
[Draft] Remediation Category and Events #818

Closed
wants to merge 5 commits into from

Conversation

maxhotta
Contributor

@maxhotta maxhotta commented Oct 5, 2023

Adding events to model remediation of entities on Windows/Linux/MacOS:
These events report the status of remediation attempts (commands) on the defined target entities.
Windows/Mac specific items were added as extensions for the OS.
Note: there is one todo in this draft: move the startup application into the MacOS profile being added as part of the Discovery events PR.

Windows specific entities:
Registry Value
Registry Key

MacOS specific entities:
Startup Application

OS agnostic entities:
File
Folder
Job
Module
Network Connection
Process
Service
User Session

Other:

Unsuccessful Remediation: result document (event) that captures when a remediation attempt failed

@maxhotta maxhotta added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes labels Oct 5, 2023
@pagbabian-splunk pagbabian-splunk added the v1.2.0 Changes marked for version v1.2.0 of OCSF label Jan 16, 2024
@netfl0

netfl0 commented Feb 15, 2024

Recommend distinguishing between remediation actions since they could be quite varied.

In D3FEND we define Evict, Restore, and Isolate. You could argue even Hardening could be a remediation.

@netfl0

netfl0 commented Mar 25, 2024

Adding in some of the conversation from OCSF slack for posterity:

I think that having Category names being "X Remediation" is not specific enough.

For example, our (current) full taxonomy of defensive techniques looks like this:

Defensive Technique
	Application Hardening
		Application Configuration Hardening
		Dead Code Elimination
		Exception Handler Pointer Validation
		Pointer Authentication
		Process Segment Execution Prevention
		Segment Address Offset Randomization
		Stack Frame Canary Validation
	Asset Inventory
		Asset Vulnerability Enumeration
			Container Image Analysis
		Configuration Inventory
		Data Inventory
		Hardware Component Inventory
		Network Node Inventory
		Software Inventory
	Credential Eviction
		Account Locking
		Authentication Cache Invalidation
		Credential Revoking
	Credential Hardening
		Biometric Authentication
		Certificate-based Authentication
		Certificate Pinning
		Credential Rotation
		Credential Transmission Scoping
		Domain Trust Policy
		Multi-factor Authentication
		One-time Password
		Strong Password Policy
		User Account Permissions
	Decoy Environment
		Connected Honeynet
		Integrated Honeynet
		Standalone Honeynet
	Decoy Object
		Decoy File
		Decoy Network Resource
		Decoy Persona
		Decoy Public Release
		Decoy Session Token
		Decoy User Credential
	Execution Isolation
		Executable Allowlisting
		Executable Denylisting
		Hardware-based Process Isolation
		IO Port Restriction
		Kernel-based Process Isolation
			Mandatory Access Control
			System Call Filtering
	File Analysis
		Dynamic Analysis
		Emulated File Analysis
		File Content Analysis
			File Content Rules
		File Hashing
	File Eviction
		File Removal
			Email Removal
	Identifier Analysis
		Homoglyph Detection
		Identifier Activity Analysis
		Identifier Reputation Analysis
			Domain Name Reputation Analysis
			File Hash Reputation Analysis
			IP Reputation Analysis
			URL Reputation Analysis
		URL Analysis
	Message Analysis
		Sender MTA Reputation Analysis
		Sender Reputation Analysis
	Message Hardening
		Message Authentication
		Message Encryption
		Transfer Agent Authentication
	Network Isolation
		Broadcast Domain Isolation
		DNS Allowlisting
		DNS Denylisting
			Forward Resolution Domain Denylisting
				Hierarchical Domain Denylisting
				Homoglyph Denylisting
			Forward Resolution IP Denylisting
			Reverse Resolution Domain Denylisting
			Reverse Resolution IP Denylisting
		Encrypted Tunnels
		Network Traffic Filtering
			Inbound Traffic Filtering
				Email Filtering
			Outbound Traffic Filtering
	Network Mapping
		Logical Link Mapping
			Active Logical Link Mapping
			Passive Logical Link Mapping
		Network Traffic Policy Mapping
		Network Vulnerability Assessment
		Physical Link Mapping
			Active Physical Link Mapping
			Passive Physical Link Mapping
	Network Traffic Analysis
		Administrative Network Activity Analysis
		Byte Sequence Emulation
		Certificate Analysis
			Active Certificate Analysis
			Passive Certificate Analysis
		Client-server Payload Profiling
		Connection Attempt Analysis
		DNS Traffic Analysis
		File Carving
		IPC Traffic Analysis
		Inbound Session Volume Analysis
		Network Traffic Community Deviation
		Per Host Download-Upload Ratio Analysis
		Protocol Metadata Anomaly Detection
		RPC Traffic Analysis
		Relay Pattern Analysis
		Remote Terminal Session Detection
	Operational Activity Mapping
		Access Modeling
		Operational Dependency Mapping
		Operational Risk Assessment
		Organization Mapping
	Platform Hardening
		Bootloader Authentication
		Disk Encryption
		Driver Load Integrity Checking
		File Encryption
		Local File Permissions
		RF Shielding
		Software Update
		System Configuration Permissions
		TPM Boot Integrity
	Platform Monitoring
		File Integrity Monitoring
		Firmware Behavior Analysis
		Firmware Embedded Monitoring Code
		Firmware Verification
			Peripheral Firmware Verification
			System Firmware Verification
		Operating System Monitoring
			Endpoint Health Beacon
			Input Device Analysis
			Memory Boundary Tracking
			Scheduled Job Analysis
			System Daemon Monitoring
			System File Analysis
				Service Binary Verification
			System Init Config Analysis
			User Session Init Config Analysis
	Process Analysis
		Database Query String Analysis
		File Access Pattern Analysis
		Indirect Branch Call Analysis
		Process Code Segment Verification
		Process Self-Modification Detection
		Process Spawn Analysis
			Process Lineage Analysis
		Script Execution Analysis
		Shadow Stack Comparisons
		System Call Analysis
			File Creation Analysis
	Process Eviction
		Process Suspension
		Process Termination
	Restore Access
		Restore Network Access
		Restore User Account Access
			Unlock Account
	Restore Object
		Reissue Credential
		Restore Configuration
		Restore Database
		Restore Disk Image
		Restore File
			Restore Email
		Restore Software
	System Mapping
		Data Exchange Mapping
		Service Dependency Mapping
		System Dependency Mapping
		System Vulnerability Assessment
	User Behavior Analysis
		Authentication Event Thresholding
		Authorization Event Thresholding
		Credential Compromise Scope Analysis
		Domain Account Monitoring
		Job Function Access Pattern Analysis
		Local Account Monitoring
		Resource Access Pattern Analysis
		Session Duration Analysis
		User Data Transfer Analysis
		User Geolocation Logon Pattern Analysis
		Web Session Activity Analysis

@floydtree floydtree added v1.3.0 and later Changes marked for versions beyond v1.3.0 of OCSF and removed v1.2.0 Changes marked for version v1.2.0 of OCSF labels Apr 15, 2024
@pagbabian-splunk
Contributor

This is a major change, adding a new category. The activities are modeled as results or status, so that needs to be reworked. There are also many discrete events, one for each item being targeted. There should be a more efficient way of modeling remediation. Finally, staying true to #d3fend is highly desirable, but without duplicating/mirroring the "defensive techniques"; rather, reference them the way we have done with ATT&CK. As part of this exercise, the associations of OCSF Objects and d3fend Artifacts become more important.
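The two points above (netfl0's suggestion to distinguish Evict / Restore / Isolate / Hardening, and the maintainer's preference for one remediation event that references a D3FEND technique rather than one event class per target entity) can be illustrated together. The following is an added example, not code from the OCSF project, this PR, or D3FEND: it parses an excerpt of the tab-indented technique tree quoted in the thread, resolves any technique to its top-level D3FEND category, derives the action family from that category, and emits a single generic event record. The class name `Remediation`, the field names, the sample target values and the suffix-to-family mapping (`Eviction` -> Evict, `Isolation` -> Isolate, `Hardening` -> Harden, `Restore ...` -> Restore) are all assumptions made for the example.

```python
"""Added example (not OCSF or D3FEND code): map a D3FEND technique name to a
remediation action family and build one generic remediation event record."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the tab-indented taxonomy quoted in the thread.
# "File Analysis" is included as a non-remediation (Detect) branch so the
# rejection path below is exercised.
TAXONOMY_TEXT = (
    "Defensive Technique\n"
    "\tCredential Eviction\n"
    "\t\tAccount Locking\n"
    "\t\tCredential Revoking\n"
    "\tFile Analysis\n"
    "\t\tFile Hashing\n"
    "\tFile Eviction\n"
    "\t\tFile Removal\n"
    "\t\t\tEmail Removal\n"
    "\tNetwork Isolation\n"
    "\t\tNetwork Traffic Filtering\n"
    "\t\t\tOutbound Traffic Filtering\n"
    "\tPlatform Hardening\n"
    "\t\tLocal File Permissions\n"
    "\tProcess Eviction\n"
    "\t\tProcess Suspension\n"
    "\t\tProcess Termination\n"
    "\tRestore Access\n"
    "\t\tRestore User Account Access\n"
    "\t\t\tUnlock Account\n"
    "\tRestore Object\n"
    "\t\tRestore File\n"
    "\t\t\tRestore Email\n"
)


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)


def parse_taxonomy(text: str) -> Dict[str, Node]:
    """Build a tree from tab-indented lines; return a name -> Node index."""
    stack: List[Node] = []  # stack[d] is the most recent node at depth d
    nodes: Dict[str, Node] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip("\t"))
        name = raw.strip()
        if depth > len(stack):  # child without a parent at the previous depth
            raise ValueError(f"bad indentation at {name!r}")
        del stack[depth:]  # pop back to the parent's depth
        node = Node(name)
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        stack.append(node)
        nodes[name] = node
    return nodes


def top_level_category(nodes: Dict[str, Node], technique: str) -> str:
    """Return the depth-1 ancestor of a technique (e.g. 'Process Eviction')."""
    node = nodes[technique]
    while node.parent is not None and node.parent.parent is not None:
        node = node.parent
    return node.name


# Assumed mapping from category-name suffix to D3FEND action family.
FAMILY_BY_SUFFIX = {"Eviction": "Evict", "Isolation": "Isolate", "Hardening": "Harden"}


def action_family(category: str) -> Optional[str]:
    """Evict / Restore / Isolate / Harden, or None for non-remediation branches."""
    if category.startswith("Restore "):
        return "Restore"
    return FAMILY_BY_SUFFIX.get(category.split()[-1])


def is_remediation_technique(nodes: Dict[str, Node], technique: str) -> bool:
    return technique in nodes and action_family(top_level_category(nodes, technique)) is not None


def remediation_event(nodes: Dict[str, Node], technique: str, target: dict, status: str) -> dict:
    """One event class for every target type; the technique is a reference, not a copy."""
    if status not in ("Success", "Failure"):
        raise ValueError(f"unknown status {status!r}")
    if not is_remediation_technique(nodes, technique):
        raise ValueError(f"{technique!r} is not a remediation technique")
    category = top_level_category(nodes, technique)
    return {
        "class_name": "Remediation",       # assumed single event class
        "action": action_family(category),
        "d3fend_category": category,
        "d3fend_technique": technique,
        "target": target,                  # the entity acted on (file, process, ...)
        "status": status,
    }


if __name__ == "__main__":
    tree = parse_taxonomy(TAXONOMY_TEXT)
    print(remediation_event(tree, "Process Termination", {"type": "process", "pid": 4242}, "Failure"))
```

Because the event carries the technique name as a reference, adding a new D3FEND technique means extending the taxonomy input, not adding another event class; the `status` field covers the "Unsuccessful Remediation" case from the PR description without a separate result document.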

@maxhotta
Contributor Author

Closing PR; this was taken forward by Paul in #1066.

@maxhotta maxhotta closed this May 21, 2024