Runbooks Overview
This page explains runbooks and why they are important.
A runbook comprises a particular methodology: a series of tactics, techniques, and procedures, collectively known as TTPs. Runbooks are then executed and turned into an engagement that is tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
In PlexTrac, runbook management is separated into two collections/pages: Engagements and Manage.
The Engagements page lists all runbooks that have been executed for a client.
The Manage page is where new runbooks can be created, imported, exported, and edited.
The Manage page consists of the following tabs:
  • Procedures: a grouping of execution steps that need to be accomplished. For example, if a tactic is persistence and the technique is browser extensions, then a procedure could detail how a hostile browser extension is injected to maintain persistence.
  • Technique: a grouping of procedures. Techniques are added to a tactic for use in a runbook. For example, if a tactic is persistence, a technique could exist for browser extensions.
  • Tactics: a grouping of techniques. Tactics are added to a methodology for use in a runbook. A tactic usually represents a type of attack, such as persistence or privilege escalation, from the MITRE ATT&CK® framework. It can also be a logical grouping or structure for techniques.
  • Methodologies: a grouping of tactics that are put into a runbook. A methodology contains a title, ID, description, and the series of tactics selected. Tactics can be selected to apply to the methodology when it is used as a runbook. This is similar to how the MITRE ATT&CK® framework is broken down, where the methodology represents the framework for TTPs. MITRE ATT&CK would be a methodology, and it is included with Runbooks.
Click Next to learn how to set up a methodology.