Learning how to use and work with Runbooks


What are Runbooks? How can I use them? How will they save me time? The following is an overview with links describing the pieces that make up Runbooks:
  • Script red and blue team engagements down to the procedure level
  • Create repeatable playbooks to iteratively test enhancements to your defenses
  • Focus testing efforts on key areas of the attack life cycle (if desired), for example by using the built-in MITRE ATT&CK as a guide
  • Focus and coordinate Red and Blue Team efforts for a unified security posture
A Runbook is composed of a particular Methodology and a series of Tactics, Techniques, and Procedures, collectively known as TTPs. A Runbook is then executed and turned into an Engagement, which is tied to a specific Client. Later, once the Engagement is finished and submitted, it becomes a Report for that Client.
A Methodology is a grouping of Tactics that are put into a Runbook. It contains a Title, ID, Description, and the series of Tactics selected. You select which Tactics apply to the Methodology when it is used as a Runbook. This is similar to how MITRE ATT&CK® is broken down, where the Methodology represents the framework for your TTPs. MITRE ATT&CK would be a Methodology, and it is included with the PlexTrac Runbooks Module.


A Tactic is a grouping of Techniques. After being populated, Tactics are added to a Methodology for use in a Runbook. A Tactic usually represents a type of attack from the MITRE ATT&CK® framework, such as persistence or privilege escalation. It can also be as simple as a logical grouping or structure for Techniques.
A Technique is a grouping of Procedures. After being built, Techniques are added to a Tactic for use in a Runbook. This is similar to how the Techniques in MITRE ATT&CK® are broken down, where each is a particular type of Tactic. For example, if your Tactic is Persistence, you might build a Technique for Browser Extensions.
A Procedure is a grouping of Execution Steps and detailed information. This is similar to the Procedures in MITRE ATT&CK®. Each Procedure has a series of Execution Steps that need to be accomplished to complete the Procedure. For example, if your Tactic is Persistence and your Technique is Browser Extensions, then you might have a Procedure detailing how a hostile Browser Extension is injected to maintain persistence. If desired, a Procedure can contain any number of Execution Steps, perhaps including remediation steps.


Runbooks bring Methodology, Tactics, Techniques, and Procedures together into information sets that can be used to coordinate a team or teams towards a unified security posture. Runbooks can be executed multiple times, each execution turning them into Engagements, or edited to add or remove TTPs.
Engagements are Runbooks that are being executed towards a specific Client. They allow Procedures and their associated Execution Steps to be completed for Red and Blue Teams. This includes outcomes for Procedures, adding attachments or evidence, writing out Procedure Logs for evidentiary support, showing Targeted Assets, Attack Source, and any additional notes. Once you start an Engagement towards a specific client, it will create a report inside that client.