Skip to main content


7 Steps to Building an Incident Response Playbook

7 Steps to Building an Incident Response Playbook

What is an Incident Response Playbook?

Hopefully, your organization has never experienced a major cybersecurity incident, and hopefully you never will. However, for those that have experienced an incident and did not have a strong Incident Response Plan (IRP) that helped prepare the organization to deal with incidents ahead of time, one of the biggest regrets is not having taken the time to sit down and walk through different and highly impactful incidents.

Enter, the Incident Response Playbook. An Incident Response Playbook is designed to provide a step-by-step walk-through for most probable and impactful cyber threats to your organization. The Playbook will ensure that certain steps of the Incident Response Plan are followed appropriately and serve as a reminder if certain steps in the IRP are not in place. However, if you decide to create your own Incident Response Playbook, it is important to note that it should be included within your IRP.


Why is an Incident Response Playbook Important?

Creating an Incident Response Playbook tailored to your organization allows you to document ways to mitigate the most risk regarding the riskiest Incident Response threats to your organization, including, but not limited to ransomware, malware, password attacks, and phishing. Identifying relevant threats that could be extremely impactful to your network and creating walkthrough scenarios on how to counteract those threats helps your Business Continuity and Incident Response teams focus on what needs to be addressed first.

Below, you will find 7 steps toward creating an Incident Response Playbook appropriate for your organization.


Step 1: Identify Riskiest Threats

Study your organization’s technology risk assessment(s) and other audit activities, such as Penetration Tests and Vulnerability Assessments, to find the top five riskiest threats (cyber or otherwise) for your organization.

Good security requires good security governance, which could include your technology risk assessment(s), Information Security Program, Penetration Testing, Vulnerability Assessments, and Control Audits. If you already have a strong Information Security Program (ISP), use that governance to your organization’s advantage! Using your risk assessment(s) and audit activities to identify your organization’s greatest threats will only help your Incident Response and Business Continuity teams be informed and prepared for possible upcoming incidents. If your organization does not have a strong Information Security Program already, it’s time to start looking into developing an ISP and testing your security to properly protect your data and your network.


Step 2: Identify Common Attack Vectors

Research the common attack vectors around each of the top five threats based on your risk assessment(s) and audit activities, as discussed in Step 1. Understanding how hackers perform such attacks in today’s environment, including the tools they deploy and methods they use, will help you build out better Incidence Response scenarios (which we’ll discuss in the next few steps).

A prime instance of being up to date on an attack vector rings true when discussing one of today’s scariest incident response scenarios: ransomware. Ransomware has been on the rise over the years; however, the most prominent ransomware attack methods have changed. Attackers will always use whatever tools are convenient to attack an organization’s network. For example, WannaCry was once the most prevalent form of ransomware used by attackers. Then came Bitpaymer, then MegaCortex, then Ryuk, and currently, the most common form of ransomware is called Stop. Just like everything else in the cybersecurity field, attack vector methods are constantly changing, making it even more important to stay educated on recent attack trends.


Step 3: Create Scenarios

Take the top five riskiest threats (cyber-threats or otherwise) you have identified in the first two steps and create a scenario for each about how that threat may actually affect your organization. These Incident Response scenarios should incorporate the research you did about how those threats are realized (Step 2) and allow you to document a realistic scenario about how the threat (i.e. ransomware) may happen to you.

For example, while ransomware is the “threat,” the scenario you may want to build out likely includes an employee receiving an intriguing email, clicks on the email, and inadvertently installs ransomware on the network. We’ll highlight more scenarios at the end of this post.

Outlining these Incident Response scenarios will be your pivot step into preparing for a tabletop walkthrough, which leads us to our next step.


Step 4: Perform a Tabletop Walkthrough

Perform a tabletop walkthrough of each scenario on your own or with your team prior to performing an official Tabletop Test, which is covered in Step 6. This first-stage tabletop walkthrough allows you to work through different scenarios and find how they are mimicking real-world instances. For example, if your organization needs to be wary of phishing emails, a part of your phishing scenario should discuss the possibility of malware delivered by the phishing email spreading to other computers in the organization.

Taking that additional step with your Incident Response scenarios can be beneficial because it puts in perspective what your organization needs to consider in addition to just phishing email awareness (how do we stop malware from spreading?) and allows you to discuss what steps in reacting and recovering from these scenarios may need to be improved.


Step 5: Modify Scenarios

Make any changes to the walkthrough scenarios necessary based on your initial tabletop walkthrough. Keeping your organization’s walkthrough scenarios up to date is important to performing Tabletop Tests (next step) and helping to think through how to respond to incidents before they happen. This step will also ensure that your organization is keeping up with the ever-changing field of cybersecurity.


