Runbooks comprise a particular methodology, a series of tactics, techniques, and procedures collectively known as TTPs. Runbooks are executed and turned into an engagement tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
RunbooksDB enables the reuse of the pieces that build an engagement to decrease the time spent on authoring and decrease errors when creating the TTPs.
Users access RunbooksDB by clicking Content Library in the application's main menu and then clicking RunbooksDB.
The RunbooksDB page consists of the following tabs:
- Repositories: A collection of reusable procedures to which access can be controlled.
- Procedures: A grouping of execution steps that need to be accomplished. For example, if a tactic is persistence and the technique is browser extensions, then a procedure could detail how a hostile browser extension is injected to maintain persistence.
- Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
- Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. A tactic usually represents a type of attack, such as persistence or privilege escalation from the MITRE ATT&CK framework. It can also be a logical grouping or structure for techniques.
- Methodologies: A grouping of tactics that are put into a runbook. A methodology contains a title, ID, description, and the series of tactics selected. Tactics can be chosen to apply to the methodology when used as a runbook. This is similar to how MITRE ATT&CK is broken down, where the methodology represents the framework for TTPs.