├── .gitignore ├── GS-CIRT-After-Action-Report-Template.docx ├── LICENSE ├── README.md ├── _config.yml ├── docs ├── Makefile └── source │ ├── assets.rst │ ├── ckc.rst │ ├── coa.rst │ ├── conf.py │ ├── contributors.rst │ ├── index.rst │ ├── ioc.rst │ ├── license.rst │ ├── meta-logo.png │ ├── meta.txt │ ├── notes.rst │ ├── ofi.rst │ ├── references.rst │ ├── roc.rst │ ├── summary.rst │ └── timelines.rst └── images ├── gh.mm.1.png ├── gh.mm.2.png └── gh.mm.3.png /.gitignore: -------------------------------------------------------------------------------- 1 | *build/ 2 | -------------------------------------------------------------------------------- /GS-CIRT-After-Action-Report-Template.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/guardsight/gsvsoc_mission-model/26ea2e7e2b9e28946f4220c076a1d22a3e3d80f1/GS-CIRT-After-Action-Report-Template.docx -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2018 GuardSight, Inc. https://www.guardsight.com 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # How-To Develop An Incident Response Report Journal Using GitHub, Sphinx, RTD 2 | ### Documenting Incident Response Using GitHub, Sphinx, RTD 3 | 4 | #### Prologue 5 | 6 | GuardSight analysts use a systematic approach to achieve the objectives of containment, eradication, and recovery during its BreachMasters™ incident response. One component of this approach includes developing content iteratively, in the style of journaling, to describe the adversary compromise as well as the allied response. The aggregated journal content ultimately results in an after action report. Producing the report documentation while conducting the response activities has many benefits including memorializing in near real-time, the increased accuracy of observations and collections, and improved precision of knowledge transfers when transitioning between analysts to manage response fatigue. This document discusses a mechanism for developing the incident response content using the revision control hosting system [Github](https://www.github.com), use of the [Sphinx](http://www.sphinx-doc.org/en/master/) documentation generator, and the optional use of the software hosting system [Read the Docs](https://readthedocs.com/). 7 | 8 | ![img](images/gh.mm.2.png) 9 | 10 | ![img](images/gh.mm.3.png) 11 | 12 | 13 | #### Prerequisites 14 | 15 | 1. Familiarity with contributing to Github 16 | 1. Authorized access to Github 17 | 1. Familiarity with publishing documentation using Sphinx 18 | 1. Sphinx software for Local builds (optional but recommended) 19 | ```bash 20 | pip install sphinx sphinx-autobuild 21 | 1. Authorized access to Read the Docs for business **private** hosting (optional) 22 | 23 | * Non-redacted public postings of after action reports is probably **not smart** - readthedocs.com is **private** - readthedocs.io is **public** 24 | 1. Github Settings 25 | ```bash 26 | vi ~/.gitconfig 27 | [user] 28 | name = myName 29 | email = myName@myEmailDomain 30 | 31 | #### Instruction 32 | 33 | ![img](images/gh.mm.1.png) 34 | 35 | ##### Bootstrap 36 | 37 | 1. Create a new repo that will contain the after action report (**notice the private key has its boolean value set to true**) 38 | ```bash 39 | cd ~/sandbox/code/github 40 | MISSION=$(date +'MISSION-%Y%m%d-1') 41 | MYORG=guardsight # e.g. ==> https://github.com/${MYORG} <== assign MYORG=yourOrganization 42 | curl -u $(grep name ~/.gitconfig | awk '{print $NF}') -d '{ "name": "'${MISSION}'", "description": "Incident Response Journal", "private": true, "has_wiki": false }' https://api.github.com/orgs/${MYORG}/repos 43 | Enter host password for user 'myName': 44 | 1. Duplicate a template repo without forking it and mirror-push its contents into the new repo 45 | ```bash 46 | git clone --bare git@github.com:guardsight/gsvsoc_mission-model MISSION-BOOTSTRAP 47 | cd MISSION-BOOTSTRAP/ 48 | git push --mirror git@github.com:${MYORG}/${MISSION} 49 | cd .. && rm -rf MISSION-BOOTSTRAP 50 | 1. Create a development branch and incorporate the remote repo into the local branch 51 | ```bash 52 | git clone git@github.com:${MYORG}/${MISSION} ${MISSION} 53 | cd ${MISSION} 54 | git checkout develop 55 | git pull origin develop 56 | cd docs 57 | 1. Replace some default content 58 | ```bash 59 | sed -i "s/MISSION-YYYYMMDD-n/${MISSION}/g" source/index.rst source/meta.txt source/conf.py 60 | 1. Replace the GuardSight copyright with ${MYORG} copyright 61 | 1. Replace docs/source/meta-logo.png with ${MYORG} logo 62 | 63 | IT **IS PERMISSABLE** TO REPLACE THE LOGO AND COPYRIGHT NOTICE IN THE CLONED ${MISSION} AND THE GUARDSIGHT PERMISSION NOTICE **IS NOT REQUIRED** TO BE INCLUDED IN THE CLONED ${MISSION} OR ANY PORTION OF THE AFTER ACTION REPORT 64 | 65 | ##### Edit <=> Commit 66 | 67 | 1. Develop -> Commit -> Push 68 | ```bash 69 | cd ${MISSION} 70 | git