Why is an Incident Response Playbook Important?
Hopefully, your organization has never experienced a major cybersecurity incident, and hopefully, you never will.
One of the biggest regrets for those who have experienced a security breach without a strong incident response plan (IRP) in place is not having taken the time to plan for different scenarios ahead of time. This can significantly impact the organization's ability to respond effectively to potential incidents.
Enter the incident response playbook. An incident response playbook is designed to provide a step-by-step walk-through for the most probable and impactful cyber threats to your organization. The playbook will ensure that certain steps of the incident response plan are followed appropriately and serve as a reminder if certain steps are not in place. If you decide to create your own incident response playbook, it is important to note that it should be included in your incident response plan.
Creating a tailored incident response playbook allows your organization to document ways to mitigate the most risk regarding your riskiest threats, including, but not limited to, ransomware, malware, password attacks, and phishing. Recognizing significant threats that have the potential to greatly impact your network and developing detailed walkthrough scenarios on how to combat these threats enables your business continuity and incident response teams to prioritize effectively.
Building an Effective Incident Response Playbook
Follow these seven steps to develop an incident response playbook tailored to your organization's needs.
Step 1: Identify Riskiest Threats
Study your organization’s technology risk assessment(s) and other audit activities, such as penetration tests and vulnerability assessments, to find the top five riskiest threats (cyber or otherwise) for your organization.
Good security requires good governance, which includes your technology risk assessment(s), information security program, penetration testing, vulnerability assessments, and control audits. If you already have a strong information security program (ISP), use that governance to your organization’s advantage!
Using your risk assessment(s) and audit activities to identify your greatest threats will only help your incident response and business continuity teams be prepared for possible upcoming incidents. If your organization does not have a strong ISP, it’s time to start looking into developing one and testing your security to protect your data and your network properly.
Step 2: Identify Common Attack Vectors
Research the common attack vectors around each of the top five threats based on your risk assessment(s) and audit activities, as discussed in Step 1. Understanding how hackers perform such attacks in today’s environment, including the tools they deploy and methods they use, will help you build out better incident response scenarios, which we’ll discuss in more depth in the next few steps.
An excellent example highlighting the importance of staying current on attack vectors is evident when discussing one of today's most alarming incident response scenarios: ransomware. Ransomware has been on the rise for several years; however, the most prominent ransomware attack methods have changed. Attackers will always use the most convenient tools to attack a network. For example, WannaCry was once the most prevalent form of ransomware used by attackers. Then came Bitpaymer, then MegaCortex, then Ryuk, then Stop, and so on. Just like everything else in cybersecurity, attack vector methods are constantly changing, making it even more important to stay educated on recent attack trends.
Step 3: Create Scenarios
Once you have the top five riskiest threats (cyber-threats or otherwise) you identified in the first two steps, create a scenario for each covering how that threat may affect your organization. These incident response scenarios should integrate the findings from your research on how those threats manifest (Step 2) and enable you to outline a realistic scenario of how the threat, such as ransomware, could potentially impact your organization.
For example, while ransomware is the “threat,” the scenario you may want to build out likely includes an employee receiving an intriguing email, clicking on the email, and inadvertently installing ransomware on the network. We’ll highlight more scenarios at the end of this post.
Outlining these scenarios will be your pivot step in preparing for a tabletop walkthrough, which leads us to our next step.
Step 4: Perform a Tabletop Walkthrough
Conduct a hands-on walkthrough of each scenario, either individually or with your team, before moving to an official tabletop test, as outlined in Step 6. This initial walkthrough provides an opportunity to navigate through various scenarios and observe how they mirror real-world situations.
For example, include in your phishing scenario the potential for malware to spread from the malicious email to infect other computers within the organization. This additional step with your incident response scenarios is beneficial as it sheds light on the broader considerations beyond just recognizing phishing emails (how can we prevent malware dissemination?) and opens up discussions on enhancing the response and recovery strategies for these scenarios.
Step 5: Modify Scenarios
After completing walkthroughs, make any necessary changes to the scenarios. Keeping your organization’s walkthrough scenarios up to date is important when performing tabletop tests. This step is crucial in ensuring that your organization stays ahead in the dynamic landscape of cybersecurity.
Step 6: Perform Tabletop Testing
Once you reach this step, your playbook is ready for an official tabletop test with representatives from your incident response and business continuity teams. Tabletop tests are critical to an organization because they reveal where your incident response and business continuity plans need improvement and provide those teams with the opportunity to communicate effectively through conflict.
Tabletop tests should be performed at least annually (more often if needed). Documenting the testing results is extremely important each time testing is performed. Documentation not only proves your organization is staying up to date on testing its incident response and business continuity plans but also outlines areas for improvement and shows that you’re continually exercising your team’s ability and communication effectively.
There is no better way to mimic a possible incident than to test relevant scenarios based on your organization’s risk assessment(s), penetration tests, vulnerability assessments, and other audit activities.
Step 7: Review Your Incident Response Plan
After you perform an official tabletop test of your incident response playbook, it is time to revisit your incident response plan. Following the testing phase, you will have a number of questions to answer and edits to make to your incident response plan. Find answers to those questions and review your IRP to incorporate these answers or modifications.
Keeping your IRP updated with recent changes is good practice. It ensures that your plan is better prepared if an incident were to occur.
Sample Incident Response Walkthrough Scenario
Consider following this walkthrough scenario sample provided by SBS CyberSecurity:
A loan officer at <Bank> headquarters in <City> receives an email from a potential loan customer stating that the customer is moving to the area and looking for a personal loan to help furnish their new home, and they have been told that is the place to go for personal loans! The loan officer begins to exchange communications with the potential customer for a few days, eventually culminating in the customer sending an MS Word Document to the loan officer with the financial information included. The loan officer opens the Word attachment to the email, and immediately, items on his/her workstation begin to act strangely. Suddenly, none of the files on the workstation can be opened and now end in “.crypt”.
A message pops up on the loan officer’s screen demanding payment of 3.5 Bitcoins as ransom for the organization’s now encrypted data. As of December 2019, Bitcoin is Approximately $7,173/Bitcoin, making the ransom in this scenario just shy of $25,000.
Soon after that, other employees begin to report they have a strange note popping up on their screen as well. Before long, all computers – workstations and servers – have the popup on their screens and are unable to function. This is where the Incident Response process begins.
Keep Evolving Your Incident Response Playbook
As your organization continues to grow and expand, the landscape of risks and vulnerabilities also evolves. It is crucial to adapt and enhance your incident response playbook in tandem with this growth.
Revisit your audit activities every time they are performed. This will ensure that you’re staying up to date on what your organization’s network needs to improve upon.
Continue to assess your organization's top threats compared to the vulnerabilities revealed during your audit activities. Re-analyze your IRP and tabletop walkthroughs, and be sure to update these with new scenarios based on updated threats that may affect your organization.
Building an incident response playbook using walkthrough scenarios can be summed up in these seven (7) steps:
- Find the top 5 scenarios that are riskiest for your organization by studying your organization’s audit activities.
- Research the common and up-to-date attack vectors in each of the top 5 scenarios.
- Build walkthrough scenarios based on your research.
- Perform an initial tabletop walkthrough.
- Adjust your tabletop walkthrough scenarios as a result of your initial walkthrough.
- Perform formal tabletop testing with your BCP and IRP teams.
- Revisit your incident response plan and make edits as needed.
Following these steps and preparing your organization to deal with cyber incidents will improve your organization’s cybersecurity posture.
