A runbook consists of a particular methodology: a series of tactics, techniques, and procedures, collectively known as TTPs. Runbooks are executed and turned into an engagement tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
In PlexTrac, runbook management is separated into two collections/pages: Engagements and Manage.
The Engagements page lists all runbooks that have been executed for a client.
The Manage page is where new runbooks can be created, imported, exported, and edited.
The Manage page consists of the following tabs:
- Procedures: A grouping of execution steps that need to be accomplished. For example, if a tactic is persistence and the technique is browser extensions, then a procedure could detail how a hostile browser extension is injected to maintain persistence.
- Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
- Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. A tactic usually represents a type of attack from the MITRE ATT&CK framework, such as persistence or privilege escalation. It can also be a logical grouping or structure for techniques.
- Methodologies: A grouping of tactics that are put into a runbook. A methodology contains a title, ID, description, and the series of tactics selected. Tactics can be selected to apply to the methodology when it is used as a runbook. This is similar to how MITRE ATT&CK is broken down, where the methodology represents the framework for TTPs.