checkout develop; git pull origin develop; cd docs 71 | gedit source/*.rst source/meta.txt # sudo apt install gedit-plugin-git; # this shows lines that have changed since last commit; 72 | # make some changes 73 | git commit -a -m "Mission update" 74 | git push --tags origin develop 75 | 1. Merge into Master -> Push 76 | ```bash 77 | git checkout master 78 | git merge develop 79 | git push --tags origin master 80 | git checkout develop 81 | 82 | ##### Local Build 83 | 84 | 1. Make up the build 85 | ```bash 86 | cd ${MISSION}/docs 87 | make singlehtml 88 | make latexpdf 89 | 90 | 1. View the document 91 | ```bash 92 | google-chrome build/singlehtml/index.html 93 | google-chrome build/latex/gsvsoc_mission-model.pdf 94 | 95 | ##### Read the Docs For Business Build (optional) 96 | 97 | 1. Import the repo into RTD 98 | ```bash 99 | google-chrome https://readthedocs.com/dashboard/import/? 100 | 101 | 1. View the document 102 | ```bash 103 | google-chrome https://${MYORG}-$(echo ${MISSION} | tr [[:upper:]] [[:lower:]]).readthedocs-hosted.com/en/latest/ 104 | 105 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-slate -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- 1 | # Makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | PAPER = 8 | BUILDDIR = build 9 | 10 | # User-friendly check for sphinx-build 11 | ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) 12 | $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) 13 | endif 14 | 15 | # Internal variables. 16 | PAPEROPT_a4 = -D latex_paper_size=a4 17 | PAPEROPT_letter = -D latex_paper_size=letter 18 | ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source 19 | # the i18n builder cannot share the environment and doctrees with the others 20 | I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source 21 | 22 | .PHONY: help 23 | help: 24 | @echo "Please use \`make ' where is one of" 25 | @echo " html to make standalone HTML files" 26 | @echo " dirhtml to make HTML files named index.html in directories" 27 | @echo " singlehtml to make a single large HTML file" 28 | @echo " pickle to make pickle files" 29 | @echo " json to make JSON files" 30 | @echo " htmlhelp to make HTML files and a HTML help project" 31 | @echo " qthelp to make HTML files and a qthelp project" 32 | @echo " applehelp to make an Apple Help Book" 33 | @echo " devhelp to make HTML files and a Devhelp project" 34 | @echo " epub to make an epub" 35 | @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" 36 | @echo " latexpdf to make LaTeX files and run them through pdflatex" 37 | @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" 38 | @echo " text to make text files" 39 | @echo " man to make manual pages" 40 | @echo " texinfo to make Texinfo files" 41 | @echo " info to make Texinfo files and run them through makeinfo" 42 | @echo " gettext to make PO message catalogs" 43 | @echo " changes to make an overview of all changed/added/deprecated items" 44 | @echo " xml to make Docutils-native XML files" 45 | @echo " pseudoxml to make pseudoxml-XML files for display purposes" 46 | @echo " linkcheck to check all external links for integrity" 47 | @echo " doctest to run all doctests embedded in the documentation (if enabled)" 48 | @echo " coverage to run coverage check of the documentation (if enabled)" 49 | 50 | .PHONY: clean 51 | clean: 52 | rm -rf $(BUILDDIR)/* 53 | 54 | .PHONY: html 55 | html: 56 | $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html 57 | @echo 58 | @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." 59 | 60 | .PHONY: dirhtml 61 | dirhtml: 62 | $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml 63 | @echo 64 | @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." 65 | 66 | .PHONY: singlehtml 67 | singlehtml: 68 | $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml 69 | @echo 70 | @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." 71 | 72 | .PHONY: pickle 73 | pickle: 74 | $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle 75 | @echo 76 | @echo "Build finished; now you can process the pickle files." 77 | 78 | .PHONY: json 79 | json: 80 | $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json 81 | @echo 82 | @echo "Build finished; now you can process the JSON files." 83 | 84 | .PHONY: htmlhelp 85 | htmlhelp: 86 | $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp 87 | @echo 88 | @echo "Build finished; now you can run HTML Help Workshop with the" \ 89 | ".hhp project file in $(BUILDDIR)/htmlhelp." 90 | 91 | .PHONY: qthelp 92 | qthelp: 93 | $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp 94 | @echo 95 | @echo "Build finished; now you can run "qcollectiongenerator" with the" \ 96 | ".qhcp project file in $(BUILDDIR)/qthelp, like this:" 97 | @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/gsvsoc_mission-model.qhcp" 98 | @echo "To view the help file:" 99 | @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/gsvsoc_mission-model.qhc" 100 | 101 | .PHONY: applehelp 102 | applehelp: 103 | $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp 104 | @echo 105 | @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." 