More about Playbooks

Previously, you learned that playbooks are tools used by cybersecurity professionals to identify and respond to security issues. In this reading, you’ll learn more about playbooks and their purpose in the field of cybersecurity.

Playbook Overview

A playbook is a manual that provides details about any operational action. Essentially, a playbook provides a predefined and up-to-date list of steps to perform when responding to an incident.

Purpose and Strategy

  • Strategy: Outlines expectations of team members assigned a task and lists the individuals responsible.
  • Plan: Dictates how the specific task outlined in the playbook must be completed.
  • Living Documents: Frequently updated to address industry changes and new threats.
  • Collaborative Effort: Managed collaboratively since security team members have different levels of expertise.

Reasons for Updates

  • Identified Failure: Oversights in outlined policies and procedures or in the playbook itself.
  • Industry Standards Changes: Changes in laws or regulatory compliance.
  • Evolving Threats: Changes in the cybersecurity landscape due to evolving threat actor tactics and techniques.

Types of Playbooks

Playbooks sometimes cover specific incidents and vulnerabilities, such as ransomware, vishing, business email compromise (BEC), and other attacks. Incident and vulnerability response playbooks are very common, but organizations develop various other types of playbooks as well.

Factors Affecting Playbook Content

  • Government-Imposed Laws and Regulations: Affect content based on where the incident originated and the type of data affected.
  • Compliance Standards: Differ by country and influence the playbook content.

Incident and Vulnerability Response Playbooks

These playbooks are developed based on the goals outlined in an organization’s business continuity plan, which is an established path forward allowing a business to recover and continue to operate despite a disruption like a security breach.

  • Purpose: Contains predefined and up-to-date lists of steps to perform when responding to an incident.
  • Necessity: Ensures adherence to legal and organizational standards and protocols, minimizes errors, and ensures actions are performed within a specific timeframe.

Risk and Urgency

  • Risk Formula: Risk equals the likelihood of a threat.
  • Forensic Tasks: Mishandling evidence during a response can compromise forensic data, making it unusable.

Common Steps in Incident and Vulnerability Playbooks

  1. Preparation
  2. Detection
  3. Analysis
  4. Containment
  5. Eradication
  6. Recovery from an Incident
  7. Post-Incident Activities
  8. Coordination of Efforts

Key Takeaways

  • Refinement: Essential to refine processes and procedures outlined in a playbook.
  • Learning and Improvement: With every documented incident, consider lessons learned and improvements needed.
  • Structure and Compliance: Playbooks create structure and ensure compliance with the law.

Resources for More Information

Incident and vulnerability response playbooks are only two examples of the many playbooks that an organization uses. If you plan to work as a cybersecurity professional outside of the U.S., you may want to explore the following resources: