James Bruhl, Director of Cyber Threat Intelligence, DefenseStorm
December 2, 2024
COMMENTARY
When discussing an incident response (IR) library, it's not about the number of books on a shelf related to incident response planning, how to create plans and playbooks, or the latest theories or frameworks. It's about your actual incident response plan and its accompanying playbooks. Does your organization even have them, or, if something happens, do you just rely on someone from the IT department to handle it? Unfortunately, the latter scenario is often the case. Even if playbooks exist, they usually haven't been updated in years — and that's if anyone can find them or remember where they're kept. Let's explore the difference between various IR plans and playbooks, emphasizing the importance of playbooks and providing some basic guidance on how to construct them.
What Is an Incident Response Plan?
The Cybersecurity and Infrastructure Security Agency (CISA) defines an IR plan as "a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. Your IR plan will clarify roles and responsibilities and provide guidance on key activities. It should also include a list of key people who may be needed during a crisis." Essentially, it provides overall guidance for workflow when an incident occurs.
Incident playbooks, on the other hand, should be part of the IR plan. They provide procedural guidance for specific incidents, helping to standardize responses and detailing actions to remediate specific incidents. Most organizations usually have some form of IR plan stored somewhere, but playbooks are often where documentation is lacking.
Several reasons why playbooks are essential include:
Standardization: They help standardize actions for a given incident. While each incident may have unique qualities, some standard steps can be documented and applied to nearly every case. For example, in an email account compromise, the compromised account should usually be disabled.
Efficiency: Playbooks help decrease downtime by eliminating the need to find the one person who knows how to disable an account or isolate a host. A well-written playbook allows most people in similar roles to complete these actions.
Confidence and trust: They build confidence and trust within the organization that incidents will be handled consistently and appropriately.
Preparedness: Playbooks enhance overall preparedness and help companies comply with reporting guidelines.
Cost reduction: Limiting downtime reduces the monetary cost of an incident (e.g., fines, penalties, legal costs) and mitigates reputational damage. According to IBM's "2023 Cost of a Data Breach Report," IR planning and testing, including playbook creation, are among the top three most effective cost mitigators. The report states that the average cost of a breach is now $4.45 million, with a difference of $1.49 million (34.1%) between organizations with high levels of IR planning and those with little to none. Additionally, organizations with a functioning and tested IR plan reduced dwell time by 54 days.
Creating Playbooks
At their most basic, playbooks are procedural documents — a step-by-step guide on how to complete specific actions tied to an overall incident. Let's use a malware infection on a typical user workstation as an example. You get a notification of a malware detection — now what?
Initial analysis: Who does the initial analysis, and using what tools/resources? What questions need to be answered at this phase to determine the next steps?
Containment: Who performs containment, and how? Document the process and the checks that confirm containment succeeded.
Backup check: Check backups for infection and cleanliness before restoration. Determine how far back to restore from, how to restore, and what tools to use.
Removal: How to remove the malware, what tools are used, a step-by-step guide, and how to verify removal. Decide whether to wipe and reimage or attempt manual removal.
The above is not all-inclusive but provides a brief example of the type of information, steps, and considerations that could go into a malware removal playbook. This example can and should be expanded and made more granular. Using screenshots in your playbooks is also recommended. Generally, when constructing a playbook, you can follow an outline like this:
Introduction: What are you solving for? What is the playbook for?
Roles and responsibilities: Who is doing what and who is responsible for completing steps?
Incident response phases: Tools used, how-tos, identification, containment, eradication, recovery, after-action.
Communication plan: Who should be notified, when to notify different teams, legal counsel and attorney-client privilege considerations, C-suite notification, etc.
The structure of this outline may be modified depending on the specific type of incident for which you are developing a playbook.
Topics for Crafting Playbooks
Develop playbooks for every potential security issue imaginable. Some scenarios include malware infection, phishing attacks, account compromise, data breach, data loss prevention, insider threats, denial-of-service attacks, lost or stolen devices, unauthorized access incidents, and misconfigurations.
Once playbooks are in place, ensure those who need to use them know where to find them. They are useless if no one knows where they are when needed. Regularly test and review them to ensure tooling and processes are still applicable. Do this at least twice a year.
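The outline above and the twice-yearly review requirement lend themselves to a mechanical check. The following is an added example, not code from the author or from DefenseStorm: a small linter that treats playbooks as structured documents and flags the failure modes the text describes (missing sections, phases with no steps, steps with no named owner or no verification check, and playbooks not reviewed within about six months). The section names, step fields, review interval and the two sample playbooks are all constructed assumptions for illustration, not a published schema.

```python
"""Lint incident-response playbooks for the structural checks described in the text.

Constructed example: playbooks are plain dicts here (a YAML loader would produce
the same shape); section and field names are assumptions, not a published schema.
"""
from datetime import date, timedelta

# One section for each heading of the playbook outline.
REQUIRED_SECTIONS = ("introduction", "roles", "phases", "communication")
# The phases the outline names under "Incident response phases".
REQUIRED_PHASES = ("identification", "containment", "eradication", "recovery", "after_action")
# "Review them at least twice a year": roughly six months (assumed threshold).
REVIEW_INTERVAL = timedelta(days=183)
# Constructed "today" for the sample run.
REVIEW_DATE = date(2024, 12, 2)


def lint_playbook(playbook: dict, today: date) -> list:
    """Return a list of findings; an empty list means the playbook passes."""
    findings = []

    for section in REQUIRED_SECTIONS:
        if not playbook.get(section):
            findings.append(f"missing section: {section}")

    phases = playbook.get("phases") or {}
    for phase in REQUIRED_PHASES:
        steps = phases.get(phase) or []
        if not steps:
            findings.append(f"phase has no steps: {phase}")
            continue
        for number, step in enumerate(steps, start=1):
            # Every step names who does it and how completion is verified,
            # so the response does not depend on "the one person who knows".
            if not step.get("owner"):
                findings.append(f"{phase} step {number}: no owner role")
            if not step.get("verify"):
                findings.append(f"{phase} step {number}: no verification check")

    last_reviewed = playbook.get("last_reviewed")
    if last_reviewed is None:
        findings.append("never reviewed")
    elif today - last_reviewed > REVIEW_INTERVAL:
        findings.append(f"stale: last reviewed {last_reviewed.isoformat()}")

    return findings


def lint_all(playbooks: list, today: date) -> dict:
    """Map each playbook title to its findings, so a whole library is reviewed at once."""
    return {pb.get("title", "<untitled>"): lint_playbook(pb, today) for pb in playbooks}


# Constructed sample: the workstation malware playbook sketched in the text.
MALWARE_PLAYBOOK = {
    "title": "Malware detection on user workstation",
    "introduction": "EDR or AV alert for malware on an end-user workstation.",
    "roles": {"analyst": "SOC tier 1", "responder": "Desktop support", "lead": "IR lead"},
    "phases": {
        "identification": [{"owner": "analyst",
                            "action": "Pull the alert, file hash and process tree from the EDR console",
                            "verify": "Alert triaged as true positive or false positive"}],
        "containment": [{"owner": "analyst",
                         "action": "Network-isolate the host from the EDR console",
                         "verify": "Host shows isolated state; no new outbound connections in the timeline"}],
        "eradication": [{"owner": "responder",
                         "action": "Wipe and reimage from the standard image",
                         "verify": "Full scan clean after reimage; EDR agent checked in"}],
        "recovery": [{"owner": "responder",
                      "action": "Restore user data from the last backup taken before first detection",
                      "verify": "Restored data scanned clean before the user regains access"}],
        "after_action": [{"owner": "lead",
                          "action": "Record timeline, root cause and lessons learned",
                          "verify": "Report filed and ticket closed"}],
    },
    "communication": ["Notify IR lead on confirmation", "Notify legal if data exposure is suspected"],
    "last_reviewed": date(2024, 9, 1),
}

# Constructed sample of the kind of playbook the text warns about: thin and years old.
STALE_PLAYBOOK = {
    "title": "Phishing",
    "introduction": "User reports a phishing email.",
    "phases": {"identification": [{"action": "Look at the email"}]},
    "last_reviewed": date(2021, 3, 15),
}


if __name__ == "__main__":
    for title, findings in lint_all([MALWARE_PLAYBOOK, STALE_PLAYBOOK], REVIEW_DATE).items():
        print(f"{title}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the two samples, the malware playbook passes and the phishing playbook produces nine findings: two missing sections, an identification step with neither owner nor verification check, four phases with no steps, and a last-reviewed date more than six months old. Wiring a check like this into the repository where playbooks live turns "regularly test and review them" from a calendar reminder into something that fails visibly when it is skipped.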
Ultimately, the importance of playbooks to accompany your IR plan cannot be overstated. They provide efficiency and consistency in responses, help reduce downtime and dwell time, and can be a cost-saving and reputation-saving measure for your organization.