106 | @echo "N.B. You won't be able to view it unless you put it in" \ 107 | "~/Library/Documentation/Help or install it in your application" \ 108 | "bundle." 109 | 110 | .PHONY: devhelp 111 | devhelp: 112 | $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp 113 | @echo 114 | @echo "Build finished." 115 | @echo "To view the help file:" 116 | @echo "# mkdir -p $$HOME/.local/share/devhelp/gsvsoc_mission-model" 117 | @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/gsvsoc_mission-model" 118 | @echo "# devhelp" 119 | 120 | .PHONY: epub 121 | epub: 122 | $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub 123 | @echo 124 | @echo "Build finished. The epub file is in $(BUILDDIR)/epub." 125 | 126 | .PHONY: latex 127 | latex: 128 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 129 | @echo 130 | @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." 131 | @echo "Run \`make' in that directory to run these through (pdf)latex" \ 132 | "(use \`make latexpdf' here to do that automatically)." 133 | 134 | .PHONY: latexpdf 135 | latexpdf: 136 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 137 | @echo "Running LaTeX files through pdflatex..." 138 | $(MAKE) -C $(BUILDDIR)/latex all-pdf 139 | @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 140 | 141 | .PHONY: latexpdfja 142 | latexpdfja: 143 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 144 | @echo "Running LaTeX files through platex and dvipdfmx..." 145 | $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja 146 | @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 147 | 148 | .PHONY: text 149 | text: 150 | $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text 151 | @echo 152 | @echo "Build finished. The text files are in $(BUILDDIR)/text." 153 | 154 | .PHONY: man 155 | man: 156 | $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man 157 | @echo 158 | @echo "Build finished. The manual pages are in $(BUILDDIR)/man." 159 | 160 | .PHONY: texinfo 161 | texinfo: 162 | $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo 163 | @echo 164 | @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." 165 | @echo "Run \`make' in that directory to run these through makeinfo" \ 166 | "(use \`make info' here to do that automatically)." 167 | 168 | .PHONY: info 169 | info: 170 | $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo 171 | @echo "Running Texinfo files through makeinfo..." 172 | make -C $(BUILDDIR)/texinfo info 173 | @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." 174 | 175 | .PHONY: gettext 176 | gettext: 177 | $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale 178 | @echo 179 | @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." 180 | 181 | .PHONY: changes 182 | changes: 183 | $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes 184 | @echo 185 | @echo "The overview file is in $(BUILDDIR)/changes." 186 | 187 | .PHONY: linkcheck 188 | linkcheck: 189 | $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck 190 | @echo 191 | @echo "Link check complete; look for any errors in the above output " \ 192 | "or in $(BUILDDIR)/linkcheck/output.txt." 193 | 194 | .PHONY: doctest 195 | doctest: 196 | $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest 197 | @echo "Testing of doctests in the sources finished, look at the " \ 198 | "results in $(BUILDDIR)/doctest/output.txt." 199 | 200 | .PHONY: coverage 201 | coverage: 202 | $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage 203 | @echo "Testing of coverage in the sources finished, look at the " \ 204 | "results in $(BUILDDIR)/coverage/python.txt." 205 | 206 | .PHONY: xml 207 | xml: 208 | $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml 209 | @echo 210 | @echo "Build finished. The XML files are in $(BUILDDIR)/xml." 211 | 212 | .PHONY: pseudoxml 213 | pseudoxml: 214 | $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml 215 | @echo 216 | @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." 217 | -------------------------------------------------------------------------------- /docs/source/assets.rst: -------------------------------------------------------------------------------- 1 | .. _impacted_assets: 2 | 3 | Impacted Resources & Assets 4 | ################################## 5 | The following lists general resources that are believed to have been negatively impacted: 6 | 7 | #. Customer Data 8 | 9 | #. Employee Data 10 | 11 | #. Financial Data 12 | 13 | #. Legal Data 14 | 15 | #. Intellectual Property 16 | 17 | 18 | The following lists specific critical assets that are believed to have been negatively impacted: 19 | 20 | #. 21 | 22 | #. 23 | 24 | #. 25 | 26 | #. 27 | 28 | #. 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /docs/source/ckc.rst: -------------------------------------------------------------------------------- 1 | .. _ckc: 2 | 3 | Cyber Kill Chain 4 | ################################## 5 | Cyber Kill Chain (CKC) is a systematic analysis process used by response team members and asset owners to identify and communicate the stages of an attack. The patterns, behaviors, tactics, techniques, and procedures (TTP) used by adversaries are described using this analysis to subsequently develop :ref:`coa` designed to target and engage adversaries. 6 | 7 | 8 | Reconnaisance 9 | ********************************** 10 | Reconnaissance TTP are not currently known / do not exist. 11 | 12 | 13 | Weaponization 14 | ********************************** 15 | Weaponization and payload TTP are not currently known / do not exist. 16 | 17 | 18 | Delivery 19 | ********************************** 20 | Delivery TTP are not currently known / do not exist. 21 | 22 | 23 | Exploitation 24 | ********************************** 25 | Exploitation TTP are not currently known / do not exist. 26 | 27 | 28 | Installation 29 | ********************************** 30 | Installation TTP for creating maintained persistensence are not currently known / do not exist. 31 | 32 | 33 | Command and Control 34 | ********************************** 35 | Command and Control TTP for maintaining persistence are not currently known / do not exist. 36 | 37 | 38 | Actions on Objectives 39 | ********************************** 40 | Actions on Objectives TTP for achieving goals are not currently known / do not exist. 41 | -------------------------------------------------------------------------------- /docs/source/coa.rst: -------------------------------------------------------------------------------- 1 | .. _coa: 2 | 3 | Courses Of Action 4 | ################################## 5 | Courses Of Action (COA) derived from the :ref:`ckc` represent the countermeasures, containment & eradication, and recovery actions that are being deployed by response team members and asset owners to target and engage adversaries. 6 | 7 | 8 | Inventory 9 | ********************************** 10 | There are no current COA to inventory assets associated with the vulnerability / exploit / compromise / adversaries. 11 | 12 | 13 | ---- 14 | 15 | Containment & Eradication 16 | ********************************** 17 | 18 | Detect 19 | ================================== 20 | There are no current COA to detect the vulnerability / exploit / compromise / adversaries. 21 | 22 | 23 | Deny 24 | ================================== 25 | There are no current COA to deny the vulnerability / exploit / compromise / adversaries. 26 | 27 | 28 | Disrupt 29 | ================================== 30 | There are no current COA to disrupt the vulnerability / exploit / compromise / adversaries. 31 | 32 | 33 | Degrade 34 | ================================== 35 | There are no current COA to degrade the vulnerability / exploit / compromise / adversaries. 36 | 37 | 38 | Decieve 39 | ================================== 40 | There are no current COA to deceive the vulnerability / exploit / compromise / adversaries. 41 | 42 | 43 | Destroy 44 | ================================== 45 | There are no current COA to destroy the vulnerability / exploit / compromise / adversaries. 46 | 47 | 48 | ---- 49 | 50 | Recovery 51 | ********************************** 52 | There are no current COA to recover compromised assets. 53 | 54 | -------------------------------------------------------------------------------- /docs/source/conf.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # gsvsoc_mission-model documentation build configuration file, created by 4 | # sphinx-quickstart on Thu Jul 26 16:22:48 2018. 5 | # 6 | # This file is execfile()d with the current directory set to its 7 | # containing dir. 8 | # 9 | # Note that not all possible configuration values are present in this 10 | # autogenerated file. 11 | # 12 | # All configuration values have a default; values that are commented out 13 | # serve to show the default. 14 | 15 | import sys 16 | import os 17 | 18 | # If extensions (or modules to document with autodoc) are in another directory, 19 | # add these directories to sys.path here. If the directory is relative to the 20 | # documentation root, use os.path.abspath to make it absolute, like shown here. 21 | #sys.path.insert(0, os.path.abspath('.')) 22 | 23 | # -- General configuration ------------------------------------------------ 24 | 25 | # If your documentation needs a minimal Sphinx version, state it here. 26 | #needs_sphinx = '1.0' 27 | 28 | # Add any Sphinx extension module names here, as strings. They can be 29 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 30 | # ones. 31 | extensions = [ 32 | 'sphinx.ext.autodoc', 33 | 'sphinx.ext.intersphinx', 34 | ] 35 | 36 | # Add any paths that contain templates here, relative to this directory. 