I have often talked about the benefits of employing flexible playbooks to deal with evolving cyber incidents and unique threat scenarios, and in these series of blogs, I am going to explore some of the points of emphasis when creating a new playbook.
The advantage to Security Automation and Orchestration (SAO) platforms, and in particular our IncMan platform, is the ability it provides to tailor playbooks or runbooks to deal with all manner of cyber incidents. These Playbooks are defined by three key factors:
1.Phases: Determine the number of phases for the response process based on the incident scenario. The phases are really a placeholder for what you are trying to achieve in your response.
2.Automation: How much automation will benefit the given scenario without hindering or otherwise adversely impacting your business.
3.Actions: What actions apply to each phase and what is the benefit to each action.
Wash, Rinse, Re-playbook.
Play books, or runbooks, should never be static and hard-coded for a fixed set of events. Ultimately, incidents will differ and you should always remain in control, ready to adapt and adjust the response workflow. This flexibility is vital should a Plan B need to be executed. The approach of IncMan to security playbooks & runbooks support both mature and emerging SOC teams by providing multi-flow advanced runbooks to the former, and for the less mature, a simplified playbook containing a dual mode where automation and manual actions can co-exist.
In talking with CSIRT/SOC managers, I have learned that they have typically aligned themselves with a particular standard. Most organizations follow the likes of ISO for Incident Response, NIST
800-62 or alternatives along the lines of CREST or NISA. Structured incident handling processes based on these standards are a great baseline, but how about also having actions and reactions pre-prepared and ready to respond immediately according to the threat you face? Can you see the instant advantage in having smaller, simpler playbooks and runbooks specific to an adversary or threat scenario?
Dealing with incidents with tailored playbooks will ultimately provide better threat coverage as each has enrichment and containment actions that are concentrated on the tasks specific to a given scenario. Additionally, allowing your SAO product to tie the dots to bring enrichment to the observables and the indicators encountered in incidents will bring measurable value to the increased speed of the incident response process. Allowing analysts dynamic interaction at all phases of the workflow will help also help your reactions become more efficient. This mix of structured playbooks and dynamic response capability can also help push the CSIRT teams into a more pro-active mindset, allowing system and network-level security policy and infrastructure configuration changes to be handled on the fly while leveraging current and accurate information, and all from a single response console.
The United States Computer Emergency Readiness Team (CERT) has announced that it will implement new cybersecurity notification guidelines, which are going to have a significant impact on how government agencies and organizations from the private sector deal with cyber incidents.
As the US-CERT states, the new guidelines will impose new requirements regarding notifications on cybersecurity incidents, that must be complied with by all Federal Departments and agencies; state, local, tribal, and territorial government agencies; along with private-sector organizations, and Information Sharing and Analysis Organizations. The cybersecurity notification guidelines will include a specific procedure involving how, when, and who the covered entities will be required to notify after they detect an incident within their organizations.
Identifying Incidents Through a Seven-Step Process
According to the guidelines, in order for an agency to be able to notify the CERT of an incident properly, it will have to complete a process consisting of seven steps. For starters, the agency must identify the current level of impact an incident has on its services or functions. Then, identification of the type of information lost, compromised, or corrupted, is required. This step should be followed by an estimation of the scope of time and resources that an agency will have to spend in order to recover from the incident.
Next, agencies should identify when the activity was first detected, after which they will be required to identify how many systems, records, and users have been impacted. The final two steps are the identification of the location of the network the activity was observed in, and identification of the point of contact information for additional follow-up.
After completing the above-named steps, agencies will have to submit the notification to the US-CERT, with a specific set of information that is required to be included in the notification, such as:
- Information on the attack vector(s) that lead to the incident
- Indicators of compromise
- Information related to any mitigation activities that the agency has taken in response to the incident
Incident Response Platforms
In order to be able to comply with the new requirements regarding cybersecurity incident notifications, organizations are advised to employ a cybersecurity platform that provides a comprehensive and automated incident and forensic case management.
A platform that provides you with a set of playbooks specifically tailored to many potential cyber threats. Your organization can save a great deal of time and resources by using a tool that can create automated incident reports and send them to your cybersecurity team, a process which would be in compliance with the new US-CERT guidelines.
Considering that the cybersecurity incident notification process under the new cybersecurity notification guidelines is extensive and can be challenging for some organizations that do not have the resources or the knowledge necessary to complete it, acquiring a platform that can do all the required steps for you is the best solution for all entities covered by the guidelines. This is where a platform containing prioritized workflows designed to help your business respond to current threats and prepare your cyber defense systems for future threats, which are bound to occur eventually, can come in handy. Finally, considering the upcoming US-CERT guidelines, every private-sector organization and government agency could use a platform that can track digital evidence and entire investigative processes, as some of the key steps that should be performed when notifying authorities of an incident.