RunbooksDB enables collaborative testing for threat emulation and simulation, known as Purple Teaming. Organizations can create reusable test plans that encompass a set of procedures.
Users access RunbooksDB by clicking Content Library in the application's main menu and then clicking RunbooksDB.
A runbook comprises a particular methodology: a series of tactics, techniques, and procedures, collectively known as TTPs. A runbook is executed as an engagement tied to a specific client; once the engagement is finished and submitted, it becomes a report.
RunbooksDB offers several benefits:
Standardization: Runbooks provide standardized procedures and workflows for various tasks and processes. This consistency helps ensure that critical steps are not missed during an operation.
Efficiency: By having predefined procedures and automation scripts within runbooks, teams can respond to incidents and complete tasks more efficiently. This reduces the time and effort required for routine operations.
Consistency: Runbooks help maintain consistency in the way tasks are performed. This is crucial in cybersecurity and incident response, as consistent procedures are necessary to identify and mitigate threats effectively.
Training and Onboarding: Runbooks are valuable training materials for new team members. They can use runbooks to learn how to perform various tasks and understand best practices, ensuring a smooth onboarding process.
Threat actors use specific methods, known as techniques, to compromise computer systems, gain unauthorized access, or achieve other malicious objectives. A technique describes how an adversary exploits a vulnerability or weakness in a computer system or network.
Step 1: Click the Techniques tab of the RunbooksDB module.
Step 2: Click New Technique.
Step 3: Fill out the provided fields.
Technique Title (required)
Technique ID (required)
Procedures: Click Add Procedures to bring up a new modal to add procedures to the technique.
Tactic: Click Add Tactics to bring up a new modal to add tactics to the technique.
Technique Description: A rich-text field to enter any content, images, or tables to describe the technique.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The technique is now available from the Techniques tab and can be viewed, edited, or deleted from this location.
The RunbooksDB home page consists of five tabs:
Repositories: A set of processes that can be reused and have controlled access.
Procedures: A set of steps required to execute a tactic. For example, a procedure for browser extension-based persistence could describe how a malicious extension is injected to maintain persistence.
Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. A tactic usually represents a type of attack objective, such as Persistence or Privilege Escalation from the MITRE ATT&CK framework, but it can also be any logical grouping or structure for techniques.
Methodologies: A grouping of tactics that are put into a runbook. A methodology contains a title, ID, description, and the series of tactics selected; those tactics apply when the methodology is used as a runbook. This mirrors how MITRE ATT&CK is broken down, with the methodology representing the framework for the TTPs.
PlexTrac provides a repository, present in all instances, called "PlexTrac Curated" that contains community-produced procedures based on MITRE ATT&CK/CTI.
This repository contains over 1100 MITRE procedures from the ATT&CK matrix that can be leveraged. It is available to all users and cannot be deleted.
Once a test plan is imported, another repository called "Import" is created, which contains all procedures that were part of imported test plans.
The default repositories cannot be deleted.
Once added, any additional repositories will be displayed on the page alphabetically according to their title.
Each repository card provides the following information:
Repository Title
Repository Type: Open, Managed, or Private
Meatballs Menu (three dots): options to copy or delete the repository
Repository Description
Number of contained procedures
Number of added users
To view all procedures, click the Procedures tab. This view will display useful information such as the procedure ID, repository ID, methodology, repository, source, assigned tags, and the ability to edit or delete a procedure.
To view all techniques, click the Techniques tab. This view will display useful information such as the title, ID, leveraged tactics, and the ability to edit or delete.
To view all tactics, click the Tactics tab. This view will display useful information such as the title, ID, leveraged methodology, and the ability to edit or delete.
To view all methodologies, click the Methodologies tab. This view will display useful information such as the title, ID, and the ability to edit or delete.
If the repository is not an "Open" type repository, admins have the option of managing users by clicking Users & Permissions.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Click Add User.
Step 4: Type the user's name, select the user from the pulldown menu, and select the permission. Repeat as necessary, then click Add X Users.
Step 5: Edit the permission or delete a user, if needed. Click Done.
Admins can also change the permission of a user already added to the repository.
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to modify and change permissions from the pulldown menu.
Step 3: When finished, click Done.
To remove a user from a repository:
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to remove and click the X in that row.
Step 3: When finished, click Done.
Tactics are higher-level categories or strategies used by adversaries to achieve their goals. In the MITRE ATT&CK framework, tactics are broader than techniques and represent the overall objectives of an attack. For example, tactics might include "Execution," "Persistence," "Privilege Escalation," and "Defense Evasion." Tactics encompass a range of techniques that support a specific objective.
Step 1: Click the Tactics tab of the RunbooksDB module.
Step 2: Click New Tactic.
Step 3: Fill out the provided fields.
Tactic Title (required)
Tactic ID (required)
Techniques: Click Add Techniques to bring up a new modal to add techniques to the tactic.
Methodologies: Click Add Methodologies to bring up a new modal to add methodologies to the tactic.
Tactic Description: A rich-text field to enter any content, images, or tables to describe the tactic.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The tactic is now available from the Tactics tab and can be viewed, edited, or deleted from this location.
To create a new repository:
Step 1: From the Repositories tab of the RunbooksDB module, click New Repository.
Step 2: Enter information in the fields (a red asterisk marks required fields), select the desired security access for the repository, and click Save.
Repository Name: Describes the repository and is displayed on the repository card from the Repositories tab.
Writeup ID Prefix: A three-character value that is unique to this repository. If the prefix already exists, an error message will display after clicking the Create button.
Description: Describes the repository.
Repository Access: Defines what users and roles can access the writeups in this repository.
The new repository now has a card on the Repositories tab.
Admins can modify the repository name, prefix, description and access setting.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Repository Settings.
Step 3: Make the desired changes, then click Save.
Deleting a repository permanently removes the repository and all its sections for all users.
Click the three dots (Meatballs Menu) in the repository card and click Delete Repository.
A warning message appears asking for confirmation. Click Delete Repository.
A methodology is a structured approach or framework to guide a comprehensive and systematic process. In cybersecurity, a methodology is often a documented set of guidelines and procedures for performing tasks such as penetration testing, risk assessment, security assessments, or incident response. Methodologies provide a structured way to conduct activities and ensure consistency in approach.
Step 1: Click the Methodologies tab of the RunbooksDB module.
Step 2: Click New Methodology.
Step 3: Enter a methodology title and ID (both fields are required).
Step 4: Click Add Tactics. A modal will appear with available tactics to add to the methodology. Select the tactics, click Add X Tactics, and the added tactics appear on the page.
Step 5: Enter a methodology description and any desired tags.
Step 6: Click Save at the top of the page.
The methodology is now available from the Methodologies tab and can be viewed, edited, or deleted from this location.
A procedure is a predefined set of steps and actions that need to be followed to accomplish a specific security-related task or address a particular issue. Procedures are often documented and provide a systematic approach to incident response, patch management, access control, and vulnerability assessment. Procedures help ensure that tasks are executed consistently and comply with security policies.
Step 1: Click the Procedures tab of the RunbooksDB module.
Step 2: Click New Procedure.
Step 3: Fill out the provided fields.
Procedure Title (required): The procedure title should include the MITRE technique number when applicable (e.g., T1027) with an additional local indicator to distinguish it from the official MITRE technique, such as "Obfuscated Files or Information AE-T1027."
Procedure ID (required): The procedure ID should include the MITRE technique number when applicable (e.g., T1027) with an additional local indicator to distinguish it from the official MITRE technique ID, such as "AE-T1027."
RunbooksDB Repository (required): Every procedure must be associated with a RunbooksDB repository, and only repositories that the user can edit appear in the pulldown menu.
Procedure Description (required): A rich-text field to enter any content, images, or tables needed to describe the procedure.
Tags: Enter any tags to help future search and filtering tasks.
Techniques: Click Add Techniques to add existing techniques in RunbooksDB to the procedure. They will then appear on the "New Procedure" page.
Execution Steps (required): A set of steps to achieve specific security-related goals and address potential threats or vulnerabilities. A procedure must have at least one step.
Add Step Success Criteria: Click this to access a rich-text field to provide the success criteria of the previously entered step.
Add Another Execution Step: Click this button to add additional steps.
Step 4: Click Save at the top of the page.
The procedure is now available from the Procedures tab and can be viewed, edited, or deleted from this location.
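The following is an added, constructed reference model of the rules this page states for repositories and procedures (three-character unique Writeup ID Prefix, protected default repositories, at least one execution step, procedures only in repositories the user can edit, the "AE-T1027" local ID convention). It is not PlexTrac code and does not touch the product; the class and method names, the permission levels "editor" and "viewer", the placeholder prefixes for the default repositories, and the assumption that an "Open" repository is editable by every user are all assumptions, since the page only says non-Open repositories have managed users.

```python
"""Constructed model of RunbooksDB repository/procedure rules (not PlexTrac code)."""
import re
from dataclasses import dataclass, field

REPOSITORY_TYPES = {"Open", "Managed", "Private"}
# Default repositories present in every instance; the page says they cannot be deleted.
DEFAULT_REPOSITORIES = {"PlexTrac Curated": "CUR", "Import": "IMP"}  # prefixes are placeholders
# MITRE ATT&CK technique number, e.g. T1027, or sub-technique, e.g. T1027.001.
MITRE_TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")


def local_procedure_id(mitre_id: str, indicator: str) -> str:
    """Build an ID such as "AE-T1027": a local indicator distinguishes the
    procedure from the official MITRE technique ID."""
    if not MITRE_TECHNIQUE.match(mitre_id):
        raise ValueError(f"not a MITRE technique number: {mitre_id}")
    if not indicator.isalnum():
        raise ValueError("local indicator must be alphanumeric")
    return f"{indicator}-{mitre_id}"


@dataclass
class Repository:
    name: str
    prefix: str                       # Writeup ID Prefix: exactly three characters, unique
    access: str                       # Open, Managed or Private
    description: str = ""
    users: dict = field(default_factory=dict)  # user -> "editor" | "viewer" (assumed level names)

    def can_edit(self, user: str) -> bool:
        if self.access == "Open":     # assumption: an Open repository is editable by everyone
            return True
        return self.users.get(user) == "editor"


@dataclass
class Procedure:
    title: str
    procedure_id: str
    repository: str
    description: str
    steps: list                       # execution steps; at least one is required
    success_criteria: dict = field(default_factory=dict)  # step index -> criteria text
    tags: list = field(default_factory=list)
    techniques: list = field(default_factory=list)


class RunbooksDB:
    def __init__(self) -> None:
        self.repositories = {name: Repository(name, prefix, "Open")
                             for name, prefix in DEFAULT_REPOSITORIES.items()}
        self.procedures: dict = {}

    def create_repository(self, repo: Repository) -> None:
        if repo.access not in REPOSITORY_TYPES:
            raise ValueError(f"unknown repository type: {repo.access}")
        if len(repo.prefix) != 3:
            raise ValueError("Writeup ID Prefix must be exactly three characters")
        if any(r.prefix == repo.prefix for r in self.repositories.values()):
            raise ValueError(f"prefix {repo.prefix!r} already exists")
        if repo.name in self.repositories:
            raise ValueError(f"repository {repo.name!r} already exists")
        self.repositories[repo.name] = repo

    def delete_repository(self, name: str) -> int:
        """Delete a repository and every procedure in it; return the number removed."""
        if name in DEFAULT_REPOSITORIES:
            raise PermissionError(f"{name} is a default repository and cannot be deleted")
        del self.repositories[name]
        doomed = [pid for pid, p in self.procedures.items() if p.repository == name]
        for pid in doomed:
            del self.procedures[pid]
        return len(doomed)

    def editable_repositories(self, user: str) -> list:
        """Repositories offered in the New Procedure pulldown, ordered by title."""
        return sorted(name for name, r in self.repositories.items() if r.can_edit(user))

    def create_procedure(self, proc: Procedure, user: str) -> None:
        for label, value in (("title", proc.title), ("ID", proc.procedure_id),
                             ("description", proc.description)):
            if not value:
                raise ValueError(f"procedure {label} is required")
        if proc.repository not in self.editable_repositories(user):
            raise PermissionError(f"{user} cannot edit repository {proc.repository!r}")
        if not proc.steps:
            raise ValueError("a procedure must have at least one execution step")
        if proc.procedure_id in self.procedures:
            raise ValueError(f"procedure ID {proc.procedure_id} already exists")
        self.procedures[proc.procedure_id] = proc


def demo() -> dict:
    """Create a Managed repository, add users, then create a procedure (sample data)."""
    db = RunbooksDB()
    repo = Repository("Purple Team Playbooks", "PTP", "Managed", "constructed sample repository")
    db.create_repository(repo)
    repo.users["alice"] = "editor"    # Users & Permissions: Add User
    repo.users["bob"] = "viewer"
    proc = Procedure(
        title="Obfuscated Files or Information AE-T1027",
        procedure_id=local_procedure_id("T1027", "AE"),
        repository=repo.name,
        description="Checks that the obfuscated-file detection rule fires on the lab host.",
        steps=["Run the approved test sample on the lab host.",
               "Confirm the EDR alert reaches the SIEM within the agreed window."],
        success_criteria={1: "Alert visible in the SIEM with the correct host name."},
        tags=["purple-team", "defense-evasion"],
    )
    db.create_procedure(proc, "alice")
    return {"alice_can_edit": db.editable_repositories("alice"),
            "bob_can_edit": db.editable_repositories("bob"),
            "procedure_ids": sorted(db.procedures)}
```

In the sample, bob is only a viewer of the Managed repository, so it is absent from his pulldown list while the Open default repositories still appear for both users.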