37 | templates_path = ['_templates'] 38 | 39 | # The suffix(es) of source filenames. 40 | # You can specify multiple suffix as a list of string: 41 | # source_suffix = ['.rst', '.md'] 42 | source_suffix = '.rst' 43 | 44 | # The encoding of source files. 45 | #source_encoding = 'utf-8-sig' 46 | 47 | # The master toctree document. 48 | master_doc = 'index' 49 | 50 | # General information about the project. 51 | project = u'Incident Response Mission' 52 | copyright = u'2018, GuardSight, Inc.' 53 | author = u'johnmac@guardsight.com' 54 | 55 | 56 | # The version info for the project you're documenting, acts as replacement for 57 | # |version| and |release|, also used in various other places throughout the 58 | # built documents. 59 | # 60 | # The short X.Y version. 61 | # version = u'0.0.1' 62 | import re 63 | version = re.sub('^v', '', os.popen('git tag').read().strip()) 64 | release = os.popen('git describe').read().strip() 65 | # The full version, including alpha/beta/rc tags. 66 | # release = u'0.0.1' 67 | 68 | 69 | # The language for content autogenerated by Sphinx. Refer to documentation 70 | # for a list of supported languages. 71 | # 72 | # This is also used if you do content translation via gettext catalogs. 73 | # Usually you set "language" from the command line for these cases. 74 | language = None 75 | 76 | # There are two options for replacing |today|: either, you set today to some 77 | # non-false value, then it is used: 78 | #today = '' 79 | # Else, today_fmt is used as the format for a strftime call. 80 | #today_fmt = '%B %d, %Y' 81 | 82 | # List of patterns, relative to source directory, that match files and 83 | # directories to ignore when looking for source files. 84 | exclude_patterns = [] 85 | 86 | # The reST default role (used for this markup: `text`) to use for all 87 | # documents. 88 | #default_role = None 89 | 90 | # If true, '()' will be appended to :func: etc. cross-reference text. 91 | #add_function_parentheses = True 92 | 93 | # If true, the current module name will be prepended to all description 94 | # unit titles (such as .. function::). 95 | #add_module_names = True 96 | 97 | # If true, sectionauthor and moduleauthor directives will be shown in the 98 | # output. They are ignored by default. 99 | #show_authors = False 100 | 101 | # The name of the Pygments (syntax highlighting) style to use. 102 | pygments_style = 'sphinx' 103 | 104 | # A list of ignored prefixes for module index sorting. 105 | #modindex_common_prefix = [] 106 | 107 | # If true, keep warnings as "system message" paragraphs in the built documents. 108 | #keep_warnings = False 109 | 110 | # If true, `todo` and `todoList` produce output, else they produce nothing. 111 | todo_include_todos = False 112 | 113 | 114 | # -- Options for HTML output ---------------------------------------------- 115 | 116 | # The theme to use for HTML and HTML Help pages. See the documentation for 117 | # a list of builtin themes. 118 | html_theme = 'sphinx_rtd_theme' 119 | 120 | # Theme options are theme-specific and customize the look and feel of a theme 121 | # further. For a list of options available for each theme, see the 122 | # documentation. 123 | #html_theme_options = {} 124 | 125 | # Add any paths that contain custom themes here, relative to this directory. 126 | #html_theme_path = [] 127 | 128 | # The name for this set of Sphinx documents. If None, it defaults to 129 | # " v documentation". 130 | #html_title = None 131 | 132 | # A shorter title for the navigation bar. Default is the same as html_title. 133 | #html_short_title = None 134 | 135 | # The name of an image file (relative to this directory) to place at the top 136 | # of the sidebar. 137 | #html_logo = None 138 | 139 | # The name of an image file (relative to this directory) to use as a favicon of 140 | # the docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 141 | # pixels large. 142 | #html_favicon = None 143 | 144 | # Add any paths that contain custom static files (such as style sheets) here, 145 | # relative to this directory. They are copied after the builtin static files, 146 | # so a file named "default.css" will overwrite the builtin "default.css". 147 | html_static_path = ['_static'] 148 | 149 | # Add any extra paths that contain custom files (such as robots.txt or 150 | # .htaccess) here, relative to this directory. These files are copied 151 | # directly to the root of the documentation. 152 | #html_extra_path = [] 153 | 154 | # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, 155 | # using the given strftime format. 