is ip, domain, url, fqdn, hash or mail. For example:
31 | ```bash
32 | ./analyze.py url:https://www.iltalehti.fi
33 | ./analyze.py ip:8.8.8.8
34 | ```
35 |
36 | The IoCs can be read from a newline separated file or in jsonl format. The tool can also read CSV - files provided by ioc_parser tool https://github.com/armbues/ioc_parser
37 |
38 | An example docker run command after configuration:
39 | ```bash
40 | sudo docker run -v $(pwd)/docker_volume:/data -v $(pwd)/samples:/samples cincan/feature_extractor:dev --path /data --injsonl /samples/jsonl_input
41 | ```
42 |
--------------------------------------------------------------------------------
/Enrichment/README.md:
--------------------------------------------------------------------------------
1 | # Enrichment
2 |
3 | **Introduction:**
4 | Enrichment contains additional methods to enrich data that has been collected for detection and analysis purposes. Adding more contextual information to collected data helps utilize it in a meaningful way. Enrichment can be done in various ways, depending on the collected data and the environment. One of the most common methods is to use technical threat intelligence data to identify already known malicious activity in the environment.
5 |
6 | **Benefits:**
7 | * Enrichment can add additional information to existing data
8 | * Enrichment can make the existing data more meaningful for detection capabilities or analysts investigating cyber attack
9 |
10 | **Worth noticing:**
11 |
12 | **Features:**
13 |
14 | **Use cases:**
15 |
--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Threat Intelligence/.gitkeep
--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Mitre Att&ck/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Enrichment/Threat Intelligence/Mitre Att&ck/.gitkeep
--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Mitre Att&ck/README.md:
--------------------------------------------------------------------------------
1 | # Mitre Att&ck
2 |
3 |
4 | https://attack.mitre.org/
5 |
6 |
7 | **Worth noticing:**
8 |
9 |
10 | - When technique IDs are added automatically by rules, the rules need to be specific enough; a broad rule that tags many unrelated events with the same technique makes the enrichment misleading rather than helpful.
11 |
12 |
13 | **How this tool integrates to our PHR model:**
14 |
15 |
16 | Adding or mapping technique IDs to our detections gives a bigger picture of what is going on: we can detect the different phases of an attack. By knowing who the intruder is and which techniques are commonly used, we might be able to stop the attack chain. It also helps us choose the controls we need in order to detect or prevent attacks.
17 |
18 |
19 | **Use case:** Enrichment alerts
20 |
21 |
22 | **Question:** How enrichment with Mitre Att&ck can help us
23 |
24 |
25 | We get logs from multiple places, and it is hard to determine which alerts are false or true positives, or what these alerts actually mean. To make it easier for the analyst to understand the situation and make decisions, we can enrich our alert data with the relevant technique IDs.
26 |
27 |
28 | **Use case:** Enrichment reports
29 |
30 |
31 | Requires a shift in analyst thinking, from indicators to behaviours. From reports we try to map what happened by translating behaviour to tactics and techniques. This forces analysts to learn the technical side of the reports.
32 |
--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/Open Source Intelligence/README.md:
--------------------------------------------------------------------------------
1 | # Open Source Intelligence (OSINT)
2 |
3 | **Introduction:**
4 |
5 | OSINT is the gathering of intelligence from free and open sources, usually utilizing an API. [OSINT Framework](https://osintframework.com/) provides a huge list of available sources ranging from username search engines to geolocation tools. The website [Cyber Threat Feeds](https://www.cyberthreatfeeds.com/) provides links to sources specific to threat intelligence. [Threatfeeds](https://threatfeeds.io/) contains a simplified list of free and open source threat intelligence feeds. The list contains minimal information about the feeds: who manages the feed, how many IoCs are contained and when it was last updated.
6 |
7 | Some tools provide easy command line access to multiple OSINT sources, for example [the Harpoon tool](https://github.com/Te-k/harpoon).
8 |
9 | **Benefits:**
10 |
11 | - Easy to access source of information, most sources follow REST API guidelines
12 | - APIs are often utilized and updated by other cybersecurity professionals worldwide
13 |
14 | **Worth noticing:**
15 | - APIs may require an API key, which is provided after registration; treat these keys as secrets, since they are tied to your account and its quota
16 | - APIs may also impose usage restrictions that are lifted when premium access is purchased
17 |
18 | **Use cases:**
19 | - Uploading a suspicious file to VirusTotal to have it scanned by multiple antivirus engines, see [Upload file to Virustotal notebook for an example](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/upload_file_to_virustotal.ipynb). Note that uploaded files become available to other VirusTotal users and partners, so query by hash first and do not upload files that may contain sensitive or proprietary data.
20 | - Querying IP addresses for geolocation etc. information
21 | - See the [Jupyter Notebook for an example](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/analyze_ip_address.ipynb)
22 | - Geolocation data is usually more useful for allow-listing the regions you expect traffic from than for attributing an attack, since attackers commonly route through proxies or VPNs.
23 | - A defender could download a daily threat feed for example from [Mrlooquer threat feed](https://iocfeed.mrlooquer.com/), which provides IPv4 and IPv6 Indicators of Compromise (IoCs) and parse if the IP addresses listed in the feed are found in the defender's network logs. The threat feed is available in JSON or CSV format.
24 | - Gathering new domain registrations in order to prepare for possible phishing attacks where domains closely related to other common domains (amazon vs amazoon) are registered.
25 | - The latest four days of newly registered domains can be downloaded from [WhoisDS](https://whoisds.com/newly-registered-domains)
26 | - Some countries provide a publicly accessible database of their domain's registrations. In Finland, Traficom provides a database of finnish domain registration data, which includes the holder, postal code and area and registrar of the domain. Check the [notebook](https://github.com/JYVSECTEC/PHR-model/blob/master/Enrichment/Threat%20Intelligence/Open%20Source%20Intelligence/finnish_domains.ipynb) for instructions on how to load finnish domain registrations in OData format to Pandas Dataframes in Python
27 |
28 | **Combining intelligence sources**
29 |
30 | - Combining multiple threat intelligence sources using [ThreatIngestor](https://github.com/InQuest/ThreatIngestor). The tool aims to automate the gathering of IoCs from multiple intelligence sources with minimal configuration. The tool provides examples of parsing Twitter feeds and SQS queues to generate YARA rules which are sent to a MISP operator. The image from the ThreatIngestor documentation shows how much can be automated with a single configuration file: [ThreatIngestor](https://inquest.readthedocs.io/projects/threatingestor/en/latest/_images/mermaid-everything.png)
31 |
32 | **List of open source threat intelligence**
33 |
34 | **IP addresses and websites**
35 | - [AbuseIPDB](https://www.abuseipdb.com/) - User reported IP addresses and hostnames. Reports contain log lines as comment and category of abuse
36 |
37 | **Indicators of compromise and threat information**
38 | - [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - An API for latest threats and IoCs. Features Direct Connect agents which provide a way to update intrusion detection systems and firewalls with new threat data from subscriptions.
39 | - [Yara Rules](https://github.com/Yara-Rules/rules) - A repository of Yara signatures, which can be easily imported to MISP
40 |
41 | **[Abuse.ch](https://abuse.ch/) - Community-driven projects which mostly provide blocklists:**
42 | - [MalwareBazaar](https://bazaar.abuse.ch/browse/) - Search malware samples by hash, ClamAV signature, tag or malware family.
43 | - [FeodoTracker](https://feodotracker.abuse.ch/) - An IP blocklist, designed to block command-and-control (C2) servers used by Dridex, Heodo and Trickbot. There are a number of [different blocklists available](https://feodotracker.abuse.ch/blocklist/), ranging from how "aggressive" they are. The more aggressive ones may cause a high number of false positive cases, while the more passive ones only provide IP addresses of active C2 servers. If you are running Suricata or Snort intrusion detection systems (IDS), the blocklists are available as premade rulesets, which you can download and easily put into use in your own IDS.
44 | - [SSL Blacklist](https://sslbl.abuse.ch/) - Contains a blacklist of SHA1 fingerprints of SSL certificates that have been associated with C2 servers. The certificates can be associated with multiple servers, so a separate C2 IP address blacklist is available with IP address and port combinations. A blocklist of [JA3](https://github.com/salesforce/ja3) fingerprints, a method that creates easily shareable SSL/TLS client fingerprints, is also available. As with the Feodo Tracker blocklist, these blocklists also come in "aggressive" versions and as Suricata/Snort rulesets.
45 | - [URLhaus](https://urlhaus.abuse.ch/) - A database of malware URLs. The [API section](https://urlhaus.abuse.ch/api/) provides database dumps, daily MISP events and ClamAV signature databases.
46 | - [ThreatFox](https://threatfox.abuse.ch/) - A platform for sharing IoCs. IoCs not older than 90 days are available for download; older IoC data can be downloaded from data dumps. Like the URLhaus database, ThreatFox also provides daily MISP events.
47 |
--------------------------------------------------------------------------------
/Enrichment/Threat Intelligence/README.md:
--------------------------------------------------------------------------------
1 | # Threat Intelligence
2 |
3 | **Introduction:** To protect our assets, we need to know who might be targeting us and what tools and techniques they usually use, so that we know where to focus our defence.
4 |
5 | **Benefits:**
6 | - Choosing where to focus on defence. Targeted attacks need targeted defence.
7 | - Detecting new threats
8 | - Identifying threats
9 | - Understanding what is going on
10 |
11 | **Worth noticing:**
12 |
13 | - Where does the information come from? Can it be trusted? Do the attackers have access to the same information?
14 |
15 | **Features:**
16 | - Indicators of Compromise (IoCs) - data gathered from logs or files that indicate that potentially malicious activity has happened on a system or a network. IoCs are gathered and shared by automated tools and cybersecurity professionals on multiple platforms. Finding an IoC on your own network does not guarantee that your network has been compromised, but it should definitely guide further investigation.
17 | - Indicators of Attack (IoAs) - the proactive counterpart of IoCs, where early signs of malicious activity are searched for before the cyber attack itself has a chance to succeed. Defenders could for example receive alarms of multiple failed SSH login attempts and then search the machine's log files for unauthorized access. On a larger scale, social media, news and threat intelligence sources could be monitored for possible cybercrime motivations, cyber attack campaigns or other reasons for an organization to anticipate an attack.
18 | - Tactics, techniques and procedures (TTPs) - Gathering this data enables the organization to reveal the possible attackers' motives and their means of executing an attack. This allows the organization to prepare its network protection and monitoring platforms accordingly to prevent and detect attacks.
19 |
20 | **Use cases**
21 |
22 | Data can be easily gathered from different services, but the problem is that it often comes in various formats, so the big obstacle is aggregating the data in an automatable manner. Data sources should provide data in a specific format, so it can be easily sent to a server, queried, filtered and visualized. The same problem applies to threat intelligence: there are a lot of different data sources publicly available, but the threat data needs to be in an easily shareable format. Platforms such as the [Malware Information Sharing Platform](https://www.misp-project.org/) (MISP) aim to make sharing threat information as easy as possible.
23 |
24 | When data sources are in a specific format and available from a centralized server, they can be used to enhance other tools and services. For example the intrusion detection systems Suricata and Snort rulesets can be downloaded from open threat intelligence sources. AI-powered systems also benefit from large amounts of log data, they could be used to perform anomaly detection and create alerts when something is out of the ordinary.
25 |
26 | Whatever threat intelligence sharing tool an organization uses, it has many benefits. [This blog describes simple steps to bring threat intelligence sharing to an organization.](https://www.helpnetsecurity.com/2020/09/21/5-simple-steps-to-bring-cyber-threat-intelligence-sharing-to-your-organization/)
27 |
28 | A list of tools to create, download and share threat information:
29 | - [JA3](https://github.com/salesforce/ja3) - Fingerprinting the TLS negotiation between client and server, meaning for example when a user connects to a bank website secured by HTTPS. If a bad actor uses the HTTPS protocol to connect to a command-and-control server, the TLS negotiation can still be fingerprinted using the JA3 method, even though the messages are encrypted. Sharing JA3 fingerprints allows organizations to detect if a device in their network is connecting to a known command-and-control server, that would send directions to malware inside the organizations network.
30 | - [OpenIOC](https://github.com/mandiant/OpenIOC_1.1) - An XML schema for sharing indicators of compromise.
31 | - [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html) - A language and serialization format for exchanging threat intelligence. STIX objects can be sent in JSON format, which makes it easy to transfer.
32 | - [Elastic Common Schema](https://www.elastic.co/blog/introducing-the-elastic-common-schema) - An open source log format specification designed to combine log data from multiple sources into a unified scheme. Different log files following Elastic Common Schema could be combined in Elasticsearch or other server, making alert creation and anomaly detection easier. The use of the schema makes it easy to parse log files, query the server where log files are aggregated and visualize data from different services.
33 | - [YARA](https://github.com/VirusTotal/yara) - YARA is a tool for identifying malware. Its rules specify binary patterns and text strings, which identify the malware or the malware family the analyzed sample belongs to. Many threat intelligence sources offer easily downloadable YARA rules, which can be used to spot malware on the organization's devices.
34 |
--------------------------------------------------------------------------------
/Enrichment/Time Series Analysis and Log Anomaly Detection/README.md:
--------------------------------------------------------------------------------
1 | # Time Series Analysis
2 |
3 | Time series analysis tools can be used to detect anomalies or patterns in a time series dataset. A time series dataset would be for example a log, where events are in time-based order and are recorded when the event occurs. In this case, the measurements are gathered at irregular time intervals, whereas a sensor that records a measurement every second would gather them at regular time intervals. The most common use cases for time series analysis would be network traffic analysis or system event log analysis.
4 |
5 | ### Tools
6 | * [STUMPY](https://github.com/TDAmeritrade/stumpy) - A Python library for constructing matrix profiles, which enable pattern discovery, anomaly detection etc.
7 | * [tslearn](https://github.com/tslearn-team/tslearn) - A machine learning toolkit for time series related data, makes preprocessing and training machine learning algorithms with time series data more streamlined and easier.
8 |
9 | # Log Anomaly Detection
10 |
11 | The amount of log data available in an organization's environment can be overwhelming. Even if alarms about specific log entries are configured, malicious activity may disguise itself as a normal log entry. In log anomaly detection, machine learning models are used to search large log files for anomalies or patterns that may indicate unusual behaviour.
12 |
13 | ## Deep learning in anomaly detection
14 |
15 | Automating log analysis with deep learning eliminates the need to create a large amount of rules for each new IoC / malicious IP address. With good domain expertise, the deep learning model could adapt to the target network traffic well and raise alerts on potentially malicious activity to administrators.
16 |
17 | ### Components of an anomaly detection model
18 | * Streaming log entries from multiple systems
19 | * [Elastic Beats](https://www.elastic.co/beats/) - Lightweight data shippers to Logstash or Elasticsearch
20 | * Centralized service for log data
21 | * [Elasticsearch, Logstash and Kibana or ELK stack](https://www.elastic.co/elastic-stack) - Combining multiple open-source products for searching and visualizing data
22 | * A log parser
23 | * [Logparser](https://github.com/logpai/logparser) - Toolkit for automated log parsing. Can extract fields from raw log messages according to a defined structure.
24 | * Preprocessing / feature engineering logs for machine learning
25 | * [Loglizer](https://github.com/logpai/loglizer) - A log analysis toolkit by the same developers as Logparser, provides a way to extract relevant features for machine learning algorithms from structured logs.
26 | * A machine learning model that calculates a score for log events. The score is used to determine if the event is an anomaly or not. This can either be a machine learning algorithm or a deep learning neural network. The machine learning algorithms are quick to deploy and require less computing power, however they may not adapt to a target environment as flexibly as a neural network, which could lead to more false alarms.
27 | * [A universal transformer](https://github.com/tensorflow/tensor2tensor/blob/master/tensor2tensor/models/research/universal_transformer.py) trained with either TensorFlow or PyTorch
28 | * An outlier detection algorithm, like k-nearest neighbors or isolation forest
29 | * A visualization of the anomaly (for example frequency and location of network traffic)
30 | * A whitelist database to prevent false alarms
31 |
32 | ### Open-source anomaly detection tools and systems
33 |
34 | * [Log Anomaly Detector](https://github.com/AICoE/log-anomaly-detector) - Uses Word2Vec and SOM (Self-organizing map) for unsupervised learning. Grafana visualization for metrics and a "fact store", where false positives are registered.
35 | * [PyOD](https://github.com/yzhao062/pyod) - Python toolkit for anomaly detection with multiple pre-defined machine learning models
36 | * [PyODDS](https://github.com/datamllab/pyodds) - Anomaly detection system similar to PyOD, but aims to provide usage for developers not familiar with machine learning too. The system queries data straight from a database for analysis and visualization.
37 | * [PySAD](https://github.com/selimfirat/pysad) - Streaming anomaly detection, integrations to PyOD models
38 | * [Cyber Log Accelerator](https://github.com/rapidsai/clx) - Utilize graphical processing units (GPUs) to accelerate log analysis.
39 |
40 | **Automated log analysis tools**
41 |
42 | **Windows Event Logs**
43 | * [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - A useful tool for a threat hunter, where PowerShell script for gathering windows event log data is provided and then analyzed with a Python script, where for example common executables used by attackers are searched and the number of logins is documented.
44 | * [DeepBlue](https://github.com/sans-blue-team/DeepBlueCLI) - Another useful PowerShell script, where specific log event ID's are searched for in Windows EVTX log files and a description of why it might indicate malicious activity is provided.
--------------------------------------------------------------------------------
/Eradicate-Recover/README.md:
--------------------------------------------------------------------------------
1 | # Eradication
2 | Eradication is an important phase that ensures the attacker's foothold and access have been removed from the environment. Eradication procedures depend on the nature of the attack, but they can include removal of attacker tools/software (e.g. malware), reconstruction of systems or reinstallation from backups.
3 |
4 | # Recovery
5 | The recovery phase can be moved on to when it is found that the remedies have worked. Recovery phase measures may include restoring data from backups, patching vulnerabilities, updating and reinstalling software, and replacing equipment. During the recovery phase, operations are restored to normal.
6 |
7 | The end of the disruption should be communicated to the target groups, with communications tailored to the needs of each group. The communication can include, for example, a description of what happened, the general reason for the incident and the outcome of the incident. At this stage, information is also provided on any recommendations for action and instructions on how to return to normal operations. After the incident and its effects, it is also useful to organise a joint meeting to discuss the shortcomings and successes identified.
8 |
9 | ## Documentation
10 | It is important to accurately document the steps involved in mitigation and recovery, as well as any associated evidence and indicators of compromise. This will help to understand what happened and prevent similar situations from occurring in the future. It can often be challenging to document in real time alongside other recovery activities, but it is important to take sufficient notes to prepare for future incidents and prevent potential threats from occurring. The sooner after recovery the documentation is written, the more likely it is that an accurate picture of what happened will be recorded.
11 |
12 | Improvements in recovery capacity should also be documented by analysing the current situation and the recovery phases of previous disruptions, and identifying key factors such as problems that caused significant delays or small but recurring problems.
13 |
14 | ## Recovery plan
15 | Systems and processes should have their own recovery plans, which are regularly updated and easily accessible. Recovery plans describe, among other things, the measures, roles and responsibilities for returning to normal and how to communicate in the event of a disruption. Continuity planning must take into account the recovery of individual systems and processes as well as recovery at organisational level. In the event of a large-scale failure, the criticality of systems and the priority of their recovery must be defined. It is important to consider the interactions between systems and any subsystems.
16 |
17 | Service providers and subcontractors must also be required to have recovery plans for their services. Recovery plans must be continuously developed according to identified deficiencies, including the definition of timelines and responsible persons for the implementation of repairs. Deficiencies in outsourced services should be addressed and corrected with service providers. Complaints may also be an option if it is clearly seen that the service provider has acted in breach of contract or practice.
18 |
19 |
20 |
--------------------------------------------------------------------------------
/Hypotheses/.gitignore:
--------------------------------------------------------------------------------
1 | !.gitignore
2 |
--------------------------------------------------------------------------------
/Hypotheses/README.md:
--------------------------------------------------------------------------------
1 | # Hypotheses
2 |
3 | Hypotheses contains two different sections called threat modeling and risk management. Threat modeling is used as a part of risk management to find threats. Under threat modeling, there is information about different threat modeling [methodologies](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Threat%20Modeling/Methodologies/README.md).
4 |
5 | Risk management contains different phases of risk management process. As a difference compared to several other risk management processes, this documentation contains [hypotheses](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Hypotheses/README.md) and [risk to threat](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20to%20Threat/README.md) sections under risk assessment. These two sections are important in this risk management documentation.
6 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Plan Implementation/README.md:
--------------------------------------------------------------------------------
1 | # Plan Implementation
2 |
3 | Implementation is the part where the risk mitigation plan is carried out. Different stakeholders responsible for mitigating certain risks are informed about the risk(s) and they are instructed how to deal with these risks. The risk management team may understand these risks well, but personnel in the team may not be the best for mitigating certain risks if they have no knowledge about the area of the risk. Depending on the risk, the mitigation may be done more efficiently if a person or team with experience in the area is the one doing the mitigation related tasks. Cost-effectiveness, for example, could influence the decision of who should do the mitigation. This of course depends on the risk management team's and stakeholders' opinions on what is the best option.
4 |
5 | Staff responsible for mitigating risks, should keep risk management team informed about the mitigation process and potential issues they have noticed during the mitigation, which for example could make the mitigation plan difficult to accomplish. If the staff have their own opinions on how to do the mitigation process or parts of it, they should inform risk management team with these proposals. If anything is done in a different way than originally planned, risk management team should be informed. Performing actions without discussing about them with risk management team, may create new risks if the mitigation is not done accordingly. Supervising mitigation staff is documented in the next step, which is [monitoring](../Risk Monitoring/).
6 |
7 | As stated in the [evaluation](../Risk Assessment/Risk Evaluation/) section, risks can be dealt with in different ways depending on the risk. For example, the mitigation of some risks may be transferred to a 3rd party if the mitigation is an insurance for some technical system. There are also positive risks. E.g. a company may become too dominant in a certain business area, so the company may be considered a monopoly by regulators.
8 |
9 | ### References
10 |
11 |
12 | - https://simplicable.com/new/risk-response
13 | - https://simplicable.com/new/positive-risk
14 |
15 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/README.md:
--------------------------------------------------------------------------------
1 | # Risk Management
2 |
3 | Risk management is the process of identifying risks in the organization, evaluating those risks, prioritizing risks by the level of their potential threat, creating a risk management plan, sorting out threat actors that could abuse these risks turning them into real threats, implementing the plan and continuing surveillance of these risks. There are many different views on the steps taken or processes performed in risk management. Some models may consist of fewer steps and other models contain many operations in a single phase.
4 |
5 | In this documentation the risk management phases are these:
6 |
7 |
8 | 1. [Risk assessment](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/README.md)
9 | 1.1 [Risk Identification](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Identification/README.md)
10 | 1.2 [Risk Analysis](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Analysis/README.md)
11 | 1.3 [Risk Evaluation](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20Evaluation/README.md)
12 | 1.4 [Hypotheses](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Hypotheses/README.md)
13 | 1.5 [Risk to Threat](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Assessment/Risk%20to%20Threat/README.md)
14 | 2. [Risk Mitigation Plan](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Mitigation%20Plan/README.md)
15 | 3. [Plan Implementation](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Plan%20Implementation/README.md)
16 | 4. [Risk Monitoring](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Risk%20Monitoring/README.md)
17 | 5. [Reporting](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Risk%20Management/Reporting/README.md)
18 |
19 |
20 | Steps are divided into their own sections where the actions performed in each step are explained. The purpose of these steps, and the reason risk management is done, is to pre-emptively prepare for the potential threats that the risks comprise. Damage caused by the threats can be mitigated before the damage happens. Risks that are unknown may cause far more serious consequences than the risks which are prepared for.
21 |
22 | The risk management process shouldn't be a one time thing. It should be a continuous process done at certain time frames or milestones like notable infrastructure changes in the organization. This way new risks can be discovered as soon as possibilities for their exploitation appear. After risk management is done for the first time, future processes will go much smoother since mistakes made previously can be recognized and avoided. It is also important to note the things done well in previous processes and make sure they are utilized in future processes.
23 |
24 | ### References
25 |
26 |
27 | - https://www.dau.edu/tools/se-brainbook/Pages/Management%20Processes/Risk-Management.aspx
28 | - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
29 | - https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf
30 |
31 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Reporting/README.md:
--------------------------------------------------------------------------------
1 | # Reporting
2 |
3 | During the reporting phase, organization informs personnel about what has been done during risk management process. One important thing that report should include is risk mitigation strategy for each risk and information about the implementation results. E.g. did the strategies used have desired results. Report is useful for internal organization personnel, but also for the team doing risk management. The old report can be utilized next time when doing risk management. It contains information about the old risks, how they were mitigated and was the mitigation successful etc. So, the report is also a documentation for next risk management processes to come.
4 |
5 | ### Report content
6 |
7 | Reports are unique for each organization, since risk management processes vary. E.g. the report could include these sections:
8 |
9 |
10 | - Risk description: Description of the risk, which can be general or more detailed information.
11 | - Risk impact: Potential impacts that risk may cause. This should contain sufficient information about the risk, so that internal audiences will get extensive understanding related to impact.
12 | - Previous plans and goals: Information about potential previous mitigation that may have been used on the risk.
13 | - Risk mitigation: Mitigation methods that were used during this risk assessment process and personnel who are responsible for the mitigations to succeed.
14 | - Mitigation effects: Detailed effects of the mitigation strategy used.
15 |
16 |
17 | ### Reporting tips
18 |
19 |
20 | - Report structure should not be too complex, so that its contents are easy to understand. Think about your audience when writing the report.
21 | - Avoid using complex technical terms that may confuse people who do not know the meaning of these terms.
22 | - Risk impacts should be defined in cumulative way, not one-by-one.
23 |
24 |
25 | ### References
26 |
27 |
28 | - https://www.cimaglobal.com/Documents/ImportedDocuments/Tech_MAG_Reporting_Organisational_Risks_for_Decision_Making_Sept06.pdf
29 | - https://www.erminsightsbycarol.com/risk-reporting/
30 |
31 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Hypotheses/README.md:
--------------------------------------------------------------------------------
1 | ## Risks into hypotheses
2 |
3 | Hypotheses can be created based on the known risks. These hypotheses expand understanding of the impact area caused by the potential risk. With a single hypothesis, the future impact chain caused by a risk can be envisioned before it has even happened. These impact chains may also vary depending on the type of the risk. If the risk impact is caused by some malicious attacker, the attacker's motivations and goals may define what kind of impact the risk will have. This will be discussed more in the [risk to threat](../Risk%20to%20Threat/) section. You can think about different threat scenarios and consider all the risks that may be part of each scenario, since combined together, risks create chains and some risks may cause the same impact, meaning there are a variety of attack chains for the same impact at the end of the chain. For example [attack tree](../../../Threat%20Modeling/Methodologies/Attack%20Tree/) is a threat modeling methodology that can be used to create these chains. This directory contains a few examples of different hypotheses.
4 |
5 | Hypotheses may help to find new undiscovered risks. Whenever a new risk is found, it should be [analysed](../Risk%20Analysis/) and [evaluated](../Risk%20Evaluation/) like all the previously found risks. This creates a cycle inside risk assessment, where risk management team moves backwards after finding new risks.
6 |
7 | ## References
8 |
9 |
10 | - https://magoo.medium.com/hypothesis-risk-and-science-439fc8b05ffb
11 | - https://attack.mitre.org/
12 |
13 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Hypotheses/hypothesis2.md:
--------------------------------------------------------------------------------
1 | ### Hypothesis example 2: Software source code stealing
2 |
3 | An organization called Globex develops software. The organization has an AD environment with about 500 users. Workstations and servers in AD are patched. The environment contains an internal Git server where all the software projects are stored. Recently the company made a large purchase by buying 100 new laptops for the developer team of a major AI related project. This customer project has been under work for 3 years and rumors about it have spread to other companies that are interested in the technology they are developing.
4 |
5 | #### Chain of events
6 |
7 | One of the new laptops given to the employees contains an extra component on the motherboard. This component gives a malicious actor remote access to the laptop. When the laptop is put into use for the first time, it calls the attacker's CnC server for instructions using a rootkit that the malicious component installed on the system. The attacker wants to remain as silent as possible, so it commands the rootkit to slowly send information about the laptop's system and files to the CnC, so the malware affects the system's performance as little as possible. When the attacker has received enough information about the system, it has determined based on the information that the company has an internal Git server containing all the software projects. The rootkit activates a [keylogger](../../../Data%20Collection/tactics/Credential%20Access/T1056/T1056.001/README.md) on the system to capture the user's credentials for the internal Git server account. The next time the user updates the project and inserts his username and password along the process, the keylogger captures the combination and sends it to the CnC.
8 |
9 | With the username and password combination, the malware can now log into the Git server through the user's machine, since the user has not added [MFA](https://attack.mitre.org/mitigations/M1032/) for authentication. User has access to all internal projects in the Git server. Attacker commands the malware to list all the projects that user has access to. After receiving the list, attacker orders the malware to slowly send all the data in projects to CnC. This goes on for six months. Malware keeps sending updated data of the Git projects to the CnC. Eventually person from the company security team notices connections to weird domains from firewall logs. Laptop is seized from the employee and it is investigated. The extra component in motherboard is found and all the laptops from same purchase are also checked for it, but all of them come up clean.
10 |
11 | #### Risks associated with the hypothesis
12 |
13 | This hypothesis did not contain any vulnerabilities in any software, unlike the previous hypothesis. As a result this kind of data exfiltration can be very harmful for company reputation. Attacker had access to the AI project's source code, which is a big setback, especially since customer owns the project and not the software company itself, which is just developing the project. Attacker was targeting the AI project, but also got access to other projects as well, which made the attack more severe. Depending on the attacker, they may for example sell the projects data in dark web or blackmail the organization for ransom.
14 |
15 | Some of the risks listed in the hypothesis are gathered below:
16 |
17 |
18 | - Backdoor in laptop motherboard: One of the new laptops bought had a malicious component attached to it. This component established a backdoor to the laptop for attackers interested in the software they were developing. The method for initial access that the attackers used is called hardware supply chain compromise. In this attack the malicious component was visible, but firmware based attacks would leave no visible components to look for. Noticing this kind of attack would require thorough exploration of all new devices' components and their firmware. This activity would require a lot of extra work and a better investment could for example be a trusted platform module in each system (used for measured boot and attestation of the firmware state) or a SOC service doing threat hunting, which would also be helpful in different threat scenarios.
19 | - Git account had no MFA: If the user had added MFA for his Git account, capturing user credentials would not have been enough for the attacker to gain access to the Git account. There are several ways to implement MFA, e.g. SMS token or biometric verification.
20 | - Git account had permissions to all the projects: User affected by the malware had an internal Git account with access to all the projects. Attacker acquired the account's credentials using keylogger. Attacker was then able to fetch all the Git projects using user's laptop as a proxy between internal Git server and attacker's CnC server. User account should have only had access to projects he actually was developing and not to all of them. Far less different projects would have been compromised, if this would have been the case.
21 | - Data leak: Attacker was able to transmit data from organization network into their CnC network. Organization did not have any way to stop the data from leaking to internet. One way to mitigate this activity would be more restrictive firewall rules to filter network traffic or implement some sort of network intrusion prevention.
22 | - Slow reaction: It took 6 months for the organization to react to this data exfiltration. These incidents can be hard to spot, since you have to manually look for traces of them if there is no IDS implemented or other kind of surveillance like a SOC service. In some cases these events are never detected, especially if the attacker has access to system logs and is able to manipulate them, while administrators are not doing any realtime exploration and only rely on logs.
23 |
24 |
25 | ## References
26 |
27 |
28 | - https://attack.mitre.org/
29 | - https://www.loginradius.com/blog/start-with-identity/2019/06/what-is-multi-factor-authentication/
30 |
31 |
32 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/README.md:
--------------------------------------------------------------------------------
1 | # Risk Assessment
2 |
3 | Risk management starts with risk assessment that consists of five consecutive phases. These phases cover identification of risks, analysis of the risks found, evaluation of their criticality, hypotheses based on the risks and risk to threat where risks are refined to threats. After the risk assessment is done, potential risks should be identified, analysed and categorized, so next [step](../Risk Mitigation Plan/) of the process can be conducted. Risk assessment steps can be different depending on documentation. Usually risk assessment consists of the first three steps (Identification, analysis and evaluation). In this documentation, hypotheses and risk to threat were added as their own steps for risk assessment process.
4 |
5 | Risk assessment should be planned carefully before its execution. Preparation includes identification of the assessment's purpose, determination of the risk assessment scope, identification of risk model and analytic approaches used during the assessment etc.
6 |
7 | ### References
8 |
9 |
10 | - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
11 |
12 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Risk Analysis/README.md:
--------------------------------------------------------------------------------
1 | # Risk Analysis
2 |
3 | After the risks are identified in the first phase of the risk assessment process, they should be analyzed. Analysis is done to understand the possibility and consequences of each risk. Information like historical data and theoretical analysis about each risk should be gathered to gain greater understanding of the risk.
4 |
5 | ### Analysis Methods
6 |
7 | Risks can be assessed by using different methodologies. In this documentation the methods are based on qualitative, semi-quantitative and quantitative methodologies.
8 |
9 | In **qualitative** analysis, potential losses caused by a risk are determined using different metrics like vulnerabilities related to the risk or controls that reduce the effectiveness of the risk. After the risk is identified using those metrics, it can be assessed in a matrix using importance and occurring possibility as metrics. CIRA and CORAS are methodologies using the qualitative approach.
10 |
11 | **Semi-quantitative** methods are used to describe the relative risk scale. This approach tries to combine the benefits of qualitative and quantitative methodologies to decrease the disadvantages of the two. Risks can be classified into different rankings like low, medium, high etc. The minimum number of these ranking levels is 3. A Risk-Level matrix with two metrics, impact and threat likelihood, is created using these levels. Each level equals a certain number of points, e.g. medium level impact could be 10 points and critical level impact could be 100 points. Higher impact and likelihood mean greater points. The table below contains an example of a Risk-Level matrix.
12 |
13 | | | Impact | Impact | Impact | Impact |
14 | |-----------------------|-----------------------|---------------------------|--------------------------|----------------------------|
15 | | **Threat Likelihood** | Low (10) | Medium (50) | High (75) | Critical (100) |
16 | | Critical (1.0) | Low (1.0 x 10 = 10) | Medium (1.0 x 50 = 50) | High (1.0 x 75 = 75) | Critical (1.0 x 100 = 100) |
17 | | High (0.75) | Low (0.75 x 10 = 7.5) | Medium (0.75 x 50 = 37.5) | High (0.75 x 75 = 56.25) | High (0.75 x 100 = 75) |
18 | | Medium (0.5) | Low (0.5 x 10 = 5) | Medium (0.5 x 50 = 25) | Medium (0.5 x 75 = 37.5) | Medium (0.5 x 100 = 50) |
19 | | Low (0.1) | Low (0.1 x 10 = 1) | Low (0.1 x 50 = 5) | Low (0.1 x 75 = 7.5) | Low (0.1 x 100 = 10) |
20 |
21 | As seen from the table above, each risk has a rating between 1 and 100. The rating can be used to reflect the seriousness of the risk and should be taken into account when doing [risk evaluation](../Risk%20Evaluation/).
22 |
23 | **Quantitative** risk assessment offers a more mathematical and objective approach compared to qualitative methods. Quantitative approaches include the Monte Carlo method, the historical simulation method, IS, ISRAM and the Delphi method.
24 |
25 | ### References
26 |
27 |
28 | - https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
29 | - http://www.madrid.org/cs/StaticFiles/Emprendedores/Analisis_Riesgos/pages/pdf/metodologia/4AnalisisycuantificaciondelRiesgo%28AR%29_en.pdf
30 | - http://www.jcomputers.us/vol12/jcp1201-06.pdf
31 | - http://anale.feaa.uaic.ro/anale/resurse/50_I02_Radu.pdf
32 | - https://www.projectpractical.com/quantitative-risk-analysis/
33 |
34 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Risk Evaluation/README.md:
--------------------------------------------------------------------------------
1 | # Risk Evaluation
2 |
3 | When the risks have been analysed, their significance to the organization should be evaluated. Based on the evaluation, each risk should be accepted or treated in some way. The impact caused by some lesser risks may be so insignificant that they can be accepted without any need for preparation. There are no specific criteria for what kind of risks should be accepted, and each team doing risk evaluation should assess these risks considering their own environment, which the risks could potentially affect.
4 |
5 | ### Risk Criteria
6 |
7 | Risk criteria should be used as an aid when doing the evaluation. Criteria could include the risk's associated costs, stakeholder opinion, environmental factors regarding the risk etc. The impact and likelihood of the risks were defined in the previous analysis phase, and its results should be used as the basis for the criteria. In some cases fixing a risk may cost more than the impact caused by the risk. In these situations it is important to note the likelihood of the risk and how many times the impact caused by the risk may occur. If the threat caused by the risk is likely to happen and the impact isn't a one-time thing, it might be better to fix the risk rather than accept it. The other way around, the impact caused by the risk could only occur once and fixing it would be more expensive than the financial cost caused by the impact. In this situation it does not matter how likely the risk is to happen, since it is cheaper to take the impact rather than fix the risk being abused. Though it should be noted that risks may lead to other risks, and abusing them all could cause a chain reaction leading to much higher expenses than originally expected. This is related to risk refining and hypotheses, which are explained in the [risk to threat](../Risk%20to%20Threat/) and [hypotheses](../Hypotheses/) sections.
8 |
9 | ### Risk prioritization
10 |
11 | Risk evaluation is a balance between acceptance and handling of the risks. Many factors need to be taken into account while the evaluation is in progress. Risks should be prioritized based on the demand to fix them. Some risks may be so critical that they require a quick and immediate fix. These are the risks that should be of the highest priority. Lower priority risks should be mitigated after the higher priority risks have been fixed, which is the point of risk prioritization.
12 |
13 | ### References
14 |
15 |
16 | - http://www.safedor.org/resources/SAFEDOR-D-04.05.02-2005-10-21-DNV-RiskEvaluationCriteria-rev-3.pdf
17 | - https://www.theseus.fi/bitstream/handle/10024/150499/Kallio_Riikka.pdf?sequence=1
18 |
19 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Risk Identification/README.md:
--------------------------------------------------------------------------------
1 | # Risk Identification
2 |
3 | Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. All the potential risk sources should be mapped, so that all the areas of compromise will be considered. The process of finding risk sources and new risks continues throughout risk management. New undiscovered areas of the program will be found as the scope is dug into more deeply. Most likely not all potential risks are found during this phase, and more risks will be added to the known risks later on, which requires going back to previous phases so that the new risks are added to the old models, lists and graphs. Finding a new risk may also reveal a path to several other risks that have not been considered yet.
4 |
5 | ### Risk Identification Techniques
6 |
7 | There are many different [techniques](https://www.researchgate.net/publication/264789624_Methods_of_risk_identification_in_companies%27_investment_projects) that can be used when doing risk identification. Different techniques have various benefits and disadvantages. E.g. SWOT analysis offers a structured approach for identifying risks, but it tends to produce generic risks that are not project specific. An organization may use several techniques during its risk identification process or use the techniques as guidance for creating its own techniques. Techniques used in risk identification should be chosen based on their suitability for the organization's needs. Techniques can be different threat modeling [methodologies](../../../Threat%20Modeling/Methodologies/) like [PASTA](../../../Threat%20Modeling/Methodologies/PASTA/), which can be used to identify risks.
8 |
9 | ### Risk sources
10 |
11 | Risks can be found in different environments. It is important for personnel doing risk assessment to recognize these environments. Risk sources can be found at least in physical, social, political, operational, economic, legal and cognitive environments. There can be risks in surprising places. E.g. a government may implement new strict rules for a certain industry, affecting businesses on a large scale in that area, or an earthquake could happen in some geographical area, demolishing part or all of the organization's infrastructure.
12 |
13 | ### References
14 |
15 |
16 | - https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification
17 | - https://www.researchgate.net/publication/264789624_Methods_of_risk_identification_in_companies%27_investment_projects
18 | - https://www.acqnotes.com/Attachments/DoD%20Risk%20Management%20Guidebook,%20Aug%2006.pdf
19 | - https://www.pmi.org/learning/library/risk-identification-life-cycle-tools-7784
20 | - https://www.emerald.com/insight/content/doi/10.1108/09566160210431088/full/pdf?title=risk-identification-basic-stage-in-risk-management
21 |
22 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Assessment/Risk to Threat/README.md:
--------------------------------------------------------------------------------
1 | ## Risk to Threat
2 |
3 | Risk to threat is the process of refining a risk with a threat actor who would abuse the risk. Defining different threat actors helps the organization to envision different kinds of attacks, since attackers may have a variety of goals depending on the attacker. These goals can be achieved using the risks defined during risk management and other risks that were not taken into account. Different threat actors may abuse different risks depending on the goal. E.g. in the [1st](../Hypotheses/hypothesis1.md) hypothesis example, the attacker spread ransomware across the organization's network. The attacker's goal was to gain money. Another threat actor may have just tried to be as quiet as possible to avoid being found, like in the [2nd](../Hypotheses/hypothesis2.md) hypothesis example. If the risk management team succeeds in identifying potential threat actors and their motives, different attack chains can be proactively identified and the organization can prepare for them before they happen.
4 |
5 | Threat modeling can be used to identify threat actors. Several different threat modeling methodologies are presented in the [methodologies section](../../../Threat%20Modeling/Methodologies). Some of the methodologies are appropriate for identifying threat actors, like [MITRE ATT&CK](../../../Threat%20Modeling/Methodologies/MITRE%20ATT&CK/). The ATT&CK knowledge base contains information about different APTs and what tactics they have used previously. An organization can for example view the techniques used by a certain APT and check whether it would be vulnerable to such attacks. Checking an APT's previous attack targets may also help organizations to clarify whether they would be potential targets for certain APTs. If the previous targets have been operating in the same industry area as the organization doing risk management, it should take the APT into account, since the organization might also be targeted by the APT.
6 |
7 | When the threat actors are known, [hypotheses](../Hypotheses/) can be created with real actors. This gives a new perspective to hypotheses, since organizations can actually prepare for real threat actors and not just for a certain chain of events that could occur. Threat actors should be categorized in order from the biggest threat to the smallest. The biggest threat actors' moves should be monitored, so that the organization stays up to date with their techniques and targets.
8 |
9 | ### References
10 |
11 | - https://www.sans.org/reading-room/whitepapers/threatintelligence/quantifying-threat-actor-assessments-39585
12 |
13 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Mitigation Plan/README.md:
--------------------------------------------------------------------------------
1 | # Risk Mitigation Plan
2 |
3 | When all the found risks are evaluated, risk mitigation plan is created to mitigate the risks in a predefined way. Cost-effectiveness of mitigation strategies should be taken into account when the plan is created. There may be several ways to deal with a certain risk, but some ways may be cheaper than others, which is why it is important to brainstorm different ways of mitigating the risk, if it isn't obvious how it should be dealt with. If the risk is too critical, it might be best to mitigate it even if the process is not cost-effective. Planning requires time and it is cheaper to plan the future procedure well, rather than do the execution poorly and fix potential mistakes created by the poor execution later on.
4 |
5 | Mitigation tasks should be assigned to appropriate personnel that are capable of doing the task they are given. There are different strategies for mitigating the found risks. For example some risks can be accepted if their impact is low compared to mitigation cost. Risk avoidance may also be used if it is possible. If risks cannot be completely mitigated, their impact or possibility may still be reduced partially.
6 |
7 | Risk classifications may change during the mitigation process, which is why a backup plan should be created as a part of the mitigation plan. The plan should at least include reevaluation of existing risks and discovery of new risks during the project.
8 |
9 | ## References
10 |
11 |
12 | - https://silverbulletrisk.com/blog-5-risk-mitigation-strategies-and-how-to-properly-manage-the-risk-mitigation/
13 | - https://www.projectmanager.com/blog/risk-management-plan
14 |
15 |
--------------------------------------------------------------------------------
/Hypotheses/Risk Management/Risk Monitoring/README.md:
--------------------------------------------------------------------------------
1 | # Risk Monitoring
2 |
3 | After the plan has been implemented, the organization should monitor the effectiveness of the implementation. They should check whether risk response actions have been implemented as planned, whether responses are as effective as expected, whether proper policies and procedures are followed, whether a risk trigger has occurred, or whether new risks have occurred that were not previously identified. With the help of monitoring, old strategies may be updated accordingly when monitoring discovers flaws in the implementation process or the aftermath of the process. For this to happen, all positive and negative things should be noted and gathered up to understand what works and what does not. Risk monitoring is important since it helps to demonstrate whether strategies are effective or not.
4 |
5 | Risk monitoring can be categorized into four different categories as stated in [here](https://www.skillmaker.edu.au/risk-monitoring/):
6 |
7 |
8 | - Voluntary: Used to learn from events, which have occurred in the past. This is not mandatory or required by law.
9 | - Obligatory: Risk monitoring strategies, which are required by the law to ensure that proper risk monitoring and management methods are in use.
10 | - Reassessment: Secondary or tertiary assessment of risk and risk management strategies.
11 | - Continual: Always ongoing monitoring.
12 |
13 |
14 | ### Levels of monitoring
15 |
16 | Some risks may require more monitoring than others and some risks do not need to be monitored at all. Low impact risks with a low likelihood of happening are the risks that require the least monitoring, whereas high impact risks with a high likelihood require more monitoring than other risks. Leaving those risks without monitoring is a risk in itself. Monitoring is a continuously changing process. Some risks may require more monitoring at a certain point, but as the monitoring goes on, you may learn that a particular risk needs less monitoring, or even more.
17 |
18 | ### Sources for risk monitoring information
19 |
20 | Risk monitoring is itself a research-oriented task to see how a risk or risk source is changing. Resources for risk monitoring can be categorized into internal and external sources. Internal sources include people working in the organization with information about the risk and internal audit reports. External sources can include data mining and industry specific magazines/publications. These were just examples. There are many other sources that can be found helpful.
21 |
22 | ### References
23 |
24 |
25 | - https://www.skillmaker.edu.au/risk-monitoring/
26 | - https://faculty.kfupm.edu.sa/CEM/alkhalil/PDF_CEM_516/L07%20Risk%20Monitoring%20&%20%20Control.pdf
27 | - https://www.erminsightsbycarol.com/risk-monitoring/
28 |
29 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Attack Tree/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Attack Tree/README.md:
--------------------------------------------------------------------------------
1 | # Attack Tree
2 |
3 | An Attack Tree is a visual model that describes ways in which a computer system can be attacked. The method was developed in 1999 by Bruce Schneier. The tree contains nodes called leaves which correspond to attacker goals in the computer system. Subnodes under each node are subgoals that the attacker has to accomplish before reaching the upper node. The tree may include AND nodes and OR nodes. OR nodes can be used to describe several ways that an attacker can reach a goal, whereas AND nodes are connected to each other and all their goals have to be achieved before the attacker can move to the upper node. The attacker's ultimate goal is to climb up the tree hierarchy and reach the root node. After the tree structure is created, each leaf should be given a value based on the attacker's cost of accomplishing the goal in the leaf and the damage cost to the company which occurs if the attack succeeds. There isn't an actual basis for the damage/attack cost calculations, since costs can differ a lot depending on the organization structure and the system targeted. An organization using attack trees as part of threat modeling should brainstorm all the individual costs reflecting its own environment.
4 |
5 | Image below contains example of an attack tree with costs included.
6 |
7 | 
8 |
9 |
10 | **Benefits**:
11 |
12 |
13 | - Tree structure is easy to modify if more leaves need to be added to the structure later on.
14 | - Graphical embodiment of the model makes it easier to understand.
15 |
16 |
17 | ### References
18 |
19 |
20 | - https://www.schneier.com/academic/archives/1999/12/attack_trees.html
21 | - http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.875.9918&rep=rep1&type=pdf
22 | - https://www.theseus.fi/bitstream/handle/10024/220967/Selin_Juuso.pdf?sequence=2&isAllowed=y
23 |
24 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Attack Tree/attack.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Hypotheses/Threat Modeling/Methodologies/Attack Tree/attack.gif
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/CVSS/README.md:
--------------------------------------------------------------------------------
1 | # CVSS (Common Vulnerability Scoring System)
2 |
3 | CVSS is a framework and standard for grading software vulnerabilities. The framework is owned by FIRST.Org. The first version (1.0) of CVSS was introduced in 2005. Version 2.0 came out in 2007, fixing 1.0 issues like inconsistency and lack of granularity. The latest CVSS version, 3.1, was released in 2019. The National Vulnerability Database (NVD) contains most known vulnerabilities with a CVSS score.
4 |
5 | CVSS 3.0 Ratings:
6 |
7 | | Severity | Base Score Range |
8 | |----------|------------------|
9 | | None | 0.0 |
10 | | Low | 0.1-3.9 |
11 | | Medium | 4.0-6.9 |
12 | | High | 7.0-8.9 |
13 | | Critical | 9.0-10.0 |
14 |
15 | CVSS uses 3 different metric groups for score evaluation: Temporal, Base and Environmental. The Base metric group produces a value between 0 and 10, which can be modified using the Temporal and Environmental metrics. Each of these 3 metric groups contains a set of metrics that are used in score evaluation. Details of all metrics can be found in the official [CVSS 3.1 specification document](https://www.first.org/cvss/v3.1/specification-document).
16 |
17 | **Benefits**:
18 |
19 |
20 | - CVSS is standardized and widely used.
21 | - Most known vulnerabilities have been rated using CVSS.
22 | - Provides transparency by being open framework.
23 |
24 |
25 | ### References
26 |
27 |
28 | - https://www.first.org/cvss/specification-document
29 | - https://nvd.nist.gov/vuln-metrics/cvss
30 | - https://searchsecurity.techtarget.com/definition/CVSS-Common-Vulnerability-Scoring-System
31 |
32 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/DREAD/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.swo
3 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/DREAD/README.md:
--------------------------------------------------------------------------------
1 | # DREAD (Damage potential, Reproducibility, Exploitability, Affected users and Discoverability)
2 |
3 | DREAD is a Microsoft-developed threat modeling methodology. The model is used to create a risk rating based on a threat's or vulnerability's damage potential, reproducibility, exploitability, affected users and discoverability. Each of these categories is given a rating between 0-10, depending on how the threat or vulnerability performs in the category. A higher value corresponds to a more severe threat/vulnerability. E.g. if a vulnerability affects all organization users and its clients' users, the affected users category rating could be as high as 10. When each category's rating has been determined, the ratings are summed up and divided by 5, which results in a value between 0-10. Value 0 means that the threat/vulnerability causes no impact and value 10 means the worst possible outcome.
4 |
5 | **Benefits**:
6 |
7 |
8 | - Simple to use, since the model does not require many steps.
9 | - Provides mechanism to compare threats/vulnerabilities with each other, so potential fixes can be prioritized based on the rating.
10 | - Vulnerability/threat ratings from long period of time can be used to determine which components have more serious risks compared to others.
11 |
12 |
13 | ### References
14 |
15 |
16 | - https://docs.microsoft.com/fi-fi/archive/blogs/david_leblanc/dreadful
17 | - https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD
18 |
19 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/MITRE ATT&CK/README.md:
--------------------------------------------------------------------------------
1 | # MITRE ATT&CK
2 |
3 | MITRE ATT&CK is a knowledge base model of adversaries' attack techniques. The model was created in 2013 and has been developed since. The ATT&CK model consists of different categories like privilege escalation, lateral movement and initial access. Under these categories are different category-related techniques. Each technique section contains information on how it works, and a technique may also contain sub-techniques, which are shown to the user. E.g. the brute force technique under credential access contains 4 sub-techniques: password guessing, cracking, spraying and stuffing. A technique section also lists different APTs that have used the technique and ways to detect and mitigate the technique.
4 |
5 | Organizations may use the ATT&CK model to emulate adversary movement and different threats. Model is also good for assessing internal defensive tools and processes, so security program investments can be prioritized based on the assessment. Organizations may also use the model to test SOC's detection capability for different attacks. Red teams can use the model to plan new attack scenarios and design new attack vectors that may bypass defenses.
6 |
7 | **Benefits**:
8 |
9 |
10 | - ATT&CK model offers large database of attacking techniques, their mitigations, APTs etc.
11 | - Model can be used by both blue and red teams for assessing their tools and techniques.
12 | - Information about different APT techniques can be useful when defending against them or investigating their attacks.
13 |
14 |
15 | ### References
16 |
17 |
18 | - https://attack.mitre.org/
19 | - https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf
20 | - https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
21 |
22 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Mitre Atlas/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Hypotheses/Threat Modeling/Methodologies/Mitre Atlas/.gitkeep
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Mitre Atlas/README.md:
--------------------------------------------------------------------------------
1 | # MITRE ATLAS
2 | MITRE ATLAS, Adversarial Threat Landscape for Artificial-Intelligence Systems, is a knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups, and the state of the possible from academic research.
3 |
4 | **Benefits**:
5 |
6 | - ATLAS model offers a database of attacking techniques against AI and Machine Learning systems.
7 | - Model can be used by both blue and red teams for assessing their tools and techniques.
8 | - Information about different APT techniques can be useful when defending against them or investigating their attacks.
9 |
10 |
11 | ### References
12 |
13 | - https://atlas.mitre.org/
14 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/OCTAVE/README.md:
--------------------------------------------------------------------------------
1 | # OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
2 |
3 | OCTAVE is a methodology for identifying and managing information security risks. OCTAVE's first version, 1.0, was released in 1999. The methodology has been developed since, and its latest version, OCTAVE Allegro 1.0, was released in 2007. The three major distinctive versions of OCTAVE are OCTAVE, OCTAVE-S and OCTAVE Allegro. These different versions of OCTAVE are implemented in different ways, so an organization desiring to use this methodology should explore all of the versions to find the one that suits the organization's needs.
4 |
5 | ## OCTAVE
6 |
7 | The first version of OCTAVE was implemented for large organizations (300+ personnel). A small group consisting of organization IT department members and business unit members forms an analysis team. This team plans and conducts different workshops for company employees. There are two types of workshops: discussions with employees, and activities conducted by the analysis team. Data is gathered from each workshop and used to find out different threats in the organization and mitigate these threats.
8 |
9 | OCTAVE is performed in three phases:
10 |
11 | 1. Identification of company assets, their security requirements, threats interfering with the requirements and protection strategies. This is mainly done by interviewing employees.
12 | 2. Identification of vulnerabilities based mostly on phase 1 threat analysis.
13 | 3. Based on data gathered in phases 1 and 2, analysis team does risk analysis, develops risk mitigation plans and security strategy.
14 |
15 | ## OCTAVE-S
16 |
17 | OCTAVE-S is similar to OCTAVE. The main difference is that OCTAVE-S is designed for smaller organizations. The three phases described in the OCTAVE section are used by OCTAVE-S as well, but the number and sequencing of activities differ from the phases used in OCTAVE.
18 |
19 | OCTAVE-S does not rely on initial information gathering workshops, since it expects that analysis team has wide knowledge of their organization. OCTAVE-S is also more friendly for less experienced security personnel because OCTAVE-S is more structured than OCTAVE. OCTAVE-S is designed to limit amount of infrastructure examination compared to OCTAVE, since smaller organizations may not have resources to invest on high-end vulnerability scanning tools.
20 |
21 | ## OCTAVE Allegro
22 |
23 | Allegro is a modernized version of OCTAVE. It puts more focus on the simplicity of the threat modeling process by reducing resource, training and knowledge requirements. Allegro is also suitable for individuals doing risk assessment rather than just large organizations. It does not have to include workshops and questionnaires like the original OCTAVE.
24 |
25 | Allegro contains 8 steps which can be categorized into 4 different areas of activity:
26 |
27 | 1. Drivers are established. Drivers are used to develop risk measurement criteria to evaluate organization's risks.
28 | 2. Profile information assets. Profiling is done by describing different information about the assets e.g. characteristics, usage and value. Phase also contains identification of information asset containers. Containers describe where assets are processed, transported and stored.
29 | 3. Identification of threats for information assets identified in 2nd phase. Assets threats are identified in context to their containers.
30 | 4. Identification and mitigation of risks. After identifying and analyzing risks, proper mitigation strategy is chosen depending on type of the risks.
31 |
32 | ## References
33 |
34 |
35 | - https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
36 | - https://apps.dtic.mil/sti/pdfs/ADA448425.pdf
37 | - https://www.researchgate.net/publication/305229476_Information_Technology_Risk_Assessment_Octave-S_Approach/link/5785ea1608aef321de2b9190/download
38 | - https://www.researchgate.net/publication/263966515_Implementation_of_the_OCTAVE_Methodology_in_Security_Risk_Management_Process_for_Business_Resources
39 | - https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14273.pdf
40 |
41 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/OWASP/.README.md.swp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Hypotheses/Threat Modeling/Methodologies/OWASP/.README.md.swp
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/OWASP/README.md:
--------------------------------------------------------------------------------
1 | # OWASP (Open Web Application Security Project)
2 |
3 | OWASP is a software security focused non-profit foundation that was started by Mark Curphey in 2001. OWASP offers lots of different community-created tools, documents, guides etc. Organizations can use these assets in their own threat modeling process to create software, patch software and maintain the software.
4 |
5 | ### OWASP top 10
6 |
7 | One well-known OWASP project is called OWASP Top 10, which contains the top 10 web application security vulnerabilities. The vulnerabilities are documented and each of them has its own section in the document. Sections contain vulnerability-related attack vectors, the security weaknesses allowing these attacks to happen, impacts of potential attacks, attack scenario examples, references and prevention strategies. Top 10 documents have been published since 2003 and the latest version was released in 2017.
8 |
9 | ### Web Application Testing Guide
10 |
11 | OWASP has also released web application testing guides since 2004. The newest version (as of 22.04.2021), [4.1](https://owasp.org/www-project-web-security-testing-guide/v41/), was released in 2020. The testing guide covers different web application based vulnerabilities. The vulnerabilities are explained, and different ways to abuse those vulnerabilities are also documented by showing different payloads and techniques to achieve exploitation.
12 |
13 | ### Threat Dragon
14 |
15 | Threat Dragon is an open-source threat modeling tool created by OWASP. It can be used to create threat modeling diagrams (DFDs). It is available as web application and standalone desktop app.
16 |
17 |
18 | **Benefits**:
19 |
20 |
21 | - OWASP offers many different tools to use when threat modeling web applications.
22 | - OWASP is open source project, so all the materials are available for free.
23 | - OWASP Top 10 helps organizations prioritize web application vulnerabilities.
24 | - Web Application Testing Guide helps companies to identify potential attack vectors during threat modeling process.
25 | - Threat Dragon helps to visualize potential attack vectors.
26 |
27 |
28 | ### References
29 |
30 |
31 | - https://raw.githubusercontent.com/OWASP/Top10/master/2017/OWASP%20Top%2010-2017%20(en).pdf
32 | - https://www.synopsys.com/glossary/what-is-owasp-top-10.html
33 | - https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
34 | - https://owasp.org/www-project-web-security-testing-guide/v41/
35 | - https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/E-History
36 | - https://docs.threatdragon.org/
37 | - https://owasp.org/www-project-threat-dragon/
38 | - https://opus.hs-offenburg.de/frontdoor/deliver/index/docId/3339/file/Bachelorthesis_Tobias_Reski_18.02.2019.pdf
39 |
40 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/PASTA/README.md:
--------------------------------------------------------------------------------
1 | # PASTA (Process for Attack Simulation and Threat Analysis)
2 |
3 | PASTA is a seven-step framework for assessing an organization's risks, such as the potential business impacts caused by attacks. PASTA was developed by Tony UcedaVélez in 2012. PASTA can be used as a risk- or asset-based model that also has attacker-centric elements. PASTA has the capability to assess the entire cybersecurity posture of an organization by going through all seven stages of the framework. PASTA's goal is to provide a framework that can be used to model sophisticated and unpredictable threats.
4 |
5 | Seven stages of PASTA:
6 |
7 | 1. Define business and security objectives.
8 | 2. Define technical scope.
9 | 3. Decompose and analyse application.
10 | 4. Execution of threat analysis.
11 | 5. Analysis of weaknesses and vulnerabilities found in 4th stage.
12 | 6. Enumeration and modeling of attacks and exploits.
13 | 7. Risk analysis, identification of countermeasures and risk mitigation measures.
14 |
15 | **Benefits**:
16 |
17 |
18 | - PASTA stages cover a wide range of organization assets.
19 | - The method can be used for different kinds of approaches.
20 | - PASTA gives a big picture of the threats that the organization is facing.
21 |
22 |
23 | ### References
24 |
25 |
26 | - https://owasp.org/www-pdf-archive/APAC13_TonyUV.pdf
27 | - https://www.theseus.fi/bitstream/handle/10024/220967/Selin_Juuso.pdf?sequence=2&isAllowed=y
28 | - https://www.cynance.co/pasta-threat-modelling/
29 |
30 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/README.md:
--------------------------------------------------------------------------------
1 | # Methodologies
2 |
3 | **Introduction:**
4 |
5 | Methodologies offer different models for threat modeling. Some models are designed for specific cases. E.g. [CVSS](https://github.com/JYVSECTEC/PHR-model/tree/master/Hypotheses/Threat%20Modeling/Methodologies/CVSS/README.md) is a scoring system that can be used to determine the potential risk of a vulnerability by observing its CVSS score. This is a great model for classifying vulnerabilities, but it is more of an [alternative](https://owasp.org/www-pdf-archive/AdvancedThreatModeling.pdf) way to do threat modeling, since it is a scoring system rather than an actual framework. Alternative threat models are a great addition to ordinary threat models, and generally different methodologies can be used together if they match the assets within scope.
6 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/STRIDE/README.md:
--------------------------------------------------------------------------------
1 | # STRIDE
2 |
3 | STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. STRIDE is used to model an in-place system and identify associated threats by building data flow diagrams (DFDs). A DFD describes the different system assets and what kind of interaction they have with each other through graphical data flows and trust boundaries between the assets. After the DFDs are done, different threats can be documented by brainstorming based on the events and boundaries between the DFD assets. The STRIDE model is more focused on software development; e.g. it can be used to show data flows between processes, APIs, databases, etc., which helps software developers model potential threats, such as bugs, for different software components. The STRIDE model was originally invented by Loren Kohnfelder and Praerit Garg in 1999 and the model has been evolving since.
4 |
5 | **Benefits**:
6 |
7 |
8 | - Model is easy to learn.
9 | - Highly mature methodology.
10 | - Produces high-level diagram of system assets and their connections.
11 |
12 |
13 | ### References
14 |
15 |
16 | - https://apps.dtic.mil/sti/pdfs/AD1084024.pdf
17 | - http://article.nadiapub.com/IJSIA/vol8_no2/28.pdf
18 | - https://www.theseus.fi/bitstream/handle/10024/220967/Selin_Juuso.pdf?sequence=2&isAllowed=y
19 |
20 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Security Cards/README.md:
--------------------------------------------------------------------------------
1 | # Security Cards
2 |
3 | Security Cards is a security-related deck of cards. The deck contains cards from four categories: Human Impact, Adversary's Motivations, Adversary's Resources and Adversary's Methods. Each card has a title related to its category. The main content of the cards is title-related questions and context examples that organizations can use in their brainstorming process. Security Cards is more of a tool to use in brainstorming than a formal threat modeling method.
4 |
5 | Example of the "Impunity" card from the Adversary's Resources category:
6 |
7 | 
8 |
9 | **Benefits**:
10 |
11 |
12 | - Predefined examples and questions give the security team more time for actual brainstorming.
13 | - Various packs contain cards for different environments.
14 | - Non-technical people may relate to this more easily.
15 |
16 |
17 | ### References
18 |
19 |
20 | - https://resources.sei.cmu.edu/asset_files/TechnicalNote/2018_004_001_516627.pdf
21 | - https://apps.dtic.mil/sti/pdfs/AD1084024.pdf
22 |
23 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Security Cards/impunity.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Hypotheses/Threat Modeling/Methodologies/Security Cards/impunity.png
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/Trike/README.md:
--------------------------------------------------------------------------------
1 | # Trike
2 |
3 | Trike is a conceptual open source framework for security auditing from a risk management perspective through the generation of threat models. The Trike requirements model focuses on the actors interacting with the system, the things the system acts upon, the actions taken by personnel that the system is supposed to support, and the rules that define the situations in which an action can occur. The requirements model also includes organization assets and the Actor-Asset-Action Matrix, which is explained in the next chapter. When the requirements are gathered, the next step is the implementation model. In this step, system actions that do not fit into the intended actions framework are checked, and how actions interact with the state of the system is also checked. The model then looks into how the different software and hardware components fit together, which is visualized in a data flow diagram. The data flow diagram is also used for visualising the actions and the state of the system. The actual threat model is then built based on the generated DFDs. The DFDs are thoroughly explored and all the potential threats are identified. A risk model can then be built, although this part is not properly implemented in Trike.
4 |
5 | Trike categorizes all threats into one of two categories, either denial of service or elevation of privilege. Trike uses the actor-asset-action matrix to represent all data about the requirements model in a grid format. The columns of the matrix represent the assets in the system, and the rows represent the roles that actors can take on. Matrix cells are divided into four, one for each action in CRUD, which stands for "create", "read", "update" and "delete". Each action cell can be set to one of three values: disallowed action, action with rules, and allowed action. A rule tree is then attached to these cells.
6 |
7 | Trike appears to be no longer maintained; the latest Trike tool can be found [here](https://github.com/octotrike/trike).
8 |
9 | **Benefits**:
10 |
11 |
12 | - Trike is open source and its materials are available to everybody.
13 | - Trike is good at threat modeling automation.
14 |
15 |
16 | ### References
17 |
18 |
19 | - https://www.octotrike.org/papers/Trike_v1_Methodology_Document-draft.pdf
20 | - https://www.theseus.fi/bitstream/handle/10024/220967/Selin_Juuso.pdf?sequence=2&isAllowed=y
21 | - https://www.esecurityplanet.com/networks/selecting-a-threat-risk-model-for-your-organization-part-two/
22 |
23 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/Methodologies/hTMM/README.md:
--------------------------------------------------------------------------------
1 | # hTMM (Hybrid Threat Modeling Method)
2 |
3 | hTMM was developed by a Carnegie Mellon University (Software Engineering Institute) research team in 2018. The research paper on the method can be read [here](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=516617). The method is a combination of SQUARE, Security Cards and PnG (Personae non Gratae). hTMM was created considering the weaknesses of other threat modeling methods and the desirable characteristics that a threat modeling methodology should have. For example, these desirable characteristics include cost-effectiveness and not overlooking threats. Additional characteristics like intuitiveness and tool support were also considered.
4 |
5 | hTMM contains 5 different steps, which are shortly described here:
6 |
7 | 1. Identification of the system to be threat modeled.
8 | 2. Use [security cards](../Security%20Cards) for a brainstorming session and gather all data generated by the session.
9 | 3. Prune out unlikely PnGs and unrealistic attack vectors to gather up realistic misuse cases.
10 | 4. Summarization of the first three steps utilizing tool support.
11 | 5. Potentially continue with a formal risk assessment method using the results gained with hTMM.
12 |
13 | **Benefits**:
14 |
15 |
16 | - hTMM was developed with the desirable TMM characteristics in mind, and the method tries to implement these characteristics.
17 |
18 |
19 | ### References
20 |
21 |
22 | - https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=516617
23 |
24 |
--------------------------------------------------------------------------------
/Hypotheses/Threat Modeling/README.md:
--------------------------------------------------------------------------------
1 | # Threat Modeling
2 |
3 | **Introduction:**
4 |
5 | Threat Modeling is the process of finding and identifying assets in a predefined scope, searching for vulnerabilities and threats in these assets, prioritizing the found risks by their level of criticality, and remediating these risks. There is no canonical way to do threat modeling, which lets individual groups and organizations design their own way of doing it. There are also many predefined methodologies that can be used partly or entirely as a basis for the threat modeling process.
6 |
7 | **Benefits:**
8 |
9 |
10 | - Threat modeling helps to discover security issues at the design level. This potentially saves resources, since a number of threats can be mitigated already during the product design phase. Fixing vulnerabilities in a production system is much more expensive.
11 | - Helps personnel understand what kinds of threats exist and how they can preclude these threats through their own activity.
12 | - Classifying threats by their impact on assets helps to create a big picture of the worst-case scenarios.
13 | - Organizations can prepare for potential outbreaks before they happen by preemptively producing plans for these situations.
14 |
15 |
--------------------------------------------------------------------------------
/Improvements/README.md:
--------------------------------------------------------------------------------
1 | # Improvements
2 | Improvements means the continuous development of the security posture and of the capabilities to detect and analyze cyber attacks. Improvements can be identified during the post-analysis (lessons learned) phase or based on threat intelligence about current vulnerabilities, attacks or technologies. Improvements depend on the target environment and should always be assessed on the value they bring and their cost.
3 |
4 | The value of an improvement needs to be evaluated against the hypotheses of expected attacks and how the improvement can help to protect the business services or other critical functions of the organization.
5 |
--------------------------------------------------------------------------------
/Lessons Learned/README.md:
--------------------------------------------------------------------------------
1 | # Post-analysis = Lessons Learned
2 | It is important to conduct an after-action analysis and report of the cyber incident. The after-action analysis will go through the steps of the incident in detail and try to identify how the incident was handled successfully, what could be improved in the future, and what needs to be done to improve the environment so that something similar does not happen again or can be detected and handled more effectively.
3 |
4 | The lessons learned analysis is used to develop the organisation's capabilities and to address potential gaps and vulnerabilities. It can also be seen as a need for further training of staff. Corrections are made to guidelines and plans according to the shortcomings identified in the analysis. This is an important part of the organisation's recovery, learning and development process. Lessons learned should also be shared with the appropriate parties for dissemination and feedback. In the after-action analysis, it is important to identify which areas need to be improved or changed as a result of the incident, for example in security controls, practices, guidelines or policies.
5 |
6 |
7 | # Recover Checklist
8 | * Planned recovery process initiated, if necessary:
9 | * Recover data from backup system to main system
10 | * Restoring data from backups
11 | * Patching/mitigation of vulnerabilities
12 | * Upgrading or reinstalling systems
13 | * Purchase or replacement of equipment
14 | * Monitoring the progress of recovery measures
15 | * Normal operations restored as quickly and cost-effectively as possible
16 | * Decision to return to normal operations made after recovery plan measures
17 | * Intensified environmental monitoring until it is confirmed that the anomaly is unlikely to recur
18 | * The impact of the disruption on the organisation's operations, finances, and/or reputation is minimised
19 |
20 | ## Communication
21 | * Stakeholders informed during the incident when needed
22 | * Stakeholders are informed after the incident
23 | * Organised a joint meeting to discuss the situation, its implications, and the shortcomings identified
24 | * Press release where appropriate
25 | * Lessons learned from the situation are shared with the authorities and appropriate parties
26 |
27 | ## Reporting and Lessons Learned analysis
28 | * Evidence and risk indicators documented
29 | * Reporting and post-event analysis of incident actions and decisions
30 | * Description of how the incident was detected
31 | * Description of the information systems and data affected by the disruption
32 | * Knowing who is responsible for the system and data
33 | * What caused the disruption
34 | * Whether the identified incident was an identified risk in risk management and hypotheses
35 | * Description of how the incident was dealt with and how it was successfully dealt with
36 | * Whether the situation was handled according to instructions and practice
37 | * Whether the response to the incident report was sufficiently rapid
38 | * Was the effectiveness of the incident handling sufficient
39 | * Recommendations and measures to prevent similar disruptions in the future
40 | * What can be done better next time
41 | * What to practice
42 | * Where additional training or external help is needed
43 | * Identifying security remediation needs
44 | * Lessons learned from the walkthrough; how to improve incident handling for future situations
45 | * Timeline of events and actions from detection to closure of the incident
46 | * Evaluation of the effectiveness of communication (internal and external)
47 | * Including in the post-analysis those involved in the management of the incident, the owners of the systems and data, management representatives and those who could have helped in the event of an incident
48 | * Existing continuity and recovery plans and other guidelines reviewed, and corrected for identified deficiencies
49 | * Updating policies and training staff where necessary
50 | * Filing a complaint if it is clear that the service provider has acted in breach of contract or practice
51 |
52 |
--------------------------------------------------------------------------------
/Preparation/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/.gitignore
--------------------------------------------------------------------------------
/Preparation/.meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "child_order": [
3 | "Asset Management",
4 | "Change Management",
5 | "Security Policy and Guidelines",
6 | "Security Controls",
7 | "Documentation",
8 | "Staff Training",
9 | "Threat Hunting Tools",
10 | "Incident Response Tools and Tracking"
11 | ]
12 | }
--------------------------------------------------------------------------------
/Preparation/AI/Secure and Privacy-preserving Machine Learning/README.md:
--------------------------------------------------------------------------------
1 | ### Secure and privacy-preserving machine learning
2 |
3 | Machine learning models are usually trained with unencrypted data, which is problematic when dealing with highly sensitive data, where unique identifiers of persons are present or the data could be a vital and sensitive part of a business process. Some machine learning applications may receive data from and send predictions to other machines, where there is a possibility of the data being hijacked.
4 |
5 | There are frameworks currently available for encrypted machine learning for the most popular machine learning libraries:
6 | * [The open-source CrypTen framework](https://github.com/facebookresearch/CrypTen), which is usable with the PyTorch machine learning framework. CrypTen creates encrypted tensors where unencrypted tensors would normally be used. Models are also encrypted, and when inference is run, the model output is decrypted. A blog post about the tool can be found [here.](https://ai.facebook.com/blog/crypten-a-new-research-tool-for-secure-machine-learning-with-pytorch/)
7 | * Encrypted tensors are also available for the TensorFlow and Keras frameworks with [TF-Encrypted](https://github.com/tf-encrypted/tf-encrypted). Code examples of using encrypted tensors with TensorFlow and Keras models are provided in [the TF-Encrypted repository.](https://github.com/tf-encrypted/tf-encrypted/tree/master/examples/)
8 |
9 | Check the code example in the repository's [Encrypted Machine Learning notebook](tf_encrypted.ipynb), where a medical CSV dataset is first loaded in plaintext and then encrypted. A Keras model is also converted into an encrypted model, which is trained on the encrypted dataset. The model is then used to predict on encrypted data, and the predictions of the model are converted to "plaintext", or in this case, the class which is predicted from the input data.
--------------------------------------------------------------------------------
/Preparation/AI/Secure and Privacy-preserving Machine Learning/lib/common.py:
--------------------------------------------------------------------------------
1 | """From https://github.com/tf-encrypted/tf-encrypted/blob/master/examples/logistic/common.py"""
2 |
3 | """Provide classes to perform private training and private predictionn"""
4 | import tensorflow as tf
5 | import tf_encrypted as tfe
6 |
7 |
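class DataOwner:
    """Contains code meant to be executed by a data owner Player.

    Holds the dataset sizes and batch size for one data-owning party and
    builds the TF1-style input pipelines for its training and test data.
    ``initializer`` groups the iterator initializers recorded by
    ``provide_training_data`` and ``provide_testing_data``, so both of
    those must have been called before it is used (the attributes are
    ``None`` until then).
    """

    def __init__(
        self, player_name, num_features, training_set_size, test_set_size, batch_size
    ):
        """Store pipeline parameters; no graph ops are created here.

        Args:
            player_name: name of the tfe player this owner represents
                (presumably consumed by ``tfe.local_computation`` — confirm
                against the tf_encrypted version in use).
            num_features: number of feature columns in ``x``.
            training_set_size: number of training examples (stored only).
            test_set_size: number of test examples; also the batch size of
                the test pipeline.
            batch_size: batch size of the training pipeline.
        """
        self.player_name = player_name
        self.num_features = num_features
        self.training_set_size = training_set_size
        self.test_set_size = test_set_size
        self.batch_size = batch_size
        # Filled in by provide_training_data / provide_testing_data.
        self.train_initializer = None
        self.test_initializer = None

    @property
    def initializer(self):
        """Op that initializes both dataset iterators.

        Only valid once both pipelines have been built; before that the
        grouped attributes are still ``None``.
        """
        return tf.group(self.train_initializer, self.test_initializer)

    @staticmethod
    def _norm(x, y):
        """Cast one feature row to float32 and give its label a leading axis.

        Shared by both pipelines so training and test data are
        preprocessed identically.
        """
        return tf.cast(x, tf.float32), tf.expand_dims(y, 0)

    @tfe.local_computation
    def provide_training_data(self, x, y):
        """Preprocess the training dataset.

        Builds a repeating, shuffled, batched pipeline over ``(x, y)`` and
        records its iterator initializer in ``self.train_initializer``.

        Returns:
            One batch ``(x, y)`` reshaped to ``[batch_size, num_features]``
            and ``[batch_size, 1]``.
        """
        train_set = (
            tf.data.Dataset.from_tensor_slices((x, y))
            .map(self._norm)
            .repeat()
            # NOTE(review): a shuffle buffer equal to the batch size only
            # mixes examples within roughly one batch; kept as upstream.
            .shuffle(buffer_size=self.batch_size)
            .batch(self.batch_size)
        )

        train_set_iterator = train_set.make_initializable_iterator()
        self.train_initializer = train_set_iterator.initializer

        batch_x, batch_y = train_set_iterator.get_next()
        # Pin static shapes so downstream consumers see a known layout.
        batch_x = tf.reshape(batch_x, [self.batch_size, self.num_features])
        batch_y = tf.reshape(batch_y, [self.batch_size, 1])

        return batch_x, batch_y

    @tfe.local_computation
    def provide_testing_data(self, x, y):
        """Preprocess the testing dataset.

        Builds a single-batch pipeline over ``(x, y)`` (the batch is the
        whole test set) and records its iterator initializer in
        ``self.test_initializer``.

        Returns:
            One batch ``(x, y)`` reshaped to ``[test_set_size, num_features]``
            and ``[test_set_size, 1]``.
        """
        test_set = (
            tf.data.Dataset.from_tensor_slices((x, y))
            .map(self._norm)
            .batch(self.test_set_size)
        )

        test_set_iterator = test_set.make_initializable_iterator()
        self.test_initializer = test_set_iterator.initializer

        batch_x, batch_y = test_set_iterator.get_next()
        # Pin static shapes so downstream consumers see a known layout.
        batch_x = tf.reshape(batch_x, [self.test_set_size, self.num_features])
        batch_y = tf.reshape(batch_y, [self.test_set_size, 1])

        return batch_x, batch_y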
77 |
class PredictionClient:
    """Contains methods meant to be executed by a prediction client.

    The client supplies one random input row and prints the prediction it
    receives back, labelled with its player name.
    """

    def __init__(self, player_name, num_features):
        # player_name identifies the tfe player; num_features sizes the input row.
        self.player_name = player_name
        self.num_features = num_features

    @tfe.local_computation
    def provide_input(self):
        """Return one float32 row of shape [1, num_features] drawn uniformly from [-0.5, 0.5)."""
        input_shape = [1, self.num_features]
        return tf.random.uniform(
            shape=input_shape, minval=-0.5, maxval=0.5, dtype=tf.float32
        )

    @tfe.local_computation
    def receive_output(self, result):
        """Print the received result, prefixed with this player's name."""
        label = "Result on {}:".format(self.player_name)
        return tf.print(label, result)
--------------------------------------------------------------------------------
/Preparation/AI/cyberdatalake.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/AI/cyberdatalake.png
--------------------------------------------------------------------------------
/Preparation/Incident Response Tools and Tracking/MISP/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Incident Response Tools and Tracking/MISP/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Incident Response Tools and Tracking/MISP/README.md:
--------------------------------------------------------------------------------
1 | # MISP
2 |
3 |
4 | https://www.misp-project.org/
5 |
6 |
7 | **Introduction:** " Malware Information Sharing Platform is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. "
8 |
9 | **Features:**
10 | - Sharing IoCs
11 | - Enrich events
12 | - Exporting IoCs to security controls
13 |
14 | **Worth noticing:**
15 | - There are multiple ways in which, and purposes for which, MISP can be used
16 |
17 |
18 | **Also fits in:** Threat Intelligence, Incident Response
19 |
20 | **How this tool integrates to our PHR model:**
21 |
22 |
23 | Can be used for handling events, IoCs, feeds and threat intelligence
24 |
25 |
26 | **Use case:** From event to incident
27 |
28 |
29 | **Question:** How can we benefit from using MISP?
30 |
31 |
32 | **Answer:** When we inspect events/alerts from other tools, there might be something so suspicious that it needs more investigation. We can add it to MISP together with the observables it has (IP addresses, hashes, etc.), and then continue the investigation further, manually or automatically. Enrich the data. Form a bigger picture of what is going on and which events are related to others. Share this data with others.
--------------------------------------------------------------------------------
/Preparation/Incident Response Tools and Tracking/README.md:
--------------------------------------------------------------------------------
1 | **Introduction:** To keep track of what incidents there are, what information we have on them, who is working on which case, etc. Sharing information and collecting data/IoCs. The final goal is to manage incidents so that harm/damage can be minimized.
2 |
3 |
4 | **Benefits:**
5 | - Makes it easier to see what is solved, what is still under investigation, and what observables we have
6 |
7 |
8 | **Worth noticing:**
9 | - These tools help to keep track
10 | - Having the right tools and practising how to use them will help you when a real situation arises.
11 | - Tools should be easy to use, so that you can quickly find out what the situation is and what information you have.
12 | - Different tools fit different people/organizations better
13 |
14 |
15 | **Features:**
16 |
--------------------------------------------------------------------------------
/Preparation/Incident Response Tools and Tracking/TheHive/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Incident Response Tools and Tracking/TheHive/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Incident Response Tools and Tracking/TheHive/README.md:
--------------------------------------------------------------------------------
1 | # TheHive
2 |
3 |
4 |
5 | https://thehive-project.org/
6 |
7 |
8 | **Introduction:** " A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. "
9 |
10 |
11 | **Features:**
12 |
13 |
14 | - Multiple persons can work on the same case at the same time
15 | - A case can have as many tasks as you want
16 | - A case can be created from an alert / MISP event
17 | - Alerts can come from multiple sources (SIEM, email, IDS, MISP, ...)
18 | - Export cases to multiple MISP instances
19 |
20 |
21 | **Worth noticing:**
22 |
23 |
24 | - With Cortex, it can be used to query analyzers, or to check whether MISP has information about observables
25 | - Can create analysis reports
26 |
27 |
28 | **Also fits in:**
29 |
30 |
31 | Threat Intelligence, Incident Response
32 |
33 |
34 |
35 | **How this tool integrates to our PHR model:**
36 |
37 |
38 | Can be used with MISP to automatically check observables against MISP
39 |
40 |
41 | **Use case:**
42 |
43 |
44 | **Question:** How does TheHive help us?
45 |
46 |
47 | **Answer:** We can add/export data/events from multiple sources, like e-mail reports, SIEM, threat intel providers, MISP, etc. The observables are then analyzed further with Cortex analyzers, like sandboxes, VirusTotal, MISP, etc. Then we can import the findings into multiple MISP instances.
48 |
49 |
50 | **Question:** How is automation with TheHive done?
51 |
52 |
53 | **Answer:** In our environment we have ElastAlert configured to automatically pick observables from the data (like IP addresses, URLs, ...) and then send them to TheHive for further analysis.
--------------------------------------------------------------------------------
/Preparation/README.md:
--------------------------------------------------------------------------------
1 | Preparations are critical for an organization to be able to protect its critical assets and business services. Preparations include the essential processes, technologies and procedures to manage the environment and prepare for handling attacks. Everything begins by identifying the relevant assets and modifying security policies and guidelines to support protecting those assets. Then come finding the security controls and threat hunting tools that fit the company best for protecting its critical assets. Documentation and staff training are also important parts of preparation.
2 |
3 | Incident response tools and tracking should also be adjusted so that they support the other PHR-model phases. There are multiple tools for different jobs; it is unnecessary to use all of them, and it makes more sense to focus on the essential tools. The essential tools depend on the needs of the organization and the complexity of its technical environment. Tools should be chosen based on the type of attacks they work against. The most likely attacks should be determined in the [hypotheses](../Hypotheses).
4 |
--------------------------------------------------------------------------------
/Preparation/Security Controls/EDR/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/EDR/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/EDR/README.md:
--------------------------------------------------------------------------------
1 | **Introduction:** Endpoint Detection and Response; antivirus can detect malicious files, but EDR focuses more on suspicious activity
2 |
3 | **Benefits:**
4 | - It is important to get visibility into what is going on on endpoint devices, and EDR helps with that. Knowledge about running processes, user logins and file modifications helps to detect malicious activity
5 | - Can be used to detect known bad actions, but also for finding suspicious activity on end devices.
6 |
7 |
8 | **Worth noticing:**
9 | - It is possible to protect against / get visibility into certain TTPs that attackers might use. But it is important to keep in mind that this only gives visibility into anomalous behaviour on endpoints.
10 | - Attackers can perform anomalous activity in other places; for example, credentials might be obtained via social media, fake sites, e-mails, etc., which isn't visible to EDR.
11 | - To get the most use out of EDR data, combine it with other controls: what is going on in the network, which actors are targeting us, etc.
12 | - Doesn't eliminate the need for antivirus software; AV focuses on malicious files, while EDR gives visibility into the bigger picture and also helps with analyzing attack phases
13 | - Sometimes it is hard to determine which things should cause alerts, so that there won't be too many false positives.
14 |
15 |
16 |
17 | **Features:**
18 | - File integrity checks
19 | - continuous monitoring and response to advanced threats
20 | - Suspicious activity detection
21 | - Data exploration
--------------------------------------------------------------------------------
/Preparation/Security Controls/EDR/Wazuh/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/EDR/Wazuh/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/EDR/Wazuh/README.md:
--------------------------------------------------------------------------------
1 | # Wazuh, https://wazuh.com/
2 | "Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. "
3 |
4 |
5 | **Worth noticing:**
6 | Wazuh includes rule sets, file-integrity monitoring and reports that map to requirements of standards such as PCI DSS, HIPAA and GDPR. It supports meeting those requirements; it does not by itself make the organization compliant.
7 |
8 |
9 | **Also fits in:** Threat hunting, Incident Response Tools and Tracking
10 |
11 | **How this tool integrates to our PHR model:**
12 | Combined with other tools (SIEM, network monitoring), Wazuh agents give us visibility into endpoint devices: process execution, logons, file integrity and collected logs.
13 |
14 |
15 | **Use case**: Detecting malicious activity.
16 | **Basis**: Organization has Windows AD environment, attacker has gained access to it.
17 | **Question**: How can Wazuh help us to detect malicious activity
18 |
19 |
20 | Attacker activity was simulated by running adversary-simulation scripts (APTSimulator, https://github.com/NextronSystems/APTSimulator, and https://github.com/endgameinc/RTA). Wazuh raised alerts for multiple suspicious activities, and Windows Defender also blocked some actions from those scripts. So with Wazuh you get hints that something suspicious is going on: for some techniques an alert is by itself a high-confidence sign of malicious activity, but often you have to combine it with threat-intelligence data and other context you have. To keep false positives down, it is important to tune which files, processes and activities you log and to establish what the normal baseline looks like.
--------------------------------------------------------------------------------
/Preparation/Security Controls/IDS/IPS/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/IDS/IPS/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/IDS/IPS/README.md:
--------------------------------------------------------------------------------
1 | # IDS/IPS:
2 | **Introduction:** An Intrusion Detection / Prevention System looks for suspicious activity in network traffic and/or on a host. An IDS only alerts; an IPS sits inline and can also block the traffic it matches.
3 |
4 | **Benefits:**
5 |
6 | - Detecting suspicious activity
7 |
8 | **Worth noticing:**
9 |
10 | - Outcome depends on where the IDS/IPS is placed: which network segments it sees, whether it is inline (IPS, can block) or on a passive tap/SPAN port (IDS, alert only), and whether it sits in front of or behind the firewall. Encrypted traffic cannot be inspected unless it is decrypted at that point.
11 |
12 |
13 | **Features:**
14 |
15 | - Rule based
16 | - Heuristics based
--------------------------------------------------------------------------------
/Preparation/Security Controls/IDS/IPS/Snort/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/IDS/IPS/Snort/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/IDS/IPS/Snort/README.md:
--------------------------------------------------------------------------------
1 | # Snort,
2 |
3 |
4 | https://www.snort.org/
5 |
6 |
7 | **Introduction:** " It is an open source intrusion prevention system capable of real-time traffic analysis and packet logging. "
8 |
9 |
10 | **Worth noticing:**
11 | - The most important thing is to establish the baseline of the organization's normal traffic, so that rules can be made precise enough to avoid false positives while still catching the true positives.
12 | - If Snort is placed behind the firewall, its alerts show what the firewall let through and can therefore help to adjust the firewall rules.
13 |
14 |
15 | **Also fits in:** yyy,zzz
16 |
17 | **How this tool integrates to our PHR model:**
18 |
19 |
20 | Combining snort with firewall...
21 |
22 |
23 | **Use case:**
24 |
25 |
26 | **Basis:**
27 |
28 |
29 | **Question:**
--------------------------------------------------------------------------------
/Preparation/Security Controls/MFA/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/MFA/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/MFA/README.md:
--------------------------------------------------------------------------------
1 | # MFA
2 |
3 |
4 | **Introduction:** Multi-factor authentication
5 |
6 | **Benefits:**
7 |
8 |
9 | - Limits the impact of leaked or stolen passwords: the attacker also needs the second factor.
10 |
11 |
12 | - Additional layer of protection on top of the password
13 |
14 |
15 |
16 | **Worth noticing:**
17 |
18 |
19 | - Should be enforced by company policy and by technical configuration (not left optional for users), starting with administrator accounts and remote access (VPN, e-mail, cloud services).
20 |
21 |
22 | **Features:**
23 |
24 |
25 | - Mobile application (push/TOTP), SMS, voice call, hardware token etc. Factors are not equal: SMS and voice codes can be intercepted or SIM-swapped, and any one-time code can be relayed by a real-time phishing proxy; phishing-resistant hardware tokens (FIDO2/WebAuthn) are the strongest option.
26 |
27 |
28 |
29 | **How this tool integrates to our PHR model/ Use case:**
30 |
31 |
32 | In many of our scenarios the attacker would not have been able to use stolen credentials if MFA had been enforced. Note that MFA does not protect already-issued session cookies/tokens and does not by itself stop push-fatigue (repeated prompt) attacks, so it complements rather than replaces login monitoring.
--------------------------------------------------------------------------------
/Preparation/Security Controls/SIEM/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/SIEM/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/SIEM/Elastic SIEM/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Security Controls/SIEM/Elastic SIEM/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Security Controls/SIEM/Elastic SIEM/README.md:
--------------------------------------------------------------------------------
1 | # Elastic SIEM, https://www.elastic.co/siem
2 |
3 |
4 | **Introduction:** " Everything you love about the free and open Elastic Stack — geared toward security information and event management (SIEM). Leverage the speed, scale, and relevance of Elastic SIEM to drive your security operations and threat hunting. "
5 |
6 | **Worth noticing:**
7 | -
8 |
9 |
10 | **Features:**
11 | - Correlation rules, that detect tools, tactics, and procedures indicative of potential threats. Content is aligned with the MITRE ATT&CK knowledge base and ready for immediate implementation.
12 | - Machine learning
13 | - Pre-built Beats integrations
14 |
15 |
16 | **Also fits in:** Threat Hunting, Triage
17 |
18 | **How this tool integrates to our PHR model:**
19 | Events, alerts and data gathered by the other tools are sent to Elastic SIEM, where we can correlate them and analyze the situation.
20 |
21 |
22 | **Use case:** Monitoring logins
23 |
24 |
25 | **Basis:** Our environment has honey accounts & honeypots
26 |
27 |
28 | **Question:** How will monitoring logins help us
29 |
30 |
31 | **Answer 1:** If anyone even attempts to log in with a honey account or to a honeypot, successful or not, it should not be one of our employees. Make sure no legitimate automation touches these accounts, so the alert stays high-fidelity.
32 |
33 |
34 | **Answer 2:** We can also monitor for login attempts to the accounts of people who are known to be on vacation or otherwise absent.
35 |
36 |
37 | **Answer 3:** The same account logging in to multiple places at the same time, or from locations it could not have travelled between in the elapsed time, is suspicious.
38 |
39 |
40 |
41 | **Use case:** Using SIEM for investigation
42 |
43 |
44 | **Basis:** In our environment we monitor all device logins & admin actions
45 |
46 |
47 | **Question:** How will SIEM helps us finding breach & investigating
48 |
49 |
50 | **Answer:** Our SIEM alerted us to suspicious activity. We found that soon after the honeypot was probed, a new account was created on another device. With the SIEM's timeline feature we were able to find out what the attacker tried to do with that account. Our firewall was also logging all activity, including traffic decrypted by the TLS-inspecting proxy, so we were able to see which URLs / IP addresses the attacker accessed. By gathering this evidence as IoCs into our MISP, our analysts can form threat intelligence.
--------------------------------------------------------------------------------
/Preparation/Security Controls/SIEM/README.md:
--------------------------------------------------------------------------------
1 | # SIEM:
2 | **Introduction:** A SIEM is used to centralize log and alert data from various systems and to correlate and alert on it
3 |
4 |
5 | **Benefits:**
6 |
7 |
8 | - By connecting data from multiple sources, it is easier to understand what is going on
9 |
10 |
11 | **Worth noticing:**
12 |
13 |
14 | - Its value depends on which sources are forwarded and what they contain: the SIEM cannot alert on events it never receives, so log sources and retention need to be planned deliberately
15 |
16 |
17 |
18 | **Features:**
19 | - Gathering all information in one place
20 | - Correlating information
21 | - Alerts
22 | - Helps to draw bigger picture on systems
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Honeypots/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Threat Hunting Tools/Honeypots/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Honeypots/Cowrie/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Threat Hunting Tools/Honeypots/Cowrie/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Honeypots/Cowrie/README.md:
--------------------------------------------------------------------------------
1 | # Cowrie (forked from the Kippo honeypot), https://github.com/cowrie/cowrie
2 |
3 |
4 | **Introduction:** " Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system"
5 |
6 | **Worth noticing:**
7 | - Attacker sessions are recorded and can be replayed in real time
8 | - Customizable (emulated filesystem and the credentials that are accepted)
9 |
10 |
11 |
12 | **How this tool integrates to our PHR model:**
13 | With Cowrie we try to lure attackers to a decoy, which gives us an alert and buys us time to plan our defence and gather threat intelligence. In high-interaction (proxy) mode the attacker's session is forwarded to a real backend system, so that backend must be disposable and isolated from production.
14 |
15 |
16 | **Use case:** Using honeytraps to get alerts from outsider on system
17 | Our systems contain multiple honey traps; when any of them is used we start an investigation into who it is and where it comes from. With good network/system monitoring we can trace where the attacker has been before, what he/she has done on our systems, etc. Then we need to decide whether we know enough to block the attacker, or whether to wait and gather more knowledge (combining IoCs, the attacker's techniques and threat intelligence), so that when we do block, we can be confident the attacker has no other way back into our systems.
18 |
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Honeypots/README.md:
--------------------------------------------------------------------------------
1 | # Honeypots
2 |
3 |
4 | **Introduction**: Honeypots lure attackers to a monitored server that looks valuable to them. Because nobody in the organization should be accessing a honeypot, every connection to it should be treated as an intruder.
5 |
6 | **Benefits:**
7 |
8 |
9 | - Alerts from breach (when access is monitored)
10 |
11 |
12 | - Distracting attacker
13 |
14 |
15 | - Learning attackers actions
16 |
17 |
18 |
19 | **Worth noticing:**
20 |
21 |
22 | - Should contain as much misleading information as possible to keep the attacker distracted longer, but never real credentials or real data
23 | - Must be isolated (own network segment, restricted egress) so that a compromised honeypot cannot be used as a pivot to attack further; the honeypot software itself may have vulnerabilities
24 |
25 |
26 | **Features:**
27 |
28 |
29 | - SSH-honeypots
30 | - databases
31 | - Honey tokens / honey accounts
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Jupyter Notebooks/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Preparation/Threat Hunting Tools/Jupyter Notebooks/.gitkeep
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/Jupyter Notebooks/README.md:
--------------------------------------------------------------------------------
1 | # Jupyter Notebooks
2 |
3 | https://jupyter.org/
4 |
5 |
6 | **Introduction:** " The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more."
7 |
8 |
9 | **Features:**
10 |
11 | - Data Analytics
12 | - Visualization
13 | - Machine Learning
14 |
15 |
16 | **Worth noticing:**
17 |
18 | - Can be used many ways
19 | - Can be used to test whether we have detection rules for certain events
20 | - Can be used to query mail for certain malicious events etc.
21 |
22 |
23 | **Also fits in:** Threat hunting, Triage
24 |
25 | **How this tool integrates to our PHR model:**
26 | Jupyter Notebooks can be used in many places: we can run queries against our SIEM and IDS, and draw analytics from the data we have. They can even help us to analyze whether our rule baseline is too strict or too loose by comparing real-time data against baseline data. A really good tool for threat hunting and for investigating anomalies/suspicious behaviour. Note that the notebook server holds SIEM credentials and runs arbitrary code, so access to it should be restricted, and secrets should be kept out of saved notebooks (cell outputs are stored in the .ipynb file).
27 |
28 |
29 | **Use case:**
30 |
31 |
32 | **Basis:**
33 |
34 |
35 | **Question:**
--------------------------------------------------------------------------------
/Preparation/Threat Hunting Tools/README.md:
--------------------------------------------------------------------------------
1 | # Threat Hunting
2 |
3 |
4 | **Introduction:** Threat hunting is proactively searching for signs of breach / malicious / adversary activity in your environment, such as modified files that nobody should have touched, or suspicious files and accounts. When new threat intelligence / IoCs arrive, it is good to check our systems against that new information.
5 |
6 | **Benefits:**
7 |
8 | - Can also be used to find signs of older breaches
9 |
10 |
11 |
12 |
13 | **Worth noticing:**
14 |
15 |
16 | - Requires understanding of adversary activity/behaviour
17 | - Helps to understand the state of your systems
18 | - The better hunters understand their systems/environment, the easier it becomes to detect things that shouldn't be there and to know where to look for anomalies
19 |
20 | **Features:**
21 |
--------------------------------------------------------------------------------
/Prepare_Hunt_Respond_Poster.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Prepare_Hunt_Respond_Poster.pdf
--------------------------------------------------------------------------------
/Threat Hunting/README.md:
--------------------------------------------------------------------------------
1 | # Threat Hunting
2 |
3 | Threat hunting is a process for searching for active attacks in the organization's environment. Threat hunting is often associated with finding attacks that are hidden and not detected by any security control. Some sources claim that threat hunting also covers finding the parts of an already detected attack that no control caught, as part of incident response. In the Prepare, Hunt, and Respond model, threat hunting is considered a process for finding attacks that have not been detected in any way. Hunting should target specific attack vectors and techniques, based on hypotheses derived from the organization's environment and risk assessment.
4 |
5 | Threat hunting requires security controls and measures that collect data from different systems and endpoints, so that threat actors' activities in the environment can be found. Threat hunting can be partly automated (especially searching for known IoCs, Indicators of Compromise) but is fundamentally a human-driven activity. It can be a continuous process or something done periodically, depending on available resources.
6 |
7 | ## Threat hunting teams
8 | TODO
9 |
10 | ## Threat hunting types
11 | TODO
12 |
13 | ## Threat hunting models
14 | TODO
15 |
16 | ## Threat hunting tools
17 | TODO
18 |
19 | ### Datasets
20 | Datasets provide a quick way to practice or educate others on threat hunting methods without having to put resources on generating or gathering attack data.
21 |
22 | * [IDS 2018](https://www.unb.ca/cic/datasets/ids-2018.html) - A cybersecurity exercise with all operating system log data recorded to EVTX files and network traffic to PCAP files.
23 | * [Mordor Dataset](https://mordordatasets.com/introduction.html) - Security events in JSON format
24 |
25 | ### Tools
26 |
27 | * [Sysmon](https://github.com/SwiftOnSecurity/sysmon-config)
28 | * [Osquery](https://github.com/palantir/osquery-configuration)
29 |
30 | ### Resources
31 |
32 | * [Threat Hunter Playbook](https://threathunterplaybook.com/introduction.html) - contains a Windows knowledge library with information about, for example, Task Scheduler related logs and their event IDs. The book also contains instructions for pre-hunt data management steps and specific threat hunting playbook examples, where the attacks are divided into MITRE ATT&CK categories.
33 |
--------------------------------------------------------------------------------
/Threat Hunting/Threat Hunting with Jupyter Notebooks/README.md:
--------------------------------------------------------------------------------
1 | **Introduction:**
2 |
3 | Jupyter Notebooks are a useful tool for faster and easily documentable threat hunting. Jupyter Notebook servers can be quickly deployed locally in a desktop or in a remote server. Installation options include using the [Anaconda data science distribution platform for easy installation of data-analysis and machine learning libraries](https://jupyter.org/install) or by [downloading premade Docker images in order to run a Docker container.](https://jupyter-docker-stacks.readthedocs.io/en/latest/index.html)
4 |
5 | **Benefits:**
6 | * Jupyter Notebooks are JSON-formatted documents, so templates can easily be generated by scripts and called when a threat hunter starts a new hunt. This simplifies the start of a hunting process and helps to unify the results of different hunts. (Because cell outputs are saved in the same JSON, be careful not to commit notebooks that contain sensitive log data or credentials.)
7 | * Markdown documents can be inserted between programming code to provide notes for the threat hunter or be shared with other team members
8 |
9 | **Use cases:**
10 | Jupyter runs code in kernels. Each kernel can have a different programming language and different libraries installed. Switching kernels is quick, so the jupyter environment is really flexible. The most common programming language used in Jupyter Notebooks is Python, but there is also support for .NET Interactive, where C# code and PowerShell scripts can be run on the same notebook. [Installation for .NET kernels can be found here](https://devblogs.microsoft.com/dotnet/net-interactive-is-here-net-notebooks-preview-2/). The .NET Interactive notebooks could be used to run for example [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI), which is a PowerShell module for threat hunting Windows XML Event (EVTX) logs.
11 |
12 | [The example notebook](threat_hunting_IDS2018.ipynb) contains a threat hunting example from [IDS 2018 dataset](https://www.unb.ca/cic/datasets/ids-2018.html), where EVTX logs were compiled to Elasticsearch, and Elasticsearch data is queried and processed locally in the notebook. From the event logs, a hunter needs to find indications of infiltration, using windows event codes. An example for running DeepBlue on EVTX log files is provided [in the notebook here.](threat_hunting_deepblue.ipynb)
13 |
14 | **Frameworks:**
15 | * [HELK](https://github.com/Cyb3rWard0g/HELK) - An open source threat hunting platform, streaming multiple Elastic Beats data sources into Elasticsearch, Logstash and Kibana (ELK) stack with options for Big Data analytics, SIGMA rule creation and hunting with Jupyter Notebooks.
16 | * [MSTIC Jupyter and Python Security Tools](https://github.com/microsoft/msticpy) - Microsoft Threat Intelligence's library for hunting in Jupyter Notebooks, provides ability to query log data from multiple sources, enriching data with OSINT or Azure data and perform analysis with multiple tools such as anomalous session detection and time series decomposition. Data can be visualized with interactive timelines and process trees.
--------------------------------------------------------------------------------
/Triage-Respond/.meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "Triage / Respond"
3 | }
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Triage-Respond/Investigations/.gitkeep
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/CyberChef/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Triage-Respond/Investigations/CyberChef/.gitkeep
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/Memory-Forensics/Autovola.md:
--------------------------------------------------------------------------------
1 | # Autovola
2 |
3 | Autovola is a dockerized system built to automate certain memory-forensic processes using Volatility 3. The system is the result of this [thesis](https://www.theseus.fi/handle/10024/503247). Autovola is an open source project and can be found [here](https://github.com/JYVSECTEC/Autovola).
4 |
5 | Memory dumps and the corresponding ISF (symbol) files can be uploaded to Autovola. After that users choose which Volatility 3 plugins they want to run on these dumps. Each plugin's output can be viewed later on a designated analysis page, which lets users filter plugin output using regular expressions. E.g. a user can filter processes by PID, PPID or process name, and the page will then only display data containing that information. Users can also filter memory dumps by using certain data in plugin output as a search query.
6 |
7 | Autovola does not support Volatility 3 utilities like volshell. The system should be seen as a centralized storage for memory dumps, where users can do high-level analysis by filtering the data they are interested in. E.g. users can upload a batch of dumps from different systems to Autovola and then check which of them contain artifacts of a specific malware. This way they can determine which systems have been infected. Memory dumps contain credentials and other sensitive data, so access to the Autovola instance should be restricted accordingly.
8 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/Memory-Forensics/binary-virustotal-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Triage-Respond/Investigations/Memory-Forensics/binary-virustotal-results.png
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/Memory-Forensics/malfind-virustotal-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Triage-Respond/Investigations/Memory-Forensics/malfind-virustotal-results.png
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/README.md:
--------------------------------------------------------------------------------
1 | # Detailed investigation
2 | Detailed investigation should determine what really has happened, what kind of attack the incident is, what systems are affected, what attack methods the attacker used, and what weaknesses and/or vulnerabilities attacker exploited.
3 |
4 | During the detailed investigation many tasks need to be performed, and the level of expertise required varies between environments depending on tools and architecture.
5 |
6 | Based on the triage analysis, a detailed analysis of the selected systems needs to be carried out to
7 | provide a clearer understanding of how the anomaly occurred and what is the best way to mitigate it.
8 | 1. List the systems and their dependencies on other systems
9 | 2. Based on the anomaly, ensure secure access to the target systems
10 | * If the attacker may have system-level privileges on the target, assume that any credentials used to log on to it can be captured. Use dedicated investigation accounts rather than regular or domain-admin accounts,
11 | prefer out-of-band or console access, and reset those credentials after the investigation
12 | 3. Collect local logs from the system for analysis
13 | 4. Find out when the detection/attack occurred
14 | * This can be challenging in the early stages, but you need to find
15 | attacker's first foothold or initial access.
16 | 5. Examine firewalls, logs and alerts related to systems
17 | * Check open sessions in the system
18 | * Check current connections and sessions through the firewall for the system
19 | 6. Examine netflow-data related to systems
20 | * Find out where the systems have been connected to
21 | * Find out where the systems have been connected from
22 | 7. Find out the logins to the systems
23 | 8. Find out about logins from the system to other locations/systems
24 | 9. Using attack-specific checklists or other methods, try to determine the root cause of the attack
25 | (i.e. how, when and what the attacker was able to use to carry out the attack)
26 | * Document findings, IoCs, interventions and their timestamps, and notes
27 | * Use attack specific checklists to help the investigation:
28 | * [Reconnaissance, Phishing, and Social Engineering checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/recon_phishing_social_engineering_checklist.md)
29 | * [Malware infection checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/malware_infection_checklist.md)
30 | * [Data Breach checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/data_breach_checklist.md)
31 | * [DDoS attack checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/ddos_attack_checklist.md)
32 | * [Large scale or targeted attack checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/large_scale_attack_checklist.md)
33 | 10. You can also utilize system specific checklists:
34 | * [Firewall investigation checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/firewalls_checklist.md)
35 | * [Network device investigation checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/network_device_checklist.md)
36 | * [Server investigation checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/server_checklist.md)
37 | * [Workstation investigation checklist](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/workstation_checklist.md)
38 | 11. In addition to the checklists, you might need more detailed investigations depending on nature of the attack and incident. For example, memory forensics might be needed to determine actual methods used by attacker or actual data that attacker was able to access in the system. [Memory Forensics](https://github.com/JYVSECTEC/PHR-model/tree/master/Triage-Respond/Investigations/Memory-Forensics/README.md) helps to start that
39 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/data_breach_checklist.md:
--------------------------------------------------------------------------------
1 | # Data Breach investigation
2 | Data breach in this case refers to an attack on a system or service where a user/attacker has gained
3 | access to unauthorised information and activities. A data breach may be committed using existing
4 | access rights or by exploiting a vulnerability.
5 |
6 | It is important to analyse and document the data breach:
7 | 1. Time of observation
8 | 2. Targeted system
9 | 3. Is this an unauthorised use of access rights?
10 | * If yes, what level of access rights are involved?
11 | * If yes, are any of user IDs with IT management privileges?
12 | 4. Is this an exploitation of vulnerability?
13 | * If yes, what was the method used to break into the system?
14 | * If yes, is the vulnerability publicly known?
15 | * If not, prepare a dossier on the vulnerability (preserve the exploit artifacts and logs as evidence) and contact your local authority (e.g. National CERT) to
16 | coordinate disclosure of the vulnerability with the vendor.
17 | * If yes, is there a more detailed description of the exploitation method for
18 | the vulnerability?
19 | * If yes, is there a mitigation method for the vulnerability?
20 | 5. Are there similar anomalies observed in other systems?
21 | 6. What information has the attacker/user had access to through the system?
22 | * Is the data classified?
23 | * If yes, is this confidential information of the organisation?
24 | * If yes, is this confidential information of the organisation's customers?
25 | * Is there any personal data in the system?
26 | * If yes, contact the Data Protection Officer without delay (statutory breach-notification deadlines, e.g. 72 hours under GDPR, may apply)
27 | * If yes, has access been gained to the information?
28 | * If yes, find out whose data has been seen/available to the attacker/user
29 | 7. From which source IP was the data breach committed?
30 | 8. What method has the attacker/user used?
31 | 9. Was the attacker/user able to execute malicious code on the system?
32 | * If yes, which process or application was added by the attacker/user?
33 | * If yes, where is the malicious code located on the system?
34 | * If yes, does the malicious code open a command channel for the attacker to enter
35 | the system?
36 | * If yes, what is the communication channel between the system and the
37 | attacker's server?
38 | * If yes, what is the destination IP address / domain of the command channel?
39 | * If yes, find out whether a similar command channel is used elsewhere in
40 | the environment
41 |
42 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/ddos_attack_checklist.md:
--------------------------------------------------------------------------------
1 | # Distributed Denial of Service Attack
2 | In the case of denial of service attacks, the situation is often critical from the moment of detection. For
3 | this reason, it is important to accurately identify the characteristics of the denial of service attack in
4 | order to maximise the effectiveness of mitigation. Note that in volumetric attacks the source IP addresses are often spoofed or belong to a large botnet, so mitigation usually has to be based on the traffic profile and coordinated with the upstream ISP or DDoS mitigation provider rather than on blocking individual source addresses.
5 |
6 | Analysis and documentation of the denial of service
7 | attack is important:
8 | 1. Identify target system(s) and service(s) under attack
9 | 2. Start date and time
10 | 3. Is it volumetric (high traffic volume or a large number of connections)?
11 | * If yes, it is important to find out what type of traffic is
12 | * Is the traffic similar (protocol, application, etc.) to the normal traffic of
13 | the service?
14 | * If yes, it is important to identify the traffic profile that differs from the normal
15 | traffic of the service
16 | * Protocol, port, application specific features (e.g. DNS header information,
17 | HTTP header information)
18 | * Attack traffic volume: bits per second, packets per second and (for application-layer traffic) requests per second
19 | * Other possible differences from normal traffic
20 | 4. Is it another kind of denial of service attack (e.g. application-layer or exploit-based)?
21 | * If yes, is there a specific type of traffic to the service?
22 | * If yes, is there a publicly known vulnerability in the service that allows denial of
23 | service?
24 | * If so, is there any public knowledge of how to counteract this
25 | vulnerability?
26 | * If yes, is the attack using HTTP(s) traffic?
27 | * If yes, is the HTTP method POST?
28 | * If yes, is there a form on the site that the attack will use?
29 | * If yes, is the HTTP method GET?
30 | * If yes, is the HTTP method something other than GET or POST?
31 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/firewalls_checklist.md:
--------------------------------------------------------------------------------
1 | # Firewall checklist
2 | * Identify possible alerts on the systems involved in the incident (if IDS/IPS functionality, check those)
3 | * If alerts are found, find out what the alert means and document which system the alarm is related to
4 | * Find out from the firewall logs how the systems associated with the incident are being connected to, and from where
5 | * Document abnormal traffic on a system-by-system basis (where/whom, protocol, port information, possible application information, other information)
6 | * Identify the open network connections (sessions) of the systems involved in the incident
7 | * Document open network connections (IP-src, IP-dst, protocol, port information, possible application information, other information)
8 | * Find out the firewall rules for the systems involved in the anomaly
9 | * What are the rules allowing?
10 | * Is there something different in the rules? Should the rule be in place? Does it allow only needed traffic?
11 | * Find out if there have been any changes to the firewall rules for the systems involved in the incident
12 | * What the changes concern
13 | * When the changes were made
14 | * Who has made the changes (which account, and was there an approved change request for them)?
15 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/large_scale_attack_checklist.md:
--------------------------------------------------------------------------------
1 | # Large-scale attack investigation
2 | A large-scale attack may not be immediately clear from a single detection, but may be identified
3 | as a larger scale through different events. In the case of an organisation, a large-scale attack refers to
4 | an attack that aims to paralyse the operational activities of the organisation on a section-by-section
5 | basis. In a large-scale attack, as in any other incident, it is important to determine what the incident actually
6 | involves before allocating resources to perform different tasks.
7 |
8 | Targeted attacks may also use highly visible attacks as a smokescreen to focus resources on investigating and resolving visible attacks. To investigate:
9 | 1. Find out the origin of the first detection
10 | 2. Investigate other suspicious findings in various security checks
11 | * Check firewall logs and alerts
12 | * Check security alerts on endpoints (EDR/antivirus)
13 | * Check your email service alerts
14 | * Document any findings
15 | 3. Find out if there are other indications of compromise
16 | 4. Find out if there are open management interfaces from the systems to other systems
17 | 5. Find out if the systems have open C&C connections to the Internet
18 | * Which protocol, IP address, application, service, etc. is used?
19 | * Find out if there is a corresponding C&C channel open on other systems
20 | * Document IoC data from C&C connections
21 | 6. Identify the priority of the most critical systems in the recovery plan
22 | * The security team must make a final decision on the order of the investigation
23 | 7. Analyze the impact of the attack on different systems and assemble an overall picture
24 | * Document which services are impacted by the attack
25 | * Document which systems you no longer have management access to
26 | * Document which systems have lost reliability
27 | 8. Investigate the origin of the attack based on findings from different systems
28 | 9. Compile a timeline of the attack
29 | * Which systems contain IoC data (timestamps of when they first entered the
30 | systems)
31 | * Try to find out the root cause of the attack (and how the attacker was successful in the attack)
32 | 10. The security team, and/or the Major Incident Management (MIM) process, and/or the crisis team should decide on the response and recovery in accordance with the recovery plan.
33 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/malware_infection_checklist.md:
--------------------------------------------------------------------------------
1 | # Malware on Workstation
2 | Workstation infection can be a combination of several things. This is why it is important to carry
3 | out a comprehensive investigation of workstation infection before taking remediation action. Modern
4 | attacks target users' workstations to a large extent, which is why they are also multi-stage, from initial
5 | infection to establishing a foothold, to installing attacker tools, to carrying out the attacker's objectives. Many of the
6 | infection steps are automated by the attacker, so they often take place in a short period of time.
7 |
8 | It is important to analyse and document the infection of workstations (where possible, isolate the workstation from the network rather than powering it off, so that volatile evidence such as memory contents and open network connections is preserved):
9 | * Date and time of first detection
10 | * What has been observed on the workstation before?
11 | * Email
12 | * New files
13 | * Web browsing and downloads
14 | * Programmes executed
15 | * Is it ransomware?
16 | * If yes, are the user files encrypted?
17 | * If yes, which files and from which file path?
18 | * If yes, is a ransom note visible, or has one been delivered by another method (e.g. email)?
19 | * If yes, how did the ransom note arrive?
20 | * If yes, what are the demands?
21 | * Document any findings
22 | * Check the firewall logs for any alerts related to the workstation in SIEM/Log System
23 | * Check if there are any indications of abnormal traffic in the Netflow data
24 | * What new connections have been opened since the detection of malware/anomaly?
25 | * Check if there are any new/abnormal applications/services on the workstation that start automatically
26 | * Check for scheduled tasks (Scheduled task etc.)
27 | * Are workstations finding new processes or applications?
28 | * If yes, can the process be identified as a process of a non-approved
29 | application/binary?
30 | * If yes, what network connections does the process have?
31 | * If yes, what files does the process use?
32 | * If yes, under which permissions is the process run?
33 | * If yes, from which file path is the application/binary process started?
34 | * If not, do existing processes have open network connections to the Internet?
35 | * If yes, what are the identifiers of the connections (IP, TCP/UDP, port)?
36 | * If not, do existing processes have open network connections to services on the
37 | internal network?
38 | * If yes, what are the normal user activities?
39 | * If yes, what seems abnormal?
40 | * Check the registry for any anomalies (e.g. new autostart entries)
41 | * Are any workstation administration tools (PowerShell, etc.) used on the workstation?
42 | * If yes, are these approved maintenance measures?
43 | * If not, what tool has been used and what has been done with it?
44 | * Check the logs in SIEM/Log System for any information found about network
45 | connections, etc. found on workstations in other operating environments (i.e. other systems in organization environment)
46 |
47 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/network_device_checklist.md:
--------------------------------------------------------------------------------
1 | # Network device checklist
2 | * Compare with existing configuration backups to see if any changes have been made to the running configurations
3 | * If changes have been made, find out whether they are appropriate
4 | * What are the changes?
5 | * What impact will the changes have on the operation of the network device?
6 | * What is the impact of the changes on the operating environment?
7 | * Document any changes
8 | * Find out from the local logs of the network device which usernames last logged on to the device, and when (include failed login attempts).
9 | * Document any findings
10 | * Find out the monitoring data from the device
11 | * Are there any abnormal traffic volumes?
12 | * Are there any anomalies in the use of device resources?
13 | * Document the findings
14 | * Check the SIEM/local system for syslog data of network devices for anomalies
15 | * Document the findings
16 | * Find out if the routing information on your network device is normal
17 | * Document the findings
18 | * Find out when the network device was last restarted
19 | * Document the last restart
20 | * Have any user accounts been added to the device?
21 | * Investigate how new user accounts have been created and when
22 | * Document any added accounts
23 | * Has the device's operating system been updated?
24 | * Document the latest version of the operating system
25 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/recon_phishing_social_engineering_checklist.md:
--------------------------------------------------------------------------------
1 | # Reconnaissance, phishing, and/or Social Engineering
2 |
3 | If the incident involves technical reconnaissance of the Organisation's operations, it must be determined
4 | whether it relates to a past or ongoing incident. Otherwise, the investigation of technical intelligence/recon
5 | may be a waste of resources. It is, of course, sometimes useful to collect analytical data from technical
6 | intelligence/recon in order to determine whether there has been a significant increase in the activity in
7 | question.
8 |
9 | ## Reconnaissance checklist
10 | It is important to analyse and document technical intelligence/recon:
11 | 1. Date of reconnaissance
12 | 2. Destination system
13 | 3. Reconnaissance method (port scanning, operating system detection, etc.)
14 | * Firewall logs
15 | * System's own log data
16 | * Netflow-data
17 | 4. Protocol and port used
18 | 5. Source IP addresses and countries (note that scanning sources are frequently spoofed, proxied or part of a botnet, so the country is only a weak indicator of the actual origin)
19 |
20 | ## Phishing checklists
21 | In the case of phishing, it is important to clarify whether it is targeted phishing (spear phishing) or mass-produced phishing. In the case of targeted phishing, it is important to analyse and document:
22 | 1. Time of arrival of the message
23 | 2. Where did the phishing message come from (sender address, sending mail server/IP, and the SPF/DKIM/DMARC results in the message headers)?
24 | 3. Has a similar phishing message been used in other parts of the world (is there any
25 | information on this in public sources)?
26 | 4. Has the message been sent to others in the organisation?
27 | 5. If the message attempts to redirect the user to a scam website
28 | * Where is it hosted (domain, IP address, hosting provider)?
29 | * Is it possible to ask the provider to take it offline?
30 | * Is it possible to block access to this site from the Organisation's network (e.g. at the web proxy or DNS)?
31 | * Did any recipient visit the site or submit credentials? If yes, reset those credentials and check for logins made with them afterwards
31 | 6. If there is an attachment in the message
32 | * Is it possible to analyse it with the organisation's internal tools (in an isolated analysis environment, never on a production workstation)?
33 | * Is it possible to analyse which application the attachment is using and whether
34 | the attachment is trying to exploit a vulnerability?
35 | 7. What method has been used to trick the user into activating malicious code on the
36 | workstation? Can this be mitigated?
37 |
38 |
39 | For mass-produced phishing messages, it is important to analyse and document:
40 | 1. Where did the phishing message come from?
41 | 2. Has the message been sent to everyone?
42 | 3. Can the message be identified (sender, subject, URL, attachment hash) so that it can be blocked at the mail server?
43 |
44 | ## Social Engineering checklist
45 | Social engineering can involve the physical collection of information or gaining access to systems and
46 | physical premises. In this situation, it is important to analyse and document:
47 | 1. When did this first happen?
48 | 2. When was the user contacted?
49 | 3. What medium was used to contact the user?
50 | 4. What information did the user provide to the contact person?
51 | 5. Did the attacker gain access to the protected premises?
52 | * If yes, is there any additional/unauthorized equipment on the premises?
53 | * If yes, is the device connected to the organisation's device?
54 | * If yes, what is the organization's device used for and what does it have access
55 | to?
56 | * If yes, is the device connected to the organisation's network? (i.e. directly to network interface)
57 | * If yes, which device is communicating with the organisation's
58 | network?
59 | * If yes, does the device have external network connections (e.g. 4G)?
60 |
61 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/server_checklist.md:
--------------------------------------------------------------------------------
1 | # Server checklist
2 | * Make sure you have a management connection to the system
3 | * Take into account the username/privileges with which you connect: use dedicated incident-response credentials with the least privilege needed, and do not log on with shared root or domain administrator accounts, because the attacker may harvest the credentials from the compromised system and gain access to the entire environment.
4 | * Check if new users or user groups have been created
5 | * Document new users and user groups
6 | * Check if the user rights have been modified
7 | * Document any changes
8 | * Check if there are new applications on the system or at system startup
9 | * Document the data for new applications
10 | * Check if there are new disk partitions or mounted volumes on the system
11 | * Document the partition/volume and its contents
12 | * Check for changes in network configurations
13 | * Document any changes
14 | * Check if there are any abnormal processes or services in the system (for services, it is important to check also for non-running ones)
15 | * Document any deviating processes and services
16 | * Investigate the origin of anomalous processes and/or services (where the process was started, where the executable came from, which user started the process)
17 | * Check if the system has automated time-based actions (e.g. Scheduled tasks, cron jobs, etc.)
18 | * Document any time-based actions
19 | * Find out what time-based actions do and when
20 | * Check what changes have been made to the system and its configurations
21 | * Document any changes
22 | * Check if there are any changes in the system data
23 | * Document any changes
24 | * Check whether the attacker has left any tools/files of his own on the system
25 | * Document any findings
26 | * Use a separate investigation workstation to examine the tools/files in more detail
27 | * Go through the local system logs
28 | * User logins
29 | * Security logs
30 | * Remote access
31 | * Other possible issues related to the incident
32 | * Collect local logs from the system (.evtx for Windows, /var/log/* for Linux, or other log data for the service/application); copy them to the investigation workstation before any remediation, since the attacker may clear or tamper with them
33 | * Document any anomalies in the incident
34 | * Find out when the abnormal activity in the system started
35 | * Document the exact time and reason for the abnormal activity
36 | * Find out what happened (new files, network connections, user activities, etc.) before the abnormal behaviour started
37 | * Document any findings
38 | * Find out what happened (new files, network connections, user activities, etc.) when the abnormal behaviour started
39 | * Document any findings
40 |
--------------------------------------------------------------------------------
/Triage-Respond/Investigations/workstation_checklist.md:
--------------------------------------------------------------------------------
1 | # Workstation checklist
2 | * What has been done on the workstation before the incident?
3 | * Email activity
4 | * New files
5 | * Web browsing and downloads
6 | * Programmes executed
7 | * Latest user logins
8 | * Check Security event logs (%SystemRoot%\System32\winevt\Logs\Security.evtx)
9 | * Check at least Event IDs: 4624 (logon), 4625 (failed logon), 4634 (logoff), 4648 (logon with explicit credentials), 4672 (special privileges assigned), 4720 (user account created)
10 | * Check RDP logins (Event IDs 4778 and 4779 for session reconnect/disconnect, and 4624 with logon type 10)
11 | * Document any anomalies from normal use
12 | * Is it ransomware?
13 | * If yes, are the user files encrypted?
14 | * If yes, which files and from which file path?
15 | * Document any findings
16 | * When was the last time the workstation was restarted?
17 | * Check if there are any applications on your workstation that start automatically
18 | * Document application data
19 | * Check for scheduled tasks (Scheduled task etc.)
20 | * Document any scheduled tasks
21 | * Are workstations running new processes or applications?
22 | * If yes, can the process be identified as a process of a non-approved application/binary?
23 | * If yes, what network connections does the process have?
24 | * If yes, what files does the process use?
25 | * If yes, under which permissions is the process run?
26 | * If yes, from which file path is the application/binary process started?
27 | * If not, do existing processes have open network connections to the Internet?
28 | * If yes, what are the identifiers of the connections (IP, TCP/UDP, port)?
29 | * If not, do existing processes have open network connections to services on the internal network?
30 | * If yes, what are the normal user activities?
31 | * If yes, what seems abnormal?
32 | * Document any findings
33 | * Check the registry for any anomalies (e.g. new autostart entries)
34 | * Document any findings
35 | * Are any workstation administration tools (PowerShell, etc.) used on the workstation?
36 | * If yes, are these approved administrative measures?
37 | * If not, what tool has been used and what has been done with it?
38 | * Document any findings
39 | * Is there any external media (USB, etc.) connected to the workstation? Document the device and when it was connected
40 |
--------------------------------------------------------------------------------
/Triage-Respond/Triage/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/Triage-Respond/Triage/.gitkeep
--------------------------------------------------------------------------------
/Triage-Respond/Triage/README.md:
--------------------------------------------------------------------------------
1 | # Triage
2 | Triage is the first step of incident response. During the triage stage it should be identified what has happened, when the first detection occurred, what the initial assessment of the impact on the business is, and what can be analysed quickly from the detection. Incident response triage is analogous to healthcare triage, i.e. try to quickly determine the nature of the incident.
3 |
4 | Triage Checklist:
5 | 1. Find out when the anomaly was first detected
6 | * Where did the observation come from?
7 | * Verify the accuracy of the observation
8 | 2. Find out if someone has already investigated the anomaly
9 | * Has anyone in the organisation dealt with the same issue?
10 | * Is there any similar information available from public sources?
11 | 3. Find out what impact the deviation will have on business services
12 | * Which business services are affected by the anomaly?
13 | * How many customers will be affected by the anomaly?
14 | * Does the incident have a clear financial impact on the operation of the
15 | organisation?
16 | 4. Find out which systems are affected by the anomaly
17 | * Which systems are targeted?
18 | * Which systems are accessible from affected systems?
19 | * Which systems are depending on the targeted systems?
20 | * Are the systems in the management environment (i.e. IT administrative tools, centralized configuration servers, monitoring etc.) targeted?
21 | 5. Find out what data is affected by the anomaly
22 | * Has there been unauthorised access to personal data?
23 | * Has confidential information of the organisation been accessed without permission?
24 | * Has confidential information of the Organization's customers been accessed without permission?
25 |
--------------------------------------------------------------------------------
/_images/.gitkeep:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/_images/JYVSECTEC-logo2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/JYVSECTEC-logo2.png
--------------------------------------------------------------------------------
/_images/JYVSECTEC_by_jamk.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/JYVSECTEC_by_jamk.png
--------------------------------------------------------------------------------
/_images/OKM-logo1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/OKM-logo1.png
--------------------------------------------------------------------------------
/_images/Prepare_Hunt_Respond.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/Prepare_Hunt_Respond.png
--------------------------------------------------------------------------------
/_images/jamk-logo1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/jamk-logo1.png
--------------------------------------------------------------------------------
/_images/polamk-logo1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JYVSECTEC/PHR-model/f40a28bf7803679efcc8f4b63aecd8a79f2e6b66/_images/polamk-logo1.png
--------------------------------------------------------------------------------