If the repository is not an "Open" type repository, admins can manage users by clicking Users & Permissions.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Click Add User.
Step 4: Enter the user in the pulldown menu and select the permission. Repeat as necessary. Click Add X Users.
Step 5: Edit the permission or delete a user, if needed. Click Done.
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to modify and change permissions from the pulldown menu.
Step 3: When finished, click Done.
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to remove and click the X in that row.
Step 3: When finished, click Done.
Admins can modify the repository name, prefix, description, and access settings.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Repository Settings.
Step 3: Make the desired changes, then click Save.
This action will permanently delete the repository and all its sections for all users.
From the RunbooksDB home page's Repositories tab, click the three dots in the repository card and then click Delete Repository.
A warning message appears asking for validation. Click Delete Repository.
RunbooksDB enables collaborative testing for threat emulation and simulation, known as Purple Teaming. Organizations can create reusable test plans that encompass a set of procedures.
Users access RunbooksDB by clicking Content Library in the application's main menu and then clicking RunbooksDB.
Runbooks comprise a particular methodology, a series of tactics, techniques, and procedures collectively known as TTPs. Runbooks are executed and turned into an engagement tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
RunbooksDB offers several benefits:
Standardization: Runbooks provide standardized procedures and workflows for various tasks and processes. This consistency helps ensure that critical steps are not missed during an operation.
Efficiency: By having predefined procedures and automation scripts within runbooks, teams can respond to incidents and complete tasks more efficiently, which reduces the time and effort required for routine operations.
Consistency: Runbooks help maintain consistency in task performance. This is crucial in cybersecurity and incident response, as consistent procedures are necessary to identify and mitigate threats effectively.
Training and Onboarding: Runbooks are valuable training materials for new team members. They can use runbooks to learn how to perform various tasks and understand best practices, ensuring a smooth onboarding process.
Step 1: From the Repositories tab of the RunbooksDB module, click New Repository.
Step 2: Enter information in the fields and select the desired security access for the repository.
Repository Name: Describes the repository and is displayed on the repository card from the Repositories tab.
Description: Describes the repository.
Repository Access: Defines what users and roles can access the writeups in this repository.
Step 3: Click Create.
The new repository now has a card on the Repositories tab.
Writeup ID Prefix: A three-character value that is unique to this repository. If the prefix already exists, an error message displays after clicking the Create button in Step 3.
Cyber attackers or threat actors use specific methods, tactics, and procedures known as techniques to compromise computer systems, gain unauthorized access, or achieve their malicious objectives. Adversaries use these techniques to exploit vulnerabilities and weaknesses in computer systems and networks.
Step 1: Click the Techniques tab of the RunbooksDB module.
Step 2: Click New Technique.
Step 3: Fill out the provided fields.
Technique Title (required)
Technique ID (required)
Procedures: Click Add Procedures to bring up a new modal to add procedures to the technique.
Tactic: Click Add Tactics to bring up a new modal to add tactics to the technique.
Technique Description: A rich-text field to enter any content, images, or tables to describe the technique.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The technique is now available from the Techniques tab, where it can be viewed, edited, or deleted.
A methodology is a structured approach or framework to guide a comprehensive and systematic process. In cybersecurity, a methodology is often a documented set of guidelines and procedures for performing tasks such as penetration testing, risk assessment, security assessments, or incident response. Methodologies provide a structured way to conduct activities and ensure consistency in approach.
Step 1: Click the Methodologies tab of the RunbooksDB module.
Step 2: Click New Methodology.
Step 3: Enter a methodology title and ID (both fields are required).
Step 4: Click Add Tactics. A modal will appear with available tactics to add to the methodology. Click Select next to the tactics to add, and the selected tactics will appear in the right column.
Step 5: When finished, click Add X Tactics.
Enter a methodology description and any desired tags.
Step 6: Click Save at the top of the page.
The methodology is now available from the Methodologies tab and can be viewed, edited, or deleted from this location.
A procedure is a predefined set of steps and actions that must be followed to accomplish a specific security-related task or address a particular issue. Procedures are often documented and provide a systematic approach to incident response, patch management, access control, and vulnerability assessment. They help ensure that tasks are executed consistently and comply with security policies.
Step 1: Click the Procedures tab of the RunbooksDB module.
Step 2: Click New Procedure.
Step 3: Fill out the provided fields.
Procedure Title (required): The procedure title should include MITRE technique numbers when applicable (e.g., T1027), with an additional local indicator to distinguish it from the official MITRE technique, such as "Obfuscated Files or Information AE-T1027."
Procedure ID (required): The procedure ID should combine the MITRE technique number (e.g., T1027) with an organization-specific identifier and a sequential number, such as "AE-T1027-001" or "T1027-AE-001". This maintains consistency, links to MITRE techniques, and supports standardization within an organization.
RunbooksDB Repository (required): Every procedure must be associated with a RunbooksDB repository and only repositories that the user can edit appear in the pulldown menu.
Procedure Description (required): A rich-text field to enter any content, images, or tables needed to describe the procedure. A procedure description should be detailed and actionable, including clear objectives, step-by-step instructions, and mapping to relevant MITRE ATT&CK techniques. It should be based on real-world adversary behaviors and include technical details, expected outcomes, and potential variations. Additionally, it should provide safety precautions and guidance on detection and mitigation strategies.
Tags: Enter any tags to help future search and filtering tasks.
Execution Steps (required): A set of steps to achieve specific security-related goals and address potential threats or vulnerabilities. A procedure must have at least one step.
Add Step Success Criteria: Click this to access a rich-text field to provide the success criteria of the previously entered step. Good step success criteria should include measurable outcomes that align with the exercise's objectives. These criteria should be based on observable indicators that reflect real-world adversary behaviors. For example, success might be defined as achieving unauthorized access within a certain timeframe using specific tactics.
Add Another Execution Step: Click this button to add additional steps.
Step 4: Click Save at the top of the page.
The procedure is now available from the Procedures tab and can be viewed, edited, or deleted from this location.
Techniques: Click Add Techniques to add existing techniques in RunbooksDB to the procedure. They will then appear on the "New Procedure" page.
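The Procedure ID convention described above can be checked before procedures are entered. The following is an added example, not PlexTrac code: it parses both layouts named on this page ("AE-T1027-001" and "T1027-AE-001"), flags IDs that fit neither, catches the same procedure entered under both layouts, and reports the next free sequence number. The organization code length (2-5 uppercase letters), the three-digit sequence, and the optional ATT&CK sub-technique suffix are assumptions of this example.

```python
import re
from collections import defaultdict

# Both layouts named on the page: ORG-Txxxx-NNN and Txxxx-ORG-NNN.
# Assumptions of this example: ORG is 2-5 uppercase letters, the sequence is
# three digits, and an optional ATT&CK sub-technique suffix (.NNN) is allowed.
_TECH = r"T\d{4}(?:\.\d{3})?"
_PATTERNS = (
    re.compile(rf"^(?P<org>[A-Z]{{2,5}})-(?P<tech>{_TECH})-(?P<seq>\d{{3}})$"),
    re.compile(rf"^(?P<tech>{_TECH})-(?P<org>[A-Z]{{2,5}})-(?P<seq>\d{{3}})$"),
)

def parse_procedure_id(pid):
    """Return (org, technique, seq, layout), or None if the ID fits neither layout."""
    for layout, pat in zip(("org-first", "technique-first"), _PATTERNS):
        m = pat.match(pid.strip())
        if m:
            return m["org"], m["tech"], int(m["seq"]), layout
    return None

def lint_procedure_ids(ids):
    """Report malformed IDs, logical duplicates, mixed layouts and next free sequence."""
    malformed, duplicates, layouts = [], [], set()
    seen = {}                 # (org, technique, seq) -> first ID spelled that way
    used = defaultdict(set)   # (org, technique) -> sequence numbers in use
    for pid in ids:
        parsed = parse_procedure_id(pid)
        if parsed is None:
            malformed.append(pid)
            continue
        org, tech, seq, layout = parsed
        layouts.add(layout)
        key = (org, tech, seq)
        if key in seen:
            # Same procedure written in the other layout, or entered twice.
            duplicates.append((seen[key], pid))
        else:
            seen[key] = pid
        used[(org, tech)].add(seq)
    next_seq = {k: max(v) + 1 for k, v in used.items()}
    return {"malformed": malformed, "duplicates": duplicates,
            "mixed_layouts": len(layouts) > 1, "next_seq": next_seq}

# Constructed sample IDs, not taken from any real repository.
SAMPLE_IDS = ["AE-T1027-001", "AE-T1027-002", "T1027-AE-002",
              "AE-T1059.001-001", "T1027", "ae-t1027-003"]

if __name__ == "__main__":
    print(lint_procedure_ids(SAMPLE_IDS))
```

A `mixed_layouts` result of true means the repository uses both orderings, which defeats sorting and prefix search on the ID column; pick one layout per organization.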
The RunbooksDB home page consists of five tabs:
Repositories: A set of processes that can be reused and have controlled access.
Procedures: A set of steps required to execute a tactic. For example, a procedure for browser extension-based persistence could describe how a malicious extension is injected to maintain persistence.
Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. This usually represents a type of attack, such as persistence or privilege escalation from the MITRE ATT&CK framework. This can also be a logical grouping or structure for techniques.
Methodologies: A grouping of tactics that are put into a runbook. It contains a title, ID, description, and the selected series of tactics. Tactics can be chosen to apply to the methodology when used as a runbook. This is similar to how MITRE ATT&CK is broken down, where the methodology represents the framework for TTPs.
PlexTrac provides, for all instances, a container called "PlexTrac Curated" that contains community-produced procedures on MITRE/CTI.
This repository contains over 1,500 MITRE procedures from the ATT&CK matrix that can be leveraged. It is available to all users and cannot be deleted.
Once a test plan is imported, another default repository is created. This repository contains all procedures included in the imported test plans.
The default repositories cannot be deleted.
Once added, any additional repositories will be displayed on the page alphabetically according to their title.
Each repository card offers an overview of its contents and settings. It includes the Repository Title, which helps identify the repository, and the Repository Type, which can be categorized as Open, Managed, or Private. The meatballs menu provides convenient options for copying or deleting the repository. Additionally, a Repository Description is available for further context. The card also displays the number of procedures contained, giving insight into the repository's complexity, and the number of added users, indicating the level of collaboration or access granted to others.
To view all procedures, click the Procedures tab. This view will display helpful information such as the procedure ID, repository ID, methodology, repository, source, assigned tags, and the ability to edit or delete a procedure.
The table view can be customized by clicking the column view icon to the right of the search bar.
Click the Techniques tab to view all techniques. This view will display the title, ID, leveraged tactics, and the ability to edit or delete them.
The table view can be customized by clicking the column view icon to the right of the search bar.
To view all tactics, click the Tactics tab. This view will display the title, ID, leveraged methodology, and the ability to edit or delete.
The table view can be customized by clicking the column view icon to the right of the search bar.
Click on the Methodologies tab to see all methodologies and find the title, ID, and options to edit or delete them.
Tactics are higher-level categories or strategies used by adversaries to achieve their goals. In the MITRE ATT&CK framework, tactics are broader than techniques and represent the overall objectives of an attack. For example, tactics might include "Execution," "Persistence," "Privilege Escalation," and "Defense Evasion." Tactics encompass a range of techniques that support a specific objective.
Step 1: Click the Tactics tab of the RunbooksDB module.
Step 2: Click New Tactic.
Step 3: Fill out the provided fields.
Tactic Title (required)
Tactic ID (required)
Techniques: Click Add Techniques to bring up a new modal to add techniques to the tactic.
Methodologies: Click Add Methodologies to bring up a new modal to add methodologies to the tactic.
Tactic Description: A rich-text field to enter any content, images, or tables to describe the tactic.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The tactic is now available from the Tactics tab, where it can be viewed, edited, or deleted.