156 | #html_last_updated_fmt = '%b %d, %Y' 157 | 158 | # If true, SmartyPants will be used to convert quotes and dashes to 159 | # typographically correct entities. 160 | #html_use_smartypants = True 161 | 162 | # Custom sidebar templates, maps document names to template names. 163 | #html_sidebars = {} 164 | 165 | # Additional templates that should be rendered to pages, maps page names to 166 | # template names. 167 | #html_additional_pages = {} 168 | 169 | # If false, no module index is generated. 170 | #html_domain_indices = True 171 | 172 | # If false, no index is generated. 173 | #html_use_index = True 174 | 175 | # If true, the index is split into individual pages for each letter. 176 | #html_split_index = False 177 | 178 | # If true, links to the reST sources are added to the pages. 179 | #html_show_sourcelink = True 180 | 181 | # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. 182 | #html_show_sphinx = True 183 | 184 | # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. 185 | #html_show_copyright = True 186 | 187 | # If true, an OpenSearch description file will be output, and all pages will 188 | # contain a tag referring to it. The value of this option must be the 189 | # base URL from which the finished HTML is served. 190 | #html_use_opensearch = '' 191 | 192 | # This is the file name suffix for HTML files (e.g. ".xhtml"). 193 | #html_file_suffix = None 194 | 195 | # Language to be used for generating the HTML full-text search index. 196 | # Sphinx supports the following languages: 197 | # 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja' 198 | # 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr' 199 | #html_search_language = 'en' 200 | 201 | # A dictionary with options for the search language support, empty by default. 202 | # Now only 'ja' uses this config value 203 | #html_search_options = {'type': 'default'} 204 | 205 | # The name of a javascript file (relative to the configuration directory) that 206 | # implements a search results scorer. If empty, the default will be used. 207 | #html_search_scorer = 'scorer.js' 208 | 209 | # Output file base name for HTML help builder. 210 | htmlhelp_basename = 'gsvsoc_mission-modeldoc' 211 | 212 | # -- Options for LaTeX output --------------------------------------------- 213 | 214 | latex_elements = { 215 | # The paper size ('letterpaper' or 'a4paper'). 216 | #'papersize': 'letterpaper', 217 | 218 | # The font size ('10pt', '11pt' or '12pt'). 219 | #'pointsize': '10pt', 220 | 221 | # Additional stuff for the LaTeX preamble. 222 | #'preamble': '', 223 | 224 | # Latex figure (float) alignment 225 | #'figure_align': 'htbp', 226 | } 227 | 228 | # Grouping the document tree into LaTeX files. List of tuples 229 | # (source start file, target name, title, 230 | # author, documentclass [howto, manual, or own class]). 231 | latex_documents = [ 232 | (master_doc, 'gsvsoc_mission-model.tex', u'MISSION-YYYYMMDD-n Journal', 233 | u'GuardSight, Inc.', 'manual'), 234 | ] 235 | 236 | # The name of an image file (relative to this directory) to place at the top of 237 | # the title page. 238 | #latex_logo = None 239 | 240 | # For "manual" documents, if this is true, then toplevel headings are parts, 241 | # not chapters. 242 | #latex_use_parts = False 243 | 244 | # If true, show page references after internal links. 245 | #latex_show_pagerefs = False 246 | 247 | # If true, show URL addresses after external links. 248 | #latex_show_urls = False 249 | 250 | # Documents to append as an appendix to all manuals. 251 | #latex_appendices = [] 252 | 253 | # If false, no module index is generated. 254 | #latex_domain_indices = True 255 | 256 | 257 | # -- Options for manual page output --------------------------------------- 258 | 259 | # One entry per manual page. List of tuples 260 | # (source start file, name, description, authors, manual section). 261 | man_pages = [ 262 | (master_doc, 'gsvsoc_mission-model', u'MISSION-YYYYMMDD-n Journal', 263 | [author], 1) 264 | ] 265 | 266 | # If true, show URL addresses after external links. 267 | #man_show_urls = False 268 | 269 | 270 | # -- Options for Texinfo output ------------------------------------------- 271 | 272 | # Grouping the document tree into Texinfo files. List of tuples 273 | # (source start file, target name, title, author, 274 | # dir menu entry, description, category) 275 | texinfo_documents = [ 276 | (master_doc, 'gsvsoc_mission-model', u'gsvsoc_mission-model Documentation', 277 | author, 'gsvsoc_mission-model', 'One line description of project.', 278 | 'Miscellaneous'), 279 | ] 280 | 281 | # Documents to append as an appendix to all manuals. 282 | #texinfo_appendices = [] 283 | 284 | # If false, no module index is generated. 285 | #texinfo_domain_indices = True 286 | 287 | # How to display URL addresses: 'footnote', 'no', or 'inline'. 