What is an Incident Response Playbook?
One of the biggest regrets of people who have faced an incident without a solid incident response plan (IRP) is not preparing beforehand by brainstorming different scenarios of highly impactful incidents.
Enter the incident response playbook.
An incident response playbook provides cybersecurity instructions for organizations like a sports playbook that lays out plays and instructions for athletes. A sports playbook is designed to help athletes break down and practice plays; it gets revised as needed, and the end result is a book of tested plays that will be used in the game.
An incident response playbook is used in the same way and is designed to provide a step-by-step walk-through for your organization’s most probable and impactful cyber threats. The playbook ensures that specific steps of the incident response plan are followed appropriately. It also serves as a reminder if specific steps in the incident response plan are not in place. If you decide to create your own incident response playbook, it is important to note that it should be included within your IRP.
Why is an Incident Response Playbook Important?
Creating an incident response playbook tailored to your organization allows you to document ways to mitigate the most risk posed to your organization by the riskiest threats, including, but not limited to, ransomware, malware, password attacks and phishing.
Identifying relevant threats that could be extremely impactful to your network and then creating walkthrough scenarios on how to counteract those threats helps your business continuity and incident response teams focus on what needs to be addressed first.
Below, you will find the seven steps to create an incident response playbook appropriate for your organization.
Step 1: Identify Riskiest Threats
Study your organization’s technology risk assessment(s) and other audit activities, such as penetration tests and vulnerability assessments, to find your organization’s top five riskiest threats (cyber or otherwise).
Step 2: Identify Common Attack Vectors
Research the common attack vectors around the top five threats based on your risk assessment(s) and audit activities, as discussed in Step 1. Understanding how hackers perform such attacks in today’s environment, including the tools they deploy and methods they use, will help you build out better incident response scenarios (which we’ll discuss in the next few steps).
The value of staying up to date on an attack vector is clear when considering one of today’s most feared incident response scenarios: ransomware. Although ransomware has been on the rise for years, the most prominent ransomware attack methods have changed. Attackers will always use whatever tools are convenient to attack an organization’s network. Just like everything else in the cybersecurity field, attack vector methods are constantly changing, making it even more important to stay educated on recent attack trends.
Step 3: Create Scenarios
Take the top five riskiest threats (cyber threats or otherwise) identified in the first two steps and create a scenario for each, covering how that threat may affect your organization. These scenarios should incorporate your research about how those threats are realized (Step 2) and allow you to document a realistic account of how the threat (for example, ransomware) may happen to you.
For example, while ransomware is the “threat,” the scenario likely includes an employee receiving an intriguing email, clicking on it and inadvertently installing ransomware on the network.
Outlining these scenarios is the pivotal step in preparing for a tabletop walkthrough, which leads us to our next step.
Step 4: Perform Tabletop Walkthrough
Before performing an official tabletop test, perform a tabletop walkthrough of each scenario on your own or with your team. This first-stage tabletop walkthrough allows you to work through different scenarios and find how they mimic real-world instances. For example, if your organization needs to be wary of phishing emails, a part of your phishing scenario should discuss the possibility of malware delivered by the phishing email spreading to other computers in the organization.
Taking that additional step with your incident response scenarios is beneficial because it puts in perspective what your organization needs to consider beyond phishing email awareness alone (how do we stop malware from spreading?) and allows you to discuss which steps in reacting to and recovering from these scenarios may need to be improved.
Step 5: Modify Scenarios
Make any necessary changes to the walkthrough scenarios based on your initial tabletop walkthrough. Keeping your organization’s walkthrough scenarios up to date is important to performing tabletop tests (next step) and helping to think through how to respond to incidents before they happen. This step will also ensure that your organization keeps up with the ever-changing field of cybersecurity.
Step 6: Perform Tabletop Testing
Your playbook should be ready for an official tabletop test with representatives from your incident response and business continuity teams. Tabletop tests are critical to an organization because they reveal where your incident response and business continuity plans need to be improved and allow those teams to communicate through conflict effectively. There is no better way to mimic a possible incident than to test relevant scenarios based on your organization’s risk assessment(s), penetration tests, vulnerability assessments and other audit activities.
Tabletop tests should be performed at least annually (more often if needed), and documenting the results is extremely important each time a test is performed. Documentation not only proves your organization is staying up to date on testing its incident response and business continuity plans but also outlines areas for improvement and shows that you are continually exercising your team’s abilities and communication.
Step 7: Review the Incident Response Plan
After you perform an official tabletop test of your playbook, it is time to revisit your incident response plan. Based on your testing, you should have several questions to answer and edits to make to your incident response plan. Keeping your IRP updated with recent changes is good practice; it ensures your plan is better prepared if an incident occurs.
Keep Evolving Your Playbook
As your organization grows and expands, so do your risks and vulnerabilities. It’s a good idea to evolve your playbook as your organization evolves. Revisit the results of your audit activities every time they are performed; this will ensure that you stay current on what your organization’s network needs to improve. In addition, continue to assess the top threats your organization faces against the vulnerabilities revealed during your audit activities. Re-analyze your IRP and tabletop walkthroughs and update them with new scenarios based on updated threats that may affect your organization.