RE&CT is in a constant state of development. We are always on the lookout for new information to help refine and extend what is covered. If you have additional Incident Response techniques, know about variations on one already covered, or have other relevant information, then we would like to hear from you.
All contributions and feedback to RE&CT are appreciated. Please don't hesitate to tell us what you think could be improved by submitting a GitHub issue.
If you would like to contribute a Response Action only, you need to follow How to add a new feature or create a pull request guidelines, points 1, 2, 3, 5, 7, 8, bypassing 4 and 6, as you don't need the development environment.
Here is an example of good Response Action — RA3101: Block external IP address:
```yaml
title: RA_3101_block_external_ip_address
id: RA3101
description: >
  Block an external IP address from being accessed by corporate assets
author: '@atc_project'
creation_date: 2020/01/31
stage: containment
requirements:
  - MS_border_firewall
  - MS_border_proxy
  - MS_border_ips
  - MS_border_ngfw
  - MS_host_firewall
workflow: |
  Block an external IP address from being accessed by corporate assets, using the most efficient way.
  Warning:
  - Be careful blocking IP addresses. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster IP address, you should block (if applicable) a specific URL using alternative Response Action
```

This is a good example because:

- It is system-agnostic: it doesn't include any specific system; the systems are listed in the `requirements` field and can easily be extended
- It is detailed enough to be actionable and useful
- It provides some important notes for a user
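The warning in the workflow above is the part of RA3101 a responder actually has to operationalise: an IP that sits in cloud or shared-hosting space should not be blocked outright, and internal space should never reach a border block list at all. The following is an added example for this guide, not RE&CT project code: a small decision helper built on Python's standard `ipaddress` module. The CIDR lists in it are constructed placeholders taken from the documentation ranges (RFC 5737 / RFC 3849), not real provider allocations; the `index_from_aws_ranges` helper only assumes the field names of the range file AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
"""Decide whether an external IP can be blocked outright (RA3101) or whether
it belongs to shared cloud/hosting space, where blocking the specific URL is
the safer response action.

Added example for the contribution guide; not RE&CT project code.
All CIDR data below is constructed placeholder data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Index = List[Tuple[Network, str]]

# Constructed placeholders standing in for provider-published ranges
# (documentation prefixes only). Real data must be fetched from the
# providers themselves and refreshed regularly.
SHARED_RANGES: Dict[str, List[str]] = {
    "example-cloud": ["203.0.113.0/24", "2001:db8:1::/48"],
    "example-hoster": ["198.51.100.0/25"],
}

# Internal / non-routable space that must never land on a border block list,
# so a typo in a containment ticket fails closed instead of blocking the LAN.
NEVER_BLOCK: List[Network] = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def build_index(ranges: Dict[str, List[str]]) -> Index:
    """Flatten owner -> CIDRs into (network, owner) pairs for lookup."""
    return [(ipaddress.ip_network(cidr, strict=False), owner)
            for owner, cidrs in ranges.items() for cidr in cidrs]


def index_from_aws_ranges(doc: dict, owner: str = "aws") -> Index:
    """Build an index from a document shaped like AWS's published
    ip-ranges.json: 'prefixes' entries carry 'ip_prefix', 'ipv6_prefixes'
    entries carry 'ipv6_prefix'."""
    cidrs = [p["ip_prefix"] for p in doc.get("prefixes", [])]
    cidrs += [p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])]
    return build_index({owner: cidrs})


def owner_of(addr: Address, index: Index) -> Optional[str]:
    """Return the owner label of the first range containing addr, if any."""
    for net, owner in index:
        if addr.version == net.version and addr in net:
            return owner
    return None


def block_decision(ip: str, index: Index) -> Dict[str, str]:
    """Map a candidate IP to one of: reject, block_url, block_ip."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return {"ip": ip, "action": "reject", "reason": "not a valid IP address"}
    if any(addr.version == n.version and addr in n for n in NEVER_BLOCK):
        return {"ip": ip, "action": "reject",
                "reason": "internal or non-routable address"}
    owner = owner_of(addr, index)
    if owner is not None:
        return {"ip": ip, "action": "block_url",
                "reason": f"shared infrastructure ({owner}); "
                          "block the specific URL instead"}
    return {"ip": ip, "action": "block_ip",
            "reason": "not in any known shared range"}


if __name__ == "__main__":
    idx = build_index(SHARED_RANGES)
    for candidate in ["203.0.113.45", "198.51.100.200", "10.4.4.4",
                      "2001:db8:1::10", "bogus"]:
        d = block_decision(candidate, idx)
        print(f"{d['ip']:>16}  {d['action']:<9}  {d['reason']}")
```

The `block_url` outcome is exactly the "alternative Response Action" the warning refers to; the `reject` outcome is the check the RA does not spell out but which any blocking workflow should have in front of it.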
For now, we would like to focus on a high-level definition of what should be done at a specific IR stage. It isn't necessary to describe a specific way to configure an IP blocking policy on a specific IPS solution (or any other system), since that is its basic functionality. If an organization has an IPS, we assume that they know how to use it. If not, RE&CT will not (and is not supposed to) help.
Please use the same approach for your contribution.
You can pick one of the Response Actions marked by the "*" sign in the Matrix. The links lead to GitHub issues that you can use to contribute your analytics. All of the Response Actions mentioned in the issues have a special placeholder file with a pre-defined ID and description that you should use to contribute your analytics. Don't hesitate to put your name in the `author` field, since these issues and placeholders have been created for one reason: to describe the way RE&CT should grow.
If you would like to contribute a completely new Response Action, please use a special Response Action template.
If you would like to contribute a Response Playbook only, you need to follow How to add a new feature or create a pull request guideline, points 1, 2, 3, 5, 7, 8, bypassing 4 and 6, since you don't need the development environment.
Please use a special Response Playbook template and existing RP0001: Phishing email response playbook as a reference.
First, please refer to contribution-guide.org for the steps we expect from contributors before submitting an issue or bug report. Be as concrete as possible, include relevant logs, package versions etc.
The proper place for open-ended questions is Slack or Telegram.
1. Fork the atc-react repository
2. Clone your fork: `git clone https://github.com/<YOUR GITHUB USERNAME>/atc-react.git`
3. Create a new branch based on `develop`: `git checkout -b my-feature develop`
4. Set up your Python environment
   - Create a new virtual environment: `pip install virtualenv; virtualenv atc_env` and activate it:
     - For Linux: `source atc_env/bin/activate`
     - For Windows: `atc_env\Scripts\activate`
   - Install ATC and its test dependencies in editable mode: `pip install -r requirements.txt`
5. Implement your changes
6. Check your code for PEP8 requirements
7. Add files, commit and push: `git add ... ; git commit -m "my commit message"; git push origin my-feature`
8. Create a PR on GitHub. Write a clear description for your PR, including all the context and relevant information, such as:
   - The issue that you fixed, e.g. `Fixes #123`
   - Motivation: why did you create this PR? What functionality did you set out to improve? What was the problem, and an overview of how you fixed it? Whom does it affect and how should people use it?
   - Any other useful information: links to other related GitHub or mailing list issues and discussions, benchmark graphs, academic papers…

Note that your Pull Request should be made into the `develop` branch, not `master`.