288 | #texinfo_show_urls = 'footnote' 289 | 290 | # If true, do not generate a @detailmenu in the "Top" node's menu. 291 | #texinfo_no_detailmenu = False 292 | -------------------------------------------------------------------------------- /docs/source/contributors.rst: -------------------------------------------------------------------------------- 1 | Contributors 2 | ################################## 3 | -------------------------------------------------------------------------------- /docs/source/index.rst: -------------------------------------------------------------------------------- 1 | MISSION-YYYYMMDD-n 2 | ****************************** 3 | 4 | This document is an after-action report that provides the details of an Information Security Incident signifying a violation of computer security policies, acceptable use policies, or standard security practices resulting in a compromise of this organization's assets. 5 | 6 | .. include:: meta.txt 7 | 8 | 9 | .. toctree:: 10 | :maxdepth: 3 11 | 12 | summary 13 | roc 14 | timelines 15 | assets 16 | ioc 17 | ckc 18 | coa 19 | ofi 20 | notes 21 | references 22 | contributors 23 | license 24 | 25 | 26 | -------------------------------------------------------------------------------- /docs/source/ioc.rst: -------------------------------------------------------------------------------- 1 | .. _ioc: 2 | 3 | Indicators Of Compromise 4 | ################################## 5 | Indicators Of Compromise (IOC) represent artifacts and attributes observed and collected by response team members and asset owners. IOC supply the evidence to support assertions of a high of degree of confidence that adversary activity resulted in successful asset compromise. 6 | 7 | 8 | Atomic 9 | ********************************** 10 | Atomic artifacts are currently not known / do not exist. 11 | 12 | 13 | Computed 14 | ********************************** 15 | Computed attributes derived from data elements are currently not known / do not exist. 16 | 17 | 18 | 19 | Behavioral 20 | ********************************** 21 | Logical assertions based on atomic and computed indicators have not yet been developed. 22 | -------------------------------------------------------------------------------- /docs/source/license.rst: -------------------------------------------------------------------------------- 1 | License 2 | ################################## 3 | CONFIDENTIAL//ATTORNEY-CLIENT PRIVILEGE//TLP: AMBER 4 | 5 | This document contains confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient(s) is prohibited by law and may subject them to criminal or civil liability. 6 | 7 | This report is designated as Traffic Light Protocol (TLP): AMBER. Recipients may share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information. 8 | 9 | Copyright (c) GuardSight, Inc. https://www.guardsight.com 10 | 11 | -------------------------------------------------------------------------------- /docs/source/meta-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/guardsight/gsvsoc_mission-model/26ea2e7e2b9e28946f4220c076a1d22a3e3d80f1/docs/source/meta-logo.png -------------------------------------------------------------------------------- /docs/source/meta.txt: -------------------------------------------------------------------------------- 1 | 2 | +---------------------------+---------------------------+ 3 | | |logo|                  **Incident Response Mission** | 4 | +---------------------------+---------------------------+ 5 | | Mission Id: | MISSION-YYYYMMDD-n | 6 | +---------------------------+---------------------------+ 7 | | Revision Id: | |release| | 8 | +---------------------------+---------------------------+ 9 | | Date: | Mon Day, YYYY | 10 | +---------------------------+---------------------------+ 11 | | Rating: | SEVERE (`NCCIC CISS`_) | 12 | +---------------------------+---------------------------+ 13 | | COA Completion: | 0/0 - 0% | 14 | +---------------------------+---------------------------+ 15 | | Condition: | GUARDED (HSAS_) | 16 | +---------------------------+---------------------------+ 17 | | CONFIDENTIAL//ATTORNEY-CLIENT PRIVILEGE//TLP:AMBER | 18 | +---------------------------+---------------------------+ 19 | 20 | 21 | .. |logo| image:: meta-logo.png 22 | :scale: 70 23 | 24 | .. _NCCIC CISS: https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System 25 | 26 | .. _HSAS: https://en.wikipedia.org/wiki/Homeland_Security_Advisory_System 27 | -------------------------------------------------------------------------------- /docs/source/notes.rst: -------------------------------------------------------------------------------- 1 | Notes 2 | ################################## 3 | -------------------------------------------------------------------------------- /docs/source/ofi.rst: -------------------------------------------------------------------------------- 1 | .. _ofi: 2 | 3 | Opportunities For Improvement 4 | ################################## 5 | Opportunities For Improvement (OFI) impart reccomendations based on findings of response team members and asset owners during each phase of the response. These reccomendations are provided to help reduce attack surfaces, enhance security posture, improve operational readiness, and boost the effectiveness of future response. 