Skip to content

Latest commit

 

History

History
102 lines (47 loc) · 2.45 KB

T1489-Service-Stop.md

File metadata and controls

102 lines (47 loc) · 2.45 KB

Playbook: Service Stop

MITRE

Tactic Technique ID Technique Name Sub-Technique Name Platforms Permissions Required
(P) Preparation
  
 

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.


Investigate

TODO: Expand investigation steps, including key questions and strategies, for <Type of Incident>.


Remediate

  • Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
  • Consider the timing and tradeoffs of remediation actions: your response has consequences.

Contain

TODO: Customize containment steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

TODO: Consider automating containment measures using orchestration tools.

  • Inventory (enumerate & assess)
  • Detect | Deny | Disrupt | Degrade | Deceive | Destroy
  • Observe -> Orient -> Decide -> Act

Eradicate

TODO: Customize eradication steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

Reference: Remediation Resources

TODO: Specify financial, personnel, and logistical resources to accomplish remediation.


Communicate

TODO: Customize communication steps for <Type of Incident>

TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to overall plan.

In addition to the general steps and guidance in the incident response plan:


Recover

TODO: Customize recovery steps for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

In addition to the general steps and guidance in the incident response plan:


Lessons Learned

TODO: Add items that will occur post recover.

  1. Perform routine cyber hygiene due diligence
  2. Engage external cybersecurity-as-a-service providers and response professionals

Resources

Additional Information

  1. "Title", Author Last Name (Date)