When responding to a breach, or formalizing a threat hunt strategy, note taking is of crucial importance when coordinating with other responders. Whether the meetings are in person or over a conference call, it's vital to record concise, accurate notes about the incident or TTPs. What I kept noticing was that my notebooks would constantly fill up with the same bullet points and feedback, needlessly recording the same responses: IR, Data Leak, WebApp, Details, Points of Contact (POCs), Status, Logs, Indicators, Systems, Objectives, Tasks... it was killing my ability to focus during a meeting, not to mention all the dead whitespace. So I challenged myself to condense this recordkeeping into manageable sections that also allowed flexibility for recording investigation requirements and tracking the progress of the various objectives and tasks. This iterative process morphed into the Blue Team Planner, and its simple style can very nearly record an entire investigation's lifecycle in only six small pages.
The six-page, structured "Investigation Template" is grouped by progressive stages throughout the incident or hunt. It is a no-frills, block-style design that maximizes data tracking by grouping important topics. The pages are also arranged so that each pair of opposing pages is relevant to the topic or task at hand. Let's look at the first section of an Investigation Template, for customer requirements and objectives.
Here you will notice that each of the two opposing pages relates to investigation data, which, not surprisingly, is the first section. This makes it easy to write without having to flip to other sections. Also notice the check boxes for frequently recorded data points: just check the corresponding box and save your ink. You have a good amount of space to record concisely, and a small snippet of graph paper for freehand note taking, like a quick network diagram.
The Event Tracking pages also oppose each other and allow for essential tracking of tasks, timeline, systems, and indicators. Each task can be checked off with a "FIN" when completed and shows which blue team member was responsible. Tracking the timeline of events as they are uncovered is vitally important to assemble as accurate a picture as possible of the incident or hunt undertaken on a network. Lastly, plenty of space was left for Systems possibly involved and Indicators. These sections are for noting systems likely involved and the possible indicators found across those systems, e.g. a persistence technique or binaries on a compromised system. I pretty much left it open to the user to decide.
And finally we have the "Reports Data" pages to record all the findings and recommendations for the responders or blue team to act on. These sections can be added to periodically throughout an investigation as issues are found and solutions devised. A sheet of bullet paper was included as the last page so users can create their own freeform notes or tracking mechanism, or just doodle some thoughts.
In the back are 40 sheets of graph paper and bullet paper for other note-taking adventures, and a Contacts section for POCs and team member details.
I truly hope users find the Blue Team Planner useful in their engagements. Many months of trial and error went into the composition of this planner, and I'm sure many more revisions will be made over time. I'm available for feedback @netmux on corrections, enhancements, or suggestions on how to make the Blue Team Planner even better. I look at this as an evolving planner that tries to simplify an investigation and let team members focus more on the task at hand. Hopefully I have accomplished this goal for many of you.