6 | 7 | Preparation 8 | ********************************** 9 | There are no current preparation OFI. 10 | 11 | 12 | Identification 13 | ********************************** 14 | There are no current identification OFI. 15 | 16 | 17 | Containment 18 | ********************************** 19 | There are no current containment OFI. 20 | 21 | 22 | Eradication 23 | ********************************** 24 | There are no current eradication OFI. 25 | 26 | 27 | Recovery 28 | ********************************** 29 | There are no current identification OFI. 30 | 31 | 32 | -------------------------------------------------------------------------------- /docs/source/references.rst: -------------------------------------------------------------------------------- 1 | References 2 | ################################## 3 | -------------------------------------------------------------------------------- /docs/source/roc.rst: -------------------------------------------------------------------------------- 1 | .. _roc: 2 | 3 | Risk Of Compromise 4 | ################################## 5 | 6 | The Risk Of Compromise to the organization's resources and assets is **CONFIRMED** due to the following factors: 7 | 8 | #. 9 | 10 | #. 11 | 12 | #. 13 | -------------------------------------------------------------------------------- /docs/source/summary.rst: -------------------------------------------------------------------------------- 1 | Summary 2 | ################################## 3 | 4 | 5 | +---------------------------+---------------------------+ 6 | | Impacted Assets: | 0 | 7 | +---------------------------+---------------------------+ 8 | | Time To Respond: | 0 Minutes | 9 | +---------------------------+---------------------------+ 10 | | Total Dwell Time: | 0 Hours | 11 | +---------------------------+---------------------------+ 12 | | Break Out Speed: | 0 Minutes | 13 | +---------------------------+---------------------------+ 14 | | Response Duration: | 0 Hours | 15 | +---------------------------+---------------------------+ 16 | | Weaponization: | Document Macro | 17 | +---------------------------+---------------------------+ 18 | | Delivery: | Email Attachment | 19 | +---------------------------+---------------------------+ 20 | | Exploitation: | CVE-YYYY-0000 | 21 | +---------------------------+---------------------------+ 22 | | Data Compromise: | Negative | 23 | +---------------------------+---------------------------+ 24 | 25 | -------------------------------------------------------------------------------- /docs/source/timelines.rst: -------------------------------------------------------------------------------- 1 | Timelines 2 | ################################## 3 | The following provides the high level timeline summary of the activities conducted by both the adversaries and the response team members. All times are represented in **local time**. 4 | 5 | 6 | ------------------ 7 | 8 | #. YYYY-MM-DD 9 | 10 | * HH:MM - [attacker] - event 11 | * HH:MM - [attacker] - event 12 | * HH:MM - [response] - event 13 | * HH:MM - [attacker] - event 14 | * HH:MM - [response] - event 15 | * HH:MM - [attacker] - event 16 | * HH:MM - [attacker] - event 17 | * HH:MM - [attacker] - event 18 | * HH:MM - [attacker] - event 19 | * HH:MM - [response] - event 20 | 21 | #. YYYY-MM-DD 22 | 23 | * HH:MM - [attacker] - event 24 | * HH:MM - [attacker] - event 25 | * HH:MM - [response] - event 26 | * HH:MM - [attacker] - event 27 | * HH:MM - [response] - event 28 | * HH:MM - [attacker] - event 29 | * HH:MM - [attacker] - event 30 | * HH:MM - [attacker] - event 31 | * HH:MM - [attacker] - event 32 | * HH:MM - [response] - event 33 | -------------------------------------------------------------------------------- /images/gh.mm.1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/guardsight/gsvsoc_mission-model/26ea2e7e2b9e28946f4220c076a1d22a3e3d80f1/images/gh.mm.1.png -------------------------------------------------------------------------------- /images/gh.mm.2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/guardsight/gsvsoc_mission-model/26ea2e7e2b9e28946f4220c076a1d22a3e3d80f1/images/gh.mm.2.png -------------------------------------------------------------------------------- /images/gh.mm.3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/guardsight/gsvsoc_mission-model/26ea2e7e2b9e28946f4220c076a1d22a3e3d80f1/images/gh.mm.3.png --------------------------------------------------------------------------------