I have often talked about the benefits of employing flexible playbooks to deal with evolving cyber incidents and unique threat scenarios, and in this series of blogs, I am going to explore some of the points of emphasis when creating a new playbook.
The advantage of Security Orchestration, Automation and Response (SOAR) platforms, and in particular our IncMan platform, is the ability they provide to tailor playbooks or runbooks to deal with all manner of cyber incidents. These playbooks are defined by three key factors:
1. Phases: Determine the number of phases for the response process based on the incident scenario. The phases are really a placeholder for what you are trying to achieve in your response.
2. Automation: How much automation will benefit the given scenario without hindering or otherwise adversely impacting your business.
3. Actions: What actions apply to each phase and what is the benefit of each action.
Wash, Rinse, Re-playbook.
Playbooks, or runbooks, should never be static and hard-coded for a fixed set of events. Ultimately, incidents will differ and you should always remain in control, ready to adapt and adjust the response workflow. This flexibility is vital should a Plan B need to be executed. The IncMan approach to security playbooks and runbooks supports both mature and emerging SOC teams by providing multi-flow advanced runbooks to the former and, for the less mature, a simplified playbook containing a dual mode where automation and manual actions can co-exist.
In talking with CSIRT/SOC managers, I have learned that they have typically aligned themselves with a particular standard. Most organizations follow the likes of ISO for Incident Response, NIST 800-62 or alternatives along the lines of CREST or NISA. Structured incident handling processes based on these standards are a great baseline, but how about also having actions and reactions pre-prepared and ready to respond immediately according to the threat you face? Can you see the instant advantage in having smaller, simpler playbooks and runbooks specific to an adversary or threat scenario?
Dealing with incidents with tailored playbooks will ultimately provide better threat coverage, as each has enrichment and containment actions that are concentrated on the tasks specific to a given scenario. Additionally, allowing your SOAR product to connect the dots and enrich the observables and indicators encountered in incidents will bring measurable value by increasing the speed of the incident response process. Allowing analysts dynamic interaction at all phases of the workflow will also help your reactions become more efficient. This mix of structured playbooks and dynamic response capability can also help push CSIRT teams into a more proactive mindset, allowing system and network-level security policy and infrastructure configuration changes to be handled on the fly while leveraging current and accurate information, all from a single response console.
A recently proposed bill promises to be a great help to small entities as they try to fend off the increasing number of cyber threats that they have been seeing in recent years. The NIST Small Businesses Cybersecurity Act of 2017 was recently approved by the US House Committee on Science, Space and Technology, and will soon be headed to the Senate.
The main goal of the legislation is to instruct the National Institute of Standards and Technology (NIST) to allocate resources to “help small business concerns identify, assess, manage, and reduce their cyber security risks”. This bill addresses the key issues contributing to the increased cyber security risks faced by small businesses. Among other things, it recommends that the NIST security standards “disseminate resources to promote awareness of basic controls and a workplace cyber security culture”, which are some of the leading challenges for small businesses when it comes to tackling cyber threats.
Sharing information is another important aspect of cyber security that is of great relevance to small businesses and is mentioned in the proposed bill, as well. The NIST security guidelines are designed to help small businesses get the information that they need to improve their cyber defense and resilience to cyber attacks. In this regard, small businesses could use a security automation and orchestration platform, which has the ability to share cyber incident intelligence.
With a platform that has cyber threat intelligence sharing capabilities, small businesses can reduce their reaction time following a cyber security event, which is of utmost importance in terms of containing the damage and bringing their computer systems back into operation as soon as possible. Exchanging information on current and past incidents, while also ensuring that you don’t share any confidential and sensitive data in the process, is one of the key steps of the broader and ongoing process of defending against and preventing cyber attacks, and keeping cyber incidents under control.
Identify Cybersecurity Risks
These types of platforms can also help small businesses identify cyber security risks and track, predict and detect breaches, enabling a proactive approach to cyber security, which is the best way to prevent attacks in this age when cyber criminals keep inventing new ways, methods, and technologies to gain access to organizations’ computer systems.
While the NIST Cybersecurity Act aimed at improving their abilities to protect against cyber attacks would certainly be of great help to them, small businesses should not rely solely on the prospect of seeing such legislation enacted in the future. To be able to get the most out of the NIST security framework, small entities should consider utilizing an automation and orchestration platform as part of their ongoing efforts to improve cyber security today, with the ability to scale as the business grows.
The typical cyber security incident response process is carried out in several stages, and mitigation activities are a significant part of that process, as they are meant to help eradicate an incident and prevent it from expanding. The Cybersecurity Framework, published by the National Institute of Standards and Technology (NIST) back in 2014, offers a separate section on mitigation as part of the broader incident response effort, advising companies on the immediate steps they are supposed to take following a cyber security event.
The NIST Framework section dedicated to mitigation includes the following steps: contain, reduce impact, eradicate, document. Going through all these steps can be time-consuming and can consume a significant amount of a company’s resources, which is why companies need to consider implementing a software solution that can help their cyber security teams save valuable time while performing these tasks. Incident response platforms with automation-and-orchestration capabilities are the ideal solution for every organization that’s required to mitigate cyber security incidents fast and effectively.
Automated Playbooks for Specific Types of Incidents
By using a cyber incident response platform, companies can take advantage of its numerous features relating to mitigation, such as automated playbooks, workflows, evidence tracking for forensic analysis, and reporting, to name a few.
These platforms provide a set of workflows that apply to all different scenarios involving various types of cyber security events, including malware attacks, phishing incidents, or data breaches. The workflows help a company’s cyber security team analyse exactly what action to take depending on the type of attack. For instance, if your company faces a phishing attack, a workflow will guide your CSIRT through the containment process, with actions like checking the source-code of the phishing website and spreading the URL of the attack on all accessible web browsers.
When it comes to reducing the impact of an incident – related to a malware attack, for example – you can use an incident response platform’s playbooks to figure out how to configure servers and email clients to block emails providing suspicious files, after having identified them, or to block malicious code, and how to identify and isolate the host that has been recognized as a source of the infection.
Few Simple Steps to Eradicate and Document
Eradication is also mostly associated with malware attacks, and here a highly effective solution is an automated incident response platform. It can help you identify all vulnerabilities and remove the malware fast from all affected hosts, while also allowing you to proceed to the final stage of the mitigation procedure – documentation of an incident. These types of platforms have the ability to preserve, secure and document digital evidence, to allow a proper forensic analysis that would help determine where the attack came from, how it was conducted, and how similar attacks can be prevented in the future.