Step 6: Perform Tabletop Testing

Your playbook should be ready for an official Tabletop Test with representatives from your Incident Response and Business Continuity teams. Tabletop Tests are critical to an organization because they reveal where your Incident Response and Business Continuity Plans need to be improved and allow those teams to communicate through conflict effectively. There is no better way to mimic a possible incident than to test relevant scenarios based on your organization’s risk assessment(s), Penetration Tests, Vulnerability Assessments, and other audit activities.

Tabletop Tests should be performed at least annually (more often if needed), and each time a Tabletop Test is performed, documenting the results of your testing is extremely important. Documentation of a Tabletop Test not only proves your organization is staying up to date on testing its Incident Response and Business Continuity Plan, but also outlines areas for improvement and shows that you’re continually exercising your team’s ability and communication effectively.


Step 7: Review Incident Response Plan

After you perform an official Tabletop Test of your Incident Response Playbook, it is time to revisit your Incident Response Plan. After the Tabletop Test, you should have a number of questions that need answers or edits that need to be made to your Incident Response Plan. Find answers to those questions and review your IRP to incorporate these answers or edits. Keeping your IRP updated with recent changes is good practice, it ensures your Plan is better prepared if an incident were to take place.


Sample Incident Response Walkthrough Scenario

A good example of a walkthrough scenario you can use is the following sample SBS CyberSecurity has published:

A loan officer at <Bank> headquarters in <City> receives an email from a potential loan customer stating that the customer is moving to the area and looking for a personal loan to help furnish their new home, and they have been told that is the place to go for personal loans! The loan officer begins to exchange communications with the potential customer for a few days, eventually culminating in the customer sending an MS Word Document to the loan officer with financial information included. The loan officer opens the Word attachment to the email, and immediately items on his/her workstation begin to act strangely. Suddenly, none of the files on the workstation can be opened and now end in “.crypt”.

A message pops up on the loan officer’s screen demanding payment of 3.5 Bitcoins as ransom for the organization’s now encrypted data. As of December 2019, Bitcoin is Approximately $7,173/Bitcoin, making the ransom in this scenario just shy of $25,000. 

Soon after that, other employees begin to report they have a strange note popping up on their screen as well. Before long, all computers – workstations and servers – have the popup on their screens and are unable to function. This is where the Incident Response process begins.


Keep Evolving Your IR Playbook

Building an Incident Response Playbook using Walkthrough Scenarios can be summed up in these seven (7) steps:

  1. Find the top 5 scenarios that are riskiest for your organization by studying your organization’s audit activities
  2. Research the common & up-to-date attack vectors in each of the top 5 scenarios
  3. Build walkthrough scenarios based on your research
  4. Perform an initial tabletop walkthrough
  5. Adjust your tabletop walkthrough scenarios as a result of your initial walkthrough
  6. Perform formal Tabletop Testing with your BCP and IRP teams
  7. Revisit your Incident Response Plan and make edits as needed.

Following these steps and preparing your organization to deal with cyber-incidents will improve your organization’s cybersecurity posture even further.

As your organization grows and expands, so do your risks and vulnerabilities. It’s a good idea to evolve your Incident Response Playbook while your organization evolves, too. Revisit your audit activities every time they are performed. This will ensure that you’re staying up to date on what your organization’s network needs to improve on. In addition to this, continue to assess the top threats that your organization faces compared to the vulnerabilities that are revealed during your audit activities. Re-analyze your IRP and your tabletop walkthroughs and be sure to update these with newfound scenarios based on updated threats that may affect your organization.

If you’re having trouble getting started with creating Emergency Preparedness Testing Scenarios, feel free to reference this download SBS CyberSecurity.


Written by: Kelley Criddle
Information Security Consultant

SBS CyberSecurity, LLC

SBS Resources: 

  • {Download} Eight Emergency Preparedness Scenarios: Engage your team and test your emergency preparedness with eight testing scenarios. Scenarios cover a variety of situations, including malware attack, unknown media,  physical security, power outage, ransomware attack, and website hack. Each scenario includes:  Ground Rules, Documentation, Scenario,  Discussion Questions, Injects (additional information pertaining to the situation), and Lessons Learned Follow Up Discussion Questions. Download Scenarios
  • {Service} Incident Response Planning: An SBS consultant can assure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event. Learn More


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Incident Handler    Certified Banking Business Continuity Professional

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, February 6, 2020
Categories: Blog